Experts talk about what it takes to stay compliant
Three experts discuss strategies to avoid legal pitfalls of federal programs
Editor’s note: The following is an edited excerpt of a full transcript of a Nov. 30, 2011 editorial webcast, “Staying compliant,” conducted by Modern Healthcare. The panelists were Marti Arvin, chief compliance officer at UCLA Health System and the David Geffen School of Medicine at UCLA in Los Angeles; David Matyas, a healthcare compliance
Joe Carlson: Marti, is there anything meaningful that a compliance officer can do, say in the first hour, after you hear there’s been a data breach? Do you have some kind of a specific emergency call that needs to be made when a data breach has been reported?
Marti Arvin: It’s difficult to say in the first hour, Joe, what you would exactly do because, obviously like many compliance issues, it’s going to be based on the nature of the issue. When you get that phone call that says, “My hard drive has been stolen,” then obviously you want to make calls to the appropriate key leaders in the organization and then very quickly, maybe not within the first hour, you want to get your media relations folks involved because you don’t know who else may learn that information. In the particular case we had recently, there was a police report and so we didn’t know if others might acquire that police report in some way, so it’s making people aware and starting to analyze what’s the nature of the data and were there protections around it that might help minimize your risk and the risks to the patients whose information was on the device? So the key thing for us is notifying those appropriate people in the organization and very quickly getting the process started to analyze the information so that as quickly as possible you can notify the impacted patients, particularly if there’s highly sensitive information on the device.
Carlson: David, you mentioned Medicare suspension being a possibility under provisions in the Patient Protection and Affordable Care Act for credible allegations of fraud, and I was thinking back to that, remembering when the law came out. When the initial rulemaking came out, I was under the impression that that had more to do with kind of your fraud hot attorney with Epstein, Becker & Green in Washington; and James Sheehan, the former Medicaid inspector general for the state of New York. In an exchange moderated by reporter Joe Carlson, the panelists discussed strategies to address the new legal compliance challenges created by the Patient Protection and Affordable Care Act. spots. You know, your Miami durable medical equipment providers and that type of thing. Would that also apply to hospitals and sort of general healthcare providers?
David Matyas: It absolutely can and could. One of the problems that we have with a piece of legislation like the Affordable Care Act, which was drafted and passed behind closed doors, is there is no legislative history associated with it, so we don’t even have the benefit of commentary when it was being adopted. While you’re correct, Joe, some of those hot spot areas—i don’t disagree that if there is the notion of an entity that’s engaged in fraud, why should the government continue to dole out any money to them when they believe that there’s fraud there? And, therefore, we’d be sending more money out to someone who’s cheating the system. But it is correct, as you said, at how it could be applied to any organization, and a lack of a definition of what it means for there to be credible evidence of fraud. There are national investigations that go on day in and day out on various topics where the government takes the position that general practices that have been engaged in by many organizations have been the submission of false claims. And they would potentially argue that they have credible allegations of fraud because they see a systemic problem even within the whole system. Does that mean that any and all of those hospitals otherwise should be subject to having their payment stopped— suspended—for a period of time? I don’t think so. And I don’t think that the government would go down that road. It’s just somewhere where we need more clarification.
Carlson: What additional pressures and workload has the RAC program placed on compliance officers? And if you could, Marti, please define the RAC program.
Arvin: The recovery audit contractors obviously have been creating closer scrutiny of a number of different compliance areas, so it’s a matter of both ensuring that when you get a RAC request that you’re responding to it and getting all the applicable documentation to the recovery audit contractor, and then also if you note that there’s a particular issue, if a RAC has requested 50 records on a particular issue, then it is often the case where you would want to actually evaluate those same records yourself to see if there’s any sort of concern or systemic issue in your organization. So that adds to the workload that you may already have, just what I would call your more routine auditing and monitoring in your compliance program. So RACS can definitely increase that workload, and obviously if you happen to find a substantial issue where your organization is not doing something as well as they should, then