Evolving compliance risks that should be on your radar

June 21, 2019 1:57 am

Ongoing changes in regulations, payment and patient care sweeping the nation’s healthcare system are raising the compliance stakes for hospitals, making it more important than ever for them to address evolving compliance concerns. Noncompliance not only puts patient lives in jeopardy but also could cause lasting reputational damage, penalties and fines, straining an organization’s finances and undermining its foothold in the industry.

The most relevant compliance program is one that is both multidimensional and adaptable, with a goal of getting in front of evolving risks via full collaboration with functional areas focused on improving clinical outcomes, such as care delivery, case management, quality and patient safety.

The evolving risk landscape

Clearly long-standing critical areas of focus for any compliance program include Stark Law, the anti-kickback statute, coding/billing and privacy and security. In addressing these areas, hospitals should be fully informed on the essential elements of effective compliance outlined in 2005 by the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG).a

Yet it also is critical that hospitals recognize and address evolving areas that can present even greater compliance risks. The best-practice approach is to mitigate the legacy risks through hardwired, data-driven controls and monitoring, thereby affording the organization more time to focus on the following evolving areas, which pose significant unprecedented compliance risks.

See related sidebar: Signs and symptoms to watch for in evolving compliance areas

Quality of care. Quality of care perhaps is the most pressing area of evolving risk. The OIG is intensifying its scrutiny of quality-of-care issues, as evidenced by the uptick in the number of corporate integrity agreements it has entered to resolve False Claims Act (FCA) allegations involving the quality of patient care. The OIG’s action also includes the release of reports in 2018 on quality-of-care issues in long-term care hospitals and hospices.b

The shift in payment models has significant compliance implications. Quality of care is becoming more tied to payment as value-based purchasing gains footing, whereas quality was much less of a compliance focus under the fee-for-service payment model.

When it comes to quality of care, the compliance program should connect with the entire hospital on matters such as identifying and preventing infections, addressing the problem of bacterial resistance and ensuring surgical safety.

A case involving a large teaching hospital underscores the need for the compliance function to actively engage with every department throughout the hospital, including ensuring clinical staff receive critical training regarding the compliance aspects of adverse patient safety events.c After a restrained patient died in the psychiatric emergency department, the clinical area failed to notify the billing department of the death, leading to a false claim. It also did not notify the Centers for Medicare & Medicaid Services (CMS) of the reportable safety event, compounding the damage. Compliance involvement in these areas could have led to a more coordinated and timely response.

There are many other examples of poor-quality care resulting in false claims settlements and significant fines. In February 2019, a skilled nursing facility chain agreed to pay more than $18 million for “billing the Medicare and Medicaid programs for grossly substandard nursing home services.”d The allegations against the company included failures to administer medications as prescribed, to provide standard infection control, to furnish wound care as ordered, to take steps to prevent pressure ulcers and to meet residents’ basic nutrition and hygiene requirements. The company entered into a quality-of-care corporate integrity agreement.

Medical necessity is another quality-of-care issue that now warrants compliance attention. Historically, third-party payers have been satisfied that a given procedure is medically necessary when a physician says it is necessary. This assumption increasingly is being challenged, with hospitals even being accused of filing false claims based on a physician’s determination of medical necessity.

In 2015, for example, Millennium Health agreed to pay $256 million to resolve allegations that it systematically billed federal healthcare programs for excessive and unnecessary urine drug testing from Jan. 1, 2008 through May 20, 2015.e More recently, in 2018, a Florida company that manages nearly 700 hospital-based wound care centers in the United States agreed to pay up to $22.51 million to settle allegations that it violated the False Claims Act by knowingly causing centers to bill Medicare for medically unnecessary and unreasonable hyperbaric oxygen therapy.f

Patient abuse. The OIG’s work plan includes a focus on preventing patient abuse, specifically in long-term care and nursing facilities. This focus likely is, at least in part, a response to horrific stories of abuse in the media, such as the case of a woman in a vegetative state at a private nursing facility in Arizona who gave birth in December 2018, allegedly as the result of rape.g A 2017 CNN investigation found “the federal government has cited more than 1,000 nursing homes for mishandling or failing to prevent alleged cases of rape, sexual assault and sexual abuse at their facilities” between 2013 and 2016.h

OIG reviews also have shown problems with quality of care and the reporting and investigation of potential abuse or neglect at group homes, nursing homes and skilled nursing facilities.i The OIG is working to uncover incidents of potential abuse or neglect and determine whether these incidents are reported and investigated in accordance with applicable requirements. In response to some of this work, CMS has added reporting requirements to training courses and has issued supporting interpretive guidance and training to its surveyors. The OIG has encouraged CMS to impose civil monetary penalties and exclusion provisions for reporting failures, further necessitating compliance involvement.

A hospital’s or health system’s compliance program should include measures to address such compliance concerns, including steps to ensure post-acute-care owned entities and partners are fully compliant in this area.

Quality reporting. Quality reporting requirements continue to change and evolve, necessitating constant vigilance. The requirements also are playing a larger role in payment, through avenues such as the Medicare Access and CHIP Reauthorization Act of 2015 and CMS’s Hospital Value-Based Purchasing Program, Hospital-Acquired Condition Reduction Program and Hospital Readmission Reduction Program. Thus, what may seem like minor reporting missteps could substantially affect revenues, whether through penalties or reduced incentives or through incentives to which the organization is not entitled.

A hospital’s compliance program should stay up to date on the numerous reporting requirements and the data collection and other processes and procedures being used to satisfy those requirements. Testing and validation of the processes and related internal controls are vital to mitigate the risk of lost dollars for false reporting.

Emergency preparedness. In 2016, CMS issued its final rule on emergency preparedness outlining the requirements for every type of provider and supplier.j Among other things, hospitals are expected to do the following:

  • Conduct risk assessments
  • Maintain emergency plans and communication plans
  • Establish policies and procedures based on the plans and risk assessments
  • Implement training and testing programs

There also are annual requirements, such as annual participation in a full-scale facility- or community-based exercise, and compliance is required for Medicare and Medicaid participation.

Case management. Because case management is intended to promote cost-effective, high-quality outcomes, it has both clinical and financial aspects. A patient who lingers too long in a hospital, for example, presents both financial problems (because payment often is based on a case rate for the patient’s condition, not length of stay [LOS]) and an increased risk of additional health problems (such as infection and complications).

Strong controls are necessary for:

  • Discharge planning
  • Utilization management
  • LOS and avoidable days
  • Readmissions
  • Throughput and logistics
  • Transitions of care

A hospital that lacks such controls can experience poor clinical outcomes, increased readmissions, denials and billing problems, and it could potentially face loss of Medicare and Medicaid eligibility due to regulatory noncompliance.

How to move toward next-generation compliance

Upgrading  the compliance function to where it needs to be in today’s rapidly evolving risk environment requires effective and consistent ongoing communication among clinical, quality and compliance functions. Today, the areas all too often operate in silos where neither staff nor systems communicate with each other, which means nobody is getting a complete picture that captures all the risks and what is being done about them.

In this environment, the requisite collaboration can take some work. Compliance traditionally has been seen as having a clearly defined scope, encompassing things like billing and physician agreements and governed by laws and regulations. And it also is through laws and regulations, coupled with increased regulatory focus, that the compliance function must extend to clinical and quality areas.

To achieve next-generation compliance, all hospital functions must understand what the others do and the interconnections among them. An organizational culture that supports cross-functional collaboration, starting at the top, is essential. An organization might start by including or expanding clinical and quality representatives on the compliance committee, and compliance representatives on clinical and quality committees to break down barriers and foster communication. If staff have not previously been active in the other areas, they should be educated to be able to “speak the language.”

Finance leaders are well positioned to facilitate this transformation. They historically have worked alongside clinical leaders to address cross-functional issues, such as LOS and throughput, although their level of involvement varies by organization. In particular, finance leaders can support compliance efforts by connecting key compliance and clinical leaders and educating all parties on the financial and revenue cycle implications of evolving risks, such as:

  • Payment effects of value-based purchasing penalties and incentives
  • Billing requirements for hospital-acquired conditions and adverse safety events
  • The financial cost of medical necessity issues   in terms of denials, reduced payment and unreimbursed costs

Often, clinical and quality representatives perform monitoring-type activities, such as medical record reviews, tracer exercises, conditions of participation assessments and emergency preparedness reviews. These activities tend not to be labeled “compliance monitoring” or reported to the compliance committee. That practice should change: The compliance office should seek to formalize collaboration with clinical and quality personnel on such activities, making reporting on them to the compliance committee part of compliance policies and procedures.

The future is now

A new approach to compliance is needed to address the evolving risks hospitals are encountering today and will encounter in the future. In the face of new compliance challenges, this is a task that cannot be delayed. Hospitals need to bring “the bedside and the business side” together to communicate and collaborate on compliance. Only then can an organization manage its risks in a way that greatly improves patient lives and the organization’s financial performance. 


a. HHS, OIG, “OIG Supplemental Compliance Program Guidance for Hospitals,” Federal Register, Jan. 31, 2005.

b. HHS, OIG, Adverse Events in Long-Term Care Hospitals: National Incidence Among Medicare Beneficiaries, November 2018; and HHS, OIG, Vulnerabilities in the Medicare Hospice Program Affect Quality Care and Program Integrity: An OIG Portfolio, July 2018.

c. Moffeit, M., “Federal Report Details Psych Patient’s Death, Says Parkland Violated Rights,” Dallas News, June 2011.

d. U.S. Department of Justice, “Vanguard Healthcare Agrees to Resolve Federal and State False Claims Act Liability: Settlement by Nursing Home Chain Is Largest Worthless Services Resolution in Tennessee’s History,” news release, Feb. 27, 2019.

e. U.S. Department of Justice “Millennium Health Agrees to Pay $256 Million to Resolve Allegations of Unnecessary Drug and Genetic Testing and Illegal Remuneration to Physicians,” news release, Oct. 19, 2015.

f. U.S. Department of Justice, “Healogics Agrees to Pay Up to $22.51 Million to Settle False Claims Act Liability for Improper Billing of Hyperbaric Oxygen Therapy,” news release, June 20, 2018. 

g. Haag, M., “Police Investigate Sexual Assault Allegations After Woman in Vegetative State Gives Birth,” The New York Times, Jan. 4, 2019.  

h. Blake Ellis, B., and Hicken, M., “Sick, Dying and Raped in America’s Nursing Homes,” CNN, Feb. 22, 2017.

i. HHS, OIG, “Early Alert: The Centers for Medicare & Medicaid Services Has Inadequate Procedures to Ensure That Incidents of Potential Abuse or Neglect at Skilled Nursing Facilities Are Identified and Reported in Accordance with Applicable Requirements (A-01-17-00504),” memorandum, Aug. 24, 2017. 

j. CMS, “Emergency Preparedness Rule,” CMS, page last modified March 12, 2019.


googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );