Complying With Compliance
By Robert A. Pelaia, Esq., CPC, CPCO, and Jamie Ewing
Although compliance is your entire organization’s responsibility, it’s your board’s responsibility to manage it.
The Office of Inspector General (OIG) and the American Health Lawyers Association (AHLA) have collaborated on three occasions (2003, 2004, and 2007) to provide guidance for boards of directors’ oversight of compliance issues. This oversight is so important that OIG and AHLA recently collaborated again, this time incorporating the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA) to help develop and publish an updated guidance tool: Practical Guidance for Health Care Governing Boards on Compliance Oversight (the guidance).
Why Is Board Oversight Important?
Compliance with applicable state and federal laws should be of the utmost importance for any organization, especially in healthcare. The industry-wide shift to increased transparency in public reporting has led to greater board involvement. Board oversight helps to ensure your organization’s compliance program is working efficiently and effectively. The guidance was developed to provide “practical tips for Boards as they work to effectuate their oversight role of their organizations’ compliance.”
Current Expectations for Board Oversight
Boards must consistently act in good faith to safeguard an organization against violations of applicable state and federal regulations. To accomplish this, your board must guarantee a reporting system is in place, and that the reporting system is sufficient to maintain timely action. The new compliance oversight guidance notes that boards are expected to use all available resources to optimize the organization’s compliance program. Available resources include Federal Sentencing Guidelines, OIG’s guidance documents, and OIG Corporate Integrity Agreements (CIAs).
The sentencing guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.” The OIG guidance documents highlight the importance of implementing internal controls to monitor adherence to applicable regulations. CIAs outline key structural and reporting requirements for compliance. These resources work to function as a baseline for developing internal controls to promote and monitor compliance.
Balance the Program’s
Scope with Your Organization’s Size
Compliance programs vary by organization. No single standard applies to all organizations. Ideally, your board should strive to make compliance programs as comprehensive as possible, but must balance the scope of the compliance program with the size (and available resources) of an organization. The sentencing guidelines recognized this area of concern, and allow compliance programs to vary according to the size of the organization. The sentencing guidelines also recommend that boards of smaller organizations “may need to become more involved in the organizations’ compliance and ethics efforts” than might be required in larger organizations.
Stay Informed of Regulatory Changes in the Industry
Regulatory changes in the healthcare industry are common, and it’s important for boards to stay informed. The new compliance oversight guidance suggests that your board develop a “formal plan to stay abreast of the ever-changing regulatory landscape and operating environment.” Periodic updates from staff members will allow your board to make informed decisions.
The guidance also notes that outside educational programs are a way for boards to expand their knowledge of industry risks and regulatory requirements. The most effective way to ensure your board is up to date with regulatory changes is by consulting with a compliance professional or, if possible, adding a compliance professional to your board.
Compliance Program Functions
The guidance suggests that you should “define the interrelationship of the audit, compliance, and legal functions” within your organization. Every organization balances myriad functions; when clear boundaries exist between each function, an organization is more likely to maintain a solid structure. According to the guidance, the five significant functions include compliance, legal, internal audit, human resources, and quality improvement. More specifically:
- The compliance function includes prevention, detection, and resolution of any actions that do not comply with the applicable state and federal standards.
- The legal function entails providing advice concerning the legal and regulatory risks of your organization’s business strategies.
- The internal audit function involves an objective evaluation of internal control systems and framework within your organization.
- The human resources function includes the recruitment, screening, hiring, and training of employees.
- The quality improvement function focuses on providing high-quality practices and improving efficiency.
Your board must evaluate each area independently and consistently to ensure each function is met.
The OIG believes your organization’s compliance officer should be independent of your legal counsel because the professional obligations for each function differ. Although independence is crucial, a collaboration between each function promotes your organization’s overall interests.
The guidance notes that boards should develop a process to “ensure appropriate access to information,” perhaps through a “formal charter document approved by the Audit Committee of the Board or in other appropriate documents.” Organizations that cannot separate each function are particularly prone to risks due to the significant possibility of sharing privileged information within the organization (intentionally or otherwise). The guidance suggests that to monitor risks your board should closely evaluate how management:
- Identifies and investigates compliance risks;
- Identifies and implements appropriate corrective actions and decision-making; and
- Communicates between various functions.
Issue Reporting Mechanisms
Your board should receive risk mitigation and compliance effort reports on a consistent, timely basis. Your board must enact a system to encourage open and honest communication, and must make its expectations clear. Expectations may include the use of objective scorecards, internal and external investigation reports, hotline call activity, and reports of allegations of material fraud or senior management misconduct. Per the guidance, your board needs to exhaust all efforts to hold management accountable to meet those expectations.
Formats to receive reports vary by organization. Dashboards are a popular tool that contain key financial, operational, and compliance indicators to assess risk, strategic plans, policies, and procedures. The guidance suggests that your board and management work together to tailor the dashboards to meet your specific needs.
Your board can also establish a risk-based reporting system when certain risk-based criteria are met. This is an effective way to ensure timely reporting of suspected violations.
The guidance also suggests your board conduct systematic “executive sessions” to achieve greater compliance results. These executive sessions should not include senior management, but should include leadership from the compliance, legal, internal audit, and quality functions. Systematic executive sessions act as a way to encourage dialog by keeping the lines of communication continuously open.
The guidance additionally recommends regularly scheduled sessions as a way to maintain continuity (vs. holding sessions only when problems arise).
Risk Identification Procedures
Per the recent guidance, a variety of activities in the healthcare field are prone to violations, including patient referrals, billing problems, privacy breaches, and quality-related events. Your board must first be able to identify high-risk areas. Identification can be accomplished through internal sources, such as employees reporting to an internal compliance hotline or internal audits, and through external sources, such as professional organization publications, OIG-issued guidance, consultants, or news media outlets. Your board can also monitor competitor’s violations to verify that your departments are in compliance.
The sentencing guidelines highlight your board’s responsibility as, “ensuring the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal behavior.” Your board should also develop, implement, and monitor corrective action plans.
New reimbursement forms are now in place, such as value-based purchasing and service bundling, which have led to increased incentives to monitor compliance. Pay-for-performance policies have placed an increased burden on organizations to focus attention on quality guidelines and outcomes. Statutes addressing the provider-physician relationships are broad in nature; therefore, the guidance notes that it is up to your board to continue reviewing these arrangements to ensure compliance is being met — particularly with self-referral (Stark) and anti-kickback laws.
Another industry trend is increased transparency. The recent guidance states that although increased transparency provides significant opportunities to improve care quality, it also carries substantial risk. Information is continually provided to the public concerning health outcomes and quality measures through the Centers for Medicare & Medicaid Services (CMS) quality compare measures. The Open Payments System also provides data to the public on pharmaceutical and device industries’ payments to physicians.
The guidance notes that compliance is an “enterprise-wide responsibility” and suggests that organization needs “to support the concept that compliance is a way of life,” as opposed to simply one requirement in a long list of requirements. To encourage compliance, your board should conduct frequent performance assessments and possibly use the results to withhold incentives or provide bonuses. One method for promoting accountability is through annual incentive programs. Per the guidance, you may implement employee and executive compensation claw-back/recoupment provisions to be implemented when compliance metrics are not satisfied. The OIG has set this example by requiring compliance certifications from managers of all departments (not just the compliance department). This acts as a clear demonstration to your organization that everyone is responsible for compliance.
According to the guidance, self-disclosure compliance programs offer significant benefits. Self-disclosure of violations — particularly of overpayments for providers enrolled in Medicare or Medicaid — allows your organization to remedy the violation promptly, resulting in a faster resolution. The average resolution for OIG self-disclosure is less than one year. The OIG’s self-disclosure cases settle for 1.5 times the damages, as opposed to double the damages under the False Claims Act. Self-disclosure cases also include exclusion releases as part of the settlement; therefore, your board can help your organization avoid significant penalties when violations occur by implementing self-disclosure programs.
Effective Board Oversight
An effective board must remain well informed of regulatory risks, have a comprehensive understanding of your organization’s compliance program, and continually encourage open communication across the organization. Although it’s your entire organization’s responsibility to remain compliant with state and federal regulations, the guidance emphasizes that it’s your board’s responsibility to ensure it provides comprehensive methods for identifying and investigating risk areas, and providing corrective action to remedy any violations.
Why Is this Important to Coders?
Board oversight is important to coders because of the noteworthy shift in expectations. The healthcare industry has placed significant value on transparency in public reporting. Fraud and abuse laws are focused on quality improvement. This drive toward transparency in public reporting of quality data is a clear recognition that quality care is more of a system problem than a competence problem. Medical coders are responsible for ensuring the requirements for medical billing are properly followed and are aligned with your organization’s
Did You Know?
- AAPC addresses compliance requirements for practices (www.7atlis.net) and offers Certified Professional Compliance Officer (CPCO™) credentials. (www.aapc.com/certification/cpco.aspx)
- AHLA is the country’s largest educational organization devoted to legal issues in the healthcare field.
- AHIA is an international organization of professional auditors working to assess and evaluate risk in the healthcare arena.
- HCCA is a nonprofit organization serving compliance professionals in the healthcare industry.
- OIG is the largest inspector general’s office in the federal government, dedicated to improving the efficiency of the U.S. Department of Health & Human Services (HHS) through combating fraud, waste, and abuse in HHS programs.compliance program.
Robert A. Pelaia, Esq., CPC, CPCO, is deputy general counsel at the University of South Florida in Tampa, Fla. He is certified as a Healthcare Law Specialist by the Florida Bar Board of Legal Specialization and Education, serves on AAPC’s Legal Advisory Board, and was a 2009-2011 AAPC National Advisory Board member. Pelaia is a member of the Jacksonville River City, Fla., local chapter.
Jamie Ewing, attends Florida Coastal School of Law, where she is now a full-time, third-year law student, Juris Doctor Candidate, May 2016.