Excelling in Legal Compliance for Health Care

Health Care Legal Guidelines

With the rapid growth of the health care industry in the past few decades, keeping track of regulations and laws has become a challenging task. This is especially true when it comes to keeping track of which regulations apply to what areas of the industry. Fortunately, the government has passed several key rules that simplify compliance for health care businesses. Some of the most important federal laws and regulations with which health care businesses should familiarize themselves include:

  • Health Insurance Portability and Accountability Act (HIPAA) – HIPAA applies only to specific entities, including health care systems and health care clearinghouses. The purpose of the law is to establish national standards to protect citizens’ privacy and personal medical information. Thus, it requires health care professionals and staff to adhere to specific protocols when dealing with patients’ PHI.
  • Affordable Care Act (ACA) – As one of the more recent health care regulations, ACA was passed in 2010 and updated in 2017. The intent of the ACA is to expand access to health care for citizens, reduce costs, and prevent discrimination based on pre-existing conditions.
  • Physician Self-Referral Law (Stark Law) – The Stark Law prohibits physicians from submitting certain claims to Medicare or Medicaid when those claims are related to a referral made by that physician to an entity with which he or she has a financial relationship. For example, physicians with a financial interest in a diagnostic laboratory can’t refer patients to that lab using Medicare or Medicaid benefits.
  • Civil Monetary Penalty Law – The regulation includes various provisions for penalties for individuals or entities found to have employed kickbacks, false claims, improper inducements or self-referrals. The penalties can include both administrative and criminal penalties, as well as fines.

Legal Compliance Hurdles

For all that is essential in health care, nothing is more important than protecting patient privacy, rights and information. In 2016 and 2017, 45 percent of health care organizations reported at least one HIPAA breach over the course of two years, a number that is somewhat disconcerting. Despite the fact that technology and legal safeguards exist, they must be properly implemented by all parties involved to avoid exposure and liability.
One of the most difficult challenges for health care systems is effectively managing changing regulations. Often, there are new developments in HIPAA laws, or other rules and regulations, and these can bring periods of considerable uncertainty about how to handle them. Organizations that are not prepared for these changes, or that lack effective compliance programs, risk facing large fines or other forms of discipline from regulatory bodies.
Another challenge is implementing adequate policies and procedures to protect information from being compromised. The health care industry is one of the industries most heavily targeted by hackers, due in part to the fact that it is such a lucrative field for them: health care information is worth some 10 times more on the black market than basic credit card information. Even in the face of new security measures, not all practitioners are taking the threats as seriously as they should, and thus do not prioritize compliance with the law.
Of course, one of the largest issues for health care organizations is the high cost of compliance. For many facilities, compliance costs account for a large percentage of their operating budget, which makes it difficult for them to provide affordable care. When you couple these costs with the fact that smaller organizations often do not have the same resources as their larger counterparts, you can understand why it is so tempting to try to cut corners or forgo compliance. Not all facilities have well-established compliance programs (or any compliance programs whatsoever), which makes them naturally vulnerable to incurring penalties in the event of a breach.

Managing Compliance Best Practices

What we have in place at our fantastic health care law firm are four categories of compliance programs:

  • Compliance programs concerning health care regulatory laws like those of HIPAA and OSHA
  • Compliance programs regarding reimbursement regulations such as those for Medicaid/Medicare
  • Other non-reimbursement regulations, including human resource laws such as the Fair Labor Standards Act and payroll laws, as well as other laws concerning workplace safety
  • Corporate compliance programs such as medical board compliance and licensing requirements

So when it comes to creating a compliance plan, you are going to need to know which laws apply to your practice and in what way, and then you can be compliant with each one.
The best practices tell us that there needs to be regular auditing for compliance on all levels, including audits focusing on prevention and looking back on the history of compliance in the practice.
For example, we often provide audits for new practices making sure that procedures are being followed and there is a physician on-site to provide supervision and collaboration of other medical practitioners at all times. And this is just one area where there has previously been the potential of liability.
Training for staff on the rules and regulations is also a vital part of keeping your clinic compliant. Staff is also responsible, and to protect the business, there are materials and formal meetings to inform and update them on what their responsibilities are and how to handle them.
There is also a centralized reporting system and compliance manager in place at our law firm so that patients can report any issues at the clinic or office. Going further, the office must have a plan in place as far as how to add employees who have not been to the training and what to do in case of their visit to your practice.
Another great idea is to establish a hotline or email to the compliance manager or another trustworthy employee. That way any concerned shout-outs can be taken in and addressed.
Software can be utilized to detect issues or problems in compliance. There are even products such as HIPAA One that offer off-the-shelf solutions for issues with data breaches, to get your entire team on board with complete compliance for both reimbursement and regulatory standards.
With all that in mind, keeping the lines of communication totally open and people aware of what’s going on is important at your practice. This includes compliance ideas that are informal and are not written down, like asking patients how things went and whether or not they had any issues or questions.
The less people have to guess, the better — for everyone!

Compliance Officers

The compliance officer is tasked with the responsibility of assuring that their organization is in compliance with the law. They are charged with developing, leading, and overseeing all aspects of the corporation’s compliance program. The compliance officer develops and implements the policies, procedures and training programs necessary to comply with all applicable laws and regulations and works throughout the organization to establish a culture of integrity.
The compliance officer evaluates the effectiveness of the company’s compliance program by monitoring, auditing, and evaluating the operations of the policies and procedures he or she has implemented. The compliance officer is also responsible for reporting directly to the Chief Executive Officer (CEO) of the organization. Compliance officers are also responsible for communicating modifications and updates to the policies and procedures they develop to those who need to be in compliance. In order to be effective, the compliance officer must be knowledgeable about health care regulations and compliance requirements and be skilled in fitness-for-duty evaluation, interpersonal relations and communication.

The Implications of Non-Compliance

Compliance failures can have serious legal, financial and reputational consequences for health care entities. For instance, in 2014, Health Management Associates, Inc., a Florida-based hospital system, agreed to pay $34 million and enter into a five-year Corporate Integrity Agreement with the Office of the Inspector General to resolve a civil False Claims Act allegation that it paid bonuses to hospital employees to increase Medicare and other federal health care program admissions. OIG alleged that the payments violated the anti-kickback statute, which prohibits remuneration in exchange for or to induce the referral of federal health care program business.
In another case, Baptist Health Care System consented to a settlement of $3.55 million following an OIG investigation which found evidence that Baptist violated the anti-kickback statute by paying physicians bonuses tied to the amount of revenue generated from hospital services which were incidental to the physicians’ professional services. The system also entered into a five-year corporate integrity agreement with OIG.
Running afoul of the federal anti-kickback statute can trigger liability under the federal False Claims Act. The False Claims Act establishes liability for any person who knowingly submits a claim to the government that is false or fraudulent. In addition to the damages incurred by the government, a defendant may also be liable for substantial penalties. The damages and statutory penalties may range from $11,000 to $22,000 per claim, and for violations involving multiple claims, may total into the millions or billions of dollars.
In 2015, Brookdale Senior Living entered into a $3.8 million settlement with Florida to resolve potential violations of the federal Anti-kickback Statute, the False Claims Act and the federal Civil Monetary Penalty Law related to three patient repositioning devices it marketed and charged to Florida’s Medicaid program. The devices, intended to prevent bed sores in bedridden patients, were subject to Medicare’s competitive bidding process and could not be billed to the government at a non-bid price. In this regard, the Florida Attorney General posed the scenario that Brookdale may have paid rewards to providers in order to encourage them to buy repositioning devices, with the understanding that providers could then bill Florida Medicaid for the devices at an inflated price. In addition to the million-dollar payout to Florida, Brookdale also agreed to enter into a corporate integrity agreement with the Department of Health and Human Services Office of Inspector General.

What the Future Holds for Health Care Compliance

The future of compliance in the health care industry will increasingly be driven by new trends, including digitalization, Artificial Intelligence (AI) technology and telemedicine. The global digitalization trend is transforming traditional compliance management by requiring health care organizations to constantly transform their compliance, data management and privacy control programs to adapt to the increased volume of data and new technology. AI technology will be key to achieving a high level of protection in a cost-effective manner. AI-based compliance systems will increasingly enable organizations to detect and correct compliance breaches at an earlier stage. For example, AI systems are already being used to improve fraud detection and compliance activities, such as sanction monitoring. Meanwhile, the rise of telemedicine will also pose new challenges to compliance. Telemedicine allows physicians to offer distant consultations, conduct remote patient examinations and perform tele-manipulation procedures. The rising number of mobile health applications (often called mHealth apps) installed on smartphones also increases the amount of personal and sensitive patient data that must be protected. In light of these changes, the future of compliance management in the health care industry will include significant advancements in compliance management systems that harness digitalization, AI technology and telemedicine.