Compliance with legal and regulatory requirements places an extra financial and administrative burden on hospitals, as facilities strive to comply with laws on physician financial relationships, privacy in healthcare IT and medical billing and collections while keeping physicians happy and costs low.
Here Debbie Wheeler, director of regional compliance for Tenet Healthcare's Florida Region, and Thomas M. Tammany, shareholder with Buchanan Ingersoll & Rooney and former chief counsel for the University of Pennsylvania Health System, discuss the top legal and regulatory challenges facing hospitals in 2011 and how facilities can work to achieve compliance.
Q: How can hospitals work with employees and physicians to ensure legal compliance is promoted through the system?
Debbie Wheeler: Compliance is promoted when the chief executive officer and leadership team are champions of the compliance program. When the chief executive officer sends a written message supporting the hospital's code of conduct and standards to new employees and routinely [appears] at physician and employee meetings, they are reminded that compliance is expected.
If an organization has an ethics program, it is clear to the physicians and employees that the organization has set expectations beyond compliance to demonstrate a culture of both compliance and compassion. When compliance is tied to quality of care within an organization, physicians and employees are reminded that legal compliance is part of best practices from a clinical and a business perspective. Training and education that emphasizes the priorities of legal compliance in health care in a clear and organized method of delivery ensure that employees and physicians are more likely to understand compliance, ask questions for clarification and comply with policies and procedures that reflect legal and regulatory compliant practices.
An active multi-disciplinary compliance committee working on behalf of the organization to effectively address ethics and compliance issues is [also] paramount to involving employees and physicians in addressing the compliance program.
Q: Data breaches have been all over the headlines lately, with HHS issuing monetary fines for privacy violations starting in Feb. 2011. How can hospitals protect themselves against data breaches, and what is the best course of action once a breach has occurred?
DW: Of course, the best protective measure is a strong and proactive compliance program and compliance and privacy officer endorsed and supported by the board. Privacy and security policies that are reviewed and updated accordingly and ongoing education of staff, physicians and contractors are obvious areas of focus, as well as strong access control measures that focus on network security, laptop, portable media and stored password encryption and restriction of access.
Items identified through annual and ongoing risk assessments and incident trends should be included in an annual work plan. Additionally, routine audits and testing that include preventive and priority indicators, items identified through the risk assessments and any new regulatory or industry focus are a required component of a solid privacy and security program.
The United States Department of Health and Human Services/Health Information Privacy site should be utilized as a resource. The site is very user-friendly, and signing up for their listserv is a great way of getting updates and useful information. The site provides basic information on privacy and security and related statutes and rules. [Hospitals can also access information on] enforcement activities, results, actual case examples and corrective actions that the Office of Civil Rights has obtained from covered entities. Additionally, the frequently asked questions section is extremely thorough, inclusive and up-to-date.
While prevention is the very best way to avoid the consequences of a security breach, if a security breach does occur, depending on the circumstances, important steps including investigation, disclosure, remediation plans and potential regulatory involvement of state, federal, law enforcement and licensing agencies are necessary.
Q: How can hospitals protect themselves from violating the Anti-Kickback Statute? Where are the challenges in promoting compliance with AKS, and how can hospitals ensure financial relationships with physicians are legal?
Thomas Tammany: In general, the anti-kickback statute prohibits anyone paying or providing anything of value — whether it's money, services, or the like — to induce or in return for Medicare and Medicaid referrals. So you've got to start with a culture of compliance at your institution. The Office of Inspector General of the U.S. Department of Health and Human Services has published what it believes are the key elements of model compliance policies for hospitals and other health care providers, which should be adopted in one form or another. The key, however, is that compliance has to be part of the culture and embraced from the top down. The board of directors and senior management have to want to make compliance part of the culture. That means communicating it, reinforcing it and providing education to employees and physicians, and auditing your progress from time to time.
We do a lot of work for hospitals, and many physicians have seen their clinical incomes adversely affected by cuts in reimbursement over the least few years. They hear stories about their colleagues in other health systems, or other parts of the country contracting with hospitals or engaging in joint ventures to supplement their clinical practice income (which may or may not be true), and more and more they want similar arrangements. Unfortunately, they often have high compensation expectations and are suspicious of the whole process. That is where education comes in. The OIG has issued certain "safe harbors" over the years, and as long as the arrangement meets the requirements of the applicable safe harbor, it is perfectly permissible for a hospital to pay physicians for services they provide.
The Personal Services and Management Contracts safe harbor, for example, requires among other things that the arrangement between the parties be documented in writing, have a term of at least one year and have aggregate compensation that is set in advance and consistent with fair market value. There is no requirement that the parties obtain an independent fair market value analysis, but since the anti-kickback statute applies to both parties, it is usually advisable to do so for each party's protection, especially where the compensation is out of the ordinary for any reason. Hospitals may avoid having to deal with this on a case by case basis by providing periodic education to the medical staff on these issues, such as at the quarterly medical staff meetings.
Q: Do you believe the necessity of providing fair market value compensation will dissuade physicians from pursuing non-clinical duties once they realize the pay may not be as high as they may have thought?
TT: No, I do not. The vast majority of physicians are good people and have historically been providing administrative services (e.g., as department chairs, division chiefs and medical directors) for free as part of their medical staff responsibilities. Many are seeking compensation now as their clinical reimbursement has come under pressure, but they will understand the importance of staying within the fair market value range of compensation. They might say, "Why don't you pay me at the higher end of the range?", but they'll stay within the range. Historically, hospitals would just look at what their competitors were paying and negotiate the rate based on that. They would take the position that if they engaged in arms-length negotiations, that meant the rate was fair market value. They are beginning to use outside valuation firms more and more, based in part on the advice of outside lawyers, to help them withstand potential government scrutiny, but it's expensive — it can cost $5,000-$10,000 to get this kind of report, depending on the deal.
Where it could get complicated is with a highly productive physician. Hypothetically, say the median annual compensation for an orthopedic surgeon is $400,000, and the compensation at the 90th percentile is $800,000. You may have an experienced doctor legitimately making $1,000,000 a year because he's working 12-18 hours per day taking care of patients. That physician might say, "My time is more valuable, so you have to pay me more than the 90th percentile, or I will not provide the services" and that's a legitimate issue. But the hospital could not just agree to pay him an hourly amount based on his clinical income. Rather, it should obtain a fair market valuation analysis supporting the level of permissible compensation under those circumstances. The valuation firm will not usually base such a valuation on clinical income but will look to other factors, such as the physician's experience, national reputation, special skills, the number of similarly skilled physicians available or other relevant factors to support the ultimate compensation valuation.
The key question, however, before ever getting to the fair market value analysis, is whether there is a real need for the service in the first place. For example, if a group of physicians in a given specialty wants to be paid to be on-call (which is also becoming a more frequent request), the first question is whether the hospital has an unmet need for those services that would justify paying for it. If there are other physicians in that specialty that are willing to take call without being paid, the question becomes whether the hospital is really paying for something else, such as referrals.
Q: What do you see as the biggest challenges for hospitals regarding recovery audit contractors?
DW: The RAC program is now in full force. Past reviews were automated in nature, and now the RACs are more focused on complex reviews that involve the use of clinical judgment by a licensed medical professional or certified coding specialist to evaluate cases. Complex reviews are initiated when the RACs identify a significant probability that the service is not covered or when no Medicare policies or coding guidelines exist.
It is important for hospitals to stay aware of the audit issues posted by their applicable RAC, especially items and services where the RACs have focused their attention. By now, providers should know their RAC auditor and how to access resources, including audit areas of focus on their RAC's website. Maintaining effective pre- and post-admission review, coding and auditing and monitoring processes, providing ongoing staff education and maintaining an active multi-disciplinary task force is the best way to remain compliant and be prepared for any RAC inquires.
TT: One of the biggest challenges we are seeing is the lack of clarity in the regulations and the guidelines that have been issued over the years, either by the government or by the Medicare contractor. What happens is the RACs come in and review 200 charts and say, "Aha, you didn't document that XYZ was medically necessary under the industry standards," and the hospital says, "Well, we did document ABC because that's what we believed the standard was at the time." And the RAC will explain that today you have to document XYZ, so they're going back and recouping those payments. In many cases, the guidelines are gray or conflicting, and hospitals did the best they could, but now they're being second-guessed in hindsight.
It's also an issue of resources. There's a proliferation of all these agencies — RACs, Medicaid Integrity Contractors and Zone Program Integrity Contractors — and while hospitals are trying to take care of patients in an era of declining reimbursement, they have to devote more and more resources to responding to requests from several of these companies at the same time (e.g., making copies of voluminous numbers of records), preparing their cases and pursing appeals. Many hospitals are currently trying to handle this internally, without the use of outside consultants or lawyers, but as the amounts at stake increase or the RACs deny claims across a whole swath of similar services, the hospitals will be forced to devote more resources, internally and externally, to try and preserve that reimbursement.
Q: How can hospitals build compliant co-management arrangements, as physician involvement in hospital management becomes more and more popular?
TT: Co-management is a relatively new area that started over the last few years, and my own personal view is that hospitals and physicians should be very careful before they enter into a co-management relationship. On the one hand, co-management agreements are becoming a popular vehicle for aligning hospital/ physician interests to enhance quality and efficiency, particularly in high cost service lines, such as cardiology and orthopedics. A co-management relationship can be structured as a contract between the hospital and (i) a physician group or (ii) a joint venture (e.g., LLC) owned by the hospital and one or more physician groups in that specialty. The hospital pays the co-manager a management fee which is usually composed of a base fee and an incentive based on performance, to the extent that pre-determined quality, efficiency, patient satisfaction and other service line objectives are met.
However, these arrangements are often utilized for the higher revenue producing service lines for the hospital and typically involve physicians who are the primary referral sources for those services. Therefore, if the government looks at this arrangement 3-5 years down the road, the initial questions will be, "Why were you really doing this?" Was it to maintain or increase your referrals from these physicians?" It therefore behooves the hospital to look hard at the need they are trying to fill and see if there are other ways of meeting that need.
If there are not, then co-management makes sense, but the hospital should make sure that if these arrangements are challenged at a later time, it can say, "Prior to going down this road, we identified a specific issue we needed to address, we brought in consultants to help develop with the compensation model and performance objectives consistent with fair market value, and we chose this option because it best met the needs we had at the time." There are a number of laws that are implicated by these arrangements, such as the anti-kickback statute, the Stark law and the IRS private inurement/ private benefit restrictions if the hospital is a non-profit, tax exempt entity, but they can be structured to fit within applicable safe harbors or Stark exceptions.
The final arrangement should also be approved by the hospital's governing board or disinterested committee if the entity is a 501(c)(3) organization. There should also be a re-assessment every few years to make sure compliance is not getting out of line and revise the relationship as necessary. If the hospital has that type of evidence showing its good intent from the beginning, it will reduce its risks of a drawn-out investigation or liability significantly. Too many hospitals jump right in with physicians, and the next thing you know, they have signed the co-management agreement. The need is never specifically identified, there's no study, no analysis and no approval by the board of trustees. Then, when they receive a government inquiry years later, they are forced to try and re-create the thought process and need analysis, but by then it may be too late.
Here Debbie Wheeler, director of regional compliance for Tenet Healthcare's Florida Region, and Thomas M. Tammany, shareholder with Buchanan Ingersoll & Rooney and former chief counsel for the University of Pennsylvania Health System, discuss the top legal and regulatory challenges facing hospitals in 2011 and how facilities can work to achieve compliance.
Q: How can hospitals work with employees and physicians to ensure legal compliance is promoted through the system?
Debbie Wheeler: Compliance is promoted when the chief executive officer and leadership team are champions of the compliance program. When the chief executive officer sends a written message supporting the hospital's code of conduct and standards to new employees and routinely [appears] at physician and employee meetings, they are reminded that compliance is expected.
If an organization has an ethics program, it is clear to the physicians and employees that the organization has set expectations beyond compliance to demonstrate a culture of both compliance and compassion. When compliance is tied to quality of care within an organization, physicians and employees are reminded that legal compliance is part of best practices from a clinical and a business perspective. Training and education that emphasizes the priorities of legal compliance in health care in a clear and organized method of delivery ensure that employees and physicians are more likely to understand compliance, ask questions for clarification and comply with policies and procedures that reflect legal and regulatory compliant practices.
An active multi-disciplinary compliance committee working on behalf of the organization to effectively address ethics and compliance issues is [also] paramount to involving employees and physicians in addressing the compliance program.
Q: Data breaches have been all over the headlines lately, with HHS issuing monetary fines for privacy violations starting in Feb. 2011. How can hospitals protect themselves against data breaches, and what is the best course of action once a breach has occurred?
DW: Of course, the best protective measure is a strong and proactive compliance program and compliance and privacy officer endorsed and supported by the board. Privacy and security policies that are reviewed and updated accordingly and ongoing education of staff, physicians and contractors are obvious areas of focus, as well as strong access control measures that focus on network security, laptop, portable media and stored password encryption and restriction of access.
Items identified through annual and ongoing risk assessments and incident trends should be included in an annual work plan. Additionally, routine audits and testing that include preventive and priority indicators, items identified through the risk assessments and any new regulatory or industry focus are a required component of a solid privacy and security program.
The United States Department of Health and Human Services/Health Information Privacy site should be utilized as a resource. The site is very user-friendly, and signing up for their listserv is a great way of getting updates and useful information. The site provides basic information on privacy and security and related statutes and rules. [Hospitals can also access information on] enforcement activities, results, actual case examples and corrective actions that the Office of Civil Rights has obtained from covered entities. Additionally, the frequently asked questions section is extremely thorough, inclusive and up-to-date.
While prevention is the very best way to avoid the consequences of a security breach, if a security breach does occur, depending on the circumstances, important steps including investigation, disclosure, remediation plans and potential regulatory involvement of state, federal, law enforcement and licensing agencies are necessary.
Q: How can hospitals protect themselves from violating the Anti-Kickback Statute? Where are the challenges in promoting compliance with AKS, and how can hospitals ensure financial relationships with physicians are legal?
Thomas Tammany: In general, the anti-kickback statute prohibits anyone paying or providing anything of value — whether it's money, services, or the like — to induce or in return for Medicare and Medicaid referrals. So you've got to start with a culture of compliance at your institution. The Office of Inspector General of the U.S. Department of Health and Human Services has published what it believes are the key elements of model compliance policies for hospitals and other health care providers, which should be adopted in one form or another. The key, however, is that compliance has to be part of the culture and embraced from the top down. The board of directors and senior management have to want to make compliance part of the culture. That means communicating it, reinforcing it and providing education to employees and physicians, and auditing your progress from time to time.
We do a lot of work for hospitals, and many physicians have seen their clinical incomes adversely affected by cuts in reimbursement over the least few years. They hear stories about their colleagues in other health systems, or other parts of the country contracting with hospitals or engaging in joint ventures to supplement their clinical practice income (which may or may not be true), and more and more they want similar arrangements. Unfortunately, they often have high compensation expectations and are suspicious of the whole process. That is where education comes in. The OIG has issued certain "safe harbors" over the years, and as long as the arrangement meets the requirements of the applicable safe harbor, it is perfectly permissible for a hospital to pay physicians for services they provide.
The Personal Services and Management Contracts safe harbor, for example, requires among other things that the arrangement between the parties be documented in writing, have a term of at least one year and have aggregate compensation that is set in advance and consistent with fair market value. There is no requirement that the parties obtain an independent fair market value analysis, but since the anti-kickback statute applies to both parties, it is usually advisable to do so for each party's protection, especially where the compensation is out of the ordinary for any reason. Hospitals may avoid having to deal with this on a case by case basis by providing periodic education to the medical staff on these issues, such as at the quarterly medical staff meetings.
Q: Do you believe the necessity of providing fair market value compensation will dissuade physicians from pursuing non-clinical duties once they realize the pay may not be as high as they may have thought?
TT: No, I do not. The vast majority of physicians are good people and have historically been providing administrative services (e.g., as department chairs, division chiefs and medical directors) for free as part of their medical staff responsibilities. Many are seeking compensation now as their clinical reimbursement has come under pressure, but they will understand the importance of staying within the fair market value range of compensation. They might say, "Why don't you pay me at the higher end of the range?", but they'll stay within the range. Historically, hospitals would just look at what their competitors were paying and negotiate the rate based on that. They would take the position that if they engaged in arms-length negotiations, that meant the rate was fair market value. They are beginning to use outside valuation firms more and more, based in part on the advice of outside lawyers, to help them withstand potential government scrutiny, but it's expensive — it can cost $5,000-$10,000 to get this kind of report, depending on the deal.
Where it could get complicated is with a highly productive physician. Hypothetically, say the median annual compensation for an orthopedic surgeon is $400,000, and the compensation at the 90th percentile is $800,000. You may have an experienced doctor legitimately making $1,000,000 a year because he's working 12-18 hours per day taking care of patients. That physician might say, "My time is more valuable, so you have to pay me more than the 90th percentile, or I will not provide the services" and that's a legitimate issue. But the hospital could not just agree to pay him an hourly amount based on his clinical income. Rather, it should obtain a fair market valuation analysis supporting the level of permissible compensation under those circumstances. The valuation firm will not usually base such a valuation on clinical income but will look to other factors, such as the physician's experience, national reputation, special skills, the number of similarly skilled physicians available or other relevant factors to support the ultimate compensation valuation.
The key question, however, before ever getting to the fair market value analysis, is whether there is a real need for the service in the first place. For example, if a group of physicians in a given specialty wants to be paid to be on-call (which is also becoming a more frequent request), the first question is whether the hospital has an unmet need for those services that would justify paying for it. If there are other physicians in that specialty that are willing to take call without being paid, the question becomes whether the hospital is really paying for something else, such as referrals.
Q: What do you see as the biggest challenges for hospitals regarding recovery audit contractors?
DW: The RAC program is now in full force. Past reviews were automated in nature, and now the RACs are more focused on complex reviews that involve the use of clinical judgment by a licensed medical professional or certified coding specialist to evaluate cases. Complex reviews are initiated when the RACs identify a significant probability that the service is not covered or when no Medicare policies or coding guidelines exist.
It is important for hospitals to stay aware of the audit issues posted by their applicable RAC, especially items and services where the RACs have focused their attention. By now, providers should know their RAC auditor and how to access resources, including audit areas of focus on their RAC's website. Maintaining effective pre- and post-admission review, coding and auditing and monitoring processes, providing ongoing staff education and maintaining an active multi-disciplinary task force is the best way to remain compliant and be prepared for any RAC inquires.
TT: One of the biggest challenges we are seeing is the lack of clarity in the regulations and the guidelines that have been issued over the years, either by the government or by the Medicare contractor. What happens is the RACs come in and review 200 charts and say, "Aha, you didn't document that XYZ was medically necessary under the industry standards," and the hospital says, "Well, we did document ABC because that's what we believed the standard was at the time." And the RAC will explain that today you have to document XYZ, so they're going back and recouping those payments. In many cases, the guidelines are gray or conflicting, and hospitals did the best they could, but now they're being second-guessed in hindsight.
It's also an issue of resources. There's a proliferation of all these agencies — RACs, Medicaid Integrity Contractors and Zone Program Integrity Contractors — and while hospitals are trying to take care of patients in an era of declining reimbursement, they have to devote more and more resources to responding to requests from several of these companies at the same time (e.g., making copies of voluminous numbers of records), preparing their cases and pursing appeals. Many hospitals are currently trying to handle this internally, without the use of outside consultants or lawyers, but as the amounts at stake increase or the RACs deny claims across a whole swath of similar services, the hospitals will be forced to devote more resources, internally and externally, to try and preserve that reimbursement.
Q: How can hospitals build compliant co-management arrangements, as physician involvement in hospital management becomes more and more popular?
TT: Co-management is a relatively new area that started over the last few years, and my own personal view is that hospitals and physicians should be very careful before they enter into a co-management relationship. On the one hand, co-management agreements are becoming a popular vehicle for aligning hospital/ physician interests to enhance quality and efficiency, particularly in high cost service lines, such as cardiology and orthopedics. A co-management relationship can be structured as a contract between the hospital and (i) a physician group or (ii) a joint venture (e.g., LLC) owned by the hospital and one or more physician groups in that specialty. The hospital pays the co-manager a management fee which is usually composed of a base fee and an incentive based on performance, to the extent that pre-determined quality, efficiency, patient satisfaction and other service line objectives are met.
However, these arrangements are often utilized for the higher revenue producing service lines for the hospital and typically involve physicians who are the primary referral sources for those services. Therefore, if the government looks at this arrangement 3-5 years down the road, the initial questions will be, "Why were you really doing this?" Was it to maintain or increase your referrals from these physicians?" It therefore behooves the hospital to look hard at the need they are trying to fill and see if there are other ways of meeting that need.
If there are not, then co-management makes sense, but the hospital should make sure that if these arrangements are challenged at a later time, it can say, "Prior to going down this road, we identified a specific issue we needed to address, we brought in consultants to help develop with the compensation model and performance objectives consistent with fair market value, and we chose this option because it best met the needs we had at the time." There are a number of laws that are implicated by these arrangements, such as the anti-kickback statute, the Stark law and the IRS private inurement/ private benefit restrictions if the hospital is a non-profit, tax exempt entity, but they can be structured to fit within applicable safe harbors or Stark exceptions.
The final arrangement should also be approved by the hospital's governing board or disinterested committee if the entity is a 501(c)(3) organization. There should also be a re-assessment every few years to make sure compliance is not getting out of line and revise the relationship as necessary. If the hospital has that type of evidence showing its good intent from the beginning, it will reduce its risks of a drawn-out investigation or liability significantly. Too many hospitals jump right in with physicians, and the next thing you know, they have signed the co-management agreement. The need is never specifically identified, there's no study, no analysis and no approval by the board of trustees. Then, when they receive a government inquiry years later, they are forced to try and re-create the thought process and need analysis, but by then it may be too late.