Avoiding a Compliance Nightmare in 2020
Date Posted: Friday,
January 24, 2020
I've never been a huge fan of horror films and not because of the blood and guts but simply because of the bad choices the victims always seem to make; "Let's hide behind the wall of chain saws, no one will see us there" or, "Let's bypass the running car with no one in it and head for the hills and hide from a "Hill Person"". I see health care organizations making the same avoidable mistakes when it comes to their compliance programs. Listen, it doesn't have to be that complicated to make a smart decision when it comes to what your compliance program should look like. There is nothing that says your compliance program has to be this 1000 page complex and overly burdensome document for which you paid $25,000 and the odds of it being followed are exactly zero! The plan itself is static for the most part once its created and only requires tweaks from time to time as the practice changes or as requirements by the governments change. Your policies and procedures are what defines the effectiveness of your compliance efforts and ultimately your compliance program. Policies are where you need the ultimate focus since these are how you tell someone internally and externally the what, when, where, why and how for the way things are done at your organization/practice. Policies that are followed in "good-faith" is how you potentially lessen penalties and fines and avoid accusations of conspiracy to commit fraud.
There is absolutely no doubt 2020 is already off with a bang! Thus far (since January 2nd), we have had no less than 3 new clients contact us because they were notified by one of the Blues that they were being terminated from participation. A law firm has us working on a 22-count indictment for conspiracy to commit fraud or a scheme to elicit funds from the federal payor program(s). A law firm that is working with the United States Attorney's Office (USAO) on a multiple count indictment for violation of Incident-To and infusion services. Then there are the dozen or so clients that have contacted us who since January 2, 2020, have received notice of audit from the Targeted, Probed and Educate (TPE) program, Special Investigative Unit from one of the commercial payors, a client who is facing $50k in off-sets without notice following the submission of claims in 2019 and finally a client who received a Notice of Intent of Referral to the Department of Treasury for failure to promptly return overpayments to CMS. The majority of the issues these clients are facing could have been addressed prior to any of them becoming an issue had they taken the time to understand their service lines, requirements by the government for audit and/or refund processes, documentation requirements for coding and billing of their services, and how to avoid referral to the Department of Treasury. How you ask? Simple, by having standard operating procedures (SOPs) and/or effective policies written in a manner that makes it easy for the staff to understand the what, when, where, why and how of dealing with specific issues as I previously outlined.
I know you all get tired as do your providers, owners, CEOs, and other managers hearing about compliance programs but the truth is the requirement to have one is only gaining momentum. Compliance programs are a condition of participation with the majority of the commercial payors and with CMS. There are boxes on the CMS 855 Forms that you have to check to attest to your having an effective compliance program in place and believe me, I saw multiple times in 2019 requests from not only prosecutors but from the SIUs and other entities requesting proof of your compliance.
As a Compliance and Regulatory Officer, I spend the majority of my days engaged in the review of governmental Guidelines, Statutes, Acts, Laws and Regulations to aid in the recommendations provided to our law firms, medical practices, community hospitals and health care organization clients. The impact of changes in the rules are and will continue to have significant impact for decades to come and long after I am gone from working in this industry. We are without a doubt one of if not the most regulated of all professions and the fines and penalties are beyond comprehension lots of times.
One of the best ways to monitor your compliance program is to understand what governmental agencies are looking for from your organization and how non-compliance can impact you. Take for example the U.S. Department of Justice (DOJ), Criminal Division who on the 30th of April, 2019 released their updated guidance to prosecutors within DOJ on how to assess the effectiveness of corporate compliance programs. What is interesting about this release is the incredible focus the guidance places on compliance programs and the requirement of investigators looking at companies to closely to evaluate, test and require upgrades to their programs prior to any investigation being concluded.
The guidance document places emphasis on 3 fundamental questions that prosecutors need to address:
1. Is the corporation's compliance program well designed?
2. Is the program being applied earnestly and in good faith? This means they want to know whether or not the program is being implemented effectively.
3. Does the corporation's compliance program work in practice?
The guidance document itself actually creates 12-topics for consideration:
1. Risk Assessment - Prosecutors should consider whether the program is appropriately "designed to detect the particular types of misconduct most likely to occur in a particular corporation's line of business" and "complex regulatory environment[]." JM 9-28.800.
2. Policies and Procedures - Prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company's commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees. As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.
3. Training and Communications - Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. Prosecutors should also assess whether the company has relayed information in a manner tailored to the audience's size, sophistication, or subject matter expertise.
4. Confidential Reporting Structure and Investigation Process - Prosecutors should assess whether the company's complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers. Prosecutors should also assess the company's processes for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline.
5. Third-Party Management – Prosecutors should also assess whether the company knows its third-party partners' reputations and relationships, if any, with foreign officials, and the business rationale for needing the third party in the transaction. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
6. Mergers and Acquisitions - Prosecutors should examine the company's M&A pre-acquisition due diligence and post-acquisition integration processes.
7. Commitment by Senior and Middle Management - Prosecutors should examine the extent to which senior management have clearly articulated the company's ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them. See U.S.S.G. § 8B2.1(b)(2)(A)-(C) (the company's "governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight" of it; "[h]igh-level personnel … shall ensure that the organization has an effective compliance and ethics program.").
8. Compliance Autonomy and Resources - Prosecutors should assess whether the compliance function has sufficient seniority, resources, and autonomy commensurate with the company's size and risk profile. Notably, Prosecutors should ask whether the company outsourced all or parts of its compliance function to an external firm or consultant. If so, Prosecutors will probe the level of access that the external firm or consultant has to company information.
9. Incentives and Disciplinary Measures - Prosecutors should assess whether the company has clear disciplinary procedures that are enforced consistently, as well as whether and how the company incentivizes ethical behavior.
10. Continuous Improvement, Periodic Testing, and Review - Prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale. Some companies survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are functioning well, though the nature and frequency of evaluations may depend on the company's size and complexity. Prosecutors may reward efforts to promote improvement and sustainability. In evaluating whether a particular compliance program works in practice, prosecutors should consider "revisions to corporate compliance programs in light of lessons learned." JM 9-28.800; see also JM 9-47-120(2)(c) (looking to "[t]he auditing of the compliance program to assure its effectiveness"). Prosecutors should likewise look to whether a company has taken "reasonable steps" to "ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct," and "evaluate periodically the effectiveness of the organization's" program. S.S.G. § 8B2.1(b)(5). Proactive efforts like these may not only be rewarded in connection with the form of any resolution or prosecution (such as through remediation credit or a lower applicable fine range under the Sentencing Guidelines), but more importantly, may avert problems down the line.
11. Investigation of Misconduct - Prosecutors should assess the effectiveness and resources of the company's investigative function. Notably, this is the second instance in the updated Evaluation calling for Prosecutors to assess a company's investigative function.
12. Analysis and Remediation of Any Underlying Misconduct - Prosecutors evaluating the effectiveness of a compliance program are instructed to reflect back on "the extent and pervasiveness of the criminal misconduct; the number and level of the corporate employees involved; the seriousness, duration, and frequency of the misconduct; and any remedial actions taken by the corporation, including, for example, disciplinary action against past violators uncovered by the prior compliance program, and revisions to corporate compliance programs in light of lessons learned." JM 9-28.800; see also JM 9-47.120(3)(c) ("to receive full credit for timely and appropriate remediation" under the FCPA Corporate Enforcement Policy, a company should demonstrate "a root cause analysis" and, where appropriate, "remediation to address the root causes"). Prosecutors should consider "any remedial actions taken by the corporation, including, for example, disciplinary action against past violators uncovered by the prior compliance program." JM 98-28.800; see also JM 9-47-120(2)(c) (looking to "[a]ppropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred" and "any additional steps that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk").
Throughout the course of a year, I speak to thousands of health care professionals from all across this great nation and while so many tell me they learn so much from me, the truth is I learn just as much if not more from y'all, which provides me scenarios to problem solve.
The biggest mistakes I saw in 2019, which can be avoided going forward, were organizations either over- or under-thinking their compliance program and as a result, spent way too much money or what they spent was a waste of money because what they got won't protect them should they need it. When you set out to accomplish something such as the implementation of a compliance program, there is no need to guess, the foundation is there, tools and templates are widely available and expert guidance is at your fingertips. This leads me to the last part of this first Blog of 2020 and that is whether or not you should/could use a compliance program in box. You know, the ones they advertise for $99.95 or the "professional" version for $199.00. My answer is these things are not effective and would do nothing to protect you during an investigation unless you first performed a "Gap Analysis" and then made enough modifications to the documents to truly be specific to your organization. At the end of the day, these things are generic templates that do not take into account in which state you practice, the payors you participate with or the current structure of your practice/organization. Again, the old saying goes, "Garbage in; garbage out," meaning if you simply open the Word document and replace the word "Practice" with the name of your entity, print it and stick it in a binder and only pull it out when you are called to the carpet, you will absolutely in the end get what you deserve.
Unfortunately, 2020 for providers of health care services is going to most likely be a record setting year for recoveries, plea agreements and/or indictments. Don't be one of the statistics because you cut corners or chose to bury your head in the sand and pretend nothing bad like that could happen to you. Pleading ignorance and/or stupidity are non-defenses in a court of law. "Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity" Martin Luther King, Jr.
Sean M. Weiss is a Partner and serves as VP/Chief Compliance Officer for DoctorsManagement, LLC based in Knoxville, TN. DoctorsManagement, LLC services more than 20,000 clients nation-wide and has been in existence since 1956. Weiss serves as an Investigator and expert witness in Federal and State cases as well as an expert or lead in Administrative Law Judge Hearings. During his 25-year career, Weiss has engaged in more than 200 cases working with law firms and health systems across the country. Weiss serves as a third-party compliance and regulatory officer for more than a dozen health care organizations across the country of varying sizes. For more information on Sean M. Weiss or DoctorsManagement, LLC visit us online at www.doctors-management.com or contact us directly at 800.635.4040. You can also follow Sean on his biweekly Blog on LinkedIn (Sean M. Weiss "The Compliance Guy") or at www.thecomplianceguyblog.com
What to do next...
If you need help with an audit appeal or regulatory compliance concern, contact us at (800) 635-4040 or via email at info@drsmgmt.com.
Read more about our: Total Compliance Solution
Why do thousands of providers trust DoctorsManagement to help improve their compliance programs and the health of their business?
Experienced compliance professionals. Our compliance services are structured by a chief compliance officer and supported by a team that includes physicians, attorneys and a team of experienced auditors. The team has many decades of combined experience helping protect the interests of physicians and the organizations they serve.
Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credentials.
Proprietary risk-assessment technology - our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.
Synergy - DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today's healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.