Using QAPI & Corporate Compliance as Integrated Risk Controls
Medical Director Oversight Draws Federal Attention.
OIG found medical directors made unsupported schizophrenia diagnoses to mask antipsychotic misuse and inflate star ratings.
Skilled Nursing Facility operators are stepping into a very different oversight environment than they have seen in years.
Regulators are not just reviewing outcomes anymore. They are looking closely at patterns, documentation, and how decisions are made across an organization. And in many cases, issues that used to be resolved through education are now leading to deeper investigations, penalties, and broader scrutiny.
That shift is changing the role of Quality Assurance and Performance Improvement (QAPI) and Corporate Compliance.
These are no longer separate programs operating in parallel. They are becoming two parts of the same system, working together to identify risk, escalate concerns, and document how the organization responds. When that connection is strong, organizations are better positioned to manage both regulatory pressure and financial exposure. When it is not, gaps become much more visible.
QAPI & Corporate Compliance: Distinct but Interdependent
Corporate Compliance and QAPI serve different purposes, but regulatory risk frequently emerges at their intersection.
QAPI focuses on care processes, outcomes, and system performance. It helps organizations identify patterns and surface issues through data.
Corporate Compliance focuses on adherence to regulations, internal policies, and ethical standards. It defines how issues are escalated, investigated, and addressed.
Where organizations tend to struggle is in the handoff between the two.
A quality issue becomes a compliance issue when it is not identified, documented, or escalated in time. Regulators are increasingly expecting to see not just that a problem was recognized, but how it moved through the organization and what actions followed.
Affiliate Risk
What’s happening
Centers for Medicare & Medicaid Services (CMS) is expanding how it evaluates organizations by looking beyond individual facilities. Instead of reviewing locations in isolation, regulators are examining ownership structures, shared leadership, management companies, and medical director relationships.
This means risk is no longer contained to one location. It can extend across the entire organization.
Why this matters
This shift is creating new exposure that many organizations are not fully accounting for.
An issue at one facility can now influence how regulators view affiliated locations. Leadership overlap, shared ownership, and even administrative errors can trigger broader scrutiny. Cross-facility data comparisons are also making it easier for regulators to identify patterns that may not have been visible before.
M3 in Practice: Affiliate Risk Mapping
We help clients create a structured view of affiliate exposure by:
- Assisting in mapping ownership, leadership, and medical director relationships across facilities
- Identifying shared roles that could trigger cross-facility scrutiny
- Highlighting areas where documentation or governance may not align
Where to focus
QAPI Responsibilities
- Monitor survey outcomes, enforcement activity, and quality trends across affiliated facilities.
- Identify recurring deficiencies or documentation gaps that indicate systemic issues.
- Report emerging patterns and cross‑facility risks to executive leadership and corporate compliance.
Corporate Compliance Responsibilities
- Conduct quarterly audits of PECOS, CMS‑855 filings, ownership disclosures, and key contact information.
- Document organization-wide corrective actions, not just facility-level responses.
- Screen contractors and partners for affiliations with high-risk facilities.
- Review medical director and physician contracts to ensure proper disclosure obligations related to fraud, waste, and abuse.
Medical Directors
What’s happening
Medical directors are no longer viewed as passive or symbolic roles. Regulators are expecting to see clear, documented involvement in clinical oversight and decision making.
This goes beyond having the role in place. Facilities are expected to show how medical directors are actively contributing, including:
- Evidence of work being performed
- Documentation that supports compensation
- Participation in clinical governance and QAPI activities
- Alignment between contracts, payroll-based journal (PBJ) reporting, and documented oversight
Why this matters
If compensation is in place but documentation does not support active involvement, it can raise concerns tied to fraud, waste, abuse, and billing practices.
Regulators expect organizations to demonstrate that medical director responsibilities are actively carried out and supported by clear, consistent documentation that aligns with contracts and reported activity.
Where to focus
QAPI Responsibilities
- Require medical director participation in QAPI, infection control, and clinical governance meetings.
- Maintain detailed agendas, minutes, and logs documenting clinical input, recommendations, and follow‑up actions.
- Leverage medical directors to support physician engagement when resident care concerns require escalation.
Corporate Compliance Responsibilities
- Reconcile PBJ hours with meeting minutes, logs, and documented work.
- Maintain clear, documented communication among administrators, DONs, and medical directors regarding quality priorities.
- Implement a structured medical director work plan with regular reviews to confirm contractual alignment and regulatory compliance.
Antipsychotic Use & False Diagnoses
What’s happening
Federal audits are taking a closer look at antipsychotic medication use, particularly in instances where schizophrenia diagnoses appear unsupported, especially among residents with dementia.
Regulators are comparing multiple data points, including MDS coding, physician documentation, MARs, care plans, and non-pharmacological interventions, to identify inconsistencies.
Why this matters
Inconsistent documentation or unsupported diagnoses can raise questions around quality of care, billing accuracy, and patient safety. It is also an area that plaintiffs’ attorneys are increasingly focusing on in litigation.
Where to focus
QAPI Responsibilities
- Conduct interdisciplinary reviews of schizophrenia diagnoses across primary care, behavioral health, nursing, and pharmacy.
- Validate documentation of non‑pharmacological interventions.
- Use QAPI dashboards to identify outliers and emerging diagnosis trends.
Corporate Compliance Responsibilities
- Audit alignment between MDS coding, clinical documentation, and billing data.
- Escalate unsupported diagnosis patterns or chemical restraint concerns.
- Document and sustain retraining, corrective actions, and ongoing monitoring.
Strengthening QAPI & Corporate Compliance to Manage Risk
Managing risk in today’s regulatory environment requires coordination. QAPI identifies patterns and risk through data and performance review, while corporate compliance ensures appropriate escalation, accountability, and documentation.
Where Compliance Becomes Defensibility
Organizations that treat compliance as a checklist will remain reactive. Those that connect QAPI findings to compliance oversight, escalation, and documentation are better positioned to demonstrate good faith governance and defend against regulatory, financial, and litigation exposure.
Yes/And: Our Take
There is a shift happening in how organizations are being evaluated. Yes, strong QAPI and Corporate Compliance programs are still essential for managing regulatory risk. And they are now playing a much bigger role in how organizations protect themselves financially.
Regulators, plaintiffs’ attorneys, and insurance carriers are all looking at similar signals. They want to understand what happened, what the organization knew, and how it responded. This is where many organizations face challenges.
Gaps in documentation, inconsistent oversight, or unclear governance can impact claim outcomes, increase litigation risk, and influence how coverage responds. At M3, we help organizations align operational practices, compliance structures, and risk strategy so they work together as a unified system.
If you have not recently reviewed how your QAPI and compliance efforts align with your broader risk strategy, now is the time. Connect with your M3 Client Executive or Risk Manager to walk through where gaps may exist and how to strengthen your approach moving forward.
