As the opioid crisis deepens—with more than two million Americans said to be dependent on prescription pain pills and street drugs—opioid treatment centers are part of a burgeoning industry estimated to reach over $42 billion by 2021. The 21^st Century Cures Act, enacted in 2016, allocated a full $1 billion over two years for the expansion of opioid treatment and prevention programs in all 50 states.

While the majority of these treatment programs legitimately offer hope and help to addicted individuals, unfortunately a few bad actors have muddied the waters and drawn increasing state and federal regulatory scrutiny. The Opioid Fraud and Abuse Detection Unit within the Department of Justice is one avenue for federal oversight, with DOJ additionally appointing U.S. attorneys to shepherd opioid health care fraud cases in 12 jurisdictions. Similarly, state attorneys general have initiated investigations and enforcement proceedings against addiction treatment providers.

To be sure, many of these enforcement and regulatory measures are helping to tamp down fraudulent and abusive tactics that put an already vulnerable population at greater risk. These include patient mining, with kickbacks designed to entice addicted people into sober homes and certain residential facilities, which then begin collecting reimbursement for services. Unfortunately, the clinical services delivered are often fraudulently misaligned with what’s advertised, with the addicted individual suffering the consequences. Other, overtly fraudulent insurance practices, including excessive urinalysis is testing, also have come to light.

So how can legitimate behavioral health providers—especially independent facilities without the backing of large hospital groups—be sure they meet an evolving patchwork of regulatory and law enforcement measures that are designed to prevent fraud, but potentially expose all providers to risk? The answer lies in having a plan, and ensuring that this plan is fully implemented. The development of a robust compliance program can help providers shore up their procedures and eliminate vulnerabilities in the context of scrutiny from federal and state law enforcement. Yet a surprising number of addiction treatment providers—large and small—lack fully developed compliance programs.

Here are eight key considerations as you build or review your own organization’s compliance plan:

1. Make an Appointment. Appointing a Compliance Officer is a first step toward ensuring that your compliance plan evolves with state and federal regulation, and key stakeholders in the organization are bought in. Your Compliance Officer should have a direct line to your CEO, board of directors, and all senior management.
2. Review and Write. If you have an existing compliance program, now is the time to drill down and ensure it adequately addresses the moving target of regulatory and enforcement issues in the addiction treatment space. If you don’t have one, now is the time to put one down on paper.
3. Look at Licensure. A primary issue that should be addressed within a comprehensive compliance program is that of licensure. Historically an area with less state regulation involvement, treatment program licensure has gained attention and scrutiny in recent years.  States across the country are reexamining the scope and extent of licensure oversight of impatient, residential, and outpatient treatment facilities. Your program should confirm appropriate licensure of your facility, prescribing practices, and any remote or telehealth services you provide.
4. Assess Billing and Coding. It’s imperative to assure that provider operations related to insurance coverage are assessed through a compliance program. For addiction treatment providers, this should entail all key interfaces with insurance providers, including lab and prescription charges.
5. Pay Attention to Privacy. The proliferation of electronic infrastructure and increasing use of digital tools by providers have put privacy and security front-and-center for state and federal regulatory activity. To keep risk from falling through the cracks, make sure your program incorporates HIPAA and other federal and state privacy and security requirements, especially in the context of e-health records and other internal approaches that rely on electronic patient data.
6. Cover Contractors. All third-party partnerships should similarly cover data privacy, as recent case law has held provider organizations themselves accountable for patient data breaches involving their digital health vendors.
7. Scrutinize Your Services. Are your clinical offerings aligned with your program outreach and marketing language? Is such language over-promissory in any way? Is your reimbursement commensurate with actual high-quality services rendered?
8. Educate All Stakeholders. Once your program is defined, a robust educational initiative should follow, to ensure that your compliance policies and procedures are well understood by key stakeholders throughout the organization. Ongoing auditing is also a must, to verify that the program is executed as intended over the long term.

Whether your treatment organization plans to operate as a sole entity for the foreseeable future or ultimately attract venture investment, a comprehensive compliance program will help to ensure that your policies are fortified and your services are compliant. In developing a compliance program, it’s important to assure that the program becomes part of the culture of the enterprise at every level, and that adjustments are made to operations, as needed, to be compliant. This requires ongoing vigilance and buy-in from the governing local and senior management of your organization.

Our legal team is available to partner with your legal counsel and Compliance Officer to identify the strategies you need to complete your compliance program—and confirm that you and your patients are protected.