OIG Compliance 101
“Ensuring the Next Generation is Prepared”
by Sean Weiss, Partner & VP of Compliance
Each day our industry gains new members who are eager to learn and make a difference in the organizations in which they work. However, many times there is a gap in what they know versus what they should know. Honestly, experience is the best teacher but if along the way we, who have either picked up the torch from a former mentor or were handed it because there was no one else who wanted it, can take the time to ensure the next generation of health care professionals is prepared for what lies ahead, then we can take comfort in passing on the torch.
While most still believe that Office of Inspector General (OIG) Compliance is still voluntary, the truth is it is not. It is actually mandated and the authority to compel health care providers and suppliers to adopt compliance programs is actually a condition of enrollment in Medicare, Medicaid, and the Children’s Health Insurance Program. This authority was granted to the Secretary of Health and Human Services (HHS) by Section 6401 of the Affordable Care Act (ACA). To be even more specific, Section 6401 requires health care providers to develop and implement a formal health care compliance program as a condition of enrollment in federal health care programs. The statute requires the secretary, in consultation with OIG, to adopt what is referred to as “Core Elements” for each type of provider/supplier and in each industry segment. Even though as of 2018 the Secretary has not issued core elements or new guidance, it is clear that providers should continue to follow the published guidance outlined by OIG in 2002.
The Seven Fundamental Elements of an Effective Compliance Program (https://oig.hhs.gov/compliance/provider-compliance-training/files/Compliance101tips508.pdf)
- Implementing written policies, procedures and standards of conduct – Without written policies and procedures you do not have policies. Saying, “This is how we have always done it” is not a policy and is indefensible. Health care organizations should write policies specific to their operations and their culture. There is no one-size fits all when it comes to writing policies, so be smart about what you put in writing and what you are going to do. If you make them too burdensome, you’ll be destined to fall short of creating a culture of compliance. Compliance Plans in a box are also not a great option unless you are going to spend the time to customize them to your organization. Simply placing your name in the document and printing it out and placing it in a binder is not a compliance plan. Customization is key with these out-of-the-box solutions.
- Designating a compliance officer and compliance committee – Regardless of your size, someone has to own compliance within your organization. Whether it is one person or compliance by committee, taking ownership of what is required is a must. A compliance officer needs to be someone who is trust-worthy, strong with their verbal and written communication skills, organized and structured, objective and independent, and able to command the respect of all individuals within their organization from the top down.
- Conducting effective training and education – Without training and education of the company employees, your compliance program will be ineffective. Spending time to educate your employees on what their responsibilities are as outlined within the compliance program is critical to creating the culture of compliance that is discussed in §8B2.1 – Effective Compliance and Ethics Program:
(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—
(1) exercise due diligence to prevent and detect criminal conduct; and
(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.
(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:
(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.
- Developing effective lines of communication – Without effective lines of communication, your compliance program has no legs. Employees should know who to come to when they have a concern but more importantly, they should be made to feel comfortable that their concerns are held in the strictest of confidence and that the company embraces a policy of non-retaliation against those who bring to light concerns regarding potential violations.
- Conducting internal monitoring and auditing – Determining the effectiveness of the compliance plan is a must and needs to identify problem areas and assist in the reduction of risks in those areas. These audits can be performed internally or externally and should focus on coding and billing, mock surveys, review of compliance logs, trending and analysis, identifying variances between what the policies require vs. what employees are actually doing.
- Enforcing standards through well-publicized disciplinary guidelines – Every organization must have processes in place to deal with violations of the compliance plan. Regardless of the role of the employee, compliance requirements apply to everyone, which means no one person is immune to disciplinary action if they violate policy. OIG Compliance Guidance suggests that a compliance program should include a written policy statement setting forth the various degrees of disciplinary actions that may be imposed upon corporate officers, board members, managers, employees, and health care professionals for failing to comply with the organization’s standard policies in addition to applicable statutes and regulations.
- Responding promptly to detected offenses and undertaking corrective action – Responding to accusations of impropriety or potential violations is a must and it needs to be done in a timely manner (and also needs to be outlined in your policy manual). Every investigation should have a written report outlining the specifics of the accusation(s) leveled, who was involved, what led to the claim of wrong-doing, steps of the investigation, and the outcome. I strongly suggest the creation of Corrective Action Plans (CAPs) since these provide the specifics of the complaint and the process by which the compliance officer performed their duties and arrived at a resolution (See my Blog Post on Corrective Action Plans).
There is actually an 8th step in effective compliance plans and that is the Risk Assessment. “Risk Assessment” has been added as the eighth element of those that comprise an effective compliance program, especially with the amendments to the Federal Sentencing Guidelines in 2004. A detailed risk assessment is required to appropriately tailor a compliance program to a company’s business circumstances. Keep in mind that there are two aspects to risk assessment:
- Risk assessment should be ongoing.
- The results of risk assessments should influence the design and implementation of the compliance program in order for it to be effective in preventing and detecting violations of law.
Five Practical Tips for Creating A Culture of Compliance
- Make compliance plans a priority now – There is an old song by Garth Brooks titled “If Tomorrow Never Comes.” Do what needs to be done today and stop procrastinating or failing to do your diligence in combating Fraud, Waste and Abuse. The sooner you get started the sooner you can demonstrate a Culture of Compliance!
- Know your fraud and abuse risk areas – The OIG Work Plan is great place to look each year regarding the areas they most consider high-risk. However, here is my personal list of high-risk areas (in no particular order):
- Evaluation and Management Services
- Cloning and Clinical Plagiarism
- Incident-to and Split/Shared Services
- Prolonged Evaluation and Management Services
- LSO Back Braces
- “Improvement Standard”
- “Medical Necessity”
- Manage your financial relationships – Know who you are doing business with and avoid what could be perceived as questionable practices. Understand Fair Market Value (FMV), Anti-Kickback Statute (AKS), Stark Law, Anti-Trust (Sherman Act), Non-Monetary Gift Law, and Beneficiary Inducements.
- Just because your competitor is doing something doesn’t mean you can or should – I remember as a kid when I would get in trouble and say, “Johnny did it so I thought it was okay” and my grandfather would ask me, “If Johnny Dummy jumped off the Brooklyn Bridge would you follow him?” Every time I have a physician say to me “Dr. Jones does it this way and has never had a problem,” I remind them that Dr. Jones’ day is coming. It is not a matter of if you get audited, it’s simply a matter of when.
- When in doubt, ask for help – If you have a compliance plan in place but not sure if it is the right fit for your organization, get help. If you do not know where to begin regarding a compliance plan, contact a reputable compliance expert. Currently I serve for a number of health care organizations across the country of all sizes as their third-party compliance consultant and am always happy to assist.
What to do next…
- If you need help with an audit appeal or regulatory compliance concern, contact us at (800) 635-4040 or via email at email@example.com.
- Read more about our: Total Compliance Solution
Why do thousands of providers trust DoctorsManagement to help improve their compliance programs and the health of their business?
Experienced compliance professionals. Our compliance services are structured by a chief compliance officer and supported by a team that includes physicians, attorneys and a team of experienced auditors. The team has many decades of combined experience helping protect the interests of physicians and the organizations they serve.
Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credentials.
Proprietary risk-assessment technology – our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.
Synergy – DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today’s healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.