Real-time, continuous sanction and exclusion checking of third-party vendors, contractors, business associates, medical staff, and employees is critical for minimizing risk exposure. Covered entities or healthcare providers don’t want to find themselves the center of bad publicity or facing costly fines and penalties.
Congress continues to increase funding to hire and mobilize auditors who monitor and investigate covered entities doing business with individuals on the Federal and State exclusion and sanction lists, with the stated goal of recovering millions of dollars in penalties and fines. Employers and covered entities therefore need to invest in safeguarding their organizations: they need practices and protocols that validate the integrity of business associates, vendors, contractors, medical staff, and employees on a continuous basis.
With the OIG and OCR working in tandem to protect patients and protected health information (PHI) from data breaches and improper disclosure, the risk that a covered entity suffers severe fines and reputational damage is increasing. By law, covered entities that participate in government health care programs may not employ an excluded individual. Penalties for a violation typically range between $30,000 and $300,000, but can reach millions of dollars depending on the number of violations. The fine for submitting a claim for services performed by a sanctioned vendor or business associate can be up to $11,000 per claim, and the individuals involved can also face jail time. According to the 2016 Cost of Data Breach Study by IBM and Ponemon Institute, in 2015 over $3 billion in investigative and audit receivables was collected from OIG sanction and exclusion violations.
According to data released May 3, 2018, in the Protenus Breach Barometer, approximately 1.13 million patient records were compromised in 110 healthcare data breaches in the first quarter of 2018. In the most significant breach disclosed that quarter, an unauthorized third party gained access to an Oklahoma-based healthcare organization's network, which stored patient billing information for 279,856 patients. Do you have safeguards in place to prevent wrongdoing by insiders and third parties?
Who are the OIG and OCR?
The OIG (Office of Inspector General) for the United States Department of Health and Human Services (HHS) is charged with identifying and combating fraud, abuse, embezzlement and mismanagement of any kind in the more than 300 HHS programs, including Medicare and the programs run by agencies within HHS such as the FDA. The OIG's List of Excluded Individuals/Entities (LEIE) provides information to the healthcare industry, patients and the public regarding individuals and entities currently excluded from participation in Medicare, Medicaid, and all other Federal health care programs.
The OCR (Office for Civil Rights) is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One way the OCR carries out this responsibility is by investigating complaints and conducting compliance reviews to determine whether covered entities are in compliance. If the OCR accepts a complaint for investigation, it notifies the person who filed the complaint and the covered entity named in it. Both the complainant and the covered entity are then asked to present information about the incident or problem described in the complaint, and the OCR may request specific information from each to establish the facts. Covered entities are required by law to cooperate with complaint investigations.
What is an OIG Exclusion and LEIE?
The LEIE is the OIG's list of all individuals and entities that are excluded from participation in Medicare, Medicaid, and all other Federal health care programs. An excluded individual or entity cannot participate as a healthcare provider in any program funded by the federal government; a provider who appears on the list and continues to practice medicine or deliver any form of healthcare can be fined and face criminal charges. Excluded individuals and entities include MDs, PAs, RNs, LPNs, CNAs, therapists and others.
The OIG updates the LEIE monthly to add individuals and entities that have abused or taken advantage of the Medicare and Medicaid programs.
How often should employers or covered entities validate the integrity of business associates?
The baseline set by federal regulators is monthly screening. However, to protect patients and the organization, OIG screening should be conducted in real time, because the risk of conducting business with an excluded individual is exceptionally high. Screening third-party vendors is not a once-and-done task: a vendor or individual that was clear last month may have been excluded since, so validating and verifying vendors on a continuous, daily basis is recommended.
Traditionally, screening has been conducted manually. With modern automated software-as-a-service solutions, covered entities can set up automated checks and receive email alerts about potential risks. The LEIE, SAM and 40 state databases, including state Medicaid provider sanction lists, can be checked continuously. Some solutions also provide color-coded dashboards that highlight sanctioned vendors or individuals at a glance, so providers can take immediate corrective action and avoid costly fines and penalties.
Covered entities that do business across state lines should consider automating real-time integrity checks of business associates to streamline their workflows. With an automated solution, all state and federal database integrity checks are centralized in one system that every key stakeholder can access, which increases productivity and reduces risk exposure. Materials management, compliance, medical staff, human resources, procurement, legal counsel, and purchasing can use a cloud-based solution from anywhere at any time to validate the integrity of third-party vendors, contractors, business associates, medical staff, and employees. Automating these time-consuming processes brings uniformity, mitigates risk, and saves time and money.
Third-Party Vendor Risk Management Best Practices
Beyond ensuring that the critical HIPAA clauses are included in each business associate agreement, every covered entity should conduct its own audit to proactively identify vulnerabilities, self-checking and self-monitoring its risk exposure daily. Checking and validating vendor integrity only once a year, or even once a month, dramatically increases the odds of conducting business with a sanctioned individual and incurring costly fines.
Creating a “golden record”, a central repository built from all the lists of sanctioned or excluded organizations and individuals, safeguards covered entities from reputational damage and costly fines.
To find out how to quickly and easily deploy protocols for real-time, continuous screening and credentialing of third-party vendors, watch the on-demand webinar Strengthening Third-Party Vendor Risk Management and Assessment.
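The automated screening described above (checking a roster against the LEIE and state lists) and the golden record described here come down to the same mechanics: load each list, normalize identifiers and names, merge the active exclusions into one index, and screen every payee against it. The script below is an added example, not code from this page or from any vendor's product. The column names of the LEIE sample follow the public OIG LEIE CSV download; every row in it is constructed and describes no real person or business. The state-list layout, the source label "TX-Medicaid", and the reading of a non-zero REINDATE as a reinstatement are assumptions for illustration. NPI validity is checked with the CMS check-digit rule (Luhn over the prefix 80840 plus the NPI).

```python
"""Screen a roster against a golden record built from exclusion lists. Added example,
not code from the page or any vendor. LEIE column names follow the public OIG LEIE CSV;
all rows are constructed; the state-list layout and REINDATE handling are assumptions."""
from __future__ import annotations
import csv, io, re, unicodedata
from collections import namedtuple

# Constructed extract in the layout of the OIG LEIE CSV (subset of its columns).
LEIE_CSV = """LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,NPI,EXCLTYPE,EXCLDATE,REINDATE
DOE,JOHN,Q,,1234567893,1128a1,20170315,00000000
,,,ACME HOME HEALTH LLC,0000000000,1128b8,20160601,00000000
SMITH,MARY,,,0000000000,1128a3,20150101,20190101
"""
# Constructed state Medicaid sanction list in a hypothetical layout unlike LEIE's.
STATE_CSV = """provider_name,npi,sanction_date,state
"Garcia, Luis",0000000000,2018-02-10,TX
"""
# Constructed roster of the people and vendors the covered entity pays.
ROSTER_CSV = """name,npi,role
"John Q. Doe",1234567893,physician
"Mary Smith",,nurse
"Acme Home Health, LLC",,vendor
"Luis Garcia",,contractor
"Jane Roe",,employee
"""
Exclusion = namedtuple("Exclusion", "source key npi active")

def valid_npi(npi: str) -> bool:
    """CMS rule: 10 digits whose Luhn check digit is computed over '80840' + NPI."""
    if not re.fullmatch(r"\d{10}", npi) or npi == "0000000000":
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def normalize(text: str) -> str:
    """ASCII-fold, uppercase, drop punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", text.upper()).split())

def person_key(first: str, last: str) -> str:
    return f"{normalize(last)} {normalize(first)}"   # middle names ignored on purpose

def split_person(name: str) -> tuple[str, str]:
    """Accept 'Last, First M' or 'First M Last'; return (first, last)."""
    if "," in name:
        last, rest = name.split(",", 1)
        return (rest.split() or [""])[0], last.strip()
    parts = name.split() or ["", ""]
    return parts[0], parts[-1]

def load_leie(text: str, source: str = "LEIE") -> list[Exclusion]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        key = normalize(r["BUSNAME"]) if r["BUSNAME"] else person_key(r["FIRSTNAME"], r["LASTNAME"])
        npi = r["NPI"] if valid_npi(r["NPI"]) else None   # LEIE writes 0000000000 for "no NPI"
        rows.append(Exclusion(source, key, npi, r["REINDATE"] in ("", "00000000")))
    return rows

def load_state_list(text: str, source: str) -> list[Exclusion]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        npi = r["npi"] if valid_npi(r["npi"]) else None
        rows.append(Exclusion(source, person_key(*split_person(r["provider_name"])), npi, True))
    return rows

def build_golden_record(exclusions: list[Exclusion]):
    """Central repository: active exclusions from every source, indexed by NPI and by name."""
    by_npi, by_name = {}, {}
    for e in exclusions:
        if e.active:
            if e.npi:
                by_npi.setdefault(e.npi, []).append(e)
            by_name.setdefault(e.key, []).append(e)
    return by_npi, by_name

def screen_roster(roster_csv: str, golden) -> list[tuple[str, str, list[str]]]:
    """An NPI hit is CONFIRMED; a name-only hit needs human REVIEW before any action."""
    by_npi, by_name = golden
    findings = []
    for r in csv.DictReader(io.StringIO(roster_csv)):
        name, npi = r["name"], r["npi"].strip()
        key = normalize(name) if r["role"] == "vendor" else person_key(*split_person(name))
        if valid_npi(npi) and npi in by_npi:
            hits, level = by_npi[npi], "CONFIRMED"
        elif key in by_name:
            hits, level = by_name[key], "REVIEW"
        else:
            continue
        findings.append((name, level, sorted({e.source for e in hits})))
    return findings

if __name__ == "__main__":
    golden = build_golden_record(load_leie(LEIE_CSV) + load_state_list(STATE_CSV, "TX-Medicaid"))
    for name, level, sources in screen_roster(ROSTER_CSV, golden):
        print(f"{level:9} {name!r} is listed on {', '.join(sources)}")
```

Two design choices matter in practice. An NPI match is treated as confirmed because the NPI is a unique identifier, while a name-only match is flagged for review, since common names produce false positives and a wrong termination is its own liability. The reinstated "Mary Smith" row produces no finding, which is the kind of stale-data edge case a monthly-only process gets wrong in the other direction: the fresher the lists you feed this, the fewer misses on both sides.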