Streamlined Reporting and Investigations
By automating the process and removing paper, the risk of duplicates and differing reports is eliminated.
The post The OIG Exclusions List: First Line of Employment Defense appeared first on First Healthcare Compliance.
]]>Checking the LEIE, or List of Excluded Individuals or Entities, also known as the OIG Exclusions List, should be a fundamental piece of any medical practice’s compliance program. Yet so few people working in the healthcare space, even some compliance specialists, have never even heard of the list, or do not know how to check their employees or vendors on it.
Since our goal at First Healthcare Compliance is to protect medical practices from compliance risks, we have been covering this topic extensively. Yet there is always more to learn. As such, here are a few of the FAQs which your practice needs to know the answers to.
What is the Exclusions List?
The LEIE compiles individuals and corporate entities ineligible to participate in federal healthcare programs due to criminal activity or serious professional misconduct. Excluded persons are prohibited from furnishing administrative and management services that are payable by the Federal health care programs, including Medicare and Medicaid.
What happens when an organization run afoul of the Exclusions List?
Employing, or contracting with, an individual or entity on the list can prevent your organization from participating in federal healthcare programs. This includes both Medicare and Medicaid, and, in addition, potential Civil Monetary Penalties may apply to those organizations found in violation of the Exclusions list.
Who would be liable for organizations?
Both existing employees or vendors, and prospective employees or vendors.
How often should a practice check the List?
The LEIE updates monthly, and it is the responsibility of the organization to check on every employee and every vendor each and every month. Any contract, whether with an employee or a vendor, could appear, and is worth checking.
Checking the LEIE is an important piece of any medical practice’s compliance program. If the monthly check of all employees and vendors seems like a daunting task given the size of your practice, there are resources available to help. First Healthcare Compliance, as a part of our compliance management program, offers automatic screening of the LEIE for both employees and vendors.
As long as your practice knows that the list exists, checks it for any new employees or vendors, along with every month, then this can be a compliance requirement you can count as fulfilled.
The post The OIG Exclusions List: First Line of Employment Defense appeared first on First Healthcare Compliance.
]]>The post Medicare Advantage in the Crosshairs: Risk Adjustment, the False Claims Act, and AI appeared first on First Healthcare Compliance.
]]>
Kevin Chmura
Welcome to 1st Talk Compliance. I’m your host, Kevin Chmura, CEO of Panacea Healthcare Solutions. Today we’re digging into an area the Department of Justice and CMS have flagged as a top enforcement priority. Fraud in Medicare Advantage, which now covers more than half of all Medicare beneficiaries. We’ll walk through how risk adjustment creates an incentive to make patients appear even sicker than they are. Why the False Claims Act remains the government’s number one fraud fighting tool, and how AI is adding an entirely new layer of compliance risk.
To help us make sense of it all. I’m glad to welcome back Rachel Rose. Rachel is principal at Rachel V. Rose, Attorney at Law PLLC and holds a JD and MBA. She’s a published author whose practice sits at the intersection of healthcare compliance and cybersecurity with deep expertise and experience in False Claims Act litigation and whistleblower representation. The last point matters today. Rachel had a front row seat to one of the cases we’ll be discussing. She represented the whistleblower in a fraud case that resulted in a significant settlement. She brings firsthand insight into how these cases actually unfold and what providers can do to protect themselves and their practices.
Rachel, welcome back to the podcast.
Rachel Rose
Thank you, Kevin. Always great to be back.
Kevin Chmura
Great. So maybe we just start at the very top and lay down some background information for everybody, and then we’ll dive deeper into the topic. So basic question, how does Medicare Part C, otherwise known as Medicare Advantage, differ from Medicare Part A and B, you know, sort of traditional Medicare?
Rachel Rose
Great question and a foundational question at that. So for those who are in healthcare, Medicare Parts A&B are known as traditional Medicare and they came into being in 1965. Having said that, Part A deals with inpatient and facility care, where Part B deals with outpatient and outpatient services. And the way that the Government [a collaboration of sorts between CMS and Congress] sets the physician fee schedule every fall that typically becomes effective on January 1 of the impending year, has traditionally been a fee for service program. And if you recall, with the Affordable Care Act passage in 2010, we began to see some value-based programs as well, whether it was MIPS, whether it was value-based care, whether it was the reduction of infections. All of those types of programs are your typical methods for reimbursing. Again, Congress sets the physician fee schedule and Medicare then reimburses off of that typically. Now, if we look at Medicare Advantage, it’s also known as Medicare Part C, and it was quite a while before we saw Medicare Part C come into play. In fact, it was in the early 2000s. So if you think about the time span between 1965 and the early 2000s, we’re dealing with over 35 years. So that’s a pretty significant shift in terms of how Medicare was administered as well as options. Around the same time, as a side note, we also saw Medicare Part D, which is specific to prescription drugs come into play as well. So what is Medicare Advantage and how does it differ from the traditional Medicare Part A and Part B? Well, first, Medicare Advantage is private sector based. And basically, what it does is Medicare gives plans an agreed upon amount per plan enrollee in exchange for assuming financial risk and complying with program rules. So under traditional Medicare, one would elect to work directly with CMS. Under Medicare Advantage, it’s your third party plan such as Aetna, Cigna, Blue Cross, Blue Shield, Humana, et cetera, which are the conduits or the intermediaries for administering these Medicare Advantage plans. So unlike the fee for service, how in the physician fee schedule, which is how our traditional Medicare is reimbursed, under Part C, we’re looking at MA premiums, which are calculated on a geographic basis through a benchmark bid rebate formula. Additionally, there is a risk adjustment and a coding intensity for the Medicare Advantage plans. And risk adjustment, stated another way, is a method to calculate what to pay a health provider based on a patient’s health, their likely use of healthcare services and the cost of those services. And the risk score, which is generated, represents the predicated cost of treating a specific patient or group of patients compared to the average Medicare patient based on certain criteria.
Just to wrap that up, Kevin, before we go into the next question, basically, Medicare beneficiaries may opt out of our traditional Medicare. However, these Medicare Part C plans are required to offer the same coverage for goods. And when I say goods, I mean durable medical equipment and other types of items that are billed for as well as services. So how this all comes together is that in order to make the risk adjustment, CMX collects medical diagnosis codes from the Medicare Advantage organizations. And these diagnoses must be supported in the medical record, which any time a claim is submitted, whether it’s to a government payer or to a private insurer, you have to meet what’s known, and I know Panacea and First Healthcare Compliance deal with this all the time as medical necessity, as well as some other predicate items, including that initial face-to-face visit between a patient and a provider and having the required or affected patient care treatment or management at a particular visit for outpatient visits. So all of this to say this is another area that is ripe for potential fraud.
Kevin Chmura
Totally, totally. You know, my many, many years in revenue cycle, you know, there’s just mantras that you pick up and, you know, one of them is, you know, if it’s not in the medical record, it never happened, even if it did, and you better not bill for it, right? That’s just, just, just, just that simple. So, so, so,
Rachel Rose
Yeah, yeah.
Kevin Chmura
So, and now, based on latest statistics, I’ve seen more Medicare beneficiaries are in Medicare Advantage than in traditional Medicare. It’s 50-50 or even better at this point. It just speaks to the proliferation that started in the early 2000s. So, it is something, and yeah, and becomes an area of focus. So let’s dive into that a little bit because you touched on something that I think is where this starts to potentially hit people’s pocketbooks, if you will, right? So the US Department of Justice and CMS, they’re prioritizing Medicare Advantage fraud as a top priority.
Because it is ripe for the potential for fraud. So based on your experience, can you give me some insights into what specific areas of fraud that the government is looking at and seems to be interested in?
Rachel Rose
Sure, as a general matter, as you just articulated, Medicare Advantage is 1 area. Cybersecurity continues to be another hot area for the government in terms of Department of Justice and CMS priorities. Another area is basically your vanilla health care fraud, such as fraud, waste, and abuse violations, including those five areas that HHS OIG has espoused for years. And those five areas are the Federal False Claims Act, the Stark Law, the anti-kickback statute, civil monetary penalties, and exclusionary. Authorities, those are still in play in a very significant way. And as it relates to the aggressive risk adjustment enforcement and litigation, DOJ has expressly stated that it will continue to target risk adjustment practices coding intensity. So there is there upcoding? Is there a code that’s being rendered where there is no medical necessity that is documented? And then prior authorization abuses in MA plans. And prior authorization abuses really begin to weave in artificial intelligence and some of that area of software. So here you’re seeing the convergence potentially between the cybersecurity focus of the DOJ and CMS coupled with how that can play out with Medicare Advantage plans.
Kevin Chmura
Wow, yeah, that I don’t think it’s possible to do a healthcare podcast or a thought leadership article without at least touching on AI these days. It’s near impossible because the acceleration of the technology is brisk. And, you know, the thing we teach our auditors at Panacea relative to coding audits and what you really auditor coders are supposed to take the kind of revenue neutral, revenue agnostic way of looking at things, just code what you see. But the demands and the margin squeeze at providers is such that there’s a opportunity and the motivation to be aggressive. I don’t want to accuse anybody of fraud, but the motivation to be aggressive is there sometimes just for the survival of the practice. So it’s a tough one and so tough, tough stuff. So you touched on something that we’ve covered in the past. And so I think it’s good to dive into, and that’s the False Claims Act. Still the government’s number one fraud fighting tool, I’m sure. And, you know, moving into the real world now, there’s two notable False Claims Act.
Settlements involving Medicare Advantage, and those include a settlement with Kaiser and a group called Matrix, which I’ll let you tell us more about. Now, in the interest of disclosure, Rachel, you represented a whistleblower in the Matrix case. So this is great. We have firsthand front row visibility into this. So wondering if you could just tell us as much as you can, knowing that you participated in this. Can you provide some highlights of both the Kaiser and Matrix cases and settlements?
Rachel Rose
Absolutely. And before I delve into that, I just wanted to highlight something that you said, Kevin, about AI and how it’s utilized. There is a very significant trend among states to incorporate the requirements of a physician to review what is in the medical record before it’s signed off on. And as you know, when after a medical record is signed off and quote un quote closed, that’s when the claims process can begin. And in Texas, for example, in June of 2025, Governor Abbott signed into law a Texas Senate Bill, 1188. And what’s material about that and how that really plays a gatekeeping role in terms of False Claims Act and the use of AI is that the onus is on the physician or other medical provider who has the authority to sign off on a chart to review what’s in that chart for accuracy and make sure that everything is correct before it is submitted for a claim. If you think about AI and how it works, it basically is this huge data scraper. And by scraping data, it may in fact come up with wrong diagnoses, wrong codes, wrong notes. For example, what if someone took opioids 10 years ago and now through AI’s creativity, they now say this patient has substance use disorder. Well, just because you had opioid use as a result of a total hip replacement is a far leap to saying that the person has substance use disorder or opioid use disorder. Another item that’s very relevant is mental health care. And this lays the foundation into some of the items in the matrix case. AI, you can see how by having inaccurate. AI prompts that end up in the record. If someone had depression, say they note depression because a family member died or they were in a major car accident, or if you think about the number of people post-9-11, a lot of people had depression. It doesn’t mean that they’re manic depressive, it doesn’t mean that they have a history of psychotic disorders or anything like that. And so really for the provider, making sure that what AI is generating is in fact accurate for that particular patient is going to be very material, not only in terms of their own licensure, but also in terms of the claims that were submitted. So before I go into these cases, is there any question you have about that?
Kevin Chmura
No, but 100% a comment. I think that what we’re seeing now in our practices at Panacea and across revenue cycles especially, and it’s where it’s intersecting with compliance, is something you said, which is kind of AI never forgets and it tries to build on all knowledge it ever had. And I gave a story to some of the folks here that are working on some AI initiatives for us on the exact same thing. I had stitches on my knee in like the 3rd grade. And now at age 54, it really doesn’t factor into my any future medical diagnosis, AI would factor it in, right? And it’s not relevant anymore. And so it really speaks to the limitations of the technology and the need for governance when you start to adopt it. And it’s challenging because the ability to take cost out of the equation.
Rachel Rose
Correct. Correct.
Kevin Chmura
And an increased volume, and volume is important in a medical practice to maintain margins. It’s a, you know, there’s a tug and pull there, there’s a tug of war that is, that’s hard to ignore, really. So, and I have a feeling you and I will be talking over the next several years about specific both use cases and also problems relative to AI. I think that’s fair to say. We’ve got future content coming.
Rachel Rose
I would say that that is an apt prediction as to what is to come. So let me cycle back into these two cases because they are very material. First, I’ll lead with the Kaiser Permanente case. And in January of 2026, the DOJ announced that Kaiser and its affiliates would pay approximately $556 million to resolve allegations related to the submission of invalid diagnosis codes for their Medicare Advantage Plan enrollees in order to receive higher payments from the government. So if you think about Medicare Advantage fraud, that’s where that nexus really does come into play. And so here, as we mentioned at the outset, CMS pays MAOs more for sicker beneficiaries expected to incur higher health care costs and less for healthier beneficiaries expected to incur lower costs. So when I think of this, I remember my health law class at Vanderbilt with Professor Blumstein, and he analogized health care to car insurance. And it’s that same risk basket, right? What are the factors that are going into your pool? And some people are reckless drivers, some people are average drivers, and some people don’t go one mile an hour over the speed limit. That’s kind of the way I think of the… beneficiaries and how the Medicare Advantage model works. So how does this come into play with the risk adjustments? Well, CMS collects medical diagnoses codes, as we mentioned, and those diagnoses, again, must be supported by the medical record across a lot of fronts.
So in Kaiser, Kaiser owns and operates MAOs that offer Medicare Advantage plans to beneficiaries across the country. And to your point earlier, more than 50% of Medicare beneficiaries are in fact enrolled in the Medicare Advantage Plan. So by submitting claims and submitting data that is inflated or factually false, Medicare relies on the accuracy of that data and information submitted by the plans in order to ascertain what the reimbursement will be for the next year. So really the incentive is to have quote sicker patients and that’s why that AI factor is a very significant item to keep in the back of one’s mind too.
Since I did have the courtside seats to the Matrix case. The DOJ announced the settlement regarding Matrix Health Fair and Health Fair founder James Ekbatani in June of this year. And essentially, I represented Dr. Oristaglio. There was more than one case that was filed, and that raises a whole host of fund procedural issues within the False Claims Act space and area of litigation. But in essence, these defendants agreed to pay $56.5 million to resolve allegations that they violated the FCA by causing the submission of false or invalid diagnosis codes to the Medicare Advantage program. And what we’re seeing generally in this space, Kevin, is that sometimes there’s a concerted effort between a company and a particular insurer to do that. A particular MAO to make that happen. And in that instance, you’d have more of a co-conspiracy because both the… in this case, Matrix and whatever the MAO would have been, would have benefited from higher reimbursement rates from the United States government. And so the government’s position is that, and rightly so, it’s a breach of trust when providers look to make more money by making their patients appear sicker than they actually are.
So if I would say the one take away for this type of fraud, it’s absolutely that. Making patients appear sicker than what is substantiated in order to skew the risk adjustment score and obtain higher reimbursement rates. So just as we heard about with the Kaiser case, some of the issues at play in the matrix cases had to do with utilizing, for example, potentially tests that weren’t, I will call it best in class, and knowing that potentially not getting accurate outcomes and then using those inaccurate outcomes as the basis of a documentation in the medical record.
Another area that did come up, and this is public, is the depression code that a lot of people received. And so when you stop and think about depression, like I said, I actually worked for Eli Lilly and sold Prozac. So, this area I happen to know pretty well. And basically someone could have depression in an episodic manner, like we suggested with someone being in a bad car accident or losing a close loved one or a spouse or whatever the case may be. And it doesn’t mean that they’re chronic. It doesn’t mean that they’re manic depressive or bipolar or borderline personality or any of those, but or major depressive mood disorder.
Kevin Chmura
And a lot of the jumps that are often seen in this area is that jump from a depression, which is may be accurate or to your point earlier with the stitches when you were in the 3rd grade, it may have been accurate at one point in time, but is it necessarily accurate now? And how does one make the leap from depression to major depressive mood disorder?
Rachel Rose
That’s a whole different kettle of fish, especially when there is not documentation that’s consistent with the DSM-5 criteria, nor are there referrals to psychologists or other licensed professionals who would be more appropriate to deal with someone with that level of depression. It’s not going in saying, you know, I’m a little depressed, blah, blah, blah. My kid went off to college and you asked for an SSRI, a selective serotonin reuptake inhibitor, or an SNRI selective norepinephrine reuptake inhibitor that a primary care or another basic physician can write. You start getting into major depressive mood disorder that requires a very, I’ll use the word intimate relationship between the patient and a mental health professional because of the importance of talk therapy. And if you read the literature that’s out, whether it’s for PTSD or talk therapy or things of that nature, there is a huge correlation about the positive impact on not only treating but maintaining the diagnoses with PTSD or major depressive mood disorder. So those are a lot of areas that are coming into play along those lines.
There were also [allegations] in the Ekbatani case that Health Fair providers had made certain diagnoses, including but not limited to AIDS, HIV, metastatic cancer, and mesothenia gravis without documentation establishing or confirming the existence of the condition. And as we know, HIV is a precursor to AIDS. So that’s a very different animal. And with all the drugs that are out there now, just because you have HIV, it does not necessarily mean that a person may in fact end up with an AIDS diagnosis. Also, the other types of diagnoses included were rheumatoid arthritis, coagulation defect, drug dependence, which we talked about, morbid obesity, the major depressive mood disorder, which is what I just went into, and then chronic obstructive pulmonary disease. And so diagnosing congestive heart failure and heart arrhythmia despite contradiction by electrocardiogram and electrocardiogram results and also some thrombophilia solely based on separate diagnosis of atrial fibrillation. So just because you have one diagnosis – to our earlier discussion – doesn’t mean you can make that leap that you’re automatically going to have the separate diagnosis which has separate criteria associated with it.
Kevin Chmura
Right, and the risk involved in in the you know in a provider sort of up coding those is so high because much of what you just described is is proven by diagnostics, right? We can we we’ve got tests that will tell us, or there’s a measurable that says whether or not you’re morbidly obese.
And so very easy to disprove. And just sort of speaks to, I think, the, I guess the attractiveness of potentially seeing what you can get away with, but it’s not worth it because what I heard you say there was [an approximate total of $611 million] in settlements on these 2 cases alone. And that’s a real-world pocketbook impactor. So be careful. So in that light, maybe what we can end on, given those massive settlements out there, is it, you know, give some people some practical knowledge about what they can do and how maybe they can evolve their compliance program to help guard against some of these.
Rachel Rose
I think that’s a great question to end with, Kevin. And I always start with the seven core requirements of a compliance program. And those, as we know, include training policies and procedures, a compliance officer, adequate avenues for whistleblowers to be coming to fruition and reporting their concerns within a company. That is another area to focus on.
And so if you look at the factors and translate that to the Medicare Advantage, the 42 CFR for 83.85, which does set forth the compliance and ethics programs, it means it needs to be set up across a continuum. So it should not be siloed. And the most effective approach is to have an enterprise risk management approach, which gets all of the players involved. As we know, whenever a person goes into a doctor’s office or a hospital, their first touch point, their logging in, if you may, or sitting down and verifying their appointment time, and then their medical information and medical history and things of that part. That is where the first step is.
From there, we have the providers, and if nurses are taking notes, are the nurses taking notes accurately, or are they relying on AI solely without reviewing it? If the doctor relies on that and takes it at face value, there can be downstream liability in terms of, as I mentioned, the Texas Senate Bill 1188. And really physicians are fiduciaries just as lawyers are fiduciaries. So, what we’ve seen lately play out in the federal and state courts with lawyers not reviewing their pleadings and just submitting it and getting sanctioned for using hallucinated cases, hallucinated facts, expert witnesses, submitting expert reports without fact checking and coming up with hallucinations in those, those can be very costly. And I think a key take away on that point is that it can affect a physician’s license just as it can affect a lawyer’s license. But instead of going to a State Bar to file a complaint or a court referring a lawyer to a State Bar with a complaint, the same thing can happen with physicians.
I would say that there’s even more of a gravitas there because if the physician blindly relies on AI and it’s inaccurate, or as we know, one word can change an entire course of treatment, you could actually end up with an adverse patient event or a patient death. And so the stakes in healthcare are much higher than just coding and a related note to compliance is, you should always put the patient first. That patient-centered home, which evolved as a term in the Affordable Care Act, is something that is still very prevalent today, and especially in AI. So, when I advise my clients, we always make the patient and the clinical side first.
In my experience with the DOJ, one of the first questions they ask me, and the whistleblowers that I represent is right out of the gate, was there harm to patients? So as you’re moving through all of the stakeholders in this enterprise risk management system, from intake to clinical, to fact checking the medical record, to billing, to clearing house, to final submission, you really need to think how the organization is looking at this, not only from a coding compliance perspective and that side of fraud, waste, and abuse, but also the patient harm. And is there substandard care involved. And I think that’s an area that we’d likely see a lot of interest in, especially if there are a large number of adverse patient events.
Kevin Chmura
Rachel, this has been a valuable and sobering conversation. We came in thinking about financial risk and fraud, but where you left us is exactly where everybody’s mind should be. The real-world impact on patients. When AI puts a wrong diagnosis in the record, the risk isn’t just financial. It could be substandard care or an adverse outcome. The patient has to come first. A quick recap for our listeners. Medicare Advantage now covers more than half of all Medicare beneficiaries. The DOJ and CMS have made fraud a top enforcement priority. Risk adjustment is where the incentive to game the system lives. The False Claims Act remains government’s number one tool as the Kaiser and Matrix cases make clear. And AI needs real governance because the onus stays on the provider to review the medical record before it’s signed and submitted. These topics are not going away, so I’m sure Rachel and I will revisit them again soon.
Rachel, thanks again for your time and your insights. And to our listeners, thanks for joining us on 1st Talk Compliance. We’ll see you next time.
The post Medicare Advantage in the Crosshairs: Risk Adjustment, the False Claims Act, and AI appeared first on First Healthcare Compliance.
]]>The post Navigating the HIPAA Security Landscape: A Comprehensive Guide to Security Risk Assessments appeared first on First Healthcare Compliance.
]]>
In the ever-evolving world of healthcare, safeguarding patient information is not just a best practice – it’s a legal imperative. The Health Insurance Portability and Accountability Act (HIPAA) sets the stage for securing Protected Health Information (PHI), and at First Healthcare Compliance, we understand the critical role of a HIPAA Security Risk Assessment in achieving this goal. Below, we unravel the basics of this essential process.
A HIPAA Security Risk Assessment is not just a compliance checkbox; it’s a proactive approach to safeguarding patient information. By understanding the basics of this process and integrating it into the organizational culture, healthcare entities can navigate the HIPAA security landscape with confidence, ensuring the protection of ePHI and maintaining the trust of patients and stakeholders.
The post Navigating the HIPAA Security Landscape: A Comprehensive Guide to Security Risk Assessments appeared first on First Healthcare Compliance.
]]>The LEIE, or List of Excluded Individuals or Entities, also known as the OIG Exclusions List, is a fundamental piece of any medical practice’s compliance program. Yet so few people working in the healthcare space, even some compliance specialists, have never even heard of the list, or do not know the details of checking it.
The post The Importance of the OIG’s Exclusions List appeared first on First Healthcare Compliance.
]]>
Kevin Chmura
Hi, and welcome to 1st Talk Compliance. I’m your host, Kevin Chmura, CEO of Panacea Healthcare Solutions and 1st Healthcare Compliance. Today we’ll be covering an important topic and one that probably doesn’t get enough attention. We’ll be talking about the LEIE OIG’s exclusion list. With me today is Mike Herold. Mike is a Client Service Specialist here at 1st Healthcare Compliance. He’s worked with hundreds of hospitals and other providers over the last five years, particularly on issues surrounding the LEIE and their staff. So, Mike, welcome.
Mike Herold
Thank you, Kevin. Good to be here.
Kevin Chmura
It’s great to have you. So, look, you’re our foremost expert on this topic, but it’s one that admittedly in my now 30th year of health care has not gotten a lot of my attention, really not until I tripped over from revenue cycle into compliance. And so judging from my lack of experience, maybe it’s best to start, or we just say, you could just give us a rundown of what is the LEIE?
Mike Herold
Absolutely. So it’s the LEIE, officially the List of Excluded Individuals or Entities, and it compiles individuals and corporate entities ineligible to participate in federal healthcare programs due to criminal activity or serious professional misconduct. So the LAIE itself is maintained by the Office of the Inspector General, or OIG, which was established by the Department of Health and Human Services. In a quote that I actually pulled directly from the OIG’s website, OIG has been implementing exclusions since about 1981. And yes, the official government website says about 1981, so I found that interesting. But the Department of Health and Human Services first began imposing these exclusions in 1977. So, excluded persons are prohibited from furnishing administrative and management services that are payable by the federal health care programs, which include Medicare and Medicaid, which is obviously more relevant than most others. The exclusion and the payment prohibition actually continue to apply to an individual, even if he or she changes from one health care profession to another while they’re on the exclusions list, and the prohibition applies to all methods of federal health care program payment, whether that’s from itemized claims, cost reports, fee schedules, capitated payments, perspective payment system, or under other bundled payment, or any other payment system, and applies even if the payment is made to a state agency or a person that is not excluded. So it’s very wide ranging, and the exclusions prohibitions extend beyond even direct care and to any individual involved with an organization at large. So this can include leadership, anyone involved in the transport of patients or anyone in build services, any build services actually. And so if any person or any vendor, because it does include entities or pretty typically vendors, if anyone in the chain is in violation of the exclusions list, penalties may apply to the entire organization.
Kevin Chmura
Wow, that’s the definition of the weakest link, I guess, in any given chain. And just footnote, I doubt the website was operational in 1981 because that would predate the Internet. That’s a lot of people that could be on the list. It takes a lot of people to run any given health care organization, any vendor supporting health care providers, so everybody has to pay attention. How does somebody end up on the exclusion list?
Mike Herold
Good question. There are several ways, and many of them, most of them even, are the first things that spring to mind when you think about a list like this. But a few of them might be surprising, and the result is the same. It doesn’t matter how you end up on the list, it’s the same, you know, end. And so knowing about all of them is definitely the best idea for healthcare entities and honestly for the employees themselves. So there’s two types, two different levels, I should say, of exclusion types. There are mandatory exclusions for which the OIG is required by law to add the offenders to the list. And then there are permissive exclusions where the OIG has discretion to decide if the action is worth adding to the list. So I just want to, you know, knowledge is power. So we’re going to go over kind of the breakdown here. We’ll start with the mandatory list. The mandatory list is primarily dealing with those higher level, you know, immediate, well, this is a fraud or abuse or illegal action. So we’re talking about Medicare or Medicaid fraud, as well as any other offenses related to the delivery of items or services under Medicare, Medicaid, SCHIP, or other state health care programs. It also includes patient abuse or neglect, felony convictions for other health care related fraud, theft, or other financial misconduct, and then felony convictions relating to unlawful manufacture, distribution, prescription, or dispensing of controlled substances. So all of those make up the mandatory list. So do any of that and you’re on the list, no questions asked. The permissive list, though, has, you know, it’s where the OIG has some discretion. And so those offenses would include misdemeanor convictions related to healthcare fraud other than Medicare or a state health program, fraud in a program that is not a healthcare program, but is funded by any federal, state, or local government agency, misdemeanor convictions related to the unlawful manufacture, distribution, prescription, or dispensing of controlled substances, suspension, revocation, or surrender of a license to provide health care for reasons bearing on professional competence, professional performance, or financial integrity, provision of unnecessary or substandard services, submission of false or fraudulent claims to a federal health care program, engaging in unlawful kickback arrangements, and here’s my personal favorite, defaulting on health education loan or scholarship educations, which is the one trips most people up because that’s the unexpected one. And then also controlling a sanctioned entity as an owner, officer, or managing employee. So, like I said, the list is, it’s not as varied because a lot of it relates to fraud of some sort. But there are a couple things in there that, you know, might trip people up. You wouldn’t expect, I guess.
Kevin Chmura
No, totally. Make sure you’re paying your student loans for medical school, right? This is what I’m taking away from that end one. So look, Mike, lots of people in the delivery chain and all of the support areas and lots of ways to get on the list. I guess it’s probably safe to say that this is something that everyone in health care needs to know about, right?
Mike Herold
Absolutely. And for some reason, and I have not been able to figure out why, most people don’t. Even amongst the people I talk to frequently, which many of them are compliance experts, they’re specialists for their practices, they’ve been doing this for 20 years, somewhere between 99 for 95% of the people I have talked to have never even heard of it, despite its importance. So that’s kind of why we’re trying to shine a spotlight on it today, because people should know.
Kevin Chmura
Yeah, 100%. And there are myriad ways and people that can find themselves on the list. And you are right. I mean, again, going back into my own personal experience, having spent my entire career in revenue cycle management, this is something that my awareness of has probably only really tipped over the last three or four years, really, probably since got to know you, Mike. So, it’s interesting. So, given that, I think it’s maybe important to understand what specifically happens when an organization runs afoul of the exclusion list.
Mike Herold
Yeah, that is definitely good to know. So, specifically, employing or contracting with, either one counts the same, an individual or entity on the list can prevent your organization from participating in federal health care programs. This includes both Medicare and Medicaid, which generally is considered to be not good in the medical field. And in addition to that, potential civil monetary penalties may apply to those organizations who have been found in violation of the exclusions list.
Kevin Chmura
So I think what’s important there is employing or contracting with, and that second one really opens you up to a lot of exposure, right? Because you have to know that all of your vendors are monitoring all of their staff against the exclusion list. Well, we’ll talk about that in a sec, but what would an organization be looking at in terms of penalties?
Mike Herold
So they would be steep. So the OIG may impose those civil monetary penalties of up to $10 ,000 for each and every item or service furnished by the excluded person for which federal program payment was sought, as well as an assessment of up to three times the total amount claimed. And that’s in addition to the program exclusion that could be just as costly as all that.
Kevin Chmura
So let me double click on that one for just one second and make sure I understand. So, if I’m a physician office and I’ve outsourced my billing to another company and they have a Medicare biller who is on the excluded list and he or she submits a hundred claims in any given month, would each one of those bills be subject to the $10 ,000 because it’s an item?
Mike Herold
Yes, each and every one. It’s a May, so the OIG doesn’t have to do it for every single one, but they can. And like you said, $110 ,000 a pop, that’s a nice million dollars.
Kevin Chmura
Yeah, really. So not having awareness of the LEIE as probably one of the bigger financial risks that a provider could face, and they don’t probably really even have the awareness they deserve of it. So, okay, so that was penalties to an organization. Who’s liable for an organization?
Mike Herold
Pretty much everyone. It’s existing employees or vendors, prospective employees or vendors. And it is also worth noting that some of the excluded practitioners will still have valid licenses or drug enforcement agency DEA numbers. So it’s really important not to assume that just because a prescription contains a valid license number or DEA number that you can’t assume that the practitioner is not excluded. So basically, unless you’re specifically checking the OIGs list, you cannot be certain that a person or a business is not on it because it’s kind of its own entity.
Kevin Chmura
Okay, wow, so this keeps getting better and better, Mike. So let me ask a practical question. How does one check the list? Asking for a friend, but to be honest, I know that our organization monitors and so I’m okay, but how would one go about checking the list?
Mike Herold
So checking the list itself for an individual person or vendor is very simple. The OIG has a website which is free for hhs.gov or you can also just you know Google OIG exclusions list and it typically brings it to the page and then once you’re there checking the list is fairly simple you can search by an employee or a vendor’s name and if there’s a potential match found because you know if someone has a common name there’s going to be 10 different results but you can verify using the appropriate taxpayer identification number for either a person or a business. And it is important to note that the LEIE updates monthly and it is the responsibility of the organization to check on every single employee and every single vendor each and every month. Cause literally any contract you have could appear. And so that is worth checking and it could, you know, it changes every month. So someone could be added at any time.
Kevin Chmura
So, wow, that’s a daunting task, even at a small organization. But I can only imagine as it scales up to larger organizations. Is there a way to make it easier or maybe automatic?
Mike Herold
Yes, directly through the OIG, there’s sort of an alert system. You’re limited to an email list that you can sign up for and you receive an alert that the list itself is updated. but that’s kind of where 1st Healthcare Compliance comes in. We, as part of our compliance management program, we do offer automatic screening of the LEIE for both employees and vendors. So our system, you know, our IT department is amazing, and they provide a check both upon first entering an individual or an entity into your profile, which you can do even before you hire someone, which is always the recommendation just in general. Anytime you’re going to hire someone, check the list, make sure they’re not on it. But then again, our system also checks it during each month after we get that email from the OIG, so that we ensure that any organization that works with us is fully aware of any potential exclusions, really realistically, as soon as you could be. So yes, but not through the OIG, I guess is the answer.
Kevin Chmura
Okay, good. So is it possible, like how common would it be for a person to be on the exclusion list and not know it?
Mike Herold
It would be rare. So the OIG sends notices directly to the person. So typically if someone or a vendor is on the list, then they know about it. That doesn’t always stop them from working in a healthcare field. And that’s why it is so important to check the list before hiring someone or signing with a vendor. And in the odd case that a person does not know, because things can always fall through the cracks. It’s usually because of one of the less serious permissive infractions. Loan defaults certainly being the common reason for this. So it’s rare, but it does happen, I guess.
Kevin Chmura
Yeah, so if you’re doing background checks on new employees, you’ll want to add this. And if you’re not background checking individuals, you’ll at least want to check potential new hires against the LEIE, and it’s I guess not really that intrusive.You’re not running a background check on people. You’re just finding out whether or not they’re excluded, why they’re excluded is less relevant to you at that point. So, and then I guess make sure your vendors are doing the same, right?
Mike Herold
Yeah, oh yeah, absolutely.
Kevin Chmura
Totally, so, okay, so let’s run the doomsday scenario. What does a person or entity do if they find they’re on the list or they’re employing somebody that’s on the list.
Mike Herold
Right. So I’ll tackle the organization level first because that’s a little bit easier. So if you’re a healthcare entity and you find out that it’s an individual or vendor who’s already under contract and they’re on the list, you definitely cannot wait to do something about it. Depending on the reason for the individual or entity to have ended up on the list, which you can, you can see that when you do check the list. You have to like narrow it down and then you can see the why. Depending on the reason, the next step might be obvious. You know, you might make a quick judgment call. But in those cases where it seems less serious, there are experts all over the place. 1st Healthcare Compliance, we do have experts who can provide either guidance on the next steps to take or, you know, as I say all the time to our clients, we can at least point you in the right direction. If it, you know, if it’s a valuable employee and it seems like this is something that could be cleared up, you know, we can say, hey, here’s where you can find out. So, you know, each individual case can be different. So navigating the best path forward might not be simple, but, you know, it can be worth looking into depending again on why they’re on the list. For the actual like individuals or you know entities who are on the list themselves getting reinstated can actually be possible depending on the type of defense obviously and then if the exclusion was for a defined period. So this is again this information is pulled directly from the OIG. So if there is a defined period of exclusion of you know 5 years 10 years etc. You may begin the process of frame statement 90 days before the end of the period specified in exclusion notice letter. Requests received earlier than 90 days will just not be considered. And if the exclusion period is indefinite, you may apply for reinstatement when they have kind of regained the license referenced in the exclusion notice. So under some conditions, you may apply for early reinstatement without regaining the license referenced in the exclusion notice if you have obtained a different health care license in the same state or any health care license in a different state. So reinstatement may be available if you do not have a valid health care license of any kind in any state and have been excluded for a minimum period of three years following the OIG’s consideration of all the factors specified in the regulations. So early reinstatement is not available if your license was revoked, suspended, or otherwise lost or surrendered for reasons relating to patient abuse or neglect. Those are pretty much hard. You’re just out. So yeah, that’s I think so.
Kevin Chmura
So great, so so perhaps not an automatic career death sentence, but but unless you’ve done something very egregious. So Mike, look, this was super informative. I learned a few things and I’ve been paying attention to this, so this this is helpful. I guess let me open it up to you. Is there anything else people should know?
Mike Herold
I think we’ve covered it. As long as people know that the list exists and a jacket for any new employees or vendors, and then again every month, then they are meeting their compliance requirements, which is obviously our focus. And lucky for all our clients, they are already covered, so we’re good there.
Kevin Chmura
All right, great. Well, Mike, thank you so much.
Mike Herold
Thank you for having me. Great.
Kevin Chmura
For our listeners, this has been 1st Talk Compliance. As we like to say, there is no exclusion list for listening to our podcast, so please tune in to our future episodes. We’ll be releasing more content soon. Thank you.
The post The Importance of the OIG’s Exclusions List appeared first on First Healthcare Compliance.
]]>The post OSHA Recordkeeping in Healthcare: Answers to Frequently Asked Questions appeared first on First Healthcare Compliance.
]]>
Maintaining accurate and up-to-date records is crucial for healthcare organizations to ensure workplace safety and compliance with the Occupational Safety and Health Administration (OSHA) guidelines. OSHA recordkeeping requirements in the healthcare industry may have specific nuances that healthcare providers need to understand. Below we address common questions related to OSHA recordkeeping in the healthcare sector, providing insights to help healthcare organizations navigate the requirements effectively.
OSHA requires most healthcare facilities, regardless of size, to keep records of work-related injuries and illnesses. This includes hospitals, nursing homes, clinics, medical offices, and other healthcare settings. However, certain low-risk industries within healthcare may be partially exempt from recordkeeping requirements.
Healthcare organizations must maintain three essential records:
a. OSHA Form 300: Log of Work-Related Injuries and Illnesses
b. OSHA Form 301: Injury and Illness Incident Report
c. OSHA Form 300A: Summary of Work-Related Injuries and Illnesses
In healthcare, a recordable injury or illness includes those that result in death, days away from work, restricted work activity, medical treatment beyond first aid, loss of consciousness, or a significant injury or illness diagnosed by a healthcare professional. It is essential to evaluate each case based on OSHA’s guidelines to determine if it should be recorded.
Yes, needlestick injuries and bloodborne pathogen exposures are generally considered recordable incidents in healthcare. These incidents should be documented in the OSHA recordkeeping forms, as they pose significant risks to healthcare workers.
Healthcare organizations must retain OSHA records for a minimum of five years. The five-year retention period begins from the end of the calendar year covered by the records. It is crucial to keep these records readily accessible for review and inspection purposes.
Yes, healthcare organizations can utilize electronic recordkeeping systems to maintain OSHA records, provided that the system meets OSHA’s requirements. The electronic system should be capable of generating the necessary forms, retaining records for the required duration, and providing access to employees and OSHA representatives.
Healthcare organizations are required to post the OSHA Form 300A, the Summary of Work-Related Injuries and Illnesses, in a conspicuous location where employees can easily access and read it. The form should be displayed annually from February 1 to April 30 of the following year.
Adhering to OSHA recordkeeping requirements is essential for healthcare organizations to ensure workplace safety and compliance. By understanding which healthcare facilities are subject to recordkeeping, maintaining the necessary forms, identifying recordable incidents, retaining records for the required duration, utilizing electronic recordkeeping systems, and posting the Summary of Work-Related Injuries and Illnesses, healthcare providers can meet their OSHA recordkeeping obligations effectively.
It is crucial for healthcare organizations to stay updated on OSHA guidelines and consult with relevant resources to ensure compliance with specific recordkeeping requirements in the healthcare industry. This will contribute to creating a safer working environment for healthcare professionals and maintaining a culture of safety within healthcare facilities. For more information, please view our products Fundamentals Course and OSHA Training for Healthcare Providers.
The post OSHA Recordkeeping in Healthcare: Answers to Frequently Asked Questions appeared first on First Healthcare Compliance.
]]>Learn how the policy landscape has shifted in recent months—especially around telehealth flexibilities, controlled substance prescribing, and the 2026 CMS payment rules.
The post Telehealth Extensions & 2026 Compliance Priorities: A Compliance Cliffs Update appeared first on First Healthcare Compliance.
]]>
In this episode of 1st Talk Compliance, Kevin Chmura is joined by Robyn Johns, as they discuss recent updates to their November live webinar, Compliance Cliffs: Navigating Telehealth Waivers and Reimbursement Changes.
Learn how the policy landscape has shifted in recent months—especially around telehealth flexibilities, controlled substance prescribing, and the 2026 CMS payment rules.
Kevin Chmura
Welcome to 1st Talk Compliance. I’m Kevin Chmura, CEO of Panacea Healthcare Solutions. Today we’re bringing you a timely update on our November live webinar, Compliance Cliffs: Navigating Telehealth Waivers and Reimbursement Changes.
Since that webinar, several policy changes have moved quickly, especially in telehealth flexibilities. Controlled substance prescribing and 2026 CMS payment rules. Before we jump in, just a quick note. 1st Talk Compliance is brought to you by 1st Healthcare Compliance, a part of Panacea Healthcare Solutions. We help healthcare organizations strengthen their compliance programs with practical education tools and compliance management support. So teams can reduce risk, keep pace with regulatory change and operate with confidence.
Now I’m pleased to welcome back Robyn Johns from Med USA.
Robyn, thanks for coming back.
Robyn Johns
Thanks, Kevin. I’m happy to be here.
Kevin Chmura
Great. So, let’s jump in. So, in November on the webinar, we spent a lot of time on what people were calling the telehealth cliff, which was creating a tremendous amount of uncertainty on whether flexibilities would expire. Can you catch us
up on what the status is now?
Robyn Johns
Yeah. The major update is that the spending package released on January 20th includes extensions of the telehealth flexibilities all the way through December 31st of 2027.
Kevin Chmura
So that’s a pretty meaningful runway. That’s great, but I guess doesn’t eliminate compliance obligations, but it is reducing near-term uncertainty which give everybody some time to standardize workflows. So, it’s in the news, but maybe you could tell. So, what’s in the spending package at a high level and what should healthcare leaders like us be paying attention to?
Robyn Johns
Right. So, it was the one from the 20th was a $1.2 trillion spending package released by the House Appropriations Committee and it was just passed yesterday on the 22nd in two separate votes by the full House. So, those bills included the remaining six of the twelve appropriations necessary to avert a government shutdown. So that’s good news for everyone. If we can get them across the finish line, they funded many of the federal government agencies such as HHS, Labor, Defense, HUD, and also Homeland Security. That was a contentious one. That’s why they had to do two separate votes. It funds them through fiscal year 2026, which ends on September 30th of this year.
Kevin Chmura
So, OK, so we have a funding package with multiple healthcare policy riders. Not, I guess not too surprising in today’s day and age. So, besides the telehealth through 2027, what else is included in there that compliance and operational leaders should know about?
Robyn Johns
So the writers also include PBM reform and it extends hospital at home actually through 2030, which is another one that hit a lot of facilities hard with the government shutdown. It extends Medicare dependent hospital and low volume hospital programs, which is really beneficial for our rural providers and it delays the Medicaid disproportionate share cut again until fiscal year 2028. Notably, for a lot of people, it does not include an extension of the ACA subsidies, which were such a sticking point in the government shutdown last fall.
Kevin Chmura
Yeah, that that that last point is operationally really important and coverage instability often turns into eligibility churn and puts real pair mix pressures on the you know same patients, different coverage, right.? And that’s just you know probably increases downstream compliance and documentation stress. Yeah that’s a that’s a tough one. So what’s the timing of congressional action now?
Robyn Johns
So with the House passing all of the bills, they now send the full appropriations package to the Senate. The Senate will take all of that up when they return from recess on Monday the 26th, and will hopefully pass them all ahead of the January 30th deadline. And hopefully without any significant changes which might require them to go back to the house because the house will be on recess next week.
Kevin Chmura
Wow. So split schedule, it’s why we should keep ourselves in a monitoring posture. I guess we should always be monitoring, but things are moving pretty quickly right now and you sort of get into that world of what is expected is not what’s in effect.
Which is always, always a tough place to operate, but hey, that’s healthcare, isn’t it? So, given the extension to 2027, in your opinion, what should compliance teams be doing now? Like what’s some practical next steps?
Robyn Johns
First, you’ll want to make sure that your internal policies and educational materials reflect what’s currently in effect. No major changes since most of those telehealth things were extended, but it’s always good to double check because lots of things change around the beginning of the year. Also validate your payer specific rules. Medicare policy direction is influential, but commercial payers and state laws differ. So, you got to make sure that you are matching up with those differences. And then third, we should we talk about strengthening your auditing of documentation, the modifiers, your place of service, medical necessity, all of those things that can vary depending on the payer and the specific situation of the patient.
Kevin Chmura
Yeah, that that payer variation point is where a lot of organizations end up being exposed, I guess, right? Telehealth’s not really governed by one rule. You’ve got federal policy, state overlays, and then you have commercial policy updates really coming at you a number of different ways. So, I guess a good controls to maintain maybe a payer policy matrix and try to align it into your documentation and coding guidance. Probably a solid piece of advice.
Robyn Johns
Absolutely.
Kevin Chmura
Yeah. So, let’s move on to probably one of the highest risk areas that we covered in the webinar, and that’s controlled substance prescribing via telehealth. What’s the latest there?
Robyn Johns
Good news there as well. At the end of the year, DEA and HHS extended the telehealth flexibilities for prescribing controlled substances through this year, December 31st of 2026. There are a few rules that can apply, but because they extended the flexibilities, it’s pretty much status quo until they change it again at the end of the year.
Kevin Chmura
Cool, so that’s a critical compliance area because of the high risk profile and it that really includes some regulatory scrutiny and enforcement, not really just a reimbursement issue.
Robyn Johns
Yes, it’s highly watched.
Kevin Chmura
Yeah. And I guess as well, it should be. So given that, what control should organizations prioritize right now to reduce risk in that area?
Robyn Johns
Definitely you’ll want to have clear prescribing policies, good documentation standards, and role-based training. Also, usually they want to include identity verification and required checks when they’re applicable, and consistent auditing to ensure that your process is followed, not just written down. This is another area where state regulations can vary, so you would want to make sure that you are compliant in every state where you see patients.
Kevin Chmura
Yes and you’re the expert, not me. But I guess I’d add if you expand health to if you expand the telehealth quickly, take time now to ensure your governance is mature. And I’m thinking credentialing, supervision, documentation and audit trails always the basics that can help you pulled up under scrutiny.
Robyn Johns
Definitely. When you expand quickly, sometimes you sacrifice certain things for speed. So, you have a minute now to go back now that you’re sure that those policies aren’t changing anytime soon to just go back and make sure that everything’s in place, all of those areas.
Kevin Chmura
Yeah, I mean like any business runs better and with certainty, but at healthcare we rarely have that. So, great. So, moving on to the 2026 CMS updates that that we talked about a little bit.
So, there’s been some changes in payment policy that are driving operational changes and it’s where those operational changes come in, where we introduce compliance risks if teams can’t keep pace and often they can’t. So, what are the 2026 physician fee schedule highlights?
Robyn Johns
Yeah. So, we talked about these back in November and of course they went into place at the beginning of this year. So, a little bit of good news there with the conversion factor. It included the 2.5% increase that had been mandated by Congress. It also included a .75% increase for clinicians in advanced APMs or a
.25% increase for clinicians who participate in MIPS or who are exempt. And then there was also a .49 budget neutrality increase.
Kevin Chmura
So, so the real impact varies by payer mix, site of service and quality of participation. What about RVU related changes?
Robyn Johns
So that’s kind of the devil in the details there. It also implemented a -2.5% efficiency adjustment on certain non-time based services to the physician work RVU and there is also a + or -50% practice expense RVU adjustment for facility based services. So, it’s -50% if it’s facility based services or a +50% for non-facility based services.
Kevin Chmura
Wow. So site of service is increasingly strategic and it’s where we see compliance issues often arise, right? You get inconsistent documentation, coding and policy adoptions across different departments and locations. Certainly not easy.
Robyn Johns
No. Something you definitely need to watch closely because it is different depending on where you are and what services you’re providing.
Kevin Chmura
Yeah. So, one other hotspot or another hotspot that that we often see is incident to. What’s going on there?
Robyn Johns
So the physician fee schedule in that they updated the definition of direct supervision for incident to billing to permanently allow supervision through real-time audio video communication except for services that have a 10 or a 90-day global surgery period. So, the supervising physician no longer has to be physically present in the office suite, they just have to be immediately available through real time audio video communication.
Kevin Chmura
OK, so that’s operationally pretty significant, right? But I guess the compliance take away is relatively simple. If you’re using remote supervision, your incident to workflows must be precise. I guess who supervises, how it’s documented, and where the exceptions apply as precise as you can make all of those, huh?
Robyn Johns
Yes, absolutely. Because you are relying on remote supervision, you’ll want to make sure that that is documented very effectively.
Kevin Chmura
Yeah, cool. So, what about the OPPS and ASC final rule highlights for 2026?
Robyn Johns
Yeah. For those that these apply to, there was a 2.6% increase as well in the payment rates. They also expanded hospital price transparency requirements and we’re seeing a lot more attention and probably enforcement in that as well. There was a three-year phase out of the inpatient only list. Site neutral payments were expanded to include Drug Administration Services and the ASC covered procedures list is expanded much in relation to the inpatient only list Phase out.
Kevin Chmura
Yeah, that that that that’s an interesting one. So the phase out of the inpatient only list is a real operational shift and it’s one of those opportunities for providers to move volume to better cost locations, but really your compliance needs to follow those patients, right and where you’re having them. And so, when your volume moves, audits and education have to move with it, which is probably a challenge and what we know and we at our parent company, at Panacea, price transparency just remains a compliance and reputational priority because failures lead to penalties, but bad data also leads to a lot of scrutiny. So, good that there’s some, you know some guidance there, but it’s clear that those are going to be things that really need to be paid attention to from a compliance perspective.
Robyn Johns
Yes, for sure.
Kevin Chmura
So it was hard to watch the news over the last, I don’t know, six to twelve months without talking about the One Big Beautiful Bill Act. So, we’ve been tracking it. I know you’ve been tracking it. So, what’s the timing on practice impacts that you expect?
Robyn Johns
So most of those One Big Beautiful Bill Act Medicaid requirements that are likely to impact practices, they don’t actually begin until January of 2027. So, practices still have some time to continue their assessment and preparation for those. The immigrant eligibility changes do take effect on October 1st of this year, 2026. So that’s a little bit shorter period of time, but you do have a little bit of time to continue to figure out how that may affect your practice if you have a high number of Medicaid patients, and prepare for the ways that you can offset those eligibility changes and payment requirements.
Kevin Chmura
Yeah, that clarity on the effective dates really can help teams allocate resources correctly and that’s often a challenge especially when you’re tracking proposed rules versus final rules and not sure when things will go into effect. So that’s good. So, as you’re looking out on the landscape in 2026, what are some of your top compliance priorities that you’re advising organizations to focus on?
Robyn Johns
Yeah, we’re currently focused on probably five or so top priorities for 2026, not in any specific order, but we are watching data privacy and security. Part of that is because HIPAA updates are underway to both the privacy and security rules, though timelines are unclear. We’re not sure when or i f we’ll see any final rules on those, but we do know that healthcare remains a prime target of cyber-attacks, so we have to constantly be vigilant to that and related to that, but also separately, is AI and other emerging technologies.
AI is changing the landscape for the types of attacks we receive, but also the way we have to respond to them. It also is changing the landscape of healthcare generally, both in the provider office and at the payers and at the government. Those other emerging technologies like digital tools, those can increase the compliance risk in your environment, and we need to remember that both government and commercial payers are using AI to identify outlier claims faster and increase their auditing.
Then we also have the fraud, waste and abuse enforcement. CMS we know has currently been focused a lot on Medicare Advantage, but that scrutiny can shift oversight over to providers as well because that’s where so much of the data that the Medicare Advantage plans use comes from. The OID also continues to focus on telehealth. There are other focuses are drug device and biologics and program integrity areas such as DME, Hospice and Drug Administration. So, want to make sure that you’re watching all of those if you practice there.
Fourth one we have is vendor and third-party oversight. Many of the largest breaches that have we’ve seen have originated with third parties. So, organizations really need to make sure that you have careful oversight and maintain good monitoring on your third-party vendors and others who may have access to your systems and data.
And finally, we know we’re going to continue to see those rapid regulatory updates. Federal and state changes often conflict. We have lots of states that are currently in their legislative period. So that will bring out some changes. And then in addition to that, commercial payers are tightening their policies and auditing in response to the pressures that are being put on that on them, whether from the government or just from a financial perspective.
Kevin Chmura
Yeah, it is something the pace of acceleration of some of the advances in technology and how they how they’re going to impact us. But I guess you know that’s really the reality of 2026 and beyond. You’re going to see an uptick in in in speed to policy changes, faster detection, which will be something and probably more third-party exposure as we rely on more and more vendors and others to help us do what we need to do every day, but I’m sure you know the advice I’ve heard you give many times and we have to agree with it. A strong compliance program has to be built to adapt. That means clear governance, repeatable monitoring and targeted auditing tied to the current risk with an eye on the future and where everything’s going.
Robyn Johns
Yeah, definitely. It’s an exciting time, lots of opportunities for improving our programs and really tightening things up to make sure that we’re protecting ourselves and all the information that we are responsible for.
Kevin Chmura
Yeah, great. So, Robyn, thank you for the update and for helping our listeners translate policy movement into practical compliance actions. To everyone listening, if you want the full context and deeper discussion, you can access the webinar on demand at 1st Healthcare Compliance’s website. It’s called Compliance Cliffs:
Navigating Telehealth Waivers and Reimbursement Changes.
Thank you for listening to 1st Talk Compliance and we’ll see you next time. Thanks, Robyn.
Robyn Johns
Thanks, Kevin.
The post Telehealth Extensions & 2026 Compliance Priorities: A Compliance Cliffs Update appeared first on First Healthcare Compliance.
]]>The post Naughty or Nice? The Rules of Giving and Receiving in Healthcare appeared first on First Healthcare Compliance.
]]>The post Naughty or Nice? The Rules of Giving and Receiving in Healthcare appeared first on First Healthcare Compliance.
]]>The post FWA in Healthcare: How to Respond Appropriately to Detected Offenses appeared first on First Healthcare Compliance.
]]>
When a potential FWA offense is detected, it is crucial to recognize the gravity of the situation. Understand that FWA can harm patients, compromise the organization’s reputation, and lead to legal consequences. Responding appropriately is vital to address the issue and prevent further harm.
Upon detecting a potential FWA offense, initiate a thorough investigation to gather evidence and assess the impact of the offense. Engage the expertise of your internal audit, compliance, and legal teams to ensure a comprehensive and objective assessment.
Involve legal and compliance professionals early in the response process. They can provide guidance on the applicable laws, regulations, and reporting requirements. Their expertise will help navigate complex legal issues and ensure the organization’s response is aligned with regulatory expectations.
Take swift action to address the detected FWA offense. This may involve suspending involved individuals, initiating disciplinary measures, and implementing immediate corrective actions to mitigate any potential harm or ongoing risks.
Depending on the severity and nature of the offense, it may be necessary to collaborate with regulatory bodies and law enforcement agencies. Notify relevant authorities, such as the Office of Inspector General (OIG) and cooperate fully with their investigations.
Responding appropriately to detected FWA offenses in healthcare is essential for safeguarding patient care, preserving organizational integrity, and maintaining regulatory compliance. By understanding the gravity of the situation, conducting thorough investigations, engaging legal and compliance professionals, implementing immediate corrective actions, and collaborating with regulatory bodies and law enforcement agencies, healthcare organizations can take decisive steps to address FWA offenses and minimize the potential risks they pose.
Remember, a proactive and timely response demonstrates a commitment to ethical practices and upholds the highest standards of patient care and trust. Mitigate risk by contacting the team at First Healthcare Compliance. Together, we can foster a culture of integrity, protect patients, and strengthen your healthcare organization.
The post FWA in Healthcare: How to Respond Appropriately to Detected Offenses appeared first on First Healthcare Compliance.
]]>The post 6 Areas of Potential Liability for Healthcare Providers appeared first on First Healthcare Compliance.
]]>
The post 6 Areas of Potential Liability for Healthcare Providers appeared first on First Healthcare Compliance.
]]>The post 5 Benefits of Automating Incident Reporting in Healthcare appeared first on First Healthcare Compliance.
]]>Incident Reports are a typical part of risk management in the healthcare setting. In theory, properly reporting incidents provides an opportunity for a resolution by the right people at the right time. In any medical organization there are myriad reasons for completing an incident report.
Potential vulnerabilities can include, but are not limited to: patient complaints, medication errors, equipment malfunctions, policy violations, HIPAA and cyber risks, and physical safety and violence threats.
With the goal of rectifying any issues and preventing future problems, incidents need to be reported quickly and with as much information as possible. As some incidents may end up in court cases years later, timely and accurate reports can prove vital.
With all that is at stake, for many healthcare practices it makes sense to invest time and resources in an automated system of incident reporting.
Automated Incident Reporting has five main benefits:
Processes and forms for incident reporting vary by organization, but an electronic management system may help streamline efforts and yield more accurate results.
To learn how First Healthcare Compliance facilitates incident reporting, check out our comprehensive compliance management solution.
The post 5 Benefits of Automating Incident Reporting in Healthcare appeared first on First Healthcare Compliance.
]]>