Hospital systems knows regulatory changes created by the No Surprises Act and what to do for a successful implementation.
Continue readingPrivacy protection: When our colleagues are our patients
How can you protect personal health information (PHI), medical records, and patient communication when the provider is also the patient?
Continue readingStark Law and its revisions benefit patients
Recent changes to Stark aim to increase coordination of patient care, modernize, and clarify rules related to the law.
Continue readingFive tips to help providers comply with Stark
The Stark Law creates a whole set of antikickback rules that providers must understand and actively work to comply with. And with all its good intentions, the Stark Law is incredibly restrictive. In fact, even the U.S. Court of Appeals for the 4th Circuit noted that “even for the well-intentioned healthcare provider, the Stark law has become a booby trap rigged with strict liability and potentially ruinous exposure.”
The Centers for Medicare and Medicaid (CMS) and Congress have taken steps to clear up confusion and loosen the rules in some cases (See our article on exceptions for value-based care). Still, your Compliance team has a tremendous responsibility to make sure that policies match the rules and that providers understand and follow the policies.
Policies match the Stark rules
Changes to the Stark Law have been coming out practically since the law was enacted. The law, which aims to protect against kickbacks and self-referrals, has gotten complicated in the details. Congress issues amendments to help the law catch up to changing business practices. Healthcare organizations may have written policies that facilitated compliance originally. However, those may be completely out-of-date if they weren’t keeping up with the changes in the law.
For example, CMS has introduced modifications that addressed challenges with value-based care and resolve issues restricting coordinated care and health data exchange. Another modification to the law was allowing healthcare providers to accept cybersecurity tech donations from stakeholders.
While the compliance officer enforces the policies, he or she doesn’t have to live them the way those in operations do. Getting input from key stakeholders such as providers, Risk Management, and others in the C-suite can help ensure that final policies are clear. This early feedback and engagement can also help identify how the policy or regulatory changes will affect the individuals who must operate under them. Lastly, they can help identify potential operational conflicts with new policies or regulatory changes.
(See how YouCompli delivers model policies and procedures that help your organization comply.)
Providers following the Stark policies
With compliant policies in place, it’s time to help providers understand how to follow them. This is where communicating what certain key terms in a policy or regulation means in the context of the provider’s particular work becomes critically important.
Compliance officers know that “the road to success is going to run through quality of care,” says Harry Nelson, health care attorney at Nelson Hardiman. “Compliance isn’t the internal police that slows things down, but a strategic part of growth.” When it comes to making sure providers understand how to follow policies, the compliance officer has to look at the language of the policy from the providers’ perspective, not that of the compliance officer.
Here are five steps to help providers understand and follow Stark-compliant policies:
- Engage your operational leaders. Make sure the president and CEO understand the nature and intent behind Stark limitations so they can help explain and reinforce them. Give situational examples they can relate to so they understand what the key terminology means.
- Invest in training and communication. One email won’t do it with changes to Stark-related policies. Engage providers in small groups, in writing, and in person to explain nuances and answer questions about tricky scenarios. Whenever possible, use real-world scenarios to help illustrate how the regulations and policies impact them. Education and training should also be routine and ongoing with key stakeholders.
- Get feedback. Regularly check in to gather feedback from your leaders. Find out if the implemented tools and procedures are working for them, as well as to identify challenges they face. This step will help you see areas where the words on paper mean something the compliance officer had not thought of. Adapt procedures and tools if necessary.
- Encourage people to ask questions. Make sure providers and your operational leaders alike know they can use you as a sounding board for grey areas or possible violations. It’s much better if they proactively ask if a proposed arrangement is compliant. Otherwise, they may have to unwind a relationship if they find out it is not compliant.
- Promote awareness to prevent future mistakes. Once an error is made, chances are it will reoccur and lead to additional violations. As you are addressing errors, promote awareness to prevent future mistakes. For example, when you are communicating the fact that a mistake was made, go the extra step to what caused it. This will be an opportunity to find out where their confusion was and use that insight to update policies or training.
Stark compliance starts with knowing about changes to the regulations and continues with crafting policies that providers can understand and follow. Involving stakeholders in policy creation and training, and engaging tech systems to reinforce the lessons will support the long-term success of Stark-compliant policies.
Do you have the tools you need to recognize and manage regulatory change across your organization? Find out how YouCompli can help you manage and coordinate your response to regulatory change or schedule a demo.
Subscribe for blog updates
Take as directed: Medication compliance and the Compliance office
Working toward higher rates of patient medication compliance is a critical component of patient care. That includes communicating what the medications are, what they do, and how to take them. Providers are keen to ensure they provide clear directions and to be sure patients can pay.
It’s no wonder they take such care: Each year, about 125,000 Americans die due to poor medication adherence, according to the American Heart Associationi. Improper compliance practices come with a hefty price tag of $528 billion in annual expenses, according to a 2019 OptimizeRx surveyii.
What’s more, medication mismanagement is a strong predictor of hospital readmission rates. Individuals who failed to take prescribed medication as directed had a 20 percentiii chance of hospital readmission within 30 days, compared to 9 percentiv for patients who take meds as directed. For the compliance officer, keeping hospital readmission rates low is crucial to avoid wasteful spending, per the Centers for Medicare and Medicaid guidelines.
So many factors contribute to whether a patient properly follows through with medication instructions. Providers and administrators alike do their best to put systems and communications in place that make compliance easier. While not within a compliance officer’s direct control, there are policies and procedures that can help hospitals comply with CMS requirements to lower readmission rates. This helps facilitate better health outcomes and increased quality of life for patients.
So how can you ultimately help patients improve medication management skills? Here are a few tips you can include in your medication compliance plan to help reduce readmission rates.
Discuss side effects
Patients who experience side effects may stop taking their medication altogether; without discussing this decision with their healthcare provider.
That’s why it’s so important for doctors to discuss common and possible side effects with patients.
Work with healthcare providers at your facility about how they can discuss any treatment plan changes to lessen the chances of side effects. Make it known that the treatment plan may include adjusting the dosage or changing the medication altogether. Cut Out Distractions
According to BMC Health Services Researchv, three out of five patients often forget to take their medication.
Are distractions the main culprit? Encourage providers to discuss the importance of taking meds at the same time each day.
Maybe patients can use a cell phone alarm to set up reminders. Taking multiple medications at different times? The workaround may be to set other alarm times for numerous times during the day.
To make things even easier on patients, providers may consider prescribing once-daily medications.
Providers may consider collaborating with the patient on the best time to take the medications when distractions are at their lowest.
Money worries
Sometimes the issue of medication compliance comes down to cost. About 70 percentvi of physicians link high prescription costs to a lack of medication adherence.
To save money, they may ration meds or not take them at all.
In a study published in Circulation, viione in eight patients with heart disease didn’t take prescribed medication because of the expense.
Luckily, there are resources such as GoodRx, an app that allows anyone to shop at local pharmacies for the lowest prescription medication prices.
Doctors can also prescribe generic versions of meds whenever possible to cut back on costs.
Communicate more
Poor communication is a deterrent to medication compliance, which is in turn linked to poor health outcomes.
Fortunately, Motivational Interviewing can help. With Motivational Interviewing, health care providers are encouraged to ask open-ended questions beginning with What, Why, How, and When during discussions about medication usage. This technique is shown to improve behavioral change and adherence, as reported in Perspect Public Healthviii.
This PDF by The Motivational Interviewing Network of Trainers provides more information on motivational interviewing.
Medication compliance helps patients experience better health outcomes, reducing readmission rates and helping the hospital avoid tripping CMS’s indicators for fraud, waste and abuse. While much of the responsibility lies with the patient, hospital policies and procedures can help ensure the patient has the best possible chance to understand and comply with medical guidance.
YouCompli helps healthcare facilities know about regulations, decide if they apply to them, manage policy and procedure rollout, and verify compliance efforts. Learn more
i American Heart Association
ii OptimzieRX survey
iii 20 percent
iv 9 percent
v BMC Health Services Research
vi 70 percent
vii Circulation
viii study
Growth in Telemedicine Could Mean Trouble if You Are Not Careful
We can all agree that 2020 was a year filled with surprises. The emergence of COVID-19 brought restrictions, which made the business of healthcare even more challenging. But then came the saving grace: telemedicine!
Even though telemedicine has been around in some form since the 1900s, its popularity exploded during the midst of the pandemic. With millions of people stuck indoors due to government lockdowns, health care providers turned to telemedicine options to provide desperately needed health care.
According to Doximity, a social media networking service for medical professionals, only 14 percent of Americans utilized telemedicine before the pandemic. But since the outbreak, telemedicine usage skyrocketed by 57 percent. Among patients suffering from chronic conditions, the number of virtual care visits increased by a staggering 77 percent!
The increase in telemedicine accessibility also means healthcare providers can potentially face compliance issue pitfalls, which could land them in trouble with the United States government. Before COVID-19 became a household name, Medicare and Medicaid upheld strict rules regarding payment for telemedicine services. For instance, reimbursement for telemedicine services was limited to patients residing in areas of the country with limited healthcare.In an attempt to slow the spread of COVID-19, government payors loosened these restrictions.
Unfortunately, telehealth services’ widespread use brought an uptick in COVID-19 related scams that specifically target healthcare providers offering this service. Such illegal activity caught the attention of the Department of Justice (D.O.J.).
A primary focus of the D.O.J. is a government agency that mostly focuses on telehealth arrangements that implicate the Anti-Kickback Statute. The statute forbids transactions designed to corrupt medical judgment by rewarding referrals for Medicaid and Medicare services. In the past year, more than $4.5 billion in false claims were connected to telemedicine. And over 100 healthcare professionals were charged with submitting fraudulent claims to Medicare, Medicaid, and private insurance companies.
New changes to the Stark and Anti-Kickback Statutes that were long in the works took effect on January 19, 2021. The regulation updates are designed to eliminate regulatory and administrative barriers that hindered movement towards a value-based health care system. The updated rules also offer healthcare providers more flexibility to coordinate and improve patient care while maintaining safeguards against overutilization and inappropriate incentives.
The Stark Exceptions finalized three new exceptions for value-based arrangements between healthcare providers and payor systems like Medicaid and Medicare. These exemptions are solely based on the quality of delivered patient care instead of the volume of services. For example, healthcare providers face at least a 10 percent financial risk for failure to achieve value-based goals. In comparison, the Anti-Kickback Statute requires at least a 5 percent financial risk for value-based arrangements.
Physicians’ practices should express caution when offering telemedicine services to steer clear of trouble with the government. As with traditional in-person healthcare, it’s best to avoid doing business with third-party companies that give money in exchange for referrals.
Here are a few guidelines physicians should consider avoiding getting on the D.O.J.’s naughty list.
- Consult with counsel before entering into any outside business relationships.
- Establish guidelines for physical examinations and prescribing practices.
- Monitor the prescribing habits of their physicians and nurse practitioners.
- Adopt data analytic tools to identify any abnormal billing behavior.
Physicians considering telemedicine should also consider the following tips to stay compliant.
Practicing Telemedicine Across State Lines.
Usually, state governments require practicing physicians to conduct telemedicine sessions within the state they are licensed. But in some states, this stipulation is relaxed due to COVID-19 to make healthcare more accessible. But physicians must contact their state’s medical board for updated information concerning this topic.
Informed Consent.
Healthcare providers are still expected to obtain consent before providing telehealth services. Besides requesting written or verbal consent from patients, providers should make patients aware of the risks and benefits of receiving telehealth services.
Use Caution When Prescribing Medication.
Because of COVID-19, the Drug Enforcement Administration (D.E.A.) allows registered practitioners to use prescribed medication to patients via telemedcicine technology. Physicians must adhere to the following conditions:
- Prescribed medication(s) must be for a legitimate medical purpose.
- The telehealth session is conducted using a two-way, audio-visual, interactive communication system.
- The practitioners must practice healthcare within Federal and State law.
Only time will tell whether or not telemedicine will continue to grow in the upcoming months. But doctors should continue to use caution when using this technology to serve the public.
See YouCompli in Action
Easier, faster, more effective compliance is possible
Organization Liability: Types of Risk (Part I)
Risk is an important concept for compliance professionals working in the healthcare space to understand. After all, there are many times where risk and liability have crossover to compliance.
For example, in response to a suspected email or electronic health record breach, compliance and risk professionals will need to work together. This work will include:
- Evaluating the breach
- Reporting to the insurance carrier
- Collaborating with a breach coach or legal team to ensure the investigation meets legal requirements and timelines
- Collaborating with the information technology team and a forensics firm to ensure risk mitigation strategies are implemented and effective
And so on.
Generally speaking, healthcare compliance professionals should have a good working knowledge of organization risks and liabilities, as well as risk mitigation strategies.
This raises two important questions:
- What areas of risk do healthcare organizations face?
- What are the potential liabilities related to unmanaged or poorly managed risk?
Areas of Risk for a Healthcare Organization
Areas of risk for a healthcare organization are vast, and can involve injury to persons, property and reputation. Several areas of risk include:
Patient safety risks
These include near misses, which are mistakes which almost make it to the patient, as well as events or incidents that do make it to the patient, causing the patient to experience an unanticipated outcome such as a longer hospital stay, disability or death.
For example, a nurse may realize before giving a vaccine to a child that the adult vaccine and dose was drawn up in the syringe instead of the pediatric vaccine and dosage. This would be a near-miss. Along those same lines, a mistake occurs if the adult vaccine dose is actually administered to the child and an allergic reaction occurs.
Operational risks
These include such things as business interruption or supply chain issues. Business interruption incidents may include fire, flood, or pandemic. If the electronic medical record system goes down, and staff have to chart by hand on paper, this would be a business interruption. Supply chain issues can occur due to higher than normal demand or decrease in output by the manufacturer. If an organization cannot obtain needed supplies – such as hand sanitizer or surgical masks – that would be an example of a supply chain issue.
Legal risks
These typically involve lawsuits filed against the organization. Most commonly, lawsuits result from allegations of inappropriate employment practices or medical negligence or malpractice. For example, if a child had an allergic reaction after receiving an adult dose of a vaccine and unfortunately passed away, the parents may file a lawsuit alleging medical malpractice or negligence on behalf of the organization, the provider or the nurse who administered the incorrect vaccine.
Insurance risks
Insurance risks generally stem from a lack of adequate or appropriate insurance coverage or failure to transfer risk. Insurance risks can also connect to legal risks, which can stem from contracts with inadequate risk transfer or failure to conduct due diligence to vet the vendor. In the case of a pandemic, healthcare and other organizations may not have realized that pandemics and resulting business closures may be excluded from their business interruption insurance policy.
Human capital risks
These encompass the inability to hire, contract or retain appropriately trained staff. A lack of ICU level nurses causing staffing shortages would be an example. Human capital risks can also include professional board or licensing complaints against the organization’s doctors, nurses, therapists, or other licensed staff.
Reputational risks
Reputational risks are often forgotten or invisible to an organization until a bad event happens and it is announced to the public – at which point it is too late.
Reputational risk used to be limited to bad publicity which was published in print or reported on television. However, with the increased acceptance and use of social media, reputational risks are more far-reaching than the local newspaper or evening news program, and could potentially have national reach and negative impact on the organization . A newspaper may not run a story about a child who received an incorrect vaccine, but the child’s mother could post to Facebook or other social media platforms that the organization and providers are terrible and not to be trusted.
Practice Tips:
- Schedule a meeting with your insurance broker to evaluate your insurance policies by product line (i.e., general liability, property, cybersecurity, etc.) to ensure the organization is adequately covered to protect against most business losses.
- Educate staff to ensure they know how and where to report near-misses and mistakes that occur in the organization.
- Work with Risk Management to conduct a risk assessment to evaluate organization risks and implement mitigation plans.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.
Sign-up for the YouCompli Blog to Stay Up to Date on Compliance Related News!
Manage your healthcare regulatory change process effectively and efficiently
YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.
Risk and Compliance in Healthcare Organizations: The Department of Justice’s 2020 Guidance on Corporate Compliance Programs
The Department of Justice has just issued updated Guidance on the evaluation of corporate compliance programs. This document is the latest in a series of Guidance documents (prior versions were issued in 2017 and 2019) issued by the DOJ to assist prosecutors who are investigating potential criminal acts in business organizations. What implications does this have for healthcare compliance?
When it comes to healthcare organizations, the DOJ will typically defer to the agencies with specific healthcare responsibility, such as the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services (HHS). However, the DOJ guidelines are often relied upon as a “best practice” for developing a corporate compliance program, including a healthcare compliance program. The DOJ is also likely to incorporate healthcare-specific guidelines (such as the Seven Elements of an Effective Compliance Program) along with its own Guidance documents, rather than defer entirely to another agency.
DOJ Guidance Documents Explained
Generally speaking, the DOJ issues these guidance documents in an effort to show transparency to both organizations and attorneys. The intent is essentially prophylactic — that is, here’s what we’re going to be looking for, so make sure that you’re following this; and if you aren’t, you can’t be surprised that we’re asking.
This guidance document is slightly unusual in terms of its strength and scope. It provides all federal prosecutors with a strong mandate to assess and evaluate all aspects of a compliance program, regardless of the industry or nature of the putative misconduct. In other words, as part of a broader criminal investigation, the DOJ will review a compliance program, and use this document to guide their investigation into whether that program was at a sufficiently high standard — or not.
There are three overall questions on which this Guidance is built, along with a number of more specific inquiries to guide prosecutors in determining what, if any, consequences should be applied to the organization. These could include prosecution, monetary penalties, and additional compliance obligations (such as reporting).
Question 1: Is the compliance program well-designed?
The Guidance makes specific reference to a formal risk assessment and resource allocation process. This not only means that a compliance program must start with a risk assessment, but risk assessments must be reviewed and updated periodically, and updates must be made to policies, procedures and controls as necessary, throughout the organization.
The Guidance spins out a number of other specific requirements as well, such as training and communication, and reporting and internal investigations. The punchline, though, is that everything comes out of the risk assessment. Every process and procedure that makes up the compliance program must be aligned with the risks identified by the ongoing risk assessment process.
This means that, at a bare minimum, it is essential that a good compliance program have a strong risk assessment behind it. That assessment must be revisited at regular intervals, and changes in internal controls will need to be regularly made.
Question 2: Is the program effectively implemented?
The DOJ is distinguishing here between what we could call a “real” program, as compared to a “paper” program. In other words, are there appropriate resources to make the program function the way it was designed? Does senior management buy in to the program, and endorse it at a cultural level throughout the organization?
While a risk assessment is where a compliance program begins, the Guidance makes clear that it is in ongoing management and implementation that a compliance program comes to life. Without significant time and resources invested to build the compliance program into the way the organization functions, the program is not going to be sufficient, and the organization will vulnerable to potential penalties.
Question 3: Does the program actually work?
This backward-looking question is intended to assess whether the program was well-designed and well-implemented for the particular organization within which it operates. That is, if misconduct has occurred, was this because the program wasn’t the right program for this organization? Or was the program functioning well, and the misconduct resulted from something else? (DOJ acknowledges that no compliance program will ever prevent every incident of misconduct.)
What DOJ is ultimately looking for here is whether the program changes over time, in response to changes in the organization. If there is misconduct, is it investigated? Are opportunities identified for improving the compliance program to prevent the misconduct in future? Have these remediation efforts actually been implemented? And so on.
Best Practices
Overall, the DOJ has provided a set of clear guidelines that should be used to not only develop new compliance programs, but assess existing ones. Programs which do not live up to the DOJ’s requirements on risk assessments, program implementation, and continuous improvement are more likely to be found to be inadequate. And an inadequate compliance program leaves a healthcare organization at risk.
See YouCompli in Action
Easier, faster, more effective compliance is possible
Worker Fatigue and the Potential Negative Impact on Compliance
When workers get fatigued, what is the impact on compliance?
We all know that, during a normal workday, workers can get fatigued. Fatigue can come from a variety of sources, including personal and professional challenges or stressors. Mental fatigue specifically occurs when there is a need to process overwhelming amounts of new data or information.
The impact and stressors of working during a pandemic can make this worse. Mental fatigue is exacerbated because there is so much new information to cull through on a daily (sometimes more frequent) basis. Combine this information overload with rapidly changing pandemic recommendations and guidelines, and it’s no wonder that workers are becoming more fatigued.
Effects of Fatigue
Memory and performance both decline when a person is mentally fatigued, which can lead to non-compliant behaviors and actions. This happens because fatigue decreases the ability to make new, short-term memories. Lack of short-term memories prevents the formation of long-term memory knowledge. And a person simply cannot recall information which has not been transferred to long-term memory. In this way, fatigue decreases the ability to recall information – whether recently learned or already known.
For example, if the organization has not previously billed for telehealth visits, a fatigued coder may not remember the education that was provided regarding telehealth documentation requirements or the codes applied to these visits. Moreover, the coder may have difficulty recalling in-person visit codes or coding modifiers. When these effects of fatigue happen, coding compliance will decrease.
Mental and physical fatigue can affect worker performance in other ways. Think about the last time you did not get a good night’s sleep. At work the next day, all you can think about is drinking more coffee or taking a nap or going to bed early that night.
Signs of this kind of fatigue include decreased awareness or a general decrease in interest with respect to work or job tasks. Other signs of fatigue include changes in judgment or decision-making. Take, for example, an employee who is usually very engaged on the job, but unexpectedly shows up late for a scheduled meeting. During the meeting, the employee is unusually quiet and provides limited feedback. If that employee’s knowledge and feedback are necessary to make a critical compliance-related decision there would be not only a negative effect on compliance, but potentially a negative effect on the entire organization.
Compliance Fatigue
There is also a form of specific compliance fatigue – where people are overwhelmed and wearied by the numerous adherence requirements in healthcare policies and procedures and rules and regulations. This combines with mental fatigue, which inhibits the ability to remember and follow these policies and procedures, which is the cornerstone of good compliance.
Employees may know and understand policies and procedures addressing HIPAA. For example, they must use encryption when emailing protected health information (PHI) or personally identifiable information (PII) or payment card information (PCI). Similarly, in the course of their work, they must exercise heightened caution before clicking on links embedded in emails. If they are experiencing fatigue, the possibility of compliance failures increases.
As physical, mental and compliance fatigue increase the potential for job related mistakes, they conversely decrease worker compliance. The overall impact of worker fatigue can have very real and negative impact on compliance ranging from simple mistakes or lapses in judgment to catastrophic errors related to breach of PHI/PII or PCI.
Practice Tips
Encourage supervisors to regularly meet with their staff to evaluate the level of information fatigue or physical fatigue. If possible, conduct education and feedback sessions to help the team talk through fatigue challenges.
Utilize resources, such as youCompli, to assist the team in staying current with healthcare compliance related changes to guidelines, regulations and laws, and managing compliance-related workflows automatically.
Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.
Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.