Enter the New Age of Compliance Program Effectiveness
Minimizing risk is not just about having a compliance program, there are many other factors to account for.
By Joette Derricks, MPA, FACMPE, CPC, CHC, CSSGB
A compliance program that only incorporates the seven elements of an effective compliance program (as articulated in the U.S. Sentencing Commission Guidelines Manual) won’t win you bonus points when negotiating a False Claims Act (FCA) settlement. At the April 2016 Health Care Compliance Association (HCCA) Annual Compliance Institute, U.S. Department of Health and Human Services (HHS) Inspector General Daniel R. Levinson explained the Office of Inspector General (OIG) position on the matter:
Compliance has become such a mature exercise that it is presumed that healthcare institutions … will have robust compliance programs. So that is assumed. One does not get bonus points for having a compliance program at this point. This is not new. This is well established.
Factor in All Compliance Elements
Levinson’s comments paralleled the OIG’s release of a special advisory bulletin entitled “Updated Criteria for Implementing Permissive Exclusion Authority Under Section 1128(b)(7) of the Social Security Act.” The bulletin outlines how the OIG’s exclusion authority decisions are made and the key factors taken into account. Four broad categories are assessed as to whether exclusion is warranted:
- The nature and circumstances of conduct;
- The conduct during the government’s investigation;
- Significant action and efforts to improve the situation; and
- The history of compliance.
Each factor receives a rating: (1) indicates a higher risk; (2) indicates a lower risk; or (3) is neutral to the risk assessment.
The history of compliance categories are rated on:
If the person has a history, prior to becoming aware of the investigation, of significant self-disclosures made appropriately and in good faith to OIG, the Centers for Medicare & Medicaid Services (CMS) (for Stark law disclosures), or CMS contractors (for non-fraud overpayments), this indicates lower risk.
An existing compliance program that incorporates the aforementioned seven elements of an effective compliance program does not affect the risk assessment.
The absence of a compliance program that incorporates the aforementioned seven elements of an effective compliance program is a higher risk.
To earn bonus points, compliance program efforts must demonstrate effectiveness to obtain a low risk score. For example, a large physician group that routinely investigates compliance concerns and voluntarily issues timely refunds to their Medicare carrier has a lower risk score than a group comparable in size that never refunds overpayments.
DOJ and HCCA Reiterate Importance of Bonus Points
In February 2017, the U.S. Department of Justice (DOJ) issued the document “Evaluation of Corporate Compliance Programs,” which outlines important topics and frequent questions the DOJ asks when investigating a corporate entity. The next month, at the HCCA Annual Compliance Institute, the OIG released “Measuring Compliance Program Effectiveness: A Resource Guide,” which outlines the ways components of a corporate compliance program can be benchmarked and measured. A review of both resources makes it clear that organizations without a sound compliance program will have a far more challenging time of scoring bonus points when faced with an investigation.
Expect Corporate Compliance Program Evaluations
The DOJ expects compliance programs to be both strong on paper and in practice. The DOJ’s guidance focuses on three overarching areas: (1) company culture, (2) compliance structure and resources, and (3) the effectiveness of company policies and procedures. It provides critical insight into the substantive compliance-focused questions that the DOJ’s Fraud Section frequently considers when evaluating a corporate compliance program. The three areas are further broken down into the following 11 categories:
Analysis and Remediation of Underlying Misconduct: Has there been a root cause analysis? If so, what was done to resolve the misconduct?
Role and Involvement of Senior and Middle Management: What is management’s “tone at the top” regarding a culture of compliance?
Autonomy and Resources: Does the compliance department have adequate resources and funds? Do compliance personnel have the expertise to do the job? Is the compliance officer recognized as a key role?
Policies and Procedures: Are policies and procedures current, and are employees trained on them?
Risk Assessment: What approach is in place to identify, analyze, and address risk?
Training and Communication: How and when is training offered, and is it appropriate for the employee’s role? Is there open communication beyond formal training?
Confidential Reporting and Investigation: Are compliance incidents analyzed confidentially to protect an investigation and potential whistleblower?
Incentives and Disciplinary Measures: How does the healthcare organization incentivize compliance and discipline employees for misconduct? Are managers held accountable for misconduct that occurred under their supervision? Are disciplinary actions applied consistently?
Continuous Improvement, Periodic Testing, and Review: What is the healthcare organization’s process to continually monitor the compliance program? How are compliance efforts reviewed?
Third-party Management: What controls are in place to manage third-party relationships (business associate agreements, subcontractors, independent vendors, etc.)?
Mergers and Acquisitions: If there has been a merger or acquisition, what process was employed to learn of potential compliance issues in existence? How did the transaction integrate and implement the parent’s compliance program?
Although the new DOJ guidance is not a systematic guide for compliance, it does illustrate the DOJ’s priorities and methodology when reviewing and analyzing compliance programs. Being able to provide satisfactory responses to DOJ inquiries on these topics may determine the outcome of an investigation.
Measure Compliance Program
Effectiveness: A Resource Guide
The OIG’s resource guide is designed specifically for providers to know both what to measure and how to measure with respect to the seven elements of a compliance program first established by the U.S. Sentencing Commission’s Guidelines Manual. The resource guide provides 401 ideas for measuring the seven elements of an effective compliance program. The areas addressed include:
Standards, Policies, and Procedures, including policy/procedure access, accountability, understanding, and updates.
Compliance Program Administration, including the roles and responsibilities of the board of directors, compliance officer, and compliance committee.
Screening and Evaluation of Employees, Physicians, Vendors and Other Agents, including accountability, conflicts of interest, and disclosures.
Communication, Education, and Training on Compliance Issues, including risk-specific training, training and communication plans, and accountability.
Monitoring, Auditing, and Internal Reporting Systems, including risk assessments, work plans, corrective action, and non-retaliation.
Discipline for Non‐Compliance, including consistency, awareness, and documentation.
Investigations and Remedial Measures, including process, quality, consistency, and documentation.
Many items relate to monitoring and audit functions, including development of an annual audit plan, conduct of compliance audits, and relying on sampling techniques. Specific types of audits are listed that rely on document review, interviews, surveys, and a walking through to verify and inspect operations.
Note: Levinson reiterated at the HCCA’s Annual Compliance Institute, “that no organization is expected to adopt all, or even a large number, of the suggestions at any given time, and the list is not intended to serve as a checklist or certification program. Rather, an organization should select measures based upon the organization’s specific needs, resources, and risks as part of its ongoing compliance program assessment.”
As compliance professionals measure and demonstrate compliance program effectiveness, both the DOJ’s document guidelines and the OIG’s resource guide are excellent resources, with practical tools to use to bring your compliance program into the new age.
Joette Derricks, MPA, FACMPE, CPC, CHC, CSSGB, is CEO of Derricks Consulting, LLC with 35 years of healthcare experience as an administrator, consultant, writer, and educator. Her extensive knowledge of third-party reimbursement, coding, and compliance, coupled with her operational “know-how” ensures a client’s operation is productive, profitable, and compliant. Derricks is a member of the Baltimore East, Md., local chapter.