Healthcare Compliance Officers' Highest Priorities in 2018

May 4, 2018 Richard Kusserow, Strategic Management Services, LLC (guest post)

 

SAI Global and Strategic Management Services recently completed the ninth annual Healthcare Compliance Benchmark Survey. The most eye-opening section of all? Priorities.

SAI Global and Strategic Management Services recently completed the ninth annual Healthcare Compliance Benchmark Survey. The survey results are compiled in the annual report, and the most eye-opening section of all to me is about priorities. There is a mismatch between what compliance offices, as practitioners, see as the most important priorities, compared to the regulatory agencies' priority perspectives, like the Office of Inspector General (OIG) and Department of Justice (DoJ).

 

The largest challenge stated by compliance officers is addressing ongoing monitoring and ongoing auditing of high-risk areas. Overwhelmingly, respondents reported dealing with data breaches as their highest-ranked priority, with two-thirds citing HIPAA Security/Cyber-security, and over half for HIPAA Privacy as their number one concern. This represented the biggest change from last year's survey. Coupled with this was that nearly three-quarters of respondents reported the compliance office as having responsibility for HIPAA Privacy and nearly one-third having responsibility for HIPAA Security.

 

Troubling, though, is the fact that the number one regulatory and enforcement priority by the OIG and DOJ remain corrupt arrangements with referral sources. The second-most important priority is the issue of false claims. Together they represent virtually all the major enforcement actions and penalties and represent a far greater exposure to liabilities than security breaches. However, not only was arrangement with referral sources not the top high-risk area priority for compliance officers, it was ranked fifth in priority; and claims accuracy ranked in third place.

 

Put plainly: the survey results indicate that these top compliance high-risk areas cited by the DOJ and OIG do not coincide with respondents' highest priorities.

 

Why The Mismatch?

Naturally, this leads one to ask: why, in the face of the priorities of the enforcement agencies are corporate compliance officers placing these high risk areas in a lower category priority? The report results and recommendations point to compliance officers realigning their priorities to be more in line with those set out by the regulatory and enforcement agencies.

 

As Former Inspector General, I believe that part of the reason why arrangements with referral sources may not receive as much attention by compliance officers is that many defer to their legal counsel for ongoing monitoring and auditing of arrangements. Yet, all arrangements will likely have involved (to one degree or another) legal counsel; and by definition, those involved in the development of arrangements cannot independently audit their work.  

 

Furthermore, virtually all anti-kickback and Stark law enforcement actions dealt with arrangements where legal counsel had been involved. A key point is recognizing that the arrangement contract document is only one small piece of the whole picture taken into consideration by enforcement authorities. There is much more to consider, such as:

 

  • Establishing medical need for a part time physician based on evidence
  • Designing a method to determine selection of those who will fill the role
  • Determining fair market value and commercial reasonableness for the services
  • Ensuring all the areas of the contract have been properly filled out
  • Verifying performance on arrangement before payments are made 

 

Who Conducts The Audit?

Many Compliance Officers are also concerned about their qualifications to review the claims processing system, forgetting that ongoing auditing does not need to be performed by the compliance office. And frankly, it shouldn't. The compliance officer just needs to ensure that ongoing monitoring is taking place, and by which program managers. This also includes their keeping current with payment rules, translating them into written guidance, training the staff on following that guidance, and monitoring that it is being followed.

 

The auditing can be performed by internal audit, external auditors or consultants, or any combination thereof, including staff from the compliance office. They can participate in the effort, but it can be done by others, as long as they are independent of the function.

 

For those encountering resistance to compliance oversight of the arrangements or claims processing processes, a viable option may be engaging experts in those areas to do the auditing. 

 


 For a lot more on the results of the 2018 Healthcare Compliance Benchmark Survey, register for the complementary May 9th webinar at 2pm EDT where key findings are discussed and analyzed. You may also download your complimentary copy of the survey report here. It will assist in understanding the analysis in the webinar.

 


 

Strategic Management Services, LLC, (Strategic Management) was founded over 25 years ago by Richard Kusserow, the former DHHS Inspector General. It is a pioneer in healthcare compliance and was the first consulting firm to focus on it - before the government had even issued any formal compliance program guidance documents for the industry. The firm has assisted over 2,000 healthcare organizations with regulatory compliance services, such as the development of compliance program infrastructure, evaluation of compliance programs, standard of conduct development and reviews, compliance training programs, hotline setup, risk assessments, claims data analysis, assistance with the CIA requirements, IRO duties, and litigation support.

 

 

Previous Article
Data Protection Policies and Procedures in the Workplace
Data Protection Policies and Procedures in the Workplace

Data protection legislation has been around for a long time so most organizations will have some policies a...

Next Article
Data Breach – It’s Not If, But When!
Data Breach – It’s Not If, But When!

It's not so much a case of if your organization will suffer a cyber-attack but when. It is vital that IT Se...

Join the conversation via LinkedIn

FOLLOW US