What Are Your Compliance Red Flags?
10 Telltale Signs a Health Care Provider Is Not Interested in Compliance
by Robert A. Pelaia, Esq., CPC
Believe it, or not, there are still providers in the health care industry who do not take compliance activities seriously. The Office of Inspector General (OIG) of the Department of Health and Human Services’ (HHS) list of excluded individuals and entities continues to grow showing there are still many who don’t realize the importance of basic compliance activities.
Many different facets of health care delivery have unique regulatory requirements. As a result, coders often need to look beyond the four corners of their coding books to make sure they do not find their employer (or themselves) caught in the radar of an investigation. If an OIG investigator walks into your office right now, what would they see (or not see) to make them think that compliance is not taken seriously? Listed below are 10 tell tale signs that might prompt an observant investigator to take a second look. These signs are not listed in any specific order of importance and may not directly relate to coding.
1. Patient Records are in Plain Sight
Several years have passed since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rules implementation. The HIPAA privacy rules, effective April 14, 2003, established national standards to guard the privacy of a patient’s protected health information. After a few years of following HIPAA privacy rules, many fell back into pre-HIPAA bad habits. Today, most of the HIPAA lapses occur because people are lax and don’t follow the guidelines. You may have seen patient’s records in plain sight when you are at your doctor’s office or pharmacy. Coders deal with protected health information on a daily basis and they should adhere to required controls and safeguards, which ensure the confidentiality, integrity, and availability of confidential information.
2. No Compliance Contact Designated
Your office should designate someone to be in charge of compliance activities. In general, the OIG established a minimal expectation that an individual or group of individuals should be designated to serve as the focal point for compliance activities. This does not mean that one employee be responsible for compliance of the entire practice because it may not be feasible in smaller entities. Whether compliance responsibilities are the sole duty of a full-time employee or one of an individual with several responsibilities within upper management, it’s necessary to designate someone as the “go-to” person for compliance issues.
3. Outdated Coding Books on the Shelf
Coding is a field that is constantly changing. Coders must keep on top of all the newest coding changes. If it is May 2008 and coders are working from a 2006 CPT® book, a 2007 HCPCS Level II book and a 2005 ICD-9-CM book, chances are there is a big compliancy issue. The fact is many doctor’s offices perform their medical coding in-house using outdated coding books or software. They often rely on employees not fully trained in proper coding methods and techniques. The results are a compliance nightmare with many returned, rejected, and underpaid claims. While it is a good idea to keep old coding books around as a historical reference, coders should never code from outdated books as it subjects the business to increased (and unnecessary) compliance risks.
4. Sign in Lobby Offers Free Limousine Transportation for Medicaid Patients
Section 1128A(a)(5) of the Social Security Act, enacted as part of HIPAA, imposes significant civil money penalties (up to $10,000 for each wrongful act) on providers who offer remuneration to Medicare or Medicaid beneficiaries that can influence the beneficiary to order items or services from the provider. This standard is met if a provider acts with deliberate ignorance or reckless disregard. The OIG interprets this inducement prohibition to allow Medicare or Medicaid providers to offer beneficiaries inexpensive gifts (other than cash or cash equivalents) or services without violating the law. For enforcement purposes, inexpensive gifts or services are those that have a retail value of no more than $10 individually, and no more than $50 to annually accumulate per patient. The OIG provided a reminder to providers to consider the applicable regulatory standards before they start handing out free gifts or services (or other items of value) to Medicare or Medicaid beneficiaries.
5. Coding “Cheat Sheets” Posted on the Wall
There is nothing per se inappropriate about coders having coding “cheat sheets” for them to do their jobs more efficiently; however, an OIG investigator might have a significant problem if the “cheat sheet” next to your desk only reflects high level codes. For example, if you are listing new patient evaluation and management (E/M) codes on your “cheat sheet,” make sure you list all five levels of new patient E/M codes. Be certain to include all options and not just ones that pay you the most money.
6. Memos Posted Instructing Coders to Change Diagnosis Codes
A red flag to an OIG investigator is posted memos telling coders to ensure particular codes are only submitted with certain “covered” diagnoses and to change to a code on the list if the “wrong” diagnosis is submitted by the physician. The bottom line here is you can only submit diagnoses appropriately documented in the medical record. It is okay to have a list of “covered” diagnoses, but it is not appropriate for the coder to change the diagnosis to one not supported in the medical record.
7. Bonuses Paid to Coders Based on Increases in Revenue
Chances are good that the government will closely scrutinize a bonus structure paid to a coder based on increases in revenues. Such an arrangement might be an incentive for an unscrupulous coder to “up-code.” From the OIG’s perspective, the issue with giving coder revenue bonuses makes sense. If the coder submits codes that result in increased revenue, the coder will end up with more money in their pocket; therefore, the bonus is a red flag for encouraging dishonesty. Coding is complex enough without muddying the water with bonus structures tied to revenue. The less risky route is to base the incentive on productivity, timeliness, or accuracy rather than revenue.
8. Dust and Cobwebs Cover the Compliance Manual
Cobwebs may be a bit of an exaggeration; however, organizations that value compliance tend to use a variety of techniques to educate employees, including the development of compliance manuals. These are generally “how-to” textbooks containing policies adopted by the organization to ensure compliance with rules and regulations. A compliance manual should not sit on the bookshelf, as it should be a useful and comprehensive reference tool used often and updated periodically. The organization must ensure employees understand their obligation and conduct themselves in a consistent manner with well-articulated standards, seek clarification when they are unsure, and report suspected violations of applicable laws and rules to the appropriate persons. This leads us to number 9.
9. Evidence of Employee Complaints with No Evidence of Follow-up
An organization that receives complaints or uncovers evidence of improper billing must demonstrate it responded appropriately to the situation, including taking necessary steps to prevent further similar offenses. The steps should modify the organization’s procedures and practices to reduce the chances of the problem recurring. The organization’s prompt and thorough response is imperative. If the organization’s management personnel fail to investigate employee complaints promptly, this questions the effectiveness of the program.
10. Not Employing “Certified” Coders
You can tell a lot about a health care employer by the company it keeps—it is true that you get what you pay for. It costs more to employ a certified coder in terms of the salary and the expense of ongoing educational requirements to maintain continued certification than it costs to employ a coder who is not certified. However, employers maintaining higher standards are the same employers who value integrity and understand that compliance activities are a requirement. It is hard to argue that errors were “unintentional” if no one is concerned with the qualifications of the coders.
Regulatory compliance is important to health care organizations and with today’s headline-grabbing prosecutions, few coders need convincing that health care regulatory compliance is here to stay. Take a moment to look around your work environment. Think about what an “outsider” would see if he or she was scrutinizing your health care operations. You may be surprised at what you see. Take some notes and, if you see any problems, talk with your compliance “go-to” contact person (see #2). After all, it all comes down to coding.
Disclaimer: Information published in this article is the personal views of the author and not that of the University of Florida. Information published in this article is not intended to be, nor should it be considered, legal advice. Readers should consult with an attorney to discuss specific situations in further detail.
- certified coders
- cheat sheet
- compiance manual
- compliance risks
- diagnosis codes
- doctor's office
- HCPCS Level II
- Health care
- legal advice
- privacy rules
- proper coding
- red flags
- Social Security Act
- underpaid claims
- upper management