Healthcare - Requirements Addressed
The Compliance 360 on-demand solution for healthcare reduces the overhead and risks of regulatory compliance initiatives, enabling increased focus on the core business of providing quality health care. With over 250,000 active users, Compliance 360 is the most widely used compliance, risk and governance solution in the healthcare industry today. Key healthcare industry requirements addressed by Compliance 360 include:
Joint Commission Accreditation
Preparing for a Joint Commission survey can be a challenging process for any healthcare provider. At a minimum, a hospital must be completely familiar with the current standards, examine current processes, policies and procedures relative to the standards, and prepare to improve any areas that are not currently in compliance. The hospital must be in compliance with the standards for at least four months prior to the initial survey. The hospital should also be in compliance with applicable standards during the entire period of accreditation, which means that surveyors will look for a full three years of implementation for several standards-related issues.
HIPAA / HITECH Compliance
The Administrative Simplification provisions under Title II of the Health Insurance Portability & Accountability Act (HIPAA) were enacted to improve the efficiency of healthcare delivery by establishing guidelines for standardizing electronic patient data interchange and securing patient confidentiality. These provisions have had broad implications for healthcare providers because the administrative oversight needed to stay in compliance impacts an organization’s time, finances and reputation. The Economic Stimulus Act of 2009 significantly expanded the scope of HIPAA requirements. The HITECH provisions of the act expanded HIPAA regulations to include mandatory data breach notifications, heightened enforcement, increased penalties and expanded patient rights.
Starting in 2012, the HHS Office for Civil Rights (OCR) is piloting a program to perform as many as 150 audits of covered entities to assess privacy and security compliance as mandated under the HITECH Act. The audits will be focused on assessing whether each covered entity: (1) has comprehensive policies and procedures that address critical requirements of the HIPAA Privacy and Security Rules; and (2) has implemented these policies and procedures through routine operations in a manner consistent with the Rules.
When you consider the myriad of tasks, projects and assessments that an organization must undertake to ensure an effective HIPAA compliance program, you are likely navigating through multiple, independent IT solutions and manual processes including: policy development, incident reporting, employee surveys, policy acknowledgements and risk assessments. Even if fully automated, staff must still expend enormous effort to tie all aspects together to document evidence of your overall HIPAA compliance efforts.
Within the context of a dynamic regulatory environment, today’s healthcare CFOs must manage increasing financial risk to ensure the financial health of their organizations. Regulations such as Sarbanes-Oxley create many new challenges, and risk management assessments are now being included in many of the credit and bond ratings conducted by Standard & Poor’s and the other ratings agencies. Finance executives must be able to efficiently manage compliance and risk reduction efforts, working collaboratively with the corresponding line-of-business executives in their healthcare organizations.
To ensure the financial health of a hospital, it is critical that compliance is practiced, by all staff, throughout the revenue cycle process. From the beginning of the revenue cycle (patient registration and determination of insurance eligibility) to the completion (billing for services administered to patients), each successful step in the process minimizes the hospital’s A/R days and improves cash flow. Errors made by staff in the revenue cycle process, however, can prove detrimental to a hospital’s financial stability, reputation, and brand.
The requirements for compliance with laws and regulations, providing necessary care, accurately documenting each patient’s hospital experience, and generating clean claims for payment can create an overwhelming amount of overhead and responsibility. These measures are necessary, however, to maximize the efficiency of your hospital’s revenue cycle process, protect your financial and reputational welfare, and maintain your organization’s compliance with the law.
Medicare Recovery Audit Contractors (RAC)
As of June 2008, RAC audits had already corrected more than $1 billion in improper Medicare payments. The corresponding bounty for RAC auditors amounts to more than $200 million. RAC auditors are highly motivated to stake their next claim in your hospital. You need to be prepared to fight this onslaught, with proactive defenses and appeals strategies, to keep your potential losses to a minimum.
OIG Work Plan
The OIG Work Plan, in many cases, is the bedrock for healthcare provider compliance programs. Released each fiscal year by the Office of Inspector General of the Department of Health and Human Services (OIG), the Work Plan gives healthcare providers visibility into the issues that will receive particular attention from the OIG and provides the necessary guidance to address the related requirements. The Work Plan also serves as a roadmap to future government enforcement activity.
As was the case with previous work plans, the 2008 Work Plan is organized based on HHS programs (Medicare, Medicaid, other Centers for Medicare and Medicaid Services (CMS) issues, Public Health Programs, Human Service Programs, and overarching department-wide issues), and by the type of provider within each category. The OIG Work Plan is an invaluable tool that enables healthcare providers to prioritize risk, focus efforts, and create effective compliance programs.
OIG Corporate Integrity Agreement (CIA)
The imposition of a Corporate Integrity Agreement (CIA) from the Office of the Inspector General (OIG) on any healthcare provider that participates in one of the federal healthcare programs generally creates significant risk and compliance overhead. These agreements generally last for 5 years and include specific compliance stipulations that must be enacted within specified time frames, which are often as short as 90 days. These stipulations frequently include verifiable code of conduct attestations and training certifications from all “covered persons” (employees and all contractors and vendors), as well as verifiable distribution of relevant policies and procedures to all appropriate covered persons. CIAs also frequently mandate specific claims review criteria and reporting of the findings, as well as the establishment of processes for managing and reporting on “Reportable Events” that might be criminal or fraudulent in nature.
Fraud, Waste and Abuse
For the many hospitals that treat Medicare and Medicaid recipients, the risk of fraud, waste and abuse violations has increased. The OIG and Inspectors General across the country have stepped up their audit and inspection efforts to root out fraud and abuse in these government programs. The recent appointment of the Medicaid Inspector General in New York is a good example of the increased focus on identifying and prosecuting fraud, waste and abuse. The bounty for whistle-blowers, ranging from 15 percent to 25 percent, can create a very compelling motive and necessitates the establishment of preventative and response measures for healthcare providers. Improving the management and overall outcomes of fraud, waste and abuse claims now harbors a significant financial advantage for most hospitals.
False Claims Act (FCA) Compliance and Provider Self-Disclosure Protocol (SDP)
The False Claims Act (31 U.S.C. Sections 3729-33), also called the “Lincoln Act”, “Informers Act” or the “Qui Tam statute”, allows a private individual or “whistleblower” with knowledge of past or present fraud on the federal government to sue on behalf of the government to recover civil penalties and damages. Fraud under the False Claims Act means that a contractor has knowingly presented a false claim for payment to the United States. The fraud can occur wherever federal and state monies are directly or indirectly used to purchase services or goods.
On April 15, 2008, the OIG published an Open Letter to Health Care Providers restating the value and purpose of the Provider Self-Disclosure Protocol (SDP). The SDP provides the healthcare provider with a proactive way of notifying the OIG of potential fraud. Through a process of proactive cooperation, a healthcare provider may be able to settle liabilities with the OIG for an amount near the lower end of the damages continuum. Organizations that fail to self-report or that do not cooperate can be placed under a Corporate Integrity Agreement (CIA) or Certification of Compliance Agreement (CCA).
Physician Contract Management
Assuring that physician contracts do not violate Stark III or The Medicare and Medicaid Patient Protection Act of 1987 (Anti-kickback Statute) is now a critical imperative for healthcare provider organizations. Hospitals can no longer hope that physician contracts are within compliance requirements; they must aggressively and proactively manage these contracts. What were once thought of as contractual add-ons (lab coats, specialty equipment leases, vendor inducements) can now jeopardize the compliance of the healthcare organization if improperly managed.
The new Stark III regulations went into effect on December 4, 2007. As a result of the Stark III regulations, healthcare organizations must review their physicians’ contracts and professional arrangements to make sure they comply with the new self-referral rules. The Stark law prohibits physicians from referring Medicare patients to hospitals or other entities with which they have a financial relationship, unless the arrangement falls under one of several specific exceptions.
One of the law’s most controversial provisions states that a physician “stands in the shoes” of his or her group practice for the purpose of determining whether Stark covers the doctor’s relationship with another entity. Unlike other regulations, such as those for the anti-kickback statute, the Stark regulations are not simply agency guidance; they have the force of law. CMS has clearly signaled that more enforcement is likely, and physicians and health care providers should be prepared.
NIH to Crack Down on Conflicts of Interest (Wall Street Journal)
The Emergency Medical Treatment and Active Labor Act (EMTALA) is a statute that obligates hospitals to provide screening and institute treatment for patients regardless of their ability to pay. Essentially an anti-discrimination law, EMTALA is given teeth by monetary penalties, liability claims against attending physicians and possible revocation of the CMS provider agreement.
Although the law has seen many revisions since its 1986 adoption, its legal and medical interpretation by hospital administration, physicians and General Counsel can be subjective.
There are few other compliance activities that can be as laborious and cumbersome as establishing an effective incident management and reporting process. Whether it is an adverse incident, concern, event, or investigation, a healthcare provider’s ability to create a consistent and effective intake and resolution process is imperative for proper risk management and proof of compliance. Incidents, in many cases, can be managed across multiple departments, with different approaches, and most certainly arrive from multiple sources (hotline calls, emails, verbal communication, hand-written notes, etc.). This creates a burden as organizations try to secure sensitive material, create a consistent process and manage the potential masses of data associated with each item.
Limited Information Technology (IT) Resources
In most hospitals, the vast majority of Information Technology (IT) resources are dedicated to the core business functions tied to patient records, accounting and billing. As a result, it is often difficult for non-core business functions to compete successfully for limited IT resources. Many compliance teams must either survive without needed resources or hire expensive consultants to build what they want. The end result is usually increased risk of regulatory sanctions and a mode of operations in compliance that is more reactive than proactive.
To learn how leading healthcare providers are using Compliance 360 to minimize their compliance overhead and risks, and how you can be doing the same, Contact Us today.
Copyright © 2001-2016 Compliance 360, Inc. All Rights Reserved.