Risk Assessment High Priorities

Part 1: Guard against False Claims Act violations.

By Marcia L. Brauchler, MPH, FACMPE, CPC, COC, CPC-I, CPHQ

Compliance is a broad concern for provider practices, encompassing everything from proper coding and billing procedures to human resource requirements, patient privacy, etc. When developing a compliance plan, one of the most important decisions you must make is how to allocate your finite resources. By undertaking a risk assessment of your practice’s processes, you’ll better direct your efforts.

My firm created the “Heat Map” for physician practices to identify where to focus their resources — time, money, manpower, and the attention of management, providers, and staff — most efficiently and effectively (see Compliance Heat Map).


The Heat Map is based on historical data related to the number of identified violations for non-compliance and the penalties paid by wrongdoers. Beginning with the raw data, we examined:

  1. The probability a practice will be audited for a given area of compliance; and
  2. The level of risk a practice takes on if it fails to comply with that given area.

Scores are based on a scale of 1-5, where 5 represents the greatest probability and risk. The upper right quadrant of the Heat Map represents the highest probability you’ll be audited and the most severe penalties for non-compliance.

For example, we scored being audited for the Americans with Disabilities Act (ADA) at 1 (low probability). But if you are audited, the failure to comply scores at 5 on our scale. In 2012 there were 72 lawsuits commenced for failing to comply with the ADA, with total fines and penalties of a whopping $5.4 million.

Top Compliance Priorities for All

The highest frequency, highest severity categories in the upper right quadrant of the Heat Map for any practice should include HIPAA, Medical Records, and the False Claims Act (FCA), as shown in our example.

We discussed HIPAA compliance, and compliance with medical records rules and regulations, in the series of articles “Answer Common HIPAA Questions,” which ran last year in Healthcare Business Monthly. Using the Heat Map as our guide, we will explore additional topics in the coming months, beginning this month with the FCA.

The What, Why, and Where of Compliance

When discussing compliance issues, generally, I ask: WHAT is it? WHY does it exist? WHY should you care? And, WHERE can you find more information?

What Is the FCA?

The FCA is a federal law prohibiting a practice from submitting false or fraudulent claims to the federal government. This includes claims for payment of healthcare services paid by the federal government, most notably for the federally funded Medicare and Medicaid programs.

Why Does the FCA Exist?

Congress enacted the FCA in 1863 because it was concerned that product suppliers during the Civil War were defrauding the Union Army. The FCA stipulated that any person who knowingly submitted false claims to the government was liable for double the government’s damages, plus a penalty for each false claim.

There are actually two FCAs: a civil act and a criminal one. Penalties for violating the civil FCA are severe, ranging currently from $5,500 to $11,000 per violation. Plus, the federal government tacks on an additional penalty of three times the amount of damages suffered by the program. Each instance where a practice fraudulently bills the federal government for an item or a service counts as a claim, so fines can add up quickly.

The government’s return on investment for enforcing the civil FCA is huge. For every $1 it invests on enforcement, it receives $7 in recoveries. To date, the Office of Inspector General (OIG), which enforces the FCA, has recovered upwards of $30 billion for government medical programs from providers of all types.

You can violate the FCA by:

  • Knowingly submitting a false claim to the government
  • Knowingly causing someone else to submit a false claim to the government
  • Knowingly making a false record or statement to get a false claim paid by the government
  • Conspiring to do any of the above

For example, a physician who knowingly submits a claim for healthcare services for a patient who doesn’t exist, never received the services, or for whom the services were not medically necessary is in violation of the FCA. A false claim could also be triggered when a practice bills for procedures over a period of days when all of the services occurred during one visit.

The difference between the criminal and civil FCA is “knowledge.” You can’t violate the criminal FCA, and potentially serve jail time, unless the government can prove you submitted a claim or caused someone else to submit a claim that you knew to be false. Under the civil FCA, however, knowing includes not just actual knowledge, but also instances in which a person acted in deliberate ignorance or reckless disregard of the truth (in other words, the person should have known the claim was false). This makes it easier for the federal government to bring a civil FCA case against a practice than a criminal one.

Everyday Examples

Several situations may arise in your practice that could result in a violation of the FCA, some of which might not be obvious to you. For instance, non-physician providers perform many functions and services in a typical practice. If one uses a physician’s provider identification number without meeting the incident-to criteria, the practice could receive a higher reimbursement rate than is allowed. This overpayment, if not returned to the federal healthcare program in a timely manner, is a violation of the FCA. Your practice should have a strict policy against inappropriate use of physician provider identification numbers by non-physician providers.

Another area that can result in an FCA claim is granting “professional courtesies,” which describe a number of practices. The traditional professional courtesy is when a provider waives all or a part of his or her fee when healthcare services are provided to other providers, staff members, or their families. More recently, professional courtesy includes waiving coinsurance obligations or other out-of-pocket expenses for providers, staff members, or their families — commonly known as insurance-only billing.

There are circumstances in which waivers are permitted, but this should never be done routinely. Waivers should be well documented, and based on financial need. To do otherwise risks violating the FCA, and possible violation of the Anti-kickback statute (a great example of one set of circumstances and actions that can result in violations of multiple laws). Here again, your practice should adopt a strict policy regarding these professional courtesies (ideally, prohibiting them).

Why Should You Care? 

A unique provision within the FCA allows people who are not affiliated with government agencies to file actions on behalf of the government against practices for potential violations of the law. These people, commonly known as whistleblowers, expose misconduct and alleged dishonest or illegal activity occurring in an organization (often their employer). Whistleblowers can be office staff, patients, physicians, competitors, etc. If a whistleblower’s lawsuit is successful, he or she is entitled to keep a percentage of any monies the federal government recovers from the practice.

Under the FCA, a whistleblower has to prove the physician practice (or billing company) submitted a claim, or caused someone else to submit a claim, to the government containing false or fraudulent information, and the practice or billing company knew (or should have known) the claims were false. Whistleblowers are protected under many laws. Retaliating against a whistleblower can get you into even bigger trouble.

Where Do You Get More Information about the FCA?

One of the best resources for more information about the FCA is the OIG’s website: www.OIG.hhs.gov.

Still to come: We will cover topics on the Heat Map in descending order: Occupational Safety and Health Administration regulations compliance, and human resource regulations compliance.


Marcia L. Brauchler, MPH, FACMPE, CPC, COC, CPC-I, CPHQ, is the president and founder of Physicians’ Ally, Inc., a full service healthcare company, where she and a diverse staff provide advice and counsel to physicians and practice administrators, and education and assistance on how best to negotiate managed care contracts, increase reimbursements to the practice, and stay in compliance with healthcare laws. Brauchler’s firm sells updated HIPAA, OSHA, & Compliance policies, procedures and online trainings at www.physicians-ally.com. She is a member of the South Denver, Colorado, local chapter.


Renee Dustman

Renee Dustman is executive editor at AAPC. She has a Bachelor of Science degree in Journalism and a long history of writing just about anything for just about every kind of publication there is or ever has been. She’s also worked in production management for print media, and continues to dabble in graphic design.