Regardless of the industry vertical your organization operates in, there is no getting away from compliance with the regulatory framework under which it operates. From the way in which personnel are onboarded (was there any kind of discriminatory action during the selection process?) to the work conditions which must be adhered to (health and safety norms set by OSHA and others) to pay parity, there are numerous laws, regulations, rules, and professional standards which every organization, even those in healthcare, must abide by. Every organization that benefits from government programs needs to assure its integrity to stay out of the OIG's crosshairs.
Fraud and Abuse of the System Hurt the Common Citizens
From enrollees being assigned more than one enrollment number to claiming federal reimbursement on behalf of beneficiaries who had already died, different healthcare units under Medicaid and Medicare abused and cheated the system in 2022-2023, which cost the federal government dollars that could have been put to use where they were genuinely needed. Lack of oversight of managed care organizations (MCOs) by states like New York led to denials of service that did not comply with federal and state requirements, and these denials were identified by federal authorities. In certain cases, it is vital for healthcare providers to get prior approval of services to prevent denial of claims and, in some cases, denial of service. Remember, any denial of service means that access to care is getting limited. In other instances, manufacturers were not told by states to apply rebates in their invoices, leading to wrongful overpayment.
Vital to Meet Federal and State Requirements
Both the HHS Office of Inspector General (OIG) and the United States Department of Health and Human Services’ Office of Civil Rights (US HHS OCR) instituted investigations and carried out audits on reports they received, to facilitate compliance and exclude wrongdoers from access to benefits. Where any healthcare organization claimed reimbursement on incorrectly calculated Cost Accounting Standards-based nonqualified costs and received improper payment, it will be liable to return the money to Medicare, or whichever carrier it claimed the reimbursement from. Therefore, the onus is on healthcare providers to ensure that their coding and billing meet federal and state requirements.
Fraud in Other Areas Hurt Both the Government and the People
Investigations into Improper Payments by HRSA, and Findings
As in the HIPAA Privacy Rule, consent is central to the use of personal data under GDPR, even when the information is collected from a visitor to a website. Just collecting consent once won’t serve for a lifetime. You must seek consent every time there is a transaction on your website, even if it is simply access to a medical journal analyzing prevention methods for certain ailments, or a healthcare newsletter for professionals which you publish. Analyze whatever data you store on your website’s server to calculate which will be greater: the cost of deletion or the cost of encryption.
This included an investigation into a complaint that the Health Resources and Services Administration (HRSA) within HHS, which had been selected to provide day-to-day oversight and management of the COVID-19 Uninsured Program (UIP), had permitted payments to healthcare providers for care provided to patients for complaints unrelated to COVID-19, for testing of symptoms unrelated to COVID-19, for claims lacking supporting documentation, and, on occasion, for services not provided. What is worse, these patients had valid health insurance. The OIG recommended that the HRSA recover the improper payments of $294,294 from the already identified recipients whose claims did not fall within federal requirements. It also recommended that the HRSA take remedial action after investigating other improper payments, which the OIG estimates were around $784 million.
Federal Requirements to Assure Better Services and Improved Outcomes
Hospitals, post-acute care (PAC) units like skilled nursing facilities (SNFs), and long-term care (LTC) units like nursing homes and home health care agencies (HHAs) must comply with federal requirements for life safety, emergency preparedness, and infection control. This means that if HHAs fail to report, on patient Outcome and Assessment Information Set (OASIS) assessments, falls suffered by patients that led to major injuries and even hospitalization, it can mislead the Centers for Medicare & Medicaid Services (CMS), which uses these assessments to determine the quality of care provided by HHAs. It is important to keep in mind that quality of care is a major factor on which their reimbursement is based. It also means that this failure can lead to misleading results on the Care Compare website.
Consumer Protection and Anti-Competitive Activities Are Still on the Feds’ Radar
When companies indulge in anti-competitive activities which limit consumer options, it will bring them onto the radar of federal authorities sooner or later. Antitrust actions will be spurred if any organization indulges in wage fixing of its personnel, since the enforcement authorities point out that wage fixing hurts everyone, especially workers. When it is done to enable the owner of the business to sell the company at a higher price, it is outright fraud. Similarly, if a doctor or facility limits patient choices of drugs, especially life-saving drugs, through price fixing or collusion with manufacturers for market allocation, it attracts investigations into antitrust conspiracy. As everyone knows, once the investigations begin, the authorities rarely stop at simply what was brought to their notice. When they keep digging, you never know just what they might uncover. Information blocking by healthcare facilities and other providers can attract a penalty of $1 million per violation. Therefore, companies whose actions are less than transparent need to fall in line.
Discrimination Based on Disability, Gender, Ethnicity, and Religion a Major Red Flag
HHS has proposed a new rule called Nondiscrimination on the Basis of Disability in Programs or Activities Receiving Federal Financial Assistance, to update Section 504 of the Disability Act. It is expected to improve access to care for people with disabilities, and to bolster prohibitions against any provider participating in the government's health and human service programs denying service to patients, or excluding them from healthcare, based on disability. Secretary Xavier Becerra said in a September 7 press release, “We celebrate the inclusion and access promoted by this landmark civil rights law for people with disabilities, by taking action in this proposed regulation to clarify and strengthen the protections afforded by Section 504, reflecting over fifty years of advocacy by the disability community”.
Providers Need to be Inclusive
The HHS has displayed concern that the quality of service might be adversely impacted if providers allow their medical judgment to be clouded by preconceived notions, biases, and prejudices. It is vital that patients are not discriminated against because they suffer from certain health conditions such as HIV, Down’s Syndrome, or any of the diseases listed under the autism spectrum, among others. Discrimination not merely in healthcare service but also in matters of employment, such as exclusion from certain work profiles or job opportunities despite equal education and skill set, and denial of equal pay for equal work, remains on the federal authorities’ radar.
Data Security, Privacy, and Audits Remain a Priority
Government institutions, financial and healthcare organizations, those in public service and in hospitality, e-marketplaces, BPOs, cloud service providers, and just about anyone who has access to sensitive data must ensure data security to prevent data breaches which jeopardize data privacy, or expose classified information with the potential to cause harm to the person or persons whose data has been breached. Therefore, you must comply with all data security and privacy laws, regulations, and rules, with special reference to the state laws. If your business operates outside US territory, then you must remain compliant with the data privacy and security laws of that area.
Protect Data with Regular Audits of Information System and Infrastructure
Have data security audits carried out at least annually to ensure that you know what vulnerabilities exist in your organization’s systems. An unsecured server might lead to improper disclosure of individually identifiable information (III) such as credit card and social security numbers, geographic location, gender, and telephone numbers, which in turn can be used for identity theft. Identity theft is serious business for the victims, as it can lead to denial of service, or even of access to service. However, the penetration testing and risk assessment carried out during an audit would enable your organization to identify vulnerabilities in the information system, such as an unsecured server; procedural issues; inadequate security measures like weak password management and poor firewall configuration; lack of training, which could lead to risky behavior by personnel (internal threats); and weaknesses in infrastructure security, including application and OS security.
Don’t overlook data security in telehealth encounters: For healthcare providers who serve hard-to-reach patients through telehealth, as well as those who use telehealth for setting up appointments, scheduling, and reminders to assure a seamless experience to patients requiring face-to-face encounters, data security remains one of their biggest challenges.
Get the Necessary Certifications, or Risk Loss of Trust
Few people realize the importance of acquiring certifications, not just at the personal level, but also at the organizational level. When an organization acquires certifications such as ISO 27001:2022, ISO 9001:2015, SOC 2, and PCI DSS, it indirectly tells its clients, customers, and vendors that it is to be trusted, and is compliant with various industry standards like HITRUST CSF.
If you are at a loss and don’t know whom to reach out to for carrying out audits or acquiring certifications, just contact us at: service@frigg2pc.com.
Key Takeaways
- There is no getting away from compliance with the regulatory framework under which any organization operates.
- The areas of compliance enforcement embrace a broad range of activities from combating fraud and abuse of the system to improper payments to consumer protection and anti-competitive activities.
- Fraud and abuse of the system hurt the common citizens.
- It is vital to meet federal and state requirements as fraud hurts both the government and the people.
- OIG has directed that investigations into improper payments should lead to recovery.
- Healthcare organizations need to meet federal requirements to assure better services and improved outcomes.
- Providers and employers need to be inclusive, and avoid discrimination based on disability, gender, ethnicity, and religion.
- Data security, privacy, and audits remain a priority. So, protect data with regular audits of information system and infrastructure.
About the Author
Pranith Kumar serves as a Senior Analyst at Frigg Business Solutions, operating out of both the USA and India. As an information security auditor with over 3 years of experience, Pranith has developed expertise in Vendor Security Risk Assessments, as well as HITRUST, SOC, and ISO testing. He is adept at evaluating and ensuring compliance with industry standards, backed by a solid grasp of Risk Management practices, Regulatory requirements, and Security Controls.
Pranith has played a pivotal role in the successful implementation of the Health Information Trust Alliance (HITRUST) Common Security Framework across various organizations, achieving 100% compliance in multiple instances. His leadership and specialized knowledge have significantly contributed to the advancement of information security within these environments.
Pranith, with his excellent people-handling skills, leads a team of 25 senior resources, including team leaders, training them to excel in business operations and deliver the highest customer satisfaction scores.