Obligations and Expectations Surrounding Healthcare Compliance Programs

The phrase “healthcare compliance program” is commonly used to describe those processes and procedures implemented by a healthcare provider to prevent submission of erroneous claims and combat fraudulent conduct. The expectation is that providers using internal controls will more efficiently monitor adherence to legal and regulatory requirements than providers without such controls in place.[1] However, confusion remains over whether a healthcare compliance program is legally required for many healthcare providers, particularly those in clinical practice.

Some healthcare providers may believe a formal compliance program is not necessary until a clear, legal requirement is established involving detailed parameters and penalties. This perspective primarily comes from those who don’t have the time, energy or resources to implement a program unless they understand it as an enforced legal mandate tied to penalties. Understandably, the same perspective surrounded compliance with HIPAA until the 2009 HITECH Act issued a clear enforcement rule with sizeable penalties for noncompliance.[2]

Unlike HIPAA, there is currently no clear enforcement rule setting forth explicit penalties against all types of providers for failure to implement a formal healthcare compliance program. While Section 6401 of the Patient Protection and Affordable Care Act requires, as a condition of participation, that all healthcare providers participating in a federal healthcare program establish a compliance program, that mandate is subject to the Secretary of the Department of Health and Human Services (“HHS”) determining the timeline and core elements for it.[3] To date, the Secretary of HHS has not formally issued a timeline.

However, HHS through its Office of Inspector General (“OIG”) has issued significant guidance surrounding core elements of compliance programs for many types of participating providers. Beginning in the late 90s and through early 2000, HHS issued compliance program guidance for multiple healthcare providers, from physician practices to nursing facilities.[4] The OIG’s website currently contains 13 compliance resource publications and an abundance of other compliance education materials (including PowerPoints and videos for ease of understanding).[5] Just last year, OIG issued a resource guide on measuring compliance program effectiveness “to ensure that all elements of a compliance program [are] covered”.[6] This guidance and commentary make it clear compliance programs are, at a minimum, an expectation from key enforcement agencies.

Additionally, compliance program obligations were recently addressed by HHS’s Centers for Medicare and Medicaid Services (“CMS”) in the 2016 “Overpayments” Final Rule (the “Overpayments Rule”).[7] Under the Overpayments Rule, a provider is required to exercise “reasonable diligence” in identifying “overpayments”. In its commentary to the Overpayments Rule, CMS emphasized that “effective compliance programs [are] a way to avoid receiving or retaining overpayments” and, further, that “undertaking no or minimal compliance activities” could result in the government finding “a failure to exercise reasonable diligence” and a resulting violation of the False Claims Act.[8] Thus, providers who fail to implement compliance programs would have a challenging defense to the “reasonable diligence” requirements when an overpayments issue arises.

The question a provider must ask is not whether compliance programs are legally required, but whether the provider’s risk tolerance for business and individual liability is sufficient to ignore these obligations and expectations. Assuming this risk is not tolerable for most providers, the provider should focus its energy on developing a plan for an effective compliance program that is reasonable in size and scope to its practice.


[1] See Compliance Program Guidance for Individual and Small Group Physician Practices, at 65 Fed. Reg. 59434 (October 5, 2000).
[2] See the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law on February 17, 2009 as part of Title XIII of the American Recovery and Reinvestment Act of 2009.
[3] It is worth noting that, in contrast, Section 6102 of the Patient Protection and Affordable Care Act established a clear and detailed compliance program mandate for nursing facilities.
[4] See, for example, Compliance Program Guidance for Individual and Small Group Physician Practices, et seq.
[5] See Compliance Education Materials, at https://oig.hhs.gov/compliance/101/index.asp, and Compliance Guidance, at https://oig.hhs.gov/compliance/compliance-guidance/index.asp (last accessed February 2, 2018).
[6] See Measuring Compliance Program Effectiveness: A Resource Guide; HCCA-OIG Compliance Effectiveness Roundtable (Issue Date: March 27, 2017), located at https://oig.hhs.gov/compliance/101/files/HCCA-OIG-Resource-Guide.pdf (last accessed February 2, 2018).
[7] See 81 Fed. Reg. 7653 (February 12, 2016).
[8] See id.

© Copyright 2019 Dickinson Wright PLLC

About this Author

Rose Willis, Dickinson Wright, Healthcare Regulatory Matters Lawyer, HIPAA Privacy Attorney
Member

Rose's practice focuses on healthcare regulatory, transactional and corporate law in her representation of healthcare providers and suppliers and other current or prospective participants in the healthcare industry. Rose regularly counsels healthcare industry clients on matters regarding:

  • Entity governance documents such as Bylaws, Operating Agreements, Shareholder Agreements, Buy-Sell Agreements and Deferred Compensation Agreements

  • HIPAA privacy and security laws

  • ...
248-433-7584