A Guide to Healthcare Compliance Regulations
Last Updated July 12, 2023
Healthcare is one of the most regulated industries in the United States, making healthcare compliance a crucial and growing field within the industry. The Bureau of Labor and Statistics projects the overall need for compliance officers to grow by over 8% from 2016 through 2026.
Healthcare compliance professionals are needed to help clinical facilities and organizations address the ever-growing government regulations that set privacy and usage standards for patient information, ensure quality patient care, prevent fraud and protect healthcare staff. How extensive are the compliance requirements? Here’s an overview of some of the major laws, acts and regulations that healthcare organizations need to stay in compliance with and that compliance professionals need to know, even when the government inevitably amends them again.
Safeguarding Privacy and Ensuring Quality Care
The U.S. Department of Health and Human Services’ (HHS) Office of the Inspector General (OIG) is the governmental wing responsible for protecting patient privacy, ensuring quality care and combating fraud by ensuring healthcare organizations are compliant with federal healthcare laws and HHS programs.
The Healthcare Information Portability and Accountability Act (HIPAA), passed in 1996 and implemented in 2003, spurred the need for healthcare compliance across the industry. HIPAA mandates (among other things) industry-wide standards and processes for the protection and confidential handling of patient health information.
The Health Information Technology for Economic and Clinical Health Act (HITECH) promotes standardized electronic health records (EHR). The act was implemented in 2009 to address the privacy and security concerns of patient data, EHR files and how they’re shared. HITECH strengthens the enforcement of HIPAA’s protected patient information rules, requiring the Department of Health and Human Services Office for Civil Rights to conduct periodic provider audits and stiffening penalties for breaches of information, meaning a provider or facility found noncompliant can face a fine of up to $1.5 million.
The Emergency Medical Treatment and Labor Act (EMTALA) ensures public access to emergency services regardless of a patient’s insurance coverage or ability to pay. The Act specifically obligates Medicare-participating hospitals that offer emergency services to provide medical screenings and stabilizing treatment to patients experiencing a health emergency. For healthcare compliance, EMTALA continues to be a “high-risk area” as identified by the OIG, primarily due to conflicting legal interpretations of what constitutes a “medical screening” and “stabilization.”
The Affordable Care Act (ACA) brought mandatory, subsidized healthcare to the U.S., but this is only one part of the ACA. The full name is “The Patient Protection and Affordable Care Act,” and it’s the “Patient Protection” portion of the act that has arguably had the biggest impact on healthcare compliance.
The law requires healthcare providers implement a compliance and ethics program as a condition for reimbursement for patients enrolled in federally funded healthcare programs. The ACA outlines seven core elements for organizations to follow in establishing an effective compliance program, with the OIG providing best-practice guidance. The Affordable Care Act also establishes a number of quality and performance improvement programs, including the Medicare Shared Savings Program for establishing Accountable Care Organizations (ACOs). By coordinating patient care within an association of physicians, hospitals and other healthcare providers, the goal of the ACOs is to keep costs down and improve patient outcomes, incentivizing healthcare providers with a “pay-for-value” model rather than the traditional “pay-for-service.”
The Centers for Medicare and Medicaid Services (CMS) within the HHS is responsible for the administration of Medicare, Medicaid and the Children’s Health Insurance Program (CHIP). However, administering these programs includes the enforcement of a web of compliance statutes and reimbursement steps that healthcare organizations must follow. CMS oversight also includes the Electronic Health Record (EHR) Incentive Programs, which sets incentives and criteria for meeting standards set by HITECH for the implementation of electronic health records; the 2015 Medicare Access and CHIP Reauthorization Act (MACRA), which includes the Quality Payment Program and its Merit-Based Incentive Payments System (MIPS), reimbursing physicians and healthcare organizations based on quality of care and patient outcomes; and implementing the Medicare Shared Savings Program that coordinates ACOs.
Fighting Fraud and Abuse
As of 2016, U.S. healthcare spending reached $3.3 trillion, according to the Centers for Medicare and Medicaid Services (CMS). Of that figure, roughly 3% to 10% is lost to fraud based on estimates by the National Health Care Anti-Fraud Association and Federal Bureau of Investigation. A number of laws, statutes and even entire units exist to combat fraud and waste. For physicians and compliance professionals, understanding these laws is crucial, as violations can result in criminal charges, fines and, for physicians, possibly the loss of their medical license.
Medicaid Fraud Control Units (MFCU) investigate and prosecute Medicaid provider fraud (which falls under the False Claims Act), as well as patient abuse or neglect in healthcare facilities. Each state has its own MFCU, usually a part of the State Attorney General’s office, with the OIG responsible for exercising oversight. An important role of healthcare compliance is working with the MFCU, or depending on the size of the facility, setting up an internal Medicaid fraud control team to ensure compliance through auditing and monitoring for fraudulent activity.
The False Claims Act dates to the Civil War and was originally implemented to combat fraud by defense contractors supplying the Union Army. The False Claims Act establishes “civil liability for offenses related to certain acts, including knowingly presenting a false or fraudulent claim to the government for payment.” Additional amendments to the act under the Reagan Administration enhanced recovery incentives for whistleblowers reporting fraud. Although the Act targets many types of fraudulent claims, healthcare fraud constitutes the majority of cases. According to the Department of Justice, of the $3.5 billion recovered from False Claims Act cases in 2015, $1.9 billion came from healthcare organizations.
Federal Anti-Kickback Statute: As the name suggests, this statute prohibits healthcare professionals from accepting any kind of “kickback” (i.e. money, contracts, products) as rewards for referrals or providers recommendations to patients on federally covered medical programs, such as Medicare and Medicaid. The statute covers the payers of kickbacks as well as the recipients of kickbacks, with physicians who pay or accept kickbacks facing penalties of up to $50,000 per kickback.
The Physician Self-Referral Law, also known as the Stark Law after Representative Pete Stark of California who sponsored the bill, prohibits physicians from referring patients covered by Medicare or Medicaid to treatment or service entities (i.e. care facilities, pharmaceutical drugs, etc.) that the physician has a financial relationship with or stands to profit from. While the Physician Self-Referral Law may seem like a straightforward regulation against referrals-for-profit, it has proven to be an example of what can happen when government regulation contradicts itself and compliance professionals are forced to comply with new policies without violating existing ones.
Among its multiple provisions and exceptions, the Law specifies that healthcare services be at fair-market prices. The Affordable Care Act’s creation of ACOs with incentives that “pay-for-value” (and quality) over “pay-for-service” put these two laws squarely at odds. The CMS and OIG ultimately issued waivers for portions of the Physician Self-Referral Law as well as the Federal Anti-Kickback Statutes for ACO participants. However, the HHS observed that current “fraud and abuse laws may serve as an impediment to innovative programs that align providers by using financial incentives to achieve quality standards, generate cost savings and reduce waste.”
Protecting Healthcare Workers and the Public
While the OIG and the above-mentioned regulations are designed to ensure fair billing practices, combat fraud and protect patient health and rights, compliance protocols in place under OSHA, FEMA, and the DHS protect healthcare workers and the public.
The Occupational Safety and Health Administration (OSHA), created by the Occupational Safety and Health Act of 1970, within the U.S. Department of Labor sets and enforces workplace safety standards. This includes a multistep compliance process for protecting healthcare workers, covering everything from the handling of x-ray machines to protocols dealing with infectious agents and diseases in accordance with prevention control guidelines set by the Centers for Disease Control and Prevention (CDC).
The National Incident Management System (NIMS), developed by the U.S. Department of Homeland Security (DHS) and managed by the Federal Emergency Management Agency (FEMA), sets a systematic approach for government, private sector, and nongovernmental organizations to work together in preparation, prevention and response to large-scale incidents (from epidemics to bioterrorism), with the HHS requiring healthcare organizations implement NIMS to remain eligible for preparedness funding.
Staying On Top of Regulations
In a fluid regulatory landscape, healthcare compliance will only grow more complex, and the need for qualified professionals to lead organizations through the regulatory minefield will grow more intense. Experience in public policy, law, loss prevention, and strategic management, coupled with an agile workstyle and innovative mindset, are some of the valuable knowledge bases, and skill sets expected in the role. A master’s degree in healthcare management can help to provide the needed expertise and credentials for tomorrow’s successful compliance leaders.