Compliance Is Not a 4-letter Word
By David Lane, PhD, CHC, CPC, CAPPM
“Compliance” often conjures up images of boring lectures, law enforcement, huge fines, scary “I’m from the government and I’m here to help” mentality, and worse. In reality, compliance is an integral part of the health field. And with health care reform and the Patient Protection and Affordable Care Act (ACA), compliance programs are mandatory.
Compliance is also inextricably linked to coding. With health care reform putting pressure on accurate documentation, coding, and billing, there are many benefits to having strong and accurate coding skills, a positive coding-compliance team, and an effective compliance program to ensure correct reimbursement. Having good partnerships may also strengthen an organization’s overall compliance program by increasing a hospital or medical practice’s revenue. Finally, coding and compliance working together can support audit or recoupment efforts and quality measurements; and cooperation can help meet electronic health record (EHR) meaningful use requirements.
Fraud. Waste. Abuse.
These three little words form the government’s mantra for audits and legal actions conducted by the Office of Inspector General (OIG), the U.S. Department of Justice (DOJ), the Office of Civil Rights (OCR), and the Centers for Medicare & Medicaid Services (CMS). As these government agencies look for ways to prevent fraud, waste, and abuse, there are four important federal laws that form the framework for an effective compliance program. Appropriate and effective coding is tied to each of them:
- False Claims Act (31 USC§3729).
- This Civil War era statute has been revised over the years to strengthen the legal underpinnings and penalties for any individual or entity that presents a false (i.e., inaccurate or wrong) claim to the government (i.e., Medicare or Medicaid or other federal health insurance program). When a submitted claim from a hospital is inaccurate, there is the potential that the False Claims Act is being violated.
- Anti-kickback Statute (42 USC§1320a). This law prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals or generate federal health care program business. This law directly affects referrals from physicians to hospitals for services and patient care.
- Stark law (42 USC§1395) or the physician self-referral law. Stark law is named after the California congressman who spearheaded the massive legislation. This law prohibits a physician from referring Medicare patients for designated health services to an entity with which the physician (or an immediate family member) has a financial relationship. Given the breadth of this law, any hospital referrals from a physician who receives any form of compensation from that hospital need to be regulated and monitored. Because hospitals, clinics, and physicians are inextricably linked, it is critical to meet the safe harbors, or exceptions, provided in these comprehensive laws regulating provider-hospital relationships. Huge fines, penalties, Corporate Integrity Agreements (CIAs), exclusion from Medicare, and jail are consequences of violation. Although typically not directly involved in physician financial arrangements, coders should at a minimum have confidence that all physician/hospital financial arrangements are appropriate. Coders are often the first to see irregular patterns of referrals, elevated service levels, and inappropriate orders—all possible signs of violations. You can ask managers, compliance officers, and legal departments how physician financial arrangements are monitored. When necessary, question any inappropriate or excessive referrals from a particular provider.
- Health Insurance Portability and Accountability Act (HIPAA) (45 CFR Parts 160, 162, and 164). This law, familiar to all coders, governs the transmission of medical records containing important medical information. HIPAA—under the purview of the OCR—also regulates the disclosure of patient protected health information (PHI). Professional coders know the importance of adhering to strict confidentiality when dealing with the thousands of bits of private medical information coming across their desks each day. With implementation of EHRs, HIPAA kicks in with full force. The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 increased regulations and requirements for preventing and reporting PHI breaches. For instance, a PHI breach affecting more than 500 patients in one geographical area requires notification to the U.S. Department of Health & Human Services (HHS), notification to affected patients within 60 days of learning about the breach, establishing a specific hotline number for patients to call, and other possible consequences. Data nationally indicates the cost for mitigating and responding to each breach is over $200 per record. Any misuse of patient PHI can cause the OCR to audit, investigate, and fine the perpetrator. The OCR has initiated over 100 HIPAA audits in 2012 to review practices of hospitals, clinics, and physicians across the United States. More HIPAA audits are probably on the horizon.
These four main laws, along with Medicare and Medicaid rules and regulations, and other state and federal laws, provide tools to guide effective compliance and coding practices. These laws also provide the leverage for the government to audit and review coding practices, patterns, and claims.
You Can’t Stick Your Head in the Sand
Historically, coders have said, “I just code what is given me; compliance is not my concern.” And in the past, perhaps, knowledge or awareness of some of the aforementioned compliance laws were not on the coder’s radar.
The landscape has changed. As these laws are revised and updated, deliberate knowledge is being removed as a requirement for violation. Laws now contain the verbiage “known or should have known.” For instance, the Anti-kickback Statute is an “intent-based” statute. This means that specific intent to violate the Anti-kickback Statute must be shown to prove a violation. Historically, however, federal courts have interpreted this statute broadly, ruling, for instance, that intent to violate this statute may be inferred from other circumstances.
Conversely, the Stark law is a “strict liability” law. This means that under Stark, lack of deliberate intent or knowledge is not an excuse and proof of intent is not necessary. If there is an improper or illegal physician financial arrangement in place, every referral from that physician is affected as long as the arrangement was noncompliant, and all claims coded and submitted by that physician are suspect.
The False Claims Act was modified in 2009 to make it clearly illegal—defining it as “fraud”—for a hospital or physician to knowingly keep overpayments or money paid to them due to a billing error or wrong payment (i.e., “credit balance”). Entities now have 60 days to repay an overpayment after they know, or should have known, about the improper payment.
In a nutshell: Ignorance of compliance in the changing health care landscape is not bliss. Compliance offices will need to work closely with coding and billing offices to ensure systems and practices are in place to adhere to strict law compliance.
The Government Is Watching
Hospitals and physician practices have seen an exponential increase in government audits and claim reviews. Coders will often be the front end of defense and offense when government auditors review and audit health claims.
The Recovery Audit Contractor (RAC) program is perhaps the most familiar these days, but Medicaid integrity contractors (MICs), Zone Program integrity contractors (ZPICs), Medicare administrative contractors (MACs), and the Comprehensive Error Rate Testing (CERT) program are closely related. All are designed to help the government discern fraud, waste, and abuse—and to recoup federal health care dollars that have been improperly paid.
The U.S. government has repeatedly reported that incorrect claims cost the taxpayers billions of dollars. Consequently, over the past several congressional sessions (both Republican and Democrat led), the OIG enforcement budget has increased dramatically. Government data shows that every dollar invested in compliance recoups anywhere from six to 10 dollars for the government.
The same holds true for third-party payers who have increased their scrutiny of claims, instigating their own independent reviews and audits. From a taxpayer viewpoint, RAC, MIC, MAC, ZPIC, OIG enforcement, etc. are all good ways to ensure Medicare/Medicaid dollars are being paid accurately. But from a hospital or physician practice viewpoint, these programs have added huge administrative burden and costs.
Good News for Coders
The “good news” for professional coders is that these governmental and third-party payer audits reinforce the importance of accurate coding, professional coding standards, and the involvement of coding in an entity’s overall compliance program.
One of the key seven elements of an effective compliance program, according to the OIG, is to have regular auditing and monitoring in place. The basis for most audits of claims is the medical documentation, underlying medical necessity, and then how that translates into the codes and the bill. Coders should increasingly be called upon to help review coding internally, set up effective coding practices, protocols, and procedures, and meet accurate coding benchmarks.
David Lane, PhD, CHC, CPC, CAPPM, is chief compliance and privacy officer at Hawaii Health Systems Corporation.