July 21, 2020

The Seven Elements of Effective Compliance Programs to Manage Your Organization’s COVID-19 Risks

Throughout the COVID-19 crisis, there has been an unprecedented amount of Federal and state financial support and regulatory waivers issued to enable healthcare providers to maintain viability and effectively address the health needs of their communities. In addition to providing hospitals and other healthcare providers with grants and loans, Federal and state agencies have waived many long-standing regulatory requirements, including some for telehealth, and have pledged enforcement discretion by oversight bodies. While these actions provide much-needed resources and flexibility for healthcare providers to respond effectively to the public health emergency, they also present significant compliance challenges to keep up with and respond to additional and evolving regulatory requirements. In this article, we describe how healthcare providers should tackle the compliance risks posed by the COVID-19 crisis through their established compliance programs.

Understanding COVID-19-Related Compliance Risks

COVID-19 relief funding

There have been numerous sources of funding made available to healthcare providers during the COVID-19 crisis including, but not limited to, Federal grants and loans (e.g., Coronavirus Aid, Relief and Economic Security Act (CARES Act) funds, Federal Emergency Management Agency (FEMA) assistance, Medicare advance payments, etc.), business interruption insurance, and state and local government assistance. Each of these funding sources has unique “terms and conditions” that create the potential for significant compliance risk. Inventorying and tracking all funding received by the organization is a critical first step in assessing the significance of the risk. The organization’s compliance department (Compliance) should have an active role in analyzing the requirements of COVID-19 funding received to ensure that effective controls are in place to mitigate the risk of running afoul of applicable terms and conditions and reporting requirements.

Relaxation of regulatory requirements

The Department of Health and Human Services (HHS), as authorized under Section 1135 of the Social Security Act, has issued an unprecedented number of blanket, individual and state-specific waivers (1135 Waivers) to temporarily modify or suspend certain Medicare, Medicaid, Children’s Health Insurance Program (CHIP), and Health Insurance Portability and Accountability Act (HIPAA) requirements in order to ensure that sufficient healthcare items and services are available to meet the needs of program beneficiaries during the public health emergency. The 1135 Waivers enable healthcare providers to continue to be reimbursed by Medicare and Medicaid, even if they are unable to comply with certain statutory and regulatory requirements. As long as the providers are acting in good faith, they will be exempted from sanctions for noncompliance, unless their actions constitute actual fraud and abuse to Federal programs.

Healthcare providers utilizing the flexibilities afforded by 1135 Waivers should have a robust process for documenting when, where and how waivers were relied on during the public health emergency. Additionally, understanding the applicability and timing of the various 1135 Waivers will be critical for effective compliance. Most blanket 1135 Waivers are effective retroactively to March 1, 2020, and extend through the end of the public health emergency. A compliance framework should be instituted by the organization’s Chief Compliance Officer (CCO) to identify, track and restore and/or adjust processes as waivers are extinguished once the public health emergency is over. Some key areas requiring focused attention due to the issuance of 1135 Waivers include:

Telehealth and telemedicine services. Telehealth and telemedicine services have increased significantly during the COVID-19 crisis. 1135 Waivers have expanded the scope of healthcare professionals who are eligible to furnish certain telehealth services and enabled additional forms of acceptable telehealth services, including audio-only telephone evaluations in certain instances.

Medicare Conditions of Participation and other certification requirements. A number of requirements have been relaxed to allow healthcare providers the flexibility to meet the needs of patients.

Emergency Medical Treatment and Labor Act (EMTALA). Sanctions have been waived for the redirection of an individual to receive a medical screening examination in an alternative location pursuant to a state emergency preparedness plan or transfer of an individual who has not been stabilized if the transfer is necessitated by the circumstances of the declared emergency.

Stark and Anti-Kickback Statute (AKS). Eighteen blanket waivers have been issued that apply only to direct compensation arrangements. The HHS Office of Inspector General (OIG) also indicated that it will use its discretion in enforcing certain Stark and AKS requirements. Arrangements with referral sources will continue to be a high risk to organizations. As such, all referral source transactions for which 1135 Waivers were relied upon should be carefully evaluated to determine that the waivers were appropriately applied. Organizations must also be prepared to unwind these transactions when the waivers are extinguished, once the public health emergency is over.

HIPAA privacy and security requirements. The HHS Office for Civil Rights (OCR) issued statements reminding organizations of their continued obligations under HIPAA but also provided guidance on how they could appropriately share protected health information (PHI) during the public health emergency. OCR indicated it will use enforcement discretion related to the good faith use or disclosure of PHI for public health activities as well as the use of certain communication applications for the provision of telehealth services.

COVID-19 related billing and reimbursement

Numerous changes have been made during the course of the COVID-19 crisis on how healthcare providers bill for services to Federal programs, especially those related directly to testing for and treatment of COVID-19. The Centers for Medicare and Medicaid Services (CMS) has released rulings and extensive guidance related to Medicare fee-for-service billing during the public health emergency. Organizations should implement measures to ensure clinicians and staff are able to document and bill appropriately.

Increased government oversight and enforcement

Because the Federal government has appropriated hundreds of billions of dollars in COVID-19 relief to healthcare providers, there will be significant oversight and monitoring by government agencies (e.g., OIG, CMS, OCR) related to the COVID-19 risk areas discussed above — relief funding, application of the 1135 waivers, and COVID-19 billing and reimbursement. In fact, $100 million has been appropriated to the OIG to provide fraud oversight as required in the CARES Act. Recently, the OIG released its strategic plan for oversight of the COVID-19 response and recovery efforts, and one of its key planning and oversight goals is to protect the funds appropriated to HHS, including the $175 billion for the Provider Relief Fund, and ensure they are used appropriately. The OIG’s oversight efforts will include audits of organizations that received funds to assess whether they met use, reporting and other requirements. Other agencies, including CMS and OCR, will also be conducting focused survey and auditing activities related to COVID-19 provisions.

Addressing Compliance Challenges and Risks Posed by the COVID-19 Crisis Through Existing Compliance Programs

The numerous compliance risks and increased government oversight posed by Federal and state actions to address the COVID-19 crisis can be best addressed through the normal processes of a healthcare provider’s existing compliance program. The OIG has long advocated that healthcare compliance programs adhere to “Seven Elements” set forth by the OIG in order to have an effective compliance program. From the development of necessary policies and procedures to risk assessment, monitoring and auditing, and implementation of corrective actions, the Seven Elements of compliance programs can be used to effectively evaluate COVID-19 risks and direct appropriate resources and activities to mitigate those risks. The following provides examples of how COVID-19 risks can be incorporated into a healthcare organization’s existing compliance program under the Seven Elements framework:

1. Standards, policies and procedures

As new provisions and requirements brought about by COVID-19 are introduced, it is important to review and revise existing, and/or develop new, written policies and procedures designed to address these changes. Policies and procedures should be considered to address COVID-19 risk areas including: grant funding, balance billing practices and arrangements with referral sources. Organizations should consider adopting a new, written, overarching relief fund policy that describes its commitment to complying with all applicable terms and conditions. It should also clearly outline the steps for complying with each term and condition, including such provisions as eligibility, appropriate use of funds received, and documentation and reporting requirements.

New and revised policies and procedures related to COVID-19 provisions should be disseminated throughout the organization to applicable staff. Consideration should be given to instituting acknowledgements by staff of their receipt and understanding of such policies to ensure that impacted staff have received information.

2. Compliance program administration and oversight

The healthcare organization’s compliance department and CCO should lead, or be directly involved in, the analysis of and planning for the added risks and requirements presented as a result of the COVID-19 crisis. Both the board and management compliance committees should be kept informed and approve of the resources and activities that will be deployed to address COVID-19 risks. They should be informed of key findings from compliance risk assessments of COVID-19 risks and recommended actions to be incorporated in the organization’s compliance workplan, including additional monitoring and auditing activities. Workplans may have to be adjusted to prioritize activities related to COVID-19 risks.

Compliance committees should be kept apprised of the results of auditing and monitoring activities as well as the related recommended corrective actions. Compliance dashboards and metrics designed to support effective compliance program administration should integrate COVID-19-related risks and the associated mitigation activities (e.g., number of hotline calls related to COVID-19 compliance concerns, COVID-19 training completion records, compliance percentage rates of COVID-19 monitoring and auditing, and detail of the use of grant funds). Of particular focus should be the terms and conditions associated with the various grants and loans provided by the Federal and state government. Special consideration should be provided to such areas as double dipping, balance billing and executive compensation requirements.

3. Effective lines of communication / Reporting compliance and ethical concerns

Communication is essential during a public health emergency. Open lines of communication through the use of internal reporting mechanisms and anonymous hotlines are an important and critical feature in an organization’s compliance program.

As was learned from prior Federal stimulus bills, whistleblower activity escalates significantly following increases in Federal monetary assistance and can expose an organization to significant legal and financial risks. Communicating the organization’s commitment to non-retaliation for reporting concerns and ensuring that Compliance is actively monitoring and investigating hotline reports related to COVID-19 concerns and responding timely are important. Information obtained should be used to not only identify potential compliance issues, but also to track and trend areas of confusion and misinformation that are in the work environment. Identifying, investigating and responding in a prompt and efficient manner may help prevent a costly qui tam action or Federal criminal or civil investigation.

4. Communication, education and training on compliance issues

In the midst of the public health emergency, training and education programs are important to keep the organization informed of changing requirements. Educating staff on what can and cannot occur under the various 1135 Waivers will be a key challenge to Compliance. Staff members will most likely be on information overload during this extremely stressful time, so being able to effectively communicate the do’s and don’ts is essential. Training may also be needed on how Federal funds can be spent and how spending must be tracked and audited. Processes should be implemented by Compliance to track and document staff completion of required COVID-19-related training.

As the COVID-19 crisis period ends, retraining will be critical to ensure that staff have a clear understanding of the rules and regulations, and what is and is not permissible. The “rolling back” of the relaxation of certain regulatory requirements may cause confusion within the workplace, so emphasis should be placed on the current / new requirements to reduce any confusion. Training should focus on the organization’s commitment to following regulatory guidance and clearly define the expectations going forward. Consider instituting a “Compliance FAQ” process so that staff may submit questions and receive written responses. This will also allow for a better understanding of where confusion may lie within the organization.

5. Risk assessment, monitoring and auditing

The compliance risk assessment process traditionally used by the compliance department and CCO should be utilized to assess COVID-19 risks and to determine and prioritize actions. The organization’s compliance workplan should be adjusted, as necessary, to prioritize activities related to COVID-19 risk areas. Additional monitoring and auditing activities may be needed to appropriately mitigate the organization’s risk.

Focus areas for internal compliance monitoring and auditing activities related to COVID-19 risk areas should include relief funding terms and conditions, billing requirements, including balance billing and flexibilities implemented as part of the 1135 Waivers. This will better prepare the organization for anticipated government oversight actions. Since there is a significant number of areas to monitor and audit, Compliance leaders should look to the risk assessment findings to prioritize focus areas.

6. Investigations and corrective action

The compliance program should have a process in place for investigating reports of suspected non-compliance related to COVID-19 requirements and for responding appropriately to identified problems. Ensuring that Compliance conducts a timely and thorough investigation, including a root cause analysis, to determine appropriate corrective actions is a critical component of the organization’s compliance program. As mentioned previously, investigating and responding in a prompt and efficient manner to COVID-19 concerns may help prevent a costly qui tam action or a Federal investigation.

7. Discipline for noncompliance and screening and evaluation of employees, physicians, vendors and other agents

The organization should clearly communicate that its policies and procedures addressing enforcement of compliance standards and discipline of individuals who violate them are applicable to COVID-19 requirements. Consistent application and appropriate documentation of disciplinary measures remains a critical component of the corrective action process. Compliance may want to review disciplinary actions taken as a result of COVID-19 infractions for consistency and fair administration.

The processes in place to screen and evaluate employees, physicians, vendors and other agents (Individuals) may be even more critical during the COVID-19 crisis due to the number of new Individuals who may have been engaged, sometimes expeditiously, to provide needed services and/or supplies to address the public health emergency. The requirement that the organization must screen Individuals before hire / contract and periodically thereafter to ensure they are not sanctioned did not change as a result of the crisis.

Summary

Most, if not all, healthcare providers will have increased compliance risks associated with Federal and state actions and programs implemented to address the COVID-19 crisis. At the same time, organizations will be strapped for resources, especially now and into the near future, and may have the tendency to overlook these COVID-19 risks and the impending government scrutiny. Fortunately, most well-organized healthcare organizations already have effective compliance programs that operate under the OIG’s Seven Elements rubric. Healthcare organizations will benefit from timely incorporating COVID-19-associated risks into their existing compliance program activities, as well as ensuring their compliance programs and CCOs are integrated into the organization’s plan to account for Federal COVID-19 funding and to comply with any associated regulatory waivers.
