Compliance 101 Study Guide
Stark Law Analysis
1) Is there a referral from a physician for a designated health service (DHS)? 2) Does the physician (or immediate family member) have a financial relationship with the entity providing the DHS? 3) Does the financial relationship fit in an Stark Law exception?
If DOJ declines the case whistle blowers can receive
25%-30% of the award
Journal of Health Care Compliance By William Altman
3 Measures of Effectiveness - Structure - Process - Outcome
Penalties
3 times the government programs, plus $11,000 per claims
OIG can impose mandatory exclusion for a minimum of
5 years
Compliance Annual Report
- Given to Board of Directors and Executive Management - To communicate missions & goals
Anti-Kick Examples - Criminal Statue
- Offering office space at no charge to physicians - Cut-rate support services such as dictation or secretarial services to physicians, or computer equipment provided at no charge by pharm. company
Baseline Audit (Snapshot)- 3 Main Objectives
- Outline current operational standards and extent to which legal requirements are being met - Identify real and potential weakness - Offer recommendations
Four reasons to highlight in presentation to the Board of Directors
- Quality of Care is enhanced - Protect corporate directors from personal liability - Demonstrates to community that provider has commitment to honesty - Reduce organization's exposure to fines and penalties
2010 amendments to the Federal Sentencing Guidelines include the following changes to provide for mitigation of potential penalties
- Restitution or remedying harm done to victims - Self-Reporting & Cooperation with authorities
Perform a Comprehensive Assessment of potential risks and vulnerabilities to the organization
- Review the seven elements of a compliance program - Audit employees attestations for the standards of conduct (Code of Conduct) - Confirm that team members have received annual training on compliance and HIPAA standards - Review the organization's compliance and HIPAA policies to identify any requirements that have not been implemented or are not being adhered to as required by the Office of Inspector General and the Office of Civil Rights
Non- Retaliation Policy
Best way to ensure staff participation in compliance program
Compliance Integrity Aggreement (CIA)
Government Compelled
10 Obstacles to Effective Compliance Implementation
A. Commitment and buy-in B. Lack of funding C. Too many roles for compliance professional D. Interpreting laws and regulations E. Lack of resources and staff F. Lack of education and training G. Resistance to change H. Lack of or poor communication I. Fear of retaliation/retribution J. No internal enforcement
Justice Department
Violent Crime - 1st Priority Health care fraud - 2nd Priority
Compliance Programs
Voluntarily Manadatory
Open Door Policy
MOST important communication device
Upcoding related to the E/M code
Misuse of Modifier 25- allows additional payment for a separate E&M service rendered on the same day as a procedure
February 27, 1997
OIG open letter to all providers - encourages health care organization to implement compliance programs in order to protect themselves from fraud and abuse. With that letter, Model compliance plan for Clinical Laboratory was offered as guidance. Since that time, Model compliance plan has been implemented in many areas as mentioned before
Covered Entity may disclose
PHI to business associate
Stark Law
Pete Starks
Congress could not agree on a Privacy & Security Standard. Department of Health and Human Services issued
Privacy Rule - April 15, 2003 Security Rule- April 20, 2005
HHS Office of Inspector General (OIG) in conjunction with Justice Department is responsible for enforcing the rules and regulations under -Medicare/Medicaid laws outlined as part of the - Social Security Act and administered by
CMS
2004 - Federal Sentencing Commission released "Ch 8 Part B
Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program" - These revisions focused on effective compliance and ethics programs
Anti-Kickback Safe Harbors
An organization identifies a potential issue when reviewing personal services and management contracts.
Education
Best line of Defense and best strategy for prevention
Must be included in the policy for statistically valid sampling and extrapolation
Financial Errors rate exceeds 5% with a refund to occur within 60 days
Sanctions Include:
Fines Restitution Forfeiture Probation
HIPAA
Kennedy Kassebaum Act
Penalties for Privacy Violations
Negative publicity Unintentional violations are subject to civil penalties (up to $100 for each violation with a $25,000 annual limit) Intentitional Violations - subject to criminal penalty (up to $50,000 and one year in jail after $500,000 and ten years In jail for ) File a complain with Department of Health and Human services
Compliance policies and procedures should be integrated into existing policies
Only thing worse than not having a policy is having a policy and not following it. Develop policy carefully and review them regularly. Make sure they are realistic and measurable.
Verification
Privacy regulations to require the covered entity to have in place reasonable methods to verify that the individual is who she says she is and that she has the right to receive the information.
Medicare inpatient reimbursement
based on $10,000 numeric codes ICD-9-CM organized into DRGs
Double Billing
charging an "access fee" or "administrative fee" that allows them to obtain Medicare payments
OIG & Federal Sentencing Guidelines call for the
designation of a compliance professional
1984 Sentencing Reform Act
designed to correct inequities in deferral sentences. Includes the Federal Sentencing Guidelines that include guidance for assessing fines and detailed method for calculation of a "culpability score."
False Claim Act (FCA)
empowers government to investigate and bring civil action in fraud case. Implemented during Civil War to curb war time price gouging also allow private citizen to bring civil actions against an organization in the name of United States. This action provided significant incentive for the private citizen to come forward. This action is better known as Qui Tam, whistle blower.
Upcoding
has been a major focus for OIG HIPAA added additional civil monetary penalty to the OIG sanction authorities for upcoding violations
OIG Work Plan
highlights areas the government will give close attention to
Health Insurance Portability and Accountability Act - Passed in 1996
legislative action include the availability, portability, and renewability of health insurance, changes to fraud and abuse laws, the Administrative Simplification Section; tax provisions; application enforcement provision of group health plan regulations and revenue offset.
Who needs compliance? Why?
o Physicians practices o Medicare o Ambulance Services o 3rd Party Billing o Pharmaceutical Manufacturing o Hospitals o Laboratories o DME o Home Health
What do you do when you find a problem?
o First, meet with you in-house or external legal counsel and determine extend of potential violation o OIG recommends an internal investigation; be sure to take necessary steps immediately to stop or modify the procedures that are alleged source of wrongdoing o Internal investigation must be handled carefully and documented meticulously o Compliance officer should be part of team with senior staff performing audit; team should meet together at least at the end of investigative process to discuss findings and plan for final report o OIG calls for prompt reporting of misconduct to appropriate governmental authority with in a reasonable period, but not more than 60 days after determining that there is credible evidence of a violation and not more than 30 days to avoid stricter fines. o Thorough documentation will include: Description of potential misconduct and how it was reported Description of investigative process List of relevant document reviewed List of employee interviewed Employee interview question and notes Changes to policies and procedures, if appropriate Documentation of any disciplinary action Investigation final report with recommended remedial actions o Per OIG "As appropriate such step may include an immediate referral to criminal and/or civil enforcement authorities a corrective action plan, a report to the Government, and the submission of an overpayment, if applicable" o Voluntary disclosure - is not only the right thing to do, it also provides certain financial advantage. Those who violates False Claim Act are liabel to government for civil penalty of not less than $5000 and not more than $10,000 plus tremble damages for each false claim. If organization reports the violation within 30 days of discovery, however, damages can be significantly reduced o OIG encouraged voluntary disclosure of suspected fraud. Organization are expected to police themselves and work with government to correct problem. OIG currently maintains a Provider Self Disclosure Protocol on it website o Although not protected from civil or criminal action under False Claim Act, providers disclosing fraud are advises in the Self-disclosure protocol that self-reporting of wrongdoing may offer mitigating factor. By self reporting, the provider may have option of conducting a self-audit (following OIG guidelines) rather than an imposed government audit. o From "Building a Partnership for Effective Compliance: A Report on Government-Industry Roundtable," participate identified a series of questions to guide scope of internal investigation • What is the origin of the issue? Systematic practice, a third party inquiry, or misconduct by individual • When did the issue originate? Origin of practice and extent of its impact on organization • How far back should the investigation go? • Can extrapolation of a statistical sample be used? Statistical sampling and extrapolation may be warranted when it is too difficult or costly to determine the exact cause of improper billing
Participating Providers
the physician will not seek extra payment (beyond the co-payment or deductible)
Compliance Budget correlate
to the size of the organization and scope
Compliance officer's duty
will vary depending on size and scope of program
The Administrative Simplification Section of Title II
is the section that triggered the regulation for standard transaction and code sets, privacy, and security of health information, and unique health identifiers.
HIPAA act of 1996
makes it a criminal offense to submit claims based on incorrect codes or medically unnecessary services and the government has the power to exclude the organization from Medicare, Medicaid, and a long list of other government.
If you employ or contact with an excluded individuals, whether directly or indirectly
may be subject to CIVIL monetary penalty and obligation to repay any amounts attributable to the services of the excluded individual
OIG urges that employees be required to have a specific number of educational hours per year
normally 1-2 hrs/year for most organization
Review Program Guidance for Third Party Medical Billing companies
o 17 billing risk areas o 7 coding risk areas
Stark Law - Civil Act
regulations are complicated and consulting legal counsel is advised
Restitution
restoration of something lost or stolen to its proper owner
Privacy
right of an individual to control his or her personal information and keep it from being divulged or used by others against his/her wishes.
OIG suggest training be separated into two sessions:
the first a general session on compliance for all employees and the second covering more specific information for appropriate personnel
OIG Work Plan
identifies high risk & key areas of focus for auditing
Preemption
if a Federal law states that it preempts or overrides state law on a particular issue, then federal law is the law that must be followed
DRG Creep
using a DRG code that provide a higher payment rate than the DRG code that accurately reflects the service furnished to the patient.
Upcoding
using a billing code that provides a higher reimbursement rate than the billing code that actually reflects the service furnished. Major focus of OIG enforcement efforts and HIPAA added additional civil monetary penalty to OIG sanctions
Integrity Program
values and doing the right thing
Compliance Officer
- "focal point" - Sits "ex officio"
For the purposes of interpreting application of the physician Self Referral Law, physicians refer
- DME Providers - Radiologists
Follow Up Audit
30-60 days to see if issues were addressed
When provider makes an innocent mistakes they still must repay identified over payments
60 days
Compliance Committee
"to advise the compliance officer and assist in the implementation of the compliance program."
2 Notices of Proposed Rule Making (NPRM)
Have been issued by HHS - which will incorporate the HITECH changes into the HIPAA rules
Report Stark Law Violation
CMS
Billing Errors
Contact Fiscal Intermediary (FI) or carrier - Must pay back money
Anti-Kickback
Copeland Act (Supplemented Davis Beacon Act)
HIPAA governs the use and disclosure of protected health information (PHI) by
Covered Entities Directly & Business Associated Indirectly
Daniel Levinson
Current IG for Department of Health & Human Services
June Gibbs Brown
Inspector General 1970s-1980s
E/M for NEW patients
cost more than established patients
Anti-kickback statute
prohibits any knowing and willful conduct involving solicitation, receipt, offer, or payment of any kind of remuneration in return for referring an individual or for recommending or arranging the purchase, lease, or ordering of an item or services that may be wholly or partially paid for under a deferral health care program
Balance Budget Act of 1997
has three strike rule - 3 strikes and you're out clause, requiring permanent expulsion for healthcare organization found guilty of fraud a third time.
FSG suggests offering
incentives to those who follow the compliance and ethics program
Report Provider Self Disclosure
OIG Website
Government estimates on fraud
10% of total US health care expenditures, about $100 billion annually
If DOJ assumes the case whistle blowers can receive
15%-25% of the award
Government Agencies
Department of Justice DHHS OIG CMS
Abuse Example
Failure to maintain accurate medical or financial records
A covered entity is bound by the
Notice of Privacy Practices
Compliance Program Guidance (CPG)
Provides principles to follow when coming up with a program that best suits your organization's needs
Organized Health Care Arrangement (OHCA)
clinically integrated setting where individual typically receive health care from more than on health care provider
Focused Training
for employees to learn about cost reporting risks identified by a risk assessment
Illegal to charge more than the limiting charge
established for physician's services
"Sin of omission" and "sins of commission"
failure to detect or report an offense is just as serious as actual misconduct
CIA - (Corporate Integrity Agreement)
organization does not admit fault or liability, but does submit itself to government corrective action plan. Government imposed CIA have been onerous in the past and is expected to become more onerous in the future. CIA are usually 3-5 years, but can last as long as 8 years.
Access Requiring an Opportunity to Object
Group of circumstances for which a use or disclosure of PHI is permitted without first obtaining the individual explicit permission required that the individual be given an opportunity to object. Any one of the three purposes will allow access to the PHI: Include limited information about individual in facility directory - individual name, location within entity, general condition, and religious affiliation; may be shared with clergy. Individual must also be allowed to restrict to whom the directory information is disclosed. Individual is given an opportunity to object; disclosure can be made to family, friends, or other involved in individual care or payment for care; information must be directly related to individual's involvement in the subject's care. If individual does not object to the disclosure, one can reasonable infer in the exercise of professional judgment that the individual does not object Covered entity can disclose PHI for purpose of assisting in disaster relief. The disclosure can be made to either a private or public entity authorized by law or by it character to assist with disaster relief
4 Aggravating Factors to a culpability score
If an upper level employee has "participated in, condoned, or was willfully ignorant of the offense" If the violation is a repeat offense If the government was hindered during its investigation and If awareness of and tolerance of the violation were pervasive
4 Mitigating Factors to a culpability score:
If the organization had an effective compliance program, even though there was a violation If the organization reported the violation promptly If the organization cooperated with the government investigators If the organization accepted responsibility for the violation
Access for Treatment, Payment, and Health Care Operations
If the use or disclosure of the PHI fits into one of three definitions, the PHI can be used or disclosed without getting explicit permission from the individual; requiring an individual permission to use or disclose PHI for PHI was deemed too cumbersome to allow for efficient and effective deliver Treatment - physician call to colleague Payment - Submitting bill to insurance company Health Care Operations - physician compliance
Why Compliance Programs are Essential
Payback to fiscal intermediaries or carriers may result in audited services Probation and court imposed programs Government designed programs Exclusion from government program Reduced threat of qui tam (whistle-blower) lawsuit
Minimal necessary ties to two additional concepts:
Role based access means only allowing employees and other access to the information that is needed to perform their role in the organization Need to Know - educational process - covered entity may grant an individual full access to the medical record because it is appropriate based on her role. The ability to access PHI does not mean that there is a need to know the information
Access for Purposes in Public Interest
Use is deemed to be in the public interest Most of the uses/disclosures under these provision carry restriction on circumstances under which the PHI can be used or disclosed to who it can be disclosed When the information is requested by a secretary of DHHS to investigate an allegation of privacy violation When subject of information requests it
Privacy Rule two major categories:
Ways in which PHI can be used or disclosed Rights provided to individuals Uses and disclosure without an individual's explicit permission Permitted use and disclosures if covered entity has given the individual if the covered entity has given the individual an opportunity to object Uses and disclosure only with individual explicit permission
OIG notes
"Clarifying and emphasizing these areas of concern through training and educational programs are particularly relevant to a hospital's marketing and financial personnel, in that the pressure to meet business goals may render these employees vulnerable to engaging I prohibited practices."
Federal Sentencing Commission has stated
"Compliance and ethics programs shall be designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct."
Federal Sentencing Guidelines
"To carry out such operational responsibility, such individual shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the government authority."
Qui Tam - (Qui tam pro domino rege quam pro se ipso in hac parte sequitur)
"he who brings the action for the king as well as for himself." Can receive up to 15-25% of government's total reward if DOJ accepts the case and 25-30% if DOJ declines the case.
OIG and Federal Sentencing Guidelines calls for designation of a compliance professional
"to serve as focal point for compliance activities."
HIPAA Background
$.24 cents of every dollars spent on health care was being spent on administrative cost; not provision of health care to individual. One reason was high administrative cost of proprietary transaction between provider and payer. Congress identified over 400 prietary transaction method o Standardization of electronic health information also brought increase concern for inappropriate use of health information. As a result, Congress added provisions to statute that is commonly known as HIPAA privacy and security regulations o HIPAA govern the use and disclosure of protected health information (PHI) by "covered entities" directly and their business associates indirectly. o Standard Transaction 837 - Claims/Encounter 834 - Enrollment/Disenrollment 270, 271 - Eligibility 835 - Payment and remittance advice 811, 820 - Premium Payment 276, 277 - Claims Status 278 - Referral Certification and authorization o Standard Code Sets ICD-9 CM HCPCS Level 1 Code (CPT codes) HCPCS Level 2 Code (Medical and surgical supplies) CDT NDC
Anti-Kickback Statute Penalties
$50,000 per kickback & 3 times the amount of remuneration
Responding to a Search Warrant
- Director shall request to see the search warrant and affidavit of probable cause - Must notify the Dean, or their designee and university counsel - The Director or designee shall NOT answer any questions asked by the investigating officer unless Counsel is there
To prevent False Claims Act(FCA) Violation
- Evaluate the process and determine if an inappropriate charge is occurring - if it is, educate staff on no longer placing the charge and evaluate the overpayment and develop a plan to pay back money
Second NPRM
- Issued May 31,2011 - Changes to accounting requirements - Adding a patient's right to request a log of accesses to their electronic Designated Record Set
Upcoding occurs if a provider uses a modifier 25 to claim payment for an E&M when the patient care rendered was NOT significant
- NOT separately identifiable - was NOT above and beyond the care usually associated with the procedure
To obtain reimbursement fromt he Government for services provided to Federal healthcare program beneficiaries you must:
- Obtain a NPI - Complete Medicare Enrollment Application - Complete your state-specific Medicare Enrollment Application
Health Information Technology for Economic & Clinical Health (HITECH) Act
- Passed February 2009 - Part of American Recovery & Reinvestment Act (ARRA) - To promote widespread adoption and standardization of EHRs - includes modifications to the Privacy & Security Rule - First significant
Benefits of Compliance Program
- Safeguards organization legal responsibility to abide by applicable laws and regulations - Demonstrate to employee and community the organization's commitment to good corporate conduct - Identify and prevent criminal and unethical conduct - Improve the quality of patient care -Create a centralized source of information on heath care regulations - Develop a methodology that encourages employees to report potential problems - Develop procedures that allow the prompt, thorough investigation of alleged misconduct - Initiate immediate and appropriate corrective action - Reduce the organization remedies, such as program exclusion Per OIG "Current CMS reimbursement principles provide that certain of the costs associated with the creation of a voluntarily established compliance program may be allowable on certain types of hospital's cost report. The allowable costs, of course must at a minimum, be reasonable and related to patient care." However, government imposed compliance program, or corporate integrity agreement, are not allowed
Two instances under the privacy regulations when the covered entity is required to disclose PHI
- When information is requested by Secretary of DHHS to investigate an allegation of a privacy violation - when patient requests it
Excluded individuals can:
- Work in non-federal health care program payment settings - Provide care to non-Federal health care program beneficiaries - Non- patient care employment options
Non-participating providers
- do not receive direct payment from the Medicare program - cannot charge Medicare patients more than 15% in excess of the Medicare fee schedule amount
CMS Medicare's Final Rule for Teaching Physicians
- effective July 1996 - revised November 2002 - Outlines regulation for services provided by residents and teaching physicians
Baseline Audit (Snapshot)
- first steps in launching an effective compliance program - to eliminate potential areas of vulnerability - must include diagnosis codes and increased billing of complications and co-morbidities
First NPRM
- issued July 14, 2010 - Changes is an amendment to the accounting of disclosures standards
Attestation
- statement that confirms attending training session - retained in employees personnel file
Evaluating for Success
-Annual Review of Written Compliance Program - Continual Review of Policies and Procedures - Benchmarking against your own statistics
File a compliant regarding the covered entity's privacy practices with the
-Covered Entity and Office of Civil Rights of the DHHS
Security
-applies to the spectrum of physical, technical, and administrative safeguards put in place to protect the integrity, availability, and confidentiality of information and the systems in which it is store
OIG urge a "new employee policy
." To perform "a reasonable and prudent background investigation, including reference check."
OIG Top 10 Reason to Implement a Compliance Program
1. Adopting a compliance program concretely demonstrates to the community at large that a provider has a strong commitment to honesty and responsible corporate citizenship. 2. Compliance programs reinforces employee' innate sense of right and wrong. 3. An effective compliance program helps a provider fulfill its legal duty to government and private payors. 4. Compliance programs are cost effective. 5. A compliance program provides a more accurate view of employee and contractor behavior relating to fraud and abuse. 6. The quality of care provided to patients is enhanced by an effective compliance program. 7. A compliance program provides procedures to promptly correct misconduct. 8. An effective compliance program may mitigate any sanction imposed by the government. 9. Voluntarily implementing a compliance program is preferable to waiting for the OIG to impose a Corporate Integrity Agreement (CIA). 10. Effective corporate compliance programs may protect corporate directors from personal liability.
7 Elements in Guidance for Hospital
1. Written standards of conduct 2. Designating a chief compliance officer and other appropriate bodies 3. Effective education and training 4. Audit and evaluation techniques o monitor compliance 5. Reporting process and procedures for complaints 6. Appropriate disciplinary mechanism 7. Investigation and remediation of systemic problem
Number of Core Elements in OIG Compliance Manual
7
FCA would NOT apply to
A glitch in an EHR system leads to several upcoded bills going out
Code of Conduct beginning with
Chain of Command
Federal Fraud and Abuse Laws that apply to physicians
False Claims Act (FCA) Anti-Kickback Statue (AKS) Physical Self Referral (Stark Law) Exclusion Authorities Civil Monetary Penalties Law(CMPL)
Affiliated Covered Entity (ACE)
Group of legally separate covered entities that share common ownership or control. Common ownership is easy to determine. What constitutes sufficient ability to influence the actions or policies and procedures is a question that can only be answered based on the facts of each situation. ACE allow group of covered entities to function as one covered entity
Right to Request an Accounting of Disclosure
HIPAA privacy regulations give an individual right to know who has received his/her PHI. An account is not required if disclosure was: TPO Incidental disclosure Made in a limited data set Made with an authorization from hospital Madre for national security purpose Disclosure prior to enforcement date of privacy regulation A disclosure to subject of information Disclosure only required giving the individual an oportunity to object. Disclosure to a correctional institution or other law informant official
Minimal necessary
HIPAA to identify the amount of PHI that can be used or disclosed in a particular circumstance to accomplish its goal or task at hand. These circumstances does not require minimal necessary: With authorization To a provider for treatment Subject of the information Secretary of DHHS As required by law As required to comply with the regulations
Corporate Integrity Agreement(CIA)
If provider does not have one in place, the OIG will develop on that is enforceable through corporate integrity agreement. CIA has detailed policy, training, audit, and reporting requirement that are typically in force for 5 years and involved substantial oversight.
Right to Request Restriction and Confidential Communication
Individual may request additional restrictions on use and disclosure of PHI when the use or disclosure is for treatment, payment, health care operations or the disclosure is to a family member, friend or care taker. These are the only uses and disclosure that the individual is allowed to further restrict. Privacy rule is very explicit. While an individual has the right to request a restriction, the covered entity is under no obligation on the use or disclosure of PHI. Request for confidential communication address manner in which PHI is communicated. If individual request reasonable communication in certain manner, the entity must comply with request
False Claims Act
Lincoln Law
Project Bad Bundled
OIG Effort to identify laboratory tests processed in groups but reported individually at a higher rate of reimbursement also unbundling
Exclusion
OIG has the authority to exclude individuals and entities from participation in Medicare,Medicaid, and other federal health care programs
DRG Creep
OIG identifies as a risk area
hotline or helpline
Other organizations may have in-house email systems. Emails can be configured so that problems can be reported without the reporting the person sending the email. However, if a response is required, then name and address is mandatory. Drop box is another variation. Regular and frequent pick up required as well as no camera nearby.
Responsibility of the Board
Oversight of the corporate compliance program
Kickbacks lead to:
Overutilization Increased program costs Corruption of medical decision making Patient Steering Unfair Competition
Getting a handle on regular review
PDCA Approach
Right to a Notice of Privacy Practices
Privacy regulation requires that covered health care provider and health plans provide individuals with a notice of their privacy practices Notice lets individual how the entity will be using and disclosing PHI Notice should be carefully drafted; if not fully described how PHI is used and disclosed, it could be argued that the covered entity's ability to use and disclose information may be more restrictive that what the privacy regulations allow Must be provided to individual on first visit. The covered entity must have made a good faith effort to obtain an acknoweldgement from individual that the notice was received If first episode of care was over the phone, then covered entity must mail its notice to individual within 24 hours.
There are eleven categories covered entity is permitted to disclose information in the public interest without first obtaining permission
Public health activities Reporting on victims of abuse, neglect, or domestic violence Reporting for health oversight activities Judicial or administrative proceedings Law enforcement purpose Information to coroners, medical examiners, and funeral direcot Information for organ donation Certain research purpose Disclosures to avert a serious threat to health or safety Specialized government functions Workers compensation
Hybrid Entity
Single Entity that meets the covered entity status with both covered and non -covered health care activities and designates in healthcare components as required by the Privacy Rule
Development of policies and procedures begin with areas of risk.
Targeting areas on OIG Work Plan that apply to your organization and adequately address them in your policies and procedures.
OIG believes that the compliance program should include a written policy statement setting forth the degrees of disciplinary actions that may be imposed upon corporate officers, managers, employees, physicians and other health care professionals for failing to comply with standards, policies and application statutes and regulations.
The policies should include 5 points: o Noncompliance will be punished o Failure to report noncompliance will be punished o An outline of disciplinary procedures o The parties responsible for appropriate action o A promise that discipline will be fair and consistent
A teaching hospital may want their support for a compliance program
To come from the Dean
Physician Buy-In
Top 10 obstacles to implementing an effective compliance program
May request an accounting of disclosures
Up to Six year period but cannot go further than April 14, 2003.
Transparency
With OIG & Department of Justice Provide the Government with a list of physicians whom the company paid
Affidavit
a written statement confirmed by oath or affirmation for use as evidence in court
Those who violate the FCA owe the government for civil penalty of
between $5,000 -$10,000
Retrospective Audit
broad baseline risk assessment, a snapshot or essentially a laundry list of all the things you need to fix; better to identify a problem and fix it. If you discover a billing error with over payment, you are required to report the error and pay back any amount due the government.
If you suspect the possibility of wrongdoing,
first step is to contact your in house or external counsel who can make an initial assessment of the risk involved. Counsel will determine whether investigation should continue under attorney-client privilege
Compliance Program
following rules and regulations
Hybrid Covered Entity (HCE)
has as one of its function, an activity that makes it a health care provider, health plan or Health Care Clearing house. Under privacy regulations, entire business would be a covered and subject to regulation. The part of the business that engage in HIPAA covered functions are designed as the covered component and the remaining portions are designed as the non covered portion
Business Associate
individual or corp "person" that performs for a covered entity any function involving the use or disclosure of PHI
Forfeiture
loss or giving up of something as a penalty for wrong doing
Caremark International Derivative Litigation
makes the board responsible for implementation of a system to gather information on the company's efforts to prevent and detect fraud and abuse
Code of Conduct
must be distributed within 90 days of hire
Code of Conduct and Employees
o All employees must receive, read, and understand the standards o A supervisor should explain the standards and answer any questions o Employee should attest in writing that they have received, read, and understood the standards o Employee compliance with standards must be enforced through appropriate discipline when necessary o Discipline for non compliance should be stated in the standards
Code of Conduct: Content Checklist
o Demonstrate system wide emphasis on compliance with all applicable law and regulations o Written plainly and concisely so all employees can understand the standards o Includes internal and external regulations o Mentions organizational policies without completely restating them o Is consistent with company policies and procedures
Current Compliance activities in many organization
o Equal Employment Opportunity Commission (EEOC) o Employee Retirement Income Security Act (ERISA) o Wage and Hour Rule o Occupational Safety and health Administration (OSHA) o Nuclear Regulatory Commission o Joint Commission on Accreditation of Healthcare Organization (JCAHO) o Research compliance
Many organization uses progressive discipline:
o First step would be supervisor's conference in securing employees understanding of the problem and a commitment to correcting the behavior o Second step could be conference with a higher level of authority or written warning. This level would emphasize the seriousness of the situations and stress the urgency of modified behavior of face further disciplinary action o Subsequent steps might include suspension without pay or infliction of a probationary period in which employee will required to correct the behavior. o Final step is termination once all other options have been exhausted. o Any steps beyond supervisor's conference should involved HR department Proper and thorough documentation will be essential
Every organization needs policies and procedures for:
o Internal assessment o Record Retention (where, how long) o Self-disclosure o Regular Medicare sanction checks (General Services Adminisration (GSA) and OIG sanction list) o Billing policies o Unbundling o Credit Balance o No charge visit o Incomplete/Unsuccessful procedure o Documentation requirement
What is a Compliance Program?
o Prevention, Detection, Collaboration, and Enforcement o System of policies and procedures developed to assure compliance with and conformity to all applicable federal and state laws governing organization o Ongoing process, part of fabric of organization, commitment to ethical way of conducting business
Business Associate
people such as accountants, outside legal counsel, transcription agency, billing, and other vendors; before PHI can be shared between covered entities, business associates must provide satisfactory assurance that it will not use or disclose PHI in a manner than contradicts Privacy Rule.
Safe Harbors
protect certain payment & business practices that could implicate the AKS from criminal and civil prosecution
Confidentiality
protecting that information, usually by safeguarding it from unauthorized disclosure
Bad AD Program
request physician's assistance in identifying misleading advertisements
Security Rule
requires organization to control the means by which PHI is kept confidential. It applies to all individually identifiable health information (IIHI) that is store or transmitted in electronic form
Teaching physician Rule
special documentation requirement for services provided by residents and teaching physician.
72 hour rule
stipulates that diagnostic tests provided on an outpatient basis within 72 hours of an admission must be billed as part of the admission DRG
In all OIG program guidances
the first prescribe elements calls for the "The development and distribution of written standards of conduct, as well as written policies and procedures that promote a commitment to compliance."
Federal Sentencing Guidelines (FSG)
very clear on the expected board commitment
When excluded from TRICARE and Veteran Health Administration
will NOT pay for items for services that you furnish ,order, or prescribe
Concurrent Audit
will identify and address potential problems individually as they arise. If problem exist, correct the related policy or procedure, communicate change and then go back for a three, six month follow up audit to be sure the issue is resolved
Function of Compliance Committee:
• Analyzing legal requirement and specific risk areas • Regularly reviewing and assessing policies and procedures • Assisting with the development of standards of conduct and policies and procedures • Monitoring internal systems related to standards, policies, and procedures • Determining the appropriate strategy to promote compliance • Developing a system to solicit, evaluate, and respond to complaints and problems
Certain functions common to all types of organization that should be reviewed:
• Anti-kickback and self-referral issues • Credit balances • Bad debts • Claims development and submission • Record retention • Cost reporting • Marketing • Compliance program processes
Monitoring/Conducting internal audits
• Avoid duplication with other departments such as accounting, quality assurance, etc • Auditors should have experience in areas they are auditing - nurse/physician for medical necessity; coders for documentation and coding • To assure objectivity, reviewers should be independent of physician and line management
Code of Conduct Purpose
• Code of Conduct Purpose o To present specific guidelines for employees to follow o To confirm that all employees comprehend what is required of them o To provide a process for proper decision making o To confirm that employees put standards into everyday practice o To elevate corporate performance in basic business relationship o To confirm that the organization upholds and supports proper compliance conduct
Specific training in high risk areas is critical for specialized personnel. Claim submission has been at the heart of most settlements to date. Federal Sentencing Commission and OIG recommend:
• Ethics • Government and private payer or receiving remuneration to induce referrals • Proper confirmation of diagnosis • Submitting a claim for physician when rendered by a non physician • Signing a form for a physician without the physician authorization • Alteration to medical records • Prescribing medication and procedures without proper documentation • Proper documentation to services • Duty to report misconduct
All other Use and Disclosure of PHI
• Fourth and final way is authorization, a document used to get an individual's permission to access PHI for a particular use of disclosure • An authorization must be used if the intended use or disclosure of PHI does not fit one of the categories already discussed • An authorization is only valid if it contains the required elements as defined by privacy regulation. It must contain: Description of PHI to be used or disclosed in a specific and meaningful fashion Name or other specific identification of person or class of person authorized to make the use or disclosure of PHI Name or other specific identification of person or class of person authorized to receive the PHI Description of purpose of each requested use or disclosure An expiration date Signature of individual and date Statement informing the individual of right to revoke the authorization in writing A statement informing the individual right to revoke authorization A statement informing the individual that signing the authozition is a precondition of treatment, participation in research, eligibility for benefits, or enroll Statement informing the individual that the recipient of the PHI may re-disclose it In a manner that no longer protected by the privacy regulations • Individual is entitled to a copy of the authorization; without all the required elements, it is not valid and a covered entity cannot rely on it to use or disclose PHI • Authorization would not be needed for fundraising purposes. Limited PHI include name, address, insurance status, date of care would be allowed. • Authorization not needed for marketing activities if performed face to face encounter with the individual or if the item of nominal value is given to the individual
OIG recommends compliance officers to consider the following technique:
• On site visits • Interview with personnel involved in management, operations, coding, claims, patient care • Questionnaire developed to solicit impressions of a broad cross section of hospital employees and staff • Review of written medical and financial record the support Medicare claims • Review of written materials and documentation prepared by different division of a hospital • Trend analyses or longitudinal studies that seek deviations in specific areas over a given period • Including compliance language in job description and job evaluation • Using compliance related questions in exit interview
Responsibilities according to OIG
• Overseeing and monitoring the implementation of compliance program • Reporting on a regular basis to governing body, CEO, and compliance committee • Revising compliance program periodically as appropriate • Developing, coordinating, and participating in a multifaceted educational and training program • Ensuring that independent contractors and agents are aware of organization compliance program requirements • Ensuring that appropriate background checks are done to eliminate sanctioned individuals and contractors • Assisting with internal compliance review and monitoring activities • Independently investigating and acting on matters related to compliance
HCCA prepared and published Code of Ethic for Health Care Compliance Professional addressing 3 principles
• Principle 1 - Obligation to public • Principle 2 - Obligation to employing organization - should serve organization with highest sense of integrity, unprejudiced, and unbiased judgment • Principle 3 - Obligation to profession - uphold integrity and dignity of profession, to advance effectiveness of compliance program and to promote professionalism in health care compliance.
Individual Rights under Privacy Rules
• Right to Access and Inspect their record Can restrict the individual's access, ie pyschotherpay notes Inmate's medical record Research study If license health professional: Sharing the information would put the individual or another person in danger Sharing information would be reasonable likely to put that person at risk for substantial harm Put the subject of the information or another person at substantial risk of harm If denied, the individual can appeal the decision (which has to be in writing). Another provider has to review the denial and make a decision. The covered entity is required to abide by the decision
10 Things to include in Your Basic Compliance Course
• The body of legal and regulatory knowledge guiding all compliance activity • Your organization's specific compliance philosophy • How to handle compliance communication within and outside of your organization • How compliance violation are defined and how they should be reported • Policies regarding patient confidentiality handing of patient specific information • Claim submissions-the activity most at risk for compliance exposure • Only qualified individuals will be permitted to perform diagnosis and procedure coding • Physician documentation is the primary determinant of claim submission • Vendors will be held to the same compliance standards as staff • Employee involved in compliance violation will be discipline
