Top 10 Federal Compliance Risks for Hospitals
Hospitals in the United States face numerous compliance risks. Multiple federal agencies oversee hospitals’ compliance efforts, and directors, administrators, and compliance officers must thoroughly assess their facilities’ compliance efforts on an ongoing basis to ensure that this oversight does not lead to recoupments, loss of program eligibility, or other penalties.
In order to mitigate their risk of penalization, hospitals need to identify their specific risks and address these risks in a manner that reflects the unique aspects of their operations. No two hospitals’ compliance obligations are exactly alike. However, when it comes to the biggest compliance risks, for most hospitals, these risks fall in the same general areas. This article provides an overview of these general areas—followed by an introduction to the steps that hospitals in the U.S. need to take in order to establish and maintain federal compliance.
What are the Top Federal Compliance Risks for Hospitals?
Is your hospital fully compliant? Do you know for sure? Could it face challenges if targeted in a federal billing compliance audit or health care fraud investigation? Here are 10 key areas of compliance that often present the greatest risks for hospitals:
1. Medicare, Medicaid, Tricare, and DOL Billing Compliance
Federal billing compliance presents risks for all types of federally-funded healthcare entities. But, for hospitals, the burdens of compliance can be particularly substantial. Hospitals must ensure billing compliance across all departments and across all relevant federal healthcare benefit programs.
Due to the challenges of federal billing compliance, many hospitals rely on third-party billing administrators. While this can be a good option, hospitals must select their third-party billing administrators carefully, and they must ensure that they have the oversight they need in order to evaluate their own billing compliance. If a third-party billing administrator makes mistakes, the hospital will still face the repercussions of noncompliance—and it will be up to the hospital to seek indemnification from its third-party administrator.
2. Private Health Insurance, PPO, and HMO Billing Compliance
Private health insurance billing compliance is also a significant area of risk for hospitals. Not only do insurance companies, PPOs, and HMOs conduct their own compliance enforcement efforts, but federal authorities can take action against hospitals suspected of fraudulently billing private payors as well. Insurance fraud is a federal offense, and hospitals – and potentially their owners and executives – can face substantial penalties as the result of federal insurance fraud investigations.
3. Controlled Substances Act (CSA) Compliance
The U.S. Drug Enforcement Administration (DEA) vigorously enforces hospitals’ and other healthcare providers’ compliance obligations under the Controlled Substances Act (CSA). While opioid diversion has been a top federal law enforcement priority in recent years, hospitals can face penalties for all types of prescription-related compliance violations.
Another compliance risk for hospitals with their own pharmacies is the risk of noncompliance with the Drug Supply Chain Security Act (DSCSA). This little-known federal statute establishes substantial compliance burdens; and, while many hospitals meet many of the statute’s requirements as a matter of course, hospitals must specifically address the DSCSA in their compliance programs in order to avoid costly DEA scrutiny.
4. Anti-Kickback Compliance
The Anti-Kickback Statute makes it a federal offense for hospitals to offer, solicit, pay, or receive most forms of remuneration in relation to referrals of federal healthcare benefit program beneficiaries. The lesser-known Eliminating Kickbacks in Recovery Act (EKRA) imposes additional restrictions on hospitals’ and other healthcare providers’ ability to provide or accept compensation for patient referrals. Stark Law compliance can be an issue for hospitals as well; and, in many cases, prohibited financial relationships with third-party healthcare providers and marketers will be the triggers for federal healthcare fraud investigations.
5. Telemedicine and Telehealth Compliance
The COVID-19 pandemic drastically accelerated the timeline for most hospitals’ adoption of telemedicine and telehealth practices. While federal authorities relaxed many of the rules for telemedicine and telehealth early in the pandemic, hospitals must now be focused on maintaining comprehensive compliance with all pertinent federal laws and regulations.
From using appropriate billing codes to providing consultations to out-of-state patients, telemedicine compliance presents a broad array of challenges for hospitals. Hospitals cannot rely on their in-person treatment compliance protocols for telemedicine and telehealth, but must instead adopt policies and procedures that are specific to this unique care environment.
6. Relationships with Independent Physicians, Marketers, and Others
Beyond traditional human resources (HR) compliance issues, hospitals can also face compliance risks arising out of their relationships with independent physicians, marketers, and others. Hospitals must take adequate steps to ensure that these independent parties’ actions do not give rise to compliance failures, and they must ensure that they have the oversight and authority to take appropriate remedial action when necessary. This applies to virtually all aspects of hospital compliance, from billing to privacy, and from anti-kickback compliance to telemedicine and telehealth.
7. HHS OIG Compliance Oversight
The U.S. Department of Health and Human Services’ Office of Inspector General ( HHS OIG) is among the most-active federal agencies in the area of healthcare fraud enforcement. HHS OIG has published compliance program guidance for hospitals (and various other healthcare entities); and, while it labels this guidance as instructive rather than mandatory, it has also made clear that it expects hospitals to be able to fully demonstrate compliance within its priority enforcement areas.
As a result, hospitals should consider HHS OIG’s compliance program as a starting point, but they should also understand and accept that their compliance obligations far exceed HHS OIG’s minimum recommendations. HHS OIG also makes clear that hospitals need to tailor their compliance programs to their specific needs, and they must be able to fully document compliance in all areas of their operations.
8. Insurance and Healthcare Program Compliance Audits
Private health insurance companies, PPOs, and HMOs reserve broad contractual rights to audit hospitals for billing compliance. Hospitals are also subject to auditing by ZPICs, UPICs, RACs, and other “fee-for-service” audit contractors working with the Centers for Medicare and Medicaid Services (CMS).
In order to survive these audits unscathed, hospitals need to not only maintain comprehensive compliance, but also comprehensively document their compliance efforts. Hospitals must also have protocols in place for responding to – and defending against – these audits, as auditing mistakes are common, and failure to intervene in the process can result in substantial unjustified demands for recoupments (and potentially other penalties).
9. Patient and Employee Privacy Compliance
Privacy compliance is a growing concern for hospitals of all sizes and in all regions of the United States. Hospitals have become prime targets for hackers due to the extraordinary amount of personal and financial data they store. While federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) establish privacy and security standards for healthcare providers, hospitals will often need to go significantly beyond the federal requirements in order to adequately safeguard their patients’ and employees’ private information.
10. Compliance Documentation (or Lack Thereof)
When facing audits and investigations, hospitals must be able to affirmatively demonstrate that recoupments and other penalties are unwarranted. As a result, from a risk mitigation perspective, maintaining documentation of compliance is just as important as maintaining compliance itself.
From policies and procedures to contracts with third parties, and from patient records to billing records, hospitals must generate and store multiple forms of documentation in order to establish compliance during external inquiries. If they don’t, and if they are unable to prove compliance as a result, then they can expect to face penalties even if they have met all of their legal, regulatory, and contractual obligations.
What Can (and Should) Hospitals Do to Address These Compliance Risks?
Given these risks, what can (and should) hospitals do in order to avoid facing penalties as the result of compliance audits and investigations? Some of the fundamental components of an effective hospital compliance program include:
- Compliance Needs Assessment – Hospitals must assess their specific needs in order to develop custom-tailored compliance programs that provide adequate protection.
- Compliance Policies and Procedures – Hospitals must work with their legal counsel to draft policies and procedures that fully address their compliance obligations under all pertinent laws, regulations, and contracts.
- Training and Implementation – Hospitals must ensure that all personnel receive appropriate compliance training, and they must implement their compliance programs in all aspects of their operations.
- Auditing, Documentation, and Enforcement – Hospitals must audit their compliance efforts on an ongoing basis, generate and store ongoing documentation of compliance, and follow consistent protocols for enforcing compliance when issues arise.
- Reevaluation and Modification – Hospitals must constantly reevaluate their compliance obligations, and they must modify their compliance programs in order to reflect any changes in their operations or the government rules and regulations.
Speak with a Federal Healthcare Compliance Lawyer at Oberheiden P.C.
Do you have questions about your hospital’s compliance obligations? Are you concerned that your hospital’s existing compliance program might not be sufficient to survive an insurance audit or federal healthcare fraud investigation? If so, we can help. To speak with a senior federal healthcare compliance lawyer at Oberheiden P.C. in confidence, call 888-680-1745 or request a complimentary consultation online today.
Dr. Nick Oberheiden, founder of Oberheiden P.C., focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation.