Regulatory Compliance / Compliance Plan Development and Implementation
An effective compliance plan is a living, breathing document. In order to be effective, it must become an integral part of your organization. It cannot simply lie dormant until an auditor shows up or a violation occurs. Rather, through the active application of the plan’s policies and procedures on a daily basis, active compliance can be achieved. This will streamline your organization’s business operations, reduce the likelihood of statutory violations, help to mitigate any damages resulting from a breach, and serve as evidence that your organization is doing its best to fully comply with applicable rules and regulations. When compliance begins to be a part of the daily culture of your organization, you will achieve the maximum results and rewards. Should you choose to retain Liles Parker to assist with your compliance needs, we will likely proceed in the fashion outlined below:
Liles Parker attorneys have the necessary background and experience to assist health care providers with the development and implementation of an effective Compliance Plan and their overall Compliance Program.
Although many of our attorneys have extensive experience assisting large provider organizations with their regulatory compliance needs, our primary focus includes individual physicians (both MDs and DOs), dentists, small to mid-sized physician group practices, home health agencies, skilled nursing facilities, durable medical equipment suppliers, ambulance providers, physical therapists, pain management clinics and behavioral health groups. Our attorneys have worked on a wide variety of internal audits, investigations, compliance and regulatory matters and cases. Additionally, we have represented providers in connection with outside reviews and investigations conducted by law enforcement, government contractors and private payors. Several examples of the specific projects completed have included:
- Handling the initial development, monitoring and subsequent revision of an effective, practice-specific Compliance Plan.
- Conducting a “Gap Analysis” of an organization’s business and operational activities, operational practices, documentation practices, coding and billing functions.
- Performing internal audits and assessments of business practices to better ensure statutory and regulatory compliance.
- Serving as outside Compliance Counsel, providing regular compliance guidance to Compliance Officers and Compliance Contacts working in a practice, clinic or organization.
- Providing guidance to entities regarding human resource issues, employee privacy, protection of company information, conflicts of interests and self-dealing.
- Providing guidance to entities regarding the self-disclosure of certain conduct to governmental agencies.
Over the last decade, Compliance Plans have become an essential part of the way health care providers conduct business. Compliance programs aimed at reducing, preventing and deterring fraudulent and improper conduct are at the forefront of the health care industry’s goals. These programs can also benefit small to mid-sized provider organizations by helping them avoid costly litigation and by streamlining their business operations. While the Federal government presents basic procedural and structural guidance for Compliance Programs, the Department of Health and Human Services, Office of Inspector General’s (HHS-OIG’s) guidelines do not represent an all-inclusive set of steps which can be readily adopted by all providers. Providers are expected to know and adhere to There is no “one size fits all” compliance program, especially when it comes to small and mid-sized provider entities.
II. Components / Elements of an Effective Compliance Program:
Regardless of the nature of the organization, it is generally recognized that there are seven main components which must be addressed when assembling an effective Compliance Plan. Once an organization’s seven components have been properly assessed, a tailored version of these issues can be assembled into a draft Compliance Plan. An organization’s “Mission Statement” and “Honor Code” are often folded into the draft Compliance Plan. Any previously drafted written policies and procedures utilized by an office will likely need to be reviewed to ensure that the directives outlined are fully consistent with the newly assembled Compliance Plan. An office’s safety manual, including materials mandated by the Occupational Safety and Health Administration (OSHA), will also be reviewed to help ensure that the information contained therein is both complete and accurate. Collectively, these documents, reference manuals and other materials (including the organization’s Compliance Plan), along with a provider’s in-house training program, constitute an office’s overall “Compliance Program.”
III. Benefits of an Effective Compliance Plan:
Virtually all health care providers can realize tangible, lasting benefits by implementing an effective Compliance Program. These benefits include, but are not limited to:
(1) Proactive approach. Your organization’s adherence to the provisions of an effective Compliance Plan is a proactive way to make sure that your company is meeting all of its statutory and regulatory obligations.
(2) Evidence of a good faith effort to follow the rules. The existence of, and adherence to, an effective Compliance Plan serves as evidence of a good faith effort to comply with applicable laws and regulations.
(3) Sentencing guidelines. Should the government ultimately choose to pursue criminal charges against you or your organization, your use of an effective Compliance Plan will be favorably credited under the points system set out under the Federal Sentencing Guidelines.
When evaluating a practice and developing an appropriate Compliance Program, we are sometimes asked — “Is there a downside to having a Compliance Plan in place?” To be clear, the establishment of a Compliance Plan invariably puts a provider on “notice” of what the rules actually entail. As a result, a provider’s failure to adhere to the plan’s provisions and / or a provider’s lack of follow-through on an issue can subject a provider to liability. As Robert W. Liles, the Firm’s Managing Partner, regularly advises providers — “The only thing worse than not having an effective Compliance Plan in place, is having a Plan and not following its provisions.” In such a situation, the risk areas identified in your Plan will essentially serve as a “roadmap” of possible statutory breaches to be examined by HHS-OIG investigators, FBI agents, and Federal and State prosecutors. Therefore, it is imperative that your organization comply with and diligently follow through on all aspects of your Compliance Plan. As HHS-OIG has noted, an effective Compliance Plan can:
• Speed and optimize the proper payment of claims.
• Minimize billing mistakes.
• Reduce the chances that an audit will be conducted by CMS, its contractors or HHS-OIG.
• Avoid conflicts with the Stark laws (which prohibit improper self-referrals) and the Federal Anti-Kickback statute.
IV. The Anticipated Impact of a Compliance Plan on Patient Care:
The incorporation of compliance measures into a health care organization’s everyday business practices will likely augment, rather than adversely impact, patient care. Regardless of the nature of your provider organization, “quality patient care” likely remains at the top of your list of goals to be achieved. Overall, our clients have generally found that their organization’s focus on patient care has been enhanced by the development, implementation and adherence to the provisions set out in an organization’s Compliance Plan. For example, the quality and completeness of documentation included in your patients’ medical records often significantly improves as clinicians refamiliarize themselves with the rules required by Medicare and its contractors. Additionally, an effective Compliance Plan may also reduce the likelihood that erroneous or fraudulent claims are being submitted to the government for payment. Finally, your commitment to the rules and your diligence in following through on any changes needed will serve to highlight the fact that your organization is making good faith efforts to comply with the law. Your documentation of these remedial efforts will likely prove beneficial if the organization is subjected to a government audit or investigation.
Just how “effective” will a Compliance Plan be in terms of its ability to prevent regulatory / statutory lapses by a provider? No one is perfect, despite their best efforts at complying with applicable rules and regulations. Unfortunately, not even the best Compliance Plans are 100% effective in keeping a provider on track. Rather than think of a Compliance Plan as a panacea, it would be more accurate to think of an effective Compliance Plan as analogous to a “flu shot.” As such, it is preventative in nature. When you take a flu shot, there is still a possibility that you will come down with the flu. Nevertheless, even if you do contract the flu, it will hopefully be less serious than it might otherwise have been. Compliance Plans can help in preventing possible future problems from ever occurring, if they are developed, implemented and actively embraced by the organization and its staff. The adoption of such a program also lets employees know that the organization does not tolerate fraud, waste or abuse, and requires every employee to take steps to ensure their business conduct is proper.
V. Developing an Effective Compliance Plan — The Performance of a “Gap Analysis”:
“Gap analyses” are routinely used in practically every industry to assist Compliance Officers and others in identifying corrective actions that need to be taken in order to bring an entity to an acceptable baseline of compliant operations. While there are various ways to conduct a gap analysis of a provider’s business practices, documentation, coding and billing activities, we recommend that the analysis be conducted by qualified health lawyers and claims analysts. While many portions of a gap analysis may be conducted by the affected provider, it has been our experience that many small and mid-sized providers do not have the time and / or trained staff to properly complete such a review. Once a baseline assessment of an organization’s operations and business activities is completed, the next step would be for our claims review staff to work through each area and determine whether the activities fully comply with applicable regulatory, legal and ethical requirements. As you will find, the process of performing a gap analysis can serve as an excellent measurement tool for determining the extent to which a provider’s actions fully track applicable documentation requirements, medical necessity guidelines, and coding and billing mandates identified by the Centers for Medicare and Medicaid Services (CMS) and its contractors (typically in the form of Local Coverage Determination (LCD) provisions). Once the various legal, statutory and regulatory “measuring sticks” applicable to the services provided are examined, your current practices may be appropriately assessed. It is essential that any deficiencies identified are remedied and any overpayments noted are promptly returned within 60 days of identification and reconciliation.
VI. Seven Elements to Include in any Compliance Plan, Regardless of the Size of the Provider Organization:
Since 1998, HHS-OIG has diligently worked to analyze the different, and often unique, business models of various health care provider practices, groups and organizations, ranging from third-party billing companies to ambulance suppliers. Since initiating these reviews, HHS-OIG has published “Compliance Program Guidance” covering the following provider types:
“OIG Compliance Program Guidance for Clinical Laboratories” (Published in the Federal Register, 1998)
“OIG Compliance Program Guidance for Home Health Agencies” (Published in the Federal Register, 1998)
“OIG Compliance Program Guidance for Hospitals” (Published in the Federal Register, 1998)
“OIG Compliance Program Guidance for Third-Party Medical Billing Companies” (Published in the Federal Register, 1998)
“OIG Compliance Program Guidance for Hospices” (Published in the Federal Register, 1999)
“OIG Compliance Program Guidance for Durable Medical Equipment, Prosthetics, Orthotics” (Published in the Federal Register, 1999)
“OIG Compliance Program Guidance for Small Group Physician Practices” (Published in the Federal Register, 2000)
“OIG Compliance Program Guidance for Nursing Facilities” (Published in the Federal Register, 2000)
“OIG Compliance Program Guidance for Ambulance Suppliers” (Published in the Federal Register, 2003)
“OIG Compliance Program Guidance for Pharmaceutical Manufacturers” (Published in the Federal Register, 2003)
“OIG Supplemental Compliance Program Guidance for Hospitals” (Published in the Federal Register, 2005)
“OIG Compliance Program Guidance for Nursing Facilities” (Published in the Federal Register, 2008)
These guides serve as an invaluable resource for providers when assembling an effective Compliance Plan and identifying general operational, coverage, coding and billing “risks” which must be assessed. Nevertheless, HHS-OIG expects providers to supplement these provisions with provider-specific risks identified during the gap analysis initially conducted. To be clear, “one size does not fit all.” Working closely with our clients, we will work to identify and address each of the general and provider-specific risks currently faced by a provider. As each of these various Compliance Program issuances published by HHS-OIG reflects, the government expects all providers to appropriately modify a version of the seven elements outlined below. Together, these seven elements can be used to develop and implement a fully functioning, effective Compliance Plan. The seven elements consistently cited by HHS-OIG include:
1. Conducting internal monitoring and auditing through the performance of periodic audits;
2. Implementing compliance and organizational standards through the development of written standards and procedures;
3. Designating a Compliance Officer or Compliance Contact(s) to monitor compliance efforts and enforce provider standards;
4. Conducting appropriate training and education on provider standards and procedures;
5. Responding appropriately to detected violations through the investigation of allegations and the disclosure of incidents to appropriate
6. Developing open lines of communication, such as:
(1) discussions at staff meetings regarding how to avoid erroneous or fraudulent conduct, and
(2) community bulletin boards to keep organization employees updated regarding compliance activities; and
7. Enforcing disciplinary standards through well-publicized guidelines.
Importantly, as we assess your organization and work to develop and implement an effective Compliance Plan, we will diligently work to address each and every aspect of these seven components. Over the years, we have found that a tailored version of each of these seven elements can be crafted and individualized to address the unique risks presented. When crafting an individualized Compliance Plan for your practice or organization, we will adjust the plan, taking into consideration the size of the organization (in terms of the number of staff, the number of locations and the breadth of health care related services provided). An organization’s resources, the nature of care provided, the general risks, and an organization’s provider-specific “risks” must be carefully considered when drafting a provider’s Compliance Plan. These steps must also be taken when updating an existing Compliance Plan. HHS-OIG has readily recognized the concept of “scalability” when creating, modifying and / or applying a plan. While the government does not expect smaller providers to develop and adhere to highly complex, resource-heavy plans, they are expected to incorporate basic versions of each of the seven components in a way which effectively applies a scaled-down version of these concepts, reflective of the fact that staffing, space and financial resources are likely limited. In a small to mid-sized group practice, the Compliance Officer is typically required to assume a number of other duties and responsibilities. In contrast, larger organizations may be significantly more complex, thereby requiring that the organization develop and adopt a more comprehensive set of compliance provisions and safeguards.
VII. Steps for Implementing an Effective Compliance Program:
Step One: Auditing and Monitoring
A successful compliance review initiative begins with an ongoing evaluation process. Compliance Officers must look critically at their organizations. The evaluation process we employ is two-pronged — not only should the provider’s policies and procedures be evaluated to ensure accuracy and relevance, but the actual practices derived from those policies and procedures must also be considered. Are employees properly carrying out their compliance duties and responsibilities? Recurring and regular internal audits will give a provider an ongoing opportunity to assess statutory and regulatory compliance. “Risks” can be categorized into two silos. A provider’s business operations and practices would be examined and listed in the first silo. The second silo would include a detailed claims review, covering not merely medical necessity and documentation but also the provider’s coding and billing practices. Prior to conducting a self-audit, providers should discuss the review with their health attorney to better ensure that the audit is properly handled.
Step Two: Standards and Procedures Review
Each organization should designate an individual (usually the Compliance Officer), to periodically review the policies and procedures of the organization and revise them if necessary. This review should consider both the current state of law (taking into account any new regulations or changes to regulations) and the completeness of the policies and procedures. If the individual determines that the policies and procedures are ineffective or outdated, these policies and procedures should be updated to reflect any necessary changes in applicable statutes and regulations. A Compliance Plan with written policies and procedures is helpful for the operation of any organization, regardless of size, type or capability. The notion of “scalability” again comes into play, with larger providers likely developing a more comprehensive set of policies and procedures than those adopted by small providers.
Written policies are arguably one of the most important elements to an effective Compliance Plan. The implementation and enforcement of a standardized set of policies and procedures will assist a provider in establishing a firm internal control on risk areas which may otherwise result in fraud or billing errors.
As we develop your provider-specific plan, we will create a tailored resource manual of claims-specific guidance issued by both public and governmental sources. Readily available information would include relevant statutes, regulations and medical guidance covering the specific services performed by a provider. The manual will contain written policies and procedures, important statutory information (such as copies of the False Claims Act, Anti-Kickback Statute and Stark laws), claims-specific CMS directives and guidance, Medicare contractor coverage guidance (NCDs, LCDs and LMRPs) applicable to the services you are providing, and other relevant information published by HHS-OIG (such as “Special Fraud Alerts” and “Advisory Opinions”). In most cases, we recommend that manuals be researched and updated at least twice a year to ensure that all regulatory and statutory references and requirements are current and applicable to the services you are providing. Significant changes must immediately be communicated to your staff. Additionally, all employees should be advised where a current copy of the Compliance Plan is located and can be reviewed. Finally, as part of their training and orientation, new employees should be educated on the provider’s policies and procedures, along with their commitment and obligation to follow the rules.
In order to best develop a comprehensive and relevant set of policies and procedures, a provider should consider the various weaknesses and potential areas of regulatory exposure inherent in its areas of practice. As a start, review the types of cases brought against providers working in the same or similar areas of practice. Each of these problem areas should be incorporated into your list of “risk areas.” In doing so, you will hopefully be positioned to readily recognize (and avoid) violations of the law and instances of waste and / or abuse which have plagued other providers in your industry. Importantly, there are two types of risk which should be examined. These types include:
- Industry-wide “risks.”
- Provider-specific “risks.”
As discussed above, industry risk areas are those typically faced by providers working in the same or similar areas of practice. While the vast majority of risks faced by your practice will likely fall within this category, it is important to keep in mind that no two practices are exactly alike. As a result, you will likely have a number of practice-specific risks that no other provider faces. These risks may be related to unique business arrangements you are involved in or could be a result of your unique patient mix. In any event, your goal is to identify any and all risks faced by your organization. Once identified, these risks should be folded into your compliance plan.
Once all of your risks have been identified, it usually makes the most sense to first address your areas of greatest vulnerability. While the specific areas of risk typically encountered by various provider types will be discussed in a later session, there are four major risk areas affecting almost all health care providers. These risk areas include:
- Coding, billing and claims submission;
- Reasonable and medically necessary services;
- Documentation; and
- Business relationships (such as improper inducements, kickbacks and self-referrals).
Your organization’s policies and procedures should also include guidance covering the proper storage and retention of medical, business and compliance-related records. This includes establishing guidelines on creation, distribution, storage and destruction of records (particularly medical records). Pay particular attention to HIPAA privacy requirements when establishing these protocols. Medical record retention is especially important, due to both actual health care needs and possible audits and investigations for which this documentation will support the provider’s billing. For business and compliance records, such as financial statements or employee training dates, you may want to keep a binder of the relevant information for easy access. The compliance documents you may want to retain include records related to educational activities, internal investigations and internal audit results.
You should also document your entity’s efforts to comply with applicable Federal health care program requirements. For instance, if your office requests guidance from your Medicare administrative contractor (MAC) on the issue of records retention, you should keep all records related to your request and any written or verbal responses from the MAC, or a record that no response was given. Should the MAC respond with additional guidance or clarification, you should document how your office is modifying its approach to the provision of services and when those changes go into effect. This is important if your organization intends to rely on these responses for future decision making or billing purposes. In short, it is in the provider’s best interest, regardless of size, to have procedures in place related to document retention. The following record retention guidelines may be helpful:
- Your policies should outline the amount of time each type of record should be retained (Federal and state statutes (generally set at six years, or six years from the date of majority for minors) should be consulted for specific time frames, if applicable);
- Medical records (if in the possession of the provider) should be secured against loss, destruction, unauthorized access or reproduction, corruption, or damage; and
- Policies and procedures should indicate the proper disposition of records should the entity be closed or sold.
Step Three: Designation of a Compliance Officer
Before completing any audits or identifying risk areas, a member of the staff should be designated to serve as Compliance Officer. In this capacity, the practice’s Compliance Officer will be responsible for all compliance-related activities, including developing a corrective action plan and enforcing adherence as necessary. In a typical institutional provider’s compliance program, there is a full-time Compliance Officer responsible for overseeing the implementation, establishment and enforcement of the Compliance Program. However, in a smaller organization, resources may be so constrained that an Office Manager or other employee may be asked to take on the duties of Compliance Officer, as well. In most small to mid-sized practices, the individual assigned to serve as Compliance Officer is responsible for:
- Overseeing and monitoring the implementation of the compliance program;
- Establishing methods, such as audits, to improve the practice’s efficiency and quality and to reduce the practice’s vulnerability and exposure to fraud, waste and abuse;
- Periodically revising the Compliance Program after reviewing changes or additions to law, needs of the practice, and requirements of Federal and private payors;
- Developing, coordinating and leading a training program focused on the components, activities and goals of the practice, and ensuring that training materials are appropriate and readily available;
- Screening new and existing employees and independent contractors against Federal exclusion databases to ensure they are authorized to participate in activities involving Federal health care programs;
- Investigating reports and allegations regarding possible unethical or inappropriate business practices;
- Monitoring subsequent corrective action and/or compliance.
Working with you, our team of Compliance attorneys and staff will assess your specific needs and vulnerabilities so that a tailored Compliance Program can be established.
Step Four: Conducting Appropriate Training and Education
Education and training, tailored to the size, needs and specialty of your particular practice, will be critical to the success of your Compliance Program. A provider’s employees must understand how and why it is essential that they fully comply with the provisions set out in your Compliance Plan. There are three basic steps for setting up a training regimen:
- Determining who needs training, and in what areas (e.g. coding and billing or documentation requirements);
- Determining the best types of training for the organization’s needs (e.g. seminars, in-service training, or other programs); and
- Determining when and how often training is needed and how much training each employee should receive.
Training may be accomplished through several methods, including on-site training, compliance meetings and outside training seminars. Any changes to the plan should be promptly announced and routed through your staff or placed on a centrally placed bulletin board. Regardless of the training method used, a provider should make sure that appropriate education is effectively communicated and that employees understand their role in health care compliance.
General Compliance Training
Compliance training is designed to educate employees regarding their obligation to follow the law and to immediately notify management of any possible ethical or regulatory breaches. Training will also emphasize the fact that violations of the provider’s Compliance Program may subject the employee to disciplinary measures, up to and including termination. New employees should be trained as soon as possible after their starting date. All employees should receive training at least on an annual basis (and more often if necessary). Additional points to be covered include:
- The importance of the Compliance Program and how it operates;
- The consequences, both for the organization and an individual employee, of violating the policies and procedures set forth in the provider’s Compliance Plan; and
- The role of each employee in the proper functioning of an effective Compliance Program.
Coding and Billing Training
Coding and billing training may also be necessary if your staff includes medical coders and billers. In many instances, a billing provider may conduct his or her coding independently, and as such, should be trained on proper coding levels and other guidance. If the provider employs coders or billers, they too should be trained on proper procedure. Additionally, if your organization uses a third-party billing company, be sure to ask whether they conduct training on billing and coding issues as well. It is in the provider’s best interest to ensure that employees or business associates who are directly involved with billing receive extensive training specific to the organization’s specialty and risk areas. Examples of items that could be covered in coding and billing training include:
- Coding requirements;
- Claim development and submission processes;
- Signing a form for a billing provider without the provider’s authorization;
- Proper documentation of services rendered;
- Proper billing policies and procedures and submission of accurate bills for all services or items rendered; and
- The legal sanctions for submitting deliberately false claims or recklessly billing.
Format of the Training Program
Training may be conducted either in-house or by a third-party, such as a consultant or attorney. Instead of utilizing internal programs and in-service sessions, outside seminars may be useful for training purposes.
If the provider uses a third-party billing company, you should ensure that documentation is complete so that claims submitted on the organization’s behalf are fully supported. If not, these areas should be covered in training. In addition to training, you should purchase and maintain current reference sources for your coders and billers, including CPT, ICD-9 or 10 and HCPCS code books (in addition to interpretations of those manuals by your Medicare Administrative Contractor) and make them available to both clinicians and other staff involved in the coding and billing processes. All seminars and in-service training sessions should be designed to integrate core provider values, such as ethics, the organization’s “Mission Statement,” compliance protocols and goals, into their curriculum.
At a minimum, employees should be trained annually on billing, coding, and compliance guidance. However, there is no formula for determining how often to conduct training. This should be based on the provider’s practical experience and overall employee compliance with policies and procedures. Should you find that violations are occurring, more frequent training should be conducted.
Step Five: Responding To Detected Offenses and Developing Corrective Action Initiatives
The next step in the development process involves the drafting of a “Corrective Action Plan.” Violations of the Compliance Plan or underlying Federal or State law threaten the provider’s reputation and expose it to potential audits, investigations and penalties. Consequently, when receiving reports or indications of likely non-compliance, it is the duty of the Compliance Officer to investigate the allegation and determine what, if any, violations have occurred. The Compliance Officer must then work to resolve the problem and take other action as appropriate. If a serious violation is identified, possible steps may include a corrective action plan, the return of any overpayments, disclosure to Federal payors and/or referral to law enforcement authorities. However, before taking any of these steps, consult your legal counsel for advice and guidance on the appropriate action to take. In any regard, you should ensure that the rights of your organization, and the employees, are protected.
Your organization may develop its own set of warning signs — including changes to the number or type of claims denials, or patient complaints about billing. However, policy non-compliance should be determined on a case-by-case basis. An organization should seek advice from its legal counsel to determine the extent of the entity’s liability and to plan an appropriate course of action.
For potential criminal violations, an entity may want to include procedures for referral or disclosure to the appropriate authorities (often discussing the circumstances with legal counsel). For mere overpayments, the organization should have procedures for identification and remittance of improper payments.
The Compliance Plan should include procedures for an investigation of all reports of detected violations. A provider cannot ignore possible fraudulent activity. In fact, this undermines the very purpose of the compliance program. Moreover, your policies and procedures should have protocols to ensure that repeat or compounded violations do not occur. This may include employee retraining or termination, or other appropriate responses to detected risk areas. Should a violation occur and it is not detected promptly through the policies and procedures of the Compliance Plan, you should modify the plan accordingly. You may consider what flaws in the plan missed the violation or why the violation occurred in the first place. Regardless of rationale, it is important to review and update your compliance plan periodically.
Step Six: Developing Open Lines of Communication
Providers must maintain open lines of communication. This will help prevent communication mix-ups and may help explain how mistakes occurred in the first place. Because each employee is involved in the achievement and ongoing maintenance of a successful compliance program, regular and recurring communication with your staff regarding the goals, requirements and expectations of your organization’s compliance plan is required.
Communication may be maintained through several standards, including e-mail messages, bulletin board postings, daily and/or weekly staff meetings and educational sessions. In addition to these mechanisms, it is essential that your staff know that your Compliance Officer maintains an “open door” policy for any employee to meet and discuss possible compliance concerns. You may also find that an anonymous tip line will foster the reporting of concerns by your staff, especially if your Compliance Officer is new or not yet accepted by your staff. This “open door” policy approach towards the reporting of concerns should be expanded to include communications between your organization and outsiders (including, but not limited to patients, your outside billing company, the public, vendors, and others).
A system for meaningful and open communication should include the following tenets or practices:
- Employees should be reminded that they have an obligation to report any conduct that a reasonable person would, in good faith, believe is erroneous or fraudulent;
- The creation of a user-friendly process (such as an anonymous hotline or drop box) for effectively reporting suspected activities;
- The development of procedures to promptly process reports of erroneous or fraudulent conduct;
- If a third-party billing company is used by your practice or organization, you should ensure that there is open and recurring communication between your company and the Compliance Officer or Compliance Contact at the billing company. These contacts between the organizations should cover possible concerns, teamwork on internal audits, training needs or modifications, changes to applicable law and other operational or compliance matters;
- The utilization of anonymous reporting methods, such as hotlines or suggestion boxes, which allow employees to report on suspected improper activity. Employees should feel comfortable in bringing concerns and/or problems to your attention. Keep in mind, if they don’t feel like they can talk with you, they will report problems somewhere else; and
- Provisions in your policies and procedures which make it abundantly clear that your organization will not retaliate or adversely treat an employee who reports suspected erroneous or fraudulent activities to you in good faith.
Protecting anonymity may not always be feasible. However, all employees should know who to contact in compliance matters and should be able to report compliance issues without fear of retribution. While your practice should strive to protect the anonymity of a reporting employee, you also need to stress that at some point in the enforcement and/or correction process it may be necessary to disclose information regarding how this issue became known and the steps that were taken to correct the deficiency. Unfortunately, there may be a point where it is impossible to protect an employee’s identity any further.
Step Seven: Enforcing Disciplinary Standards through Well-Publicized Guidelines
Finally, employees must understand the consequences of non-compliance with the organization’s policies and procedures. An effective compliance plan includes procedures for enforcing and disciplining employees who violate the provider’s policies. Provisions for enforcement and discipline are necessary to add credibility and reliability to the Compliance Program.
Disciplinary mechanisms must be consistently and appropriately enforced. At the same time, the organization’s disciplinary procedures should be flexible enough to allow for mitigating or aggravating circumstances. The procedures might also require that individuals who fail to report violations or actively cover up violations of the compliance plan be subject to discipline. Disciplinary actions taken might include:
- Warnings (oral);
- Reprimands (written);
- Temporary suspension;
- Restitution of damages; and
- Referral for criminal prosecution.
These disciplinary actions should be promulgated to employees and included in training sessions both for new employees and annual training. As Compliance Officer, you should record any findings of non-compliance by documenting:
- The date of an incident;
- The name of the reporting party;
- The name of the person responsible for taking the non-compliant action;
- Any follow-up or remedial action(s) taken to correct the non-compliant action or behavior;
- Any training which may be necessary to prevent this non-compliant action from happening again; and
- An assessment of whether this issue should be added to your organization’s list of practice-specific risk areas in the provider’s Compliance Plan.
The steps above set out a typical approach used when setting up a small to mid-sized provider’s Compliance Plan. As the outline reflects, each of the seven elements repeatedly cited by HHS-OIG as necessary for a plan to be effective has been addressed. Ultimately, it is up to each specific provider to decide both the manner and the extent to which they will choose to implement these compliance measures. Liles Parker attorneys and staff have extensive experience developing effective Compliance Plans and broader Compliance Programs. Should you have questions regarding your practice’s compliance needs, please feel free to call us for a complimentary initial consultation. We can be reached at: 1 (800) 475-1906.
While compliance plans have generally been “voluntary” in the past, in light of recent legislative changes, the development and implementation of an effective compliance plan will likely be a condition of participation in the future. Various components of an effective compliance plan are already required of some health care providers (such as nursing homes). Moreover, in at least one state (New York), all Medicaid providers are now required to have an effective compliance plan in place. The writing is on the wall – compliance is no longer voluntary – it is mandatory.
 RAT-STATS, a simple computer program, is used by Federal agencies and Medicare/Medicaid contractors to develop statistically relevant random samples. You should utilize the same software for internal audits. It is available free at: http://oig.hhs.gov/organization/oas/ratstats.asp