Managing to Succeed: Keeping Up With Compliance
By Nicodemo “Nico” Fiorentino
Vol. 22 No. 6 P. 10
Compliance is vital to your organization’s health.
As the COVID-19 pandemic begins to wind down and life returns to a “new normal,” now is a good time to check the pulse of the compliance program in your radiology practice. Creating and maintaining an effective compliance program ensures your organization is identifying and addressing the most impactful risks. It is your organization’s health insurance policy.
Over the past year, despite the pandemic, government efforts to enforce federal fraud and abuse laws have not slowed, nor has the threat of cyberattacks that compromise patient information. It’s important to know the basics of establishing an effective compliance program, two critical laws that organizations overlook at their peril, and relevant case examples involving radiology practices.
Radiology practices and their administrators are likely familiar with the requirement for an established compliance program, as set forth in the Patient Protection and Affordable Care Act, as a condition of enrollment in Medicare, Medicaid, or the Children’s Health Insurance Program. However, it may be overwhelming to bring that program to fruition within your practice.
According to the US Department of Health and Human Services (HHS), an effective compliance program includes the following seven fundamental elements:
• written policies, procedures, and standards of conduct;
• designation of a compliance officer and compliance committee;
• effective training and education;
• effective lines of communication;
• internal auditing and monitoring;
• enforcement of standards through well-publicized disciplinary guidelines; and
• prompt response to detected problems through corrective actions.
Reviewing your internal compliance activities and planning against these elements can highlight opportunities for improvement or creation of new practices. Some of the best resources to help organizations get started are offered by the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) for HHS.
The “Affordable Care Act Provider Compliance Programs: Getting Started Webinar” from CMS provides detailed information about the seven elements as well as the dos and don’ts of implementing a compliance program. This is a good place for practices creating or reviewing their programs to start, offering key insights and details that may not be top of mind.
Additionally, OIG’s Compliance Resource Portal provides resources on complying with relevant federal health care laws and regulations. Organizations should review the OIG’s compliance program guidance documents, which are guidelines tailored to various segments of the health care industry and provide further information on what is expected of a compliance program.
For organizations looking to assess their existing compliance program, the OIG’s compliance checklist is extremely helpful; it contains suggestions for evaluating a program’s effectiveness against these seven elements. Putting repeatable, systematic risk assessments in place and consistently measuring program effectiveness enables practices to proactively identify and address risk rather than waiting for an incident to expose a concern.
Key Laws and Recent Cases
The ability to identify specific concerns and risks to your organization involves an understanding of key federal and state laws and regulations, such as the False Claims Act (FCA) and HIPAA. A compliance program built to address these areas provides a high level of proactive mitigation and some peace of mind for your practice.
The FCA is the government’s primary weapon to combat health care fraud; since the law’s 1986 amendment, the government has recovered more than $64 billion in settlements and judgments from civil cases involving fraud and false claims against the government. The filing of false claims is a significant area of risk in medical practice and, unfortunately, one that runs rampant among less ethical practices and practitioners. Beyond intentional fraud, a practice may unintentionally find itself in violation of federal regulations, including those related to supervision and accreditation. The examples that follow illustrate how organizations with an effective compliance program may still have practices not aligned with federal and state laws and regulations. Those without a comprehensive program face even greater risk.
Over this past year, several settlements involved allegations of submitting false claims for unsupervised radiology studies. Another case included allegations of submitting false claims because certain facilities lacked proper accreditation. That case also required the organization to enter into a three-year Integrity Agreement with the HHS-OIG and implement compliance-related obligations, such as training, auditing, and monitoring designed to address the conduct alleged in the case.
Another significant risk area involves compliance with HIPAA, which, among other things, sets forth national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HHS is responsible for HIPAA’s implementation and has issued numerous rules that are likely to impact your practice, including the following:
• the Privacy Rule, which addresses the use and disclosure of an individual’s protected health information (PHI);
• the Security Rule, which protects all individually identifiable health information created, received, maintained, or transmitted in electronic form (ePHI); and
• the Breach Notification Rule, which requires covered entities and their business associates to provide notification following the breach of unsecured PHI.
The HHS Office for Civil Rights (OCR) serves as the enforcer of HIPAA and its rules. One recent example of OCR’s enforcement concerns a medical imaging services company server that allowed uncontrolled access to more than 300,000 patients’ PHI by allowing internet search engines to index the PHI, which remained visible even after the server was taken offline. OCR’s investigation uncovered a failure by the company to comply with HIPAA requirements, such as conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities affecting the confidentiality, integrity, and availability of all its ePHI. Ultimately, the company paid $3 million to settle potential violations of the HIPAA rules, including the Breach Notification Rule. OCR also required the company to enter into a six-year resolution agreement and corrective action plan to address the noncompliance that led to the uncontrolled access.
Cyberattacks on the Rise
To underscore the severity of cybersecurity risks that health care organizations face, ProPublica published an investigative report in September 2019 revealing that millions of medical images and health data, generated from PACS, existed on unprotected internet servers that were easily accessible by anyone with basic computer expertise.
In March 2020, Fortune published an article that discussed the results of a threat report finding that 83% of internet-connected medical imaging devices were vulnerable to attack, compared with 56% in 2018. Five months later, an imaging company announced it was subject to a ransomware attack that caused a data theft affecting almost 245,000 patients. In February 2021, another imaging company notified patients that their data may have been accessed by unauthorized parties for 18 months, due to a security vulnerability involving third-party hardware that stored and transmitted information between medical service providers.
For radiology practices, knowing the risks associated with the vendors they choose and having a robust compliance program to monitor external threats can provide an added level of protection. Organizations with an effective compliance program stand a better chance of detecting and responding to the risks posed by cybercriminals and others. Therefore, it is critical that radiology practices regularly review and evaluate their compliance programs and take the opportunity to gather internal stakeholders, ensuring policies are up to date and being implemented as expected. Finally, when in doubt, never hesitate to turn to a compliance expert, whether it be your in-house department or outside counsel, for help. After all, they are on your side.
— Nicodemo “Nico” Fiorentino is the compliance counsel for Guerbet.