In this blog I typically address D&O liability and governance issues in an industry-neutral way. Some industries, however, demand specialized attention. Healthcare is one such area. In this week’s blog Woodruff Sawyer partner and the leader of our healthcare practice, Chad Follmer, provides an overview of some of the key regulatory risk management challenges faced by both payors and providers engaged in networked partnerships such as accountable care organizations. While we know that changes to the ACA are imminent, it is clear that such networked partnerships enhancing coordinated, high-quality care delivery are here to stay. His discussion includes important observations about the role D&O insurance can play when it comes to risk mitigation for these types of risks. — Priya
In a drive to improve patient outcomes and reduce medical costs, more payors (healthcare insurers and managed care organizations) are teaming up with hospitals and physician groups to form their own networks of medical care providers, broadly referred to as accountable care organizations (ACOs), whether they are technically CMS-defined ACO participants or not.
While ACOs vary in terms of structure, they have a uniform guiding principle. By providing healthcare services on a capitated, value-based model for each insured member of the group, ACOs strive to reward the highest quality, most efficient providers by sharing risks and/or savings. At the same time, however, the risks facing ACOs are becoming increasingly complex.
Capitation risks. An emerging exposure for ACOs that share risk relates to the capitated service model. Instead of traditional fee-for-service billing arrangements, which provide itemized invoices for services, the network caps its payment for a procedure at a set amount, such as a flat $16,000 fee for an appendectomy regardless of potential complications. This helps reduce costs for member patients, which aligns with the aims of the Affordable Care Act (ACA) and enables networks to weed out inefficient providers.
Yet, if complications cause the network’s cost to exceed the capped amount, it must either absorb the excess costs from earnings or have insurance to help mitigate the financial risk. The issues increase when networks underestimate the cost cap for a procedure and the flat fee is repeatedly exceeded by actual costs. While specified stop-loss insurance can address risks involving single incidents and provider excess-of-loss reinsurance can respond to multiple overages, the coverages have become more restrictive and expensive.
Meanwhile, ACOs face several more substantial risk issues. While the concept of networking providers to facilitate quality care at lower costs appears in line with ACA objectives, these arrangements are experiencing serious growing pains.
Under an ACO, a hospital or group of hospitals contracts with various physicians, surgeons and medical providers who agree to perform specific procedures at designated network hospitals. Although this approach has clear advantages, the networks face potential Stark law violations, unfair practices and antitrust challenges, fraud allegations, and heightened HIPAA risks.
Stark Law violations. By creating a network of physicians and other medical providers in a city or geographic area who agree to perform certain procedures exclusively at a network hospital, ACOs technically risk violating the federal Stark Law. The law comes into play when hospitals provide incentives to physicians for admitting patients; while this is subject to interpretation, it has been applied to bundled services models where physicians are aligned with hospitals in their network.
Unfair practices and antitrust allegations. Especially in smaller markets, networks may be cited for creating competitive disadvantages for other local hospitals denied access to the network’s medical providers, which may affect independent hospitals’ ability to provide these services.
Meanwhile, patients who lose access to existing providers not admitted to the network or removed from it may bring suits against the ACO alleging unfair trade practices.
Still other issues arise when ACOs include certain providers and omit others. Physicians not included in the network may file suits alleging anti-competitive practices.
Finally, the U.S. Department of Justice may bring antitrust actions against ACOs for allegedly monopolizing medical care in a geographic area.
Medicare/Medicaid fraud. The federal government might still view hospitals in bundled service networks with capitated fees as operating under a fee-for-service model. In some instances, this can lead to allegations of overbilling or fraud with respect to services provided to Medicare and Medicaid patients. Of course, fraud exists with a handful of bad actors; however, it often simply involves a judgment call by coders differing from the CMS determination. These risks are compounded by the introduction of ICD10, which has eight times the codes of ICD9.
HIPAA exposures. Certainly, there are clear technological efficiencies and improved outcomes when medical records and other protected data are shared among multiple providers in their systems treating the same patients. However, ACOs face elevated cyber and HIPAA/privacy exposures from a broader range of entities with varied information technology security that have increased access to patient data.
Risk managers need to be proactive
Although senior healthcare executives are generally familiar with regulatory risks and cyber-related privacy exposures, most have yet to understand how bundled payment models and related merger-and-acquisition activity exacerbate these issues. Risk managers are best positioned to elevate this issue with the ACO’s leadership, and to discuss steps needed to protect the organization.
The commercial insurance market has solutions for many risks that can arise or be exacerbated by ACOs and similar arrangements. The coverages include cyber liability insurance, directors-and-officers (D&O) liability insurance and certain errors-and-omissions (E&O) insurance policies.
Addressing cyber and privacy risks related to HIPAA requires a combination of measures, including investing in data security services, regulatory compliance, implementing sound procedures and practices for data use and storage, and procurement of appropriate amounts of cyber liability insurance. Today, more insurers offer information privacy and security insurance policies that include broad coverage for HIPAA issues; however, risk managers should examine carefully any policy sublimits that restrict coverage for potential follow-on regulatory actions.
Meanwhile, both D&O and E&O insurance policies can provide some coverage for defense of antitrust actions and allegations of other regulatory violations. Yet, many underwriters are restricting the financial protection they offer. Today, these policies require higher deductibles, impose sublimits for antitrust, exclude coverage for certain acts, and involve large amounts of coinsurance.
For antitrust exposures, a managed care E&O policy may be most suitable for ACOs. While many non-payor ACO members have not historically purchased this coverage, it is a valuable tool for addressing exposures associated with ACO participation.
Allegations of fraud can be addressed somewhat by D&O insurance. Although these policies specifically exclude fraud, ACOs can obtain coverage for defense costs up to final adjudication, depending on the policy wording.
Thus, it’s important to examine your D&O contracts carefully; insurance company willingness to provide such coverage varies. Risk managers should work with their insurance brokers to negotiate with D&O insurers to obtain the broadest language. For example, while the D&O policy for an ACO member may have a $50,000 deductible overall, underwriters often will seek to increase it to $1 million specifically for antitrust allegations. At the same time, they will introduce co-insurance requirements and a sublimit, severely restricting protection for this risk.
Another insurance option for ACOs is a stand-alone “billing E&O policy,” which provides coverage for “False Claims Act” violations, alleged overbilling and a range of other regulatory liability issues. Designed to respond to actions brought both by commercial payers and government entities for Medicare or Medicaid billing errors and omissions, the policy can provide reimbursement for defense costs, external forensic audit expenses, as well as civil fines and penalties (where insurable by law).
Ramping up risk management
ACOs need to establish and maintain a sound risk management program, which also may help their negotiations with insurance companies. Key elements of effective risk management include:
- Retain an experienced healthcare attorney to audit the network’s billing practices and ensure it has a “clean bill of health”
- Implement written policies, procedures and standards of conduct
- Appoint a chief compliance officer and establish a committee
- Conduct ongoing internal training and education
- Maintain lines of communication across the organization
- Enforce ethics and quality standards through widely communicated disciplinary guidelines
- Establish and maintain an internal monitoring process and conduct regular audits
- Respond promptly to any detected offenses and act quickly to develop corrective action plans
Although ACOs and other bundled services arrangements may be here to stay, they require a thorough understanding of the risks and communication of them to senior leadership, along with the implementation of sound risk management practices, including the evaluation of existing insurance coverage and development of a comprehensive insurance program.