Amy K. Fehn. I. Overview of Accountable Care Organizations and the Medicare Shared Savings Program

Transcription

1 IMPLEMENTING COMPLIANCE PROGRAMS FOR ACCOUNTABLE CARE ORGANIZATIONS Amy K. Fehn I. Overview of Accountable Care Organizations and the Medicare Shared Savings Program The Medicare Shared Savings Program ( MSSP ) was established by Section 3022 of the Affordable Care Act. The MSSP allows certain Medicare providers and suppliers to join together as an Accountable Care Organization ( ACO ) to be accountable for the care of a population of Medicare beneficiaries. An ACO will enter into Participation Agreements with groups of providers/suppliers who are identified by a separate tax identification number ( Participants ). If an ACO meets all program requirements, including certain quality standards, the ACO will receive a percentage of any savings in Medicare program expenditures during the performance year at issue, when compared to benchmark expenditures. Although the term ACO is not specific to the MSSP, the MSSP regulations include very specific requirements for ACOs participating in the MSSP. One such requirement is the development and maintenance of a compliance program that meets certain criteria as set forth in the MSSP: ACO Final Rule issued on November 2, 2011 ( Final Rule ) Fed. Reg (November 2, 2011). 1

2 II. MSSP Compliance Program Requirements While the ACO s compliance program does not have to be submitted with the ACO s application, it must be made available to the Centers of Medicare and Medicaid Services ( CMS ) upon request and must meet certain requirements. 2 Specifically, 42 CFR contains a requirement that, in order to be eligible for the MSSP program, an ACO must have a compliance program that includes at least the following elements (which are discussed individually in more detail below): A designated compliance officer who is not legal counsel and who reports directly to the ACO s governing body. Mechanisms for identifying and addressing compliance problems related to the ACO s operations and performance. A method for employees or contractors of the ACO, ACO participants, ACO providers/suppliers and other individuals or entities performing functions or services related to the ACO to anonymously report suspected problems related to the ACO to the compliance officer. Compliance training for the ACO, the ACO participants, and the ACO providers/suppliers. A requirement for the ACO to report probable violations of law to an appropriate law enforcement agency. 2 Note that the regulations at 42 CFR suggest that ACO s must submit a copy of their compliance program with their application for the MSSP, the 2013 Application Toolkit does not indicate that the compliance program must be submitted with the application: Payment/sharedsavingsprogram/Downloads/MSSP-Reference-Table-.pdf 2

3 In compliance with and updated periodically to reflect changes in the law and regulations. 3 In the Final Rule, CMS also stated that, when developing compliance programs, ACOs should reference the compliance guidance on the Office of Inspector General s ( OIG ) website, which the OIG has issued through the years for various industry segments. 4 Thus, where the Final Rule does not provide specific guidance, it is helpful to look to this guidance regarding CMS expectations. A. A designated compliance officer who is not legal counsel and who reports directly to the ACO s governing body. Consistent with previous compliance guidance issued by the OIG, CMS is requiring ACOs participating in the MSSP to have a designated compliance officer. CMS further specified that the compliance officer be separate from legal counsel and report directly to the governing board. CMS clarified in commentary to the Final Rule that the compliance officer can be trained as an attorney, so long as the compliance officer does not act as legal counsel for the ACO. CMS stated that the purpose of this requirement is to ensure independent and objective legal reviews and financial analyses of the organization s compliance efforts and activities by the compliance officer. 5 If an ACO is an existing entity, it may use the entity s current compliance officer, but only if the compliance officer meets the requirements set forth above (i.e., is not legal counsel and reports directly to the ACO s governing body). 6 Although the regulations are silent as to the necessity of a compliance committee, the OIG Supplemental Compliance Program Guidance for Hospitals issued in CFR Fed. Reg Fed. Reg Id. 3

4 suggests that, at least for hospitals, a Compliance Committee is integral to the establishment of an effective compliance program. 7 The OIG has also recommended the establishment of a compliance committee in its compliance guidance for other industries, including that issued for Managed + Choice Organizations. 8 B. Mechanisms for identifying and addressing compliance problems related to the ACO s operations and performance. The OIG, in its compliance guidance, has consistently promoted the use of internal periodic audits by individuals who are knowledgeable about health care regulatory requirements. 9 In determining how to conduct internal audits, it is helpful to consider the methods in which CMS plans to audit ACOs in order to determine compliance with the various MSSP requirements. For example, in the Final Rule, CMS stated that it may audit quality measures data by reviewing beneficiary records. 10 CMS has also stated that it may audit ACOs for accuracy of ICD-9 codes on which risk scores are based. 11 In addition, CMS stated plans to monitor for beneficiary risk avoidance by looking for patterns in changes in risk adjustment of the ACO s assigned population from one year to the next. 12 CMS has also indicated that it will monitor beneficiary surveys to determine whether ACOs are interfering with patient freedom of choice by improperly limiting or restricting referrals to providers within the ACO Fed. Reg Fed. Reg See e.g., OIG s Compliance Program Guidance for Medicare + Choice Organizations, 64 Fed. Reg Fed. Reg Fed. Reg Fed. Reg Fed. Reg

5 These potential areas of CMS audit are discussed in more detail below, as are other regulatory requirements that could post compliance risks for the ACO. C. A method for employees or contractors of the ACO, ACO participants, ACO providers/suppliers and other individuals or entities performing functions or services related to the ACO to anonymously report suspected problems related to the ACO to the compliance officer. CMS does not elaborate on the anonymous reporting requirement in the Final Rule. However, in past compliance guidance, the OIG has suggested the use of a hotline or drop box for the receipt of anonymous complaints. 14 D. Compliance training for the ACO, the ACO participants, and the ACO providers/suppliers. In the commentary to the Final Rule, some commenters requested that, to minimize the burden on ACOs, CMS require only training of the compliance officer. In response, CMS stated that the compliance training was necessary for all ACO participants and ACO providers/suppliers so that all associated providers/suppliers would understand their legal obligations and the ACO s legal obligations with respect to the ACO s operations, compliance risk areas and how to report compliance concerns. 15 E. A requirement for the ACO to report probable violations of law to an appropriate law enforcement agency. The Proposed Rule contained a duty to report suspected violations of law. In the Final Rule, commenters suggested that this requirement deviated from accepted compliance practices. Commenters specifically had concerns that the required reporting of suspected violations would not give the ACO an opportunity to resolve issues before reporting to law enforcement. 14 OIG Compliance Guidance for Hospitals and Medicare + Choice Organizations both discuss the use of hotlines, while the Compliance Guidance for Individual and Small Group Physician Practices suggests the use of a drop box Fed. Reg

6 In the Final Rule, CMS changed the duty to require reporting of probable violations of law, stating: [w]e believe ACOs should have a compliance program that allows for the prompt and thorough investigation of possible misconduct by ACO participants, ACO providers/suppliers, other individuals or entities performing functions or services related to ACO activities, corporate officers, managers, employees, and independent contractors, as well as, early detection and reporting of violations, thus minimizing the loss to the Federal government from false or improper claims and thereby reducing the ACO and ACO participants and its ACO providers/suppliers to applicable civil damages and penalties, criminal sanctions, or administrative remedies, such as program exclusion, as applicable. As such, ACOs should consider implementing a system for identifying and addressing possible violations when designing their compliance plan. We are modifying the final rule to provide that probable violations should be reported to law enforcement. 16 Thus, ACOs will likely want to craft compliance policies in a manner that requires participants and employees to report suspected violations internally, giving the ACO the opportunity to fully investigate whether a probable violation exists. F. In compliance with and updated periodically to reflect changes in the law and regulations. Consistent with previous OIG guidance, ACOs are required to update compliance programs periodically as necessary to reflect changes in the law and regulations. This is important because CMS noted throughout the Final Rule commentary that it will monitor and update the requirements as needed. 17 Thus, it is likely that requirements will be removed, revised or eliminated as the MSSP is further evaluated by CMS Fed. Reg CFR gives CMS the ability to update the program requirements during the term of the agreement. 6

7 In commentary to the Final Rule, CMS also indicated that one purpose of this provision was to require compliance with the new mandatory compliance provisions of the Accountable Care Act. 18 III. Specific Risk Areas and Associated Penalties The OIG frequently advises providers, when implementing compliance programs, to focus on risk areas specific to their provider type. Some of the areas that could potentially pose risk of noncompliance with the MSSP regulations, or other regulations related to ACO participation in the MSSP, include: A. Accuracy of Data Submitted Pursuant to 42 CFR , at the time data is submitted by an ACO, an individual with the legal authority to bind the ACO must certify the accuracy, completeness and truthfulness of the data and information to the best of his or her knowledge, information and belief. In addition, an individual with the legal authority to bind the ACO must submit an annual certification that, to the best of his or her knowledge, information and belief, the ACO and its Participants, providers and suppliers are in compliance with program requirements. The individual must also certify the accuracy of all data and information generated or submitted by the ACO, its Participants, its associated providers/suppliers and any individuals or entities performing functions or services related to ACO activities Note that pursuant to Section 6101 of the Affordable Care Act, the Secretary of Health and Human Services (HHS) is required to develop mandatory compliance program requirements for certain other health care providers or suppliers, as determined by HHS. Section 6401 requires mandatory compliance programs for Skilled Nursing Facilities (SNFs) but a final rule regarding specific requirements has yet to be issued CFR

8 The commentary to the Final Rule contains a reminder that knowingly submitting a false certification could trigger liability under the False Claims Act, as well as termination from the MSSP program. 20 Thus, it is important that ACO employees and Participants understand the importance of accurate submissions. B. Beneficiary Inducements The Final Rule also prohibits ACOs and its Participants from providing gifts or other remuneration to beneficiaries as inducements for receiving items or services from, or remaining in, an ACO, or with ACO providers/suppliers in a particular ACO. The Final Rule does provide exceptions for certain in-kind items or services provided to beneficiaries if they are reasonably connected to the beneficiaries care, are preventive care items or services, or advance a clinical goal for the beneficiary (such as adherence to a drug or treatment regime, a follow-up care plan or chronic disease management). 21 In order to use this exception, an ACO must be in good standing with regard to its participation in the MSSP program, and the goods or services must be reasonably connected to the medical care of the beneficiary. 22 The provision of such goods and services also requires waiver of the beneficiary inducement civil monetary penalties ( CMP ), as discussed in more detail below. In commentary to the Final Rule, CMS provided examples of the types of beneficiary inducements that are permissible, such as giving blood pressure monitors to patients with hypertension in order to encourage regular blood pressure monitoring. CMS also provided examples of the types of beneficiary inducements that are Fed. Reg CFR (a) Fed. Reg

9 impermissible, such as offering beneficiaries money or other gifs such as baseball tickets or gift cards to retail stores. 23 C. Screening of ACO Applicants The Final Rule states that all ACOs, including Participants, providers and suppliers will be reviewed initially and periodically to screen for any exclusions from the Medicare program or other sanctions as well as affiliations with individuals or entities that have a history of program integrity issues. 24 If CMS discovers excluded providers who are participating in or affiliated with the ACO, the MSSP application could be denied, or additional program safeguards could be put into place. 25 Therefore, it is important that ACOs have an effective screening process in place. D. Prohibition on Certain Required Referrals and Cost Shifting ACOs are prohibited from requiring that Participants refer within the ACO for non-aco patients. 26 The purpose of this requirement is to address concerns that, with the preliminary prospective beneficiary assignment, ACOs might incent participants to over utilize services related to beneficiaries who are not assigned to that ACO. 27 The Final Rule also prohibits ACOs from requiring that beneficiaries be referred within the ACO. 28 The purpose of this requirement is to maintain beneficiary freedom of choice Fed. Reg CFR (b) 25 Id CFR (c)(1) Fed. Reg CFR (c)(2) Fed. Reg

10 E. Updating Application Information ACOs are also required to update their application for any changes in National Provider Identifiers or Tax Identification Numbers submitted within 30 days of a change. 30 It may be helpful to include a reminder of this requirement in compliance training. F. Marketing ACOs must submit all marketing materials to CMS for approval and cannot use the information until five days after the submission to CMS. 31 ACOs must also certify that the marketing materials comply with the following requirements: Marketing materials must use template language developed by CMS, if available. The marketing materials may be targeted toward beneficiaries of certain races or with certain conditions, but must not be used in a discriminatory manner or for a discriminatory purpose. Marketing communications cannot violate the beneficiary inducement provisions discussed above and must not be materially inaccurate or misleading 32 G. Beneficiary Notification ACO participants must notify beneficiaries at the point of care that their providers/suppliers are participating in the MSSP. 33 Notification must be made by CFR (d) CFR CFR (c) CFR (a). 10

11 posting signs and via a standardized written notice. The ACO may also inform beneficiaries that they have been preliminarily assigned to the ACO. 34 It is also important to note that CMS views these notification documents as marketing. Thus, all such documents must meet all marketing requirements discussed above (including the submission of the materials to CMS). 35 H. Avoidance of At-Risk Beneficiaries CMS is required by statute to monitor ACOs for behavior that would indicate that the ACO is avoiding at risk beneficiaries. 36 While the Affordable Care Act does not define the term at risk beneficiary, CMS defines it in the Final Rule: At-risk beneficiary means, but is not limited to, a beneficiary who (1) Has a high risk score on the CMS HCC risk adjustment model; (2) Is considered high cost due to having two or more hospitalizations or emergency room visits each year; (3) Is dually eligible for Medicare and Medicaid; (4) Has a high utilization pattern; (5) Has one or more chronic conditions; (6) Has had a recent diagnosis that is expected to result in increased cost; (7) Is entitled to Medicaid because of disability; or (8) Is diagnosed with a mental health or substance abuse disorder. 37 If CMS determines that an ACO has been avoiding at risk beneficiaries, the ACO will be subject to sanctions, including possible termination from the MSSP. 38 Thus, it is important that participating providers understand the prohibition on avoiding at-risk beneficiaries. As discussed above, CMS will be reviewing changes in beneficiary assignment to audit for possible avoidance behaviors CFR (b) CFR (c). 36 Affordable Care Act Section CFR Affordable Care Act Section

12 This is an area where the compliance officer could take a proactive approach with self-audits. Other ways to self-monitor for these avoidance types of behaviors could include beneficiary interviews or requirements that a provider report to the ACO when he or she terminates a physician-patient relationship. I. Data Use Agreement and HIPAA Compliance Subject to beneficiaries rights to opt-out of data sharing, CMS may share beneficiary data with ACOs for activities such as quality assurance/quality improvement and population based activities. However, in order to receive such data, ACOs must sign a Data Use Agreement and must require all Participants (and associated providers/suppliers) to comply with the terms of the Data Use Agreement. 39 Failure to comply with the Data Use Agreement provisions will cause the ACO to be ineligible to receive beneficiary data and could subject the ACO to termination and other sanctions/penalties. 40 ACOs will also likely be considered a business associate of the Participants to the extent that they require protected health information from the Participants. 41 ACOs could, therefore, be subject to HIPAA fines and penalties for impermissible disclosures of protected health information. J. Anti-Kickback and Stark Concurrent with the Final Rule, CMS, jointly with the OIG, also issued an Interim Final Rule with Comment Period (the IFC ) establishing waivers of the application of the Physician Self-Referral Law ( Stark ), the federal anti-kickback statute (the AKS ), CFR CFR (a)(2) Fed. Reg

13 and certain CMP law provisions to certain ACO arrangements as necessary to implement the MSSP. 42 It is important for ACOs and their Participants to understand, however, that these waivers are limited and are not a wholesale waiver of these laws and regulations. The available waivers protect the following five arrangements/activities: ACO Pre-participation Waiver. This waiver protects startup arrangements that pre-date an ACO s participation agreement, so long as the parties forming the ACO are working with a good faith intent to develop an ACO that will participate in the MSSP during a target year. The parties to the arrangement may include the ACO and at least one entity that is eligible to become a participant, but may not include drug and device manufacturers, distributors, durable medical equipment ( DME ) suppliers, or home health suppliers. The parties developing the ACO must be taking diligent steps to develop an ACO that would be eligible for a participation agreement that would become effective during the target year, including developing a governing body. The governing body must make a determination that the arrangement is reasonably related to the purposes of the MSSP. The documented arrangement and authorization must be retained for a period of ten years. If the ACO does not submit an application for the MSSP, it must send an explanation to CMS. If all conditions are met, a pre-participation waiver would begin one year preceding the due date of a target year application and would end on the start date of an accepted participation agreement. Arrangements that were in place on the date of denial will continue to be protected by the waiver for six more months. An ACO that fails to meet the target application date may request a one-time extension Fed. Reg Fed. Reg

14 ACO Participation Waiver. This waiver is available for ACOs that have entered into a participation agreement with CMS for the MSSP and remain in good standing. The ACO s governing body must make a good faith determination that the arrangement is reasonably related to the purposes of the MSSP. The arrangement and the governing body s authorization must be documented contemporaneously and retained for 10 years. The waiver begins on the start date of the participation agreement and will end 6 months after termination or expiration of the participation agreement. However, if CMS terminates the participation agreement, the waiver period will end immediately upon termination. 44 ACO Shared Savings Distribution Waiver. This waiver is available for ACOs that are participating in the MSSP and distribute shared savings during the year in which the shared savings were earned by the ACO. The waiver also protects shared savings that are used for activities that are reasonably related to the purposes of the MSSP. However, the distributions cannot knowingly be made from a hospital to a physician to induce the physician to reduce or limit medically necessary items or services to patients under the direct care of the physician. 45 Compliance with the Physician Self-Referral Waiver. This waiver protects arrangements, as to applicability of the AKS or the gainsharing CMP, between ACOs participating in the MSSP and physicians provided that the arrangement meets a Stark exception. 46 Waiver for Patient Inducements. As discussed above with regard to beneficiary inducements, the AKS and beneficiary inducement CMP will be waived Fed. Reg Id. 46 Id. 14

15 where participating ACOs provide patients with healthcare-related incentives that meet certain criteria. The waiver will begin on the start date of the ACO s participation agreement and will end at expiration or termination. However, a beneficiary may keep any items received during the term of the participation agreement and receive the remainder of any service initiated prior to the termination or expiration of the participation agreement. 47 K. Anti-Trust Concurrent with the publication of the Final Rule, the Federal Trade Commission ( FTC ) and Department of Justice ( DOJ ) issued a final Antitrust Enforcement Policy with regard to ACOs participating in the MSSP. 48 Absent extraordinary circumstances, an ACO will fall within an antitrust enforcement safety zone if independent ACO participants that provide the same service have a share of 30 percent or less of the common service in each participant s Primary Service Area ( PSA ). Because of the qualification related to extraordinary circumstances, and because some ACOs will not fall within the safety zone, all compliance programs should provide guidance to ACO participants regarding conduct to avoid. For example all ACOs should avoid improper exchanges of prices or other competitively sensitive information among competing participants and should implement appropriate firewalls or other safeguards to protect against collusion among competing participants. 49 ACO Participant conduct that the FTC and DOJ would consider concerning when associated with an ACO with high PSA shares or other indicia of market power include: Fed. Reg Fed. Reg Fed. Reg

16 Preventing or discouraging private payors from directing or incentivizing patients to choose certain providers; Exclusive contracting with ACO physicians, hospitals, ASCs or other providers which would prevent or discourage those providers from contracting with private payers outside of the ACO; and Restricting a private payor from making costs, quality, efficiency and performance information available to aid enrollees in evaluating and selecting health plan providers, if that information is similar to the information used for the MSSP 50 L. Reporting Changes ACOs must notify CMS within thirty days of an addition or removal of an ACO Participant or any significant change to the initially approved structure. A significant change is defined as any change that would cause an ACO to not be able to meet the eligibility or program requirements of the MSSP. 51 M. Record Retention ACOs are required to retain records related to the MSSP program for a period of ten years unless CMS instructs the ACO to retain the records longer. Also, if there is a dispute, such as a termination or allegation of fraud, the ACO should retain the medical records for an additional six years from the date of any resulting final resolution. 52 IV. Conclusion Compliance plans are not only required by the Final Rule, but can also help ACOs to meet the many complicated program requirements. For effectiveness, it is essential Fed. Reg CFR CFR

17 that meaningful training take place and that such training reach all of the Participant s associated physicians. Self-monitoring, regular review, and update of the policies and procedures are other factors that will promote a culture of compliance within the ACO. 17