AHLA's Speaking of Health Law

Compliance Work Plan Considerations for 2023

October 25, 2022 AHLA Podcasts

Shannon Sumner, Principal and Chief Compliance Officer, PYA, and Ritu Cooper, Attorney, Hall Render Killian Heath & Lyman PC, discuss some of the top considerations they are currently seeing as they work with clients to develop compliance work plans. They also discuss some of the top risks they are currently seeing as they conduct risk assessments for clients. Sponsored by PYA.

To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.

Speaker 1:

Support for AHLA comes from PYA. For nearly 40 years, PYA has helped clients find value in the complex challenges related to mergers and acquisitions, clinical integrations, regulatory compliance, business valuations, and fair market value assessments and tax and assurance. PYA is recognized by Modern Healthcare as one of the nation's top 20 healthcare consulting firms, and by Inside Public Accounting as a top 100 accounting firm. Learn more at pyapc.com.

Speaker 2:

Well, hello everyone. I'm Shannon Sumner, a principal and shareholder with PYA in our national office. I lead our firm's regulatory compliance service line, and our team specializes in helping our clients with implementations of compliance programs, serving as an independent review organization to health systems and physician practices under corporate integrity agreements, to serving as onsite and remote resources to compliance departments and fulfilling their compliance work plans. And joining me today is Ritu Cooper, an attorney with Hall Render in their Washington, DC office. Ritu, thank you so much for being here today. And can you tell our audience a little bit about your practice?

Speaker 3:

Sure. Shannon, thank you so much for inviting me to join you today. I am thrilled to be here and I just, I love sitting down with you, so this is, this is great. Um, as Shannon mentioned, I am a shareholder with Hall Render. Uh, Hall Render is the largest healthcare focused law firm in the country. I co-chair the compliance service line at the firm. Uh, my practice consists of representing, uh, healthcare providers such as hospitals, health systems, physician practices, um, and life sciences companies, all in the regulatory and compliance space. My particular area of focus is counseling on fraud and abuse and compliance, um, assisting with conducting internal investigations that may lead to voluntary, voluntary disclosures, as well as responding to government investigations. As of late, for some reason, I have been doing quite a bit of work with providers who have been under CIAs, helping them manage the requirements to ensure compliance with their CIA requirements. Um, so Shannon, I I know you and your team, uh, conduct risk assessments for a number of different healthcare providers. Can you please describe your experiences in conducting these risk assessments for clients? And any thoughts regarding the process and considerations that they should, should keep in mind?

Speaker 2:

Yeah, absolutely. Um, we actually, we have conducted risk assessments for many different types of providers over the years. And as you all know, you know, conducting a risk assessment is that first step in creating that compliance work plan. But there are a few things that I have seen of late with our clients as we review their compliance programs, and in particular their risk assessment process. Some of our clients have experienced what I like to call risk assessment fatigue. So it's similar to covid fatigue. And for some of us who have gotten out of the fitness routines, we also experience that muscle memory loss, use it or lose it. And conducting a risk assessment process since the start of covid is, is quite similar. And because of covid, some providers were not actually able to complete their work plan items from 2020. They were so overwhelmed with the disruption that covid caused. So instead of conducting a risk assessment, many of them really have just carried over the work plan from the previous year or still are in a reactionary versus that versus that proactive mode of identification and mitigation of key risks. And not to mention work from home has been great, but it has not done any favors to the risk assessment process, meaning many of our clients have voiced how important the face-to-face meetings, the team huddles walking the halls are to building relationships and raising organizational awareness to compliance risks. And, you know, as a result, compliance professionals actually have had to work harder in many ways to identify compliance risks that may be hiding under the surface that historically would've been elevated by management during these impromptu meetings.

Speaker 3:

Shannon, you're totally right about fatigue and goodness. I hope my trainer is not listening to this podcast because I did not show up today. Um, but that's a different story anyways. I, I feel like so many of us have felt like we're just hamsters in a wheel, right? We're just, there's no clear break between where work ends and home life begins. And, and that fatigue, I think we all are experiencing it at different levels. So in light of the challenges that you've just mentioned, Shannon, what should providers do when conducting their own risk assessments?

Speaker 2:

Well, I think there's, there's actually a number of things that providers can do to make the risk assessment process a little less daunting. We've recommended that providers focus on the inputs to the process. And so as you're familiar, my background includes internal audit. And so when I was in internal audit and conducting risk assessments, I realized how important it is to understanding what your risk universe is. And that's really that first step. And personally, I've learned so much about the ever changing organization from the identification of maybe new joint ventures to new service lines, to various new strategic initiatives that truly did require that analysis of compliance risks. Now, I also learned, um, not to overcomplicate the process, I was so focused on using the quote right risk ranking system that I really lost sight of the bigger picture and trying to force the complex methodology. And so we are seeing some, some clients really struggling in that area. And I, I think it's also important to realize the importance of the compliance department in educating the organizational leaders as well as the compliance committee on those emerging compliance risks. And without this engagement, the compli by the compliance department, rather than just, you know, relying on questionnaires, a risk assessment could easily be influenced by a leader's own personal experiences versus risk to the organization at present. And that is the things that I truly did learn when I was doing those risk assessments is sometimes those areas of focus could be really, um, heightened by someone's personal history in that area and not necessarily the risks present at that current moment, but Ritu, you know, based upon your involvement with providers, particularly those involved with corporate integrity agreements, what have been your observations regarding these risk assessments?

Speaker 3:

You know, one specific requirement, um, in the CIAs is to draft a risk assessment and internal review process. And not only is it to draft it, but organizations have to submit that document, the risk assessment and internal review process to the OIG monitor with their implementation report. That's usually due at 120 days from the start of the CIA. And over the years, um, as the OIG monitors have reviewed that risk assessment internal review process, we've realized that OIG has very specific expectations for the involvement of management in that process. Um, in fact, in the latest CIAs, the OIG has included language related to the compliance committee's duties that specifically state that this compliance committee has responsibility for implementing and overseeing the risk assessment and internal review process as well as any corrective action. So they, they really are focusing on, um, the risk assessment being bigger than just the compliance department. So we're seeing our providers being much more deliberate in leveraging the knowledge of these operational leaders. Um, some providers are creating a risk assessment subcommittee to their compliance committee, uh, because as you can imagine, right, these compliance committees have 10, 12, maybe more individuals on there. You can't have everyone in that room involved with the risk assessment process to the granular level, even though they all may be involved with providing comments or filling out a survey or sitting through a, uh, an interview. But really having this subcommittee leading the charge for the risk assessment process as opposed to the compliance department. Um, and then those providers that are under CIAs, um, are likely to see their OIG monitors be very critical with them on every stage or at every stage of the risk assessment process to ensure that operational leaders really are involved with evaluating the risks and then that the compliance department isn't doing it in a silo all by all by themselves.
Um, so, you know, I think you were mentioning about education and educating operational leaders and also having them look at their, uh, their experiences. I think that is right on point of what we need and what, what we're dealing with right now and, and will satisfy the OIG and, and the OIG monitors. So Shannon, with that in mind, what are some of the top risks that you're seeing as you're assisting clients in assessing their risks in, in their processes?

Speaker 2:

Well, one area that we are seeing is a, a greater emphasis on 340B. I mean, many organizations rely very heavily on the savings from the 340B program to provide patient care. I mean, savings can range anywhere from a million dollars to some large health systems to over a hundred million, really dependent upon the size and nature of the organization. Now, the 340B program certainly has been under fire, um, certainly recently from pharmaceutical manufacturers, some of which have actually stopped supplying drugs to pharmacies covered by the discounts. Um, you also have insurers that allegedly have lowered reimbursements for discounted medications, and then pharmacy benefit managers that allegedly have excluded entities covered by the program in exchange for rebates for manufacturers. Layered onto that, you also have congressional interest in the program that has led to recommendations to actually require covered entities in the program to report their savings under 340B and then how those savings are used. So I think with just all of those inputs, I think it's so critical to continuously monitor and assess whether you, you know, whether the program meets the requirements under the annual HRSA certification program in order to truly protect this program. Um, more to come on that, I'm sure. Another area that, um, we are seeing and, and it's actually been on work plans for, for quite some time, but to make sure that you do have cyber security. I mean, it's definitely top of mind for our clients and their boards and board subcommittees and, you know, healthcare providers are targeted because they provide, in most cases, urgent high risk services that if they are shut down for any length of time, it could result in patient harm or even loss of life. I mean, hence they are susceptible to hackers, ransomware, criminals who promise the return of data or access to critical systems if they respond to these ransomware, um, requests.
And the criminals know this. I mean, they know that many health organizations haven't implemented sufficient security measures to anticipate them, especially the rural providers and clinics. And that is an area that we are starting to see more and more, um, attacks because these rural providers and these clinics really don't have a lot of the resources that the larger health systems do. And so obviously the, the, the criminals are, they're smart, they know that too. And I think responding to these risks requires not only that robust security program, and when I say robust security program, it also includes the end users. I mean, that is really one of the top reasons for some of these attacks is because, you know, we, we clicked a button, um, and so many organizations have really robust phishing campaigns, and that is something to really stay on top of, particularly now as we're coming into the holiday season. You know, one of the, the areas that, that we've heard of and we've actually, um, have been as, as some of the services that we provide is on these phishing campaigns. I mean, you get an alert from Amazon saying your delivery is missing. I mean, who's not gonna click on that, right? Um, but those are just the things that people have to really stay on top of. And you know, I think it's also important that that compliance work plan, or better yet, a robust enterprise risk management plan should really include an assessment of whether that organization has in place that robust disaster recovery program. Because if you get hit, you're gonna get hit. Um, and that should really be tested frequently through tabletop exercises. And as we have really seen in these recent events, um, these bad actors will likely not keep their promises.
Um, they do have some good customer support, so they'll tell you, you know, how to, how to get that information to you and how to get your Bitcoins, but it really is that, that they will post your information anyway on the dark web and will not provide you that encryption key. So your inventory of risks should also include those connected medical devices. You know, we all hear about the, the, the terminology called Internet of Things. I mean, there's so many, you know, sensitive documents that are, that are accessible, but there's also these very sensitive patient safety, um, types of equipment and medical devices that you really have to stay on top of. But we all know that Covid sped up the adoption of digital technologies and those platforms such as telehealth. And as a result, many organizations and providers really haven't added sufficient information technology staffing to really keep up with the risks present. Um, but those were two that came to mind. But Ritu, what are some other areas that you're seeing that providers should, should consider for their risk assessments?

Speaker 3:

Well, Shannon, speaking of telehealth, I I think the government has had, um, a few takedowns in the last couple of of years related to telehealth. So I would definitely include telehealth on our, on our list of, of top areas. Um, you know, as you stated during Covid, we saw this increase in the use of telemedicine, right? I mean, I think before covid everyone wanted to get there. We were trying to figure out how to get there, and then all of a sudden, boom, we had to get there. And so, so many things were happening very quickly. Um, and with the relaxations that Covid brought, we've been operating in that world. So I think it's really important for clients or organizations, healthcare organizations right now to review the telehealth services that they're providing and ensure that they're still compliant. Many states have relaxed, um, so I mean relaxed those requirements, but now they're kind of unwinding those relaxations. A number of states have stated that they're no longer under a public health emergency, even though from the federal government we are. So since state law governs much of what, um, we look at in the telehealth space, I think organizations really need to look to see where do they fall and what states are they providing the services. As we know with tele telemedicine, the state in which the patient resides is the law that governs in terms of the practice of medicine. So organizations really need to take an inventory of, of what they're doing. You know, just yesterday, ironically enough, a client called and, and said that they have an issue where their physicians were out of the country when they were providing telehealth services, and those services were being provided through a contractual relationship. So now we're in the process of helping them investigate to think, to figure out were they permanently out of the country since they weren't their own providers, they were contracted providers, were they permanently out of the country?
Were they just on vacation? You know, what were the circumstances around that? And then do they have the proper licensure? Do they have the, you know, were they prescribing? I mean, just looking at all of that. And so I do think that organizations really need to stay on top of telehealth. I don't think telemedicine is going anywhere. Um, and so that definitely needs to be, needs to be on a, a work plan if an organization is providing, um, telehealth services. Another area I don't think we will ever get away from a provider not having, um, relationships with referral sources on their work plan. Uh, the focus may be a bit different in 2023. I mean, we always wanna make sure that the relationship with, with referral sources is compliant with Stark and Kickback. But this year I actually imagine more of those work plan items are gonna focus on value-based relationships as they did before. Um, you know, recall one of, of the benefits of meeting the value-based exceptions is that, and Safe Harbors, right? Whether you're looking at Stark or Kickback, is not having to meet fair market value and commercial reasonableness. Um, so that being said, if the organization doesn't meet the requirements of the value-based exception or Safe Harbor, then there really isn't a fallback exception or safe harbor for them to rely on. Um, since many of the non-value based, the non-VBE exceptions in safe harbors include fair market value and commercial reasonableness as requirements. So I think it's gonna be really important for compliance to be aware on the front end of any of the VBE-type arrangements organizations are, are getting into so that they can properly monitor them and then of course, on the backend to properly audit them because we know you only have a finite period of time to be able to correct any issues that you might, um, that you might have. So Shannon, I've added now three and four. Um, any other topics to, to round out our list?

Speaker 2:

Um, I would say one area that has kind of been referred to as a sleeper risk, and that's the area of actually of real estate, especially real estate transactions involving those referral sources that you just mentioned. And this would include both leases to and leases from physicians or physician groups. And we have assisted clients in this area regarding, you know, the proper controls over rent collections, fee escalators, shared operating expense allocation, and certainly fair market value, um, of the rent per square foot. I know these seem like kinda basic blocking and tackling areas, but from, just from my experience as also being an internal audit, a lot of times it's the execution of the contract that that does fall short. But as many of us have experienced, property values have also increased greatly in the past two years. And so as a result, I think it's important to make sure that your organization is conducting that market assessment to ensure that your rents have actually kept up with the market and that you're not putting your organization outside of a fair market value and a kickback safe harbor. And we recognize that many organizations also outsource their real estate management to an outside management company, but however, you can't outsource your responsibility for management of these arrangements. So we also encourage, um, many clients have some really great practices on what we call walk in the space. So it's a, it's an exercise whereby they actually visit the rented space to ensure that the provisions of the lease agreements, especially for timeshares, are being agreed to.

Speaker 3:

So Shannon, I think that gets us to number five of our top five list for today, but, and I'm sure we could probably go on and on with other additional risk areas for work plans, uh, for our providers. But do we want to leave with any final thoughts before we we close out for today?

Speaker 2:

Well, I know that we said we would talk about the top five work plan items, but in the age of the public health emergency, we would be remiss if we did not include Covid on the work plan. Um, maybe one day that won't be on the work plan, but I think it should be going into 2023. And this is really to cover, um, a lot of the recent enforcement actions for that covid relief funding. But as we are aware, the, the PHE was actually extended for another 90 days, but we are recommending to our clients to review the utilization also of any waivers, um, that they may have taken advantage of, and then to determine what activities are required to compliantly wind down those transactions. So as we wrap up, I obviously would love to thank my co um, podcaster, uh, Ritu. Thank you so much again for joining me to discuss, which is our absolutely our favorite topic, which is regulatory compliance. So thank you Ritu.

Speaker 3:

Oh, well, Shannon, thanks so much for including me, and I always enjoy sitting down and, and chatting with you and working with you. So I, I really appreciate you inviting me to join you today. Um, we'd also like to thank AHLA for this opportunity and we hope that you guys enjoyed today's podcast. If you didn't have these five on your list, maybe include them on your list for, for your risk assessment and work plan. And I hope everyone has a great day.

Speaker 1:

Thank you for listening. If you enjoy this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.