Basic Compliance Policies and Procedures

Basic Compliance Policies

(January 5, 2016): Now that you have appointed an individual to be responsible for the compliance program and created a compliance committee to help the compliance officer, the focus should turn to basic compliance policies and procedures. If an effective compliance program is like a house with a solid roof to protect the inhabitants from bad weather, policies and procedures function as the studs and support structure. Like walls, policies and procedures establish the outlines of a program, delineating areas of focus. Another way of looking at this is that the basic policies and procedures serve as the constitution of your compliance program. Accordingly, every compliance program should have certain policies at a minimum. The most important ones are (in no particular order):

1. Code of Conduct. This is the basic commitment to comply with federal, state and local applicable rules and regulations applicable to healthcare and your practice. The importance of this policy cannot be overstated. To put it very simply, this policy must say you will not lie, cheat or steal.

2. Appointment of a compliance officer and description of duties and powers. If the compliance officer is like the president, then this policy describes what executive powers that individual has.

3. Ineligible persons and sanctions screening. This policy state that you will not employ, contract with, accept referrals or prescriptions from, or make referrals to individuals or entities that are sanctioned, excluded or debarred from federal and state health care programs.

4. Licensure status. Like the ineligible persons policy, this policy should address which individuals must maintain licensure and state that the practice will not employ, contract with, accept referrals or prescriptions from, or make referrals to individuals and entities that are not properly licensed. The policy should also indicate how you will verify licensure status and what actions will be taken if you cannot validate proper licensure status.

5. Hotlines and reporting methods for employees, patients and others. This policy should clearly establish how individuals can report concerns and ask questions or request guidance. A key component must be a statement that the reporter may remain anonymous and will not face retaliation for good faith reports.

6. Document internal corrective actions taken. This policy should outline the general steps that will be taken to investigate a report of possible problems. The policy should include direction for how to document the results of the investigation and what, if any, corrective actions were required and implemented.

7. Training.  We all know how much the rules and regulations in health care are changing. This policy should indicate how you will be training staff, general topics, frequency of training, and how you will document completion of the training. This policy should also include the repercussions for failure to complete the training as required.

8. Internal auditing and monitoring. This policy should outline your process for conducting audits. If you are billing any insurer, whether federal OR private, you should be conducting audits routinely. Identify what the risk areas are for your practice. The risk areas could be related to particular services, CPT codes, or a particular insurer. As with the Investigations policy, this policy should also detail what actions you will take in response to results that reveal a possible issue.

9. Conflicts of interest. It is not possible to eliminate potential conflicts of interest unless you live on a desert island, isolated from contact with the rest of the world. Accordingly, the first step is identify possible conflicts of interest (for example, family or business relationships, outside employment, ownership interests, etc.). The policy should require that all potential conflicts of interest be disclosed. Once disclosed, the policy should provide a method for addressing the potential conflict of interest. Some conflicts of interest are so significant or impact the practice in such a way that the underlying situation must be unwound. For example, a contract might have to be terminated or a relationship ended. Other conflicts of interest can be managed. Again, the policy should provide for documentation of the disclosure and what actions are taken to end or manage the conflict of interest.

10. Waivers of copayments and deductibles, discounts, charity care, and beneficiary inducement. One of the fastest ways to get in trouble is to inconsistently apply and collect copayments and deductibles or offer discounts, as insurers will take the position that this is an improper beneficiary inducement of the federal and state anti-kickback laws. There are ways to provide free or discounted care, but it must be done thoughtfully and following established procedures. In addition, this is a key area to develop documentation demonstrating adherence to the requirements.

11. Returning overpayments. Since audits are likely to result in overpayments, you must commit to promptly returning any identified overpayments. A good place to start are the Medicare policy manuals, particularly those of the Medicare Administrative Contractor (MAC). Likewise, private insurers often have policies on refunding overpayments. Don’t forget that the Affordable Care Act requires that Medicare and Medicaid overpayments be returned within 60 days from the identification of the overpayment.

12. HIPAA requirements must be met. Actually, the HIPAA policies are more an entire set of policies that address compliance with the Privacy Rule, the Security Rule, and the Breach Notification Rule. I will address HIPPA policies in more detail in a future article.

13. Document retention. This policy should outline what your document retention and destruction policy and procedures are. Not every document needs to be kept forever, and you should create retention time periods for different kinds of documents (including patient medical records). Don’t forget to include electronically maintained documents. One provision the policy absolutely must contain is a requirement that if the practice is under audit, investigation or any other form of scrutiny, that no documents relating to that matter be destroyed, including deletion of emails.

This baker’s dozen of basic compliance policies is only a starting point. A practice’s book of policies should include additional policies that address its particular needs or risks. In fact, I would be extremely worried if I walked into a practice and did not find at least half a dozen more policies specific to the practice. Also, the policies book need not be limited to compliance policies. The practice should also have HR policies, finance policies, patient care policies and OSHA policies

All policies should be reviewed on an annual basis and updated as necessary. This includes eliminating policies that are no longer appropriate or relevant and writing new ones. All policies should be written in a template that permits you to document when a policy was last reviewed and when it was last changed.

And finally, policies should not be like the recipe for Coca Cola, kept in a vault and only known to a few. All staff members should have access to and understand the policies, so a best practice is to place the policies in a binder in a common area, easily accessible by all staff members. If you have an intranet, post them on the intranet. Post them on a bulletin board in the staff break room. Make them widely available. Train on them, repeatedly. Never be in a situation where a staff member can say, “Oh, I didn’t know that was our policy!”

Next month we’ll examine exclusions and why they are so important in more depth.

Heidi Kocher, Esq. is a health law attorney with the firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.

Looking a Gift Horse in the Mouth (or how to deal with holiday gifts)

(December 8, 2015): Last month we discussed performing audits in your practice. With the winter holidays just around the corner, we are going to take a detour from our process through establishing a compliance program. November, December, January and February bring many holidays and parties. These are usually an opportunity for happiness and cheer, but they can also be present problems for physicians and practices. One of the biggest concerns at this time of year is whether to give or receive gifts. Many practices will receive gifts of food, such as cake, cookies or the ubiquitous popcorn tins. Some will come from grateful patients.  How should you react if a patient brings in a gift of food for you and / or your staff?

I.  Gifts of Food from Patients:

Assuming these are of nominal value, it is fine to accept such perishable gifts from patients. However, it is a very good idea to share such food gifts from patients with the office or departmental staff.

II.  Non-Perishable Gifts from Patients:

Non-perishable gifts from patients present a bit more of a problem. Often these gifts are hand-made. But by their very nature they often can’t be shared by office personnel. And refusing such gifts would offend, insult, or disappoint the patients, who have sometimes spent considerable time and effort on the gifts. In such cases, it is permissible to accept the gift from the patient. However, depending on the nature of the gift, the practice should consider donating the gift to a suitable charity. For example, a quilted wall hanging may be accepted and displayed. A crocheted shawl might be donated to a charity. In the case of something that might be donated and to avoid hurting patient feelings if they don’t see their handiwork later, practice personnel should be appreciative and thank the patient, but explain that the practice policy does not allow them to accept gifts of such value and that they will be donating it to an appropriate charity.

III. Gifts of Food or Perishables from Vendors, Suppliers, other Health Care Providers or Third-Parties:

Let me start this section by saying that any gifts from vendors, suppliers, other health care providers or entities or third-parties are more problematic than gifts from individual patients. Gifts from patients do not implicate the Anti-kickback Statute. Gifts from vendors, suppliers or other health care providers do. Remember that the Anti-kickback Statute prohibits the giving, offering, accepting or receiving any remuneration whether in cash or in kind, in exchange for the referral of services or patients whose care may be reimbursed by federally funded programs such as Medicare. The Anti-kickback statute has no exception for gifts of nominal value or for items such as cookies or cakes.

That said, no physician practice will be prosecuted solely for accepting a holiday gift of food items, provided certain guidelines are kept in mind. As with food gifts from patients, food gifts from non-patients should be of nominal value and should not be a routine event. The food item should be of nominal value. The food should be delivered to the office and not in the form of coupons or paid-for expensive meals at a fancy restaurant. Thus, a tin of popcorn or a platter of mixed cookies from a local deli might be acceptable.

IV.  Gifts of Non-Perishable Items from Vendors, Suppliers, other Health Care Providers or Third-Parties:

Gifts of non-perishable items should never be accepted. As noted above, there is no de minimis value of a “remuneration” that is acceptable. The history of Anti-kickback Statute cases is full of examples of “gifts” that were really meant to be payments for referrals. A number of years ago, I was involved in a case where a marketing rep for an ancillary health care provider meticulously documented the Christmas gifts purchased for physicians and nurses who referred to the ancillary care provider and submitted that documentation for reimbursement as a marketing expense. The gifts ranged from simple small gift baskets of cosmetics to video game units plus games to expensive jewelry for the female physicians or the male physicians’ wives. Unfortunately, the rep’s documentation also included explicit notes as to the expense of each gift and comments that the higher value gifts were for physicians and nurses who referred more business. Partially as a result of this documentation, the ancillary health care provider was forced to make a self-disclosure to the OIG and entered into a five-year Corporate Integrity Agreement, in addition to refunding significant amounts of Medicare reimbursements.

V.  Gifts between Family Members who may be in a Referral Position:

Finally a question often arises is whether it is acceptable for an individual who is in a position to benefit from a physician’s referrals to give a gift to a family member who is a physician. This situation often arises with in-laws of physicians who are health care marketing personnel or ancillary or downstream health care providers, such as home health agencies or an imaging center.   For example, a home health care agency owner may wish to give his brother-in-law, a physician, a gift. If the gift is within reasonable limits, is not excessive in kind or value, and is of the kind typically exchanged by family members, and there are no other indications of an improper business relationship, I find it hard to believe that the government would prosecute such an act. Thus a sweater is likely acceptable, but a new car is not.

VI.  Final Remarks:

As with many subjects in this arena, intent is key. Accordingly, providers should have a policy in place that deals with gifts. If a practice chooses to accept gifts, a written policy incorporating the above aspects helps establish a lack of improper intent. It also provides staff members with cover when they refuse gifts. If this path is followed, all staff members will have a stress-free holiday season.

Heidi Kocher, Esq. is a health law attorney with the firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.

Does Your Practice Have a Compliance Officer or Compliance Committee?

(October 29, 2015): Last month we discussed why having a functioning, effective compliance program is important. If done correctly, a compliance program that is functional, effective, and well-documented is as important as your medical malpractice liability insurance. Indeed, the Affordable Care Act now requires compliance programs and many private payers now explicitly require compliance programs in their physician contracts.

But compliance programs don’t just materialize out of thin air. I have yet to be able to wave a wand or say an incantation that will bring a compliance program into being. In order to implement a functioning, effective compliance program, somebody has to perform specific tasks. In many practices, a physician (or the physician in a solo practice) is named the compliance officer. In other practices, it is a senior staff member, often the office manager. And sometimes the compliance officer does not have any other duties in the organization, particularly in large practices. All of these models can work. However, where the compliance officer or manager also has other duties, it is critical that those duties do not cause a conflict of interest with the compliance duties. If the compliance officer or manager has other duties in the practice, care must be taken that the individual is permitted enough time to carry out his or her compliance duties. I have seen numerous practices where being the compliance officer takes a back seat to being the office manager or the head of accounting. Those are practices that often run into compliance problems on down the line.

Even more importantly than having the appropriate amount of time, the compliance officer or manager must be given the authority to implement required policies, procedures and practices. All too often, the compliance manager or office is given the responsibility for implementing a compliance program, but not the needed authority. Particularly in solo and small practices, it is not uncommon for the physician to name him or herself as chief compliance officer and then delegate the day-to-day compliance duties to another individual, while the physician remains chief compliance officer on paper. Regardless of whether the individual conducting the day-to-day compliance activities is the actual chief compliance officer or a subordinate performing delegated duties, the most important aspect here is that the compliance staffer not find himself or herself constantly overruled or second-guessed by the physician(s). Unfortunately, I have seen too many cases where a compliance officer is not given the required authority to do what needs to be done or where a physician or group of physicians discounts the sound advice given by the compliance officer.

A physician practice should also implement a compliance committee. A compliance committee has two main functions. First, the compliance committee serves as an oversight body. Second, the compliance committee can be a tremendous help in carrying out compliance duties. In a small practice, the compliance committee might end up consisting of most of the staff members. Conversely, in a large practice, the compliance committee often consists of senior physicians and staff members, such as the head of human resources, the chief financial officer and representatives of other key departments. The composition of the committee and the number of members is not as important as the committee members’ ability to provide oversight and additional resources and manpower in implementing a compliance program.

In terms of oversight, the compliance committee should meet periodically and receive reports from the compliance officer about the steps he or she has taken implement the compliance program.   Quarterly meetings are typical. The compliance officer or manager should chair the meetings. The compliance officer can and should report on implementation of policies and procedures, status of training, any incidents, payer audits and other related matters. The quarterly meetings should be documented and maintained among the practice’s key documents.

In terms of providing additional resources for implementing the compliance program, the compliance officer may have to depend on the representatives of other functions to actually perform or carry out specific duties. For example, the human resources department may be tasked with actually conducting background and sanctions screening or employee training, while the finance or accounting department may help with responding to payer audits or performing internal audits. In addition, other departments and functions can often smooth the way for the compliance officer to implement specific tasks, often by providing input into an initiative or suggesting more cost-effective means of achieving a goal. Finally, these other individuals can help a compliance officer by spreading the compliance message throughout an organization.

In summary, empowering a compliance officer and creating a functioning compliance committee are key to implementing an effective compliance program.

Next month: Basic policies and procedures

Heidi Kocher, Esq. is a health law attorney with the firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Our attorneys represent dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects.  Need assistance?  For a free consultation, please call: 1 (800) 475-1906.

How to Implement a Compliance Plan in Your Practice

(September 17, 2015): Despite the fact that Medicare and Medicaid requires that participating providers implement a compliance plan, most small providers have yet to complete the necessary steps to accomplish this requirement.  “My office manager went to a continuing education program, and she’s come back telling me we need a compliance program. I don’t know about that. I know I need to be in compliance with all those rules and regulations, but it seems to be complex and confusing. Do I really need one? How do I put a program into place without spending enormous sums? We’re a small practice and we don’t have a lot of extra time and money to spend on compliance activities.”

This is how my clients often approach me with questions about compliance programs. Or, they have been the recipient of an audit letter from either Medicare or a private insurer. Let’s face it, the requirements for compliance programs are here to stay. Not only are compliance programs now required by the federal government for any provider who receives Medicare or Medicaid reimbursement (see section 6401 of the Affordable Care Act), they are also required by many private insurance companies. Within the last year, I have seen increasing numbers of network provider contracts from private insurance companies include a requirement that the provider have a compliance program. So, having a functional compliance program is no longer an option but a requirement.

To that end, over the next year, we will be exploring the basic elements of an effective compliance program, as well as topics related to a solid compliance program. Let’s start with what a compliance program is and is not. A compliance program is not a document that is placed in a binder on a high shelf in your office, to be dusted off only annually or when faced with scrutiny by insurance companies or, God forbid, state or federal regulators. Instead, a compliance program should become part of the fabric of doing business in your practice. When implemented correctly, a compliance program can help identify potential trouble spots in your practice and give you a framework for addressing those trouble spots. Of course, a functioning and effective compliance program can also help minimize fines and, if things go south, could keep a civil matter from turning into a criminal matter.

A compliance program is also not a mumu – one size does NOT fit all. Just as there are differences between patients, there are differences between practices, the risks they face and the best methods of addressing those risks. An effective compliance program recognizes that while the structure of most compliance programs is similar, it takes into account the practice’s size and sophistication, the medical specialty, and the patient population. For this reason, compliance programs in a box or purchased off the Internet really are not desirable and often cost a practice more money in customization and sometimes tears down the road. A perfect example is the recent settlement by Anchorage Community Mental Health Services in relation to a HIPAA breach, where the government noted the ineffectiveness of the “sample” compliance policies and documents the provider put forward as its compliance program.

The basic elements of an effective compliance program are not complicated. They are:

1. Designating an individual to serve as compliance officer and creating a compliance committee, particularly for larger organizations.
2. Implementing a standard of conduct and policies and procedures relevant to the practice’s operations.
3. Conducting effective training and education.
4. Instituting effective methods of communication
5. Conducting internal monitoring and auditing
6. Enforcing the policies and standards through well-publicized disciplinary guidelines
7. Responding promptly to violations and taking appropriate corrective action.

Each month we will explore each of these topics, discussing how to implement a compliance plan, and how to do so in a cost-effective fashion. Along the way, we will also discuss various forms of guidance available to practices when you implement a compliance plan that is tailored for the specific needs and risks of your individual practice. Let’s start with one right away – the federal government itself. The Office of Inspector General of the U.S. Department of Health and Human Services (“OIG”) has published a number of “Compliance Program Guidances”, intended to help different provider types understand and implement compliance practices specific to and appropriate for their particular branch. One of the guidances is specifically written for individual and small group physician practices and published in October 2000. It’s available here: http://oig.hhs.gov/authorities/docs/physician.pdf. In fact, this document is so basic to a physician practice’s compliance program that I strongly recommend that every compliance program have this document printed off, included among the compliance program documents, and readily available for staff member review. Although this document was published in 2000 (and therefore refers to CMS as HCFA and doesn’t make reference to the Affordable Care Act), it can be considered a bit like the U.S. Constitution – a document that creates the foundation for what comes after and points to a better future.

Heidi Kocher, Esq. is a health law attorney with the firm, Liles Parker, Attorneys & Counselors at Law.  Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA.  Do you need to implement a complaince plan?  Call one of our experienced health care attorneys for assistance. For a free consultation, please call: 1 (800) 475-1906.