We have discussed in prior posts the unique regulatory enforcement climate that providers and investors currently find themselves. It is critical that anyone contemplating investment in a healthcare business not only understand the regulatory risks and pressures of that industry but carefully review the target company’s compliance protocols for dealing with those challenges in a proactive way. And the Patient Protection and Affordable Care Act (aka PPACA, ACA or healthcare reform) makes having an appropriately structured compliance plan even more essential than ever.
Under PPACA, certain healthcare providers, as a condition to participation in Medicare, must have in place a compliance plan that meets the requirements to be laid out by the Secretary of HHS. The PPACA lists several detailed requirements for the compliance plans of skilled nursing facilities (SNFs), likely due to the industry’s historical scrutiny and highly publicized investigations from the SNF industry in the past few years. SNFs must implement these compliance plans pursuant to the requirements of Section 6102 of the PPACA within 36 months following passage of the PPACA, and regulations must be issued by the Secretary of HHS for SNFs with additional guidelines no later than two years following passage of the PPACA on March 23, 2010.
The Secretary of HHS is also mandated with determining which additional provider types must have compliance plans in place and what those plans must entail. HHS has informally indicated that it would likely roll out the compliance plan requirements on an industry-by-industry basis. Although HHS has been laden down with rule-making obligations resulting from PPACA in the past 18 months, the agency has indicated that the requirements for most industries will closely follow the key components of the DHHS Office of Inspector General model compliance plan published for healthcare providers in 1997, which has subsequently been updated. These core elements for a compliance program are as follows:
i. Compliance standards and procedures must be adopted and followed.
ii. Specific individuals with authority and sufficient resources must be assigned to oversee compliance.
iii. The organization must exercise due care to ensure that the above authority is not delegated to an individual with a propensity to engage in PPACA criminal, civil and administrative violations.
iv. The organization must take steps to educate its employees and agents of the compliance program.
v. The organization must take reasonable steps to achieve compliance with its standards.
vi. The standards and procedures must be consistently enforced.
vii. If an offense is detected, the organization must respond appropriately and prevent similar offenses.
viii. The organization must periodically reassess the compliance programs and make changes necessary to reflect changes within the organization.
When reviewing a company’s compliance plan, it is essential that the provider and investor not only ensure that there is a plan in place but also that the plan is well-tailored for that company’s key risk management needs. To be truly effective the plan must be specific to that company’s industry and risks, with associated useful training and response tools such that the plan can really be the guide for a full compliance program. Both providers and investors should ask, how is the plan truly used and made a part of daily operations? Understanding a company’s compliance culture can help everyone assess the risks it may be taking with investment in the company and what challenges, if any, may be on the horizon for the company.