• Section 3: Navigating the Regulatory Maze

    Nov 01, 2011

    Recognizing the risks associated with an increasingly complex regulatory environment, providers are heading off potentially devastating fallouts by allocating time, attention, and capital to compliance efforts.

    Even as they make major investments in care delivery changes and absorb reimbursement cuts, providers are having to devote scarce resources to complying with ICD-10, RACs, HIPAA, Stark, and numerous other regulations and enforcement efforts.

    Many of these regulations promise to protect patients, as well as providers and payers, from fraud, data breaches, or other unintended harm. Others are designed to enhance transparency around quality and costs or improve clinical and claims reporting.

    This is Section 3 in the Fall 2011 Leadership report, Managing Business and Clinical Risks.

    Return to the full Leadership report  

    It's hard to argue with these goals. But the devil is in the details, as they say, especially for providers that have to ensure that they dot every "i" and cross every "t" to avoid potential financial penalties associated with noncompliance.

    The answer, according to the providers in this section, is preparation and vigilance. While the four case studies in this section focus on divergent regulatory requirements, some commonalities can be found in the providers' approaches.

    • Driving compliance in a top-down fashion with senior leaders providing visible and frequent support
    • Focusing on how a regulation coincides with the provider's quest to improve quality and reduce costs
    • Devoting dollars, staff, and time to the compliance effort
    • Collaborating directly with regulatory or enforcing agencies, when necessary, to determine the most appropriate response
    • Studying how the regulation is being enforced-and how other providers are being affected
    • Enlisting key stakeholders from service lines, departments, and units affected by the regulation in developing a multidisciplinary compliance approach
    • Developing organization-specific policies and procedures, training materials, and other tools to help ensure compliance
    • Using risk analysis and root-cause analysis to determine how the organization may be at risk of noncompliance-and/or determine targeted corrective actions to decrease the likelihood of repeat problems

    Case Study

    Preparing for ICD-10

    When Deborah Beezley, director of health information management at St. Anthony's Medical Center in St. Louis, invited hospital managers to a meeting about a new medical coding system, she knew how to get their attention.

    Her message: Healthcare providers that do not adopt the new coding system by Oct. 1, 2013, will be unable to submit claims or receive payments from government or private payers.

    "It was one of those situations where I sent an email out and people listened," she says.

    Everyone invited to that December 2010 kickoff meeting for St. Anthony's implementation of the ICD-10 coding system showed up, and the hospital is now nearly through the first of a four-phase, three-year roadmap to hit the 2013 deadline.

    With all the other changes in the healthcare industry in the next few years, it is unfortunate timing that America's diagnostic and procedure classification system must be overhauled at the same time. But the deadline has been postponed repeatedly, and knowledgeable providers know better than to expect additional delays.

    The ICD-10 medical coding system, endorsed by the World Health Organization in 1990, has already been implemented by virtually every other industrialized nation. The United States has continued to use ICD-9, but that system is running out of numeric capacity to expand and can no longer adequately support the information needs of today's healthcare system.

    The ICD-10 system has more than 68,000 medical codes, compared to about 13,000 in the current ICD-9 coding system. But the scope of implementing ICD-10 is far greater than simply mastering new codes; the new system will affect a vast array of financial and operational processes, requiring careful preparation by a wide group of stakeholders.

    That is why St. Anthony's CFO John Skeans advises hospital leaders to realize this issue cannot be postponed. "If you haven't begun the process of planning and implementation for ICD-10, begin now and expect to be playing catch-up."

    Getting started.
    Beezley's first step-almost a year ago-was to create a 10-page executive summary designed to educate St. Anthony's senior leaders about the importance and scope of the ICD-10 implementation.

    Those top leaders are key to maintaining the visibility of the ICD-10 project as an organizationwide priority. "During regular monthly manager meetings and leadership retreats, they continue to mention and discuss this project as a critical milestone that has to be met," says Beezley.

    CFO Skeans monitors the ICD-10 project's progress on a monthly basis and ensures that Beezley's team has the support it needs from senior leadership.

    The purpose of the kickoff meeting for about 45 senior leaders and managers was to engage the support of leaders in meeting the 2013 deadline. Just because the coding change has been anticipated for decades does not mean it was on everyone's radar screen. "It was really amazing to me how many ancillary and support department directors were unaware of the change that was coming," says Beezley. "It became one of those big eye-openers for our facility."

    St. Anthony's ICD-10 steering committee includes representatives from all departments that will be affected by the coding change, including patient accounting, risk management, information services, and clinical operations (see the exhibit below).


    Beezley asked each department head to assign individuals to the steering committee who have experience in change management and understand revenue cycle issues.

    Among other things, the steering committee ensures that several overarching considerations are being addressed.

    Managing information system resources. Like many hospitals, St. Anthony's is adopting a new electronic health record (EHR) this year, which is obviously a top priority for IT staff. Adopting the ICD-10 coding system will also require significant IT support, so planning ahead is essential to ensure staff resources are available.

    Capital and operational budget for ICD-10 conversion. St. Anthony's goal is to have the ICD-10 conversion budget in place by December 2011. In addition to IT costs associated with the conversion, Skeans is budgeting for a long list of internal costs, including

    • Staff training
    • Extra labor costs (e.g., temporary staff) to support coding staff while they are being trained and gaining experience with the new codes
    • Legal costs involved in updating vendor contracts to ensure they comply with the new coding system
    • Updated encoding software
    • Costs of modifying information services systems to accommodate new code sizes
    • ICD-10 coding books and resources, such as anatomical software or charts, that coders will need to code with greater specificity

    "These costs equate to additional expenses at the same time we are experiencing decreased reimbursement," he says.

    Education and training. Because the new codes are more numerous and more specific, medical coders are likely to need additional basic education about anatomy, physiology, pharmacology, and surgical procedures in addition to training on the new codes.

    In addition, physicians and nurses will need to be trained to provide more specific documentation to support the new codes. Other staff requiring job-specific ICD-10 training include those in the patient financial services, patient access, scheduling, compliance, and legal departments.

    Data reporting and exchange.
    Medical codes underlie many data-driven functions and reporting, such as business intelligence and decision support, performance metrics, claims billing, clinical research projects, and tumor registries, says Beezley. "A personal concern that I have is how the ICD-10 conversion is going to affect reports and outside data transfers," says Beezley. Thus, St. Anthony's ICD-10 steering committee is paying close attention to ensure that the coding conversion does not jeopardize any ongoing data collection, analysis, and reporting.

    Engaging stakeholders. While those hospitalwide concerns are being addressed, Beezley is systematically going department to department to help managers think through how the ICD-10 implementation will affect all aspects of their operations.

    During hour-long interviews with about 25 departments that use medical codes, Beezley is asking a series of questions designed to uncover specific ICD-10 to-do items related to training, software conversions, internal and external reporting, and budget needs. Responses are recorded in a detailed spreadsheet that will be used to create the work plan for a smooth conversion to the new system.

    "This is a good time to stress one-on-one with each department what exactly is needed to implement ICD-10," she says. "People are beginning to understand the critical nature of this initiative, and we are gaining tremendous input into what we need to accomplish to ensure a successful conversion." 

    Case Study

    Avoiding HIPAA Violations

    Like every good healthcare compliance officer, George Rousis at Halifax Health, a two-hospital system in Daytona Beach, Fla., has his eyes trained on the U.S. Office of Civil Rights (OCR).

    The OCR, responsible for enforcing provisions of the Health Insurance Portability and Accountability Act (HIPAA), has been very busy this year. As of mid-July, it had issued three enforcement actions against health systems, each of which had big dollars attached. In comparison, there were only two enforcements in 2010, and just one in each of the two previous years.

    This is just the beginning. A recent audit of seven hospitals by the U.S. Office of the Inspector General (OIG) found so many security problems related to electronic patient health information that the OCR has launched investigations into each hospital. In response to the OIG's scathing report of security oversight, the OCR has contracted with a consultant to conduct 150 audits of hospitals and other covered entities by the end of 2012.

    Halifax Health, which has some 4,000 employees who can potentially access patient information, has not had a formal complaint lodged against it in two years. However, the health system has been contacted by the OCR six times in eight years to investigate complaints. Despite these interactions, Rousis is not nervous about the agency's stepped-up enforcement activity. "I have never dealt with an investigator who I thought was totally unreasonable," he says.

    However, Rousis believes the OCR's new aggressiveness sends a message to all providers: HIPAA compliance must be a top priority.

    Understanding the risks. OCR is responsible for enforcing the HIPAA privacy rule, which protects the privacy of personal health information that identifies individuals, and the HIPAA security rule, which sets standards for the security of electronic health information.

    Health systems must perform a risk assessment to ensure they are in full compliance with the HIPAA security rule, although the frequency and scope of those assessments is not specified in the rule. A risk assessment is also required for EHRs to meet the Stage 1 meaningful use criteria.

    In addition to the formal assessment that is conducted every few years, Halifax Health hires an outside consultant to conduct reviews to ensure that its HIPAA compliance plan is effective. "The risk assessment is going to tell you where you are most vulnerable," says Rousis.

    For example, a recent risk assessment identified Halifax Health's need to protect patient information that could potentially leave the health system's premises. "Laptops, cell phones, USB flash drives, and all other mobile devices-in addition to paper-that leave the premises has become a high priority," he says.

    For that reason, Halifax Health is using encryption technology to help ensure that patient-specific data cannot be accessed on computers and mobile devices in the event of a loss, theft, or other security breach. In addition, Halifax Health has adopted policies that prohibit employees from transmitting a patient's personal health information onto any device-either corporate or personal-without encryption or other safeguards. Staff are also being trained to understand that they must have explicit approval from a supervisor before they take or send any patient information off the premises, such as to an external auditor or other business associate.

    The health system's policy also delineates the internal process for reporting and addressing possible breaches of portable data, including how investigations will be conducted. The policy requires an analysis of the root causes behind the breach and implementation of corrective actions that will decrease the likelihood of a repeat problem.

    The biggest challenge to complying with HIPAA rules is the human factor, says Rousis. "This makes administrative policies especially challenging to monitor and enforce because you must rely on humans to do the right thing, or be aware of when they are acting imprudently," he says. "With a technical safeguard like encryption, you can obtain virtually absolute assurance that information is inaccessible to anyone other than the person that has the decryption key. But even with encryption, we must rely on humans to set it up properly, and keep their passwords secret."

    Learning from others. While compliance officers are working to protect their organizations against theoretical HIPAA violations, healthcare executives should familiarize themselves with actual cases that resulted in financial settlements or penalties. Rousis urges top leaders to read the OCR's enforcement actions (available on the OCR website) because these cases document how poor judgment by staff members can turn into huge payouts by health systems.


    "CEOs need to know what is in the HIPAA enforcement cases, and then ask the question: 'Could this happen to us?'" says Rousis. "If I was a CEO, I would want to know what my organization is doing to prevent similar breaches of personal health information."

    Hospital executives should also study the OIG report that prompted the government to initiate its new audit program. In the OIG's audits of seven large hospitals, 151 "vulnerabilities" were identified, of which 124 were categorized as high impact. These included unencrypted laptops and portable drives that contained personal health information, outdated antivirus software, unsecured networks, and the failure to detect rogue devices intruding on wireless networks (OIG, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, May 16, 2011).

    "The OIG has already identified the security weaknesses found at hospitals during its own audits," says Rousis. "A good place to start is to have your team look at those and report back how they are addressing them in your own shop."

    Case Study

    Avoiding Anti-Kickback Violations When Partnering with Physicians

    The opportunity to earn a 5 percent bonus through an insurer's pay-for-performance program intrigued leaders at Borgess Medical Center in Kalamazoo, Mich. But they knew the money would be earned only if the hospital successfully engaged physicians in quality improvement initiatives-and that sharing the bonuses with physicians could risk violating the anti-kickback and civil monetary penalty statutes.

    These two statutes-along with Stark regulation-are designed to discourage physicians from allowing their personal financial considerations to influence their decisions about patient care, including their referrals to hospitals and other providers.

    Borgess undertook a lengthy process of seeking an opinion from the U.S. Office of the Inspector General (OIG): Could Borgess create a structure that allows medical staff physicians to share pay-for-performance incentives without violating federal law?

    OIG's answer was yes-but that decision applies only to Borgess and comes with specific requirements. "You can use prior OIG opinions for guidance but you can't assume that if Organization A got an OIG approval, then Organization B automatically gets the same thing," says J. Patrick Dyson, Borgess Health's executive vice president. "It's probably advisable to get your own opinion and play it safe."

    Seizing an opportunity. Since 2006, Blue Cross Blue Shield of Michigan (BCBSM) has offered hospitals the opportunity to earn a bonus of up to 5 percent on total inpatient, outpatient, and rehabilitation payments if the hospitals achieve quality and efficiency goals.

    Borgess wanted to incentivize physicians to improve the quality of care-and increase Borgess' chance of earning the pay-for-performance bonus-by allowing the physicians the opportunity to share the money. The hospital decided to create a limited liability company that would, ultimately, be owned by participating physicians.

    The purpose of the company-Borgess Quality Improvement Partners LLC, or BQIP-is to provide opportunities for physicians to work on hospital quality initiatives and to receive and distribute up to 50 percent of financial rewards that Borgess receives for its performance on quality measures.

    Getting the opinion. Winning the OIG's approval for its plan required considerable effort, but Dyson was pleased with the experience and the result.

    "It was a give and take that was constructive and respectful," he says. "It was two parties working together to come to a solution."

    That said, getting the OIG approval took a long time-and cost about $25,000 in legal fees. The hospital started by submitting a proposal of how it wanted to set up BQIP, based on its understanding of regulations that govern relationships between hospitals and referring physicians.

    "The OIG identified some concerns and apprehensions," says Dyson. "That enabled us to engage, through our legal counsel, in direct discussion with the OIG, saying, 'Can we find ways to address your concerns?'"

    One of the OIG's concerns was that physicians would be enticed to change their referral patterns simply to participate in BQIP and share the potential bonuses. For that reason, the BQIP documents were written to require that physicians must be on Borgess' active medical staff for one year before they can join BQIP.

    Borgess also wanted to ensure the physicians in BQIP were really pursuing quality improvement. So each BQIP member must spend four hours a month working on quality improvement initiatives at the hospital. The quality indicators included in the BCBSM program are all included in the Specifications Manual for National Hospital Quality Measures, which includes measures that have been approved by The Joint Commission and the Centers for Medicare & Medicaid Services (CMS).

    Borgess changed the terms of its program over the next 19 months. In October 2008, it became the first hospital to receive OIG approval to split the financial rewards of an insurer's pay-for-performance program with a broad group of physicians on its medical staff who help Borgess achieve quality targets-and it remains the only hospital to enjoy that status.

    Building in safeguards. Today BQIP includes 26 physicians, each of whom provided a $2,000 capital contribution to participate. Additional physicians are expected to join this year, says Dyson.

    The hospital contracts with BQIP to share a portion of quality incentives it receives (see the exhibit below). The physicians are eligible for up to 50 percent of bonuses that Borgess receives for quality performance, but-to ensure they are not overly focused on cost-cutting-they can receive none of the incentives that the health system receives for efficiency measures, as per the OIG opinion.


    The bonus money is distributed among BQIP members based on the number of physicians in the LLC, not based on the number of patients an individual physician refers to Borgess. "This was a safeguard to make sure somebody's not motivated to shift volume purely for the incentive," says Dyson.

    Case Study

    Preparing for Value-Based Purchasing

    Value-based purchasing is the government's boldest move yet to reward hospitals that provide high-quality care-and penalize those that do not. Hospitals that score well on 21 performance metrics that are publicly posted on the Hospital Compare website (12 clinical process measures and nine patient experience measures) will receive incentive bonuses from CMS.

    The catch: The program will be funded in its initial year by a 1 percent DRG payment reduction. So any hospital that does not earn a quality bonus will, in effect, be financially penalized. In subsequent years, the DRG payment reduction will gradually increase, while the amount of the incentive payments and the number of performance measures evaluated will also increase.

    Ascension Health has calculated its financial risk associated with CMS's value-based purchasing program. Based on a snapshot of its 70 acute care hospitals, Ascension Health-which posts revenues of more than $15 billion a year-might expect a financial hit of about $928,000 when the CMS introduces value-based purchasing in October 2012.

    However, if just eight Ascension Health hospitals improve their performance on quality measures and patient satisfaction in 2012-and earn quality bonuses-that small negative number could be turned into a small positive, says David Pryor, MD, Ascension Health's chief medical officer.

    Focusing on the main issue. "The overall financial impact to Ascension Health will likely be relatively small," says Pryor. "But if you focus only on the overall financial impact, you miss the bigger picture."

    That bigger picture is that value-based purchasing is just one of many government and private payer initiatives that link quality to payment. The even bigger picture, in Ascension Health's view, is that improving quality reduces a health system's expenses, which may have a much more significant impact on its financial performance.

    That is why the calculation of a potential $928,000 hit from CMS's value-based purchasing program does not, in and of itself, drive an action plan. Rather, Ascension Health continues to work its quality program for reasons only strengthened by the theoretical CMS paycheck.

    "The far more important issue is the organization's overall approach to improving quality," says Pryor.

    Like many health systems, Ascension Health internally reports Hospital Compare measures for all its hospitals on a monthly basis, so leaders of each hospital can see how they compare to one another and to national benchmarks and work to improve on the facility's shortcomings. As shown in the exhibit below, Ascension Health staff follow a continuous four-step process to improve performance on Hospital Compare measures (see the exhibit below).


    Calculating the financial benefits. Ascension Health launched an aggressive quality initiative in 2003-well before payers were offering financial incentives tied to quality-and is saving 1,500 lives each year because of it (Pryor, D., et al, "The Quality 'Journey' at Ascension Health: How We've Prevented at Least 1,500 Avoidable Deaths a Year-and Aim to Do Better," Health Affairs, April 2011, pp. 604-611).

    The health system started by choosing eight priorities for action, developed a set of evidence- based interventions to address each of these priorities, and disseminated the practices to all its hospitals. For example, to reduce the incidence of pressure ulcers, Ascension Health nurses adopted the standardized use of the S.K.I.N bundle: (S)election of appropriate surfaces, (K)eep patients moving, (I)ncontinence management, and (N)utrition management and hydration.

    Despite-or perhaps, in part, because of-its investment in patient safety, the Catholic health system is also financially robust: Earlier this year, Ascension Health announced a deal to acquire a four-hospital system, bringing its total to 73 acute care hospitals.

    After eight years of intense focus on quality improvement, the health system has some concrete examples of how improved quality translates into improved financial performance; for example, its malpractice costs declined by 36 percent between FY05 and FY10.

    However, calculating the cost-effectiveness of many individual quality programs is elusive, says Pryor. "We can point to examples that illustrate a direct tie between improving quality and reducing our overall operational costs. However, this is not the case with every quality improvement."

    Unable to cast "higher quality equals lower costs" in stone, Ascension Health has adopted a divergent philosophy: "Fundamentally, we as an organization believe that good quality is also good business," says Pryor.

    Return to the full Leadership report