Podcast: Everything You Never Knew You Needed to Know About ACO Compliance

Rebecca Latchis landed in healthcare compliance after a HIPAA project in law school guided her to a new path. Now, she’s a rising star in the industry and an expert in ACO compliance, or as I like to call it, compliance of the future.

In this week’s episode of Compliance Conversations, Latchis explains how the Medicare shared savings programs (MSSP) differ from the provider side of compliance. “The regulations that spell out the compliance program obligations for the MSSP identify five required elements for the compliance program that is different from the 7 elements…” Said Latchis. Then, she took us on a regulations deep dive and a wild compliance ride.

Tune into my most recent episode of Compliance Conversations: Everything You Never Knew You Needed to Know About ACO Compliance, to learn about the landscape of ACO compliance, the ins and outs of MSSP, and where, oh where, to find compliance professionals who think just like you.

 Listen Now >>


CJ: Welcome everybody to another episode of Compliance Conversations, I’m CJ Wolf, Healthicity’s Sr. Compliance Executive, and today my guest is Rebecca Latchis. Welcome Rebecca.

Rebecca: Thank you so much, I appreciate you having me on the show.

CJ: Absolutely, and we’re grateful for your time and expertise and I look forward to talking about some of these things, but before we get into some of the topics that I wanted to discuss I was wonder if you’d just briefly introduce yourself and tell us a little bit about your compliance career and how you’ve landed where you are now.

Rebecca: Sure, I’d be happy to. I started off as a healthcare regulatory attorney and worked in Louisville, KY and then in Washington, DC. About 11 or so years ago I responded to a headhunter and ended up at Bon Secours Health System, we are a large non-profit catholic health system that operates mostly on the East Coast, but all the way into KY as well, and I’ve been doing healthcare compliance ever since. Probably the first 8 years or so at Bon Secours I was the director of corporate responsibility for the health system and really focused on the programmatic aspects of our compliance program. A few years ago, I transitioned to working primarily on the population health efforts for Bon Secours, so I am the compliance officer for all our ACO’s, accountable care organizations, all of our clinically integrated networks and really anything else that has to do with population health. So that could be the CPC+ program it could be bundled payments, managed care, kind of everything that falls under that large umbrella I will look at from a compliance perspective. I also have my own podcast that I do kind of on the side, so that it what I am doing right now.

CJ: That’s great, thank you, now tell us the name of your Podcast.

Rebecca: Sure, it’s called Compliance Masterminds.

CJ: Excellent, and I appreciate you having some of that expertise as well. It’s funny how you kind of mentioned how you ended up in compliance. I’m not sure any of us grow up thinking we’re going to be a compliance officer, right?

Rebecca: Definitely not. I think I always knew I wanted to be a lawyer, but didn’t really know what that meant, so I’m very thankful that I ended up doing a project when I was a baby law student, I did a project on HIPAA, and fell in love with healthcare and healthcare compliance, and yup, that’s how I got to where I’m at.

CJ: It’s so interesting. I think I shared with you privately that my educational training is as a physician, as an MD, and when I was in medical school, towards the last part of medical school, I remember somebody telling me as we were doing our clinical rotations, someone from administration was educating us on what had to be in the medical record, this was in the midst of all the PATH audits, the physicians teaching hospitals, and I remember from that day, wait a second, there is a whole different world here of what you can and can’t do in healthcare that doesn’t necessarily have direct contact with patients, but it’s this whole different world of healthcare compliance, so it’s kind of funny how we all end up where we are.
Rebecca: Yeah, absolutely, I’m very grateful for that last-minute project that put me on a much different path than what I thought I’d be on.

CJ: And thank you for your introduction, because one of the reasons I wanted to speak with you a little bit more was your expertise in ACO compliance, which is probably the way a lot of healthcare is going with this shared savings program, and bundled payments, and these sorts of things, that a lot of us have heard about from a healthcare reform perspective, but you’re on the front lines of that world in a compliance perspective, and so I’m hoping we can talk a little bit about that and my first question to you is; how do the compliance program requirements for Medicare shared savings program differ from, let’s say what a lot of us know on the provider side of compliance.

Rebecca: Sure, and they do differ, but I think as I kind of get into it a little bit you’ll see they are probably not all that much, much different. But like I said, I work with the ACO’s in the Medicare shared savings program, and the really nice thing about the MSSP is that there is a regulatory framework. You don’t get very specific regulations in all the population health initiatives that CMS puts out, but the MSSP, there are specific regulations. So, the regulations that spell out the compliance program obligations for the MSSP identify five required elements for the compliance program, and again, that is different from the 7 elements, but I’ll just highlight them at a very high level and I think you’ll see how the 7 can really fit into the 5 that are identified in the MSSP. Very similar to your 7 elements, there is a compliance officer, that is a requirement for the MSSP, they did specify that person cannot be legal counsel, and that person needs to report directly to the board, so that is more specific than what you get from some of the other compliance program guidance. The next requirement is a mechanism for identifying and addressing compliance programs. And again, this is consistent with the seven elements. What I think of with this requirement I’m thinking of risk assessments, the type of monitoring activities you would do no matter what type of provider that you are setting up a compliance program for. The third element is the method for employees and your ACO participants, which are your providers and you provider groups, and it’s a mechanism for them to anonymously report compliance problems. So that’s your hotline, it’s any other mechanism that you have, on the web or on the phone, for reporting. And again, that’s very consistent with the 7. Compliance training is the 4th element, and then a mechanism to report probable violations of law. So, all that is consistent with the 7 elements. The one that really stands out to me is not being officially addressed are the policies and procedures, but certainly you can plug that into all 5 requirements of the MSSP compliance program.

CJ: Exactly, now it’s kind of interesting the difference between identifying problems and communicating issues, but then there is a specific requirement when there is a probable breaking of the law. Did I hear that right?

Rebecca: There is, so it says very specifically, and I think it’s broad, a mechanism to report probable violations of law. And the description of probable violations of law, and in my opinion, that could really mean anything, so that’s why I think it’s really important for the compliance officer to really be involved in the operational aspects of the ACO, really understanding everything that is going on so that if something were to happen, they might think might triggers this probable violations requirement, that they’d be able to at least tap into the legal team, and really anyone else to kind of sort that out. I will tell you, I’ve talked to a lot of ACO compliance officers and everyone really thinks that this is broad, I’m not sure how tested it is. I’ve also seen similar language in the bundled payment program, so I don’t think it’s language that’s going away, maybe hopefully down the line we’ll know a little bit more about the whole scope of the language.

CJ: So, you’ve mentioned that you’ve spoken to other compliance officers and ACO’s, maybe I should take a step back and ask you in general, what’s the landscape of ACO’s in the country? I mean, how many are there, how big is this, is it on its way up, or is it on its way down? What are your thoughts of that in general.

Rebecca: Sure, I definitely don’t think ACO’s are going away any time soon. I think more and more ACO’s are joining the Medicare shared saving program. There’s also another Medicare ACO called next generation, so there is next gen ACO’s, and I think there are still some pioneer ACO’s out there. I don’t know exactly the numbers, but I do know that every year more and more entities are applying to become an ACO, and really what you do when you apply is sign up for a 3-year program. And so, you have your first program, your second and third, and then at the end of the 3rd, you’ll either renew or decide you want to do something else, and I think the majority of ACO’s are sticking around for longer than their 3 years. The other thing about ACO’s is that there’s different tracks. Track 1 is kind of the upside only, which means there is only an opportunity to share in the savings, which is great, it kind of gets people in the door. Than there’s tracks 2 and 3, and 1+ and all of those have different risk profiles, but I definitely don’t think that ACO’s are going away anytime soon and as far as talking with other ACO compliance officers, you know it’s new, and a lot of us are kind of feeling our way around this. So it’s really helpful to have a community of other ACO compliance folks to be able to tap into, because it is new.

CJ: And that’s kind of what I was going to ask you, where does somebody start if they are new to this, and my suspicion is, with a lot of newer areas of healthcare if they are having compliance officers, they typically draw from the population of compliance officers that may be for hospitals or for health systems, so people maybe have a compliance background in general, but they don’t know the specifics about what’s unique about compliance in ACO’s, where would somebody start if they got a new job, or they are looking into that.

Rebecca; Yeah, and I can tell you where I started, and where a lot of my fellow ACO compliance officers start, and that is go back to the regulations, pulling out, and not just for compliance program, really look at the nitty gritty details of what’s required for an ACO. So, all the way from what is required for the governance side of things, what type of board you need to have, the composition of the board, and move all the way through to what’s required in the ACO participation agreement, what type of quality program do you need to have, how do you share savings. All of that, really start there, because it is a little bit different. The next place that I would look is the participation agreements that you have with your ACO participants. So, this is really the agreement that is with the ACO and any of the independent providers, providers recruits, hospitals, anyone that is signed on to be a participant in your ACO. I think this is a document that is going to tell you, you want to look at it just to make sure that it complies with the regulations, but there is a lot of other stuff in this document that will tell you what is expected of your ACO participants. What’s expected of the ACO, and I think those are really important things to monitor.

CJ: Right.

Rebecca: as an ACO compliance officer.

CJ: So if I could just take you back to where you said to start the regulations, I think that’s a great starting place for a lot of things in compliance. So where would somebody go, are these in finalized rules in the federal register, is it in law, where would you say the foundational documents reside?

Rebecca: Yep. They absolutely are in the federal register. Its 42-cfr something or other, but if you go the MSSP CMS website they list all of the regulations. There have been a few amendments over the last couple of years that I think are important, but that is definitely where I would start, and the other thing that I think has been really helpful to look at is the MSSP application. Most people might not think to look there, but the application is a really full document. It kind of identifies the certifications, the things that you are saying you are going to do as an ACO, and there’s a number of extended kind of essays, if you will, that you need to provide for the Medicare shared saving program for them to evaluate you as a potential applicant. And those range from your quality program, how are you going to engage beneficiaries, all of that really gets to, what did your ACO say it was going to do, and how did it think it was going to be effective and kind of meet the fundamental obligations of the ACO requirements, and I think look at that, and really understanding what your operational leadership anticipated doing is another really key way to understand your ACO and the way it anticipates meeting all of its requirements.

CJ: Yeah, I think that’s a really good point, and it rings another bell on my mind, not to take us too far off track, I don’t know if your familiar with these descrip programs that are typically Medicaid programs that are state type of awards that the federal government can, you know. It’s very similar what I’m hearing you say with descript programs you have to know what your organization promised, these are innovative type of organizations, they suggest and promise they can deliver on certain things. So the compliance is not with a CPT code that has a national definition, it’s what you promised in the agreement, or in the grant, or that sort of thing, so I’m hearing those same similar themes as an ACO, as an organization you had certain goals and deliverables, is that accurate.

Rebecca: Absolutely, and you know the other thing that has struck me over the last few years is to what is different with an ACO, and partially as an ACO compliance officer, is just the need to not embed in a not independent way, but really understand the operations, and that goes finding out what did they say we were going to do, and what are we doing, and really understanding the operational aspects of your ACO. I don’t think it’s enough to just make sure you have the foundational documents. That’s the easy part in my opinion. But really understanding what, how it works, and the compliance pitfalls associated with it.

CJ: Yeah, you’re probably certifying to certain things on a periodic basis, so it’s what are you certifying to, are those true and accurate, and what are the flow of funds. What key things are you saying yes and no to that get you funds, or financial incentives. Is that also something to be thinking about.

Rebecca: Yeah, absolutely. The way that the funds work is, if you do end up with a particular level of shared savings. You will share in that, and each of your ACO’s will have a distribution methodology, and it’s really understanding how your ACO’s going to divvy up those shared savings, and then distribute it to the physicians. That’s really in my opinion, potentially a big risk area, and one that the ACO compliance officer should really understand.

CJ: Yeah, I think it’s kind of follow the money type of thing. I remember years ago, again a little bit off track, but I think it’s an analogy that might fit here. When the incentive payment program for EHRS was coming out, I remember saying to everybody, look this sounds great, you’re getting money, but you are going to have to certify to something when you get those funds that you’re using EHRS in a certain way, well low and behold a few years later, and you can see the OIG has it on their work plan, they essentially follow the money, and in compliance these skills are applicable in so many ways, and I think something similar to that is probably going to be in the realm of enforcement of ACO’s, is that right?

Rebecca: Yeah, I think so. I think CMS is kind of feeling it along just as we are. We have not seen any big enforcement actions with ACO’s, but they are doing audits, and they are looking at your quality, they are looking at some of the components, the structural components of your ACO, and I think they are really using that to get their feet under them. Kind of evaluate the program as well. We have not seen any big enforcement but that doesn’t mean it’s not on the horizon.

CJ: Exactly. And that’s kind of how, I think that’s the cycle of compliance. Money gets distributed and it’s a few years later that the start, you know, doing some of those audits and start doing some of the enforcement. With that in mind, you may have already mentioned some, but are there key risk areas that you recommend ACO compliance officers keep a close watch on.

Rebecca: yeah, definitely. I think ACO’s are not healthcare providers. Rationally. So, there is one version of an ACO where there is only one tax ID number and you might be able to kind of be your hospital and ACO at the same time. But most ACO’s are separate legal entities, and they are legal entities that are not considered covered entities under the HIPAA rules, and instead your business associate. And because you’re not providing the care most of the time, practically all of the time, data. What you have, and your benefit to your participants is the data. How you look at it, how you analyze it, how you make it actionable for your participants. I think that’s really kind of the backbone of what an ACO does. And because of this, you have all of the legal pitfalls that anyone with a large amount of health data would have. In addition to kind of having the foundational HIPAA and privacy business associate arrangements, kind of all of that contractual documentation that you would expect between a business associate and a covered entity. You also have to sign, the ACO has to sign a data usage agreement, this allows you to get the claims data, that’s really one of the big benefits of being in an MSSP ACO, and so you get all of this data that you didn’t otherwise have access to, and the data use agreement is very specific, and in some instances is more onerous than a business associate obligation, and is just something else for ACO compliance officers to monitor and ensure that if the CMS claims data is being used outside of your ACO, let’s say you have an analytics firm that is helping you with analytics, or care management folks coming in, if you’re sharing that data with them for any reason, they have to sign a data use addendum, and it has to be approved by CMS, so all of these kind of foundational aspects to be able to use the data and share the data, I think, is just a really key risk area for the ACO.

CJ: So like information security is probably a big portion of a compliance initiative and program, is that right?

Rebecca: Ya know, it is, and maybe in your typical healthcare compliance security might be something separate but I think as an ACO compliance officer, you have to understand how that is working with your ACO. And it may not be kind of top of the mind for your information security folks that they need to think about this differently, but I think that’s kind of our obligation to kind of walk them through, and put out some scenarios out there. I do think information security, and obviously privacy, is a big risk.

CJ: Absolutely, well Rebecca we are kind of coming close to the end of our time here, I wanted to ask maybe one quick question, taking you back to the resources available. You have just an immense knowledge here, I’m sure if there are other ACO compliance professionals that are listening they would want to know where would they go to connect with people like you, obviously you have your podcast, Compliance Mastermind, but are there working groups, are there list servers, are there groups that get together at national conferences. What kind of professional communities are out there?

Rebecca: Yeah, so I wish I could say there was kind of this one stop shop for ACO compliance officers, but I have not found it.

CJ: Maybe you should create it!

Rebecca: That would be great. However, there are a lot of organizations, if you’re part of, you know, we happen to be part of catholic health associate, and it started kind of a group of other ACO compliance officers there. If you’re part of a group purchasing organization, they may have a group for compliance, ACO compliance officers as well. I think really reaching out to, well, you know another place to kind of look and see if there is anybody else to connect with is LinkedIn. I know that’s kind of hit and miss sometimes, but that’s another opportunity as well. And I know that there are ACO associations and that sort of thing. It’s been my experience that with the clinical and administrative side of things, that really all of these ACO associations kind of focus on, sometimes it is still hard to find the compliance folks. But if anybody wants to reach out to me, I’d be happy, I have a big network of ACO compliance officers, and I’d be happy to talk with them.

CJ: Well thank you so much Rebecca, wealth of knowledge, appreciate your time and expertise. Again, one last shout out, your podcast is called Compliance Mastermind, Correct?

Rebecca: That is right, thank you so much.

CJ: Absolutely, and thank you for joining us. And thank you all for joining us today on another episode of compliance conversation. Until next time.

Questions or Comments?