Evaluate Your Compliance Program Like the Government
Make a plan that is committed to preventing, correcting, and maintaining compliance.
Compliance is more than a document outlining plans to meet generalized standards you heard about at a seminar. Compliance is about setting expectations for employees of ethical, proper behavior. It’s about:
- Demonstrating your organization’s commitment to “doing the right thing;”
- Designing a mechanism for constant monitoring;
- Using appropriate tools to prevent and detect violations of laws or policies; and
- Following up to ensure that when a problem is detected, corrected, and resolved, it does not reoccur.
Why Compliance Is Important
Given the complexities of healthcare laws, an effective compliance program is necessary. Such an effort raises awareness of the practice’s commitment, and the role of every individual within the practice — including board members, physicians and other providers, executives, administrators, and clinical and clerical staff — to make decisions that protect the practice (and themselves) from potential risks. An effective compliance effort also means listening to your patients’ concerns about billing or service issues.
Department of Justice (DOJ) fraud enforcement efforts remain aggressive, and the government continues to crack down on alleged violations of the federal False Claims Act (FCA), Anti-kickback Statute, and other laws. Law enforcement investigators and prosecutors are serious about holding organizations and their management accountable.
To see how serious the DOJ is, we need only to look at 2017 federal FCA enforcement activity. In 2017, they recouped over $3.7 billion; and there were 799 new FCA cases filed, of which 84 percent were initiated by a whistleblower. Plus, every state has its own FCA enforcement activities.
Compliance Is More than a Plan, It’s a Commitment
The U.S. Federal Sentencing Guidelines emphasize that it’s not sufficient for a company simply to implement a compliance program. Rather, ongoing risk assessment, training, and improvement is required and is assessed by federal prosecutors when misconduct is identified. In short, practices receive no credit just for having a compliance program — it must be an effective program.
The U.S. Federal Sentencing Guidelines outline what is required of an organization to receive sentencing credit for an “effective programs to prevent and detect violations of law.” The requirements are that:
- The head of the compliance program must report directly to the governing authority or appropriate subgroup;
- The compliance program must discover the problem before discovery outside the organization was reasonably likely;
- The organization must promptly report the problem to the government; and
- No person with operational responsibility in the compliance program participated in, condoned, or was willfully ignorant of the offense.
Assess Your Compliance Efforts’ Effectiveness
Healthcare organizations have two new tools to help self-assess their compliance efforts.
First, on Feb. 8, 2017, the DOJ Fraud Section issued a document entitled “Evaluation of Corporate Compliance Programs” (DOJ resource), which included 11 topics and related questions federal prosecutors may use to assess the effectiveness of corporate compliance programs.
Second, on March 27, 2017, just weeks after the DOJ’s Fraud Section released its document on corporate compliance program factors, the Office of Inspector General (OIG), in conjunction with the Health Care Compliance Association (HCCA), issued a document entitled, “Measuring Compliance Program Effectiveness: A Resource Guide,” (HCCA/OIG guide) which provides guidance for designing and implementing company compliance programs.
The DOJ resource references two factors under the U.S. Attorneys’ Manual that federal prosecutors should consider when investigating a corporate entity (such as a healthcare organization), determining whether to bring charges, and negotiating pleas or other agreements. These factors, commonly known as the “Filip Factors,” include:
- The “existence and effectiveness of the corporation’s pre-existing compliance program;” and
- The corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.”
The DOJ resource offers the following 11 subject areas that federal prosecutors may consider when investigating a healthcare organization, each of which may be more or less relevant depending on the facts at issue:
- Analysis and Remediation of Underlying Conduct
- Senior and Middle Management
- Autonomy of Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third-party Management
- Mergers and Acquisitions
The OIG/HCCA guide contains more than 400 compliance metrics that address seven elements of an effective compliance program, and lists suggested ways to measure such metrics:
- Standards, Policies, and Procedures
- Compliance Program Administration
- Screening and Evaluation of Employees, Physicians, and Vendors
- Communication, Education, and Training on Compliance Issues
- Monitoring, Auditing, and Internal Reporting Systems
- Discipline for Non-compliance
- Investigations and Remedial Measures
Both DOJ Resource and OIG/HCCA Guide are relevant and worth reviewing. Your circumstances — such as group size, whether you have performed prior assessments, and your resources to conduct an evaluation of your compliance program — may lean you toward using one or the other assessment. Some compliance aspects, such as vendor management, provider contracts, or mergers and acquisitions, may benefit from using both documents.
Generally, the DOJ assessment is viewed as more retrospective, while the OIG/HCCA assessment tool provides a more prospective or concurrent view of your program. The OIG/HCCA tool also provides specific measurable guides for each of the 400-plus items, such as pulling samples, interviewing staff, or observing tasks. Don’t be overwhelmed by either document: The best approach is to break the assessment into workable steps, rather than to tackle it all at once.
To quantify your assessment, consider developing a scoring mechanism to identify and measure the gaps in your current program. For example, each item pertinent to your practice would be assigned a score from one to five, with five being the best score. Items that do not apply to your practice are excluded from the scoring. Add the points you receive and divide the sum by the total available points, to obtain your “effectiveness score.”
Corrective Action Plans
As you work through your effectiveness assessment, develop corrective action plans (CAPs), as needed. These may require additional training, revising a policy or procedure, or additional reviews. To help support your compliance efforts, document everything regarding the assessment, scoring, CAPs, subsequent improvement efforts, and the results of subsequent assessments.
A good tip is to document all your compliance efforts with the assumption you’ll be audited. This ensures you have a protected file retention process to keep the documentation for up to 10 years.
Compliance is a dynamic process. Training is not a once and done deal; it’s an annual (at least) event. Likewise, policies and procedures must be updated based on changes such as new payer medical policies, a new service line or procedure, etc.
It’s important that both your compliance program and assessment process are scalable to the type, size, and resources available to your practice.
Performing effectiveness assessments helps in identifying your organization’s vulnerabilities and prioritizing them. Your compliance program and assessment process will evolve and mature based on the time, skill, and effort given to it.
Because of the increased pressure of today’s regulatory and enforcement environment, it’s recommended your practice reviews its compliance program, taking into consideration the DOJ Resource and OIG/HCCA Guide. Remember, though, these are merely guides: They are not mandates to how your practice should evaluate effectiveness.
Joette Derricks, MPA, FACMPE, CPC, CHC, CLSSGB, has 35 years of experience as an administrator, consultant, writer, and educator. She has worked with top-100 hospitals and physician groups of every specialty. Derricks combines her revenue integrity expertise with her operational “know-how” to ensure clients’ operations are profitable and compliant. She is a member of the Baltimore East, Md., local chapter.
DOJ, “Justice Department Recovers Over $3.7 Billion From False Claims Act Cases in Fiscal Year 2017,” www.justice.gov/opa/pr/justice-department-recovers-over-37-billion-false-claims-act-cases-fiscal-year-2017
U.S. Federal Sentencing Guidelines §8B2.1(5), www.ussc.gov/sites/default/files/pdf/guidelines-manual/2011/manual-pdf/2011_Guidelines_Manual_Full.pdf
U.S. Department of Justice Criminal Division Fraud Section Evaluation of Corporate Compliance Programs, www.justice.gov/criminal-fraud/page/file/937501/download
HCCA/OIG, Measuring Compliance Program Effectiveness: A Resource Guide, https://oig.hhs.gov/compliance/101/files/HCCA-OIG-Resource-Guide.pdf
U.S. Department of Justice Criminal Division Fraud Section.
HCCA/OIG, Measuring Compliance Program Effectiveness: A Resource Guide, https://oig.hhs.gov/compliance/101/files/HCCA-OIG-Resource-Guide.pdf \