So far, there haven’t been audits or enforcement actions directly aimed at accountable care organizations (ACOs), clinically integrated networks (CINs), alternative payment models (APMs), population health and other value-based programs, but they’re inevitable as the health care industry shifts in that direction and away from fee-for-service reimbursement. Hints appear in the HHS Office of Inspector General’s plan to audit quality of care reporting, and there are compliance requirements for all value-based programs. Satisfying them with independent partners dispersed throughout a region is a new ballgame, and the risk areas are turned upside down, with overutilization replaced by lemon dropping and cherry picking.

“A lot of the compliance pieces are a little counterintuitive to what compliance people have dealt with,” says Dawnese Kindelt, senior compliance director at Dignity Health, which has hospitals in California, Nevada and Arizona. For example, hospitals normally court disaster under the Stark Law, Anti-Kickback Statute and beneficiary inducement civil monetary penalty law if they give money, goods or services to referring physicians or patients, but the incentives are different in the Medicare Shared Savings Program (MSSP) ACOs and other value-based programs, which is why CMS and OIG established fraud and abuse waivers. “It’s a whole new perspective how we look at things,” Kindelt notes. There’s also the challenge from the slightly different demands of each program. While the fundamentals of compliance—the seven elements—apply to every program, policies and training have to be customized. “You have nuances for each of the programs,” she says. For example, each program requires its own compliance plan addendum, compliance education to specific subsets of people and distinct beneficiary notifications. Also, HIPAA policies have to incorporate all CINs and organizations, such as an Affiliated Covered Entity and an Organized Health Care Arrangement, that are sharing beneficiary data.