Evaluate Your Compliance Monitoring Program with the Impact Compliance™ Spectrum

Healthcare compliance monitoring has never been easy. Cloudy regulations, disparate data sources, and a lack of internal resources make it a complex yet crucial aspect of the healthcare industry.

So, what makes an effective compliance monitoring program? As part of ProviderTrust’s Impact Compliance™ initiative to raise the bar on compliance monitoring industry-wide, ProviderTrust has established a comprehensive compliance spectrum that outlines a range from minimal compliance coverage to the gold standard of compliance monitoring.

The compliance spectrum helps organizations of all sizes identify the effectiveness of their compliance monitoring based on three key factors: population, primary sources, and frequency. These three factors each contribute to your overall impact on eradicating fraud, waste, and abuse within the healthcare system.

1. Evaluate Your Population

First, look at the populations whose eligibility you monitor to find your place on the compliance spectrum. At a minimum, you should verify the licenses and credentials of every provider employed at your organization at hire and expiration. You’re also required to monitor multiple populations against federal and state exclusion lists. Most organizations are on top of employee monitoring. But do you know the current status of your ordering and referring physicians? What about vendors? Here are the general parameters we’ve observed that define different levels of coverage:

  • Status Quo: Organizations at this level perform license and credential verification for all employed providers and exclusion monitoring for employees at the federal level through OIG-LEIE and GSA’s SAM.org. They typically monitor a limited number of state-level exclusion lists, generally only in the states where the organization provides care.
  • Regulatory Standard: This level includes everything in the basic category with the addition of exclusion monitoring for every state list available, not just a select number of states. Most organizations also add exclusion monitoring for vendors at this level.
  • Gold Standard: In addition to comprehensive employee license verification and exclusion monitoring for employees and vendors, organizations with the highest standards monitor all of their active ordering and referring physicians for exclusions at the federal and state levels. To maintain organization-wide consistency, Human Resources and Compliance departments should align on which populations they monitor and why.

It’s important to consider the full picture of your organization when mapping out which populations to monitor. The Office of the Inspector General (OIG) Advisory Opinion and Official Guidance is clearly designed to avoid using federal healthcare dollars to pay for services from individuals or entities who have committed fraud, waste, or abuse. This applies to employees, providers, ordering and referring physicians, and vendors alike. These regulations aren’t always enforced for various reasons, but a lack of enforcement shouldn’t result in a lack of adoption. We can—and should—do better to protect the safety of the communities we serve.

2. Outline Your Primary Sources

Accessing primary source data is perhaps the most important part of the compliance monitoring process, yet it’s one of the most challenging pieces of the puzzle. Provider license and credential data are notoriously difficult to access, with countless sources, numerous data formats, inconsistent data uploads, and varying access requirements.

And then there’s vendor data, which tends to be a black hole for most organizations. Collecting and verifying vendor data can be a daunting task. Still, it’s important to treat vendor exclusion monitoring with the same level of rigor as the rest of your monitoring population. Oftentimes, bad actors hide behind the corporate veil within the vendor segment, taking advantage of a murky data environment to go undetected.

  • Status Quo: At a basic level, most organizations verify credentials and monitor for exclusions at the primary source. However, the disparate nature of this data makes it difficult to complete these tasks manually, so organizations without an automated system may not have the complete picture. Data integrity plays a role here, too, so those without strong data hygiene may be using primary sources to verify information that isn’t accurate in the first place, causing further manual work and increasing the likelihood of error. Vendor data collection is minimal and irregular; organizations generally don’t verify vendor data at this level.
  • Regulatory Standard: Many organizations at this level utilize low-cost vendors for primary source verifications and exclusion monitoring, which may offer coverage at a surface level but can often lead to missed exclusions due to a lack of data integrity. Organizations at this level can get bogged down by “potential matches” returned by their vendor that require manual intervention and additional resources. They may technically be collecting vendor data to maintain compliance. Still, it’s typically not verified due to a lack of resources, which leaves the organization vulnerable to a higher level of risk.
  • Gold Standard: Organizations that reach the highest level of this spectrum utilize a seasoned automated solution for primary source verifications and exclusion monitoring to ensure the integrity of their data and the accuracy of their results. The most trustworthy automated solutions are HITRUST-certified, which indicates they’ve attained the highest level of cybersecurity practices in the industry. At this level, organizations gather vendor data annually and verify it with their vendor population to ensure their data integrity. This usually involves vendor data attestations, custom questionnaires, and a strong understanding of their first-tier, downstream, and related entities (FDR) population. We recommend that provider organizations integrate payment eligibility statuses into their AP system.

3. Establish Your Frequency

A compliance monitoring program is only as strong as its data. But data goes stale quickly, so it’s important to ensure you’re working with the most accurate data possible. For that reason, the frequency of your license verification and exclusion monitoring makes a huge difference in their effectiveness and your compliance.

  • Status Quo: Every organization is required to verify licenses and credentials at hire and at expiration. Since there can be a multi-year gap between checks at this frequency, an ineligible provider could be caring for patients for quite some time undetected—whether they’ve simply missed an expiration date or they’ve acquired a disciplinary action, for example. Most organizations at this level aren’t updating their ordering and referring physician data, relying on stagnant exclusion data that may be long outdated. At the vendor level, most organizations may initially collect data for new vendors, but they’re unlikely to regularly update their vendor data.
  • Regulatory Standard: Though regulations require license and credential verification at hire and expiration, most provider organizations verify more frequently. The majority of organizations verify licenses and credentials on an annual basis, according to a 2024 industry survey by ProviderTrust and Healthcare Dive. Organizations at this level likely perform exclusion monitoring for their referring and ordering physician population, but they’re not monitoring this population on an ongoing basis, so they’re often relying on stale data. These organizations do collect vendor data but don’t verify the data or enforce vendor compliance with their data collection practices. Data hygiene plays a huge role here for both ordering and referring physicians and vendor populations. If your records for each population aren’t updated regularly, you may be spending resources to periodically monitor a provider or vendor that isn’t even active. With a smaller, more accurate list, you may be able to increase your monitoring frequency without taking away from other compliance efforts.
  • Gold Standard: To reach the highest level of compliance coverage, the frequency of your monitoring should match the frequency of the primary source updates. Generally, ProviderTrust recommends a monthly cadence for license verification and exclusion monitoring. Most primary sources are only updated every month (if that), and more frequent verification is often a waste of resources since there will be no change to the primary source. Monthly ongoing exclusion monitoring and license verification for your entire population—including employees, ordering and referring physicians, and vendors—protects you from unnecessary risk while maximizing the effectiveness of your resources.

As you evaluate your organization’s practices in each category, it’s important to also consider how Human Resources and Compliance can work together to improve data practices and compliance coverage organization-wide. HR and Compliance should be aligned in each area not just for the sake of accuracy and oversight but also for the efficiencies that can be gained under a more streamlined system.

Ultimately, each organization’s coverage depends on its risk tolerance. Those who leave cracks in their coverage leave the door open for fraud, waste, and abuse to enter the communities they serve. At ProviderTrust, we’re committed to setting a new standard that prioritizes comprehensive compliance monitoring on the front end to prevent fraud, waste, and abuse from impacting patients in the first place.

Ready to learn more about Impact Compliance? Book an assessment today for an in-depth, personalized evaluation of your organization’s compliance monitoring program.

At ProviderTrust, our mission has always been to create safer healthcare for everyone. We tackle that mission by continuously prioritizing:
We know every compliance program is limited by its resources—time, money, and people. Speak to one of our solution experts to see how ProviderTrust can customize an Impact Compliance program to uniquely meet the needs of your organization.
