As I have worked with a variety of physician practice groups and other smaller healthcare organizations, I have seen repeatedly that there are compliance gaps that can become expensive if left unattended.
The Practice Administrators aren’t being deliberately negligent, typically. They just don’t know about certain things they are supposed to be doing. They are, after all, incredibly busy people running a practice. This situation most often arises with practices that aren’t closely aligned with a hospital. Hospitals will often provide compliance training and tools to affiliated practices; after all, it’s in everyone’s best interest to make sure everyone is following the rules.
So, what are some of the key issues that repeatedly arise? I will share the most common here.
- HIPAA, HIPAA, HIPAA. Most providers do have a Privacy Notice, and hopefully are getting an attestation from all patients (and providing them with the Notice). But, are they doing everything the Notice says they are doing? Patients have a number of rights, and the Practice needs to review that list and just make sure. When the Office of Civil Rights, who enforces HIPAA, does an audit, they check those patients rights issues.
Business Associates are another big risk area. Do you know who actually qualifies as a Business Associate? If a vendor is using, accessing, or disclosing patient health information, you should have a Business Associate Agreement. A breach by a Business Associate, such as a billing company, can create a big problem for you.
Lastly, related also to HIPAA, is the Security Risk Assessment. It is not just required under MIPS, it’s required under HIPAA, and should be done annually. Once it’s done, the gaps need to be addressed.
2. Background Checks. Are you thoroughly vetting and credentialing everyone working on behalf of the Practice? Although most Practices do credential providers, in terms of verifying education, etc., many do not do a comprehensive review of all employees, students, providers, or temporary employees. Some of these can be handled by way of a contract provision requiring, for instance, any temporary nurses are checked by their agency before being sent.
Also related to background checks is the requirement to check state and federal exclusion lists. This is commonly not known in a smaller practice. The Office of Inspector General (OIG) for Health and Human Services has a list of Excluded Individuals and Entities. These are people excluded from participation with Medicare or Medicaid. You should be checking that up-front and monthly, for anyone the Practice hires or contracts with. The states have comparable lists to check. Why do you care? If you have such a person providing services on your behalf, and the government identifies that (and they do run audits), you can face fines into the tens of thousands, as well as other possible sanctions.
3. Compliance Education. Most practices do not require new employees have compliance training or, if they do, it is only HIPAA and/or OSHA. And most do not have annual training. It doesn’t have to be onerous or expensive, but topics like fraud and abuse and compliance for coders and billers (and for physicians doing their own coding) is very important.
Those are a few of the heavy hitters, the biggest compliance topics that I see being missed regularly. This is particularly a risk for growing or merging practices that may have more to lose and represent a bigger target/deep pocket in the event of a breach or other incident. It doesn’t take much to get your practice reviewed, and most practices need help with just a few issues, such as the above. But, be aware, the OIG does expect small physician practices to have a form of compliance program, so you might want to add this to your 2019 list of ‘to-do’s’.