In 2015, over $3 billion in investigative and audit receivables was collected through OIG sanctions and exclusion violations. Several studies have reported that breaches involving Business Associates account for anywhere between 10% and 40% of all HIPAA breaches, with more recent statistics putting the percentage at around 30%. Between Jan. 1, 2016 and Aug. 31, 2016, approximately 30% of incidents on HHS’ public breach tool involved a business associate or vendor. With healthcare data commanding a high value on the black market, healthcare organizations need to take every precaution to ensure that the individuals and organizations they do business with meet strict security guidelines and have the necessary business protocols in place to prevent costly and very public data breaches.
Healthcare facilities of varying sizes were fined millions of dollars for working with business associates and third-party vendors who appeared on the sanctions list. For example, North Memorial was fined $1.55 million for a HIPAA violation and PHI breach which affected approximately 9,497 patient health records when they were compromised by Accretive Health Inc., a business associate of the covered entity. Accretive Health was given access to a hospital database containing the ePHI of 28,994 patients. Under HIPAA Rules, covered entities must obtain a signed Business Associates Agreement from any vendor that provides functions, activities or services for or on behalf of a covered entity that require access to patient ePHI.
An example of an OIG violation occurred in 2016, when Alternative Consulting Enterprises, Inc. (ACE), located in Pennsylvania, self-disclosed conduct to OIG and agreed to pay $126,102.38 for allegedly violating the Civil Monetary Penalties Law. OIG alleged that ACE employed an individual that it knew or should have known was excluded from participation in Federal healthcare programs.
With data breaches and violations receiving public notoriety and resulting in negative brand exposure, healthcare organizations are not only facing significant fines; the loss of customer confidence also typically results in declining revenues. The merger and acquisition activity taking place in the healthcare industry also increases the need to ensure that all entities (business associates, third-party vendors, contractors, employees, new hires) are screened in a timely manner to minimize vulnerabilities that could result in costly fines and public shame.
Seven Advantages of Real-time OIG Exclusions Screening and Sanctions Monitoring
With healthcare organizations leveraging the services of hundreds of third-party vendors and business associates, not to mention hundreds of full-time employees, migrating from cumbersome traditional manual processes to a SaaS-based automated approach can save enormous amounts of time and minimize risk faster. Healthcare risk management monitoring software enables healthcare organizations to conduct OIG screening, sanctions checking and employee backgrounds in real time, with no need to wait days, weeks or months. Abnormalities are identified immediately. With an automated solution that provides continuous monitoring of all sanctions and exclusions across more than 42 Federal and State exclusions databases, immediate action can be taken for resolution, mitigating any possible risks.
Although there are many advantages to real-time continuous monitoring, below are seven key business advantages:
- Automate and streamline the overall process, eliminating cumbersome, time-consuming manual processes for greater operational efficiency
- Achieve full transparency across the organization by enabling everyone across multiple business units to access the same information from anywhere at any time
- Onboard new business associates and/or third-party vendors faster – in minutes, not weeks or months
- Mitigate the risk of costly fines and penalties
- Reduce the risk of not receiving payment for services rendered because an employee or entity is on the exclusion list
- Gain peace of mind by receiving real-time text messages and/or email notifications of any known exclusions that require immediate action
- Eliminate the perils of negative publicity to preserve brand integrity