5 issues that are keeping healthcare compliance professionals up at night
Healthcare providers are confronting a wide range of compliance challenges, from ramped-up enforcement of some regulations to the introduction of new rules and requirements.
Rarely has the compliance landscape been more muddled or presented more of a challenge for healthcare organizations.
“I’ve been a compliance officer for about 20 years now, and I’ve been in healthcare forever,” said Kirsten Wild, RN, a nurse by background who now owns a healthcare compliance consultancy. “But the volume and the pace of change is crazy these days.”
“It just feels unlike anything I’ve ever seen,” said Lynne Rinehimer, Esq., compliance manager with Symplr, who has worked in the compliance field since 1998. “So many big areas, big things that organizations need to be in compliance with.”
Amid a dizzying array of rules and regulations, a few areas stand out as stumbling blocks for providers because of new twists or unfamiliar applications. Based on interviews with experts, here are five topics that merit especially close attention.
1. False Claims Act
“The risk of a hospital or a health system getting drawn into one of these whistleblower False Claims Act [FCA] cases is not a remote risk,” said Gabriel Imperato, JD, managing partner with the Fort Lauderdale office of Nelson Mullins and a board member with the Health Care Compliance Association.
Part of the issue, he said, is that the government advertises its willingness to generously compensate people for blowing the whistle on fraudulent claims in Medicare and Medicaid, among other public programs.
“There are a lot of people out there who know about the opportunity, which has created really a fishbowl existence for healthcare organizations,” he said.
At least for now, providers can be liable even if they did not knowingly commit misconduct but rather acted with deliberate ignorance or reckless disregard — “In other words, sticking your head in the sand like an ostrich,” Imperato said.
However, the Supreme Court in April was set to hear arguments in litigation involving Medicare and Medicaid claims filed by two pharmacies. A decision later this year in favor of the defendants, SuperValu and Safeway, could create narrower interpretations of what it means to act with intent in FCA scenarios.
Regardless, “You really need to have something in place to evaluate the amount of risk,” said Joanne Byron, the CEO and Board Chair of the American Institute of Healthcare Compliance. “How many errors are happening? Are you fixing them? Are you moving forward by refunding overpayments or rebilling for underpayments, and trying to do the best you can?
“Coding is really complex, and you can get a certified coder, but they may not have experience for your type of specialty. It’s really hard for healthcare providers to find people that they can count on to do the right thing and not make mistakes.”
Bringing in outside auditors may be warranted for organizations that aren’t sure they have the internal expertise to assess risk, she said.
2. No Surprises Act
The No Surprises Act became law in late 2020, with the core provisions taking effect at the start of 2022. Yet for providers, the headaches have not lessened with time.
“We’re over a year in, and there’s still so much that’s unsettled that it’s hard to have your policies and procedures in place, train your employees and do the things you need to do to better ensure your compliance,” Rinehimer said.
Among various areas of concern, the requirement to provide good-faith estimates to uninsured and self-pay patients leaves hospitals vulnerable to a dispute resolution process. Patients can pursue that option when the cost of the care episode exceeds the estimate by at least $400.
$10,000
Potential penalty per case for noncompliance with provisions pertaining to good-faith estimates in the No Surprises Act.
The requirement will become more burdensome whenever HHS implements the provision for convening providers to incorporate projected costs from co-providers on an estimate for a care episode. Such a step might even necessitate contractual language among providers, Wild said. For now, HHS has tabled the co-provider requirement to examine the need to provide a technical infrastructure and establish standards for the exchange of information.
A potentially overlooked challenge is the gray area between the No Surprises Act and the Emergency Medical Treatment and Labor Act (EMTALA), Byron said.
“[Under EMTALA], somebody comes in on an emergency basis, and [providers are] not even allowed to ask, ‘Do you have insurance?’ until they’re stabilized,” she said.
“When you couple EMTALA with the No Surprises Act, it’s an area of compliance that hospitals really have to look at from a lot of different perspectives, get some legal advice on it, and figure out how to implement appropriate measures to stay compliant with EMTALA while staying compliant with detecting [which] providers might be out of network and [with] not generating surprise medical bills in emergency situations,” Byron added.
3. Telehealth and the end of the public health emergency
Even with the COVID-19 public health emergency (PHE) ending May 11, Congress has established that many telehealth flexibilities will extend at least through 2024, allowing Medicare patients to continue receiving authorized services at home.
However, the regulatory scrutiny is likely to be intense.
“While on one hand, federal and state governments want to promote telemedicine, on the other hand, they consider it — with justification — to be a very vulnerable place where fraud is committed,” Imperato said.
A key determinant of a provider’s risk exposure is the physician-patient relationship, he explained.
“If I advertise a phone number out there on the web for you to call to get some type of durable medical equipment, and you call, and I’m taking information from you, and then I connect you with a physician in a telemedicine encounter who’s never seen you before, who won’t see you again, and he prescribes certain medical equipment that he concludes that you need, and it’s paid for by federal health programs — they’re not going to like that physician-patient relationship,” he said.
Some telehealth flexibilities will be curtailed when the PHE ends. Of note, providers will have to ensure agreements to protect patient health information are set with their contracted vendors. Such agreements weren’t mandatory during the PHE.
Many providers “slammed things into place in March and April [of 2020], even into May and June,” Wild said. “But now they need to look back and make sure that [they] have the right pieces in place.”
Looking beyond telehealth, other immediate consequences of the PHE termination include the expiration of waivers that allowed relief from Stark Law and Anti-Kickback Statute rules.
“Organizations need to be going back through those relationships and roll them back to what they were pre-COVID,” Rinehimer said.
Providers also should be ready for the reinstatement of the following requirements, among many others:
- That an inpatient hospitalization last at least three days before Medicare will cover a skilled nursing facility stay
- That patients’ medical records be completed within 30 days of discharge
(Editor’s note: The second bullet point above has been corrected. It previously stated that patients’ medical records must be completed “at discharge.”)
Other regulations will be phased back in by the end of 2023, including a provision that requires supervising healthcare professionals to be available on-site instead of virtually.
To help keep pace with all the forthcoming changes, experts recommend CMS’s Feb. 27 fact sheet on the end of the PHE.
4. HIPAA and Dobbs
HIPAA’s core privacy regulations were updated in a proposed rule drafted by the Trump administration and released in early 2021, but implementation has been delayed ever since. There’s still an expectation that the new rules will take effect, quite possibly this year.
The regulations may add to confusion about the interplay between longstanding rules that guard patient privacy and newer points of emphasis designed to boost patients’ access to information in their medical record, Byron noted.
“If [patient information] gets loose, you’re on the front of the newspaper, you’re on OCR’s wall of shame, and so everybody tightens things up,” she said, referring to HHS’s Office of Civil Rights. “But now if you’re too tight with the information, you could be charged with violating a patient’s right of access.”
If patients request such access and providers do not make the information available within 30 days (with certain exceptions), they can be reported to OCR just as they can for violating confidentiality protocols. The provision has been in place since 2003, but enforcement intensified over the past several years as part of a formal initiative by OCR.
The 2021 regulations would limit that period to 15 days. Wild said it remains to be seen whether the more constricted timetable is implemented, given ongoing pushback from the industry.
More changes to HIPAA are in the offing after the 2022 decision in Dobbs v. Jackson Women’s Health Organization, in which the Supreme Court ruled that accessibility to abortion is not a constitutional right. In April 2023, HHS released a proposed rule “to prevent an individual’s information from being disclosed to investigate, sue or prosecute an individual, a healthcare provider or a loved one simply because that person sought, obtained, provided or facilitated legal reproductive healthcare, including abortion.”
A preview came last June with guidance clarifying that protected health information cannot be disclosed without an individual’s authorization — except as described in HIPAA privacy language and state law, Rinehimer said in an interview before the new rule was issued.
“Let’s say a patient comes to the hospital and they are in the process of going through a miscarriage,” she said. “And the hospital worker who is treating that patient has a suspicion that the patient initiated the miscarriage. If state law doesn’t expressly require reporting of that, then the hospital worker can’t report it.
“Obviously, that requires an understanding by the medical professionals, the doctors, the nurses, the individuals who are treating patients to understand what they can and can’t do under HIPAA,” Rinehimer added. “We have this new wrinkle here, and there’s going to need to be an understanding of what state law allows for. Every state is going be a little bit different.”
5. New E&M codes
Coding and documentation changes for evaluation and management (E&M) care encounters were incorporated for outpatient and office settings in 2021 and many other settings this year.
While the changes are designed to streamline administrative burdens, they have brought new compliance risks.
“Providers rely on their EHR [electronic health record] systems, but unless someone has worked with their vendor to convert their system from the 1995 and ’97 guidelines to the new guidelines, they’re probably not documenting in a compliant fashion,” Byron said.
One issue is that the websites of Medicare administrative contractors may still have the 1995/97 guidelines posted even though those are obsolete, she added.
“Unless you have continuing education with your office coders, and then [have] someone to sit down with the providers and say, ‘We have to change things and we need to talk to our vendors and change the prompts and change our format for how we document things,’ things are going to be out of compliance,” she noted.
Providers now can choose to bill E&M visits based on time spent in a care encounter or (with some exceptions) medical decision-making criteria. Choosing the time option, while tempting, can lead to situations in which physicians end up billing for more time than they worked on a particular day.
“This can cause a provider to get on Medicare’s radar very quickly and very easily trigger an investigation or a probe,” Byron said. “So, you have to be careful with what you’re choosing, and you still have to have rigorous documentation to support the level of service and medical necessity.”
The Provider Relief Fund auditing process is a potential source of stress
Ensuring everything is in order regarding past Provider Relief Fund grants may fall under the purview of finance teams rather than compliance departments, but it’s an urgent task regardless.
The auditing process is underway at the Health Resources and Services Administration (HRSA), which primarily is seeking to ensure providers have met reporting requirements in the $178 billion program.
Smaller providers, especially, may not have gotten around to reporting on what they were doing with their funds, said Gabriel Imperato, JD, managing partner with the Fort Lauderdale office of Nelson Mullins and a board member with the Health Care Compliance Association. Any such straggler can expect to receive a letter from HRSA saying the money will be recouped unless the organization requests a waiver for failure to report and subsequently complies as required.
“We’ve had to do that for a few small physician practices and maybe one or two other clients,” Imperato said.
Even reporting as required won’t change the fact that in some cases, “There’s inevitably going to be recoupment,” Imperato said. “There could even be cases where the conduct in connection with the funds may involve allegations of false and fraudulent activity.”
That’s certainly been the case, he noted, with the Paycheck Protection Program — another massive federal grant program that was launched at the start of the pandemic.
The bottom line: “Where a provider who received the money can submit an adequate report substantiating that they used it in the correct way, they should be fine,” Imperato said. “But they’ve got to be able to do that.”
The importance of a sound compliance program
Health system board members frequently ask compliance consultant Kirsten Wild, RN, about the most important topics that should be on their radar.
She tells them the most pressing question is what they don’t know.
Amid what can seem like an avalanche of regulations, Wild said, “How do senior leaders get your board to understand, especially if they don’t work in healthcare, that there are some risks inherent in trying to comply with all these regulations? How do you make sure that they have the confidence of knowing that your organization is doing its best?
“That really comes from your compliance program.”
Good compliance programs are about more than checking boxes. They also ensure the organization has appropriate training and education for staff and communication channels that allow employees to report potential missteps.
“It doesn’t mean you’re perfect, [that] you have everything done,” Wild said. “But you have your meetings, you have it recorded, you can put in an organized report and report out to your board: This is our status … this is where we have risk.”
The Affordable Care Act made compliance programs mandatory for Medicare- and Medicaid-certified providers. Thirteen years later, regulations establishing those mandates have been issued for skilled nursing facilities but not for other providers.
But it’s best to prepare as if the regulations are imminent.
“One day, they’re going to pop these regulations out and say you have six months to comply,” Wild said. “And how is that going to happen?”