The government now expects healthcare providers and suppliers to have effective compliance programs in place, but a compliance plan only works for you when you are working with it, according to Robert W. Liles, JD, MBA, MS, Managing Partner, Liles Parker, PLLC, Washington, DC, and Paul Weidenfeld, JD, Co-Founder, Exclusion Screening, Washington, DC, who hosted a lively discussion on the ins and outs of effective compliance plans and the laws surrounding them at the virtual 2020 Healthcare Administration Alliance Conference.
“Having this big, expensive plan with 17 binders is no good if you’re not going to follow it,” said Mr Weidenfeld.
“You want a living, breathing compliance plan that evolves and is relevant to your practice,” added Mr Liles. “You can’t just buy one off the Internet. You need one that is tailored for your individual risks and your needs.”
Mr Weidenfeld framed it from a risk-management perspective. “Your risks all come down to the failure to do what you should be doing, and that’s involved with compliance,” he said. “We often keep them separate, thinking risk is insurance and compliance is rules, but really they feed into each other quite a bit.”
The Rise of Compliance Programs in Healthcare
The Office of the Inspector General (OIG) for the US Department of Health and Human Services (HHS) has encouraged compliance for decades. In the late 1990s, the OIG developed a series of voluntary compliance program guidance documents for various segments of the healthcare industry, including hospitals, physicians, nursing homes, third-party billers, durable medical equipment suppliers, chiropractors, home health agencies, and hospice organizations. These guidance documents encouraged the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements, but they were not required.
“I have to give the OIG all the credit in the world because the work that they’ve done in this area has now been co-opted by everything from banking to oil and gas,” said Mr Liles. “Before I was a lawyer, I was in hospital administration in the mid-80s. We had a risk manager whose sole job was medical malpractice, but no one envisioned a compliance officer at that time, much less a compliance plan.”
However, with the introduction of the Affordable Care Act, passed on March 23, 2010, compliance plans became required by law.
Keys To Success
According to Mr Liles, in the event of an audit or an investigation, HHS-OIG will tell you, “You’ve had more than a decade to put a compliance plan put in place.” Recent enforcement cases have made it clear that providers without an effective plan in place are already being held accountable for their failure to take steps to avoid regulatory violations, he explained. “You don’t have to participate in Medicare and Medicaid; no one makes you,” he added. “But, if you want to be a participating provider, there are certain rules and statutes that you have to follow.”
Mr Liles explained that differentiating between a Medicare Advantage Plan and a private insurance plan can be difficult, but organizations that accept Medicare Advantage are considered “First-Tier Entities” and must fully comply with Medicare compliance program requirements. Evidence of meeting these mandates includes such measures as implementing a code of conduct and providing training to initial hires and all employees annually, providing general compliance training to initial hires and all employees annually, and implementing mechanisms for reporting potential or actual noncompliance (which includes nonretaliation provisions).
According to Mr Weidenfeld, quite a few requirements exist in Medicaid that do not exist in traditional Medicare. However, many Medicaid requirements do also exist in Medicare Advantage plans. “You may not have a specific Medicare fee-for-service requirement, but I guarantee you, there’s probably one in your Medicare Advantage plan,” he said.
“And just to be clear, every one of those Medicare or Medicaid Advantage plans are a little bit different,” added Mr Liles. He stressed the importance of reading these contracts before signing them. For example, mandatory compliance is required in Texas, and Texas Medicaid providers must attest that they have a compliance plan in place before applying for enrollment. “However, you may have simply checked the box ‘yes’ without even realizing what a compliance program is or what is required under this section,” he noted. “This may be a detrimental mistake.”
Private payers are increasingly mandating that to participate, physician practices must implement an effective compliance program. Although the structure of these programs is often not explicitly dictated, some require the participating provider to implement a program that incorporates the 7 core elements of a compliance plan, identified by HHS-OIG: (1) Standards, Policies, and Procedures; (2) Compliance Program Administration; (3) Screening and Evaluation of Employees, Physicians, Vendors, etc; (4) Communication, Education and Training; (5) Monitoring, Auditing, and Internal Reporting; (6) Discipline for Non-Compliance; and (7) Investigations and Remedial Measures.
Mr Liles and Mr Weidenfeld emphasized the importance of the third element—Screening and Evaluation of Employees, Physicians, Vendors, etc. Although this varies from state-to-state, they explained, employees are often screened against all other databases.
“Risk always comes down to people: the people at the front desk, the nurses, and the physicians,” said Mr Weidenfeld. “Good people really make a difference.”
Mr Liles pointed to one of the issues with screening that has now come to the forefront—referrals from excluded providers. If one of these providers writes a prescription to a Medicare beneficiary, it is not considered a bonafide prescription, and Medicare will not pay for it. “Don’t bill for anything you don’t do,” noted Mr Weidenfeld. In addition, hiring an excluded provider and billing under another provider’s number is not a legal way around this payer issue.
“The top 3 reasons for exclusion are drug offenses, patient abuse, and healthcare fraud,” he added. “In Texas, for example, none of your employees should have been excluded from any state or federal healthcare benefit program.”
Mr Liles and Mr Weidenfeld agreed that the fifth element—Monitoring, Auditing, and Internal Reporting—is really the “heart of compliance.”
“You’ve got to look at what you’re actually doing on a claim-by-claim basis,” said Mr Weidenfeld. “You need to understand what your practice gets and what it gives. If you have never found anything wrong, I don’t think you’re monitoring and auditing properly.”
The last of the 7 elements involves fixing what you have found, for example, paying back an overpayment. “You may get away with it in other businesses, but in healthcare, if it’s not yours, it’s just not yours,” they explained. “And it could be a crime for you to hold on to it.”
DOJ and E/M Considerations
The Department of Justice (DOJ) has focused increasingly on compliance plans and programs for corporations. In June 2020, the DOJ updated its guidance entitled “Evaluation of Corporate Compliance Programs,” which greatly expanded both the questions and factors that providers or suppliers should be considering when determining whether their compliance program is “effective.” According to Mr Liles and Mr Weidenfeld, this expanded guidance may, in fact, be “too detailed,” as it provides several hundred questions to answer in regard to whether a program is effective.
More importantly, they noted that corporations on their own cannot violate the law; it takes individual people to violate the law. “Independent physicians are on the front line,” said Mr Weidenfeld. “And what are they looking at on the front line? They’re looking at your billing.”
Evaluation and management (E/M) coding must be used by practicing healthcare providers to be reimbursed by Medicare, Medicaid, or private insurance. Investigations by the government are ongoing, and certain E/M risk areas should be covered in a compliance plan, including, but not limited to, billing for services with a 25 modifier, billing for services that you did not actually render, billing for services that were not medically necessary, and billing for services that were performed by an improperly supervised or unqualified employee.
“The sole investigative tool of the government is really data mining; they don’t actually go to facts anymore, they just go to numbers,” said Mr Weidenfeld. “So, any time you fall outside the norm, they don’t have to prove anything. They have the numbers, so you have to explain why your numbers are outliers.”
Mr Liles and Mr Weidenfeld emphasized the importance of training providers on clinical documentation, coding, and billing, as this has been shown to improve compliance. It is not enough to simply have a compliance program in place, they said. The DOJ will evaluate the effectiveness of an organization’s efforts, and will prosecute culpable individuals, especially in healthcare. “Actually read your contracts and participation agreements, and attest to having a compliance program in place that meets the payer’s requirements,” they stressed.
To ensure compliance, conduct a gap analysis: identify your weaknesses and correct them, and update your plan accordingly. Finally, be certain that a Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act Security Risk Analysis has been performed in 2020. “Hopefully, you will never have a breach of protected health information,” added Mr Liles. “But if a breach does occur, the first item that will be requested by the Office for Civil Rights is a copy of your annual Security Risk Analysis.”
“The fact that restrictions are looser in the time of COVID doesn’t mean you don’t have to do your risk analysis,” added Mr Weidenfeld. “You can’t allow this relief period to change the way you look at things; it doesn’t mean all bets are off.”