Compliance Plans and Audits
The Office of Inspector General (OIG) has described seven basic components of an effective compliance program for a small physician practice:
Prepare for certification and a career in healthcare compliance
Validate your knowledge, skills, and expertise with healthcare compliance certification
- Conducting internal monitoring and auditing
- Implementing compliance and practice standards
- Designating a compliance officer or contact(s) to monitor compliance
- Conducting appropriate training and education
- Responding appropriately to detected violations
- Developing open lines of communication
- Enforcing disciplinary standards through well-publicized guidelines
These seven components provide a solid basis for a HIPAA compliance program. As a first step, physician practices can adopt those components which, based on a practice’s specific history with billing problems and other compliance issues, are most likely to provide an identifiable benefit. Initially, compliance programs focus on areas identified as risk factors during the auditing and monitoring step. If a provider has an existing relationship with an outside entity, such as a billing office, the provider may use their policies and procedures as a starting point.
To have a successful compliance program, you must show the plan is improving compliance within your practice. This is done with auditing and monitoring. An audit is a more formal review of compliance with a set of standards. For example, an audit might be performed once a year to look at the overall effectiveness of the compliance program. Monitoring is conducted on a regular (scheduled) basis to confirm compliance is ongoing. For example, performed on a regular basis (weekly, monthly, etc.) to see if procedures are working as intended. The staff can perform both, or the office might want to have an external source perform the audit so that it is more objective.
The extent of implementation depends on the size and resources of the practice. Smaller physician practices may incorporate each of the components in a manner that best suits the practice. By contrast, larger physician practices often have the means to incorporate the components in a more systematic manner. For example, larger physician practices can use both this guidance and the Third-Party Medical Billing Compliance Program Guidance, which provides a more detailed compliance program structure, to create a compliance program unique to the practice.
Another resource to help identify items to include in an audit plan is the OIG Semiannual Report. The Inspector General Act of 1978 requires that the Inspector General report semiannually to the head of the department and the Congress on the activities of the office during the 6-month period ending March 31st and September 30th. These reports are intended to keep the Secretary and Congress fully informed of significant findings and recommendations by the OIG.
Two types of audits should be performed: 1.) standards and procedures review; and 2.) claims submission audit.
Examples of areas of risk include:
- Looking back over the history of the practice. Learning from issues that occurred in the past and monitoring to make sure the issues are resolved.
- Identifying what other providers in the same area of healthcare may be identifying as risks and understanding their weaknesses.
- Identifying state and federal billing, coding, and documentation requirements that apply to your practice.
- Referring to specialty societies and associations to learn of risk areas other similar practices are dealing with.
- Checking private payers’ policies in the provider’s contracts. Most payers also have coverage and payment policies available on their website.
The Privacy Rule refers to PHI in any form, but the Security Rule focuses on electronic PHI (ePHI) held or transferred digitally. The Security Rule makes operational the protections contained in the Privacy Rule by addressing the technical and non-tech¬nical safeguards that organizations must put in place to secure individuals’ ePHI.
Each covered entity must identify where ePHI is stored or maintained within their facilities and systems, as well as how it is used and disclosed. Appendix A of the Security Rule is a table, or matrix, that lists the obligations of the covered entity both those required and those that must be addressed. It is this matrix that a covered entity can use as a beginning point to perform the initial assessment required and to create appro¬priate policies and procedures to comply with the Security Rule.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). HITECH is intended to promote standardized electronic health records. Part of the rule makes penalties for breaches of information more painful for the provider or facility than before enactment.
A Business Associate is an entity such as a billing service or a person such as a contract coder who use protected health information on behalf of a covered entity. As a result, the business associate is held to the same standards as the covered entity. Other examples are consultants who perform utilization reviews, a healthcare clearinghouse, an attorney, and a third-party administrator.
False Claims Act (FCA)
Passed during the Civil War, the act prohibits anyone from “knowingly” submitting false or fraudulent claims for payment. The FCA defines a claim as a demand for money or property made directly to the federal government or to a contractor, grantee, or other recipient if the money is to be spent on the government’s behalf and if the federal government provides any of the money demanded or if the federal government will reimburse the contractor or grantee. Medicare fraud and abuse falls under this umbrella.
Under the Anti-kickback Statute (AKS), it is a felony to knowingly and willfully offer, pay, solicit, or receive renumeration in return for a referral, or to induce generation of business reimbursable under a federal healthcare program. The statute prohibits both the offer or payment of remuneration for patient referrals, and the offer or payment of anything of value in return for purchasing, leasing, ordering, arranging for, or recommending the purchase, lease, or ordering of any item or service that is reimbursable by a federal healthcare program
Enacted in 1989, the Stark Law bans certain financial arrangements between a referring physician and an entity that bills the Medicare or Medicaid programs. If a physician (or immediate family member) has a financial relationship with an entity, the physician is prohibited from making a referral to the entity for health services for which the Medicare or Medicaid programs would otherwise pay.