The passage of the Patient Protection and Affordable Care Act (PPACA) in 2010 has had a significant impact on the healthcare industry, drawing attention to the way healthcare is delivered and patients are covered by healthcare services. At the same time, it has raised the level of regulatory scrutiny of the healthcare industry.
The healthcare industry consists of two segments, providers and payers, which have different operating models, operational challenges, and regulatory environments. Healthcare providers face a myriad of government regulations and increased enforcement activity. The vast majority of enforcement activity in the past decade has been aimed at providers who receive government funds. This chapter focuses on the unique regulatory risks and challenges faced by healthcare providers as they come under increased pressure to deliver higher quality care at lower costs in a changing regulatory landscape. We will look at the current environment in which healthcare providers are operating, significant enforcement areas, and ways in which an organization can prevent, detect, and respond to the risk of noncompliance.
Government-funded healthcare spending per person has grown faster than the nation’s economic output per person since 1985. Federal spending for Medicare and Medicaid rose from 1.8 percent of gross domestic product in 1985 to 4.6 percent in 2012,1 and it is estimated that it will grow to 8 percent by 2038. In fiscal year 2015, the U.S. government spent $986 billion on healthcare with nearly two-thirds of this for Medicare,2 and the amount is expected to grow. By 2030, one in five Americans will be a senior citizen, compared with one in eight in 2000. After combining private and government spending, total healthcare spending is projected to account for 19.3 percent of gross domestic product by 2023, up from 17.2 percent in 2012.3 By 2023, government financed healthcare expenditures are projected to reach $2.5 trillion and account for 48 percent of national healthcare expenditure.
To continue to fund the cost of healthcare, the government must recoup spending. Since there is little political appetite to increase taxes, the government has looked to fund healthcare programs by expanding enforcement (recoupment of funds, fines, and penalties). This strategy of enforcement has strong government support since money spent on enforcement has a return on investment of 800 percent.4
In 2015, the government recovered $3.5 billion, marking the fourth consecutive year in which government recoveries exceeded $3.5 billion.5 From January 2009 through the end of 2015, the government recovered $26.4 billion under the False Claims Act (FCA).
The healthcare industry is unique in its relationship with the federal government because the government is frequently the party paying for services rendered to a patient. Due to this relationship and links among the FCA, the Anti-Kickback Statute (AKS) and the Stark Law (which governs physician self-referral for Medicare and Medicaid patients),6 business relationships and arrangements common in other industries are frequently found to be fraudulent in the healthcare industry. Arrangements that compensate a party for acquiring, referring, or retaining business reimbursed directly or indirectly by the federal government may be found to be illegal.
Further, consumers (i.e., patients) rarely have insight into the cost of the services they are seeking. Their buying decisions are made based on imperfect information regarding the factors of cost, quality, and time. Often in the healthcare industry, the consumer relies on a physician for referrals. However, physicians cannot conduct business the same way service professionals in other industries can. Physicians who rely on government funds cannot reward loyal customers, nor offer incentives to patients to transfer from the care of one physician to another. These physicians have very little, if any, influence over the price they are paid by the government for the services they offer.
In addition to the expense, settlements of alleged fraudulent conduct with the government often include extensive monitoring. This generally takes the form of a corporate integrity agreement (CIA), which requires the settling party to comply with requirements related to the conduct of its business and monitoring provisions. Frequently, a CIA requires the company to engage an independent review organization (IRO) to monitor, test, and attest to specific compliance matters.
Recently, the government has insisted on monitors for both quality-of-care and non-quality-of-care matters. Historically, monitors were employed by the U.S. Department of Justice (DOJ) when a deferred prosecution agreement (DPA) was entered into in connection with a settlement. The Office of Inspector General (OIG) at the Department of Health and Human Services also employs monitors, besides IROs, to address business conduct issues.
In at least one current CIA,7 the government required the company to unwind certain business agreements. The monitor is often responsible for approving the modification of the business agreements before a company can enter or exit an arrangement or contract. Some CIAs require the approval of potential business partners to confirm they meet stated selection criteria, approval of the rationale used by the company in making its selection and the methodology used for determining the fair market value of the arrangement. Essentially, the monitor has a direct impact on the business decisions made by the company. These monitors are often selected by the government, but the fees are paid by the company. This is in contrast to a traditional IRO selected by the company and approved by the government.
Some CIAs specify compensation arrangements for sales personnel and/or executives. In a 2012 CIA,8 the company was prohibited from compensating or disciplining its sales professionals based on product sales within the individual’s territory. Rather, the employee could be compensated based on business acumen, scientific knowledge, and customer engagement. Such arrangements may directly affect a company’s ability to attract and retain salespeople.
Besides specifying how an employee could be paid, some CIAs also specify when financial recoupment from officers or employees is required. Current CIAs allow for forfeiture and recoupment of up to three years of annual pay, including bonuses and long-term incentives, if the employee was involved in “significant misconduct.”
Every CIA calls for an increased level of accountability by personnel associated with the settling entity, with certifications now extending further down the organization including middle management. Historically, board certifications were only required for repeat offenders; more recently, certification by the company’s board of directors is included in most CIAs. If the company’s compliance program does not address the board’s involvement in compliance-related activities, the CIA will often require the compliance program to be updated.
Many in the industry believe that certifications may become the basis for future enforcement. The Park Doctrine (also known as the Responsible Corporate Officer Doctrine) allows the government to pursue both civil and criminal liability for corporate violations of public welfare. The liability does not depend on the officer’s approval or knowledge of wrongdoing but on whether the officer had the responsibility or authority to prevent and correct the violation and did not do so. Besides fines and jail time, the officers convicted of a misdemeanor under the Park Doctrine may be subject to exclusion from federal healthcare programs.
Healthcare enforcement is not only driven by the government; PPACA makes it easier for citizens to bring cases against healthcare providers on behalf of the government. The FCA allows citizens with knowledge of a fraud to bring suit in the name of the government and receive up to 30 percent of the amount recovered in fines. PPACA relaxed the public disclosure bar for qui tam relators.9 Relators can now bring cases based partly on information in the public domain and partly on information that “materially adds” to public information. This opens the door for individuals who can mine and repackage publicly available information in a way that helps the government.
The amount of transactional data available to a relator is vast and increasing. This data can be mined and analyzed by relators to develop information that materially adds to public knowledge in a qui tam suit. As part of an effort to make the healthcare system more transparent, the Centers for Medicare and Medicaid Services (CMS) prepared a public data set. The Medicare Provider Utilization and Payment Data and the Physician and Other Supplier Public Use File provide information on services and procedures provided to Medicare beneficiaries by physicians and other healthcare professionals. The file contains information on utilization, payment (allowed amount and Medicare payment), and submitted charges, organized by National Provider Identifier, Healthcare Common Procedure Coding System (HCPCS), and place of service. Other available sources of data include the Physician Payment Sunshine Act, under which pharmaceutical companies, medical device manufacturers, biotech companies, and group purchasing organizations must collect and submit information on relationships they have with physicians and teaching hospitals. The information is published by CMS. A release of 2014 data showed that drug and medical device manufacturers made 11.4 million payments totaling $6.5 billion to physicians and teaching hospitals.10 In addition to relators with access to vast amounts of data, law enforcement also has access to a vast, new pool of available transactional data.
In a new development of the FCA, the government recently started to enforce the concept of “worthless services.” The theory is that certain healthcare providers have provided such poor quality of care that the services are ultimately worthless. In 2014, the government settled with one skilled nursing provider for $38 million, stating the services billed by the nursing home were of such poor quality that they were worthless and there was a “failure to care.”
The FCA amended the AKS to state that a person need not have specific knowledge or intent to violate the AKS, making it easier for the government to prove intent. “Knowing” means that the presenter of the claim for reimbursement (1) has actual knowledge that information presented was false; (2) acts with deliberate ignorance of the truth or falsity of the information; and (3) acts in reckless disregard of the truth or falsity of the information. The FCA imposes penalties on any person who knowingly submits or causes someone to submit a false claim to the government.
Recent significant government enforcement has focused on the following areas:
Prevention requires a new way of thinking about compliance. Historically, healthcare organizations looked to the compliance department and its various training and auditing programs to steer clear of potential violations of law. Now, compliance can no longer rest solely with the compliance department, but must become ingrained in the thoughts and actions of all levels of an organization. The most effective way to stop a compliance issue is to prevent it. The first line of defense is frontline employees, those fulfilling the actual mission of the organization. Expectations must be clear that these employees understand and carry out their roles and responsibilities regarding compliance issues. The compliance program must be set by executive management, adopted by middle management, and carried out by frontline employees. The culture within the organization must set clear expectations that employees are encouraged to raise their hands and bring issues forward.
Organizations have limited resources in the face of ever-growing compliance requirements. Risk assessments can aid in determining how to allocate resources across the organization by examining:
There are several resources to assist organizations in determining the higher risk areas of focus. Each year the OIG publishes its work plan. The document summarizes new and ongoing reviews and activities that the OIG intends to pursue within the coming year. Riskier areas can also be identified by following emergent enforcement trends. These trends can be found in recent settlement agreements, CIAs, and other trade and industry publications. To complete a risk assessment, organizations should also look to historical audits. Internal and external compliance audits can be a very useful way of identifying and classifying specific risks to the organization.
The business practices an organization chooses can have a direct impact in preventing noncompliance. For example, physician recruitment should not focus on the physician’s ability to generate referrals. Rather, the business must recruit particular physicians based on community needs, and an analysis of the fair market value of the compensation should be clearly documented.
Accountable care organizations (ACOs) are groups of providers who form relationships that tie provider reimbursements to quality metrics and reductions in the total cost of care for an assigned population of patients. Under the ACO model, physicians and providers may earn incentive bonuses if cost savings are realized. The risk to an ACO is that if an incentive bonus does not comply with certain safe harbors, it may be deemed to be a kickback to a physician.
Hospitals must fully understand who owns the companies from which they buy various medical devices. The OIG scrutinizes a business model common in the healthcare industry, whereby physician-owned medical device distributorships sell, or arrange for the sale of, implantable medical devices to healthcare providers, which may include the physician owners themselves. The OIG believes that when a physician controls the selection of a device that is provided by a distributor owned by the physician, there is too much of an incentive for the physician to favor that distributor over others.
Organizations should be very careful how they structure their compensation models and performance incentives. In the past, physician productivity and compensation were based on volume metrics attached to the number of patients seen or the revenue billed and collected. Today, productivity and compensation models are based on relative value units (RVUs). RVUs reflect the time, skills, training, and intensity required to provide a service and are a method of calculating the volume of work or effort spent by the physician. A well-patient visit has a lower assigned RVU than a complicated surgery. RVUs measure and reward “work” rather than the number of patients or billings. The key for an organization to remember when choosing an operating model is that there must be a legitimate business need. It is important to involve qualified legal counsel and the compliance department in business strategies and planning.
Besides business practices and models, an organization’s clinical practices, decisions, and documentation can aid in preventing issues related to compliance. An organization’s procedures, processes, and controls should allow the organization to correctly capture data that supports clinical and billing outcomes. Clinical documentation should adequately support all elements necessary to prove medical necessity. Procedures should be in place to capture and document the thought process and activities of the physician in real time, as opposed to after the fact and at the time of billing.
If the elements of medical necessity are clearly outlined and documented in the medical record, an organization is less likely to face an instance in which services are provided but are later found not to be medically necessary. It is also critical that the code assigned to an encounter be supported by the medical record. The organization should emphasize that employees assign the code supported by the medical records, not the code that will maximize reimbursement.
An organization’s electronic health record (EHR) can help prevent compliance issues. The EHRs should be built to allow for necessary elements of care to be captured and concurrently documented. The better the quality of data, the easier it is to code correctly and seek reimbursement for services provided. Poorly designed EHRs may contribute to compliance concerns. An organization should confirm that macro-driven notes are not copied from one encounter to the next or one patient to the next. Healthcare professionals should contemporaneously document the particular encounter rather than select prepopulated information from a list.
Detecting instances of noncompliance relies on the elements of risk assessment, data analytics, monitoring, and culture. The results of the risk assessment guide an organization in its detection mechanisms.
Once an organization inventories risks related to noncompliance, it should assess the controls in place to mitigate those risks. Effective controls are a very useful way to reduce risks. After the controls are compared against the risks, an organization can critically view which risks remain high and allocate resources to address those. The company should engage in a continuous process of monitoring and auditing to confirm that an effective compliance program exists.
Data analytics can help the organization identify an issue early. The amount of publicly available data is voluminous. Data analytics should be created to allow the organization to mine its own data, and publicly available data, to identify potential compliance violations. The analytics may address unusual relationships, including physician relationships. For example, data analytics can be used to assist in answering the following:
Analytics may also apply medically unlikely edits (MUEs) and National Correct Coding Initiative (NCCI) edits. CMS uses these edits to reduce the paid-claim error rate. MUEs limit the units coders can report with certain Current Procedural Terminology (CPT) or HCPCS15 codes, and NCCI edits focus on combinations of codes that should not be reported together. Healthcare providers should develop policies around internally applying these edits to their own data before submitting it for reimbursement. Analytics can also be developed to identify outliers within the data. Not only can an organization’s own data be mined, but with the wealth of publicly available data, organizations can benchmark their data against that of their peers. For example, is one of the organization’s physicians performing a disproportionately high number of a given procedure compared with his or her peers?
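The three checks described above (unit limits per code, forbidden code pairs on one claim, and peer benchmarking of procedure volume) can be run over an organization's own claim data before submission. The following is an added example and not code from the chapter or from KPMG; the claim lines, NPIs, HCPCS codes, MUE limits, and NCCI pairs in it are constructed placeholders, not the edit tables CMS publishes, and the outlier rule (more than three times the peer median) is an assumed threshold an organization would tune for itself.

```python
"""Constructed pre-submission claim checks: MUE unit limits, NCCI-style
code-pair edits, and peer benchmarking of procedure volume per provider.
All codes, NPIs, and edit limits below are placeholders (assumptions for
this example), not real CMS edit tables or real providers."""
from collections import Counter, defaultdict
from statistics import median

# Constructed claim lines: (claim_id, provider_npi, hcpcs_code, units)
CLAIM_LINES = [
    ("C1", "NPI-A", "99213", 1),
    ("C1", "NPI-A", "36415", 1),
    ("C2", "NPI-B", "99213", 1),
    ("C2", "NPI-B", "99214", 1),  # two codes the constructed NCCI table forbids together
    ("C3", "NPI-B", "36415", 3),  # units above the constructed MUE limit of 1
    ("C4", "NPI-B", "20610", 1),
    ("C5", "NPI-B", "20610", 1),
    ("C6", "NPI-C", "20610", 1),
    ("C7", "NPI-D", "20610", 1),
    ("C8", "NPI-D", "20610", 1),
] + [("C%d" % i, "NPI-E", "20610", 1) for i in range(9, 19)]  # one provider, 10 claims

# Constructed MUE table (hypothetical): maximum units per claim line for a code.
MUE_LIMITS = {"36415": 1, "99213": 1, "99214": 1, "20610": 2}

# Constructed NCCI-style pairs (hypothetical) that must not appear on one claim.
NCCI_PAIRS = {("99213", "99214")}


def mue_violations(lines, limits):
    """Return (claim_id, code, units, limit) for lines whose units exceed the MUE.
    Codes with no entry in the table are not limited."""
    out = []
    for claim_id, _npi, code, units in lines:
        limit = limits.get(code)
        if limit is not None and units > limit:
            out.append((claim_id, code, units, limit))
    return out


def ncci_violations(lines, pairs):
    """Return (claim_id, code1, code2) where a forbidden pair appears on the same claim.
    Modifier-based exceptions in the real NCCI tables are not modeled here."""
    codes_by_claim = defaultdict(set)
    for claim_id, _npi, code, _units in lines:
        codes_by_claim[claim_id].add(code)
    out = []
    for claim_id, codes in sorted(codes_by_claim.items()):
        for c1, c2 in sorted(pairs):
            if c1 in codes and c2 in codes:
                out.append((claim_id, c1, c2))
    return out


def volume_outliers(lines, factor=3.0, min_providers=3):
    """Flag (code, npi, count, peer_median) where a provider bills a code more
    than `factor` times the median count across all providers billing it.
    Codes billed by fewer than `min_providers` providers are skipped, because a
    median over one or two providers says nothing about what is typical."""
    counts = Counter((npi, code) for _cid, npi, code, _units in lines)
    by_code = defaultdict(dict)
    for (npi, code), n in counts.items():
        by_code[code][npi] = n
    out = []
    for code, per_provider in sorted(by_code.items()):
        if len(per_provider) < min_providers:
            continue
        med = median(per_provider.values())
        for npi, n in sorted(per_provider.items()):
            if n > factor * med:
                out.append((code, npi, n, med))
    return out


if __name__ == "__main__":
    for row in mue_violations(CLAIM_LINES, MUE_LIMITS):
        print("MUE:", row)
    for row in ncci_violations(CLAIM_LINES, NCCI_PAIRS):
        print("NCCI:", row)
    for row in volume_outliers(CLAIM_LINES):
        print("OUTLIER:", row)
```

The peer comparison uses a median rather than a mean and standard deviation on purpose: with a handful of providers, a single high biller pulls the mean toward itself and a z-score can never exceed roughly the square root of the group size, so the outlier hides inside its own statistic. Benchmarking against the CMS public use file described earlier follows the same pattern, with the peer group drawn from external rather than internal data.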
Monitoring and auditing should not reside solely in the compliance or internal audit functions of an organization. The organization should foster a culture where monitoring is driven back into the business. Similar to prevention, monitoring should be conducted as the first line of defense.
Each business or clinical unit within the organization should perform self-monitoring and auditing. Auditing business units is the tactical execution of a preventive culture. The clinical supervisor should routinely assess a sample of charts. This will allow the supervisor to detect issues, provide training, and monitor performance on a real-time basis. If business units own compliance, they will be committed to making the business compliant.
One of the most critical elements of effective detection is creating a culture that fosters an environment receptive to the reporting of concerns about business conduct. When an organization is made aware of an issue, it should address the concern, document the procedures and findings, and make any necessary behavioral changes. If the organization can demonstrate that it appropriately addresses concerns, the probability of a qui tam suit is reduced. Should an individual pursue a qui tam suit, the organization can demonstrate to the government the actions it took to address the behavior.
How a company responds to a compliance issue can directly affect the outcome of the event. If the organization can prove to the government that it adequately addressed the concern and incorporated corrective action, it is less likely to be assessed with the higher end of possible fines and may avoid a CIA.
When an organization learns of a compliance issue, it should determine whether it is an isolated issue or more systemic. A root cause analysis, plus the use of data analytics, can aid the company in determining if there is a pattern of behavior. Analytics helps determine the extent of the issue and whether other areas of the organization need further investigation. The use of statistical sampling enables the organization to quantify the impact to the payer without the need to test all the transactions.
The organization should also determine the root cause of the issue (e.g., business incentives, cost controls, staffing, other metrics). Was the unit understaffed to keep costs down, leading to poor quality of care? Are physicians incentivized based on the patients seen or billings generated? Often a seemingly legitimate business incentive can cause a compliance problem.
The compliance issue may be related to a systemic cause. Are the organization’s systems and processes enabling noncompliant behavior? Does the EHR either prepopulate visit notes or allow the physician to copy notes from one visit and paste into another visit? Or was the cause of the noncompliant behavior related to a control deficiency? The organization should undertake an analysis to determine if the control activity was not properly designed or functioning, or whether the control was evaded. Once the cause of noncompliant behavior is known, the organization can address it and reduce the likelihood of similar behavior in the future.
At this point, the organization should confirm that corrective measures were implemented. The corrective actions should be taken in a timely manner and address the cause of the behavior. The organization should clearly document the actions taken and provide additional training and education. To demonstrate that the corrective action is effective, the organization should undertake a process to test the operation of the new control. This monitoring and auditing will allow the company to determine if the behavior stopped. Besides corrective actions related to the control failure, the organization should determine whether any corrective actions are required for any individuals involved. Legal counsel and human resources should be involved in the corrective action procedures, especially if the individual might be a relator.
Reporting of noncompliant issues closes the feedback loop. The level and detail provided should vary based upon who is receiving the information. It is important that management and business unit leaders understand the details related to how the issue surfaced, what noncompliant actions occurred, how the matter was investigated, and what corrective actions were taken.
Does the organization understand what level of information is appropriate for the board? The message to the board may be different from the message to management. The board will be interested in the possible repercussions, both legal and financial.
The organization should have a protocol for determining which governing bodies must be made aware of any compliance concerns and when. Engage legal counsel in this discussion, as some states have specific reporting requirements. Another consideration is reporting to regulators. The organization should work with its legal counsel to determine if self-reporting is necessary and to which body it should self-report. In some cases it may be acceptable to disclose the issue to a financial intermediary such as a Medicare contract organization, while in others it may be necessary to disclose to the government.
The benefit of self-reporting to a regulatory body may include a presumption against a CIA requirement or the benefit of a lower damages multiplier. However, the organization must provide detailed disclosures including an explanation of why the violation occurred and a full legal analysis. The organization must acknowledge that the conduct is a potential violation. Once a disclosure has been made, the organization has 90 days to complete its investigation and take the necessary corrective actions. Disclosure could trigger a criminal review because the OIG refers potential criminal conduct to the DOJ. The OIG may advocate that the disclosing party should receive a benefit for the disclosure, but it can offer no guarantees.
With the continued rise of healthcare costs, healthcare providers should expect to see an increase in enforcement actions. With an effective compliance program that is designed to prevent, detect, and respond to regulatory enforcement actions, a provider can minimize the impact of enforcement.
________________
Sarah Jacobs Beard was a major contributor to the content of this chapter. Ms. Beard is a director in KPMG’s Forensic practice based in Atlanta. She specializes in providing regulatory compliance and investigative services to healthcare providers.