Healthcare organizations – ranging from physician practice groups to large, multi-state hospital systems – face a variety of risks, including fraud and abuse, as well as HIPAA privacy issues. Starting from a baseline risk assessment, healthcare organizations are often juggling among competing risks and responding to enforcement threats.

The design and implementation of an effective healthcare compliance program is extremely difficult and requires dedication, resources, and a real leadership commitment. In many cases, healthcare organizations, big and small, have become complacent and fail to recognize the need for continuous assessment and improvements.

Healthcare organizations that ignore the importance of encouraging reporting of complaints and responding to those employee concerns are only asking for trouble. There are plenty of whistleblower lawyers encouraging potential clients to bring False Claims Act suits in order to earn significant payouts under the qui tam compensation program.

A healthcare organization has to identify, understand and assess its risks. This process has to be continuous because risk profiles are not set in stone but change over time. Depending on the type of healthcare provider and the patient mix, a company’s risks will look different. A hospice has a very different profile than a physician group. A rural hospital has a different risk profile than a suburban hospital, and so on.

Looking over a healthcare organization’s risk profile means considering the application of the Anti-Kickback statute, Stark Self-Referral, False Claims Act and HIPAA privacy rule to the organization’s activities. These laws and regulations have a broad impact on a healthcare organization and require specific strategies to respond to relevant risks.

Starting with each general category for a relevant law, a risk assessment has to focus on financial relationships, information collection, storage and use, and patient reimbursement and revenue cycle issues.

AKS has become an increasing focus for civil and criminal enforcement. The AKS statute is broadly crafted to criminalize the payment or solicitation of money or other remuneration to induce the referral of patients for the delivery of any item or service that is reimbursed under the federal healthcare system.

AKS risks depend on whether your organization maintains relationships with other healthcare providers, whether you give or receive money or anything else of value to or from other providers (e.g. lab company, pharmacy) for referrals.

The AKS law includes a number of safe harbors that can apply to specific activities as well. If the amount of any compensation to a healthcare organization increases or decreases depending on the number or type of patient referrals, this can be a serious red flag that has to be analyzed.

The Stark law is a civil statute that is designed to protect against physician referrals to third-party entities with which the referring physician has a prohibited financial relationship and involves reimbursement by Medicare. Unlike the AKS law, the Stark law is a strict liability offense that carries financial penalties and can serve (like an AKS violation) as the basis for a False Claims Act violation.

Stark risks arise when patients in a healthcare organization refer patients to third parties with whom the physician has a financial relationship. There are certain exceptions to the Stark rule that may permit the referral relationship but these need to be carefully examined.

The False Claims Act is the government’s favorite enforcement tool against healthcare organizations. The Act, as amended in recent years, has been modified to include provisions that are favorable to government prosecutors. Violators face treble damages and civil penalties for each false claim, as well as potential exclusion from federal healthcare programs, which is a death sentence for any healthcare organization. The submission of claims to Medicare, Medicaid or any other federal healthcare program creates serious and significant risks that have to be addressed.

To identify and assess FCA risks, a healthcare organization has to focus on the employees responsible for coding and documentation requirements for claims submissions. If the healthcare organization relies on a third-party biller, the contractual relationship with the vendor has to be examined to ensure that it does not create a financial incentive for the vendor to submit incorrect codes and claims. Additionally, healthcare organizations have to develop specific protocols for situations in which they might receive overpayments from the federal healthcare program and seek to repay such funds in a timely manner. In order to mitigate risks in this area, healthcare organizations have to audit coding and billing practices annually.

To complicate matters further, HHS’ Office of Civil Rights has focused greater attention on HIPAA compliance and investigating privacy breaches by healthcare organizations. A violation of HIPAA can result in civil monetary penalties, and even criminal prosecution in a serious case.

A healthcare organization has to understand exactly what kinds of information falls within the definition of protected health information (PHI). The communication of PHI or the disposal of such information has to be conducted carefully and in accordance with strict requirements. Many healthcare organizations use encryption software on computers and mobile devices to protect PHI.