Put Your Right-sized Compliance Plan into Action

Compliance means providers not only have a compliance plan, but they use it.

Navigating the healthcare fraud and abuse laws can be an overwhelming process. Healthcare is one of the most heavily scrutinized industries in our nation. The good news is that the Office of Inspector General (OIG) has provided many resources to increase our compliance efforts. It’s a good thing, now that compliance plans are a condition of enrollment.

Compliance Plans No Longer Optional

The OIG developed a series of voluntary compliance program guidance documents directed at various segments of the healthcare industry to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.
“Right-sized” compliance plans were mandated by the Affordable Care Act in 2010 (42 CFR §§422.503 and 423.504) as a condition of enrollment in Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).
The Affordable Care Act (Section 6401) requires the U.S. Department of Health and Human Services (HHS) and OIG to publish regulations that require most healthcare providers and durable medical equipment suppliers to establish compliance programs. As of Feb. 5, 2018, the Centers for Medicare & Medicaid Services (CMS) has finalized the requirements for providers. Providers must now implement compliance programs to participate in Medicare and Medicaid.

Right-size Your Compliance Plan

An effective “right-sized” compliance program is designed to prevent accidental and intentional violations of laws; detect violations if they occur; and correct future noncompliance. Right-sized is an OIG term that refers to applying the regulations that make sense for your practice. A one-size-fits-all program is not what the OIG is looking for. The intention is to implement the seven elements of a compliance plan as it makes sense to your practice size and risks.
For example, if you are a small practice, single location, one provider, it does not make sense for you to have a “compliance committee”; however, effort should be in place to fulfill the function of what a committee would do in a larger practice setting. Some of the responsibilities of a compliance committee typically include:

  • Responsible for the annual review of policies;
  • Approve policies;
  • Initiate new policies as needed;
  • Monitor compliance training and auditing; and
  • Communicate compliance-related issues to the practice.

If your practice size does not warrant a formal committee, just be sure the functions of that component are managed elsewhere in the organization.

Components of an Effective Compliance Plan

The OIG has identified the seven elements of a compliance plan:

  1. Standards, Policies, and Procedures
  2. Compliance Program Administration
  3. Screening and Evaluation of Employees, Physicians, Vendors, and Other Agents
  4. Communication, Education, and Training on Compliance Issues
  5. Monitoring, Auditing, and Internal Reporting Systems
  6. Discipline for Non-compliance
  7. Investigations and Remedial Measures

Standards, Policies, and Procedures: OIG recommends organizations include real world examples of misconduct in their policies and procedures. Questions to ask when evaluating this area are:

  • Does the organization have standards and policies?
  • Are they accessible to all staff?
  • Does the staff know they exist and how to access them?
  • Are they tailored to specific job functions?
  • Are the policies current?
  • Is there a process for communicating updates or new policies?

Include a code of conduct as one of the standards. This should reflect your organization’s mission, values, and principles of conduct and accountability. Questions to ask when evaluating this area are:

  • Do you have one?
  • Are staff aware of the organization’s code of conduct policy?

Exit interviews with employees who are terminating their employment can also provide great insight. Again, this effort can be as formal or informal as needed. An organization can use tools such as Survey Monkey, staff questionnaires, or focus groups to assess employee awareness and compliance with existing policies and procedures.
Appointment of a Compliance Officer/Committee: Your practice size may not warrant the appointment of a formal compliance officer. In a very small practice with one physician and staff, the compliance officer role often is fulfilled by the practice manager as a “compliance contact.” All functions of a compliance officer are included in their role. The primary responsibilities of this role are neutrality and fact finding. This person is the primary contact for compliance concerns or questions. A compliance contact does not need to have all compliance knowledge, but they should know how to find it. Questions to ask when evaluating this area are:

  • Do you have one?
  • Is this person or representative available to all staff?

Communication: This area is one of the most critical elements. Good communication is essential in all organizations, regardless of size. Communication efforts should include methods for ongoing updates of all compliance issues, as well as a mechanism for reporting any compliance concerns within the organization. There are many options for communication that provide adaptation based on your organizational needs. There are several options for providing a mechanism for all staff to report concerns. Some options to consider are:

  • Maintaining an anonymous hotline
  • Implementing a drop box where staff can anonymously submit compliance questions or concerns
  • Offering an “open door” policy for employees to report noncompliance issues to the compliance officer or contact

One of the most critical elements to communication is to provide and enforce a non-retaliation policy for employees who report potential problems.
For larger organizations that maintain a compliance committee, some options to consider are:

  • Is there a direct line of communication between the compliance officer and the board?
  • Does the officer report to the board on a regular basis?

Possible options to gauge the effectiveness of communication and obtain feedback on training and other compliance efforts can include the use of surveys or other tools, or interviews. Newsletters or internal websites can also be used to maintain visibility with employees.
Education and Training: Regardless of the size of your organization, all employees, physicians, and midlevel providers in your organization need compliance education and training. At minimum, all staff should attend a general compliance training session on an annual basis. Develop and implement additional sessions for education based on the risk areas of your practice. Coding and billing are high-risk areas where targeted training should be done. Questions to ask when evaluating this area are:

  • Are your coders trained for the specialty they are coding?
  • How do staff receive ongoing training/updates when needed?
  • What is the effectiveness of training (new hire and ongoing)?

The effectiveness of training can be validated via post-tests and surveys.
Internal Monitoring and Auditing: There needs to be a method to evaluate the policies and compliance efforts that have been implemented. This can be done informally via an outside auditor or internally by periodic interviews/discussions with staff regarding their perceived levels of compliance within their departments. Audits are a critical component of this area of compliance and should be designed and performed by internal and/or external auditors using auditing guidelines. Investigations of alleged noncompliance should be reported through a reporting policy or by other means. Be sure to include corrective actions and document every step of the way.
One of the most important areas for monitoring is the screening of all employees and providers in the organization. Pre-hire screenings should include license and/or certification verification, credentialing, and federal criminal screenings. Questions to ask when evaluating this area are:

  • Do you have a screening procedure in place?
  • Are all employees, vendors, and medical staff hires screened using OIG, System for Award Management, state, Social Security Numbers, etc.?

Once pre-hire screenings have been performed and documented, the OIG recommends screening on an annual basis.
Reinforcement and Disciplinary Standards: The OIG recommends incentives to encourage compliance within the organization. Disciplinary measures are also required for employees who fail to follow compliance policies. Questions to ask when evaluating this area are:

  • Does your organization offer incentives to encourage participation in your compliance efforts?
  • Does your organization have fair and consistent disciplinary standards?

The OIG states the severity of discipline should be consistent with the severity of the circumstance. Questions to ask when evaluating this area are:

  • Was the necessary discipline timely?
  • What methods of ongoing monitoring are in place to identify if the corrective action was effective in 3 months, 6 months, and 12 months to ensure ongoing compliance?

Put Your Plan in Action

Having a compliance plan documented in your organization is not enough. According to the guidance document issued April 2019 by the Department of Justice (DOJ), “Evaluation of Corporate Compliance Programs,” evaluation of a compliance plan will be included in the investigation when evaluating the circumstances of a criminal investigation. A paper plan will not stand up to this review. According to the DOJ, they will evaluate whether the plan is well designed, applied in good faith, effective, and if the plan actually works in the practice environment.
A “near-paper program” is a documented plan that sits on the shelf collecting dust. No one even knows it’s there and no one has updated it since it was completed years ago. The policies do not even reflect how your organization operates, as several areas of change have been implemented since the compliance plan was created.
Federal agents are coming up with new ways to detect Medicare fraud and abuse. For example, lenders now are asking for Zone Program Integrity Contractors and prior audit results performed on the practice; and insurance companies are refusing to extend existing policies until they have some level of comfort with the compliance efforts of the practice.
The benefit of a working compliance plan is the detection of criminal or unethical behavior. One of the largest sources of penalties in this area is false claims. The False Claims Act imposes liability on persons or companies that defraud governmental programs. Penalties for false claims are on the rise: Minimum and maximum False Claims Act (FCA) penalties were previously set at $5,500 – $11,000 per claim. Effective Aug. 1, 2016, penalties increased to $10,781 – $21,563 per claim.

Methods for Identifying Potential Risks

How can you determine your organization’s risk areas? A risk assessment allows you to detect and prioritize potential risk areas. There are several specific areas that require auditing.

Finance and Billing

  • Does a formal process exist for adding new services or revising information in the chargemaster?
  • Does the facility bill professional services for employed or contracted physicians/locums?
  • Does the facility bill for physician assistant and nurse practitioner services?
  • Are regulatory alerts communicated to the coding and billing staff?
  • Does the organization have a policy to address overpayments/credit balances?
  • Are denial reports shared with coding and other pertinent staff?

Electronic Health Records

Are there default documentation issues? For example, a physician checks off “normal” for the gastrointestinal system, and then a patient’s chart automatically is populated with other descriptors, such as “abdomen soft and non-tender, normal bowel sounds, not distended, organomegaly (e.g., liver not enlarged),” etc. Check the following:

  • Which documentation guidelines is the system hard coded to?
  • How is medical decision-making assessed?
  • Can the record document the party performing the history components?
  • Does the software assign the code? If so, can the provider override it?
  • With established patients, which two of the three key elements does it use?
  • How are the requirements for consultations, evaluation and management (E/M) services, transitional care, and chronic care management documented?

Compliance Tools and Resources

Fraud investigators use data analytics to identify areas of focus for fraud and abuse. Bell curve analysis can be a very helpful tool to identify the billing patterns of your providers. Bell curve data published by the Centers for Medicare & Medicaid Services (CMS) is specific to over 30 medical specialties, allowing practice management and medical billing software to identify providers who are potentially overcoding or undercoding compared to colleagues. AAPC has a bell curve analysis, the “E/M Utilization Benchmarking Tool.”
Another FREE and very helpful resource is the OIG Compliance Resource Portal.
Also see HCCA-OIG Compliance Effectiveness Roundtable, “Measuring Compliance Program Effectiveness: A Resource Guide,” March 27, 2017.
You can also sign up to receive email notices for when new information is released. Good sources on the OIG website include:

  • Compliance Program Guidance
  • Fraud Alerts
  • Special Advisory Bulletins
  • OIG Work Plan

Lastly, sign up/subscribe to your payers’ email newsletters and other alerts to policy changes, and monitor recovery audit contractor findings to stay abreast of widespread targeted reviews.

Make Compliance a Priority

Whatever your organization’s right-sized compliance plan looks like, be sure your efforts demonstrate a commitment to compliance in your organization and reflect that compliance is a priority in your organization. Know your organization’s fraud and abuse risk areas and manage your financial relationships.
An effective, active, right-sized compliance plan may serve as a source of mitigation in the event of litigation. It will identify criminal and unethical conduct and reduce qui tam (whistleblower) actions. Sometimes we must remember the benefits when we feel overwhelmed in managing yet another area in our organizations.
Editor’s note: Kathy Rowland presented at HEALTHCON 2019. This article is based on her presentation.

42 C.F.R. §§422.503 and 423.504
CMS, Compliance Program Policy and Guidance:
DOJ Criminal Division, Evaluation of Corporate Compliance Programs:
