Continuous changes in the healthcare industry are delivering exciting innovations and new opportunities, but they are also creating new threats. Healthcare organizations face changing operational and enforcement environments that together are producing a confluence of new compliance risks. As federal agencies ramp up enforcement efforts and continue to crack down on fraud, abuse, potential Stark Law violations and kickbacks, prudent organizations are taking steps to limit risks and to position themselves advantageously.

More aggressive enforcement

Last year, the Department of Justice recovered more than $3.5 billion in settlements and judgments involving fraud and false claims against the government. Healthcare fraud accounted for more than half—$1.9 billion—of those recoveries, bringing total recoveries from healthcare fraud to $16.5 billion since 2009. Meanwhile, hospitals were involved in nearly $330 million in settlements and judgments in 2015, with the most notable instance involving nearly 500 hospitals that allegedly violated Medicare payment criteria.

Importantly, several investigations in 2015 concerned violations of the Stark Law, with settlements ranging from $11.5 million to $69.5 million. With more expansive False Claims Act (FCA) enforcement efforts involving Stark Law violations, healthcare organizations need to be highly vigilant about potential Stark law liability. Recent revisions to Stark regulations may help to mitigate some technical non-compliance, but the revisions don’t address many issues that have arisen in recent Stark cases, and the rules and relationships are still complex. Of particular concern for the healthcare sector is that this complexity creates an uncertainty in how these rules will be enforced, a situation that is affecting what would normally be non-issue business transactions.

DOJ is no longer interested in pursuing organizations alone. As enforcement efforts are focusing on the healthcare sector, the Department has renewed its emphasis on individual liability. A memo issued last September by Deputy Attorney General Sally Quillian Yates, now known as the Yates Memorandum, emphasizes the Department’s commitment to using the FCA and other enforcement tools to focus on wrongdoing by individuals. Notably, the Yates Memorandum has changed the threshold for receiving cooperation credit in both criminal and civil investigations – requiring organizations to identify all the individuals involved in wrongdoing, regardless of their standing, and to provide details about their misconduct.

The Office of Inspector General of the US Department of Health and Human Services (HHS-OIG) has a team of attorneys focused on healthcare fraud that, among other things, fills enforcement gaps by pursuing cases the DOJ doesn’t. The Health Care Fraud and Abuse Control Program (HCFAC) has returned over $29.4 billion to the Medicare Trust Funds since 1997. In 2015, OIG investigations resulted in 800 criminal actions against individuals or entities engaged in crimes related to Medicare and Medicaid, and 667 civil actions, which include federal false claims and unjust-enrichment lawsuits, civil monetary penalty settlements, and administrative recoveries related to provider self-disclosure.

At the state level, increasing fiscal pressure from the Affordable Care Act (ACA) is leading to a more aggressive approach to Medicaid fraud enforcement. In 2015 alone, these investigations led to 1,387 fraud indictments, 1,553 convictions and 795 civil settlements and judgments, yielding a grand total of $745 million in recoveries.

Beyond the DOJ, HHS-OIG, and state Medicaid enforcers and regulators, healthcare organizations can expect greater scrutiny from the Federal Trade Commission and state attorneys general regarding antitrust issues. The bottom line: given the myriad changes taking place, relationships that might have been viewed as compliant a few years ago – even agreements that may have been approved with all appropriate due diligence at the time – may need to be re-examined. Antitrust enforcement is at a high mark, and many of the government’s recent antitrust efforts have been aimed at the healthcare sector.

On top of the enforcement crackdown is an increasingly complex regulatory environment, including ICD-10 and the Medicare 60-day rule, as well as new IT security and privacy rules. All the while, the regulatory environment continues to evolve: the administration works to finalize ACA rules and regulations; the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) drives participation in alternative payment models; CMS finalizes an expected rule on Medicaid managed care; and new guidance is released on the 340B drug pricing program.

Independent compliance assessment: A practical approach

In this rapidly evolving environment, healthcare organizations can mitigate these risks by redoubling their compliance efforts. Reassessing compliance programs and reviewing internal investigation policies is the best place to start, and these efforts should be part of an ongoing process. Compliance programs are strongest when they are organic and continually adapt to the changing landscape.

In order to determine how their compliance programs should be enhanced, healthcare organizations can undertake a proactive compliance assessment to determine the most practical and effective next steps. Some best practices include:

  1. Educate board members, senior leadership and other stakeholders about the implications of the current environment.
  2. Conduct an independent compliance program assessment, —by someone other than existing compliance counsel, vendors or employees—to avoid blind spots or potential conflicts.
  3. Complete the assessment under attorney-client privilege and attorney work product protection.
  4. Look ahead to identify practical recommendations and next steps that can elevate the compliance program to the next level (rather than getting mired down in past problems).

A forward-thinking approach can not only help prevent future crises, but also pay dividends if a hospital is subjected to government investigation or action in this aggressive enforcement environment. Having an ongoing and robust independent compliance assessment process demonstrates that an organization is dedicated to rigorous compliance and continuous improvement.

Change will always generate new challenges, and the changing regulatory and enforcement environment is no exception. Healthcare organizations that take advantage of the opportunity to proactively elevate their compliance programs will have an advantage over those that take a wait-and see-approach.