In previous posts I’ve written about the need for providers in all industry sectors to fully understand the compliance and legal risks that are inherent to the appropriate industry sector, as well as to health care today in general. As someone who has been immersed in health care operations and health policy for the past quarter century, I can honestly say that I have not seen a period more perilous for providers and quite frankly, I perceive that it will remain risky and perhaps escalate in the near future. Consider the following;
- There is renewed vigor and funding in Washington to root out perceived waste and fraud, principally focused on Medicare. Every sector that I follow is a target for the OIG and/or Recovery Audit activity. In spite of GAO findings that Recovery Audits have fallen short of achieving their targeted goal of reducing $231 million in over-payments or improper payments, the action from CMS is to “improve” the system or in other words, increase the amount of personnel and resources devoted to this task. In July, the Department of Justice announced the results of a multistate Medicare fraud investigation implicating 90 individuals, tied to a total of $251 million in Medicare payments. The investigation involved doctors, nurses, therapy companies and others. The investigation was part of the new Health Care Fraud Prevention and Enforcement Action Team.
- According to a recent report from the Congressional Research Service the number of new agencies, commissions and boards created under the recently passed Health Care Reform law is “unknowable”. The Center for Health Transformation headed by former speaker Newt Gingrich estimates that 159 new agencies, offices and programs were created under the PPACA and the Joint Economic Committee claims 47 new bureaucratic entities were created. What this all means in brief is “more regulation”, not less and in most cases, regulations that haven’t even been written yet. Most troubling is that the PPACA seemingly creates bundles upon bundles of additional regulation but is virtually moot on any current regulatory relief or reform. Two interesting charts regarding the bureaucracies created under the PPACA are available at http://www.healthtransformation.net/
- Existing regulatory burdens are already steep and increasing, regardless of the PPACA. Take for example, the annual CMS rule making process regarding rates and payments. Wholesale changes in Medicare assessment requirements and payments are forthcoming this fall for the SNF industry. The home health industry has also seen its share of Medicare reimbursement changes and required assessment and documentation changes under Medicare imposed by CMS without any legislative activity. New HIPAA requirements regarding electronic communications came into play this year, new self-disclosure rules under Stark and the False Claims Act, as well as dozens of other agency regulations.
- Non-health care specific laws also change constantly and impact providers. Whether these laws are labor related, tax related, state laws, local laws, commerce laws, building codes, etc., all are in some way related to the general business conducted by providers.
- The court system (or more appropriately, the plaintiff’s bar) has become more actively focused on the provider side of the health care industry. In just the first seven months of this year, two significant class-action suits have laid new fertile ground that providers should both fear and understand. The first occurred in California where a jury awarded plaintiffs $613 million in statutory damages and $58 million in restitutionary damages (punitive damages not yet determined) against Skilled Healthcare Group, a proprietary nursing home chain. The award was predicated on a 4 year old complaint that the organization failed to staff its facilities to meet the State of California’s minimum staffing requirement of 3.2 nursing hours per patient day at 22 of its California facilities. The “rub” in this case for providers is that no harm or actual damage theory was applied to the “class of patients” affected or in other words, the residents of the 22 facilities were never effectively damaged in total yet, the jury awarded the maximum damages allowed under California law. The result is that, even before punitive damages are assessed, the damage amount is larger than the value of the organization or more simply, if the damage amounts remain unaltered, Skilled Healthcare is bankrupt. A final piece of irony? The regulatory system that oversees nursing homes in the state took no specific action against Skilled Healthcare to prevent the “understaffing”. The second case comes from the home health industry where as of today, three class action suits have been filed against Amedysis, the industry’s largest proprietary home health company. The suits were born as a result of a Wall Street Journal article and a subsequent Senate Finance Committee inquiry into the Medicare billing practices of large, for-profit home health companies. The fundamental allegation is that Amedysis, along with other major for-profit companies, used the Medicare rules in-place to essentially increase their revenues. The fundamental issue pertains to therapy visits and a provision under Medicare two plus years ago that provided for incentive payments to be made to agencies based on the number of therapy visits (more visits, higher payments). The basis of the suit against Amedysis (clearly a target because of its size, its focus on Medicare patients and the Wall Street Journal article) is that the company overstated its revenues and once investigated or discovered, the same activity now disclosed caused shareholders to lose value as a result of falling stock prices. In a unique twist, the suits use Sarbanes-Oxley, a securities related law that requires senior corporate officers to avoid activity that would result in unethical conduct or malfeasance, harming shareholders. As in the Skilled Healthcare case, the irony here is thick. First, there is no allegation that patients were harmed or that care was rendered inappropriately. Second, the activity of Amedysis was not under investigation by CMS or the OIG concurrent to or before the filing of the suits. In other words, the government’s own enforcement activity was moot on this issue and there is considerable question as to whether what Amedysis did was even improper given the rules that were in effect at the time. Third, virtually all providers practice Medicare maximization or that time-honored practice of using Medicare’s own rules concerning reimbursements to maximize the amount of reimbursement available to them. If the Amedysis case is the standard, virtually every Medicare provider would in fact, be guilty of similar conduct dependent on the industry and the applicable reimbursement rules.
Taking the above into account, and it is truly an overview only, providers need to recognize the gravitas of the environment and the totality of legal and compliance risks that are present and mounting. Recognition and identification of the compliance requirements per applicable industry sector and the legal risks associated with the business and operations encompassed is where providers can begin to respond, not react, and develop the tools, processes, plans and ultimately culture, that mitigates risk and creates effectively compliant operations (“effectively” because totally compliant is improbable if not impossible). Below are some time-honored tips and approaches for creating an organizational environment that achieves high-levels of compliance and mitigates legal risks (I ran a very large, multi-site, complex organization for twenty plus years and never had a lawsuit).
- Within each industry sector there are tons of regulations that in theory, require daily compliance. Likewise, within each industry sector, there are compliance themes and “key” compliance requirements. Focus on the key compliance requirements as activities, tools, and systems that drive compliance in these areas mitigates 90 plus percent of the compliance risk and in all cases, the risk that is expensive and serious. I like to think about the core intent of compliance and create understanding and organizational capacity and systems around these intents. For example, in the areas of patient care, outcomes are the baseline of regulations. Regulations focus on documentation of outcomes, prevention of negative outcomes, and actual standards for outcomes. Systems which assure a close match with the regulatory expectations and are part of an organizational QI process (constantly) achieve the regulatory intent and create a “halo” of compliance. The same can be said for billing practices under Medicare and Medicaid, privacy requirements under HIPAA, etc. Polices are insufficient to achieve the requisite level of compliance required and quite often, do nothing more if not integrated within organizational practices and systems, than create more compliance risk.
- Legal risks are harder to quantify but in some cases, easier to generally address. Take the two legal cases I illustrated above. In the first case, if the staffing requirement in a state is 3.2 hours per patient day, any provider flirting with these levels consistently is asking for trouble – avoid the risk entirely. In the second case, as I pointed out, Medicare maximization is a time-honored tradition for providers. What is not time-honored or allowable, is any activity that suggests that the provider is routinely and consistently, seeking to “game” the system. I see too many therapy companies and SNF providers that merely “up-code” all residents into Ultra High therapy categories as a means of achieving the highest Medicare reimbursement per day. I see too many providers stress the justifications for additional days, manipulate the rules to extract additional benefit periods, and create care requirements and documentation that is not supported by the actual needs or conditions of the patient. These activities, when pervasive and constant, create a legal risk that is tough to impossible to defend. A better approach is to develop strategic and operational plans that maximize revenue the right way. The right way is by achieving high-levels of organizational capability in delivering the right care to the right patient at the most efficient cost levels possible. It also means developing marketing plans and programs that attract the ideal patient mix that produces the highest possible revenue profile for the organization. With respect to employment, avoiding significant legal risks means dealing with employees within the constructs of employment law. This doesn’t mean don’t fire or don’t discipline. It means fire and discipline effectively and only for consistent, documented and legally permissible activity. A core or key requirement is to effectively train and only employ, capable and competent management that know and understand the applicable labor laws and are capable of using effective hiring and supervision methods that produce organizational results without violating company policy or the law.
- Organizationally, the primary methodology to achieving a high level of compliance and to mitigate legal risks involves creating an organizational culture that focuses on compliant activity and solid risk management principles. While not exhaustive, here are some key elements that are part of the culture.
- Internal and external education and audits that identify risks and provide solutions. Developing organizational thought-leaders and subject matter experts provides key resources that can be deployed to solve problems, identify risks, and provide education.
- Encourage reporting and self-disclosure and reward the activity. Management must be open to hearing “what is not right” and providing reinforcement for this activity.
- Integrate compliance and risk management as part of strategic planning and allocate budgetary resources adequate to address the risks. While risk prevention always appears to be money with another use, it is far cheaper to prevent compliance and legal risks than it is to bear the costs after an event has occurred.
- Reward the concept and ideology of “doing the right things” first as opposed to those things which may be short-term, expedient or more profitable.
- Benchmark and test key indicators constantly. For example, if your Medicare census and revenue per day is higher than industry norms and/or market norms, make sure that such results are tied directly to organizational performance and activity, not to billing creativity.
- Provide ownership to compliance activities and outcomes to all staff, not just management. Engage the entirety of the workforce.
- Keep up with pending or new regulatory activity and legal activity and get “ahead” of the curve. Organizations that only respond to laws already passed and cases already decided tend to get caught trying to “react” rather than remain vigilant and prepared. Rarely do new compliance requirements and legal requirements come instantaneously on the radar screen – they have been there for a while. Providers that see and understand the trends can use the virtue of time to integrate new systems into existing systems, teach new knowledge requirements, and build new organizational capacity to manage effectively, the new requirements.