This article first appeared in Corporate Compliance Insights on March 28, 2013.

“The only fence against the world is a thorough knowledge of it.”  – John Locke, philosopher (1632-1704)

In its bid to restructure the nation’s health care system, the 2010 Patient Protection and Affordable Care Act (the “ACA”) has created both challenges and opportunities in the areas of corporate compliance, governance and risk communities. In three short years, myriad regulatory clarifications have swollen this 906-page statutory giant into a 70,000-page behemoth whose might has been enough to overcome the judicial and electoral challenges of 2012, eliminating any doubts as to whether reform is here to stay.

At its core, the ACA means different things to different people. Patients typically focus on the promise of new guarantees and protections for health insurance for the populace, as well as the penalties for those who remain without coverage. But the ACA has also captured the attention of health care providers as they shift from a formerly cost-based system toward one that gauges success or failure primarily on patient experience. Even the insurance industry must yield to the new law and wend its way through a changing landscape complete with medical loss ratio requirements, the end of lifetime limitations, challenges to any increase in premiums over a certain percentage, and the soon to be introduced Health Insurance Exchanges.

While the infusion of elements such as innovation, preventative care and overall wellness provide the Federal Government with a new and as yet untested backup plan to ensure the success of health care reform, plenty of room still exists within the ACA to combat health care fraud, abuse and waste. The False Claims Act stands at the forefront in the government’s battle to preserve the integrity of health care resources, although the law has evolved considerably since first signed into effect by President Lincoln in 1863.  By ensuring the legacy of the FCA for future generations, however, the ACA has also created several compliance risks for companies across the nation.  Here are the top five:

60 Days to Pay

Last year the Federal Government made it unmistakably clear that health care providers must return federal overpayments within 60 days from the time the overpayment was first identified. Failure to follow this new requirement set forth in Section 6402(a) of the ACA throughout any ten-year “look-back” period creates potential liability under the FCA, including substantial monetary penalties and the risk of exclusion from health care programs in the future. Held to a standard of actual knowledge or “reckless disregard or deliberate ignorance” for purposes of identifying an overpayment under the new regulations, the Federal Government hopes this will provide “an incentive to exercise reasonable diligence to determine whether an overpayment exists,” or more specifically, whether one did exist at any time within the past 10 years.

Mandatory Compliance Programs

Section 6401(a)(7) of the ACA requires that all providers and suppliers who participate in Medicare must adopt a compliance program as a condition precedent. While the Federal Department of Health and Human Services (“HHS”) is charged with the task of outlining the details of this requirement, the Office of the Inspector General (“OIG”) has encouraged the industry “to exercise due diligence to prevent and detect criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law” consistent with the Federal Sentencing Guidelines for Organizations (“FSGO”), at least until the Federal Government promulgates something better. The seven essential elements within the FSGO should be a prominent part of any health care related environment, except perhaps a nursing home. Nursing homes would be wise to focus instead on Section 6102 of the ACA, especially since the deadline for all nursing homes to establish “a compliance and ethics program that is effective in preventing and detecting criminal, civil, and administrative violations” was March 23, 2013.

Physician Owned Hospitals

Section 6001 of the ACA limits the “whole hospital exception” under the physician self-referral prohibitions, more commonly known as the Stark Laws.  After the ACA, this exception applies only to physician-owned hospitals that had physician ownership as of March 23, 2010, and had obtained a Medicare provider number by the end of 2010. Section 6001 contains specific requirements for and restrictions on physician-owned hospitals, the regulations for which were promulgated at the end of 2011, including: (a) requirements for “grandfathered facilities”; (b) clarification of “physician ownership,” and specifically how said ownership can change but never increase; (c) limitations on the physical expansion (i.e., total number of beds) of physician-owned hospitals; (d) requirements for physician-owned hospitals to make certain disclosures to patients and the public so that their ownership structure is no secret; (e) restrictions on financial transactions, namely loans and guarantees of loans, among and between physician-owned hospitals and their owners, as well as reinforcement of the notion that all transactions must satisfy fair market value requirements; and (f) regulations relating to patient safety.

A New Kind of Audit

Medicare providers are all too familiar with the burdens placed upon them by the three-letter acronym “RAC” (recovery audit contractors).  With their roots in 2003 legislation that began as a three-year demonstration project using RACs to detect and correct improper payments within Medicare, the Federal Government has since expanded the idea to include new programs and new letters (including MACs, MICs, MIPs and ZPICs, among others).  The estimated $1 billion recovered in the program’s first year has grown each year for the Federal Government’s coffers, much like the record-breaking fraud recovery results that now exceed $4 billion annually.  Section 6411 of the ACA requires states to establish their own recovery audit program for Medicaid.  Clarified through November 2010 regulations, the burden to succeed placed on these Medicaid RACs is certain to increase exponentially in 2014 when Medicaid Expansion officially begins.

Physicians Get Sunburned

Enacted in February 2013, section 6002 of the ACA sets forth the Physician Payment Sunshine Act (the “Sunshine Act”).  Like most of the ACA, at its core the Sunshine Act is about transparency and public disclosure. The final regulations issued in February 2013 attempt to close practically every viable loophole that may have existed in prior versions of the Sunshine Act by requiring certain disclosures by manufacturers of drugs, devices, and biological or medical supplies who participate in any federally funded health care program.   Many group purchasing organizations (“GPOs”) must also make similar disclosures, including but not limited to (a) certain physician ownership or investment interests and (b) certain payment information made by these entities to physicians. The deadline for compliance pursuant to these regulations is August 1, 2013 (when these entities must begin to collect the information), and March 31, 2014 (the date by when these entities must report information to the Federal Government).

Even though the provisions within the ACA to prevent fraud, abuse and waste may not make daily headlines, these regulations have become firmly embedded in the culture of modern American health care.  These new requirements are an integral part of health care’s future as the Federal Government tries to reduce patient health care expenditures that result in nearly twenty percent of the nation’s gross national product, provided they do not put the providers out of business first.