Breaking down the basics of healthcare screening and best practices for OIG compliance

By Lorinda Walters

Lorinda Walters (lwalters@appriss.com) is Director, Healthcare Screening Solutions, at Appriss Insights in Louisville, KY.

No industry has remained immune to the challenges of this year’s labor shortage, but the demand for workers in the healthcare sector is more complicated than most. Healthcare organizations and employers are responsible for the safety of millions of patients, so at the same time as they deal with a dire need for new employees, they must ensure that the individuals they employ are properly licensed, have a clean history with their licensing board, and are not excluded from any state or federal programs.

According to data from the occupational employment statistics from the Bureau of Labor Statistics, in 2019 there were more than 20 million people working in healthcare and social assistance.[1] By 2029, the Bureau of Labor Statistics projects more than 23 million people to be working in healthcare, making it one of the largest and fastest-growing industry sectors in the United States.

The magnitude and complexity of the industry makes screening for issues challenging, and the process for screening providers in various healthcare-related, publicly accessible databases is not a smooth or easy one. The inter-relationships among government agencies that maintain their own exclusions lists can be opaque even to veterans of the industry.

The key to finding and retaining healthcare providers and maintaining quality standards is to understand the differences between three main industry compliance requirements—sanction, exclusion, and termination—as well as the best practices for screening out questionable providers.

Sanctions, exclusions, and termination

Enforced by the Office of Inspector General (OIG) at the U.S. Department of Health & Human Services[2] or a state Medicaid program, a healthcare sanction is handed out when an individual or entity is found to be in violation of an administrative rule, civil law, or criminal offense. An exclusion is one of several possible results of an OIG sanction in a federal or state-funded healthcare program. The purpose of the OIG is to prevent and detect fraud, waste, and abuse.

Individuals or entities that are convicted of committing Medicare or Medicaid fraud, along with various other offenses related to the delivery of items or services under Medicare, Medicaid, State Children’s Health Insurance Program, or other state healthcare programs are excluded from participation in all federal healthcare programs by the OIG.

But even if an excluded individual can no longer participate in federally funded healthcare programs such as Medicare and Medicaid, they can still provide care for private practice organizations—and can continue to put patients at risk. Although organizations that do not receive federally funded healthcare dollars will not be held liable by the OIG when providers practice privately, they should still perform due diligence to ensure they are doing everything possible to protect patients. By using the exclusion database provided by the OIG, checking state Medicaid lists, and performing checks for any disciplinary actions against a potential provider, healthcare organizations can protect patients and themselves from potential negative exposure.

There are two different kinds of exclusions enforced by the OIG.[3] Mandatory exclusions can occur if the entity or individual is convicted of patient abuse or neglect, or if they are convicted of a felony related to healthcare fraud. Permissive exclusions are imposed for incidents such as defaulting on student loans or a misdemeanor conviction related to healthcare fraud.

However, the most common kind of exclusion is a state-sanctioned revocation or suspension of a healthcare professional’s license. State Medicaid can also exclude for cause, not only for license actions. When this occurs in a single state, any excluded provider in one state should also be excluded in all states.[4] It is important to note that reinstatement does not occur automatically at the end of a term of exclusion, however, but that an excluded party must apply for reinstatement.[5] No national database exists to keep track of license revocations, so in some cases providers and practitioners who have had their licenses revoked in one state will “state hop” elsewhere and continue to practice.

Not all practitioners who have had their licenses suspended or revoked will be excluded by the OIG, since the OIG makes its own determination. Even if a provider is not excluded by the OIG but is excluded by state Medicaid, the healthcare organization is still at risk since providers who are excluded in one state are excluded in all states. This can lead to Department of Health & Human Services fines and penalties against the healthcare employer.

Figuring out why someone’s license was revoked or suspended isn’t always so simple, as the notes or minutes from the state licensing board responsible for the action don’t necessarily specify a reason, especially since the relinquishment could also have been voluntary. It is often necessary to dig deeper to ascertain the full picture, and even then, it may not be possible to gather all of the relevant details.

A closer look at all the relevant information requires access to a much more robust dataset than only the OIG and Systems for Award Management (SAM) exclusion lists.

Healthcare organizations can leverage a service provider to check not only these exclusions lists, but also state board actions, state abuse registries, the Centers for Medicare & Medicaid Services preclusion list (which is only available to certain organizations), and the Social Security Administration’s Death Master File. These additional datasets help provide healthcare organizations with the full picture.

The third category within the healthcare screening industry is termination, which is not, despite common misconceptions, the same thing as exclusion. According to a Centers for Medicare & Medicaid Services bulletin,[6] “termination” occurs when the state terminates the participation of a Medicaid or Children’s Health Insurance Program provider from the program or when the Medicare program has revoked a Medicare provider’s or supplier’s billing privileges and they are ineligible to appeal the decision. This means a provider could be terminated by the state and continue working at a private healthcare organization, as long as they don’t provide services that are billable to Medicare.

Being excluded from a federal healthcare program, such as Medicare, Medicaid, Children’s Health Insurance Program, and TRICARE, is one example of a penalty imposed on providers by the OIG. Providers that are excluded by the OIG have a much harder time maintaining their practices, as there is the additional obstacle of being unable to see patients using any federal healthcare programs.

There are serious consequences unique to healthcare employers that fail to properly vet their employees: civil monetary penalties, corporate integrity agreements, and the exposure to medical malpractice lawsuits and litigation. On the financial side, healthcare organizations can not only be fined more than $10,000 in civil monetary penalties, but also treble (tripled) damages for each service rendered by an excluded individual or entity.[7] In addition, medical malpractice liability costs the healthcare industry $55.6 billion dollars annually.[8] Not only can high-quality healthcare screening improve the quality of a healthcare organization’s workforce, it can be used to demonstrate due diligence in the event of a lawsuit.

Healthcare organizations should also maintain a corporate compliance program, since the federal government has provided clear guidelines to that effect. This kind of program is a group of protocols laid out by an organization to ensure adherence to industry standards and a high quality of care. Similar to most industries, the healthcare industry comes with myriad regulations, standards, and laws on both the state and federal level that must be closely followed. Noncompliance can carry fines and penalties.

In 1991, the United States Sentencing Commission put into effect organizational sentencing guidelines, which, according to the deputy general counsel of the U.S. Sentencing Commission, were designed to engender both “just punishment” (a punishment that fits the crime) and “deterrence” (incentives for organizations to identify and root out crime in their workforces).[9] While organizations can be held liable for criminal activity, the commission mitigated potential fines by as much as 95% if an organization can prove it was operating an effective compliance program—as long as offenses are reported promptly and high-level company personnel are not the offenders.

According to the OIG,[10] the seven steps include: the implementation of written policies and procedures, the designation of a compliance officer and committee, effective employee training and education, effective communication to all employees, internal monitoring and auditing, the consistent enforcement of compliance standards, and reasonable steps to prevent similar offenses in the future.

Best practices

OIG maintains the List of Excluded Individuals/Entities (LEIE), a database of individuals and entities currently excluded from federally funded programs. Anyone who hires an individual or entity on the LEIE may be subject to civil monetary penalties and can be held liable for any bad outcomes. To avoid these issues, healthcare employers should routinely check the LEIE, along with the System for Award Management (SAM) list maintained by the General Services Administration, to ensure that new hires and current employees are in good standing.

Keeping close watch on individuals who are excluded for any reason is of utmost importance. But the most severe damage to company brand and reputation comes when well-educated and ostensibly experienced doctors, nurses, and surgeons abuse the system and their patients. This sort of abuse falls well within the bounds of exclusionary action from the OIG.

These instances of abuse—though much more rare than other kinds of exclusions—earn frequent attention from media outlets. In 2019, Arizona nurse Laura Lynn Bell was caught continuing to practice under an alias after having her license previously revoked.[11] Bell pleaded guilty to fraud charges for using fake documents to acquire a medical license and was sentenced to three years of probation.

Without a license and with charges against her, Bell used five aliases and stolen identities of other nurses, forging documents and papers under her various aliases.[12] This was a skill she honed while working for the U.S. Department of Veteran Affairs, when she stole the identities of nurse practitioners and former patients to bill for medical services.

The damage to an employer’s brand from a situation like this one can be significant, and it opens up the organization to penalties from the U.S. Department of Health & Human Services. Because the cost of noncompliance can be so high, healthcare organizations need to mitigate compliance risk by using technology and a comprehensive view of primary source data to prevent instances of hiring and employing excluded individuals. It is also necessary to monitor for changes at least once per month, as the LEIE database is updated on a monthly basis.[13]

It is important, however, that healthcare employers are not blindly reliant on a simple search through the OIG database. While it remains the most comprehensive source in the industry, the database only includes the name known to the OIG at the time the individual was excluded. As a best practice, any former names used by the individual, including maiden names, previous married names, or other names, should be searched in addition to the provider’s current name.

Along the same lines, individuals with hyphenated names should be checked under each of the last names in the hyphenated name, and organizations should maintain documentation of the initial name search performed, as well as any additional searches, to ensure it is possible to validate the results of potential name matches.

After finding an individual or entity’s name in a search, healthcare employers would be well advised to take the final step of validating potential matches through a Social Security number or Employer Identification number for an entity, if available. Finding a name match is not sufficient, especially because common names will result in multiple search results, and there is always the possibility of misspelling and misidentification.

OIG recommends that healthcare employers review each job category or contractual relationship to determine whether the item or service being provided is directly or indirectly, in whole or in part, payable by a federal healthcare program. If it is, the best course of action is to screen any employee who performs under that contract or falls into that job category. Organizations should also screen, at minimum, all contractors and subcontractors, along with the owners of those organizations.

These screening practices are the best way to minimize the risk of hiring a sanctioned, excluded, or terminated employee or entity. Healthcare employers should screen any potential providers and their current roster against the LEIE, the SAM list, and the state Medicaid exclusions lists, along with screening all incoming employees for these exclusions. They should also keep track of practitioner licensure and monitor for any disciplinary actions taken against a practitioner by a state medical board.

Conclusion

When it comes to healthcare compliance, there is no such thing as an overabundance of caution. The screening and hiring processes for healthcare employees are stringent for a reason, and healthcare organizations benefit from maintaining a compliant workforce—or suffer the consequences of failing to do so. The shortage of healthcare workers will eventually ease, but until that happens—and even once it has—healthcare employers can leverage an understanding of healthcare sanctions, exclusions, and termination, along with these best practices, to keep their workforce compliant and keep patients safe.

Takeaways

  • Understanding the difference between sanctions, exclusions, and termination is the key to maintaining Office of Inspector General compliance.

  • Even if an excluded individual can no longer participate in federally funded healthcare programs, they can still put private practice patients at risk.

  • The most common exclusion is a revoked license, but no national database exists to track licenses, so a provider could continue practicing in another state.

  • Healthcare organizations can leverage a service provider to check exclusions lists, including state board actions and abuse registries, the Centers for Medicare & Medicaid Services preclusion list, and the Social Security Administration’s Death Master File.

  • Following these best practices is the surest way for healthcare organizations to keep their workforces compliant, keep patients safe, and avoid monetary penalties and litigation.

 
1 “Employment by major industry sector,” Employment Projects, U.S. Bureau of Labor Statistics, last modified September 1, 2020, https://bit.ly/36qg9Yf.
2 “Background Information,” Exclusions Program, Office of Inspector General, U.S. Department of Health & Human Services, accessed July 9, 2021, https://oig.hhs.gov/exclusions/background.asp.
3 “Exclusion Authorities,” Exclusions Program, Office of Inspector General, U.S. Department of Health & Human Services, accessed July 9, 2021, https://oig.hhs.gov/exclusions/authorities.asp.
4 U.S. Department of Health & Human Services Office of Inspector General, “The Effect of Exclusion From Participation in Federal Health Care Programs,” special advisory bulletin, September 1999, https://oig.hhs.gov/exclusions/effects_of_exclusion.asp.
5 “Updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs,” U.S. Department of Health & Human Services Office of Inspector General, May 8, 2013, https://oig.hhs.gov/exclusions/files/sab-05092013.pdf.
6 Peter Budetti and Cindy Mann, “Affordable Care Act Program Integrity Provisions - Guidance to States -- Section 6501 - Termination of Provider Participation under Medicaid if Terminated under Medicare or other State Plan,” CPI – CMCS Informational Bulletin, May 31, 2011, https://bit.ly/2VtBD4f.
742 U.S.C. § 1320a–7a .
8 Reuters Staff, “Malpractice liability costs U.S. $55.6 Billion: study,” Reuters, September 6, 2010, https://reut.rs/3yY5obZ.
9 Paula Desio, “An Overview of the Organizational Guidelines,” United States Sentencing Commission, accessed July 9, 2021, http://bit.ly/2XfsiIt.
10 Department of Health & Human Services Office of Inspector General, Health Care Fraud Prevention and Enforcement Action Teams, “Health Care Compliance Program Tips,” accessed July 9, 2021, https://bit.ly/3gm8ddk.
11 Joe Enea, “Woman with revoked nursing license pleads guilty to fraud,” ABC 15 Arizona, September 3, 2019, https://bit.ly/36sOaXL.
12 Joe Enea, “AG: Psychiatric nurse with revoked license treats VA patients,” ABC 15 Arizona, August 6, 2018, https://bit.ly/3wPqPKS.
13 “LEIE Downloadable Databases,” Office of Inspector General, U.S. Department of Health & Human Services, last updated July 9, 2021, https://oig.hhs.gov/exclusions/exclusions_list.asp.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings