As providers face diminishing margins, compliance-related costs are more of a concern than ever – but compliance initiatives can lead to additional costs and diminished efficiency.

To improve compliance and prevent the loss of additional funds, leaders of home- and community-based services (HCBS) are advocating for a shift in approach that reframes compliance as a proactive strategy, rather than relying solely on reactive measures. By leveraging technology and addressing the full range of compliance considerations, providers can enhance compliance without incurring significant overhead costs, experts told Home Health Care News.

“Everyone is feeling a sense of urgency or pressure surrounding regulatory oversight at all levels, from the federal government down to the state and even the managed care organizations,” HHAeXchange CEO Paul Joiner told Home Health Care News. “They’re feeling the desire to both remain in compliance and be in a defensible position.”

Founded in 2008, New York-based HHAeXchange is a home care management software company that specializes in serving the Medicaid HCBS population.

Data backs up the claim that providers are laser-focused on compliance. Over 70% of HCBS providers prioritize compliance more than cost reduction and operational efficiency, according to a survey by HHAeXchange. Providers face a balancing act, Joiner said, as they seek to improve compliance while minimizing the impact on their overhead and overall business efficiency.

Although compliance is increasingly a priority, many agencies’ approaches to compliance need strengthening to avoid common mistakes, according to J’Non Griffin, senior vice president at SimiTree. Agencies relying on government reimbursements that lack a proper compliance program or fail to follow health care regulations risk facing hefty fines, imprisonment, or exclusion from payer programs.

“Most agencies tend to be reactive rather than proactive regarding compliance. Unless they have an accreditation body requiring them to maintain compliance, they typically wouldn’t have roles like compliance officers,” Griffin told HHCN.

Griffin noted that while agencies frequently focus on ensuring OASIS compliance and may perform billing audits, they often overlook broader strategic aspects, such as conditions of participation and HIPAA compliance, during regular daily activities.

“Many smaller agencies lack the manpower or staff to do it; they may not have the knowledge, or they may have only been in home care for a couple of years and not understand all the nuances,” Griffin said. “We encourage agencies to consider conducting a gap analysis because they might not have that capability internally to identify where they’re falling short of regulatory or compliance standards.”

SimiTree is a technology-driven consulting platform serving post-acute and behavioral health agencies, based in Hamden, Connecticut.

Staying proactive and being prepared for audits is crucial, Joiner said, but providers run into challenges when keeping staff trained, not being prepared for an audit or not fully leveraging their technology partners.

To mitigate compliance risks in HCBS, agencies should develop a strong compliance program, provide ongoing training, carry out internal audits and leverage technology for effective management. Key focus areas include HIPAA, proper documentation and caregiver qualifications, according to Joiner.

However, ensuring compliance involves several steps.

“Pick a reliable technology partner who values and prioritizes compliance, making it a key focus,” Joiner said. “Ensure that compliance is integrated, automated and maintained within your technology solutions. Prioritize training and awareness, embedding it into the company culture. Be prepared for audits, as we are seeing more and more of them.”

According to Griffin, appointing a compliance officer is crucial for establishing a robust compliance program. The officer’s duties include staying up-to-date with evolving compliance laws, developing written policies and procedures, and providing training to employees.

She advised HCBS providers to regularly check the websites of the Office of Inspector General, the Department of Justice and national associations to stay updated on current compliance issues and focus areas.

“Make sure that as part of your compliance program, you have best practices and that you manage risk,” Griffin said. “No one is going to be risk-free. There’s always going to be mistakes, but you need to have as many processes in place to reduce that risk as possible.”

By ensuring compliance, an organization gains a program that provides cost savings, enhances the quality of care and promotes cohesiveness and transparency in its operations.

Training and transparency

Having a thoughtful approach to employees and training is a critical component of a thorough compliance plan.

It is essential that agency leadership, including the appointed compliance officer, is approachable so that staff feel comfortable asking questions or raising concerns about compliance, according to Griffin. They should also be confident in learning from these leaders. Employees need training on what, when, and how to report suspected compliance violations, with protocols clearly outlined in a written plan, Griffin recommends.

Staff should also be aware of where to find this plan and informed of any updates. This training should be inclusive of all staff, including volunteers and contractors, with a focus on HIPAA, patient privacy and data security.

“Compliance training should be part of every orientation, no matter what level – everyone needs to understand what compliance is,” Griffin advised. “If they see something that’s non-compliant, they should know how to report that. At least annually, training needs must be documented in personnel files. Organizations must have proof of that training.”

Any reported or arising compliance issues should be thoroughly reconciled and properly documented to serve as a training resource in the future, she noted.

“Documentation is a challenge in home health, and I believe it’s because of the many different regulatory functions and agencies involved,” Griffin said. “For example, if [an agency] is documenting for billing while also documenting for surveyors, having a strong documentation program that covers both billing and compliance with participation requirements would be the best approach.”

Additionally, organizations should make sure caregivers fulfill all required qualifications and training, Griffin advised. She also recommended that providers reveal any financial ties between referral agencies to prevent even the suggestion of wrongdoing, comply with anti-kickback and self-referral laws such as the Stark Law and ensure transparency in all financial dealings while avoiding improper incentives for referrals.

Audits and technology

All providers fear auditors and worry about losing their licenses, particularly those in the Medicare-certified sector, because of the unified national compliance framework, according to AlayaCare Co-Founder and CEO Adrian Schauer. He described compliance as “the cost of doing business.”

“It’s a mental state that home health agencies have been in for a long time on the Medicaid side, and now there’s been a ramping up of sensitivity to fraud, waste and abuse,” Schauer told HHCN. “Payers are trying to dig into compliance, and on the Medicaid, personal care side, there’s an increasing set of sensitivities around compliance.”

Founded in 2014, Montreal-based AlayaCare is a software platform and secure cloud system that offers clinical documentation, client and family portals, remote patient monitoring and mobile caregiver features. The company’s platform uses artificial intelligence-based predictive models.

HCBS providers should conduct annual audits to identify and address potential compliance issues. This includes conducting pre-billing audits to verify that claims meet requirements before submission, Griffin noted.

“It might be beneficial to have an external auditor review your billing, since they could provide a different perspective compared to someone within the agency, similar to how a government regulator might interpret records differently,” Griffin explained.

Using technology such as electronic health records (EHR) systems can aid in managing patient data and improving documentation accuracy. Agencies may also consider using compliance software to facilitate tracking, documentation and reporting, especially when a dedicated compliance officer is not available. Nevertheless, Griffin advises against overly relying on technology such as AI.

“It can certainly assist and make processes faster, but it shouldn’t take the place of human beings,” she noted.

For some, technology helps overcome cost challenges that are becoming increasingly critical as margins continue to narrow.

“Margins keep declining in this industry, and compliance generally adds costs when everyone is trying to cut expenses,” Schauer explained. “For software providers, this presents an opportunity. If you want to tighten compliance without increasing or hiring staff, technology can be your solution.”

Schauer added that HCBS is now entering the era of agentic AI and recommends automating all agency compliance audits with AI agents, thereby making the process continuous.

“The framework is shifting,” he said. “Instead of humans conducting occasional audits, AI agents will perform ongoing compliance checks.”

When choosing a compliance vendor, agencies should ask key questions, Schauer advised.

“With probabilistic models, you need to ask benchmarking questions like, ‘Is 70% good enough? Is 90% acceptable?’ and how the provider escalates to a human if AI can’t make a confident decision. That’s the new parallel,” he explained.

Most organizations will use cloud-based software, Schauer noted, and cloud providers are responsible for HIPAA and other regulations, providing a framework for reliance. However, “holes” can occur, such as unsecured texting or emailing of patient information.

“The biggest threat isn’t hacking the cloud but phishing employees for credentials and using those to steal data,” Schauer warned.

To stay compliant and secure data, he recommends implementing multifactor authentication and strong passwords. If issues arise, investigate and resolve them promptly. Establish transparent reporting processes and plans for data breaches or incidents.

“Whether you’re a small operation or a large organization, you can’t ignore this,” Joiner emphasized. “It must be a priority throughout the year, with ongoing attention from leadership and staff. Everyone should understand the importance of compliance.”