“Is It Really Worth the Cost and Aggravation?”
by Sean Weiss, Partner & VP of Compliance
One area I spend a lot of my professional time on is Compliance Programs for clients. Whether it is updating an existing plan or starting from scratch, I always get the same question: “Is this really necessary?” There is one question I always ask and then 5 main things I like to point out. The question is, “What is your level of risk aversion/tolerance?” Some clients are wide open and believe they are immune to governmental investigators, while others are paranoid regarding everything they do. Compliance is a balancing act, and it is critical to understand that what works for one group might not work for another.
There is no “One Size Fits All” when it comes to compliance, and trying to use a compliance plan in-a-box, no matter what size you are, is a really bad idea for so many reasons. Was the plan written for a solo or small group? If so, it may be inadequate for a large group, hospital or health system. Was the plan written for a large group, hospital or health system? If so, it will not work for a small practice. Also, compliance plans in-a-box do not take into account specific State Laws, Regulations, Statutes, etc. Compliance plans in-a-box also do not take into consideration specifics of Local Coverage Determinations (LCDs) from your MAC. And one thing I have learned over the years is that guidance and coverage can and often do vary from Payor to Payor.
Remember, “A compliance plan is a living breathing document that constantly evolves as the practice does.” Trying to fit a square peg in a round hole never works; neither does a Compliance Plan in-a-Box!
When discussing compliance plans with clients or potential clients, I always like to focus on the benefits and minimize the risk mitigation piece since I am not a fear monger. At the end of the day, there are consequences for non-compliance (addressed below) and those can be kept to a few bullets to drive the point home. For me, focusing on the benefits of a compliance plan is far better and brings compliance from being a dark topic to one that can be easily embraced by everyone in the organization, and that will ensure its effectiveness.
Here are some of the benefits to a compliance program:
• Risk Minimization
• Financial Risks & Operational Risks
• Health & Safety Risks
• Reputational Risks
• Better Image, Improved Relationships, Greater Trust
• Minimizing External Pressures
• CMS (UPIC, RAC, MAC, MICs, Private Payor SIU, etc.)
• Governmental Expectations (e.g. DHHS / OIG)
• (Possibly) Reduced Fines and Penalties during an Audit / Investigation
• Greater Efficiency and Improved Outcomes
• Better trained workforce, better morale
• Elimination of uncertainty and confusion about roles and responsibilities
• Better quality operations
• Identifying and addressing problems early
• Reducing likelihood of government audits & investigations
For every inaction, there are consequences, including but not limited to:
• Fines, penalties, and legal fees
• Imposed compliance “settlements” including CIAs
• More regulatory and audit agency scrutiny
• Management time and effort required to perform damage control
• Management turnover
• Lower faculty and staff morale
• Increased bureaucracy and lower efficiency
• Lingering effects
• Guilt by association…
A compliance program does not have to be this 1000-page pigeonhole of a document that binds an organization to do things it cannot or will not. This is one of the things I caution clients about when they seek a law firm to build their compliance program. Make sure first and foremost they are health care centric and understand all of the nuances regarding health care compliance. Too many times I have had clients come to me and share a document “Written” by a lawyer claiming to be knowledgeable about health care, and what I read is a 400-page document that says almost nothing and missed the mark. If you are going to use a lawyer, make sure they have the requisite skills and knowledge to do the job correctly. Look to the American Health Lawyers Association (AHLA) or search online for health care lawyers and interview them thoroughly regarding their experience and understanding of regulatory compliance. It is no different than when you as a consumer seek out a physician for your medical issues; you want to make sure you go to a competent doctor who specializes in what your ailments are to ensure maximum outcome.
When it comes to creating a program, I like to use the KISS Principle for writing after I have conducted a full Gap Analysis of the organization to ensure I understand the foundation of the organization and all of its moving parts. As I said, no two organizations are alike and no one size plan fits all.
Once you get going, it is pretty simple and the first place I like to start is with the Mission Statement since this tells the reader out of the gate what your compliance plan is all about. Here is an example of a simple but effective Mission Statement:
To serve, safeguard, and promote ethical practices at the Medical Practice by:
• Identifying compliance risks and effective methods to mitigate those risks;
• Improving delivery of compliance resources;
• Educating and promoting awareness of ethical and legal standards of conduct through effective programs; and
• Partnering with responsible representatives to monitor compliance and to ensure that appropriate and effective corrective actions are taken where non-compliance is detected
So, why should our organization have a compliance program? Answer: The 2018 United States Sentencing Guidelines (USSG) tell us we should:
U.S. Sentencing Guidelines Provide …
• §8B2.1. Effective Compliance and Ethics Program
• (a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—
• (1) exercise due diligence to prevent and detect criminal conduct; and
• (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
• Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.
• (b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:
• (1) The organization shall establish standards and procedures to prevent and detect criminal conduct.
• (2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
• (B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
• (C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
• (3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
• (4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.
• (B) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
• (5) The organization shall take reasonable steps—
• (A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
• (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
• (C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
• (6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
• (7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.
• (c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.
There is also some really good commentary for this section above that I am providing below:
1. Definitions.—For purposes of this guideline:
“Compliance and ethics program” means a program designed to prevent and detect criminal conduct.
“Governing authority” means the (A) the Board of Directors; or (B) if the organization does not have a Board of Directors, the highest-level governing body of the organization.
“High-level personnel of the organization” and “substantial authority personnel” have the meaning given those terms in the Commentary to §8A1.2 (Application Instructions ― Organizations).
“Standards and procedures” means standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct.
2. Factors to Consider in Meeting Requirements of this Guideline.—
(A) In General.—Each of the requirements set forth in this guideline shall be met by an organization; however, in determining what specific actions are necessary to meet those requirements, factors that shall be considered include: (i) applicable industry practice or the standards called for by any applicable governmental regulation; (ii) the size of the organization; and (iii) similar misconduct.
(B) Applicable Governmental Regulation and Industry Practice.—An organization’s failure to incorporate and follow applicable industry practice or the standards called for by any applicable governmental regulation weighs against a finding of an effective compliance and ethics program.
(C) The Size of the Organization.—
(i) In General.—The formality and scope of actions that an organization shall take to meet the requirements of this guideline, including the necessary features of the organization’s standards and procedures, depend on the size of the organization.
(ii) Large Organizations.—A large organization generally shall devote more formal operations and greater resources in meeting the requirements of this guideline than shall a small organization. As appropriate, a large organization should encourage small organizations (especially those that have, or seek to have, a business relationship with the large organization) to implement effective compliance and ethics programs.
(iii) Small Organizations.—In meeting the requirements of this guideline, small organizations shall demonstrate the same degree of commitment to ethical conduct and compliance with the law as large organizations. However, a small organization may meet the requirements of this guideline with less formality and fewer resources than would be expected of large organizations. In appropriate circumstances, reliance on existing resources and simple systems can demonstrate a degree of commitment that, for a large organization, would only be demonstrated through more formally planned and implemented systems.
Examples of the informality and use of fewer resources with which a small organization may meet the requirements of this guideline include the following: (I) the governing authority’s discharge of its responsibility for oversight of the compliance and ethics program by directly managing the organization’s compliance and ethics efforts; (II) training employees through informal staff meetings, and monitoring through regular “walk-arounds” or continuous observation while managing the organization; (III) using available personnel, rather than employing separate staff, to carry out the compliance and ethics program; and (IV) modeling its own compliance and ethics program on existing, well-regarded compliance and ethics programs and best practices of other similar organizations.
(D) Recurrence of Similar Misconduct.—Recurrence of similar misconduct creates doubt regarding whether the organization took reasonable steps to meet the requirements of this guideline. For purposes of this subparagraph, “similar misconduct” has the meaning given that term in the Commentary to §8A1.2 (Application Instructions ― Organizations).
3. Application of Subsection (b)(2).—High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program, shall perform their assigned duties consistent with the exercise of due diligence, and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
If the specific individual(s) assigned overall responsibility for the compliance and ethics program does not have day-to-day operational responsibility for the program, then the individual(s) with day-to-day operational responsibility for the program typically should, no less than annually, give the governing authority or an appropriate subgroup thereof information on the implementation and effectiveness of the compliance and ethics program.
4. Application of Subsection (b)(3).—
(A) Consistency with Other Law.—Nothing in subsection (b)(3) is intended to require conduct inconsistent with any Federal, State, or local law, including any law governing employment or hiring practices.
(B) Implementation.—In implementing subsection (b)(3), the organization shall hire and promote individuals so as to ensure that all individuals within the high-level personnel and substantial authority personnel of the organization will perform their assigned duties in a manner consistent with the exercise of due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law under subsection (a). With respect to the hiring or promotion of such individuals, an organization shall consider the relatedness of the individual’s illegal activities and other misconduct (i.e., other conduct inconsistent with an effective compliance and ethics program) to the specific responsibilities the individual is anticipated to be assigned and other factors such as: (i) the recency of the individual’s illegal activities and other misconduct; and (ii) whether the individual has engaged in other such illegal activities and other such misconduct.
5. Application of Subsection (b)(6).—Adequate discipline of individuals responsible for an offense is a necessary component of enforcement; however, the form of discipline that will be appropriate will be case specific.
6. Application of Subsection (b)(7).—Subsection (b)(7) has two aspects.
First, the organization should respond appropriately to the criminal conduct. The organization should take reasonable steps, as warranted under the circumstances, to remedy the harm resulting from the criminal conduct. These steps may include, where appropriate, providing restitution to identifiable victims, as well as other forms of remediation. Other reasonable steps to respond appropriately to the criminal conduct may include self-reporting and cooperation with authorities.
Second, the organization should act appropriately to prevent further similar criminal conduct, including assessing the compliance and ethics program and making modifications necessary to ensure the program is effective. The steps taken should be consistent with subsections (b)(5) and (c) and may include the use of an outside professional advisor to ensure adequate assessment and implementation of any modifications.
7. Application of Subsection (c).—To meet the requirements of subsection (c), an organization shall:
(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:
(i) The nature and seriousness of such criminal conduct.
(ii) The likelihood that certain criminal conduct may occur because of the nature of the organization’s business. If, because of the nature of an organization’s business, there is a substantial risk that certain types of criminal conduct may occur, the organization shall take reasonable steps to prevent and detect that type of criminal conduct. For example, an organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing. An organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.
(iii) The prior history of the organization. The prior history of an organization may indicate types of criminal conduct that it shall take actions to prevent and detect.
(B) Prioritize periodically, as appropriate, the actions taken pursuant to any requirement set forth in subsection (b), in order to focus on preventing and detecting the criminal conduct identified under subparagraph (A) of this note as most serious, and most likely, to occur.
(C) Modify, as appropriate, the actions taken pursuant to any requirement set forth in subsection (b) to reduce the risk of criminal conduct identified under subparagraph (A) of this note as most serious, and most likely, to occur.
Background: This section sets forth the requirements for an effective compliance and ethics program. This section responds to section 805(a)(5) of the Sarbanes–Oxley Act of 2002, Public Law 107–204, which directed the Commission to review and amend, as appropriate, the guidelines and related policy statements to ensure that the guidelines that apply to organizations in this chapter “are sufficient to deter and punish organizational criminal misconduct.”
The requirements set forth in this guideline are intended to achieve reasonable prevention and detection of criminal conduct for which the organization would be vicariously liable. The prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense.
At the end of the day, having an effective compliance program in place can do a lot to mitigate risk and demonstrate “Good-Faith” effort to governmental investigators. Additionally, CMS has considered making compliance programs mandatory as a condition of participation with the program. It is already required for HHAs and within some Medicare Managed Care (Part C). For me, I like knowing that I can build something that works for my clients without being dictated to by the government on what they actually want in there. However, should a practice be investigated and findings of wrong-doing identified, it could result in a Corporate Integrity Agreement being forced onto the organization and that, in and of itself, is reason enough to be proactive and put your own plan in place while it is still a voluntary process.
Over the coming weeks I will explore different policies for you as well as provide sample policy language to help get you started.