Importance of Compliance in the Healthcare Industry
Civil and criminal liability for healthcare organizations and their representatives is a continuing and growing threat. While organized healthcare fraud, particularly in Medicare, is a well-known problem, legitimate healthcare organizations increasingly face criminal and civil exposure due to various factors, including increased enforcement of complex federal regulations and improper actions by companies whose representatives are tempted to cut corners due to shrinking margins and increased competition in the industry.
Of course, a healthcare organization’s exposure to criminal, civil, and administrative penalties can never be eliminated entirely. It can be substantially reduced, through the development and implementation of a compliance program. Such programs have become a requirement of prudent corporate healthcare management because the institution and operation of an effective program can prevent violations of the law in the first instance. In addition, if the program’s preventative function somehow fails, it can reduce the penalties imposed in a criminal, administrative, or civil proceeding. In short, compliance programs are an honest corporation’s best hope to prevent violations and to limit exposure if a problem has occurred.
The existence of a well-implemented healthcare compliance program is an essential component of lenity in the sentencing of organizations under the United States Sentencing Guidelines. Further, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) has announced that it will consider the existence of an effective compliance program that predates any governmental investigation when addressing the appropriateness of administrative penalties.
Proactive Compliance: What are the Compliance Requirements in the Healthcare Industry
Healthcare is one of the most regulated industries in the United States, making healthcare compliance a crucial and growing field within the industry. Here’s an overview of some of the major laws, acts, and regulations that healthcare organizations need to stay in compliance with and that compliance professionals need to know. In addition, it is crucial to stay on top of these and new regulations and to strive for proactive compliance as the government will inevitably amend and add to the healthcare compliance requirements.
Healthcare Regulations that Safeguard Privacy and Ensure Quality Care
The U.S. Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) is the governmental wing responsible for protecting patient
privacy, ensuring quality care, and combating fraud by ensuring healthcare
organizations are compliant with federal healthcare laws and HHS programs.
The Healthcare Information Portability and Accountability Act (HIPAA), passed in 1996 and implemented in 2003, spurred the need for healthcare compliance across the industry. Among other things, HIPAA mandates industry-wide standards and processes for the protection and confidential handling of patient health information.
The Health Information Technology for Economic and Clinical Health Act (HITECH) promotes standardized electronic health records (EHR). The act was implemented in 2009 to address the patient data privacy and security concerns, EHR files, and how they’re shared. HITECH strengthens the enforcement of HIPAA’s protected patient information rules, requiring the Department of Health and Human Services Office for Civil Rights to conduct periodic provider audits and stiffen penalties for breaches of information, meaning a provider or facility found noncompliant can face a fine of up to $1.5 million.
The Emergency Medical Treatment and Labor Act (EMTALA) ensures public access to emergency services regardless of a patient’s insurance coverage or ability to pay. EMTALA continues to be a “high-risk area” as identified by the OIG, primarily due to conflicting legal interpretations of what constitutes a “medical screening” and “stabilization”.
The Affordable Care Act (ACA) brought mandatory, subsidized healthcare to the U.S. The law requires healthcare providers implement a compliance and ethics program as a condition for reimbursement for patients enrolled in federally funded healthcare programs. The goal is to keep costs down and improve patient outcomes, incentivizing healthcare providers with a “pay-for-value” model rather than the traditional “pay-for-service”.
The Centers for Medicare and Medicaid Services (CMS) within the HHS is responsible for the administration of Medicare, Medicaid and the Children’s Health Insurance Program (CHIP). CMS oversight also includes the Electronic Health Record (EHR) Incentive Programs, which sets incentives and criteria for meeting standards set by HITECH for the implementation of electronic health records; the 2015 Medicare Access and CHIP Reauthorization Act (MACRA), which includes the Quality Payment Program and its Merit-Based Incentive Payments System (MIPS), reimbursing physicians and healthcare organizations based on quality of care and patient outcomes.
Fighting Healthcare Fraud and Abuse
As of 2017, U.S. healthcare spending reached $3.5 trillion with roughly 3% to 10% lost to fraud. A number of laws, statutes and even entire units exist to combat fraud and waste. For physicians and compliance professionals, understanding these laws is crucial, as violations can result in criminal charges, fines and, for physicians, possibly the loss of their medical license.
Medicaid Fraud Control Units (MFCU) investigate and prosecute Medicaid provider fraud (which falls under the False Claims Act), as well as patient abuse or neglect in healthcare facilities. According to the The United States Department of Justice of the $3.5 billion recovered from False Claims Act cases in 2015, $1.9 billion came from healthcare organizations.
The federal Anti-Kickback Statute prohibits healthcare professionals from accepting any kind of “kickback” (i.e. money, contracts, products) as rewards for referrals or providers recommendations to patients on federally covered medical programs, such as Medicare and Medicaid. The statute covers the payers of kickbacks as well as the recipients of kickbacks, with physicians who pay or accept kickbacks facing penalties of up to $50,000 per kickback.
The Physician Self-Referral Law prohibits physicians from referring patients covered by Medicare or Medicaid to treatment or service entities that the physician has a financial relationship with or stands to profit from.
Staying on Top of Healthcare Regulations
In a fluid regulatory landscape, healthcare compliance will only grow more complex, and the need for comprehensive tool kits and qualified professionals to lead
organizations through the regulatory minefield will grow more intense.
Maintaining Continuous Healthcare Compliance
Every healthcare compliance requirement stated above has a corresponding audit protocol. For example, the HIPAA Audit Protocol reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.
The audit protocol is organized by rule and regulatory provision and addresses separately the elements of privacy, security, and breach notification. The audits performed assess entity compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review.
The audits target the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards.
All relevant policies, procedures, documentation of evidence has to be associated with the relevant compliance requirement and current as of the period of audit, for objective verification.
The audits cover:
- all workforce members including
entity employees, on-site contractors, students, and volunteers
- information systems including
hardware, software, information, data, applications, communications, and
Consequences of Non-Compliance
A sample of cases highlights the need for both covered entities and business associates to take the risk seriously:
- Oregon Health & Science University agreed to a $2.7 million settlement in a case that addressed several breaches. OHSU stored over 3,000 individuals’ ePHI in Google Drive and Google Mail without any business associate agreement in place with Google.
- Raleigh Orthopaedic Clinic paid a $750,000 settlement for charges regarding their failure to have a Business Associate Agreement in place with a firm that promised to transfer x-ray images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh provided more than 17,000 records to the unnamed firm, who failed to return the materials.
- North Memorial Hospital agreed to pay $1.55 million as part of settling charges stemming from an incident in 2011 when a laptop with unencrypted PHI on 9,497 patients was stolen from an employee’s car.
- Catholic Health Care Services, a business associate, paid a $650,000 settlement after the theft of an employee’s cell phone that contained unprotected PHI for 412 patients. Children’s Medical Center of Dallas paid a civil penalty of $3.2 million for the impermissible disclosure of unsecured PHI, including the loss of an unencrypted, non-password protected Blackberry device that contained the PHI of 3,800 individuals and the theft of an unencrypted laptop with 2,462 individuals’ PHI. Additional non-compliance with HIPAA regulations was also discovered, such as a failure to implement risk management plans and lack of adequate security precautions.
- Advocate Health Care Network agreed to pay $5.55 million to settle charges stemming from multiple breaches, one of which involved a hacking incident at its business associate, Blackhawk Consulting Group. Advocate did not have a satisfactory BAA in place with Blackhawk at the time.
- On March 8, 2019, Sweet Town, LLC d/b/a Cleveland Manor Nursing and Rehabilitation (Cleveland Manor), Cleveland, Oklahoma, entered into a $171,047 settlement agreement with OIG. The settlement agreement resolves allegations that Cleveland Manor employed an individual who was excluded from participating in any Federal healthcare program. OIG’s investigation revealed that the excluded individual, an office manager, provided items or services to Cleveland Manor’s patients that were billed to Federal healthcare programs.
The settlement costs are only part of the total cost of a breach to the organization, which includes lawyer fees, investigation and notification resources, and other costs. It’s estimated that every compromised record in a data breach costs $407 for healthcare entities, compared to $221 across all industries.
Healthcare Technology for Continuous Compliance
In today’s healthcare compliance environment, it is critical to implement solutions that focus on proactive compliance. While there are many technology solutions available in the market, maintaining a state of continuous compliance seems to be more of a challenge given siloed approach to addressing issues relating to Governance Risk and Compliance (GRC), Vulnerability Analysis and Penetration Testing (VAPT), third party risk assessments, dark web threats, data leak prevention, etc., that result in highly fragmented approach at a high cost.
SureShield simplifies all of these processes through automation and interlinking of security, risk, privacy, and regulatory/standard controls and processes for end-to-end automation of Risk, Security, and Compliance (RSC). This is unique and significant as it simplifies security, risk, and compliance across multiple regulations and standards.
To find out more about how SureShield’s IT Risk & Compliance Software can help your organization meet today’s ever-changing compliance requirements, download the Playbook for Corporate Compliance in Healthcare.