The changing face of American healthcare is bringing new challenges for regulatory compliance. Value-based care is clashing with laws that were written to discourage fee-for-service fraud.

• Cybersecurity continues to create liability risks in healthcare.

• Licensing requirements are holding back the advance of telemedicine.

• Data analytics could help reduce liability risks.

Legal experts focusing on healthcare compliance say there will be plenty to keep healthcare risk managers busy in the coming months, with more emphasis on telemedicine, electronic health records (EHRs), and opioids. The continuing move to value-based care also is creating new challenges for compliance with laws that were designed in a fee-for-service era.

The challenges in healthcare compliance continue to expand, says Anjali N.C. Downs, JD, an attorney with the Epstein Becker Green law firm in Washington, DC. Healthcare entities must focus on cybersecurity to ensure that they have robust systems in place to protect the privacy and security of patient and consumer data, she says.

“In addition, EHR compliance will remain front and center. Medicare providers must meet the interoperability requirements, and in light of recent settlements, ensure that their EHR technologies are compliant. Fraud and abuse enforcement with an emphasis on criminal enforcement will continue to expand, as will an emphasis on individual liability in civil corporate investigations,” Downs says. “The opioid crisis will continue to receive government attention, and fraud enforcement in the opioid context is likely to expand beyond just federal healthcare payers.”

Downs says she is hopeful that 2019 will bring new Stark Law and Anti-Kickback regulations focused on easing the regulatory burdens and promoting value-based payment methodologies. Until then, healthcare entities wanting to focus on care coordination and value-based systems must continue to navigate the rigidness of fraud and abuse laws that were designed for fee-for-service payment methodologies.

“Expect regulatory reforms that are focused on drug rebates. The Office of the Inspector General of HHS issued a proposed rule restricting Anti-Kickback safe harbor protection for pharmaceutical rebates from manufacturers to Part D plan sponsors, Medicaid managed care organizations, and contracted PBMs [pharmacy benefit managers], while expanding protection for point of sale rebates that meet specific elements of the safe harbor,” Downs notes.

“If adopted, the proposed rule would go into effect Jan. 1, 2020, so those impacted by the proposed rule must watch developments to ensure that they have made any necessary adjustments or restructuring.”

In addition to the Anti-Kickback Statute, which will continue to play a role in fraud enforcement in the opioid crisis, the Eliminating Kickbacks in Recovery Act of 2018 (EKRA) contains specific criminal provisions to prevent fraud and kickbacks for referrals for substance abuse treatment payable by federal healthcare programs and commercial payers, Downs notes. EKRA appears to have a broad reach, potentially implicating all arrangements for laboratory services, she says.

“Likewise, as evidenced through the DOJ’s actions in seeking a permanent injunction against prescribing and practicing medicine of two physicians in Ohio, federal and state governments will continue to aggressively pursue fraudulent schemes in which providers write illegal prescriptions or submit claims to Medicare, Medicaid, TRICARE, and private insurance companies for treatments that were medically unnecessary,” Downs says.

Healthcare entities need to remain vigilant in staying on top of changing regulations and analyzing how those changes may impact operations and compliance activities, she says.

To address cybersecurity concerns, organizations should assess current practices and consider having a formal risk assessment and review of current cybersecurity infrastructure.

Regarding the opioid crisis, organizations should review and audit physician prescription practices, marketing activities, and relationships with vendors and substance abuse treatment facilities, she suggests.

Physicians Must Justify Decisions

For physicians, thorough documentation and justification of medical decisions is the key to compliance, says Brad Fell, MD, head of compliance for Allied Physicians Group, a pediatric group with 32 offices, 150 doctors, and more than 400 staff members operating in New York City.

Insurance carriers are constantly looking to take back money and require more and more prior authorizations to provide the proper care to patients, he notes. In addition, the patients are paying significantly higher insurance premiums but are receiving fewer fully covered services.

Patient responsibilities, including higher copays, deductibles, and noncovered or partially covered services, are damaging the patient-doctor relationship, he says.

“This could even prevent physicians from providing the proper standard of care as many patients refuse common services because they know their carrier is going to make it the patient’s responsibility to pay,” Fell says. “Then the physician is put in the ethical, moral, and compliance issue of providing the service and waive the fee — which is a compliance issue — or allow the patient to refuse, knowing their care is now substandard.”

The new tax implication for waiving or writing off patient payments has begun to affect hospitals and very large corporations in the past two years, Fell notes. The total expected taxable revenue will be the amount that was supposed to be collected, not the amount actually collected, he explains. That has led some organizations to forbid waiving fees.

Fell emphasizes the importance of establishing a comprehensive compliance program.

“[Perform] yearly audits on all providers to review if documentation is supporting the services billed out. Evaluate procedure productivity reports to make sure providers aren’t overperforming services unnecessarily. Provide corrective action plans for providers that your compliance plan has concerns about,” he says. “Provide yearly education to all staff and providers. Have regular compliance meetings with updates regarding new rules and regulations, as well as sending out education updates to the staff and providers.”

More Documentation at Encounter

Healthcare compliance is ever increasing, with several specific hot areas being risk adjustment, data security, quality reporting, Medicare Access and CHIP Reauthorization Act/Merit-Based Incentive Payment System (MACRA/MIPS), and changes to the Medicare Shared Savings Program, says Michael Meng, chief financial officer at Stellar Health, a technology services company in New York City that assists healthcare organizations with value-based care.

“In risk adjustment, there is an increased focus to push the completion of proper documentation and coding closer to the providers that are responsible for providing care to the patient. Historically, CMS has allowed end-of-year, retrospective RAPS [Risk Adjustment Processing System] submissions for risk adjustment, but increasingly we will see this moved toward the encounter, when the provider is treating the patient,” Meng explains. “This means it will be even more important for health insurers to work with providers to get them to carry out this documentation at the frontlines of care.”

In the transition to value-based care thus far, most of the solutions have focused on and ended at the contracting entity, Meng says. But to effectuate change, payers need to deliver value-based care to that last mile of workflow: the doctors and office support staff.

Meng says another major challenge and regulatory change in healthcare is the CMS Final Rule issued on Dec. 21, 2018, regarding the Medicare Shared Savings Program. This new rule sunsets the ability for accountable care organizations (ACOs) to remain upside-only and pushes them toward taking on two-sided risk much sooner than originally planned.

“While at first glance this seems to only impact ACOs and push them toward risk, most providers in this country have joined such ACOs, as they either have to take risk with MACRA/MIPS reporting or be part of a Medicare ACO,” Meng says. “This final rule essentially pushes all providers in this country toward either taking on MACRA/MIPS with rewards and penalty components or being part of an ACO program that also has both upside and downside risk to it.”

Value-Based Care Instituted Unevenly

The move toward value-based care is unevenly distributed, notes Michael B. Lampert, JD, partner with the Ropes & Gray law firm in Boston. In some areas, it is relatively mature; in many others, it is nascent or even still on the horizon, he says.

“But it has led to changes across the industry, as any change in reimbursement models would be expected to do. Reimbursement is money; money motivates, and the healthcare industry is no exception,” Lampert says. “New reimbursement models naturally, and by their very design, affect the behavior of payers, providers, suppliers, manufacturers, and patients. They create new incentives, call for new affiliations, put attention to new measures, and, as a result of all of that, create a new legal and regulatory risk environment.”

Lampert says there are three commonalities in value-based reimbursement arrangements that contribute to their presentation of new compliance risks. First, value-based reimbursement models intend to use financial incentives to change behavior in healthcare management and delivery. But many laws have developed over the decades specifically to keep financial considerations out of the picture. The collision of approaches inherently creates questions of compliance, he says.

Second, value-based reimbursement models seek to integrate health management and care delivery, calling on participants in the system to collaborate with others outside of their own organization and to find new ways of interacting with patients, sometimes more affirmatively.

“Cross-organizational coordination and patient engagement by its nature calls for different sorts of relationships amongst providers and payers and suppliers and others, and with patients, which present new questions of compliance, particularly with laws that were drafted anticipating a less connected environment,” Lampert says.

Third, value-based reimbursement models, by paying to a lesser or greater degree on value rather than on other metrics, obviously rely on value metrics when determining what payments to make.

“From a compliance perspective, however, the significance is that the accuracy of new kinds of information matters for payment purposes, and errors with respect to that information, which previously may have mattered only for an organization’s internal purposes — if at all — may carry both revenue exposure and compliance risk,” he says.

Conflicts With Old Laws

The issue for healthcare organizations is not so much the changes in regulation but the lack of change, or unevenness of change, Lampert says.

“Existing regulation in many ways aims at risks presented by prior business models and reimbursement models. But the change in incentives brought by a change of reimbursement makes many of those risks less important,” Lampert says. “The problem, however, isn’t that those elements of existing regulation have become irrelevant. They still apply, and they still constrain conduct, but changes in the reimbursement landscape have in many areas caused that conduct not to become as worrisome as it once was, and indeed in [some] areas to become desirable.”

Lampert offers the example of patient engagement. A variety of laws envision a medical system that in its ideal is almost passive, he says. A patient has a medical concern, engages with a physician, who might pass the patient along to a specialist, and the patient receives care. The process ends there.

“Envisioning that process flow, laws became anxious with provider-driven activity and engagements with patients that could interfere, increasing fees for the physician and exposing the patient to unnecessary services,” Lampert explains. “Now envision a model in which physicians are responsible for keeping a population healthy for the lowest aggregate spend. Those physicians are driven, by the reimbursement model, to engage with patients who might not be adhering to care plans, or even who might not be engaging at all with the medical community but might be leading unhealthy lives.”

“The engagement might be as basic as helping patients to engage in healthier living, which would include few professional fees at all,” he adds. “But providers remain hesitant to do so because the laws haven’t yet caught up.”

Lawmakers are catching up with some of these industry evolutions, but the legal changes are unevenly dispersed, Lampert says. While Medicare Advantage plans may feel more flexibility to engage with their members around health more generally, healthcare providers have as yet seen little official change.

“It has been quipped that the future is here, but simply isn’t dispersed very evenly,” Lampert says. “That applies in healthcare regulation, and is a source of struggle for healthcare organizations seeking to engage effectively in the market.”

The most likely compliance challenge for organizations will be figuring out how to operate effectively in a reimbursement and legal environment that is in flux, Lampert says. Many organizations are developing reasoned approaches toward engaging in areas of subjectivity where they would not have dreamed to tread 10 years ago, he says.

Some are more reticent, in some cases because of organizational temperament, and in other cases because of the current inflection point in the organization’s business. For example, a company nearing a major transaction might fear that its prospective partners would find a new practice to be intolerably novel, Lampert explains.

“Overall, the biggest challenge for particularly innovating organizations will be figuring out where the lines lie. It is not a profound recipe, but the best strategies for organizations assessing how to position themselves are to assess first whether areas where they are being challenged to go are areas of legitimate benefit to patients and to the financing system, and therefore areas that ought generally to be supported,” Lampert says.

“They also should see whether there are partnerships or similar structures that can reframe a new proposal into something that may be better recognized from a regulatory perspective, and thus better grounded in a turbulent time. Look to see if there are pockets of regulatory change on whose coattails the organization might fairly hitch a ride.”

Telemedicine Laws Lag Behind Technology

The biggest challenges in healthcare are driven by the need to reduce costs, says Ron Lebow, JD, senior counsel in the Health Law Group with the Greenspoon Marder law firm in New York City. This means better care coordination and an increased focus on proactive consumer involvement through the internet, mobile apps, and other communication technologies.

However, telemedicine laws are still in the Stone Age, Lebow says, making it difficult for physicians with the appropriate expertise to coordinate care across state lines.

Physicians generally have to be licensed in each state in which the patient resides, Lebow says. This creates difficulty for telemedicine platforms — including those operated by providers and insurance companies — to implement internet or app-based solutions that draw users from across the country.

The laws permitting cross-state care have not caught up, and not all states offer licensing reciprocity. These laws and their implementation through regulation are nevertheless developing, albeit at a slow pace, he says.

“Currently, they provide limited exceptions to in-state licensure for consultations directly with physicians in other states and increasing exceptions for hospital-to-hospital consultations, chronic care management for certain conditions that cost the system the most, and for care for developmental disabilities,” Lebow says. “To complicate matters, even new mandates under the law for Medicare and insurance carriers to reimburse for certain telemedicine consultations provide room for insurers to limit reimbursement for these services depending on the timing of the consultation and the communication methods used.”

Medicare expansion of reimbursement for telemedicine also imposes limitations on the categories and qualifications for telehealth consultation to be covered, he notes. This can mean that investment in communication technologies in-house might not yield a return on investment. Providers have to make up the difference by charging self-pay rates to already strapped healthcare consumers who are paying high insurance premiums, and by increasing their revenue generation efforts through third-party sponsorships and advertising, the latter of which is a risky proposition when dealing with personal healthcare matters, he says.

“To top it off, greater reliance on information systems creates what is perhaps the greatest exposure to consumers today: privacy and security. The risks include security breaches, identity theft, and consumer practices that sell information for marketing purposes without heed for privacy and dignity,” Lebow says. “This requires coordination of legal oversight not only over electronic medical record systems but also for credit card processing, banking, and marketing communications. The disparate laws and regulatory oversight governing information practices across these industries neglect to understand that they are more linked than ever.”

The growing use of telemedicine also is raising more questions about the informed consent process, says Jayme R. Matchinski, JD, an attorney and officer with law firm Greensfelder, Hemker & Gale in Chicago. With several physicians and healthcare organizations potentially involved in a telemedicine arrangement, it is important to be clear about who is responsible for obtaining informed consent and when, she says.

“The question often comes to whose patient is it. Who is doing the informed consent and the billing?” Matchinski says. “Every state has its own telehealth laws, so if I have a physician with a patient in Georgia but the other provider is in another state, you have to figure out the scope of practice for that other professional. What is the scope of practice for that professional and are we compliant with the laws in both states?”

Another challenge involves prescription standards to address questions such as who will provide durable medical equipment and medications, she says. The parties involved in telemedicine should determine such answers before proceeding to avoid any reimbursement delays or conflicts with state laws, she says.

Matchinski also expects cybersecurity to be a growing challenge for healthcare risk managers.

“The government has been more aggressive in seeking out HIPAA breaches, not just electronically but in other ways also,” she says. “States are taking a closer look at how you protect patient information, so I expect health information exchanges and how you protect that information to be a big issue this year.”

States such as California and New York have passed consumer protection laws that may have major implications for healthcare organizations. The former’s new consumer privacy laws are stricter than most, and the latter’s new security requirements for financial institutions are the strictest in the country, Lebow says.

Also, Europe entered the fray by passing highly complex rules for those catering to overseas residents, he notes. Because companies operate nationally and sometimes internationally, stakeholders are advised to adhere to the strictest of standards even if the regulations within their own state differ, he says.

Industry participants should of course look at the healthcare laws governing privacy and security. But they also need to ensure that they review consumer protection laws governing general privacy for consumers and the use of information for marketing purposes, he says.

“Further, healthcare providers should use online credit card processing companies that have their own direct relationships with the banking institution, so as to avoid going into the business of storing and managing credit card and financial data,” Lebow says.

An ongoing challenge that organizations and compliance officials will continue to face this year is whether and how available data are used to measure the effectiveness of a compliance program and to proactively identify potential areas for change or improvement, says Katie C. Pawlitz, JD, partner at the law firm of Reed Smith in Washington, DC.

Organizations have access to more and more data related to their own operations and how they compare to their peers, Pawlitz notes. This could be internal data as well as external data, such as Medicare utilization and payment data or Program for Evaluating Payment Patterns Electronic Report data. This information can be very beneficial to organizations when analyzed appropriately, she says.

Such analysis can be used to fulfill an organization’s obligation to engage in proactive compliance activities, like those outlined in the 60-day Overpayment Rule, Pawlitz says.

“At the same time, the availability of such data puts the onus on organizations to actually use it. Organizations that fail to engage in reasonable data analytics may do so at their own peril. This is because the government and qui tam relators also have access to data and are analyzing it themselves,” Pawlitz says. “As such, compliance officials cannot simply focus on responding to issues as they arise, which is already a huge challenge. They must also be proactively monitoring data to identify if there are other issues that may be percolating.”

The rapidly evolving privacy laws and regulations in the U.S. and abroad are presenting new challenges to healthcare organizations, says Kimberly J. Gold, JD, partner with the Reed Smith law firm in New York City.

Notably, she says, the California Consumer Privacy Act (CCPA), scheduled to go into effect on Jan. 1, 2020, provides for expansive individual rights and compliance obligations.

The CCPA contains several exemptions applicable to healthcare organizations, including for protected health information regulated by HIPAA, but the scope and applicability of these exemptions remain unclear, Gold says.

“We are still awaiting implementing regulations and further guidance from the California attorney general. Other states have proposed new privacy bills, and there remains uncertainty as to whether a privacy law will be adopted at the federal level that could pre-empt state privacy laws like the CCPA.”


• Anjali N.C. Downs, JD, Epstein Becker Green, Washington, DC. Phone: (202) 861-1899. Email: adowns@ebglaw.com.

• Brad Fell, MD, Head of Compliance, Allied Physicians Group, Melville, NY. Phone: (866) 621-2769.

• Kimberly J. Gold, JD, Partner, Reed Smith, New York City. Phone: (212) 549-4650. Email: kim.gold@reedsmith.com.

• Michael B. Lampert, JD, Partner, Ropes & Gray, Boston. Phone: (617) 951-7095. Email: michael.lampert@ropesgray.com.

• Ron Lebow, JD, Senior Counsel, Health Law Group, Greenspoon Marder, New York City. Phone: (212) 524-5088. Email: ron.lebow@gmlaw.com.

• Jayme R. Matchinski, JD, Greensfelder, Hemker & Gale, Chicago. Phone: (312) 345-5014. Email: jmatchinski@greensfelder.com.

• Katie C. Pawlitz, JD, Partner, Reed Smith, Washington, DC. Phone: (202) 414-9233. Email: kpawlitz@reedsmith.com.