Top 4 Compliance Policies and Procedures You Need to Know

Top 4 Compliance Policies and Procedures for All Healthcare Entities

Your healthcare entity is at risk if these elements aren’t part of its compliance plan.

As healthcare workers, it’s our responsibility to know and understand that the Office of Inspector General (OIG) expects all healthcare entities to follow and abide by its self-proclaimed seven elements of an effective compliance program. The first element, implementing written policies, procedures, and standards of conduct, is the focus of this article. We will review four compliance policies and procedures all healthcare entities should have in place to protect their practices from the repercussions of noncompliance.

Plan for Compliance

It’s recommended that every healthcare entity have a working compliance program, even if it isn’t mandatory for the provider to have one. Policies and procedures are the key to ensuring that guidelines are established for patient and employee safety, that federal and state laws and guidelines are followed, and to promoting consistency in practices.

It’s also important for all employees to know that a compliance program exists. Employees should have an in-depth knowledge of the compliance program through a team review or individual testing. This will help employees know how to respond when an allegation or concern is raised by another employee or third party, or when they feel the need to report a concern.

Not every allegation or concern raised will result in an investigation, but all allegations or concerns should be taken seriously and logged by the compliance officer for tracking purposes. If an allegation or concern results in an investigation, there may be other departments that will need to be involved such as human resources, finance, and clinic/hospital leadership.

Having a written compliance program in place that is shared with all employees and adhered to sends a clear message that there is a high ethical standard and that employees are encouraged to come forward to share a potential compliance risk or concern.

Key Elements for Compliance

If your organization is audited by the Department of Justice (DOJ), it will ask to see your company’s compliance program. A DOJ review may consist of ensuring proper updates have been made to the program, that it contains the required safeguards to protect employees who come forward with concerns, and that proper follow-up has occurred and is documented. Here are four elements your compliance plan should contain:

  1. Investigation policy – A good investigation policy should be clear on its purpose and intent, what the protocol is when an allegation or concern is raised to the compliance department, and the corrective action process, if proven necessary. It should also be abundantly clear that no retaliation will be taken against a person who comes forward with a suspected allegation or concern and that they will remain anonymous, if possible.

It’s important to state in the policy who will handle investigations and at what levels additional outside counsel will be brought in. (It’s also recommended that legal counsel be well-versed in the potential issues.) All investigations should include reviewing and preserving all documents related to the allegation, interviewing all appropriate individuals, and reviewing policies and procedures applicable to the allegation. Any corrective or disciplinary action that will take place, if necessary, should also be defined in the policy.

To safeguard compliance, it’s key to outline the general steps in a clear and specific way. However, these steps should not be so detailed that the investigation process might put the organization at risk for noncompliance if the steps are not followed to the letter. Since not all investigations will have the same level of severity, having a flexible investigation policy is advisable.

  2. Overpayment or self-disclosure policy – At some point, every practice will identify a compliance issue that will result in a payback. Your compliance plan should outline how to identify when there is a need for a payback. It should outline the process of identifying the universe of claims that may need to be included in the sample and when a statistician may be required. Many think they can handle this step themselves, but the OIG recommends someone who is a statistician (or equivalent) to perform the statistically valid sampling to facilitate the appropriate payback. The sample may need to go back as many as six years if the situation has been going on that long.

Questions to ask when determining the sampling universe are:

When did the provider join the practice?

Has this been a recent acquisition and/or is this a new service or service line added recently?

Are there multiple providers involved or one particular provider?

It’s also important for practices and hospitals to identify whether an error is truly a mistake or more egregious and potentially an intent to defraud the government. Mistakes will happen; no one is perfect. The most important thing is how the practice or facility responds when an issue is discovered. This may be a good time to reach out to internal/external legal counsel. Note that even if you discuss the matter under attorney-client privilege (ACP), any data analytics and information that have already been obtained are discoverable. Whether a matter should be put under ACP depends on the situation. Some practices want everything discussed and discovered under ACP and others prefer full disclosure.

  3. Coding compliance policy and procedure – All health information management, coding, compliance, and billing departments should have written policies and procedures that designate who will assign the medical coding. Policies should also describe who will append modifiers, when necessary, and what the process will be to carry these actions out. Are the billers allowed to append modifiers or does the encounter need to be returned to coding so they can append the modifier if the documentation supports it?

To ensure proper code selection, all personnel who hold a position where they will be selecting or reviewing medical coding should be certified by an accrediting body. It’s equally important to provide continuing education opportunities for individuals who hold this position because codes and guidelines are updated frequently.

  4. Screening for individuals excluded from the federal healthcare programs – Every healthcare entity performs background checks; however, some have not fully understood the importance of screening for those individuals who have been excluded from the federal healthcare programs (e.g., Medicare). If an excluded individual has been involved with the care of patients, even running their labs, all the monies received for that care must be refunded. One of the sites you can check for excluded individuals is

The OIG recommends healthcare entities screen all new hires, as well as check the national databases on a monthly cadence to identify excluded providers who may not have been in the federal databases when the person was first hired. Healthcare entities should also keep a log (either electronically or on paper) of these monthly checks as evidence. Should an issue occur, this record will prove that you performed due diligence.

Should you discover an excluded provider, consult your legal counsel for next steps. These steps should also be outlined in the compliance policy. One recommendation is to stop billing claims for patients with which this provider has potentially been involved or encountered. While there are some instances where an excluded individual can be employed, the OIG has been clear about the positions they cannot hold in a healthcare entity.

An excluded individual is not prohibited by the OIG from owning a healthcare entity participating in a federal healthcare program. However, the individual must own less than 5 percent of the entity and cannot hold a management or administrative position within the organization, or face the possibility of civil monetary penalties.

Scraping the Surface

The first of the OIG’s seven elements of an effective compliance program is probably the hardest. Once that is done, you can work on the other six steps:

  1. Designate a compliance officer and compliance committee.
  2. Conduct effective training and education.
  3. Develop effective lines of communication.
  4. Conduct internal monitoring and auditing.
  5. Enforce standards through well-publicized disciplinary guidelines.
  6. Respond promptly to detected offenses and undertake corrective action.

Although only certain healthcare providers are required to adopt compliance programs, the OIG recommends all healthcare entities make compliance plans a priority.
