Face Compliance Program Challenges Head On
Create a plan, use seven keys to implement it, and then customize it.
By Alicia Shickle, CPC, CPCD, CPPM
A provision in section 6401 of the Patient Protection and Affordable Care Act of 2010 (ACA) mandates physicians to adopt a compliance program as a condition of Medicare, Medicaid, or Children’s Health Insurance Program (CHIP) enrollment. Your practice may already have a program in place, but this ACA provision has opened a floodgate of additional regulatory and law enforcement scrutiny and liability. As a result, your practice will need to be more vigilant than ever in its compliance program efforts.
Providers who aren’t part of a larger, integrated system are less likely to have an effective compliance program in place because of a lack of financial and human resources. Efforts may be fragmented or incomplete as individuals with compliance responsibilities are asked to do more with less. The end result is a practice still at risk for noncompliance.
Providers must become more aware of the importance of an effective compliance program. Ultimately, they are the ones who are subject to the risks of noncompliance. Future penalties will likely be far more damaging to your practice’s bottom line than what is required of it now to become a compliant organization.
Seven Keys Unlock an Effective Compliance Program
There are seven keys for an effective compliance program patterned after the Office of Inspector General’s (OIG) Guidance for Individual and Small Group Physician Practices:
1. Policies and Procedures
One of the most important controls you can have for mitigating risk is to implement policies and procedures based on best practices. Communicate expectations to staff, board members, and external vendors. Establish a process, including a central library of policies and procedures, which includes creating, updating, sharing, approving, and archiving documents.
Link policies and procedures to laws and regulations, and have them readily available to everyone in the organization through the use of a simple search of key words. Include a system of alerts to trigger reminders to update policies periodically—at the least, annually—and if workflow or services change.
2. Training and Education
Conduct annual staff and compliance training, as well as job-specific training. Forcing compliance managers to manually track training schedules is a cumbersome and daunting task, and tracking compliance training requirements is nearly impossible, even for small practices. Track training compliance and to monitor scores for understanding and competency. You should have processes for receiving new and updated laws and regulations from a variety of external sources, and for providing education and training on new or revised regulations and policies.
3. Audit Management
All organizations, regardless of size, should conduct baseline audits as a benchmark for ongoing auditing and monitoring. Be sure to identify vulnerabilities and weaknesses through auditing and to prioritize compliance tasks based on the level of risk.
It’s important to look in the right areas. If results are returned as acceptable, this is an indication your organization is not looking in the right places. The purpose of monitoring your processes is to identify personal vulnerabilities and areas of weakness. Implement plans for corrective action when necessary, and prevent noncompliance activities from reoccurring, to help you mitigate possible penalties and/or sanctions.
Systematic, consistent, and organized documentation is required when managing an audit process.
4. Designated Compliance Specialist
Although compliance is everyone’s responsibility in an organization—all staff has an obligation and responsibility to report any observed or suspected noncompliance activity—you should designate a staff member as compliance officer, to be responsible for overseeing compliance activities.
The compliance officer should create a culture of compliance and report all incidents to the chief financial officer and board. Unfortunately, often the compliance officer is seen as an adversary, making it difficult to rely on employees’ assistance in detecting noncompliance or fraudulent activities. The compliance officer must understand what constitutes fraud, waste, and abuse, know how to report it, and feel confident performing the task.
5. Open Lines of Communication and Disciplinary Non-retaliation Policies
You must have open communication and a non-retaliation policy, so employees will participate in “policing” the organization for noncompliant activities. Each employee should feel “deputized” to always do the right thing, the right way. Many hands make light work, and it’s crucial for the compliance manager to get buy-in from everyone.
6. Noncompliance Management
Take all reported noncompliance issues seriously. Let employees know that if they report a potential incident, the compliance officer will investigate and correct the issue. Be sure all incidents are documented and investigated immediately, and determine if an incident requires further action. Self-disclosure may be required in some instances, and seeking legal counsel is important to help sort through those decisions and processes.
7. Risk Assessments and Management
Staying up to date on new regulations and changes in the industry goes a long way in mitigating your risk of penalties, sanctions, and exclusions. Understand what is unique to your organization because every practice is different. Don’t use “out of the box” solutions, and make the most of available tools and resources. The key is to customize and adopt a solution that fits your organization’s needs.
On a final note, remember to implement policies that are attainable. Be practical, use common sense, and seek the help of experts—including legal advisors—if you need it. When you have established a foundation, managing the program will become business as usual.
Alicia Shickle, CPC, CPCD, CPPM, is director, Compliance Division
Latest posts by John Verhovshek (see all)
- Remember: CMS Allows ’97 Extended HPI with ’95 E/M Guidelines - December 5, 2016
- Code to the “Highest Severity” for Drug Use, Abuse, and Dependence - December 5, 2016
- HHS Warns of Phishing Attempt Disguised as Audit Communication - December 1, 2016