Compliance in Value-Based Care: Legal Strategies for Healthcare Providers

Care that is reimbursed on a value basis is intended to do three things: improve the outcomes for patients, cut back on the costs associated with their healthcare, and link provider payment to the kind of care they give. High-quality care is what we should expect as a matter of course; low-cost, high-quality care is distinctively American and should be the unfailing goal of our system. But navigating the complex landscape of laws that govern our healthcare system without running off the road requires paying very close attention to a few guiding strategies. Those strategies can help keep you on the road and keep your venture in good shape.

Key Compliance Requirements for Value-Based Care Models

When you are structuring value-based care models, you absolutely must make sure you’re complying with both federal and state regulations. Otherwise, you’re courting disaster, as many of the recent healthcare enforcement actions show. Even the forthright federal prosecutors responsible for those actions would concede that knowing the law is half the battle. Healthcare stakeholders must adopt legal strategies that align with the multitude of federal and state regulations that apply to value-based care models.

Structuring Value-Based Agreements to Meet Anti-Kickback Safe Harbors

The Anti-Kickback Statute forbids any type of payment in return for patient referrals. Yet, recent updates to the regulations have carved out safe harbor protections for certain value-based care models. These safe harbors are meant for coordinated care arrangements involving shared financial risk and performance-based incentives. To understand the specifics of how these safe harbor protections function and the value-based care arrangements they cover, visit https://oig.hhs.gov/compliance/safe-harbor-regulations/.

For compliance, payments to doctors in value-based agreements have to reflect fair market value. This ensures that the financial incentives in these contracts are based on actual performance—like how well your doctor manages your blood pressure—not on the number of patients referred to the hospital. The Office of the Inspector General (OIG) requires that you maintain documentation that details the arrangement’s structure, goals, and duration (in other words, “how it’s supposed to work” and “for how long”).

Navigating Stark Law Exceptions for Value-Based Care Arrangements

The Stark Law limits doctors’ self-referrals for designated health services (DHS). While this might seem like a bad thing for coordinated care, the reforms that the Stark Law has undergone in recent years make it much more feasible for healthcare providers to have the kinds of financial relationships that help them provide the more cohesive care that today’s healthcare models require. Most modern exceptions to the Stark Law are structured around full or partial risk arrangements, which are, for all intents and purposes, the healthcare insurance plans of the future.

The following are necessary for these exceptions to apply and be deemed compliant:

  • when performance-based, as opposed to referral volume-based, metrics determine the compensation;
  • when all aspects of value-based agreements between DHS entities and potential referral sources are documented with clear articulation of the logic model that outlines how the mission of the agreement will be fulfilled; and
  • when all aspects of the payment structure are adequately identified.

A healthcare network did all of this and managed to document it in a way that made it comprehensible to auditors. More details on Stark Law value-based exceptions are available at https://www.cms.gov/newsroom/fact-sheets/modernizing-and-clarifying-physician-self-referral-regulations-final-rule-cms-1720-f.

Managing Patient Data Privacy Under HIPAA in Value-Based Care Models

Value-based care necessitates that providers share data. Therefore, value-based care requires that those who practice it be HIPAA-compliant. Under HIPAA, as you may recall, providers must safeguard “protected health information” (PHI) even when they are sharing it for good and reasonable purposes—like for the shared treatment of a patient, say. More information on HIPAA’s privacy rule can be found at https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.

Electronic health records (EHRs) and data-sharing systems must be made to comply with HIPAA. Security standards established by HIPAA must be met. Those security standards require “covered entities” (like EHR vendors and healthcare organizations) to protect electronic health information (ePHI) in several ways:

  • through encryption;
  • through access controls; and
  • by ensuring that information is transmitted securely.

When shared data is managed by a third-party vendor, these compliance concerns are often handled by executing a Business Associate Agreement (BAA) with that vendor.

Conducting Compliance Audits and Training for Value-Based Care Initiatives

Value-based care models present legal risks that regular compliance audits and employee training can identify and reduce. Audits are necessary to establish that financial agreements comply with the Anti-Kickback Statute (AKS) and the Stark Law, which together prevent referral-based incentives that could undermine the integrity of the healthcare system. Regular audits serve as a principal check against the kinds of noncompliant arrangements that could otherwise go unnoticed. They help ensure that the organization is in good legal standing and allow value-based care to function as it should, without noncompliant arrangements acting as speed bumps in the way of necessary healthcare.

Training programs for staff should center on policies governing the sharing of data under HIPAA, standards for fair market value, and the requirements set forth by the Anti-Kickback Statute (AKS) and Stark Law. If internal or external audits show that a healthcare facility is employing non-compliant practices, those practices need to be stopped. Corrective actions must be taken. Agreements must be revised. Documents must be updated. Security protocols must be shored up.

Common Legal Risks and Penalties for Non-Compliance in Value-Based Care

Not adhering to the Anti-Kickback Statute, Stark Law, or HIPAA can lead to serious negative outcomes, such as being fined, getting kicked out of federal healthcare programs, and/or suffering damage to your reputation.

Consequences of not complying with these laws can include:

  • Financial penalties and exclusion from Medicare and Medicaid (for AKS violations).
  • Legal actions, hefty fines, and demands for repayment of claims (for Stark Law violations).
  • Penalties, along with tough scrutiny of your operations.

Meeting federal regulations is a basic must for healthcare providers who wish to implement value-based care. The provider first must understand and set up their financial arrangements so that they are aligned with both the Anti-Kickback Statute (AKS) and the Stark Law. Then providers must safeguard the patient’s data and ensure regulatory compliance with HIPAA. To sort out all these essential elements and to gain regulatory peace of mind, many turn to the Cohen Healthcare Law Group.
