Keeping clean for compliance: constantly changing healthcare laws and regulations create risk for the unwary. Does your organization have a strategy to identify and monitor its exposure?

Healthcare Financial Management, June, 2005 by Lawrence A. Fogel, Joseph M. Watt

Federal healthcare programs, particularly Medicare and Medicaid, pose the greatest risk of business exposure to healthcare organizations. Recent landmark fraud settlements levied against large healthcare businesses include such giants as HealthSouth ($325 million), Pfizer, Inc. ($430 million), and Tenet Healthcare Corp. ($480 million), to name a few.

Some providers believe they are too small to be a target; others believe they are not on the radar screen because they are not-for-profit, governmental, or rural organizations. Still others may believe they are not at risk because there have been no government investigations or prosecutions of similar organizations in their area or state.

However, apathy and indifference do not protect those organizations from the truth: Government agencies will investigate any organization or individual at any time if there is reason to believe an unlawful act has been committed.

Providers that believe they are immune to investigations for whatever reason are particularly vulnerable to significant fines and penalties, sanctions, civil actions, and possible criminal prosecutions. Like an ostrich burying its head in the sand, a provider unprepared to face scrutiny is virtually helpless to defend itself against compliance violations. What if a hospital has not invested the time or the resources to operate a compliance program? Then, out of the blue, the federal government alleges the hospital has committed fraud by violating the antikickback statute. If management has been apathetic and calloused about corporate compliance, what is the defense? Typically, providers with effective compliance programs are treated more leniently when compliance violations occur.

The Risk Environment

Enforcement of antifraud regulations is widespread. As proof, consider the activities of the Office of Inspector General during federal FY04. The OIG's semiannual report for April 1, 2004, through Sept. 30, 2004, stated savings of approximately $30 billion. Most of the savings--$27.3 billion--resulted from implemented recommendations and other actions to use funds wisely. The OIG also reported $754.2 million in audit receivables, $8.3 million in additional audit recoveries, and $1.9 billion in investigative receivables.

The OIG also sanctioned individuals and entities for fraud or abuse of federal healthcare programs and/or their beneficiaries. The OIG's semiannual report outlined these sanctions:

* Exclusions of 3,293 individuals or entities for fraud and abuse of federal programs and/or their beneficiaries

* Convictions of 533 individuals or entities engaged in crimes against departmental programs

* Some 268 civil actions, including False Claims Act suits, Civil Monetary Penalties Law settlements, and recoveries related to provider self-disclosure matters

The OIG continues to investigate suspect organizations, even those believing they are not vulnerable to compliance risks, and may exclude or sanction individuals and entities that violate federal regulations and laws. The enforcement activities of the OIG, the corporate scandals, and overall public distrust have created a volatile environment burdening organizations to identify and monitor internal and external risks to avoid becoming another casualty.

Corporate Oversight: Who Is Responsible?

The key question is, "Who is ultimately responsible for regulating the compliance activities of the company?" In its 2005 Supplemental Compliance Program Guidance for Hospitals (Federal Register, Jan. 31, pp. 4858-4876), the OIG states, "Every effective compliance program necessarily begins with a formal commitment to compliance by the hospital's governing board and senior management." The OIG, the American Health Lawyers Association, and the U.S. Sentencing Commission address this issue in their publications.

In April 2003, the OIG and AHLA published Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors, which discusses fiduciary obligations of directors to their organizations. The primary principle is the "duty of care"--that is, the directors' responsibility to exercise the proper amount of care in their decision making. They need to act in good faith, with the level of care an ordinarily prudent person would exercise in like circumstances and in a manner they reasonably believe is in the organization's best interest.

Directors also have responsibility to monitor and oversee the corporate compliance program. Although they do not specify how to oversee the program, the OIG and AHLA guidelines include questions for management about the organization's compliance program.

The U.S. Sentencing Commission, too, says organizational leadership should be knowledgeable about the compliance program, committed to it, and understand the following basics:

* Content of the program

* How the program is implemented

* What risk assessments are conducted to identify exposure areas

* Overall compliance program effectiveness

To gain a minimum level of understanding and satisfy their oversight responsibilities, healthcare organizations' governing bodies need to: