The 7 elements come from the US Sentencing Commission Guidelines (Commission). See http://www.ussc.gov/Guidelines/2010_guidelines/index.cfm. The commission stated that organizations potentially subject to criminal sanctions would be given “credit” against model sentencing terms if the organization had a compliance program.
The OIG has taken on the concepts of compliance programs and now encourages voluntary compliance. HHS Inspector General (IG) June Gibbs Brown stated that given the size and scope of healthcare that voluntary compliance was the only hope that the programs had to truly reduce fraud, waste, and abuse.
In the CPG issued by the OIG (third party billing companies  and to individual physicians and small group practices ), the agency established the 7 elements of a corporate compliance program (Table 83-2).
The PPACA requirements will substantially utilize the OIG's 7 elements. ED groups (and their counsel) should continually consult to these requirements when developing and modifying their CCPs. The following section reviews the 7 elements in the context of ED groups.
Element #1: Implementing Written Standards and P&PS
These compliance standards and related P&Ps must include risk areas beyond coding and billing, including
EMTALA: The group must document its EMTALA training for providers (EDPs, NPPs, and nurses), including the P&P review and coordination with the hospital?
HIPAA privacy and security: The group must have a policy regarding the storage/removal and/or transportation of electronic protected health information (ePHI) on movable devices such as flash drives, portable hard drives, and laptops? For example, should laptops and other portable media be required to be encrypted to avoid possible disclosure under the HITECH Act? What about smart phones and tablets? Unlike laptops, many of these products have hard drives that cannot be encrypted. As such, under the HITECH regulations, these products are deemed “unsecured” and any ePHI that is lost or stolen from those devices may likely implicate HITECH Act reporting.
Equal employment opportunity (EEO) laws and regulations regarding age, race, and/or gender discrimination: The group must ensure that hiring practices are compliant with EEO standards?
Wage and hour laws and regulations, ERISA requirements for health and welfare benefit plans and worker's compensation laws: The group must ensure proper classification of “exempt” and “nonexempt” employees for proper compliance with overtime pay rules?
As previously discussed, it is essential that the ED Group demonstrates P&Ps to show effective coordination with the ED group's B/C in the areas of credit balances, refunds, and unclaimed property.
Element #2: Compliance Oversight: One Size Does Not Fit All
A 10-doctor EDP group will not be expected to have a full-time compliance officer and may instead designate one of the physicians or an administrative person in the group to serve in this function as part of their administrative duties. However, an ED group of 50 or more physicians might be expected to have a full-time chief compliance officer (CCO). Another way to think of this requirement is: A group receiving more than $10 million in Medicare/Medicaid reimbursements might be expected to have a full-time CCO. There are no bright line standards; however, ACEP and EDPMA both filed formal comments to the HHS NPRM recommending scalability and flexibility of the compliance officer function, given the tremendous variety in sizes of groups and practice structure in the HHS final rules.
For larger organizations, particularly those organized under Delaware (DE) law, CCO should report to the board of directors (BOD) or at least the audit committee of the BOD. Compliance “best practice” ensures that the CCO periodically reports beyond the operational management and directly to the BOD. This periodic report typically includes risk areas such as coding, Q/A sampling techniques, and mitigation techniques (eg, specific coder education and retraining). An effective CCP along with periodic reporting by the CCO to the BOD may mitigate potential director and officer (D&O) liability for noncompliance (under the In Re: Caremark 698 A. 2d 959 [Del. Ch. 1996] decision). In this case, the court found that the BOD had met their fiduciary duties and appropriately monitored company actions by having routine reports to the BOD.
Element #3: Education and Training/Retraining: One and Done Is Not Enough
Compliance education requires a continuing process to ensure that organizational members are continually apprised of and utilizing the newest standards. Multiple formats should be considered such as online webcasts, audio conferences, in person conferences, periodic newsletters, or e-mail alerts that scale to the organization. EDPs may attend or participate in educational sessions and presentations through their hospitals, ED groups, or their work with a state medical society, ACEP chapter or national ACEP. These programs should be documented in the ED group's “Compliance Binder.” For example, ACEP's Coding and Reimbursement Conference, certain Scientific Assembly courses and EDPMA's annual Solutions Summit offer courses that could qualify as coding and compliance training. Certain hospital meetings or training courses may qualify as effective training in the areas of HIPAA and EMTALA.
The training should be directly tailored to the general functions, in which the employees are engaged. For example, prebilling or front-end employees can be grouped in the billing function.
Given the significant amount of material and the number of laws and regulations driven by PPACA, it may be advisable to divide the training into major topics. To illustrate, HIPAA's privacy regulations and the security standards mandated by the HITECH Act naturally can be combined into one online training course. It may be particularly effective to reiterate key areas through follow-up e-mail updates and newsletters, including specific examples of breaches of PHI that has been publicized, is essential to achieving effective compliance education.
Element #4: Developing Effective Lines of Communication: “If I Sit Down in Your Office to Report the Compliance Issue, Can I Still Maintain Anonymity?”
Traditionally, reporting for compliance meant the establishment of an “800” hotline that employees could use to report compliance issues anonymously. Anonymous reporting was viewed as critical for employees to avoid possible retaliation or retribution for raising questions, particularly if they were questioning their direct manager or senior management. These hotlines still exist but do not receive the majority of the compliance reporting traffic, with the exception of human resource issues. Many companies provide wallet cards with the reporting number and instructions (Figure 83-2).
Privacy and ethics quick test.
Retaliation: The Compliance “Cancer”
The chief reason behind the anonymous reporting and hotlines of the 1990s were again the concern over retaliation and retribution. Retaliation by management against employees for reporting compliance issues can intimidate employees and prevent the reporting necessary to have an effective compliance program. Though managers may ask first who raised the issues, it is critical that CCO or person serving in the compliance function maintain the anonymity of the person reporting to greatest extent possible, if requested. The CCO should clearly communicate that all questions, concerns, and issues should be raised, including HR issues. These issues will then be triaged appropriately with necessary inquiry or investigation.
Blanket guarantees of confidentiality to the reporting employee should be avoided. When a major compliance inquiry begins, divulging the employees name and information may be required. For example, in the course of an internal inquiry or an OIG self-disclosure and inquiry by the OIG, it is possible that the entity's counsel or OIG attorneys will request to speak directly to the person who raised the compliance issue. Therefore, it is recommended that the employee reporting the issue be told that confidentiality will be maintained to the greatest extent possible but will not be guaranteed throughout the process.
In any ED group and particularly those in multiple offices or states, the “failure to report” should be addressed in the organization's P&P. Reporting must be mandatory and the failure to report considered a serious potential policy violation with corrective action or progressive discipline to the employee. To illustrate, in certain healthcare organizations, operations managers certify to the CCO or compliance function on a quarterly or biannual basis that they have identified and forwarded all material compliance issues to the attention of the CCO or compliance function. Another strategy is to incorporate fulfillment of compliance responsibilities into the manager's and employee's annual performance appraisals.
Element #5: Internal Monitoring and Auditing: Data Is King
Given the high proportion and number of governmental payor claims in the ED and the FCA penalties, including multiplier effects, the ED coding QA policies and procedures are crucial to an effective CCP. The ability to capture the coding QA data is essential even in a mid-sized ED group. The following issues and considerations should be defined in the group's internal QA and for those providing the coding and billing, whether the hospital or independent third party B/C:
How will claims or records be selected for the QA process? There must be a random selection process and an adequate sample size to ensure the coding accuracy rate within a defined margin of error.
Random selection can be achieved using low-tech methods such as selecting a day of the week, the clients, and the coders to audit by using random number generator software (such as the OIG RAT-STATs) to randomly select accounts or records to review. While there are many “random number generator” software packages available, the OIG's program is freely downloadable from the OIG website.
Capturing the regular coding QA results in an appropriate data base for internal and external reporting is essential. Table 83-3 shows an issue specific Q/A report used to conduct specific documentation reviews related to specific documentation and coding issues, such as ECGs or laceration repairs. Errors are identified, claims refunded, and rebilled and corrective action and education taken with the coders.
Table 83-3 Example of a Documentation Review |Favorite Table|Download (.pdf)
Table 83-3 Example of a Documentation Review
Total Coders/ Clients Reviewed
Total Charts Reviewed
Review of EKG s and LCDs where applicable
Review of laceration repair billing and documentation
Coder A: client 1
Wrong CPT code used, lac repair billed
when sutures not done in ED
Coder B - client 2
Wrong lac repair code used. Dermabond coded for Medicare
Coder C - client 3
Wrong CPT code used: coded for wrong location on body
Coder D - client 4
Wrong CPT code used: No lac repair done
Coder E - client 5
Dermabond coded for Medicare
Coder F - client 6
Wrong CPT code used: coded for wrong location on body, wrong code used for length specified
Coder G - client 7
Wrong lac repair codes used: used wrong size of wound for CPT selection. Also coded wound repair when should have billed for excision
Coder H - client 8
Wrong lac repair codes used: simple
when should be intermediate or complex. Also should have separated lac repairs when two done in same location but different level of closure performed
Coder I - client 9
Wrong lac repair codes used: simple when should be intermediate or complex. Also wrong location used for CPT selection
Review of I & D Billing and Documentation
Coder J - client 10
Billed 10060 when should have billed 10061.
Coder K - client 11
No I & D performed: CPT error
Coder L - client 12
No drainage on I & D—missed Modifier 52. Also billed 10060 when should be 10061—vessel loop placed for drainage
Coder M - client 13
Billed 10060 when should have billed 10061. Packing and/or multiple sites.
Coder N - client 14
No drainage on I & D—missed Modifier 52.
In this example, one of the risk areas for ED coding (eg, laceration repair [LAC] coding) is selected for focused coder and client review. The LAC codes are entered into the billing application and the universe of potential accounts is selected for a given month; similar coder focused reviews can be done in the risk areas of PATH and NPP coding and billing. Coder and client note coding errors and then corrective action is taken with the coders regarding the specific errors found. Once the data is in a reportable data base, internal management and client reports can be provided showing how specific issues such as PATH, NPP, or I&Ds were analyzed and additional education and training resulted from that focused review.
It is also important that the database reflects that corrective action was initiated for each of the miscoded or wrongly coded claims, particularly with governmental payors. If the regular coder QA revealed claims that had been coded at 99284 that should have been coded at 99283, then it is important that the full refund be made to the governmental payor. To avoid being denied as a duplicate claim, a full refund should be made and then the claim rebilled to that payor provided that the timely filing period has not expired. As discussed previously, the timeliness of the refund process is essential as well. Once the coding QA function determines that the case was wrongly coded, the 60-day clock to repay the governmental payor begins to run. The refund form used for each Medicare administrative contractor (MAC) is usually available on the MAC website and must be used when issuing the refund to Medicare (Figure 83-3).
Example of CMS Medicare overpayment form.
Element #6: Enforcement and Discipline
Enforcement of written compliance P&Ps is essential. In fact, OIG and DOJ officials have stated publicly that the organization's failure to follow their own internal P&P can be viewed by the government as evidence of “intent” to defraud the government. Recall that the penalties under the FCA rise from the minimum $5500 per claim to as much as $11,000 per claim if the government believes that the provider's conduct was intentional. So if an organization states that it will make appropriate inquiry or investigation of internal compliance issues, the organization should do so and document all stages of the inquiry including reference to the internal P&P that may have been violated.
Enforcement and discipline may arise in several key areas of the ED group's P&P. For example, assume an employee or provider fails to report material compliance issues and the hospital or a third party audits the group. Management decisions, including failure to report and the disciplinary action, if any, will be closely scrutinized by the auditing organization. Since essentially all healthcare organizations have a policy prohibiting retaliation and retribution against employees, any manager that retaliates against an employee for bringing compliance issues forward should be addressed as a most serious violation of P&P.
The difficulty occurs when attempting to determine whether the employee is being properly disciplined for HR issues or is being retaliated against. The CCO, HR, and management must assess these issues. Retaliation against the employee of course may turn that person from someone who makes an “internal complaint” into a relator (OIG whistleblower). Provisions of both the FCA and EEO laws prohibit retaliation against employees for raising legitimate compliance issues.
Therefore, retaliation cannot only cause the ED group's entire CCP to be questioned but also can expose the group to additional potential liability (in addition to the FCA liability if any) under the FCA and EEO laws.
Element #7: Response and Prevention: The Importance of Corrective Action Programs
When internal compliance issues arise, many in the organization may watch to see how the entity responds and if it follows the compliance P&P. Obtaining the appropriate reimbursements for ED groups is very complex and undergoes ongoing edits, with frequent reimbursement of providers by commercial payers and health plans at incorrect contract rates. However, denials for one set of claims cannot be the basis for failure to address coding or billing issues identified for another set of claims. Instead, the response and prevention should come in the form of correction action plans or programs (CAPs).
CAPs may be small, medium, or large, covering specific issues, coders, or a major subject matter like PATH that can stretch across many coders and clients. Once the issues are identified, root cause analysis should be conducted to determine the essential facts that gave rise to the issues—the so-called “5 W's” from the newspaper business: who, what, where, when, and what length of time?
Depending on the nature of the issue, experienced healthcare counsel may be critical in advising the ED group about disclosure of the compliance issue to the government, how should the disclosure be accomplished, and to whom? The issue whether to disclose the compliance issue and the CAP to the government is critical to an effective CCP.
“Misconduct does not include inadvertent errors or mistakes. Such errors should be reported through the normal channels with the applicable carrier, intermediary or other HCFA designated payor.”
OIG's Billing Company Guidance
If the issues are systemic and require detailed analysis of claims or coding over months or years, then the ED group should consider having their counsel write a letter to the MAC. The issue may or may not be referred to the OIG or DOJ for further review.
Healthcare counsel should also assist the ED group in deciding whether or not to disclose directly to the OIG pursuant to the OIG's self-disclosure protocol (SDP). If the root cause analysis shows evidence of more than negligence and shows recklessness or deliberate ignorance, then the SDP should be considered. The following “TIPS” are quoted directly from the OIG's provider compliance training session, as part of the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiatives.