The Unique Elements of Healthcare Compliance Programs (Part II of II)
Corporate compliance programs in the healthcare industry include many of the same elements that we are all familiar with – risk assessments, code of ethics, written policies and procedures, comprehensive training requirements, confidential reporting and investigation systems to address employee concerns, gifts, meals, grants, and medical education programs, and audit and review processes to maintain a continuous improvement program.
Aside from this standard list of requirements, there are a number of specific risks that typically have to be addressed:
Physician Interactions: Healthcare companies that fall under the broad definition of “federal healthcare programs” (e.g. Medicare, Medicaid) have to ensure they avoid risks created by the Anti-Kickback Statute, the Stark Law governing physician interests and referrals, and payments to physicians that may improperly influence healthcare providers when making decisions on services and products that are in the best interest of the patient. Pharmaceutical and medical device companies face real and tangible risks in this area but so do hospitals and other providers.
Healthcare Data and Privacy: Healthcare companies face unique risks from the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which creates national standards to protect sensitive patient health information from disclosure without the patient’s consent. In our current data economy with social media and other immediate information sources, HIPAA risks are significant and require dedicated compliance resources.
HIPAA compliance requires encryption and security of personal health information and robust control policies, and the risks include improper disclosure and failure to maintain business associate agreements with third-party contractors. HHS’ Office of Civil Rights enforces HIPAA and has a robust administrative record, including intervention to require changes in privacy practices and imposition of fines and penalties totaling over $100 million in the 20 years since HIPAA was first enacted.
Employment of Ineligible Persons: Healthcare providers that participate in federal healthcare programs are prohibited from hiring individuals who have been excluded by the HHS OIG, which maintains a List of Excluded Individuals and Entities (“LEIE”). As a consequence, healthcare companies have to conduct appropriate due diligence of entities and individuals to ensure that they do not hire a prohibited entity or individual.
Billing, Coding and Overpayments: Healthcare compliance professionals focus strategies on eliminating coding, billing and reimbursement errors. Fraudsters navigate the complex set of regulations to juice the reimbursement system to earn illegal revenues. Healthcare providers face different risk profiles depending on whether they operate billing systems internally or outsource the billing function to third-party providers. In the latter situation, healthcare providers need to design and implement appropriate contractual provisions, access to billing data, and robust testing and auditing protocols.
In this specific area, healthcare companies have developed innovative monitoring and audit programs that require sampling techniques and statistical analysis to ensure compliance with detailed regulations governing quality of service, coding and documentation. Healthcare compliance companies have been at the forefront of compliance strategies involving large amounts of data and transactions, and many of these principles have been applied by non-healthcare companies in analogous circumstances.
False Claims Act: In the healthcare industry, the overarching risk for healthcare providers, and pharmaceutical and medical device companies, is the filing of False Claims Act enforcement actions. Whistleblowers have earned significant payouts under the qui tam rules, and nearly 90 percent of all False Claims Act cases each year involve the healthcare, pharma or device industries. Over the years, the FCA has been applied well beyond just billing and reimbursement issues to include false representations incorporated into “claims.”