AMARILLO, TX – Last week, we focused on some general tips to limit exposure from compliance issues. No matter how good your lawyer, how well-structured your policy documents, or how well your executive team understands compliance issues, your business’s success or failure under the piercing gaze of regulators will often come down to your corporate compliance program.
Although building a strong compliance program may occasionally seem like putting a roadblock in front of your pursuit of business growth, it’s better to think of it as an insurance policy for your company. Maintaining it can be a real pain, but going without it can be a killer.
To grasp the fundamentals of a sound compliance program, probably the best place to go is the office that typically comes to investigate when things go wrong. The Office of the Inspector General (“OIG”) has issued specific guidance for maintaining a strong DMEPOS corporate compliance program. As with a lot of these issues, it sometimes helps to put yourself in the shoes of a regulator. What are they looking for, and how are you going to prove to them that your business is on the straight and narrow?
The OIG Guidance
The OIG last issued comprehensive compliance program guidance for DMEPOS suppliers in 1999. Last month they announced plans to provide new guidance, starting near the end of this year. That will be broken down into two pieces: One general guidance document applicable to all health care providers, and more specialized industry-specific guidance documents. In a departure from past practice, the guidance will not be published in the Federal Register but instead will be issued through the OIG’s public website.
The 1999 guidance (“Guidance”) still provides the basic building blocks, or what the OIG called “fundamental elements,” of an effective compliance program:
- Implementing written policies, procedures and standards of conduct;
- Designating a compliance officer and compliance committee;
- Conducting effective training and education;
- Developing effective lines of communication;
- Conducting internal monitoring and auditing;
- Enforcing standards through well-publicized disciplinary guidelines; and
- Responding promptly to detected offenses and developing corrective action.
Having an effective compliance program will not only make your business more effective at substantiating claims and handling audits and investigations. It will also make your business more attractive to investors, business partners, and potential buyers.
Let’s look briefly at each element.
Written policies, procedures, and standards of conduct
Standards of Conduct. You should develop general standards of conduct applying to every member of your organization. Standards should promote trust and program integrity. Employees and other members of the organization should attest, in writing, that they have received, read, and understood the standards and will abide by them.
Documented Risk Areas. You should develop policies tailored to address the various types of risk associated with your business. Policies emphasize high-risk areas such as incorrect billing procedures; upcoding; the provision of proper notice to patients, diligence in records maintenance; misrepresentation of goods or services provided; and other common fraud, waste, and abuse issues.
Claims Development. The compliance program should emphasize clear communication with ordering physicians and include procedures to obtain all required elements of the documentation necessary to support the supplier’s claims.
The following issues are typically addressed:
- The documentation of medical necessity;
- The receipt and verification of complete physician’s orders for each item to be provided;
- The proper selection and use of HCPCS codes;
- The use of proper supplier numbers;
- The policies governing the acceptance of Medicare assignment;
- The proper use of Advanced Beneficiary Notice (“ABN”);
- The avoidance of routine waiver of deductibles and coinsurance;
- The appropriate billing of capped rental items; and
- The proper use and documentation for all applicable modifiers;
Basic Regulatory Safeguards. All contracts with referral sources should be reviewed by competent legal counsel for compliance with federal and state anti-kickback and self-referral laws. Your marketing and sales departments should put emphasis on honest, informative, non-deceptive marketing, along with the fostering of patients’ reasonable financial expectations about associated costs.
Sales staff should be aware about issues of inducement, kickbacks, and prohibitions on self-referral. Compensation arrangements based on volume of sales or referrals should be reviewed by competent legal counsel. Adherence with the Telephone Consumer Protection Act is to be maintained, and the specific prohibitions and medical practice safeguards noted. You should implement policies regarding records retention and backup procedures.
Training, Education, and Evaluation. You should establish expectations and periodically train personnel in the most up-to-date compliance standards. Employees should have a clear understanding of the policies and legal requirements of their jobs, understand that compliance is a condition of their employment, and be given clear notice that any failure to comply may result in disciplinary action, up to and including termination.
The Compliance Committee
Each supplier should designate a compliance officer and a compliance committee within the organization.
Compliance Officer. Your compliance officer should be a person of high integrity chosen as a focal point of the organization’s compliance activities. They should have sufficient knowledge, authority, and access to corporate officers to respond effectively to compliance concerns, exercise some discretion in enforcement actions, and transmit concerns to upper management without fear of retaliation. They should periodically revise the program in light of business or regulatory changes. This will require access to employee and contractor records and licensure and the ability to help coordinate personnel issues, including discipline, with the human resources department.
Compliance Committee. Where the organization is sufficiently large or complex, the OIG recommends the formation of a compliance committee made up of individuals from various departments of the business to oversee the compliance risks specific to each. The committee should work to analyze the risk environment and specific legal risks posed by each unit; assess and develop specific policies; work with specific departments to standardize conduct; monitor and evaluate internal control systems; develop strategies to promote compliance and detect infractions; develop a system of complaint solicitation; and monitor trouble areas. The committee should be seen as an auxiliary to the compliance officer.
Training and Education
The OIG recommends a criminal background check for new employees and that all employees and independent contractors be checked against the OIG List of Excluded Individuals and the GSA List of Excluded Parties prior to hiring, and annually thereafter.
Your business should develop a training program for officers, managers, and employees, as well as periodic continued training to reinforce, and where necessary, revise guidance. The OIG recommends annual general training in all relevant areas of compliance outlined above, with specific emphasis on (1) claim development and billing and (2) sales and marketing. All personnel should be subject to training in compliance and corporate ethics.
Trust and Communication
Because effective communication is essential to compliance, you should develop and distribute written confidentiality and non-retaliation policies to all employees within the organization, including procedures for employees to seek clarification about, and when necessary, report compliance concerns. To foster openness, the OIG recommends maintaining hotlines, suggestion boxes, emails, newsletters, and other forms of communications that allow anonymous reporting to reduce fears of retaliation.
Internal Monitoring and Audits
Internal monitoring to ensure compliance is an essential feature of a healthcare compliance program. The Guidance recommends periodic departmental audits and performance evaluation, along with specific steps to take in the event of identified infractions, with special attention on billing and payment infractions and self-reporting responsibilities.
The OIG suggests implementing any or all of the following methods of oversight: Testing staff for billing competence; random on-site visits to all facilities; assessment of relationships to physicians and other referral sources and contractors; unannounced audits; examination of complaint logs; supervisor interviews; the use of targeted questionnaires; interviews with relevant stakeholders; review of documentation of medical necessity; validation of physicians and external suppliers; and use and trend analyses.
Tools should be directed toward the identification and correction of areas of noncompliance. Reports of investigations should be issued and evaluated by the compliance committee.
The compliance program should include guidance for disciplining officers, managers, independent agents, and employees for discovered compliance infractions. The policy should include degrees of disciplinary action that may be imposed upon members of each group of relevant personnel. Available sanctions should be graded to offense, but imposition should be considered on a case-to-case basis. Written standards should elaborate on proper procedures to handle regulatory infractions and other misconduct.
Because compliance infractions threaten the integrity and solvency of your business, the Guidance recommends the prompt response to and implementation of corrective action regarding any discovered infractions. A three-phase process is recommended, consisting of (1) an internal investigation and interim and communication of initial findings, including, where appropriate, consultation with legal counsel; (2) full and transparent disclosure of any discovered infractions to appropriate state and federal regulatory authorities; and (3) the implementation of corrective actions to prevent further similar infractions. This should be documented by your compliance program; lessons should be integrated into your policies.
Putting It All Together
Although there are a lot of components to consider in designing and implementing your compliance program, most of it really boils down to basic business prudence. Train and maintain good personnel. Keep your evolving business practices and requirements up to date. Foster an environment of mutual support in getting everything in place that you’ll need for your business to operate smoothly and grow.
The most common obstacle to an effective compliance program is standard business inertia. You’ve hired a top-shelf company to design the basics of your compliance program and policy documents. You’ve got your binders in place. You tell employees where the information is located, and then you…. stop.
You can have the best policies that money can buy, but still effectively have little to no compliance program. To be effective and robust, your program has to be an active, responsive part of your business. Your compliance committee needs to hold meetings, address issues, and document your actions and any changes to policy. Put update logs on your policies, and make sure to revisit and update them at least annually or whenever new relevant guidance or business practices are developed. Update your annual training. Do the hard work of discussing and learning from discovered mistakes, and document it. Ultimately, every world-class business is built on a catalogue of errors and the resultant lessons learned.
Your compliance program is your proof that you’re learning and adapting to a complex range of business and regulatory hurdles. Keep it healthy and your business will thrive.
Blinn E. Combs, Esq., is an attorney with the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers and other health care providers throughout the United States. Combs can be reached at (806) 345-6355 or firstname.lastname@example.org.
Jeffrey S. Baird, Esq., is chairman of the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or email@example.com.