4 Questions with Pamela Del Negro, Chief Compliance and Privacy Officer
What are some of the top compliance risks facing physician organizations in 2023?
Health care fraud continues to be a key area of focus for the federal government. False Claims Act settlements and judgments exceeded $2.2 billion in 2022, of which over $1.7 billion related to health care organizations. The U.S. Department of Justice (DOJ) indicated that it will continue taking a proactive approach to investigating potential concerns, leveraging data analytics and other resources to identify potential false claims. Key areas of focus for physician organizations include accurate coding, medical necessity, Stark Law / physician compensation arrangements, unlawful kickbacks, telehealth, and the use of pandemic-related funds, such as Paycheck Protection Program (PPP) funds. In addition, the DOJ’s Cybersecurity Initiative is focused on using the False Claims Act to address situations where there are breaches of cybersecurity that are not adequately addressed by providers and organizations. The first settlement from this initiative occurred in 2022, so this is an area that will likely continue to evolve.
What steps can organizations take to address their compliance and privacy risks?
Consider the organization’s size, geographic footprint, and the regulatory and enforcement landscape in which it operates. For example, do you conduct telehealth visits out of state? Do you have cyber-liability insurance? Do you know where your patient health information is located? What is the accuracy rate of your coders? Did you receive PPP funds? Have you had patient complaints or government audits or investigations in specific areas? What are regulatory agencies focusing on with respect to organizations similar to yours? Each organization is unique. Understanding the distinct risk profile facing that specific organization can guide leaders and staff on where to focus time and resources in order to mitigate risks. Once the risk profile is identified, the next step is to develop – and implement – a plan to address key risks. These plans are often multi-faceted and can include a variety of mitigation techniques, including proactive monitoring, staff education, auditing (conducted by internal resources and/or independent third parties), changes in processes and updates to policies, procedures, and workflows.
Why should providers have a compliance program?
For practices treating Medicare and Medicaid beneficiaries, the Patient Protection and Affordable Care Act of 2020 requires them to have a compliance program. Beyond that requirement, compliance programs can be a helpful tool to clarify expectations for employees, encourage an environment where employees can speak up if they see something wrong without fear of retaliation, and prevent and detect potential misconduct. In the event of a government investigation, the existence of a compliance program can help mitigate potential settlement. Effective programs can also proactively protect against financial losses and reputational harm.
Where can practices go for help in building or updating their compliance programs?
The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) has published guidance on compliance programs for individual and small group physician practices that can serve as a tool to understand the expectations for a practice’s compliance program. The OIG has also published a resource guide on evaluating the effectiveness of a compliance program. The American Medical Association has published resources on HIPAA privacy and security, and the HHS Office for Civil Rights also has key resources on HIPAA privacy and security. In addition, DOJ has established criteria for how it will evaluate corporate compliance programs in the event of potential wrongdoing. There are also a number of consulting firms and professional advisors that can support practices in their compliance efforts.