Updated on: November 29, -0001

How to Mitigate the Risk of Audits: Get Insurance

By
Original story posted on: May 25, 2016

Healthcare providers can mitigate the risks of audits by purchasing insurance. But there are many types of insurance to choose from, and what is covered varies widely from one policy to another. Understanding a few of the basics can help providers be smarter consumers.

First we will examine the threat, then look at ways to mitigate risk. Finally, we will examine a few channels available to purchase what is needed.

Threat Assessment

In general, there are three key categories of threat challenging healthcare providers. The first is a traditional RAC-type audit; the second is the secondary threat of regulatory actions; the third is the possibility of class-action suits that might be filed seeking gigantic damages.

Readers of RACmonitor are most familiar with claim audits performed by a Recovery Auditor (RA), Zone Program Integrity Contractor (ZPIC), Comprehensive Medicaid Integrity Plan (CMIP), or another authorized auditor. It starts with an innocent request to review a few claims, then eventually it can turn into a sample, and then a statistical extrapolation resulting in demands for repayment of usually large sums of money. In order to handle this challenge, the provider must hire legal counsel and a number of experts in statistical and claims analysis to develop a defense. This type of audit is becoming far more common, so the chances of being audited are skyrocketing.

Table 1: Representative List of Laws and Regulations that Pose a Substantial Risk for a Healthcare Provider

Law/Regulation

Citation

Threat

Civil Monetary Penalties Law (CMPL)

42 USC §13201-7

Fines of up to $5,000 per rejected claim; exclusion.

Health Information and Technology for Economic and Clinical Health Act (HITECH)

Title XIII of Pub.L. 111-5

Fines and penalties for mishandling of electronic health records (EHRs); can result from data breach by hackers.

False Claims Act (FCA)

31 USC §3729-33; 18 USC §287

Severe punishment for submission of bad claims.

Anti-Kickback Statute (AKS)

42 USC §1320A-7b(b)

Getting anything of value for referral in any federal healthcare program. Possible imprisonment, fines, treble damages, $50,000/violation; exclusion.

Physician Self-Referral Law (Stark Law)

42 USC §1395nn

Financial interest in referral of Medicare patients. Possible denial of payment, mandatory refunds, civil monetary penalties, and/or exclusion.

Criminal Health Care Fraud Statute

18 USC §1347

Broad fraud statute; fines, prison up to 20 years.

Fair Credit Reporting Act (FCRA)

15 USC §1681

Originally for credit data, but not extended to any breach of privacy for individuals. Enforced by Federal Trade Commission (FTC).

Health Insurance Portability and Accountability Act (HIPAA)

Pub.L. 104-191; 110 Stat. 1936

Comprehensive, but generally associated with privacy protection for patient medical records.

State privacy statutes

Examples of many: N.M. Stat. Ann. §61.6.15; Cal. Civ. Code §56.14, §1280.15, §56.36; Fl. Stat. §458.331, §395.3025

States have hundreds of laws and regulations that can be broken if patient information and privacy is mishandled. If there is a HIPAA violation, a state prosecution likely will follow in parallel.

Emergency Medical Treatment and Active Labor Act (EMTALA)

42 USC §1395dd

Mishandling of emergency patients, up to $50,000 per violation.

Regulatory actions pose an even graver threat. There are many laws and regulations involved, too many to list, particularly when looking at the state level. Refer to Table 1 for a few of the most commonly cited. Many of these are actions that can be taken against the provider even though there is no intent to defraud. For example, if hackers attack your information system and steal data, it is possible to be fined by the Federal Trade Commission, because it has extended its jurisdiction into privacy. The types of penalties vary; some are mostly fines and mandatory refunds, but violations of criminal statutes can lead to imprisonment. Almost all can lead to exclusion.

The third type of threat is the class action suit. Filed by consumers, these suits can grow in size quite quickly, especially if there already is a showing of a regulatory violation.

Common Risk Factors

Regardless of the type of problem encountered, there are common themes that should govern the provider’s response. All of these cost money. Legal counsel must be retained. There may be fines and penalties to pay. It may be necessary to hire a number of experts to present your defense. It may be necessary to perform a self-audit. There may be damages to your reputation or brand, or even libel and slander issues to examine. In addition, any massive breach of privacy requires extensive notification, and if there are thousands or even hundreds of thousands of persons involved, these costs also can be quite large. An easy way to look at this is simply to say “let’s pay legal costs and obtain everything else required to formulate a defense and settle the issue.” 

Cyber Risk

Even the best information systems can be hacked, and they are, on a daily basis. Recently, a number of hospitals became victims of extortion by hackers who inject malware into their systems and then demand untraceable bitcoin to unlock the data. It is a big business, and it is growing. Stolen health records have a price-per-head on the dark web. The problem for providers is that even if they have made their best efforts and adopted state-of-the-art security practices to protect patient data, still they can be subject to regulatory action as well as class-action suits. Apart from the legal costs, the provider must pay out for restoring their information system, hiring experts to handle crisis management, and in many cases managing patient notification. Then there are the penalties and fines.

Choosing an Insurance Provider

There are a number of insurance options to explore. Two major categories available are directors’ and officers’ (D&O) liability coverage and errors and omissions (E&O) liability coverage. For example, Manchester Specialty Programs in New Hampshire, Beacon Insurance Group, Inc., and Avanti Business and Insurance Services] write D&O liability coverage for RA, ZPIC, and Medicare Integrity Contractor (MIC) audits, covering both fines and penalties. Oros Risk Solutions LLC in Florida covers EMTALA, HIPAA, STARK, and computer network security breaches. The bulk of the coverage available appears to be E&O. The Professional Liability Insurance Group, licensed in New Jersey, Pennsylvania, and Delaware, plus NAS Insurance Services, LLC, and McGrieff, Seibels & Williams, Inc., write coverage for EMTALA, HIPAA, and STARK violations, covering legal costs as well as fines and penalties. Arthur J. Gallagher & Co. in Houston covers those risks but also FCA allegations and suits from commercial payors. They also write in coverage to retain experts (statistics, coding, etc.) for your defense. Gracey-Backer, Inc. in Florida and Mints Insurance Agency] also write coverage for state privacy laws, breach of computer and network security, data recovery, and notification.

Wrapping Up

In general, all policies reviewed offer coverage for legal expenses. You might find, however, that you must use an attorney that is “authorized” by the insurance company. These law firms have a contract with the insurance provider and generally are paid lower hourly rates than what are available for you on the open market. A number of policies also provide coverage for audit fines and penalties. But be careful. It is not permissible for a U.S.-based insurance company to write protection against the fines resulting from conviction of a criminal act. It is possible, however, to purchase this type of protection offshore, but it can have high premiums. In addition, like all insurance policies, there are upper limits for payout, and these may not be enough to handle the treble damages plus per-claim costs demanded by laws such as the CMPL. Finally, there are some policies that make provisions for self-audit costs as well as the hiring of experts and consultants to bolster your defense. On the cyber side, policies can cover extortion costs, crisis management expenses, data recovery and system restoration costs, as well as patient notification. Large companies such as Chubb Group of Insurance Companies in New Jersey and American International Group (AIG) provide a menu of coverage options that can be combined as needed, either individually or as add-ons to existing policies.

The risk of suffering substantial harm from the consequences of an audit is increasing. Apart from continuous improvement in operations and attention to detail, insurance offers an important option to cope with the fallout of malicious hacking, negligence of your employees, or errors in filing claims. The number of options is great, so the goal should be to pick a policy that most closely matches your organization’s needs. And one more thing: read the fine print.

About the Author

Edward M. Roche is the founder of Barraclough NY LLC, a litigation support firm that helps healthcare providers fight against statistical extrapolations.

Contact the Author

Roche@barracloughllc.com

Comment on this Article

editor@racmonitor.com

This email address is being protected from spambots. You need JavaScript enabled to view it.