Episode Transcript

CJ: Welcome everyone to another episode of Compliance Conversations. I am CJ Wolf with Healthicity and today's guest is my good friend and colleague Brian Burton. Welcome, Brian!  

Brian: Hi CJ, I am so glad to be here! 

CJ: We're so glad to have you, and we thought everyone it would be fun today to talk about the recent conferences, the big conferences, coding compliance, and all that sort of stuff. Before we do that though, let's let Brian just introduce yourself real quick so that they all know what you do. I know you've been on many times before, but tell us what you're doing for Healthicity and a little bit about your compliance background.  

Brian: Yeah, absolutely! Thanks, CJ! For those of you who haven't met, welcome to the podcast. Glad to have you. My name is Brian Burton, and I am currently the chief compliance and Privacy Officer for Healthicity. I've been here now almost four years. Can you believe that CJ will be four years in July?  

CJ: Awesome, yeah! 

Brian: Time flies by when you're having so much fun. Here I have the luxury and the privilege to really help Healthicity manage our internal compliance and privacy program internal to the business. I also work with our sales team to promote the products that we offer to our clients and work with the product team to help deliver better solutions. And then, we also have a small consulting side of our practice, what we call advisory services here at Healthicity where we can help our clients manage their compliance and privacy program and the variable activities and challenges that present themselves.  

CJ: And both Brian and I were attending these conferences. So, most of the listeners will know of the Healthcare Compliance Association or HCCA, they have their annual compliance institute. I think this was, I can't remember the number 27 or 28, 27th or 28th Annual Compliance Institute and it was in your hometown, Nashville.  

Brian: It was! It's always a fun party in Nashville, right? I little embarrassed at the at the level of partying, going across from your Music City Center this year. But we had a great time, we really did. It was great to see everybody who had the chance to stop by our booth. It was certainly a privilege to be able to attend the sessions and try to, like all of us, trying to expand my knowledge and familiarization of all the compliance and privacy activities that are out.  

CJ: Yeah! And so this was for those of you listening later, maybe this is the those conferences were April 14th through 17th around that time frame, HCCA in Nashville, and then later in the podcast, we'll talk about the APC's Health Con, which does do compliance too, but also kind of revenue cycle, coding, billing, that sort of stuff that was in Vegas at the same time that week. Normally these are different weeks and I get to go to both like the whole time, but I had to split my time.  

Brian, tell us what kind of your key takeaways were, you got to spend the whole time there? You talk to people, you listen to sessions, you got to a good grasp on kind of the overall environment and stuff. What did you come away with?  

Brian: There were so many talented and intelligent presenters throughout the entire week. I feel like I'm taking a shortcut, talking about the keynote and the OCR and OIG guidance, but those were the highlights for me, but I want to recognize every presenter that had an opportunity to contribute to this year's Compliance Institute. It was a phenomenal session. If you're not attending in person, you are certainly missing out on a great opportunity to learn real-time and network with really expert professionals in the compliance industry.  

But my favorites were, and again, I feel like it's a shortcut, but my favorites were the keynote address from Chief Counsel Robert DeConti, his presentation and describing us as compliance professionals as heroes was a bit humbling, but, you know, probably had a good ounce of truth in it, right? Ensuring that as compliance professionals, we really are rolling our sleeves doing the hard work of evaluating our organizations' activities, the patients, and the communities we're serving and then measuring what are the regulatory requirements for that particular area of practice. 

And most compliance professionals, especially those working in, you know, if you're that multiple hat compliance professional where you have multiple responsibilities, you really are a hero, and it really does translate good healthy mature compliance programs, I've said this for years now, translates to better patient safety, better patient care, and we really do think all the compliance professionals and privacy professionals that are contributing to the compliance programs. And I think Mr. DeConti did a great job of describing and recognizing those efforts.  

CJ: Yeah, I really liked kind of his theme of, you know, Hero's journey or I can't remember the exact title, and he, you know, collectively, he used the story, but collectively we've all been there, as compliance officers we've all had some of those experiences that he was describing, you know, maybe identifying some non-compliance, trying to convince executive leadership of the issue and maybe a payback and this and that and this and that. Yeah, I really enjoyed It!  

Brian: And then, you know, for me, it was a great story, it was a great reminder and sometimes, and maybe and hopefully really, a rewarding look in the mirror for a lot of compliance professionals that we are having a positive impact to the healthcare industry. But a couple of takeaways that I found in his keynote address were the concentration of efforts on artificial intelligence and private equity. And talking about artificial intelligence and CJ, I'd like to get your thoughts as well, but what I thought was unique, was the hint that we got that the OIG would also begin using artificial intelligence to implement better prevention and detection systems. What do you think?  

CJ: Yeah, absolutely! I attended a False Claims Act case or not a case, session at HCCA on Sunday. So, I guess that's the pre-conference. And they were talking about how the number if you look at like 30 years’ worth of like False Claims Act cases, you know, up until just the last 6-7 years, almost all of those cases were whistleblower cases. They have seen a huge uptick in the government doing their own, and that all has to do with data analytics and this concept of artificial intelligence and following the money and looking at all this sort of stuff, they're not waiting around anymore just for whistleblower cases. Of course, those will be strong cases because whistleblowers often bring inside information, but there were hundreds of cases last year that were initiated not by whistleblowers but initiated by the Department of Justice themselves, and that had to do with data analytics and the artificial intelligence and all that kind of stuff.  

Brian: I couldn't agree more. Do you remember, was maybe four, maybe five years ago, the key phrase of the conference and the buzz or the key buzz phrase was big data and what do we do with it, right? Do you remember that? 

CJ: Exactly! yes! 

Brian: Well, now we know what we're going to do with that big data we're going to put it in a big database and we're going to turn loose on artificial intelligence machine to start trolling through. And do what we as humans can't do efficiently, and that is to source and compare all of those results and help streamline those analytics so that we can create visualizations that are easily digestible and then ultimately, you know, pull out the outliers, and then how do we respond?  

CJ: Yeah, it's finding those needles in the haystack, right? Still, you know, we may be jaded a little bit because we work in compliance. We talk about all the bad things that can happen. The vast majority of healthcare providers are honest, ethical, working hard, you know, doing great work. And so, you got these mounds of data and really what they're focusing on is trying to find those needles in the haystack, the bad apples and the ones that are doing things on purpose, or maybe just abusing, so to your point, finding, you know, using algorithms and to find the ones that are most likely those outliers. And of course, you still have to then audit and dive deep and say; "Okay, is it a valid outlier?" Someone's got to be an outlier because that's just statistics, but is it defensible?  

Brian: Yeah, exactly! And I think that transitioning to that, I think the key take away is additional key takeaways from Mr. DeConti's presentation there was, how can we as internal compliance officers, how can we leverage artificial intelligence to help us prevent and detect and are we thinking about budgeting for those things, right? those are tools and many of them are not cheap. But are we communicating with our IT professionals and our CIOs, how can we leverage those tools and resources that are that are emerging within our organizations to use them for a compliance tool?  

And then last but not least is, you know, keeping our finger on the pulse of various vendors just like Healthicity and everyone else, what AI services are we using? How are they being implemented? What value are they bringing? And then are there certain instances where we're using artificial intelligence to shortcut the medical documentation process? Do we have the ability to over-code something and is that artificial intelligence tool misleading an organization or leading an organization down a path that might create overpayments?  

CJ: Yeah, exactly! And you know, you kind of mentioned kind of private equity and kind of following the money and I'm not trying to make any judgments, cause obviously there's good people in all places, but the point that they're trying to make is that if investment returns trump that whole patient safety and it's possible to do both right to get returns plus to do things well, usually those go along with each other, but at the expense of it's, you know if it so, it's new entrance into... right?  

Brian: Yeah! To your point, that's a difficult balance, right? To leverage, and I guess for me, I'm a firm believer that there is definitely a need for, for private or even, you know, not for or for-profit healthcare providers to exist, right? There's a lot of innovation that occurs in for-profit healthcare, but at the same time like to your point, do we have the appropriate controls in place to prevent financial gain decisions negatively impacting the negatively impacting the delivery of care.  

And I think we just got to be mindful of it, right? And it doesn't necessarily, you know, if I'm a compliance officer working in an entity, it doesn't necessarily have to be a private equity firm that drives that thought process. If I'm a compliance professional, I'm thinking about those things all the time, right? What are we doing as an organization to increase our ability to deliver care?  

CJ: That's right! You just have to be careful, you know, because you can't speak out of both sides of your mouth in private equity, they expect returns, you know, for profit that is part of their mission is to deliver profits to their shareholders and they're required to do that, right? They have a duty to do the best they can to do that. It's like you mentioned, it's just this delicate balance and it can be done. It's just they drew attention to the fact that they just want to watch that closely.  

Brian: Yeah, and you know, final thought there I mentioned it earlier, but to end on a positive note. There are tons of innovations in healthcare delivery through for-profit and even private equity healthcare, right? There is a place there is a place for that in our healthcare system. It helps create innovations and better delivery.  

CJ: Yeah! That was really a great kind of keynote. What other things in the conference that there was keynote from OCR, right? Do you have any thoughts on that? 

Brian: Yeah, absolutely! I keep hearing about the security rule updates, right? I'm losing fingers counting, super excited about seeing what that might look like. I think we also heard that we would see some privacy rule updates specific to the reproductive healthcare and our responsibility as healthcare providers. But then also big takeaways from the OCRs' perspective is prioritizing their HIPAA investigations around ransomware and their threat and other threat actors like hacking and so on and so forth. I think those are emerging issues we've all seen if you haven't seen change healthcare in that particular ransomware event, you'll do a quick Google search it is worth a little, even if you're the revenue cycle expert in your compliance department, understanding the threat that ransomware had with change Healthcare is worth understanding. And if your focus is more privacy and security, then you definitely should be intimately familiar with those details, and so is the OCR, right? What do you think, CJ?  

CJ: Yeah, well, just hearing you talk about it, just made me think that might be a good one for us to do a deep dive on at some point because it was such a major event, like I have people who know I work in kind of healthcare compliance, they don't really know exactly what I do like doctor friends and nurses and friends and stuff. And like; "Hey, did you hear about this? I bet that's going on in your world right now." I'm like, "Yeah, I've heard all about it." So it's like, the point is that story got beyond the compliance nerds, if you will, it went to...  

Brian: Yes, and well outside and well outside the normal channels of cybersecurity and IT and information systems management, right? That story, you know, hit the financial news market, right? It was on CNN, you know, it made national news and it's worth, it all goes, you know, I don't want to go too far down that rabbit hole yet, but to your point, maybe we should do another session on this, yeah. But the threat actors are coming back to them, right? You know, allegedly, a ransom has already been paid, and now they're being solicited for our second ransom. And so, I think that's the risk of, you know, seek legal and law enforcement advice before you make that decision.  

CJ: Yeah, but the fact that it got a lot of popularity in the news or a lot of, I guess headlines in the news as compliance officers, part of what we're supposed to be doing is being the messenger. And so, if there's that awareness in people who are normally not kind of in this space, use it, right? Get some mileage...  

Brian: It's a good time to leverage as an educational opportunity, right? You have that presence and visibility in the news cycle if you will, use it to your advantage.  

CJ: Exactly! 

Brian: Another thing real quick, if we're still talking about the OCR, you know they highlighted the importance of following up with some of the civil rights priorities specifically around section 1557 and non-discrimination healthcare programs and those activities and finalizing proposed rule changes there and also with section 504 of the Rehabilitation Act from 1973. So, they're also those who are still focusing on several other changes from a civil perspective.  

CJ: That's right. Yeah, I mean, that's their job, right? They're not just. I shouldn't say just, but they're more than HIPAA and privacy.  

Brian: Exactly!  

CJ: Right! They're the Office for Civil Rights, and so they're looking at all sorts of things, important things.  

Brian: And it's important for us to remember as compliance and privacy professionals, while maybe the majority of our interactions with the OCR, come from that HIPAA administration, we still have responsibilities in healthcare to other civil rights responsibilities.  

CJ: Exactly! I was just going to say, let's take a quick break and we'll come back and maybe finish talking on HCCA and then and then maybe turn to the other conference. But let's just take a quick break everybody and we'll be right back in a moment.  

Brian: Thank you! 

CJ: Welcome back everybody from our break, this is CJ Wolf with Healthicity and I'm with Brian Burton from Healthicity and we're talking about these wonderful conferences that happened this spring in 2024, April 2024 and we were kind of finishing up some of the highlights on HCCA's Compliance Institute in Nashville. Brian, any other thoughts that you had before?  

Brian: Yeah, I saved the, for me. I saved the best for last. If you're not aware that the OIG published a general compliance program guidance in November of 2023, shame on you. And I'm sure Sarah and the marketing team will post a link to that program or excuse me to that program guidance here in the podcast. And you can find it elsewhere throughout the Healthicity resources and throughout the OIG website. But it was big news, right? We've talked about it a bunch, CJ, we've, and we continue to talk about it. We're also looking forward to the industry-specific guidance that's forthcoming, but it was good to see the OIG come in and really double down on the importance of following the guidance, right?  

I heard a quote, I'm going to paraphrase briefly, but I heard a quote; "This is not a regulatory requirement. It's not enforceable, but it's readily available, and if you choose not to use shame on you. Hope we don't find a problem."  

CJ: Yeah, exactly! I don't know why anyone would not want to use the guidelines. And maybe there's a valid reason that I'm just not thinking of off the top of my head. But if I were in a position where that was kind of the culture of my organization, I just would want to maybe ask myself, "Is this the right place for me?" Because you know, you should be doing proactive things. You shouldn't always just be waiting; "Well, what's mandatory? What's required, what's required?" Well, part of what we should be doing is, you know, being proactive and that's what's really the best thing.  

Brian: Absolutely! And I think, you know, before we move on, I'm super interested in your thoughts on HEALTHCON, but I want to remind everyone, but why OIG is still soliciting feedback on the guidance document and how it works, right? You can e-mail them at compliance at oig.hhs.gov.  

CJ: Yes!  

Brian: And provide your feedback. Maybe you want to do that anonymously. Maybe you don't, but you know it's there. It's an extremely valuable resource. It is far and away improved from previous program guidance that we've gotten and I'm super excited to use it on a daily basis.  

CJ: I was just going to say, you know, and we are using it, right? Like you said, we're already doing deep dives into each subsection of that guidance. It's a big guidance, 8090 pages. And so, you and I have been doing some of those webinars. We're writing a lot about different bits and pieces of it and you already mentioned this. But, let's just go back a couple of years, you know, OIG said they were going to modernize, right? And so, we knew this was coming, then they announced it would come and then it did come. And now don't forget they're announcing, like you mentioned, the industry segment-specific guidance. So, this, the general one is general. It's for all types of entities. We're going to be looking forward to seeing what the OIG has told us this year, Medicare Advantage. So, managed care guidance specific and nursing facilities. And then they said the next two after that would be lab and hospital. We don't know when all these will come out but that starts to get us excited and stay tuned to all the work that we do because when those things come out we'll start you know doing deep dives into those industry-specific ones too.  

Brian: Absolutely! And so, CJ, without further ado, cause I did not have the chance to travel from Nashville and go to HEALTHCON. What was your experience at HEALTHCON like?  

CJ: Yeah! So, HEALTHCON was in Vegas and you know where we're talking about Vegas. I think next year's HCCA Compliance Institute, which will be the 29th I looked up during the break, will be in Vegas. So, Vegas is Vegas, we've probably all been there. So, the setting was fine. I basically stayed inside and went from hotel to. conference but it was great. Lots of people, lots of excitement. Healthicity had a booth there, you know, talking about audit manager and some great things. The keynote is always good. Bevan, who's the CEO, AAPC CEO, always does a great kind of intro discussion, talked about AI. You know, that was kind of big, talked about all the things that are going on in the world of coding and revenue cycle and management and you know business management and those sorts of things.  

Sessions were really, really fun. One that I well, if I talk about themes, like one that I saw, I went to a couple on this topic, but there were so many I just couldn't go to. All of them, just the whole risk adjustment and Medicare Advantage, right? We just said that OIG will be publishing guidance specific to the Medicare Advantage World Managed Care World, and that was hot topic. All the different codes and the conditions that are at risk, you know to put things into context, more than half of all Medicare beneficiaries are now enrolled in Medicare Advantage. So, this fee for service, you know the traditional Medicare kind of payment methodology that a lot of us that have been around a while are used to, at least from coding and reimbursement perspective is starting to get smaller and smaller. It's still obviously a huge area of compliance and it will be for a while, but we just see the growth of this risk adjustment and Medicare Advantage and just all the audits and all the coding and things that are going on. And so that was probably one of the biggest themes that I saw at HEALTHCON.  

Brian: Perfect! So, did that revolve around the whole or the idea of value-based care and all that?  

CJ: Yes, exactly! So, for the last 20 years, 25 years, you know, docs I get paid off of that CPT code, right? Yes, ICD codes are important because they tell you what the diagnosis or the sign or symptom is, and sometimes payment can be based off of those diagnosis codes. But reimbursement is generally off of that CPT or HCPCS codes. So yeah, with it's all this value-based type of care. And so we're kind of flipping it a little bit and now you get essentially, simplifying things, and so I apologize to those who are experts in this field, but essentially payment is based off of how sick and complex patients are and the way that you show how sick and complex patients are is by their diagnosis codes. And so, some things that came up, for example, you know, major depressive disorder, not everyone who has depression has major depressive disorder. You can have less severe types of depression, and there are certain severity levels that kind of kick you up to that next reimbursement level if you will. And so that was an example of something that was discussed another one is cancer, right? You might have a history of cancer that's not the same thing as actively being treated for cancer. You might have a history of a stroke or a history of a myocardial infarction, but that doesn't mean you have an active episode of it. And so these kinds of conversations were really interesting. But yeah, it all has to do with the value-based payment.  

Brian: And so, did you have a chance or did or did the conference, any sessions related around accountable care organizations or CEOs, and how those are structured?  

CJ: I'm sure there were some I did not attend any. But if I were to look back, you know, and I think it was similar to HCCA where, you know you, the breakouts there may have been 10 choices, right? For each breakout hour or hour and 15 minutes. And so there were probably some, I'm not recalling any off the top of my head but you know one other thing Brian outside of this risk adjustment and Medicare Advantage, E&M was a big topic. So, Evaluation and Management coding I presented on that myself I presented on the case. So a lot of listeners are probably familiar that E&M coding, these are the office visit or even hospital visit codes, they're the non-procedural codes. It's when a doctor you know does your history, physical exam and says take two and call me in the morning, right? It's all that cognitive work and we used the 1995 and 1997 guidelines for decades well in 2021 and 2023 those guidelines that E&M documentation guidelines changed, and so now we're living in this world of using those guidelines, and I presented on a case. That's the first one that I'm aware of, it was a settlement; False Claims Act settlement, using the new guidelines, that's what was in question, not the older guidelines. So, and then there were a bunch of other sessions on E&M, so that was always an important topic at HEALTHCON for sure.  

Brian: That's fantastic! Were there any other surprises or interesting tidbits that you picked up from HEALTHCON?  

CJ: Yeah! So maybe just to end on HEALTHCON, I always make a goal to attend something that I know very little about, as painful that may be, and so I attended an anesthesia coding session that was excellent, it was co-presented by a coder and an anesthesiologist, so that was really interesting to hear kind of the clinical side and the coding side and anesthesia coding and billing is much different than other kinds of coding and billing. And so that was fun for me because I, you know, push yourself a little bit, try to learn something that you don't deal with every single day. But lots of great things, lots of great people, a lot of good fun activities that were there. And yeah, so I would say HEALTHCON was a success. I think their next conference next year, I was looking ahead because I'm like; "Please guys, don't schedule these on the same week," and it looks like they are in different weeks. HCCA is a different week than HEALTHCON. I think HEALTHCON is going to be in Orlando, it's still in the spring. But it seems like we might be able to do both.  

Brian: That will be more fun!  

CJ: Yeah, right! 

Brian: That will be more fun. I'm looking forward. Maybe we can make a trip together this next time.  

CJ: Yeah, absolutely! Well, Brian, I think we've probably talked a lot and probably need to wrap it up any last-minute thoughts on anything that either with the conferences or anything else that's going on in the compliance world? 

Brian: Again, I'll close with if you don't have an opportunity to attend these conferences, I highly encourage it. Plan ahead budget for the travel and expenses. In-person attendance to these conferences can't be replaced with the podcast and our podcast or the webinars, right? The in-person attendance is where the real value is.  

CJ: Yeah, I agree with you and you know, if you missed this, you know the Compliance Institute is their big conference every year, but they do have kind of national conferences but more topical so like, I'll be speaking later at the higher education and Clinical Research Compliance Conference that they have every year. There's a clinical practice one. So, they, you know, they have these other ones too that if you're more niche in what you're doing you might be able to find some other conferences, but I agree with you, Brian. Attend in person if you can. I know it's hard. It's hard to get away from work. And but it sharpens the saw.  

Brian: Absolutely! CJ, thank you so much. And to our marketing team and Sarah, a fantastic team of people love participating in these. And thanks for having me today.  

CJ: Yeah, absolutely! And thanks for being a part of it, Brian, and thank you to all of our listeners that listen to the podcast. Please share these with colleagues and friends that you think might enjoy them. And we always make this invitation, if you know of other topics that you'd like addressed, please reach out to us. And if you know of other subject matter experts who might make a good guest, please reach out to us. We'd love to to bring you what you want to hear. So, thanks, everybody! Have a great day!