Compliance PlansKim C. Stanger

(3/13)

Overview

Why compliance? Common compliance issues OIG Compliance Program Guidance for

Individual and Small Physician Groups (10/5/00)

Practical suggestions for drafting or updating your compliance plan

Written Materials

OIG Compliance Program for Individual and Small Group Physician Practices (10/5/00)

“A Roadmap for New Physicians: Avoiding Medicare and Medicaid Fraud and Abuse”

Sample, very basic Compliance Plan

Disclaimer

We are in a bit of flux– Affordable Care Act (“ACA”) may modify requirements

for a compliance plan.– We have not received implementing regulations.

Principles and sample plans need to be updated and modified to fit your circumstances.

This does not constitute the giving of legal advice. This does not establish an attorney-client

relationship.

Why compliance?

Why compliance?

The government wants its money back!

Increased Enforcement

Increased provider education– CMS training and resources for Medicare providers,

oig.hhs.gov/compliance/provider-compliance-training/index.asp. – MedicAide letter (4/12) re civil monetary penalties

Medicare and Medicaid RAC audits Beefed up fraud and abuse laws and enforcement authority

– False Claims Act– Anti-Kickback Statute– Ethics in Self-Referrals Act (“Stark”)– Civil Monetary Penalties Law– Idaho Medicaid fraud statutes

More sophisticated systems to identify overpayments Qui tam lawsuits Duty to self-report and repay

Repay Overpayments:Medicare “Overpayment” = payments a person receives or retains

to which person is not entitled after reconciliation. Must report and repay overpayments to contractor or

agency by:– 60 days after identify existence of overpayment, or– Date corresponding cost report is due.

Knowing failure =– False Claims Act violation

$5,500 to $11,000 per claim 3x damages Qui tam lawsuit Exclusion from Medicare/Medicaid

– Civil Monetary Penalties violation $10,000 penalty

(ACA 6402; 77 FR 9181)

Repay Overpayments:Medicaid

Must repay overpayments or claims previously found to have been obtained contrary to statute, rule regulation or provider agreement. – Within 60 days: interest free– Within 1 year: interest

Failure to repay =– Termination of provider agreement and exclusion from Medicaid

and other state health programs– Civil penalty of up to $1000 per violation– Referral to Medicaid fraud unit

Repeated rule violations– Recoupment– Civil monetary penalties of at least 25% of repayment

(IC 56-209h(6)(h); see MedicAide letter (4/12))

Health Care Crimes

Criminal Penalties for Acts re Health Care Programs, 42 USC 1320a-7bo False Statementso Anti-Kickbacko False Statements re Facility Certificationo Illegal Patient Admittance and Retention Practiceso Violation of Assignment Terms

Health Care Fraud, 18 USC 1347 Health Care Theft or Embezzlement, 18 USC 669 Health Care False Statements, 18 USC 1035 Health Care Money Laundering, 18 USC 1956, 1957 Obstruction of Health Care Investigation, 18 USC 1518 False Claims, 18 USC 287 False Statements, 18 USC 1001 Conspiracy to Defraud Government, 18 USC 286 Mail and Wire Fraud, 18 USC 1341, 1343 RICO, 18 USC 1961-1963 Medicaid Fraud, IC 56-227

Health Care Civil or Administrative Laws

Program Exclusion, 42 USC 1320a-7, 42 CFR pt. 1001.– Mandatory exclusions, 42 USC 1320a-7(a).– Permissive exclusions, 42 USC 1320a-7(b).

Civil Monetary Penalties, 42 USC 1320a-7a, 42 CFR pt. 1003 Program Fraud Civil Remedies Act, 31 USC 3801. Medicaid Fraud and Abuse, IC 56-209h, IDAPA 16.03.09.200. Civil Monetary Penalties, IC 56-227 Civil Remedies, IC 56-227 Associated regulations

Civil and administrative actions have lower standard of proof. Administrative actions do not require full procedure associated

with trial. See 42 CFR pt. 1005.

Compliance Plans

Why have a compliance plan?

ACA will require physicians to have compliance plan as condition to enrollment in Medicare, Medicaid, SCHIP. (ACA 6401)– HHS to develop “core elements” of required compliance

plans.– HHS has not issued implementing regulations for

physicians yet.– Regulations issued for other providers suggests that

HHS will track elements from earlier Compliance Program Guidance.

Why have a compliance plan?

Even if not mandated, compliance plan is still a good idea.– May facilitate compliance and avoid repayments and other

penalties.– May help avoid fraud charges.– May mitigate penalties.– May improve performance.

facilitates prompt claims submissions identifies undercoding as well as upcoding reduces claim denials improves medical record documentation may identify and prevent patient care problems improves staff education improves efficiency

Compliance plan = preventative medicine

What is the status of your compliance program? Is it current?

– Does it include elements govt recommends?– Does it address recent govt enforcement issues?– Does it fit the group’s current circumstances and

practices? Is it effective?

– Do you know where it is?– Do you or your employees know what it says?– Is it working?– Is it followed?

Remember: failure to comply with plan may be worse than no plan at all.

Common compliance issues

Common Compliance Issues for Physician Offices

Billing and coding Reasonable and necessary

services Documentation Improper financial relationships,

inducements and kickbacks Additional items identified in

– “Roadmap for Physicians”– RAC reports– OIG Workplans– OIG fraud alerts and bulletins– Medicaid newsletters

Billing and Coding

Billing for items or services not rendered or not provided as claimed

Submitting claims for services or items that are not reasonable and necessary

Double billing resulting in duplicate payments Billing for non-covered services as if covered Misuse of provider ID numbers Unbundling Upcoding Improper use of coding modifiers Clustering Lack of documentation to support claims

Reasonable and Necessary Services Medicare only pays for items or services that are reasonable

and necessary “for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.” (42 USC 1395y(a)(1)(A)).

Physician may be liable for false certification.– See Special Fraud Alert (1/99)

May bill to obtain denial for services, but only if denial is needed for reimbursement from secondary payor.

Support claim through documentation, e.g., medical records and physician orders.

Know and notify employees of the carrier’s Local Medical Review Policy (LMRP).

Provide appropriate Advance Beneficiary Notices (ABN)

Documentation

Timely, accurate and complete documentation sufficient to support claim.– Site of service– Appropriateness of service– Accuracy of billing– Identity of care provider

Records should comply with the following:– Medical record complete and accurate.– Reason for visit, history, physical exam and findings, prior

tests, assessment, diagnosis, plan of care.– Rationale for diagnostic and ancillary services.– Codes supported by record documentation.– Progress, response, changes in treatment, etc.

Inducements, Kickbacks, and Self-Referrals

Anti-Kickback Statutes– Cannot knowingly offer, solicit, give, or receive

remuneration to induce referrals for items or services covered by Medicare/Medicaid unless fit within safe harbor.

Ethics in Patient Referrals Act (“Stark”)– Physician cannot refer patients for designated health

services to entity with whom physician or their family member has financial relationship unless relationship fits within exception.

– Entity that provides service per improper referral cannot bill for service, or if billed, must repay payment.

Inducements, Kickbacks, and Self-Referrals

Civil Monetary Penalties Laws– Cannot offer or transfer remuneration to

Medicare/Medicaid beneficiary if you know or should know that the remuneration is likely to influence such individual to obtain items or services payable by Medicare/Medicaid from a particular provider.

– Hospital or CAH cannot knowingly make payment to a physician to induce physician to reduce or limit services payable by Medicare.

Inducements, Kickbacks, and Self-Referrals Suspect transactions: generally any arrangements

between referral sources (e.g,. hospitals, other providers, pharmaceuticals, vendors, DMEs, Medicare beneficiaries, etc.).– Contracts, including employment, consulting, medical

directorships, professional services, etc.– Leases, including space or equipment.– Joint ventures– Gifts and perks– Free or discounted services or goods (e.g., free screening)– Waivers of copays or deductibles– Professional courtesy– Gainsharing

Ensure transactions with referral sources are structured to comply with laws.

Excluded providers

Cannot contract with person excluded from participation in federal health care program.– Providers– Employees– Independent contractors– Volunteers– Clinical or administrative

Must check excluded provider databases.– HHS-OIG List of Excluded Individuals,

www.hhs.gov/oig

OIG Compliance Program Guidance for Physicians

65 FR 59434 (10/5/00)

OIG Compliance Program Guidance

Not mandatory. Not a compliance plan itself. Provides a guide or outline for a compliance plan. Feds will give some deference if plan addresses the

elements and standards in the OIG guidance.– 7 elements are based on Federal Sentencing

Guidelines. Unlike other similar programs, OIG is very flexible and

does not expect small practices to formally implement all 7 elements.

OIG Compliance Guidance:Elements

1. Internal monitoring and auditing.2. Written standards, policies and procedures.3. Compliance officer or contacts.4. Education and training.5. Investigation of alleged violations and appropriate

disclosures to government agencies.6. Open lines of communication, e.g., open discussions

at staff meetings or bulletin board notices.7. Enforcement of disciplinary standards.

Implementation depends on size and resources of group.

1. Compliance officer(s) and contact(s)

Designate person(s) to respond to or prevent problems. May be one person, multiple employees with divided

responsibilities, or outsourced. Job duties include:

– Oversee and monitor compliance program.– Establish methods to check and improve compliance.– Modify compliance program per changes in practice,

government laws and regulations, payor rules, etc.– Develop and participate in compliance training.– Check excluded provider lists.– Investigate reports of potential violations.

2. Written standards and procedures

Develop written standards to address/prevent problems. Basic standard of conduct. Focus on risk areas, e.g.,

– Coding and billing– Reasonable and necessary services– Documentation of diagnosis and treatment.– Improper inducements, kickbacks and referrals

Look to others’ policies, but modify as appropriate. Use basic policies coupled with copies of relevant

resources, e.g., CMS directives, OIG bulletins, Fraud Alerts, etc.

2. Written standards and procedures (cont.)

Regularly review and update with managers and compliance committee.– New laws, regulations, or guidance– Identified problems or risk areas– Change in group circumstances

Tailor policies and procedures to intended audience and job functions.

Ensure policies are written clearly and are not overly complex.

Include real life examples.

2. Written standards and procedures (cont.) Address retention of records.

– Policy should apply to: Records necessary to support payments, e.g., clinical records,

claims documentation, etc. Documents to verify compliance process, e.g., training,

complaints, investigation, compliance program changes, self-disclosures, audits, communications/guidance from regulator, etc.

– Retain for appropriate time. Medicare and Medicaid generally require 5 years. False Claims Act statute of limitations is 6-10 years. Recommendation: 7-10 years.

– Destroy records per appropriate record policy.– Preserve records relevant to investigation.

3. Training and education

Train new providers and employees during orientation– Commitment to compliance– Relevant laws and regulations– Compliance plan– Individual’s role in compliance

Periodically review or update according to needs, e.g., changes in laws, practice, problems, etc.– Train billing and coding personnel at least annually.

Ensure compliance personnel receive ongoing training.– Seminars, workshops, listserves, etc.

Train employees according to their duties. Use real life examples. Document training.

3. Training and education (cont.)

Training should cover:– Compliance plan.

Standards, policies, and procedures. Discipline for non-compliance. Reporting and non-retaliation

– Billing and coding. Coding requirements Claim development and submission process. Signing form without physician authorization. Proper documentation of services rendered. Proper billing standards and procedures and submission of

accurate bills for government claims. Legal sanctions for submitting false or reckless billings.

– Other risk areas.

3. Training and education (cont.) Training sources might include:

– Internal inservice programs– Compliance bulletin board or posting– Professional association programs, publications, or newsletters– Carrier bulletins and training programs– Third-party billing company services– Commercial seminars or workshops– Government training materials

http://oig.hhs.gov/compliance/– Government fraud alerts, bulletins, etc.

http://oig.hhs.gov/compliance/– Listserves– On-line training– Internet

4. Auditing and monitoring

Audits and monitoring should be used to:– Establish baseline in initiating compliance plan.

Claim development and submission process Identify risk areas

– Periodically assess organization’s compliance– Monitor work of new employees or providers– Respond to complaints.

4. Auditing and monitoring(cont.)

Audits should assess– Claims submitted

Proper coding accurately represents services provided.

Proper documentation to support charges. Services reasonable and necessary. No incentives for unnecessary services.

– Contracts Relationships with referral sources

– Quality of care Services and outcomes

– Practice standards, procedures, and effectiveness. Accurate, current, and complete.

4. Auditing and monitoring(cont.)

Create audit plan and re-evaluate it regularly.– OIG recommends

Annual review 5+ records per govt payor 5-10 records per physician

– Refer to sampling techniques in OIG Self-Disclosure Protocol or CIAs

Consider cause of any problems. Create corrective action plans to fix problems.

– Remember 60 day limit to report and repay

5. Open lines of communication

Maintain open door policy. Encourage questions and voicing of concerns. Maintain communication with billing company. Require employees to report suspected violations

promptly and discipline employees for failing to report.– Remember 60-day deadline to report and repay.

Establish process for reporting concerns, e.g., – Persons to whom reports should be made.– Maintain anonymity if possible (e.g., drop box, hotline).– Cannot guarantee anonymity.

Establish and enforce clear non-retaliation policy. Maintain communication with governing board.

6. Respond to suspected violations Indicators of potential problems

– Audit results– Complaints– Significant changes in number or types of claim denials– Challenges from payors– Pattern changes involving use of codes, increased

revenue by a provider, etc.

6. Respond to suspected violations (cont.)

Follow up on all suspected problems. Stop suspected misconduct pending investigation. Conduct a timely, appropriate investigation.

– Remember 60-day deadline to report and repay. Depending on circumstances, response could include:

– A corrective action plan by group.– Return of overpayments.– Report to govt and/or referral to law enforcement.See OIG Self-Disclosure Protocol, www.hhs.gov/oig– “Innocent” mistakes: refund to payor.– Fraudulent acts: report to govt or law enforcement.

Consider consulting with qualified attorney or expert. Document response. Modify compliance plan as appropriate.

6. Respond to suspected violations (cont.)

Don’t make a bad situation worse by ignoring or covering up a violation.

7. Enforce standards through discipline

Take action against employees for violations. Ensure consistent and appropriate sanctions.

– Oral warnings– Written reprimands– Probation– Demotion– Suspension– Termination– Restitution– Referral to law enforcement.

Document in in-house training, employee handbooks, compliance bulletin board, etc.

Document sanctions.

7. Enforce standards through discipline Perform due diligence re new employees with

responsibilities that implicate compliance.– Check backgrounds and qualifications.– Require disclosure of crimes, program exclusions,

etc. Establish policy prohibiting employment of persons

recently convicted of crime involving health care or excluded from program.– Remove or suspend person from activities involving

compliance issues pending resolution of criminal or exclusion investigation.

– Terminate contract or privileges if convicted of health care crime or excluded from program.

“Okay, but how do I come up with a compliance program?!”

Some practical suggestions for updating or developing a compliance plan…

Suggestions for establishing a compliance program.

1. Don’t get intimidated; your program is simply the things you do to promote compliance.

2. Read the OIG Compliance Program.– Only 16 pages long.– Good outline of elements.– Good summary of risk areas that should be

addressed.3. Get physician “buy in” and support.

– Explain benefits.– Remind them of consequences for violations,

including jail, repayments, fines, and qui tam action by whistleblowers.

Suggestions for establishing a compliance program.

4. Establish a written compliance standard and incorporate it into relevant documents, including:– Employee handbook.– Employee training.– Employee evaluations.– Relevant contracts.

Standard should stress:– Commitment to compliance.– Duty to report suspected non-compliance.– Process for reporting non-compliance.– No retaliation against those who report.– Sanctions for non-compliance.

Suggestions for establishing a compliance program.

5. Identify and focus on the key areas for concern based on high risk areas, e.g., – Billing and coding.– Improper inducements (kickbacks, Stark referrals,

contracts or arrangements with other entities, etc.).– Past problems, e.g., claims denials or

overpayments.– Others.

6. Evaluate your performance in the high risk areas. – Review processes.– Review contracts and records.– Review denials.– Discuss with billing agents.

Suggestions for establishing a compliance program.

7. Create or gather documents that explain applicable standards to employees.– Other providers’ written standards– OIG Compliance Program– Commercial products– Professional associations

To the extent you use or create written material to establish your program:– Keep it short– Keep it simple– Make sure it fits your organization– Don’t include anything you won’t do

Suggestions for establishing a compliance program.

8. Train employees on the standards.– Focus on key employees first.– Document training.– Have them sign certification re training.

9. Stay informed of changes in laws.– List serves and publications.– Industry groups.

10. Follow up– Periodic monitoring.– Investigation and response to complaints/problems.– Training.– Documentation.

Additional Resources

https://oig.hhs.gov/compliance/

OIG Website

Compliance 101 series– Videos

HEAT Compliance Training Documents– “Health Care Compliance Program Tips”– “Operating and Effective Compliance Program”– “Recommended Compliance Resources”

OIG Compliance Program Guidance– OIG Supplemental Compliance Program Guidance for Hospitals,

70 FR at 4863-69– OIG Compliance Program Guidance for Physicians, 65 FR 59434

Advisory Opinions, Special Fraud Alerts, Bulletins, Letters CMS Proposed Report and Repayment Rule, 77 FR 9179 Other materials

Additional Holland & Hart Resources

Health Law Basics monthly webinar series– 2/12, 21, and 28

Stark Anti-Kickback Statute Civil Monetary Penalties laws

– 3/14 Physician Contracts– 4/11 HIPAA

Healthcare Update and Health Law Blog– Under “Publications” at www.hollandhart.com.– E-mail me at kcstanger@hollandhart.com.

Webinars are currently recorded and available through our website

Questions?

Kim C. Stanger

Holland & Hart LLP

kcstanger@hollandhart.com

(208) 383-3913