Healthcare Enterprise Risk Management: Sanction and Exclusion Checks
July 12, 2019
Sanction Checks & Exclusions Regulated by the Office of Inspector General (OIG) to Ensure Enterprise Risk Management in Healthcare
The Office of Inspector General (OIG) was established in the U.S. Department of Health and Human Services (HHS) to identify and eliminate fraud, waste, and abuse in the department’s programs and to promote efficiency and economy in departmental operations. The OIG carries out its responsibilities through a nationwide program of audits, inspections, and investigations. The OIG has also been given the authority to exclude individuals and entities who have engaged in fraud or abuse from participation in Medicare, Medicaid, and other federal health care programs. The OIG also has the authority to impose civil money penalties (CMPs) for certain misconduct related to federal health care programs (sanction checks and exclusions).
Congress has further strengthened and expanded the OIG’s authority to exclude individuals and entities from federal health care programs. These laws expanded the OIG’s authority to assess monetary penalties against individuals and entities that violate the law. To combat healthcare fraud, OIG partners with the United States Department of Justice (DOJ), state Medicaid Fraud Control Units (MFCUs), and other federal, state, and local law enforcement agencies. These partnerships include the Medicare Fraud Strike Force, which detects, investigates, and prosecutes healthcare fraud through a coordinated and data-driven approach. In OIG’s recent semiannual report to Congress, the OIG indicated that they expect $2.91 billion in investigative recoveries and $521 million in audit recoveries for fiscal year 2018.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 authorized the OIG to provide guidance to the health care industry to prevent fraud and abuse, and to promote high levels of ethical and lawful conduct. The Balanced Budget Act (BBA) of 1997 further expanded the OIG’s sanction authorities. These statutes extended the application and scope of the current CMPs and exclusion authorities beyond programs funded by the department to all “federal health care programs.” BBA also authorized a new CMP authority to be imposed against health care providers or entities that employ or enter into contracts with excluded individuals for the provision of services or items to federal program beneficiaries.
The basic effect of an OIG exclusion from federal health care programs is that no federal health care program payment may be made for any items or services furnished by an excluded individual or entity or directed or prescribed by an excluded physician. This payment ban applies to all methods of federal program reimbursement.
The prohibition against federal program payment for items or services furnished by excluded individuals or entities also extends to payment for administrative and management services not directly related to patient care, but that are a necessary component of providing items and services to federal program beneficiaries.
There are a variety of types of items or services that are reimbursed by federal health care programs which, when provided by excluded parties, violate an OIG exclusion. These include:
- Services performed by excluded nurses, technicians, or other excluded individuals who work for a hospital, nursing home, home health agency, or physician practice.
- Services performed by excluded pharmacists or other excluded individuals who input prescription information for pharmacy billing or who are involved in any way in filling prescriptions for drugs reimbursed.
- Services performed by excluded ambulance drivers, dispatchers, and other employees involved in providing transportation.
- Services performed for program beneficiaries by excluded individuals who sell, deliver, or refill orders for medical devices or equipment.
- Services performed by excluded social workers who are employed by health care entities to provide services.
- Administrative services, including the processing of claims for payment, performed for a Medicare intermediary or carrier, or a Medicaid fiscal agent, by an excluded individual.
- Services performed by an excluded administrator, billing agent, accountant, claims processor, or utilization reviewer that are related to and reimbursed, directly or indirectly.
Cost of Violation of an OIG Exclusion by an Excluded Individual or Entity
Receiving an exclusion from OIG can have a devastating effect on a healthcare stakeholder and can spell the end of a career or a business in the healthcare industry. Once excluded or sanctioned, an individual or entity is prohibited from receiving payment or reimbursement from any federal healthcare program, which includes Medicare and Medicaid. The payment prohibition affects the person, anyone who contracts or employs the excluded person, and health providers that service the person.
An excluded party is in violation of its exclusion if it furnishes to federal program beneficiaries items or services for which federal health care program payment is sought. An excluded individual or entity that submits a claim for reimbursement to a federal health care program, or causes such a claim to be submitted, may be subject to a CMP of $10,000 for each item or service furnished during the period that the person or entity was excluded. The individual or entity may also be subject to treble damages for the amount claimed for each item or service. Consider that a large organization probably processes thousands of claims in a month. Multiply that by $10,000 and you can understand the significance of this risk to a healthcare organization.
The challenge is significant: there are now close to 42 federal and state exclusion lists that should be checked, and their contents change constantly. A provider or vendor may not be on an exclusion list one month and then be on it the next. If the healthcare organization has not performed adequate sanction checks, it could now be working with an entity that it is forbidden to work with.
To be effective in the sanction checks screening process, it is necessary to go through the exclusion lists managed and maintained by the entities that give out the sanctions, which is either the OIG or a state Medicaid agency. The OIG’s List of Excluded Individuals and Entities (LEIE) is the primary federal-level list that should be referenced for currently excluded individuals, but there are others, like the General Services Administration’s (GSA) Excluded Parties List System (EPLS). The LEIE is updated every month, while the GSA System for Award Management, which includes the EPLS, is usually updated every week.
Additionally, there are the state-level exclusion lists that are separately maintained by different states. Ideally, the names included in the state-level lists should also be found in the LEIE, but that is not a certainty. As such, it’s best to also consult the specific state’s exclusion list when performing a sanction checks screening. How often these lists are updated depends on the state. So, if a healthcare entity is doing business in multiple states, a healthcare stakeholder needs to consider both the federal and state databases that apply.
Any person who provides any service or item that is being paid in part or in full by any federal healthcare program must be screened. This includes employees, contractors, subcontractors, and even people employed by contractors. Employees might be screened by the human resources department. Professional caregivers may be screened by a credentialing committee. The procurement department might perform sanction checks screening on all their vendors to ensure that their contractors and vendors are not on any of the exclusions lists. Ultimately, the responsibility for all of this falls on the compliance office.
The sheer number of names to be screened and the different formats, update schedules, and features of the sanction lists make manual screenings a complicated, time-consuming, and very risky task. While the sanction checks screening process is conducted, here are some areas to consider:
Sanction Checks: Screening Frequency
The OIG updates the LEIE list every month and recommends that providers perform sanction checks on their employees on a monthly basis. Adhering to this guideline lowers financial risk as it allows the organization to detect excluded employees or contractors as early as possible and minimize the amount of potential take backs and fines from CMS. In addition, screening employees, physicians, and contractors or vendors before getting them on board is also a must and then this should be maintained as they are working with the
Sanction Checks: Name Matching
When doing searches, exact matches of first and last names are not enough. To ensure the reliability and accuracy of the sanctions check search, consideration should be given to name variations, maiden names, hyphenations, international names, and spelling errors. While this is a difficult process, it cannot be used as an excuse for failing to detect an excluded individual.
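The name-matching considerations above, as an added example that is not part of the original article: a screening pass that normalizes hyphens and diacritics, tolerates spelling errors, and also checks former surnames. The record fields, the 0.85 threshold, the sample names, and the use of Python's `difflib` as the similarity measure are all assumptions made for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample records, not real exclusion-list data; field names are assumptions.
EXCLUDED = [
    {"last": "Garcia-Lopez", "first": "Maria", "dob": "1975-03-02"},
    {"last": "Müller", "first": "Jürgen", "dob": "1968-11-20"},
    {"last": "Johnson", "first": "Katherine", "dob": "1982-07-14"},
]

def normalize(name):
    """Lowercase, strip diacritics, split on hyphens and other punctuation."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c if c.isalnum() else " " for c in base.lower()).split()

def name_score(a, b):
    """Similarity in [0, 1]; 1.0 when one name's parts are contained in the other's."""
    ta, tb = set(normalize(a)), set(normalize(b))
    if not ta or not tb:
        return 0.0
    if ta <= tb or tb <= ta:  # "Lopez" vs "Garcia-Lopez"
        return 1.0
    return SequenceMatcher(None, " ".join(sorted(ta)), " ".join(sorted(tb))).ratio()

def screen(person, excluded=EXCLUDED, threshold=0.85):
    """Return candidate matches for manual review, highest score first."""
    # Former (e.g. maiden) surnames are screened alongside the current one.
    surnames = [person["last"]] + person.get("former_last", [])
    hits = []
    for rec in excluded:
        last = max(name_score(s, rec["last"]) for s in surnames)
        first = name_score(person["first"], rec["first"])
        score = round(min(last, first), 2)
        if score >= threshold:
            # A differing date of birth is recorded for the reviewer, not used to clear the hit.
            conflict = bool(person.get("dob")) and person["dob"] != rec["dob"]
            hits.append({"record": rec, "score": score, "dob_conflict": conflict})
    return sorted(hits, key=lambda h: -h["score"])

if __name__ == "__main__":
    for p in [{"first": "Jurgen", "last": "Mueller"},
              {"first": "Kathrine", "last": "Jonson"},
              {"first": "Katherine", "last": "Smith", "former_last": ["Johnson"]}]:
        print(p, "->", screen(p))
```

Every hit is a candidate for human review rather than a confirmed exclusion; the score and the date-of-birth flag are the kind of detail worth retaining in the screening documentation.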
Vendor Risk Mitigation Best Practices – Sanction Checks with Vendor Matching
Vendor matching for sanction checks can be difficult because, aside from the vendor name and Employer Identification Number (EIN), there is often not much more information that can be used. If screening all vendors is too monumental a task, the healthcare stakeholder should consider prioritizing contractors that get paid beyond a certain amount or provide significant billing services. This can help lower financial risk.
Sanction Checks Documentation and Leveraging Healthcare Technology
Sanction checks screening documentation plays an important role in the event there is a match or a probable match, or in case of an audit. It’s ideal to keep screenshots, documents, and time stamps of the names that have already been reviewed, the exclusion list the names were reviewed against, and the process of determining a match.
The process of taking internal, manual responsibility is extremely difficult for any healthcare stakeholder and particularly for those of any size. Consider that a mid-size hospital or large physician practice could have hundreds to thousands of providers to screen and a similar number of contractors and vendors. As such, many healthcare organizations may use the services of agencies that specialize in background searches. This can be a costly choice and static in nature as these agencies only do sanction checks when commissioned by the provider. Thus, there is latency in the process. Utilizing more current sanction checks and exclusion screening technologies is an option for companies that want cost-effective, quick, continuous searches with reliable results.
If you are evaluating utilizing technology to assist in the screening process, here are requirements that you should verify that the healthcare enterprise risk management solution has:
- The healthcare enterprise risk management solution sanction checks all databases. There are currently 42 federal and state exclusion and screening databases.
- The technology can be distributed to different internal stakeholders to carry out their sanction checks screening processes. As indicated, the responsibility for employees may reside in HR, practitioners in credentialing, and vendors in supply chain/procurement. The system should allow these different stakeholders to carry out the tasks they are assigned.
- Data can be centralized and viewed at both a macro and micro level. The compliance department requires an overall insight to all sanctioned or excluded providers and vendors. While different departments may carry out the process, the overall data should be able to be rolled up.
- The healthcare technology solution provides the information on the reason for an exclusion or sanction. Ideally, documentation should list the reason for compliance purposes.
- The healthcare enterprise risk management solution allows documentation, interaction, and verification internally and externally. There can be areas identified that need to correspond with the provider or vendor to further validate and document for the organization to take action. Ensure that the considered solution can do this.
- The sanction checks process is continuous; the solution should be regularly checking ALL providers, employees, and vendors continuously. More advanced solutions will do daily sanction checks of all databases and have sophisticated algorithms on the backend to identify daily changes to any of the databases.
- The solution provides active alerting and notifications. In a busy environment, ideally an organization is alerted when there is a change or exception in the data. A software assistant can do this and send an alert when a new exception or sanction has been identified, so that action can be taken.
- The healthcare enterprise risk management solution is checking ALL your vendors, employees, and practitioners. Previously with manual processes, this was not viable, and many healthcare stakeholders tried to stratify their providers and vendors by those at highest potential risk. Today with new technologies, all providers and vendors should be checked.
- Ideal pricing model: make sure that billing is not based on every sanction check performed. Ideally, the provider should have a monthly or annual charge for doing all of the continuous sanction checks.
Enable Healthcare Stakeholders to Comply with Regulations, Protect PHI, and Avoid Penalties
Data breaches, healthcare fraud, and violations are increasingly receiving public notoriety resulting in negative brand exposure to healthcare stakeholders. They are not only facing significant fines, but the negative brand image typically results in declining revenues. The increasing oversight and enforcement by the OIG necessitates that the business associates, third party vendors, contractors, employees, and new hires of a healthcare entity are screened in a timely manner to minimize vulnerabilities that could result in costly fines and public stigma.
With healthcare organizations leveraging the services of hundreds of third-party vendors and business associates, not to mention hundreds of full-time employees, migrating traditional, cumbersome manual processes to a SaaS-based automated approach can save an enormous amount of time, not to mention the ability to minimize risk, faster. Enterprise healthcare risk management monitoring software enables healthcare organizations to conduct OIG screening, sanctions checks, and employee backgrounds in real-time with no need to wait days, weeks, or months – all while reducing risk to the healthcare organization.