
Post-ACA: Compliance is Critical

Posted By: Bret S. Bissey, MBA, FACHE, CHC, CMPE / March 22, 2016
This article was originally published in the March edition of AHIA’s New Perspectives on Healthcare Risk Management, Control, and Governance. Co-authors include Kenneth Zeko, Sean McKenna, and Billy Marsh.

The Affordable Care Act (ACA) makes it more important for your organization to have an effective compliance program than in the years before its enactment. Failure to implement such a program could lead to dramatic adverse consequences. The risk is underscored by the pronouncements from the Department of Justice (DOJ) that it would scrutinize whistleblower suits under the False Claims Act (FCA) to develop criminal cases against corporations and their executives.

As a condition of enrollment in Medicare, Medicaid or the Children’s Health Insurance Program, Section 6401 of the ACA requires providers to establish a compliance program. The ACA charges the Secretary of Health and Human Services (HHS) with establishing the core elements of an effective compliance program within a specific healthcare business sector.

In the intervening five years, HHS has yet to issue regulations providing enforcement protocols and timing. However, HHS has articulated seven core elements of an effective compliance program. These core elements can be summarized as:

  1. Written policies, procedures and standards of conduct
  2. Compliance office and program oversight
  3. Training and education
  4. Open communication
  5. Audits and monitoring
  6. Consistent enforcement of internal policies and procedures
  7. Procedures for corrective action

These elements are relatively noncontroversial from an implementation perspective. In addition to these core elements, we believe that a compliance program also should focus on risk management from financial, operational, strategic and regulatory perspectives. Effective compliance programs include three lines of defense. Employees at the operational level are the first line of defense. They should be accountable for identification of risks, internal controls, and compliance activities and monitoring. The second line consists of compliance, legal, risk and quality assurance personnel. They are tasked with creating and maintaining the compliance framework, formulating policies and procedures, conducting compliance monitoring and managing compliance issues as they arise. The third line involves a form of independent oversight including internal audit or external review. Either of these ensures that the organization carries out its respective compliance responsibilities.

Data analytics: an evolution

The ACA encourages government agencies to use data analytics in their pursuit to weed out fraud, waste and abuse. Such tools have revolutionized government enforcement. In fact, government personnel have reported increased productivity and collaboration and greater success in achieving their stated goals to limit erroneous and improper payments.

Given the recent push for data analytics, CMS has changed its approach to combating fraud and now employs a “twin pillar” approach.

The first pillar is the Fraud Prevention System (FPS). FPS was created in 2010 by the Small Business Jobs Act and uses predictive analytics to identify any suspicious or unusual billing patterns, not unlike algorithms employed by credit card companies. The three data analytic models underpinning the FPS include anomaly detection models, predictive models and social network analysis.

In 2014, CMS reported that the FPS analyzed every Medicare fee-for-service claim before payment nationwide since June 30, 2011. Boasting a 10-to-1 return on investment, CMS in July 2015 further claimed the FPS identified or prevented $820 million in “problematic” payments in the first three years of the program, and $454 million in calendar year 2014 alone.

The second pillar is an automated provider-screening program. Automated provider screening uses enhanced data-driven screening procedures to identify ineligible providers or suppliers before they are enrolled or revalidated. Providers now are required to revalidate and reenroll in government healthcare programs under the ACA. Coupled with this reliance on analytics, CMS has increased its enforcement staff.

With these new and enhanced tools, the government relies less on traditional investigative techniques and whistleblowers to enforce against fraud and abuse.

For instance, the DOJ indicted a physician based on his alleged participation in a $375 million scheme involving fraudulent claims for home health services. In a related press release, HHS noted that data analysts quickly discovered that this particular physician certified more than 5,000 patients for home health, while 99 percent of physicians who certified patients for home health had referred 104 or fewer people.

Proactive use of data analytics

Similarly, compliance and internal auditors can use data analytic tools to their advantage. For example, an organization could use analytics to scrutinize claims submitted by its providers. This analysis may reveal unusual coding patterns or indicate certain providers require more billing education and training.

Organizations also can use data analytics in other aspects of claim submissions such as volume, billing codes or claim amounts to identify outliers or other problems such as suspect referral relationships. By using data analytics, internal auditors can help their organization prevent or even eliminate certain gaps in compliance that could result in repayments or self-disclosures.

Data analytics with an interactive contract management system that has the capability to audit, monitor and report its contents can provide useful answers to the following questions related to high-risk contracts among referral sources:

  1. Have parties to an arrangement disclosed any potential conflicts of interest?
  2. Is business being done with riskier companies or arrangements (i.e., physician-owned distributorships)?
  3. Is there documentation that fair market valuation has been performed when acquiring physicians?
  4. Is there a documented business need established prior to the initiation of an agreement with a referral source?
  5. Has the compensation specified in the physician agreement been compared to the actual amount paid?

Proactive use of data analytics aids in identifying where actual problems emerge in contrast to what management may perceive. A focus on actual issues can lead to a more effective compliance program and the development of better responses and plans to mitigate future risk.

Because of the ACA’s reductions in reimbursement and focus on quality, analytics will play an even larger role in compliance, as well as permit effective programs to reap additional funds or at least avoid reductions in payments. Healthcare organizations should therefore spend the time and resources to create and implement proactive in-house analytic techniques to buttress their compliance programs.

Consequences of ineffective compliance

Effective compliance is critical since it can steer an organization clear of trouble with agencies such as HHS’s Office of Inspector General (OIG) and the DOJ. Generally, there are three levels of government enforcement: administrative proceedings, civil actions and criminal cases. Increasingly, noncompliant providers face all three types of proceedings at once.

At the administrative level, government agencies, including HHS or state agencies, can seek civil monetary penalties, suspension, exclusion, termination and revocation of billing privileges, among other sanctions. The rules and procedures in this forum are relatively relaxed. The rules of evidence applied in federal and state court settings are not applicable. Findings made by an administrative law judge or the agency itself have the potential to negatively affect a parallel civil or criminal proceeding.

In a civil action under the FCA, the government or a whistleblower usually seeks a monetary judgment for treble the damages (allegedly) improperly paid or received, as well as penalties between $5,500 and $11,000 per false claim. If a judgment is obtained, the defendant will owe treble damages, penalties (within reason) and likely attorneys’ fees.

Civil proceedings are problematic as individuals named as defendants will want to avoid making any potentially incriminating statements, all of which could be used adversely against them or the organization in a related criminal proceeding.

Criminal charges carry the most severe penalties. A criminal conviction results in automatic exclusion from government healthcare programs, in addition to restitution, fines and penalties, and incarceration for individual defendants. A finding made in a criminal case also applies to any parallel civil case.

Even if an organization could rebut administrative, civil or criminal allegations, the charges are not simply erased. The government or whistleblowers will always resurrect past questionable decisions, conduct or statements. For an organization or individual, the enforcement process can be a no-win situation due to the negative effects on employee morale, community reputation, and the company brand, let alone any adverse findings and consequences.

OIG and DOJ will frequently use corporate integrity agreements (CIA) to settle investigations and other claims the government might have against the organization. In exchange for the OIG’s promise not to exclude the organization from participating in any federal healthcare program, the organization agrees to certain compliance obligations. CIAs typically include, among other items, obligations to:

  1. Hire a compliance officer or appoint a compliance committee
  2. Develop written or more robust compliance policies and procedures
  3. Implement education and training programs for employees
  4. Retain an independent third party to conduct annual reviews and audits of the company
  5. Establish a disclosure program
  6. Report overpayments or other issues
  7. Provide periodic status reports to the OIG for five or seven years

The retention of an independent third party is very expensive and may cost upwards of $1 million for a larger organization. Recent CIAs also include provisions that place specific compliance obligations on the board and senior management as well as claw-back of “excessive” management compensation.

Individual providers and corporate officers also have exposure to civil or criminal liability for compliance obligations. In fact, in September 2015, DOJ released a memo instructing U.S. Attorneys and other law enforcement agencies to focus more on individual wrongdoing when investigating corporate misconduct. The new focus will likely result in increased enforcement actions against individual defendants.

Questions for a compliance program

To evaluate the effectiveness of the compliance program at your organization, consider the following:

  1. What is the organization’s compliance risk profile?
  2. Do employees understand their compliance responsibilities?
  3. Are employees held accountable for compliance duties regardless of title?
  4. Are the organization’s compliance efforts satisfactory?
  5. Could a compliance officer certify that compliance efforts are satisfactory? Could the board? Could the executive leadership team? Could operational management? To the government?
  6. Has the compliance program ever been assessed?

Beyond the foregoing questions, you should ensure the compliance program follows policies and protocols, regularly updates policies and codes of conduct based on experience, and prioritizes compliance functions based on risk. As discussed, the organization also should consider using data analytics to identify potential organizational risks, and embedding the three lines of defense within the compliance program.


Compliance programs require significant time, special attention, and more resources in this post-ACA world. Organizations that can demonstrate an effective and robust program can avoid or mitigate the effects of an enforcement action. Providers that cannot demonstrate such an effective program will continue to encounter the government’s enhanced fraud and enforcement agenda.


Bret S. Bissey, MBA, FACHE, CHC, CMPE

Prior to joining MediTract, Mr. Bissey was the SVP, chief ethics and compliance officer at UMDNJ, where he successfully led the compliance program to adherence with a rigorous five-year Corporate Integrity Agreement with the DHHS/OIG that occurred following a Deferred Prosecution Agreement. Prior to UMDNJ, Bissey served as the director of the Regulatory Compliance Practice at IMA Consulting, the chief compliance and privacy officer at Deborah Heart and Lung Center (operating under a CIA) and the VP of compliance at Cabot Marsh/QuadraMed. Mr. Bissey earned a Bachelor of Science in business administration and marketing from Shippensburg University of Pennsylvania and an MBA in marketing and healthcare administration from Wilkes University. Mr. Bissey is a frequent national speaker on healthcare compliance and is the author of The Compliance Officer’s Handbook. He is a Fellow of the American College of Healthcare Executives and a member of the Health Care Compliance Association (CHC), American College of Medical Practice Executives and the Healthcare Financial Management Association.