Where to Begin with Compliance
Read more from the latest issue of Billing.
Ensure Your Clients Follow the Rules
By Michelle Ann Richards, CPC, CPCO, CPMA, CPPM
Some of my clients believe that providing annual OSHA and HIPAA training to employees and keeping policies in a binder constitutes a compliance plan. This is a good start; however, HIPAA and OSHA aren't the only components of a compliance program. A compliance program should also include human resources, HIPAA privacy, HIPAA security, and more.
The Office of Inspector General (OIG) serves as the watchdog for fraud and abuse related to federal healthcare programs. It says an effective compliance program is comprised of the following seven components:
- Conducting internal monitoring and auditing
- Implementing compliance and practice standards
- Designating a compliance officer or contact
- Conducting appropriate training and education
- Responding appropriately to detected offenses and developing corrective action plans
- Developing open lines of communication
- Enforcing disciplinary standards through well-publicized guidelines
As medical billers, coders, compliance officers, and practice managers, it is incredibly important that you become familiar with the OIG guidance for third-party medical billing companies (www.oig.hhs.gov/fraud/docs/complianceguidance/thirdparty.pdf). The OIG created this document to help third-party medical billing companies, agents, and subcontractors develop effective internal controls that promote adherence to applicable federal and state law, as well as the program requirements for federal, state, and private health plans.
There is one clear identifier that distinguishes fraud and abuse: intent. When someone intends to do something, they plan it out and in turn understand what the consequences of their actions are (i.e., defrauding the government, receiving penalties/fines, jail time, or losing their license). There are also many good providers who just weren't aware of updates to the government's rules and regulations or they trusted their billing manager or practice administrator to handle everything without auditing their progress. Some may find themselves placed on a very expensive Corporate Integrity Agreement (CIA) to avoid sentencing or losing their license to practice medicine.
An effective compliance program requires ongoing oversight by a designated compliance officer, a practice manager working a dual role as compliance officer, or a committee. It is imperative to have regularly documented communication among the providers, administration, compliance officers/compliance committees, owners, boards, and billing teams.
So how do you know which policies and procedures to implement? Simple – perform risk assessment audits. There are two kinds of audits a medical practice should conduct: a standards and procedures audit and a claims submissions audit.
A standards and procedures audit lets you determine whether office policies and day-to-day processes are in compliance, whereas a claims submissions audit can determine whether providers and staff are submitting claims in accordance with federal rules and payor policies. A claims submission audit can be done either prospectively (prior to claims submission) or retrospectively (after the claims have been sent out). If you decide to conduct a retrospective audit, you may end up reimbursing payors. In conducting a claims submissions audit, you first have to decide:
- If you will perform a retrospective or prospective audit
- What type and size of sample you will use: random, controlled, select payors, or all payors
- What audit tools you will use
- The risks you should be monitoring
Regardless of whether you conduct a prospective or retrospective audit, the results will remain the same. If you have performed the claim submissions audit appropriately, you should know if:
- Documentation is complete and accurate
- Claims are accurately coded and reflect all services provided
- Services or items provided are reasonable and necessary
- Claims are submitted with correct NPI information
- Claims are submitted with all correct insurance and demographic information
- Any incentives for providing unnecessary services exist
Start with observation. Practice managers should observe the practice through the eyes of a patient. Every aspect – from making an appointment to checking out – should be observed and noted for any deficiencies or areas to improve. Look for the following items in the waiting room or patient care areas:
- Notice of Privacy Practices is posted in a prominent area and is offered to all new patients
- Front office staff avoid using patient identifiers or having loud conversations
- New patient requirements are adhered to – for example, photo identification; insurance information; emergency contact details; race, ethnicity, or language information
- A TV, radio, or some sort of distraction is playing to avoid incidental protected health information disclosures
- Magazines are not offensive
- Adequate seating is provided for obese patients
- Doorways and walkways are adequately wide for handicapped persons
- Hand rails are located in restrooms or handicap-accessible stalls are available
- Interpreters can be made available for those who need them
These are just a handful of examples of what to look for by observing the practice. You will likely find other areas of risk by asking your employees and clients' employees questions such as:
- Do you know where all the exits are located?
- Are the exits well identified?
- Do you know the emergency management plan?
- Do you know what to do in case of fire?
- Do you know where the fire extinguishers are located?
- Do you know how to use a fire extinguisher?
- Do you know what a Material Safety Data Sheet is and where it is located?
- What steps would you take if your co-worker ingested a chemical used in the office?
- What do we do when a patient has a complaint?
- What would you do if a patient fell in the exam room?
- How often does the practice test emergency eye wash stations?
- Is there a reconciliation process for billing and appointments?
These questions will all be part of the risk assessment process. If employees do not have the answers to any of the above questions, you will want to adjust your training and education.
After the internal audit (risk assessment) identifies the medical organization's risk areas, the next step is to develop a method for addressing those risk areas through standards and procedures. Written standards and procedures are a central component of any compliance program. Having the right policies and procedures in place will help reduce the prospect of erroneous claims and fraudulent activity by identifying risk areas for the medical organization or practice. Once the risk areas are found, a compliance officer or appointee will need to establish tighter internal controls to counter those risks, while also helping to identify any aberrant billing practices. This is all done by risk management. (We will discuss this further in an upcoming article.)
Continue the Audit
After the initial risk assessment, periodic audits are recommended (at least annually) to ensure the compliance program is being followed appropriately. Whether you are a medical billing company, practice, or hospital, the following structure ensures that providers understand coding and billing, medical documentation, and expectations of their performance. I recommend having a structured training process for providers, including:
- Medical documentation training
- CMS fraud and abuse training
- Reviewing current benchmarking data for provider's specialty
- Performing a prospective billing audit on 10 patients
- Reviewing audit results with provider and re-education, if necessary
- Ongoing auditing and monitoring of provider billing
Auditing and monitoring is a continuous process. Most importantly, the aforementioned will need to be documented. As the saying goes, "If it's not documented, it was not done." This holds true in the world of healthcare compliance, especially when it comes to auditing and mitigating risk areas.
The Importance of Ethics
There is a fine line between compliance and ethics. In essence, compliance means conforming to relevant laws, regulations, policies, standards, procedures, or contractual obligations. These standards could be in the form of external (local, state, federal, or third-party) or internal obligations. Compliance with external obligations is a critical component of effective risk management, which can enable the medical organization to better prevent, detect, contain, and correct any noncompliance issues that could damage the viability of the organization.
Ethics refers to moral principles and values that guide a person or an organization. The term "ethical conduct" can refer to knowing the difference between right and wrong and choosing to do what is right. This is why it is extremely important that medical organizations send a message to their employees that leadership, starting from the top, is on board with the compliance program. This will in turn lay the foundation for building a culture of compliance within the organization.
Therefore, all medical organizations and practices should perform their due diligence prior to hiring or promoting a person to the role of compliance officer. They will need to ensure that:
- Individuals with substantial authority have not engaged in any illegal activities or conducted themselves in a manner inconsistent with the Code of Ethics
- Screening procedures are employed for all new hires, such as background, criminal, and exclusions checks
- Previous employers are contacted prior to hiring or promoting individuals
It is very important to have policies and procedures in place and to keep policies up to date. A Code of Conduct or Code of Ethics should be designed to set the expectations of employees' behaviors and attitudes. By regulating behavior and putting policies, rules, and consequences into practice, practices ensure that employees know what is expected of them and will adhere to and promote ethical behavior based on shared organizational values.
More than Compliance
A ripple effect takes place once a compliance program has been implemented. Just in relation to coding and billing, there is an increased accuracy of documentation that will provide an end result of actually enhancing patient care. Compliance programs also provide benefits by not only helping to prevent erroneous or fraudulent claims, but also by showing that the medical organization is making additional good faith efforts to submit claims appropriately.
Providers should view compliance programs as analogous to practicing preventive medicine for their practice. Medical organizations that embrace the active application of compliance principles in their culture and continually put efforts toward compliance can help to prevent problems from occurring in the future. Some added benefits of having an effective compliance program include:
- Increasing patient and employee safety
- Increasing patient and employee satisfaction
- Ensuring accountability
- Reducing billing mistakes
- Reducing the likelihood of repercussions from an audit
- Streamlining and improving business operations
- Creating a team environment
Having a compliance program sends an important message to the medical organization's employees – including all physicians and mid-level assistants – that leadership recognizes mistakes will occur, but you have a plan in place to handle them.
Michelle Ann Richards is the compliance manager for the American Association of Professional Coders' (AAPC) Compliance Division. She has more than 20 years of healthcare leadership experience. She was part of the team responsible for building 7Atlis, AAPC's Compliance Solution Software (www.7atlis.net). Richards has successfully built a network of healthcare attorneys while providing compliance assistance to their clients on corporate integrity agreements or under government radar. She works with independent physician practices, hospitals, hospital-owned physician practices, federally qualified health centers, and third parties in healthcare across the United States. She can be reached via email at firstname.lastname@example.org.