Compliance Requirements Continue to Change, Need Close Attention
EXECUTIVE SUMMARY
Compliance efforts are constantly affected by changes in rules and enforcement priorities. Staying on top of recent changes is an ongoing challenge.
- Changing managed care requirements creates risks.
- The reach of the False Claim Act is expanding.
- Online tracking technologies are a concern.
Healthcare compliance is a never-ending challenge, and the expectations change constantly. Staying abreast of new developments is essential. Some of the latest involve the False Claims Act, Medicare risk adjustments, and HIPAA enforcement.
One area to watch is compliance guidance for managed care. New guidance is expected soon, says Jana L. Kolarik, JD, partner with Foley & Lardner in Jacksonville, FL. The legal community is curious whether it will address some kickback concerns more specifically than past guidance has, she says. Artificial intelligence (AI) is another area of interest from the privacy and security standpoint.
“We’ve seen AI present in software development, and it can be a benefit. But there are some risks there that I think compliance officers should be aware of,” Kolarik says. “This is an issue that needs to be dealt with not only from a governance perspective and having compliance programs, but also thinking about how they want to address that with the compliance officer and people in the C-suite. Figuring out how that needs to be addressed is a top-down discussion.”
There is more emphasis on benchmarking and objective measures of quality when considering healthcare compliance, says Robert Andrews, JD, CEO of Health Transformation Alliance in Scottsdale, AZ, which oversees the strategic direction of more than 50 major corporations to fix the U.S. healthcare system.
Andrews urges healthcare organizations to focus on quality measures like Leapfrog scores to improve patient safety. “Internally, it might point out areas of improvement that could help the risk managers reduce risk and improve compliance. If you find out that your hospital-based infection rate is higher than your peers, we want you to think about what you can do to fix that,” he says. “If I’m the risk manager, I realize there’s liability that attaches to that and additional costs and maybe additional insurance premiums and other indicia of risks.”
Financial transparency is another concern, Andrews says. Providers are required to publish the prices they charge for various procedures and locations. “There’s pretty dismal compliance. Part of it is technical because the way the files have to be built and transmitted is not optimal. It’s expensive and bulky,” he says. “But it is a requirement, and the degree of compliance with that has been abysmally wrong. I do think it’s important that that change.”
New Reimbursement Requirements
One compliance issue that may slip under the radar of hospitals and health systems involves new requirements for Medicare and Medicaid reimbursement, says Venson Wallin, managing director at the BDO Center for Healthcare Excellence & Innovation in Richmond, VA. There are new requirements for exhibits to be included in the cost reports.
“They need to make sure that they are including these exhibits. This is new for this year, so this will be a lot more recordkeeping. It will be a bit more onerous,” Wallin says. “For hospitals and health systems, they have to be able to provide significant additional information on things like Medicare, bad debts, Medicare-eligible days, charity care charges by patient, [and] total bad debts by patient. It’s a compliance issue because it is required now, and if they don’t comply with that, then there are negative implications, such as holding up their reimbursement or potentially freezing reimbursement, because it is now considered part of the cost report.”
The amount of healthcare spend flowing through state-based managed Medicaid programs is another area of concern, says Matthew C. Sullivan, JD, partner with Hogan Lovells in New York City.
“Companies, compliance officers, and in-house counsel would be well advised to monitor enforcement trends in that space, and particularly on the application of other theories and enforcement efforts that traditionally had focused more on traditional Medicare and traditional Medicaid,” Sullivan says. “They are now targeting those managed care plans, which in the past may not have been as much of a focus, in part because of some of the additional legal hurdles and challenges in building a viable False Claims Act case, whether that’s an enforcement action brought by the government or a civil suit brought by a qui tam relator.”
False Claims Act Reach Expands
There is a prevalent sense that the False Claims Act’s (FCA) reach continues to expand, says Jolie Apicella, JD, partner with Wiggin and Dana in New York City. The good news is that there is more direct guidance from the Department of Justice (DOJ) on how compliance programs will be evaluated. The DOJ updated its Evaluation of Corporate Compliance Programs in March 2023, emphasizing third-party management.1 Apicella advises conducting due diligence not only at the outset of third-party engagement, but throughout that relationship.
“Otherwise — and this is reflected in FCA settlements and qui tam complaints — companies can be on the hook for the bad conduct of their third-party vendors when that company knew or should have known about that conduct,” Apicella says.
Apicella notes that last year, the White House issued a national cybersecurity strategy in which it explicitly called on DOJ authorities to use the FCA “to pursue civil actions against government grantees and contractors who fail to meet cybersecurity obligations.”2
“This is another area where companies who receive government funds need to really tighten their cybersecurity practices to make sure they can identify and patch any vulnerabilities. It won’t take an actual breach to find yourself in hot water,” Apicella says. “The government expects to see compliance with cybersecurity standards, a real and continued effort to assess risks, and timely reporting of any suspected incidents.”
Even when the controls are fully implemented, they may not always succeed. There likely will be more self-disclosures to DOJ and settlements in this area, Apicella notes. For healthcare providers, plans, and clearinghouses, failing to comply with HIPAA’s requirements to implement security measures and report data breaches creates another avenue of FCA liability.
Protected health information (PHI) found in medical records and clinical data may be vulnerable to hacking, and the consequences of a breach will fall back on those healthcare companies, Apicella says. Medical device manufacturers have additional obligations to make sure their products are cyber-secure.
As Medicare Advantage continues to increase and account for more federal Medicare spending, the government will spend resources enforcing perceived fraud and abuse in this area, Apicella says. Last year, the DOJ focused on risk adjustment — whether organizations knowingly submitted or failed to correct inaccurate information about their beneficiaries that increased their reimbursement.
“Where MAOs [Medicare Advantage Organizations] are conducting chart reviews that only result in corrections in one direction — that would enhance reimbursement — or where contradictory information is ignored and conditions are added in the face of inadequate support in the medical records — that kind of conduct will be highly suspicious to DOJ,” Apicella says.
OIG Issues Guidelines
In November 2023, the Office of Inspector General (OIG) published its General Compliance Program Guidance (GCPG), its first update in 25 years,3 notes Shannon Leonard, RN, MBA, CPCO, CHPC, CHC, chief compliance officer with Cardiovascular Logistics in Houma, LA. The GCPG is a modern, resource-friendly set of guidelines to help stakeholders navigate the ever-changing landscape of healthcare, advance their voluntary compliance programs, and avoid activities that could be interpreted as fraud, waste, or abuse.
“This modernization initiative of the OIG is so welcomed with the continuing proliferation of innovative treatments and the evolution and increasing complexity of financial relationships within the healthcare industry,” Leonard says.
While preventing fraud, waste, and abuse has always been entrenched in OIG’s seven elements of a compliance program, Leonard says the 2023 GCPG suggests that risk assessments of a compliance program be considered an eighth element. The GCPG strongly recommends that a risk assessment process for identifying, analyzing, and responding to risks stemming from violations of law, regulations, or other legal requirements should be in place. This process is enforced by reviewing the company’s methodology for identifying and addressing any risks of misconduct or wrongdoing by employees.
To protect themselves, healthcare organizations must exercise due diligence to prevent and detect criminal conduct by following the GCPG, Leonard says. This includes having a compliance leader responsible for day-to-day operational compliance and promoting and exemplifying a culture of compliance and ethics.
“Organizations must continuously educate personnel on compliance standards and laws; establish trust and transparency with their governing bodies; encourage uninhibited communication with staff; provide and promote an anonymous reporting system for any concerns of staff, patients, or vendors; and monitor and audit activities to be assured they are performed within the regulations and preventing violations,” Leonard says. “It also is important to analyze data reports so you can have a reasonably designed and effective compliance program that is continuously pursuing opportunities for enhancement.”
Watch Online Tracking
One area of HIPAA noncompliance federal agencies will be watching is the use of online tracking technologies by healthcare providers, says Paul F. Schmeltzer, JD, senior attorney with Clark Hill in Los Angeles. In July 2023, the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a joint letter to healthcare providers that cautioned them about the privacy and security risks associated with the use of online tracking technologies that may be present on their websites or mobile applications that could be disclosing electronic PHI (ePHI) of patients to third parties without their permission.4
In March, OCR revised its guidance on the use of online tracking technologies by HIPAA-covered entities and business associates.5 It reminded regulated entities and the public that online tracking technology is subject to the HIPAA Privacy, Security, and Breach Notification Rules. Online tracking technologies collect and analyze information about user interactions with a regulated entity’s website or mobile application.
“OCR’s bulletin serves as a reminder that covered entities and business associates are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA rules,” Schmeltzer says. “OCR’s bulletin provides additional examples of when visits to an unauthenticated webpage may or may not involve the disclosure of ePHI, additional tips for complying with the HIPAA rules when using online tracking technologies, and guidance about OCR’s enforcement priorities in investigations involving regulated entities’ use of online tracking technologies. Healthcare practices would be wise to review this bulletin to become familiar with these examples and requirements.”
It is not just HIPAA-covered entities and business associates who need to be concerned with online tracking technologies, Schmeltzer notes. The FTC enforces against deceptive or unfair business practices, including the misuse and exploitation of PHI.
The FTC emphasized in its June 2023 letter that companies not covered by HIPAA, such as digital healthcare platforms, also have a responsibility to prevent unauthorized disclosures of PHI. The FTC cautioned these companies to monitor the flow of PHI to third parties that use tracking technologies, because any unauthorized disclosure could constitute a violation of the FTC Act and a security breach under the FTC’s Health Breach Notification Rule.4
Telemedicine is another area of concern. The Drug Enforcement Administration (DEA) and HHS extended the telehealth flexibilities for the prescribing of controlled medications that were put in place during the COVID-19 public health emergency through Dec. 31, 2024.6
“However, we can expect to see how the DEA’s final rules regarding the prescribing of controlled medications will look by the end of this year,” Schmeltzer says. “Additionally, telemedicine regulations varied by state, creating a complicated patchwork of laws for providers to follow. Healthcare organizations needed to stay abreast of evolving guidelines.”
Healthcare practices also need to concern themselves with the security of medical devices, Schmeltzer says, because the increased connectivity of those devices brings an increased threat of cybersecurity incidents. This includes compliance with section 524B of the Federal Food, Drug, and Cosmetic Act, adhering to standards like the Medical Device Regulation in Europe, and staying updated on guidance from regulatory bodies.
Cybersecurity continues to be a major concern in the healthcare industry, says John F. Howard, JD, senior attorney with Clark Hill in Scottsdale, AZ. Healthcare entities continue to be targeted by threat actors and are facing an ever-increasing threat of suffering a ransomware attack, he says. OCR has started investigating and entering into settlement agreements and corrective action plans with healthcare entities that have fallen victim to this type of cyberattack.
These enforcement actions have focused on HIPAA’s requirements to conduct an accurate and thorough risk assessment of potential risks and vulnerabilities to ePHI, to monitor health information systems, and to maintain the policies and procedures necessary to implement these and the other requirements of the Security Rule, Howard says. In December 2023, OCR announced its next steps in its ongoing cybersecurity work for the healthcare and public health industry. These include the development and publication of healthcare-specific cybersecurity performance goals and increasing accountability and coordination within the sector.
“At this time, these cybersecurity performance goals will be voluntary, but HHS OCR has signaled that they will move to incorporate these goals into their regulatory regimes,” Howard says. “All of this activity goes to show that the players in the industry need to renew their focus on cybersecurity and HIPAA Security Rule compliance. It is critical that accurate and thorough risk assessments are conducted that include all potential risks and vulnerabilities to ePHI.”
This would include looking at the different ways a threat actor may target a health system during a ransomware attack, Howard says. There may be a need, depending on the size and sophistication of the entity, to implement additional security technology, such as an endpoint detection and response solution, or other tools that will allow for the monitoring of the systems for potential malicious activity.
“But the implementation of the tools alone is not enough. It is necessary to also have the policies and procedures that require the use of the tools; monitoring of their outputs, such as logs or alerts; and the staff with the requisite skill to do so,” Howard says. “It is not an implement-and-forget kind of circumstance.”
For smaller entities, it will be important to look at the services received from their IT providers and make sure that cybersecurity is included in what is received, Howard says.
REFERENCES
- U.S. Department of Justice. Evaluation of Corporate Compliance Programs. March 2023. https://www.justice.gov/crimin...
- The White House. National Cybersecurity Strategy. March 1, 2023. https://www.whitehouse.gov/wp-...
- U.S. Department of Health and Human Services Office of Inspector General. General Compliance Program Guidance. November 2023. https://oig.hhs.gov/compliance...
- Federal Trade Commission. FTC and HHS warn hospital systems and telehealth providers about privacy and security risks from online tracking technologies. July 20, 2023. https://www.ftc.gov/news-event...
- U.S. Department of Health and Human Services. Use of online tracking technologies by HIPAA covered entities and business associates. March 18, 2024. https://www.hhs.gov/hipaa/for-...
- Drug Enforcement Administration. DEA and HHS extend telemedicine flexibilities through 2024. Oct. 6, 2023. https://www.dea.gov/documents/...
SOURCES
- Robert Andrews, JD, CEO, Health Transformation Alliance, Scottsdale, AZ.
- Jolie Apicella, JD, Partner, Wiggin and Dana, New York City. Phone: (212) 551-2844.
- John F. Howard, JD, Senior Attorney, Clark Hill, Scottsdale, AZ. Phone: (480) 684-1133.
- Jana L. Kolarik, JD, Partner, Foley & Lardner, Jacksonville, FL. Phone: (904) 633-8915.
- Shannon Leonard, Chief Compliance Officer, Cardiovascular Logistics, Houma, LA.
- Paul F. Schmeltzer, JD, Clark Hill, Los Angeles. Phone: (213) 417-5163.
- Matthew C. Sullivan, JD, Partner, Hogan Lovells, New York City. Phone: (212) 918-3084.
- Venson Wallin, Managing Director, BDO Center for Healthcare Excellence & Innovation, Richmond, VA. Phone: (804) 330-3092.