In thinking through the top health care compliance issues for 2020, we thought through our recent experiences and what government agencies have been discussing:
- OCR Enforcement Actions
At the end of 2019, the Office of Civil Rights (OCR) entered into the first enforcement actions we have seen related to the U.S. Department of Health and Human Services’ (DHHS’s) Patient Right to Access Initiative. This should serve as a reminder that covered entities should respond to patient requests for access to their medical records in a timely manner, in the format requested by the patient, and not charge more than a reasonable cost based fee. (Note: There may be state laws that are more stringent than the Federal law, and as such, should be followed if applicable.) - Ransomware
DHHS has identified ransomware as one of the most common threats to patient health information (PHI). Though there were initially only two basic types of ransomware—lock and crypto—there is now a third type, DataKeeper—which is franchised and gaining ground quickly. Health care providers and related entities should remain alert to this fast-developing privacy and security threat. - Regulatory Landscape
The fraud and abuse regulatory landscape for health care providers is vast and includes the Stark Law, the Federal anti-kickback statute (AKS), the Civil Monetary Penalties (CMP) Law, the False Claims Act, antitrust laws, the Eliminating Kickbacks in Recovery Act of 2018 (EKRA), and state laws. Changes to the regulatory bedrock Stark Law and AKS are forthcoming with the issuance of proposed regulations that will presumably be finalized. Moreover, the first criminal prosecution pursuant to EKRA took place in 2019. - Value-Based Compensation Arrangements
Determining value-based compensation arrangements for physicians can be tricky. To ease this process, health care providers should prepare value-based reimbursement inventories and understand what the outcome to incentivize is. Accordingly, providers should not rely solely on benchmark data. - Medicare Overpayment Refunds
Under the statutory 60-day overpayment refund requirement and implementing regulations addressing Medicare Parts A and B, health care providers have an obligation to exercise reasonable diligence through the timely, good faith investigation of credible information to identify an overpayment. Deciding whether information is sufficiently credible to merit an investigation is fact-specific. However, the Centers for Medicare and Medicaid Services (CMS) makes it clear in the Parts A/B regulations and preambles that identification requires both proactive and reactive auditing of billing. Providers and suppliers should also keep in mind that the overpayment requirement extends beyond the regulatory requirements for Parts A/B to Medicare C and D, Medicare Advantage, Medicaid and Medicaid managed care plans. There are no implementing regulations for these other payors, but the statutory obligation remains. - Government Overpayments
There is no de minimus threshold for governmental overpayments, i.e., there is no minimal amount that can be ignored. All potential overpayments should be investigated. Health care providers should expect their decision regarding whether to conduct relevant claims extrapolation (versus a per claim analysis and repayment) to be scrutinized closely. - Health Care Transaction Due Diligence
Areas of due diligence to consider with respect to health care-related transactions include: gaps in understanding of compliance plans or lack of compliance plans; coding, billing, and documentation issues; HIPAA security; litigation, audits, and investigations; employee relations; risk management; quality metric reporting; and change of ownership filing/approval requirements. - Compliance Due Diligence
Compliance due diligence processes should incorporate the following: annual risk assessments to develop up-to-date compliance work plans, exclusion checks and conflict of interest reviews upon initiation of employment or contract and regularly thereafter, and management and monitoring of revenue cycle functions and vendor contractual arrangements.
- Telemedicine Provider Qualification, Licensing, and Operations Compliance
Telemedicine entities engaging in and/or embarking on multi-state delivery models must be cognizant of, and compliant with, applicable state foreign entity qualification requirements and corporate practice prohibitions, and must ensure that their clinical services providers are duly licensed (or registered) and compliant with clinical practice requirements in the states in which they seek to treat patients.
- False Claims Act Enforcement Target Areas
In the coming year, we expect to see an increased number of cases focused on Medicare Advantage (MA) and skilled nursing facilities (SNFs). The focus of the MA cases will arise out of plans’ failure to inform the government of mistaken diagnoses that are not current because MA plans are paid based on those diagnosis codes. Further, we have been told that those Medicare Advantage cases could pull in healthcare providers and suppliers, so although diagnosis codes have been reviewed in compliance audits in the past, the scrutiny on the accuracy of those diagnosis codes, the electronic health records’ issues with pulling past diagnosis codes forward and the correction of such diagnosis codes must be a focus. We also understand that the DOJ is focusing on SNFs because of continuing issues related to substandard care, neglect and improper prescribing of drugs to patients, so the DOJ’s Elder Justice Initiative is likely to involve a more thorough investigation into these kinds of cases in the near future.
These ten issues reflect the current focus on compliance within the industry, as well as what we expect going forward in 2020. If you would like to discuss any of these issues in more detail, please reach out.
