The following “top ten” list sets forth a few of the key legal and compliance issues health care providers should be looking out for this year.

1. Adjusting to Federal Health Reform

Federal health insurance reform, known as the Affordable Care Act (ACA), that passed in March 2010 is now fully effective (well, mostly). The rollout of health care exchanges was messy. As a result, providers will have to deal with the complicated process of working out benefit and coverage rules for patients. Keep an eye out too for complex rules related to the 90-day grace period for patients with federally subsidized coverage.

2. Managing the Medicaid Expansion

For states that opted to expand their Medicaid programs under the ACA, there will be growing pains associated with significant increases in enrollment. In Oregon, expansion is expected to add 250,000 covered lives to 600,000 already enrolled. The expansion likely will cause administrative budget challenges for states, access issues in low provider coverage areas, and questions regarding the economic effect of a shifting payor mix on medical practices.

3. Hardline HIPAA Enforcement

Last year brought covered entities and their business associates the HIPAA Omnibus Rule, this year will bring more enforcement as the Office for Civil Rights (OCR) continues to transform itself from an educational agency to more of an enforcement agency that assesses significant fines against non-compliant medical offices. Providers should be updating their HIPAA compliance efforts including risk analysis and management, clearer policies, and communicating with patients and staff about privacy rights and responsibilities. For example, patients now have a right to restrict what information a health plan may be provided if the patient pays in full for the service. While the concept sounded good on paper, OCR never quite addressed the practical issues for providers who are struggling to implement the rule cost-effectively without having to completely re-write electronic health record (EHR) and billing systems.

4. Government and Commercial Payor Audits

Providers are becoming routinely subjected to audits by both government and commercial payors. Records requests can be burdensome and timeframes to respond rather short. Audits may involve more than just billing issues and may cover areas such as meaningful use certification and EHR documentation. Providers should be mindful of the impending transition to ICD-10 in October 2014, and future audits regarding the accuracy of diagnosis coding versus just procedural coding.

5. Payment Models and Exclusionary Contracting

While it may seem like there is a bottomless pot of money in the health care system, the reality is someone has to pick up the tab. The ACA mainly was about access to insurance or benefits, and not so much about the cost of health care. As federal and state governments start to focus more on cost (because they will have to) the likely result will be attempts to get services provided for less money. Providers will begin to see different payment models emerge (some good, some bad) and other cost-cutting measures such as exclusive contracting to keep costs contained.

6. Overpayment Risk

The ACA created a compliance game changer for providers who bill Medicare or Medicaid. Once a provider identifies an overpayment by either federal program, they have a short 60 days within which to return the monies. Failure to do so could create potential false claim liability where basic penalties are $11,000 per claim. Providers should be careful when conducting internal audits as well as responding to inquires about any particular bill.

7. EHR Fraud

While the federal government incentivized the adopted of EHRs, it also now questions the abuse by providers of EHRs for maximizing billings or even engaging in outright fraud. Providers should be careful when using auto-fill functions, cutting and pasting health information, and accurately completing charting to reflect both the diagnosis and treatment that support the billing function. Third party payors, including Medicare, are engaging in more detailed analytics of massive amounts of electronic data to locate abuses and fraud.

8. Emergence of Concierge Practices

Frustrated by the complex work of negotiating health plan contracts and the myriad of rules and procedures to bill insurers, some providers are opting to move to concierge or retainer practices. There are a few different models of practices, and providers should be careful to engage in some due diligence before making such a leap (especially if the intention is to conduct a hybrid practice of charging a membership fee while still billing third party payors). Some states like Oregon have special laws in place too for non-hybrid models that only charge retainers and do not bill insurance. Even Medicare has special rules for providers who opt-out from billing for beneficiary care.

9. Identity Theft and Abuse

Obtaining someone else’s personal information to use for illicit purposes is far easier in an online world. Notably, the Internal Revenue Service disclosed that it paid out $4 billion in refunds in 2012 due to fraudulently filed tax returns. For the first time too, ACA health insurance exchanges are gathering both personal health and financial information in one location. Security of that information is by no means perfect. Providers today should be evaluating not only their own risk for loss of personal health and financial information, but also guarding against the risk of abuse by what hopefully is only a few bad apple patients who intend to fraudulently obtain items or services.

10. Protecting Provider Businesses with Compliance Plans

Doing business in the health care industry today is far more complicated than just three short years ago when federal health reform first emerged. Implementation of new regulatory programs is by no means perfect, and unfortunately providers are expected to “know it all” and “right away.” The ostrich approach of burying the head in the sand by folks here and there in the provider community is not much help either. As a result, providers today should be devoting some resources to developing a response to learn about changes in laws and effectively work toward compliance with various legal requirements. A compliance plan is one way to identify risks and implement internal responses to guard against those risks. This is not rocket science and makes good business sense in the long run.