Don't Set It & Forget It: The Importance of Evaluating & Evolving Healthcare Compliance Programs

According to fiscal year (FY) 2019 data released in June 2020, the federal government won or negotiated over $2.6 billion in healthcare fraud judgments and settlements that year. The DOJ also opened 1,060 new criminal healthcare fraud investigations and 1,112 new civil healthcare fraud investigations in FY 2019. These trends have continued apace, as illustrated by the DOJ, HHS-OIG, and multiple other federal agencies coordination of a national healthcare fraud and opioid takedown on September 30, 2020 resulting in charges against 345 defendants responsible for more than $6 billion in alleged fraud losses, including more than $4.5 billion connected to schemes involving telemedicine. The federal government's investment of resources toward combatting fraud, waste and abuse in healthcare can be expected to continue in full force, irrespective of a change in political administration. Accordingly, it is important for healthcare companies to focus on maintaining flexible and effective compliance programs to not only avoid government scrutiny but also satisfy government expectations and mitigate costs in the event of an investigation.

Recent DOJ and HHS-OIG Compliance Guidance

The updated DOJ Guidance, among other things, focuses on the following as indicia of a compliance program's strength:

• Whether the company tracks and incorporates into its periodic risk assessment "lessons learned" from the company's own prior compliance issues or those of similarly situated companies;
• Whether the company's risk assessment is "based upon continuous access to operational data and information across functions," rather than limited to a "'snapshot' in time";
• Whether compliance personnel have "sufficient direct or indirect access to relevant sources of data to allow for timely and effe2 ii) periodically test the effectiveness of the hotline; and
• Whether the company routinely updates existing policies and procedures, and tracks electronic access to such documents to understand which policies are attracting more employee attention.

The DOJ's heightened focus on ensuring that compliance programs are practical, dynamic, and continuously evolving based on the organization's size, industry, geographic footprint, regulatory landscape, and other factors, is not unique among federal government enforcement and oversight agencies, particularly those charged with enforcing laws and regulations designed to ensure integrity in the healthcare industry. Specifically, HHS-OIG has for years touted the importance of periodically measuring the various elements of an organization's compliance program and modifying the program as necessary to meet changing needs. For example, it is standard practice for HHS-OIG to require all organizations entering into a Corporate Integrity Agreement (CIA) as part of a civil False Claims Act (FCA) resolution to develop and implement a centralized risk assessment and internal review process to identify and address risks associated with activities that impact federal healthcare programs. As part of this process, companies are required by the terms of their CIAs to have their compliance, legal, and relevant department leaders annually: 1) identify and prioritize key risk areas; and 2) develop, implement, and track internal audit work plans and, as necessary, corrective action plans to address those risks.