From Risk to Resilience: Identifying and Mitigating Compliance Risks in Academic Medical Centers and Teaching Hospitals

While there is no one-size-fits-all approach, compliance programs typically are comprised of a set of systems, processes, and reporting mechanisms that help organizations identify, monitor, audit, mitigate, and prevent fraud and abuse. Compliance programs are especially important in the health care industry, given the myriad of laws, rules, and regulations that govern the industry.

This article  provides an overview of the compliance considerations specific to the health care industry, addresses some risks that may be of particular interest to academic medical centers (AMCs) and teaching hospitals, and suggests certain strategies for these institutions to mitigate compliance risk.  This article is not intended to be inclusive of all compliance risks specific to AMCs and teaching hospitals—or all strategies for mitigating such risks.  The Department of Health and Human Services Office of Inspector General's (OIG’s) website provides additional resources discussing compliance risks and strategies, including, among other materials OIG’s General Compliance Program Guidance, OIG’s Hospital Compliance Program Guidance, and OIG’s Work Plan. 

OIG’s GCPG

In November 2023, OIG published the General Compliance Program Guidance (GCPG) to offer all participants in the health care industry a resource to help develop and implement a successful compliance program while also navigating within a complex federal regulatory environment. The GCPG outlines the seven elements of an effective compliance program and highlights key federal laws that are relevant to all entities engaged in health care.[1] AMCs and teaching hospitals should consider referring to the GCPG—and other OIG resources--in structuring their respective compliance programs.

OIG also plans to issue a series of Industry Segment-Specific Compliance Program Guidances (ICPGs). OIG has announced its intention to publish ICPGs covering nursing facilities, managed care organizations, hospitals, clinical laboratories, hospice, and pharmaceutical manufacturers.[2]

Compliance Programs in the Health Care Industry

Compliance is a critical facet of the health care industry and involves a multi-prong approach. Health care providers must comply with federal, state, and local laws. They should adhere to their own internal policies and procedures as well as government and third-party billing requirements. Without an effective compliance program, health care providers face potentially significant financial, legal, and reputational risks, including civil and/or personal liability, criminal prosecution, fines and monetary penalties, exclusion from federal health care programs, and loss of health care-related licenses.

All providers and suppliers that enroll in Medicare, Medicaid, and the State Children’s Health Insurance Program are required to have in place a compliance program as a condition of enrollment.[3] Among other elements, an effective compliance program includes a regular and systematic audit of compliance risks, an investigation of any potentially non-compliant activity, and remedial steps for correction and prevention of future non-compliance. According to OIG, an effective health care compliance program should include the following seven elements:

• Written policies and procedures;
• Compliance leadership and oversight;
• Compliance training and education;
• Effective lines of communication with the Compliance Officer and Disclosure Program;
• Consequences and incentives;
• Risk assessment, auditing, and monitoring; and
• Responding to detected offenses and developing corrective actions initiatives.[4]

Select Risk Areas for Academic Medical Centers

AMCs and teaching hospitals operate in an environment with a number of risk areas, including, for example, research compliance, financial reporting, and grants management. AMCs and teaching hospitals are often connected with large universities or medical schools and maintain a mission that includes education, research, and patient care. Moreover, AMCs and teaching hospitals increasingly partner with community hospitals and other health care providers to expand their clinical reach and to increase capacity at the flagship hospital. As a result, both federal fraud and abuse and higher education risks surface through the intricate relationships that AMCs and teaching hospitals develop and maintain. As stated above, this section does not endeavor to cover all risks that AMCs and teaching hospitals face but identifies select risks that may be particularly relevant. Again, additional resources identifying additional—and important—compliance risks are available on OIG’s website and elsewhere.

Fraud and Abuse Law Considerations

AMCs and teaching hospitals must be mindful of risks stemming from financial relationships that can lead to misuse, fraud, and abuse. Failure to follow applicable laws can result in criminal, civil, and administrative liability and exclusion from participation in the federal health care programs. The federal fraud and abuse laws are discussed in more detail below.

1. Physician Self-Referral Law:

The Physician Self-Referral Law (PSL), commonly referred to as the Stark Law, prohibits a physician from making referrals for designated health services payable by Medicare to entities with which the physician or an immediate family member has a financial relationship, unless an exception applies and its requirements are satisfied.[5] Financial relationships include direct and indirect ownership or investment interests and direct and indirect compensation arrangements. The items and services that are “designated health services” include, but are not limited to: clinical laboratory services, physical therapy services, radiology services, radiation therapy services and supplies, prosthetics, orthotics, and prosthetic devices and supplies, and inpatient and outpatient hospital services.[6] Violations of the PSL can result in denial of payment, as well as civil and administrative liability and exclusion from participation in federal health care programs.[7]

Financial relationships between and among referring physicians and the various components of an AMC may implicate the PSL. There are a number of exceptions to the PSL’s prohibitions on referrals and claims submission that may be applicable to such financial relationships, including the exceptions for services provided by an AMC, bona fide employment relationships, personal service arrangements, fair market value compensation, and indirect compensation arrangements.[8]

2. The Federal Anti-Kickback Statute:

The federal Anti-Kickback Statute (AKS) is an intent-based criminal statute that, as a general matter, prohibits remuneration in exchange for referrals of federal health care program business. More specifically, under the AKS, it is a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to induce, or in return for, the referral of an individual to a person for the furnishing of, or arranging for the furnishing of, any item or service reimbursable under a federal health care program. The AKS’s prohibition also extends to remuneration to induce, or in return for, the purchasing, leasing, or ordering of, or arranging for or recommending the purchasing, leasing, or ordering of, any good, facility, service, or item reimbursable by a federal health care program. For the purposes of the AKS, “remuneration” includes the transfer of anything of value, directly or indirectly, overtly or covertly, in cash or in kind. Violations of the AKS are considered felonies punishable by a maximum fine of $100,000, imprisonment up to ten years, or both.[9] Remuneration prohibited by the AKS may also lead to civil or administrative liability under other federal laws including, for example, OIG’s exclusion authority, the Civil Monetary Penalties Law, and the False Claims Act.

Joint ventures and other increasingly common affiliation arrangements among AMCs, teaching hospitals, and other health care providers may implicate or violate the AKS and could lead to the harms against which the AKS is designed to protect, including improper steering, unfair competition, and overutilization, because they facilitate referrals or recommendations of federal health care program business among the involved hospitals and physicians. That said, such arrangements could present opportunities for the associated parties. For example, AMCs could benefit from expanded capacity at the flagship hospital facility, allowing the AMC to preserve patient access to tertiary and quaternary services. AMCs may also benefit from expanded access to training sites for medical students, residents, and fellows. Community hospitals may benefit from increased patient volume and expanded access to clinical trials. While these partnership and affiliation arrangements may offer the AMC and community hospital mutual benefits, all parties must remain attentive to—and comply with—the AKS and any other applicable law. Importantly, any benefits derived from these arrangements do not immunize them from potential liability under the AKS. 

There are other arrangements that AMCs and teaching hospitals may enter into that implicate the AKS. And again, such arrangements could result in certain harms, including corruption of medical decision-making and increased costs to federal health care programs. For example, in an AMC, the AKS may be implicated by financial relationships among various stakeholders including doctors, researchers, and pharmaceutical and device manufacturers. When pharmaceutical and device manufacturers offer or pay or provide anything of value to an AMC or teaching hospital in exchange for referrals, the AKS is implicated and may be violated.

The AKS also may be implicated in the context of items and services that hospitals may wish to provide to patients, as discussed in greater detail in the next section, including items and services that may improve the health of a patient population. Provided that all safe harbor requirements are satisfied, the safe harbor for arrangements for patient engagement and support (PEAS) protects a broad range of tools and supports that may include, among others, health-related technology, patient health-related monitoring tools and services, and supports and services designed to identify and address a patient’s social determinants of health. The PEAS safe harbor may be available to AMCs and teaching hospitals participating in value-based enterprises to engage beneficiaries in improving their health. AMCs and teaching hospitals may also consider utilizing the additional value-based safe harbors under the AKS to drive innovation and improve quality of care.^[10] Although these safe harbors were effective in early 2021, they offer health care providers another means to transition from fee-for-service to value-based care.

Given that the value-based safe harbors include requirements that may necessitate significant resources for appropriate monitoring and documentation, AMCs and teaching hospitals may consider engaging legal counsel early in the development and implementation of related arrangements. As of September 2024,OIG had not published any advisory opinions interpreting the applicability of the value-based safe harbors; if issued, such advisory opinions may provide insights regarding OIG’s assessment of specified arrangements to AMCs and teaching hospitals that maintain complex arrangements with other hospitals and with faculty and community physicians.

Finally, AMCs and teaching hospitals are often at the forefront of voluntary models established by the CMS Center for Medicare and Medicaid Innovation (CMMI). Until the relatively recent promulgation of the safe harbor for CMS-sponsored models and the safe harbor for CMS-sponsored model patient incentives, providers participating in CMMI models relied on waivers that were issued by CMS (i.e., PSL) and OIG (i.e., AKS and Beneficiary Inducements Civil Monetary Penalty Law (Beneficiary Inducements CMPL)) for certain models. AMCs and teaching hospitals should appropriately consider and comply with the applicable program integrity requirements in any model agreement and review any financial arrangements under the model for compliance with the federal fraud and abuse laws.

3. Beneficiary Inducements:

The Beneficiary Inducements CMPL provides for the imposition of civil monetary penalties (CMPs) against any person who offers or transfers remuneration to a Medicare or state health care program beneficiary that the person knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier for the order or receipt of any item or service for which payment may be made, in whole or in part, by Medicare or a state health care program.[11]  Note that AMCs and teaching hospitals considering arrangements implicating the Beneficiary Inducements CMPL should also assess whether such arrangements comply with the AKS.[12]

There are two exceptions under the Beneficiary Inducements CMPL that may be particularly relevant for AMCs and teaching hospitals. The first is the “Promote Access to Care Exception.” This exception provides that remuneration does not include items or services that improve a beneficiary’s ability to obtain items and services payable by Medicare or Medicaid, and pose a low risk of harm to Medicare and Medicaid beneficiaries and the Medicare and Medicaid programs by:

• being unlikely to interfere with clinical decision making;
• being unlikely to increase costs to federal health care programs or beneficiaries through overutilization or inappropriate utilization; and
• not raising patient safety or quality-of-care concerns.[13]

The second exception is the “Financial Need Based Exception.” This exception provides that remuneration does not include the offer or transfer of items or services for free or less than fair market value by a person, if:

• the items or services are not offered as part of any advertisement or solicitation;
• the offer or transfer of the items or services is not tied to the provision of other items or services reimbursed in whole or in part by the program;
• there is a reasonable connection between the items or services and the medical care of the individual; and
• the person provides the items or services after determining in good faith that the individual is in financial need.[14]

These exceptions to the Beneficiary Inducements CMPL may be particularly useful for AMCs and teaching hospitals, which care for a disproportionate share of underserved patients. AMCs and teaching hospitals should develop written policies that are administered uniformly (i.e., not according to payer) and identify when remuneration could implicate the Beneficiary Inducements CMPL.  Some elements of the programs AMCs and teaching hospitals implement to address social determinants of health (e.g., child care support, technology that supports access to care) could satisfy the Promotes Access to Care exception, provided the conditions of the exception are satisfied.  As AMCs and teaching hospitals develop programs to meet the needs of patients and address social determinants of health, they should ensure their compliance programs have the tools to review and monitor these programs.

With regard to the Financial Need Exception, Compliance Officers should consider providing education to team members to ensure that items and services that are intended to meet the Financial Need Exception meet the applicable elements of the exception.  For example, Compliance Officers should consider monitoring information provided to patients to determine that such communications comport with OIG guidance on appropriate advertisements or solicitations. OIG’s updated “Frequently Asked Questions” provide additional guidance in this regard.[15]

Higher Education Risks

As an additional consideration, by their very nature, AMCs and teaching hospitals exist within the higher education sphere. This connection brings its own set of risks. These risks include: (i) possible conflicts of interest involving payment models, research, and delivery of quality care; and (ii) potentially competing interests from health care, education, and research perspectives. While conflict of interest policies and disclosure protocols seek to safeguard against emphasizing “profits” rather than education, research, and patient care, AMCs have faced scrutiny in recent years for apparent violations of such policies and protocols and related monetization of research – through ties to drug companies, for example – for personal financial gain. AMCs should hold accountable their administrative leaders, board members, faculty physicians, researchers, and other stakeholders to ensure that decision making remains unbiased and focused on education, research, and patient care goals, rather than profit. An effective compliance program should include policies and procedures to minimize these types of risks, and executives and governing body members should routinely audit and monitor physician and researcher conduct to mitigate compliance risks.

Strategies to Manage Compliance Risk for AMCs and Teaching Hospitals: A Private Practice Perspective

In addition to developing and implementing an effective compliance program that accounts for the risks inherent to AMCs, many AMCs have developed compliance policy checklists as part of their compliance programs, notwithstanding OIG’s longstanding position that compliance program functions cannot be implemented under a simple “check the box” approach.  Some private practitioners believe that an effective checklist that incorporates guidance from OIG and other regulatory agencies is one tool that AMCs may use to reduce the risk of fraud and abuse. AMCs should review the checklist and policies contained therein on an annual basis.

Legal counsel to AMC and teaching hospital clients frequently advise that such organizations complete a compliance risk assessment (CRA) to test the effectiveness of their programs on an annual basis. When developing a CRA, health care providers, including AMCs, should consider the following elements:

• The health care provider’s objectives (e.g., providing high quality health care and combining education, research, and patient care)
• The value-added benefits for the provider (e.g., preventing legal, financial, and reputational harm; developing training, policies, and monitoring mechanisms to detect and prevent fraud and abuse; mitigating risks through remedial actions)
• The laws, regulations, and contractual obligations that govern (i.e., Medicare and Medicaid requirements and applicable state law requirements)
• Whether to use internal or external resources to conduct the CRA

Once an effective CRA has been developed, the AMC or teaching hospital must execute it. Legal counsel to AMC and teaching hospital clients recommend the plan for execution include:

• An experienced compliance expert to advise on appropriate content and process for the CRA
• A working group of internal and external CRA team members
• Adequate timing (i.e., conducted at least annually)
• A work plan with benchmarks, dates, audit sampling methodology, lists of documents and data to be reviewed
• Identification of the risk areas
• Identification and scheduling of stakeholders, managers, and employees to be interviewed
• Scope of the assessment
• Progress meetings
• Written report of CRA results

The results of the CRA should be carefully reviewed by the organization’s Compliance Officer, Compliance Committee, and governing body members for audit plans to be developed, deficiencies to be investigated, and remedial efforts to be developed to prevent recurrence of problems. If instances of non-compliance or misconduct are discovered, a root cause analysis should be conducted. Once the root cause has been identified, a corrective action plan should be put in place to investigate and address the non-compliance. Corrective action plans can include training and education, discipline for non-compliance, measures to prevent reoccurrence, and monitoring mechanisms to ensure the corrective action plan is working. The health care provider must also determine whether the non-compliance needs to be reported to the government. As noted in the GCPG, between compliance risk assessments, the Compliance Officer should continue to scan for unidentified or new risks, by, for example, monitoring for legal and regulatory changes, enforcement actions and OIG Work Plan developments, and new entity acquisitions, strategies, or initiatives, and evaluating audits and investigation results.

Conclusion

While compliance programs play a critical role in managing and mitigating fraud and abuse risks in any industry, these programs are especially important in the health care industry and in AMCs where the complex combination of education, research, and patient care intersect. Compliance programs will take AMCs a long way in identifying and mitigating potential legal, financial, and reputational harms.

Authors: Michelle Garvey Brennfleck, Buchanan Ingersoll & Rooney PC | Tiana L. Korley, United States Department of Health and Human Services Office of Counsel to the Inspector General

Disclaimer: The views expressed in this article do not necessarily reflect the views of the Department of Health and Human Services Office of Inspector General or its government partners.  This article combines contributions from both authors and should not be attributed to the Department of Health and Human Services Office of Inspector General. The views expressed in this article are those of the authors and should not be attributed to Centers for Medicare & Medicaid Services (CMS). 

* The authors would like to thank Megan E. Smith, third-year law student at Penn State Dickinson Law, for her contributions to this article and Carly Barnes, Associate, Buchanan Ingersoll & Rooney PC; Rudd Kierstead, MBA, MPP, Director, Veralon; and Evan M. Luellen, Associate, Buchanan Ingersoll & Rooney PC for their review of this article.