As we look back at the activity regarding physician practice acquisitions for the past few years, there is much to be learned from the diligence process. Private equity (PE) firms have created a sizable shift in the market where hospitals were trending previously. While hospitals understand healthcare compliance, PE firms face a steep learning curve. However, we have observed a quick pivot to understanding healthcare compliance by many firms through an increase in compliance-related diligence, implementation of compliance programs, and a better understanding of the risks encountered in this arena.
Healthcare compliance is guided in part by government scrutiny. From qui tam suits to False Claims Act (FCA) cases, PE firms are awakening to healthcare compliance realities. For example, there were $5.6 billion in FCA settlements and judgments recovered by the U.S. Department of Justice (DOJ) in fiscal year 2021, and over $1.6 billion of that arose from lawsuits filed under the qui tam provisions of the Act.[1]
The specifics of cases teach us to monitor certain aspects of our practices. The Diabetic Care RX case revealed issues with leadership’s knowledge of improper marketing schemes, leading to physicians prescribing creams and other items without patient consent or seeing the patient. The Gores Group case is similar but further highlights that once an issue is known, it is expected to be resolved. In the H.I.G. Capital case, we see issues regarding unlicensed or unqualified staff performing services.
September 2019 – United States ex rel. Medrano v. Diabetic Care RX, LLC et al.[2]
- Riordan, Lewis & Haden (RLH) Inc., a private equity firm, was also named a defendant.
- Allegations that the pharmacy improperly paid kickbacks to receive lucrative referrals of patients eligible for compounded medications.
- DOJ alleged RLH had a “controlling stake” in the compound pharmacy and “planned to increase [the pharmacy’s] value and sell it for a profit in five years.”
- DOJ perspective – RLH focused on profits over patients to make a fast payback and was not mindful of the complex legal and regulatory landscape governing healthcare fraud.
- Private equity firms on notice to take steps to reduce risk of being targeted by the government for FCA violations.
November 2020 – Johnson & Johnson and The Gores Group (TGG)[3]
- FCA violations by a former TGG portfolio company.
- As part of the settlement, the Gores Group agreed to pay an additional $1.5 million to resolve allegations that the portfolio company continued the alleged improper sales and promotion practices after TGG acquired the company.
October 2021 – H.I.G. Capital[4]
- H.I.G. agreed to pay $19.9 million in the largest FCA settlement to date involving a PE firm to resolve claims against a mental health company it owned.
- Billed Massachusetts’ Medicaid program for services provided by unlicensed and unqualified staff.
With PE firms solidifying their space in the healthcare industry, they are no longer viewed or considered as “passive investors”; thus, it is difficult to claim a lack of familiarity with regulatory mandates governing that industry. As a result, PE firms have come to appreciate the potential historical risk assumed when investing in physician practices and better understand the importance of compliance’s role in the deal. While there is room for improvement to create solid and robust compliance programs post-close, compliance focus is increasing in preacquisition due diligence activities.
Per the Federal Sentencing Guidelines, physician practices are required to have a compliance program in place, albeit the common historical perception is that this is “not as applicable” in the physician practice space. This perception is incorrect, because robust compliance and solid operational processes not only can limit risk to the practice but also can increase its value as it goes to market.
Consolidation of physician practices has been expected for years in anticipation of value-based payment structures. Larger entities become bigger audit targets; however, the small physician practice should not expect to fly under the radar. Whether you are leading an independent physician practice or looking to take the practice to market, there are key components in practice operations that support a strong foundation and are equally the source of common issues that we find during diligence.
Key components of a strong foundation and common cracks
The revenue cycle is one of the greatest risk areas; therefore, having a strong foundation of revenue cycle processes and internal controls is important. Regular reviews of the following key components and identifying when common issues (cracks) are revealed can mitigate risk and improve the health of the practice:
- Patient registration – Identify the process by which patient demographic and insurance information is captured, verified, and entered into the billing system.
  - Common cracks – Poor staff training on the significance of capturing accurate information, inefficient use of electronic health record (EHR) functionality.
- Pre-certification/prior authorization – Identify the process for obtaining required pre-certifications and pre-authorizations prior to billing insurance companies.
  - Common cracks – Poor staff training, not obtaining prior authorization in advance of the procedure/appointment.
- Time of service collections – Identify the process by which staff collects copayments, deductibles, and past-due balances at time of service.
  - Common cracks – Poor training of staff and lack of staff empowerment to request and require contractual payments.
- Financial controls – Identify the controls in place to support accounting for funds collected at the time of service.
  - Common cracks – Lack of strong reconciliation processes in place.
- Staff complement and workflows – Identify the current number of revenue cycle staff by job category.
  - Common cracks – Inadequate staffing.
- Discounts – Review establishment and management of self-pay payment discounts and courtesy adjustments.
  - Common cracks – Waiving required copayments and billing “insurance only,” inappropriately writing off patient responsibilities.
- Payment posting – Review the processes for posting insurance and patient payments, including electronic funds transfer and any payments received directly, as well as processes for writing off accounts, resolving credit balances, and issuing refunds as needed.
  - Common cracks – Delays in payment posting.
- Patient collections – Identify patient collection processes, including patient billing cycle and any other collection activities. Analysis of the processes in place for collecting patient-responsible balances, such as fee estimates, deposit requirements, and payment plan establishment/monitoring.
  - Common cracks – Lack of a clearly defined payment plan policy, including lack of payment plan parameters and patient-signed acknowledgment.
- Patient responsible balances – Identify existing processes for handling write-offs, transfers to patient responsibility, and patient collections.
  - Common cracks – Poor accounts receivable management.
- Reimbursement – Evaluate processes for identifying and properly resolving overpayments and credit balances, particularly government payers.
  - Common cracks – Lack of monitoring and timely resolution of credit balances.
Poor operational processes can lead to potential compliance risks. Critical components of operational compliance include:
- Policies and procedures – Every compliance program should include written policies and procedures that address specific risk areas in the organization. Policies and procedures are a cornerstone of any organization, clearly defining the organization’s policy on any related topic as well as detailed processes for carrying out the organization’s business.
  - Common cracks – Lack of updated policies and procedures for the organization.
- Human resources (HR) – HR and compliance must work in tandem to ensure appropriate compliance education, including Occupational Safety and Health Administration (OSHA) and HIPAA Act training, is provided at time of hire and annually. Specifically, OSHA training must be completed at the time of initial assignment to tasks where occupational exposure may take place, followed by offering the Hepatitis B vaccination within 10 days of the employee’s start date. Office of Inspector General (OIG) exclusion checks should be conducted at time of hire and ongoing monthly as a best practice. HR is also responsible for appropriate personnel file management, including documentation of tuberculosis testing, Hepatitis B, and flu vaccinations, as well as verification of current licensure and credentialing information for all providers and staff.
  - Common cracks – OSHA training not completed, and the Hepatitis B vaccination not offered within 10 days of the start date. OIG exclusion checks not conducted at time of hire and not ongoing monthly.
- OSHA and facility safety – OSHA and facility safety include several operational compliance components, including but not limited to: appropriate hazardous waste storage and disposal; soiled linen storage, processing, and disposal; maintenance of shred bins and protected health information (PHI) disposal; personal protective equipment and how it relates to COVID-19 patients and potential workplace exposure; fire extinguishers, posted evacuation routes, documentation of drills and attendance; and physical security of the building.
  - Common cracks – PHI not disposed of in the Shred-it bin. Evacuation routes not posted.
- Laboratory compliance – Laboratories must meet the in-office ancillary exception to meet Stark compliance and have an active Clinical Laboratory Improvement Amendments Certificate.
  - Common cracks – Structure and location of laboratory do not meet certification or exception requirements. Additionally, the billing of such services must be supported with documentation of medical necessity by the physician or authorized provider in the patient’s record.
- HIPAA privacy and security – Information security and privacy are also a focus of increasing due diligence activities, including but not limited to: HIPAA incident documentation; annual HIPAA security risk assessment with corresponding action plan; periodic email and system password changes; policies for encrypting email, secure transmission, and storage of medical records; physical security of information technology with access restricted to appropriate personnel; access logs and monitoring for unauthorized use and/or disclosure of PHI; and executed business associate agreements with vendors where applicable.
  - Common cracks – Unencrypted devices, the use of texting in an unsecured environment, as well as servers in an unlocked closet or room.
- Monitoring and auditing – While best practice is for physician practices to employ certified coding professionals, it is not uncommon to find noncredentialed billing staff. Regardless, a practice should have an external documentation and coding audit performed annually and subsequent coding education provided. Further, additional auditing controls should be implemented if the practice utilizes advanced practice providers (APPs) and participates in incident-to and/or split-shared billing practices.
  - Common cracks – Auditing is not performed, the staff does not have the capacity or the skill set to conduct audits, and APP services do not meet incident-to or split-shared guidelines.
- Education and training – All operations, clinical staff, and physicians should receive annual regulatory compliance and billing compliance training.
  - Common cracks – Physicians are not trained on coding and billing requirements; staff receives minimal training.
Self-assessing and building a stronger foundation
Payers are monitoring claims data for aberrant activity, and we can utilize our EHRs and other analytic tools, such as Microsoft Power BI and others, to analyze our own data. Payer analytics are performed at the provider level and quickly reveal outliers regardless of the size of the practice. Practices are best served by EHRs that have robust reporting functions.
Current Procedural Terminology and Healthcare Common Procedure Coding System codes, as well as modifiers with high utilization and collections, should be included in compliance work plans for risk-based auditing. Reviewing the associated claim for documentation support of coding compliance and medical necessity is vital for reducing denials and overpayment issues. Also, monitor regulatory agencies such as the OIG, the Centers for Medicare & Medicaid Services, recovery audit contractors, etc., for audit activity, focus areas, and findings (corporate integrity agreements, comprehensive error rate testing and comparative billing reports, and issues lists).
Major audit areas for 2023 that should be on practices’ work plans are services provided under the public health emergency exceptions, telehealth and telepsych services, other remote services, evaluation and management (E/M) services using the new E/M guidelines, Medicare split/shared visit billing compliance, and billing for services associated with substance use disorder and other behavioral health.
Takeaways
- We can learn how to assess our own practices by focusing on the same areas as those reviewed in the due diligence process and watching for the common cracks often identified.
- Consolidated physician practices are bigger audit targets; however, the small physician practice should not expect to fly under the radar.
- Assess your revenue cycle and operational processes to reveal issues creating compliance risk.
- Leverage data analytics to monitor potential compliance concerns and inform risk-based auditing.
- Reinforce your foundation by assessing the key components of your practice’s infrastructure and filling the gaps by implementing effective internal controls and providing regular education and training.