A Real Economy publication

Compliance trends in health care: Fall 2022

Aug 19, 2022

No Surprises Act compliance key takeaways

Noncompliance with the NSA may result in fines and penalties of up to $10,000 per violation.

New out-of-network protocols may be needed.

The internal auditor should have a seat at the leadership table to help navigate organizational risk implications.


Portions of the following originally appeared in New Perspectives, Vol. 41, No. 3, Association of Healthcare Internal Auditors, by Jessika Garis and Michael Haas, RSM US LLP.

For years, patients have voiced their concerns about surprise bills and the rising costs of health care. In late 2020 the No Surprises Act (NSA) was passed. This consumer protection law helps curb the practice known as “surprise billing” for medical care. The law is a possible answer to the concerns regarding unexpected bills with large out-of-pocket balances. However, it poses significant compliance challenges for health care providers.

On Jan. 1, 2022, the NSA went into effect, restricting providers and other organizations from balance billing patients for out-of-network (OON) services. The following chart provides an overview of the types of billing that the NSA has changed.

[Chart: No Surprises Act services affected]


Noncompliance with the NSA may result in fines and penalties of up to $10,000 per violation. Enforcement is underway by the Centers for Medicare & Medicaid Services (CMS) and state agencies to regulate balance billing. Health care organizations must determine how to manage the new regulations and what practices must be implemented to ensure patient bills are processed in accordance with the NSA.

In addition, the Office of Inspector General (OIG) has begun conducting audits to determine how bills were calculated for OON patients who were admitted for COVID-19 treatment. The OIG will review supporting documentation and assess procedural controls and monitoring to ensure compliance with the balance-billing requirement.

Health care organizations that have received Provider Relief Fund payments and attested to the associated terms and conditions will be subject to an audit from the OIG. The OIG has stated that these organizations are limited in pursuing collections of out-of-pocket payments from COVID-19 patients. Patients may not be required to pay more than what they otherwise would have been required to pay if the care had been provided by in-network providers.

OON billing

Some health care organizations have abandoned billing for OON rates. But others are implementing new protocols to obtain a patient's consent to balance bill them for OON charges in compliance with the NSA. Updated protocols should include, but are not limited to, the following:

  • Publicly post a one-page notice to consumers on patient rights regarding balance billing, including how to report violations. Organizations should post the notice prominently at their facilities and on their public websites and provide the notice directly to patients.
  • Validate patients’ insurance, provide notice and obtain consent for services considered OON at least 72 hours prior to a scheduled appointment.
  • Confirm at registration if the organization is in-network with the patient’s insurance, or recommend care elsewhere.
  • Notify self-pay/uninsured patients verbally and in writing of their right to receive a good faith estimate (GFE).
  • Provide a GFE for expected charges related to self-pay patients (including uninsured patients and patients who choose to forgo using their insurance) within one to three business days, depending on when the services are scheduled.
  • Implement an independent dispute resolution process (a critical component to negotiating reimbursements for OON rates).

Additional strategies to consider when implementing the above protocols include, but are not limited to:

  • Ensure the adequacy of network information, including making up-to-date and transparent provider directories available.
  • Implement insurer transparency to allow patients to choose OON care in advance.
  • Reduce the gap between in-network and OON by setting up more external providers in-network with more payers. The strategy may seem challenging for the provider organization, but with the NSA, getting other providers in-network and collecting some amount of payment is a better option than keeping them OON and writing off the balance.
  • Keep patients out of billing disputes to secure patient satisfaction.

The following illustrates how patient financial responsibility is determined for provided services:

[Chart: How patient financial responsibility is determined for provided services]

The role of an internal auditor

As an organization decides how to address OON balances and the other requirements related to the NSA, the internal auditor needs to have a seat at the leadership table to help navigate risk implications.

The following services should be top of mind and provided by the internal auditor:

  • Assess the organization’s billing practice by collaborating with stakeholders within key areas such as revenue cycle, legal, compliance and patient experience.
  • Review the patient billing policy.
  • Identify and assess existing internal controls to ensure that billing for emergency services or non-emergency services provided by OON providers is accurate and appropriately limited to in-network cost-sharing amounts.
  • Review the content and distribution of required notices, consents and GFEs.
  • Identify and assess the internal controls and procedures implemented to ensure that balance billings for excluded services do not occur.
  • Evaluate the organization’s patient-provider dispute resolution process.

Special considerations

Certain internal controls may require in-depth scrutiny to ensure compliance, including the following:

Cost sharing – Verify that the billing system automatically calculates the cost-sharing amounts in accordance with the regulations. Test a sample to verify that management reviews and signs off on the accuracy of the calculations prior to distribution. The calculation is required to be computed as follows:

  • An amount should be determined by an applicable all-payer model agreement, in accordance with section 1115A of the Social Security Act.
  • If no all-payer model agreement is applicable, the amount should be determined under a specified state law.
  • If neither of the above applies, the lesser amount of either the billed charge or the qualifying payment amount, which is generally the plan’s or the issuer’s median contracted rate, should be used.

Notice and consent – Determine that the organization’s procedures are compliant. Upon identifying patients who qualify for OON balance billing, a financial counselor should obtain the patient’s consent in a timely manner to ensure the billing is accurate and in conformance with state and federal regulations.

Timeliness includes providing the notice and consent at least 72 hours before an appointment for items and services scheduled at least 72 hours in advance, or no later than three hours prior to the appointment. Management should periodically review the patient consents obtained to ensure each patient meets the requirements for OON billing and that the consent was obtained in a timely manner.

Good faith estimate – The GFE should be automatically generated within the billing system through a system configuration and be provided to applicable patients within the required time frame. Management should perform daily reviews of the GFE report from the billing system and reconcile it to scheduled services to ensure timely notification and distribution of the GFEs. 

Ensure that the billing system is configured to require input in the necessary fields prior to the submission of the GFE to the uninsured or self-pay individual. Required fields should include:

  • Patient name and date of birth
  • Description of the primary item or service in clear and understandable language
  • Itemized list of items or services
  • Applicable diagnosis codes, expected service codes and expected charges associated with each listed item or service
  • Name, national provider identification number, and taxpayer identification number of each provider or facility represented in the good faith estimate
  • State(s) and office or facility location(s) where the items or services are expected to be furnished
  • List of items or services that the provider or facility anticipates will require separate scheduling and that are expected to occur before or following the expected period of care for the primary item or service

The bottom line

As regulators crack down on noncompliance with the NSA, and patients become more aware of their rights, internal auditors will need to collaborate across their organization’s silos to facilitate organizational agility and ensure compliance. As the health care industry becomes increasingly consumer-oriented, provider organizations should remain vigilant, because market share may erode if billing practices are viewed unfavorably. Organizations that remain forward-thinking will gain the trust and loyalty of patients and their families by reducing out-of-pocket costs and improving patient experiences.
