For the second year in a row, Foley & Lardner LLP and PYA hosted a compliance master class on various health-related compliance issues. “Let’s Talk Compliance” is an annual one-day event featuring a panel of presenters that includes health care attorneys, certified public accountants and valuators, and health care advisors, who discuss important compliance issues. For 2020, the presentations related to physician compensation issues, overpayments, HIPAA privacy and security issues, and long-term care transactions.
This year’s event took place in Orlando, Florida on Friday, January 24th. The panelists included Foley attorneys Jana Kolarik, Taylor Pancake, Myla Reizen, and Kelly Thompson, as well as PYA thought leaders Angie Caldwell, Barry Mathis, Valerie Rock, and Andrew Stafford.
To highlight important information covered during the event, the following list details top takeaways from the 2020 “Let’s Talk Compliance.”
- At the end of 2019, the Office of Civil Rights (OCR) entered into the first enforcement actions we have seen related to the U.S. Department of Health and Human Services’ (DHHS’s) Patient Right to Access Initiative. This should serve as a reminder that covered entities should respond to patient requests for access to their medical records in a timely manner, in the format requested by the patient, and not charge more than a reasonable cost based fee. (Note: There may be state laws that are more stringent than the Federal law, and as such, should be followed if applicable.)
- DHHS has identified ransomware as one of the most common threats to patient health information (PHI). Though there were initially only two basic types of ransomware—lock and crypto—there is now a third type, DataKeeper, which is franchised and gaining ground quickly. Health care providers, and related entities, should remain alert to this fast-developing privacy and security threat.
- The regulatory landscape for health care providers is vast and includes the Stark Law, the Federal anti-kickback statute (AKS), the Civil Monetary Penalties (CMP) Law, the False Claims Act, antitrust laws, the Eliminating Kickbacks in Recovery Act of 2018 (EKRA), and state laws. Changes to the regulatory bedrock Stark Law and AKS are forthcoming with the issuance of proposed regulations that will presumably be finalized. Moreover, the first criminal prosecution pursuant to EKRA took place in 2019.
- Determining value-based compensation arrangements for physicians can be tricky. To ease this process, health care providers should prepare value-based reimbursement inventories and understand what the outcome to incentivize is. Relatedly, such providers should not rely solely on benchmark data.
- Under the statutory 60-day overpayment refund requirement and implementing regulations addressing Medicare Parts A and B, health care providers have an obligation to exercise reasonable diligence through the timely, good faith investigation of credible information to identify an overpayment. Deciding whether information is sufficiently credible to merit an investigation is fact-specific. However, the Centers for Medicare and Medicaid Services (CMS) makes it clear in the Parts A/B regulations and preambles that identification requires both proactive and reactive auditing of billing. Providers and suppliers should also keep in mind that the overpayment requirement extends beyond the regulatory requirements for Medicare Parts A and B to Medicare C and D, Medicare Advantage, Medicaid and Medicaid managed care plans. There are no implementing regulations for these other payors, but the statutory obligation remains.
- There is no de minimus threshold for governmental overpayments, i.e., there is no minimal amount that can be ignored. All potential overpayments should be investigated. Health care providers should expect their decision regarding whether to conduct relevant claims extrapolation (versus a per claim analysis and repayment) to be scrutinized closely.
- Some areas of due diligence to consider with respect to health care-related transactions include: gaps in understanding of compliance plans or lack of compliance plans; coding, billing, and documentation issues; HIPAA security; litigation, audits, and investigations; employee relations; risk management; quality metric reporting; and change of ownership filing/approval requirements.
- Compliance due diligence processes should incorporate the following: annual risk assessments to develop up-to-date compliance work plans, exclusion checks and conflict of interest reviews upon initiation of employment or contract and regularly thereafter, and management and monitoring of revenue cycle functions and vendor contractual arrangements.