With recent years bringing about unprecedented change in the healthcare industry, Health Service Organizations (HSOs), more than ever, need to manage their risk through ensuring they maintain effective corporate compliance programs. Maintenance is key. However, just when an HSO may they think they have a solid program in place…everything changes. Well, ‘everything’ may be an exaggeration, but with the passage of the Patient Protection and Affordable Care Act (PPACA) signed into law by President Obama back in March 2010, healthcare companies certainly have to remain flexible and fluid and their compliance programs must be able to incorporate changes that do occur in a timely, accurate and responsive manner. An unstable economy, pressure to reduce rising healthcare costs and millions of uninsured Americans struggling to obtain coverage has accelerated the government’s attempt to get things ‘under control’.
The PPACA statute directly affects just about every company in the healthcare industry that provides or pays for health related services, as well as individuals and employers in general. PPACA includes numerous provisions that are being phased in over the course of several years. From expansion and access to care, to the delivery and quality of care, PPACA is sure to be followed closely to assess if the intended impact ultimately materializes. While some provisions of the statute are already in place, many of the major provisions do not take effect until 2014.
So how can entities, who have already been navigating the myriad of rules and regulations that govern the industry, now incorporate the new legislation to minimize their risk of non-compliance? Although different precautions to comply with the legislation depend upon the type of entity, the following represent five risk areas that should be taken into consideration.
Risk #1 Understanding the applicability and the timing of PPACA provisions
Reading through approximately 1,000 pages of statute may seem daunting, but the PPACA statute lays out the various titles and provisions in a relatively easy to follow format. However, with motions to repel, implementation extensions and the indirect aspects of some of the provisions on the operational, financial and regulatory aspects of HSOs, it is important for organizations to ensure they have their Compliance Officer, or other designated person, follow the sometimes daily or weekly related updates from various regulatory and legislative bodies, as well as industry experts.
Risk #2 Continued and Increased Government Scrutiny
It is well publicized that much of the funding of the new legislation has been, and will continue to be derived from the government’s success in retrieving monies through its fraud and abuse initiatives. Therefore, healthcare entities, now, more than ever need to be prepared for unannounced agency visits focused on investigating policies, procedures and practices of the organization. Additionally, PPACA has required an almost immediate turnaround (i.e., 60 days) in reporting and refunding an identified overpayment. Qui tam suits are likely to increase as disgruntled employees may take advantage of this requirement if the organization fails to adhere.
Risk #3 Reporting Requirements
The new law establishes pay-for-reporting and pay-for-performance programs. Some of these programs include pilot programs, integrated care models and Accountable Care Organizations (ACO), among others. Providers will want to ensure they are aware of the selected quality metrics that need to be monitored. They will want to ensure the performance standards can be objectively and quantifiably measured. They will be responsible for reporting information on the metrics so they can be evaluated in care delivery, patient outcomes and overall population health, as the results will directly affect their pay. Bad data or the inability to report useable data may lead to inaccurate compensation calculations and potential litigation.
Risk #4 Data Integrity and Security
Although advancing technology has tremendous benefits in the collection, compilation and use of health related information, it also leaves an organization vulnerable to documentation deficiencies, as well as potential breaches in the privacy and security of data. The industry is saturated with software programs designed to encapsulate electronic medical records, however some of these programs have been criticized for being too ‘cookie cutter’ in the capturing of information and not tailored to the specifics of the individual. Organizations should choose software carefully and continue with routine monitoring of documentation to ensure the advantages of technology do not put them at increased risk. Technology also has to be managed to track where data exists, what type of data is retained and who has access to the data. Entities, as they have been required to do through the Health Insurance Portability and Accountability Act (HIPAA), must continue with the recent legislation to have controls in place to prevent unauthorized use or release of sensitive and protected health information.
Risk #5 Expanded and Mandatory Coverage
Beginning in 2014, many states are expected to have established the health insurance exchanges. The exchanges are aimed to provide access for individuals and small employers to private health insurance plans. To avoid penalties, the plans must provide standardized benefits and cost-sharing options for those that are eligible. Annual dollar limitations on certain services, as well as exclusions for pre-existing conditions are prohibited. Plans must ensure their organizations are prepared to adhere to the new requirements or face the risks and consequences of non-compliance.
Although some of the risks identified above are new, other risks discussed above have existed for years. Unfortunately legislative changes just appear to increase the risk and pose challenges to healthcare entities with the addition of new and often unclear requirements. With the government trying to get things ‘under control’ it is no wonder healthcare companies in their efforts to maintain compliance often find themselves feeling ‘out of control’. Therefore, it is important for organizations to be informed, to stay aware of legislative changes and to recognize that compliance will always be an ongoing, evolving process.