Webinar: Regulatory Pitfalls & Business Opportunities in Behavioral Health

Recent rapid growth in the behavioral health industry has been driven by national awareness of the opioid crisis, including the Support for Patients and Communities Act.

Join Alicia Macklin and Robert Miller from Hooper, Lundy & Bookman as they discuss the expansion potential in behavioral health as well as the unique licensing, regulatory, and compliance concerns in this space. Get practical tips for both day-to-day operations and due diligence for mergers/acquisitions.

Register here for the educational webinar taking place March 18, 2020 at 1:00 PM ET.

Upcoming Hot Topics in Privacy Webinar hosted by WK

Wolters Kluwer will be hosting an educational webinar Tuesday, October 29 at 1:00 PM EST. The webinar, titled Hot Topics in Privacy — Moving Beyond the Buzz Words and into Action, will be presented by legal experts and shareholders Katie Kenney, Elizabeth Harding, and Iliana Peters from Polsinelli PC. The presenters will cover topics related to HIPAA, GDPR, and the California Consumer Protection Act.

Register now for the webinar. If you miss it, please register for the replay.

Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is made especially challenging due to the uniqueness of the cybersecurity threat. Snyder listed the primary factors making cybersecurity unique, including:

  • the people trying to penetrate are adversarial and usually off-shore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency for most of the staff to be trained and tested.

Training

Snyder believes that cybersecurity training must take a long-term view, be about learning and reminding, have the objective of conditioning behavior, and evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the third party's lack of familiarity with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues that the mentor is unfamiliar with.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and agile enough to address emerging issues. However, it is easy for staff to ignore, and therefore it is hard to assess effectiveness.

Training tips. Snyder’s cybersecurity training tips included the following:

  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.

Testing

Snyder believes that testing should be focused on existing knowledge and established procedures. He favors a testing program with a narrow focus and recurring elements. The goals of testing, according to Snyder, should be to ensure that cybersecurity procedures are known, understood, and effective; to guarantee compliance; and to identify gaps in policies and procedures.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for breach of security from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that in training and testing for cybersecurity, an organization should: (1) be contemplative in designing its programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.

What compliance professionals should know about auditing physician compensation arrangements

In an environment of increasing integration and financial relationships with physicians; a rigid and technical regulatory framework; aggressive government enforcement; and disproportionate penalties and enterprise risk under the Stark Law (42 U.S.C. §1395nn), it is incumbent on health care organizations to have an audit plan and process for physician compensation arrangements to ensure such arrangements comply with Stark Law requirements. In a webinar presented by the Health Care Compliance Association (HCCA), Curtis H. Bernstein (Principal, Pinnacle Healthcare Consulting) and Joseph N. Wolfe (Hall, Render, Killian, Heath & Lyman, P.C.) provided insight into considerations for managing risks, an overview of the Stark Law and its exceptions, and tips for planning an audit and the audit process.

Managing the risk

Wolfe stressed the importance of ensuring that compensation arrangements with referring physicians are defensible. When it comes to compensation arrangements, organizations should ask, “How will the organization defend itself?” Wolfe recommended that the organization focus on the Stark Law’s technical requirements, which were updated in 2016, and the three tenets of defensibility: (1) fair market value, (2) commercial reasonableness, and (3) not taking into account the value or volume of referrals. Wolfe emphasized the need for health care providers that enter into physician arrangements to ensure that individuals involved in the process have an in-depth understanding of the Stark regulations and the exceptions.

The plan and the process

Bernstein explained that the scope of the audit depends on the size and complexity of the company, prior experience with the process under audit, recent changes in the company or company’s operations, and previously recognized deficiencies, as well as circumstances that may arise during the audit. The audit process involves several steps.

  • A list of currently executed physician contracts must be compiled.
  • Compliance personnel must interview individuals commonly involved in physician relationships. The individuals conducting the audit should understand interview processes, including strategy, documentation, approval, and selection of interviewees.
  • The interviews must be reconciled to currently executed physician contracts. Common issues arising in reconciliation include the use of space, office equipment, and other items by physicians for professional or personal use, and payment for services not provided.
  • Time sheets or other attestation forms must be reviewed for completeness and accuracy.
  • Fair market value and commercial reasonableness must be documented for each agreement. Consider:
    • Who is providing the service?
    • Why are the services required?
    • When are the services performed?
    • How are the services provided?
  • All other terms of agreement and necessary steps in executing agreements must be performed and verified.

Bernstein noted that other items to consider during the process include the compensation structure, the length of a fair market value opinion versus the length of the contract, whether the compensation was set in advance, if the agreements were executed, and whether the agreements expired.

The compliance component

While the basic elements of an effective compliance program apply to physician arrangements, Wolfe explained that compliance as applied specifically to physician arrangements should be compensation-focused, and that documentation and governance should support defensibility. He recommended that organizations adopt a compensation philosophy, have a written compensation plan, establish parameters for monitoring compensation, and form a compensation committee. In addition, organizations should (1) ensure that policies align with the new Stark technical requirements; (2) establish a consistent process for obtaining third-party valuation opinions; and (3) periodically audit physician compensation arrangements. Finally, organizations should continue to monitor the enforcement climate.