04/15/2010

Health Care Alert: New Health Care Reform Law Includes Mandatory Compliance Programs for Medicare or Medicaid Suppliers and Providers

On March 23, 2010, President Obama signed into law Public Law 111-148, the Patient Protection and Affordable Care Act (PPACA). The law, as passed, is 2,409 pages and addresses a massive number of issues related to health care. This e-Alert, however, focuses only on mandatory compliance programs. In the near future, any provider or supplier wishing to enroll or stay enrolled for Medicare or Medicaid reimbursement must establish a compliance program meeting certain minimum elements. P.L. 111-148 § 6401(7)(A). This requirement for all providers or suppliers under Medicare or Medicaid to have a mandatory compliance program is extremely broad. Prior to this law, a health care provider or supplier was only required to have a corporate compliance program if it was operating under a Corporate Integrity Agreement or had a contract with the federal government in excess of $5 million and lasted longer than 120 days (73 Fed. Reg. 67,064 (Nov. 12, 2008)). Now, every Medicare or Medicaid supplier or provider must have a corporate compliance program.

The requirements for these compliance programs will be set by the Secretary of Health and Human Services (HHS), in consultation with that agency's Office of Inspector General (OIG). P.L. 111-148 § 6401(7)(B). The PPACA itself mandates the requirements of compliance programs for only one category of health care provider: skilled nursing facilities. The program has to be "reasonably designed, implemented, and enforced so that it will be generally effective in preventing and detecting criminal, civil and administrative violations under [the PPACA] and in promoting quality of care." P.L. 111-148 § 6102. In addition, the compliance program is required to have the following elements:

1. Established compliance standards and procedures;
2. A senior-level compliance officer with sufficient resources and authority;
3. Due care to limit discretionary authority to wrongdoers;
4. Training and communications;
5. A reporting system for employees as well as monitoring and auditing systems;
6. Consistent enforcement, including employee discipline;
7. Reasonable responses to detected misconduct, including program modifications to prevent further similar offenses; and
8. Periodic reassessment of the compliance program.

These requirements borrow heavily from the Federal Sentencing Guidelines Chapter 8: Sentencing of Organizations as well as Compliance Guidance from the OIG of HHS. It is reasonable to anticipate that when Secretary Sebelius sets requirements for compliance programs for other types of organizations, she will most likely use the skilled nursing facility requirements as a baseline and add additional requirements. For example, the OIG's Compliance Guidance documents have similar core compliance suggestions and add specific recommendations to address unique risks in each sector of health care. So, if your organization is seeking reimbursement from Medicare or Medicaid, you will have the requirement, and not merely the recommendation, in the near future to create your own corporate compliance program according to requirements set by HHS.

For additional information regarding this e-Alert or health care compliance requirements in general, please contact Patty Zieg, Carl Bowman, Kirk Doan or Russ Berland.