Venson Wallin (vwallin@bdo.com) is Managing Director, National Healthcare Compliance and Regulatory Leader, The BDO Center for Healthcare Excellence & Innovation in Richmond, VA.
On October 9, 2019, the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS), respectively, issued proposed revisions to the Stark Law[1] (aka, the physician self-referral law)[2] and the Anti-Kickback Statute[3] (AKS).[4] The revisions are intended to promote increased quality and care coordination by enabling more value-based arrangements.
Under the current state, arrangements between various providers are restricted in the interest of mitigating self-referral among these providers. However, this can inhibit innovation and discourage outcomes-based arrangements that could better serve patients. Providers have been reticent to enter into arrangements that could be perceived as being self-referring among each other, because they could receive significant fines and penalties as a result.
The proposed revisions to Stark and AKS, however, are intended to provide more leniency in the development of innovative provider arrangements in the form of new safe harbors. The promotion of patient engagement, technology sharing, and care coordination are all examples of new innovations that the OIG and CMS are hoping to encourage with the creation of these safe harbors. Their goal is to remove some of the barriers that providers feel prevent them from realizing a truly value-based level of care—higher quality and lower cost.
To date, with the existing Stark and AKS rules limiting the relationships that providers can enter into, variations of provider arrangements have been limited as well. This has resulted in the documentation of these arrangements being consistent across the industry, with few exceptions. These changes in Stark and AKS will result in a multitude of different value-based arrangements, and with them will come several new policies, procedures, and associated documentation. As a result, organizations will need to address new compliance challenges to ensure the benefits associated with these new arrangements outweigh any potential risk for fines and penalties resulting from a failure to follow the requirements of the changes in the law.
More diligence
The OIG and CMS share the goal of promoting innovative provider arrangements that will lead to higher quality, less costly patient care. However, they also realize that with the easing of restrictions to accomplish that goal, the opportunities for fraud and abuse could increase as well. To that end, providers can be assured that scrutiny by CMS and OIG of any new provider arrangements will remain vigilant and could even increase in intensity. Accordingly, providers will need to redouble their diligence efforts in monitoring compliance with Stark and AKS. The following are examples of procedures and activities providers can undertake to augment their compliance policies.
Government affairs office/department
Larger providers have some form of a government affairs or regulatory affairs office or department. This department is typically charged with monitoring the latest changes in existing laws and regulations, as well as any new or proposed laws and regulations on a state and federal basis, and how they may impact the organization. Small- to medium-sized providers often do not have the resources for such a department, and the responsibilities for monitoring regulatory developments fall to one or two individuals.
When issued in October 2019, the OIG and CMS expressed their belief that there will be changes in the proposed Stark and AKS rules, based on industry input during the comment period. Although changes to the proposals are expected, organizations may use the proposed rules to begin strategic planning efforts and negotiations with other providers and healthcare-related organizations to explore innovations in their patient care delivery. This can help them avoid being left behind in the future wave of expected value-based arrangements.
Monitoring the suggested changes to the rules between their proposal and finalization periods will be key, allowing providers to modify any planned arrangements so they can implement them, once the rules are finalized. Additionally, it is anticipated that subsequent to finalization, the rules will continue to be updated by the OIG and CMS based on actual executed arrangements to address any fraud and abuse that results from loopholes or unintended consequences of the new rules.
Organizations should consider regulatory review as an ongoing and systematic requirement of the organization, and the process should be formalized for all providers, regardless of size. Larger providers should reexamine their government/regulatory affairs department’s policies to ensure that they incorporate this type of review into their activities to ensure compliance with revisions to the rules. Small- to medium-sized providers must specifically identify who will be responsible for conducting these reviews and establish, if not already done, a set of policies around the monitoring of regulatory developments. All providers should consider delivering regular updates to their respective boards of directors to keep them updated on any changes in regulations and implications for strategy.
Increased legal review
Historically, any provider arrangement documentation must comply with a generally accepted format that has been reviewed by internal and/or external counsel. Providers have a comfort level that if the agreement follows the format that counsel recommends, then they should be in compliance with Stark and AKS. Many providers still have each new agreement reviewed by counsel, but others instead use the counsel-reviewed “template” for new arrangements without submitting them to counsel review prior to execution. This process works under today’s versions of Stark and AKS, because they’re restrictive, and most provider arrangements are standardized, given providers’ limited options.
The proposed changes to Stark and AKS, however, will introduce a wide variety of new provider arrangements, and, as a result, more arrangement documentation will require counsel review. The “you’ve seen one arrangement; you’ve seen them all” approach will no longer work. Instead, providers will need to focus on making sure that all new arrangements receive the appropriate review by counsel with a background in Stark and AKS. The number of safe harbors added by the proposed changes to Stark and AKS would increase the complexity of the rules themselves and require that someone well versed in both laws weigh in on whether the documentation is enough to meet the rules’ requirements. The use of healthcare-specific practice attorneys in conjunction with the review of new provider arrangements will become even more important, as they will have the experience necessary to identify any potential Stark and AKS compliance issues.
Data analytics
The proposals from OIG and CMS would require organizations to report evidence-based outcomes as part of the new arrangements. The measures must be related to true increases in patient quality and lowering of cost and not simply improvements in patient satisfaction.
One example the OIG provides is:
a specific evidence-based, valid outcome measure in the context of a hospital’s provision of a care coordinator to a SNF [skilled nursing facility] could be an increase in the target patient population’s average mobility functional score by a certain percentage over the course of a year, contributing to earlier, medically appropriate discharges of patients to their homes and fewer readmissions to acute care.[5]
As you can see, this relates specifically to quality as it measures the provider’s ability to effectuate earlier discharges to home with a corresponding reduction in readmissions back to acute care.
Bottom line: Participants in these arrangements will need to specifically demonstrate, through data analytics, the benefits of an arrangement for it to be compliant with the proposed revisions to Stark and AKS.
Data analytics
The use of data analytics brings its own set of compliance issues, though, requiring providers to address the following challenges.
Garbage in, garbage out
Measures are only as good as the data used to generate them. Providers must truly understand the data their organization houses and uses to produce applicable reports. The consolidation that has occurred in the industry over the last several years, as well as the number of information system updates during that same time period, have resulted in several disparate systems at providers across the country. These disparate systems may be generating different data elements for the same data field, depending on which system the data is being drawn from. Understanding where the data is coming from and the validity of that data will become even more critical as providers enter new arrangements and use data analytics to mitigate compliance risk associated with changes proposed by the OIG and CMS. Providers should begin assessing their systems and data sources now to provide a basis for reliance on them when the time comes to report out on the new arrangements. The OIG or CMS could even audit some of the data providers would use in the measures, requiring providers to have analytics that can stand up to such scrutiny.
Education and understanding of key data
It is important for all stakeholders to understand what measures are being included in the arrangements and what parameters within those measures are appropriate. Issues to consider include:
-
What indicates compliance versus noncompliance?
-
How often are measures reported?
-
Who are measures to be reported to?
The answers to these questions may be different depending on the stakeholders. Parties to the arrangements may want to see measures reported on a more frequent basis than, say, the provider’s board of directors (which may be quarterly or semi-annually) or to the OIG or CMS (which may only want to see them annually). Regardless of the frequency, all stakeholders should understand the origin of the measures, the data elements generating the measures, and whether the results indicate compliance or noncompliance. This understanding will better enable them to manage the arrangements and to maintain a compliant environment.
Cloud storage and vendors
Cloud storage has continued to evolve over the past few years, and cloud vendors are emerging in the market at a rapid pace. With the advent of new data measures in new arrangements resulting from the proposed Stark and AKS revisions, the use of cloud storage is likely to increase as well. In fact, many of these vendors may end up being part of the new arrangements themselves relative to the sharing of patient data among providers.
The need for strong data security policies and procedures—and enforcement of those policies and procedures—cannot be overstated here. Cloud storage is still evolving and security around it is evolving as well. Providers should remain aware of all new developments around cybersecurity and ensure their systems—and those of their vendors—reflect the latest in cybersecurity hardware and software.
Additionally, providers must know who they’re working with. As vendors flood the market, differentiating between reliable resources and nonreliable resources will become more challenging, and due diligence on any new relationships will be crucial. Examples of questions to ask include:
-
What is their technical background?
-
Who have they worked with in the past (or are you their first customer)?
-
What is the size of their company?
-
Do they have enough resources to staff the engagements they have and still develop new software for a continually changing security environment?
Answering these questions, among others specific to an organization, will be important to determining which data storage and security partner to engage.
Revisions to the compliance department work program
The proposed Stark and AKS revisions would also create new challenges for providers’ compliance departments.
The chief compliance officer (CCO) should reexamine the annual work program to identify updates necessary to address issues such as data validity testing, arrangement documentation review-and-approval compliance, data security compliance, vendor assessments, and others. The CCO should be a key team member in the development of new arrangements to ensure he/she has a thorough understanding of the underlying relationships, so the compliance department can create work steps specific to the details of the arrangement. Complying with the new Stark and AKS revisions could be more of a challenge, given the greater leeway the OIG and CMS are providing organizations, and the compliance department should be a major player in leading these compliance efforts.
Navigating new risk to promote triple aim
These proposed changes would give healthcare the opportunity to embrace innovation and take the triple aim—better care at the right cost and with better outcomes—to new heights.
New technology, greater access to points of care, and increased levels of patient information sharing are all anticipated benefits of the proposed Stark and AKS revisions. To fully capitalize on these benefits, though, organizations must stay vigilant around associated compliance issues.
Takeaways
-
The revised Stark and Anti-Kickback Statute present many benefits, but with those come many compliance challenges.
-
An organization’s government affairs office/department will need to have a renewed focus on understanding the fluid nature of the revisions and their organizational impact.
-
A diverse number of new arrangements between providers and/or other organizations will result in expanded internal and external counsel review of associated documentation.
-
Data analytics requirements incorporated within the revisions will necessitate new data validity testing, stakeholder education, and vendor assessments.
-
The chief compliance officer should be a key arrangements development team member, and compliance work plans should be revised to incorporate compliance testing for these arrangements.