For the second year in a row, Foley & Lardner LLP and PYA hosted a compliance master class on various health-related compliance issues. “Let’s Talk Compliance” is an annual one-day event featuring a panel of presenters that includes health care attorneys, certified public accountants and valuators, and health care advisors, who discuss important compliance issues. For 2020, the presentations related to physician compensation issues, overpayments, HIPAA privacy and security issues, and long-term care transactions.
This year’s event took place in Orlando, Florida on Friday, January 24th. The panelists included Foley attorneys Jana Kolarik, Taylor Pancake, Myla Reizen, and Kelly Thompson, as well as PYA thought leaders Angie Caldwell, Barry Mathis, Valerie Rock, and Andrew Stafford.
To highlight important information covered during the event, the following list details top takeaways from the 2020 “Let’s Talk Compliance.”
At the end of 2019, the Office of Civil Rights (OCR) entered into the first enforcement actions we have seen related to the U.S. Department of Health and Human Services’ (DHHS’s) Patient Right to Access Initiative. This should serve as a reminder that covered entities should respond to patient requests for access to their medical records in a timely manner, in the format requested by the patient, and not charge more than a reasonable cost based fee. (Note: There may be state laws that are more stringent than the Federal law, and as such, should be followed if applicable.)
DHHS has identified ransomware as one of the most common threats to patient health information (PHI). Though there were initially only two basic types of ransomware—lock and crypto—there is now a third type, DataKeeper, which is franchised and gaining ground quickly. Health care providers, and related entities, should remain alert to this fast-developing privacy and security threat.
The regulatory landscape for health care providers is vast and includes the Stark Law, the Federal anti-kickback statute (AKS), the Civil Monetary Penalties (CMP) Law, the False Claims Act, antitrust laws, the Eliminating Kickbacks in Recovery Act of 2018 (EKRA), and state laws. Changes to the regulatory bedrock Stark Law and AKS are forthcoming with the issuance of proposed regulations that will presumably be finalized. Moreover, the first criminal prosecution pursuant to EKRA took place in 2019.
Determining value-based compensation arrangements for physicians can be tricky. To ease this process, health care providers should prepare value-based reimbursement inventories and understand what the outcome to incentivize is. Relatedly, such providers should not rely solely on benchmark data.
Under the statutory 60-day overpayment refund requirement and implementing regulations addressing Medicare Parts A and B, health care providers have an obligation to exercise reasonable diligence through the timely, good faith investigation of credible information to identify an overpayment. Deciding whether information is sufficiently credible to merit an investigation is fact-specific. However, the Centers for Medicare and Medicaid Services (CMS) makes it clear in the Parts A/B regulations and preambles that identification requires both proactive and reactive auditing of billing. Providers and suppliers should also keep in mind that the overpayment requirement extends beyond the regulatory requirements for Medicare Parts A and B to Medicare C and D, Medicare Advantage, Medicaid and Medicaid managed care plans. There are no implementing regulations for these other payors, but the statutory obligation remains.
There is no de minimus threshold for governmental overpayments, i.e., there is no minimal amount that can be ignored. All potential overpayments should be investigated. Health care providers should expect their decision regarding whether to conduct relevant claims extrapolation (versus a per claim analysis and repayment) to be scrutinized closely.
Some areas of due diligence to consider with respect to health care-related transactions include: gaps in understanding of compliance plans or lack of compliance plans; coding, billing, and documentation issues; HIPAA security; litigation, audits, and investigations; employee relations; risk management; quality metric reporting; and change of ownership filing/approval requirements.
Compliance due diligence processes should incorporate the following: annual risk assessments to develop up-to-date compliance work plans, exclusion checks and conflict of interest reviews upon initiation of employment or contract and regularly thereafter, and management and monitoring of revenue cycle functions and vendor contractual arrangements.
This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.