Compliance: The Best Risk Management Tool

What is compliance, anyway? Something that you will know when you see it? What is an effective compliance plan? To some, simply staying out of the regulators’ sight is compliance, but compliance at its core is about assuring that the health and safety of patients is paramount. A robust compliance program is the ultimate risk management tool, but how do you know if your compliance program is working?

With ever-expanding areas of compliance, measuring the effectiveness of compliance plans was a topic of a study group composed of compliance professionals and the Department of Health and Human Services and the Office of Inspector General, which published “Measuring Compliance Program Effectiveness: A Resource Guide.” This publication identifies important elements of a compliance plan, but also suggests tools to measure and score compliance. The core elements of a compliance program are policies, standards, and procedures; program administration; screening and evaluation of employees, physicians, vendors, and other agents; monitoring, auditing, and internal reporting systems; discipline for non-compliance; and investigation and remedial measures.

As the regulatory sea ebbs and flows, there are so many new areas that providers must address in their compliance plans. For example, just this year, changes to the Stark Law in the 2018 budget bill were clarified in Centers for Medicare & Medicaid Services (CMS)’ Final Physician Fee Schedule Rule; new legislation essentially expanded the Anti-Kickback Statute’s prohibitions to private insurance for certain services; and both state and federal governments are creating new enforcement tools to control the prescription of controlled substances. All these areas should be incorporated into compliance plans, monitored, and evaluated.

Because of HIPAA and HI-TECH reporting requirements, chances are good that most healthcare providers think that monitoring adherence to privacy requirements for protected health information takes priority for compliance. While privacy concerns should, because of federal reporting requirements and potential fines, be constantly monitored for breaches, the greatest risk does not arise from privacy breaches but from other compliance areas. A sampling of areas where compliance plans should focus are listed below.

Fraud, Waste and Abuse Compliance

EKRA: The enactment of the Eliminating Kickbacks in Recovery Act of 2018 (EKRA) has expanded the Anti-Kickback Statute with new criminal penalties to many commercial health insurance plans as well as Medicare and Medicaid. Although EKRA was created to address “patient brokering,” the practice by recovery homes and treatment facilities of engaging third parties to recruit patients in exchange for payments, this law also applies to clinical laboratories and others involved in providing behavioral health services. As healthcare providers integrate behavioral and substance disorder treatment into primary care, the review of policies, procedures, and practices for ordering these services and the laboratory tests necessary for compliance with state laws will become a new area of compliance review.

TELEHEALTH: Telehealth is an important new area for compliance review as CMS reports that more than half of the telehealth claims paid in 2014 and 2015 were unallowable because they did not have matching originating-site facility fee claims. With these high error rates within Medicare claims, CMS has announced new review, provider education, and enforcement efforts. Complicated Medicare payment rules that differ from Medicaid and commercial insurance rules assure that telehealth is a high-risk area for providers.

BIG DATA: As the easy availability and review of big data is worked into the everyday routine of regulators, providers need to be aware that they will be measured against norms established through data analytics that are regularly provided to CMS, OIG, DOJ, and contractors. More than ever, appropriate and thorough documentation of medical records is important. When available, providers should access their information and determine how it measures in comparison to other providers, a key part of a compliance review.

MEDICAL RECORD CODING, MEDICAL NECESSITY, STARK LAW, ANTI-KICKBACK, AND QUALITY OF CARE: These areas are important as they support false claims actions and require vigilant ongoing audit and review. While the subject areas change from time to time, providers must establish ongoing education about the services they provide, the required documentation to support the medical necessity of those services, and the appropriate coding. Careful and consistent internal auditing of documentation is a basic and vital compliance tool.

Prescribing Compliance

Prescribing controlled substances has become complicated and is an area that providers need to include as part of their ongoing compliance efforts. In Kentucky, prescribing standards are established by the Kentucky Board of Medical Licensure and the Kentucky Board of Nursing, and they vary depending on the type of substance prescribed and the credentials of the subscriber. Compliance in this area involves diligent adherence to checking KASPER, performing regular reassessments, limiting amounts prescribed, and even doing a reverse KASPER – checking one’s own prescribing report – for irregularities. Heightened scrutiny of urine drug screen testing and documentation of medical necessity has become a focus of regulators as the reasonableness of requiring testing as a routine part of treatment is being challenged from a payment perspective.

Employment Compliance

In addition to providing care and treatment, healthcare providers are also employers, creating compliance issues. Employers must comply with anti-discrimination laws such as Title VII, the ADA, and many other federal, state, and local laws that address hiring, firing, and any other tangible employment actions.

Workplace policies are governed by the National Labor Relations Act, which the NLRB has ruled covers such diverse items as social media posts and complaining to a manager. Workplace safety is governed by OSHA rules and regulations. The Department of Labor governs compliance with wage and hour laws, including overtime regulations. These are once again set to change, increasing the compliance burden on employers.

Corporate Compliance and Taxation

Measuring and assuring compliance with state, local, and federal laws that govern the existence and operation of corporations and limited liability companies is essential. Maintaining minutes, effective board and leadership practices, and required filings and reports is essential to maintaining the advantages of operating as a corporate entity. Failure to communicate changes in leadership and control to update Medicare and Medicaid enrollment can result in deactivation of provider status and the ability to be paid for services. Providers must be vigilant about reporting changes in enrollment information as well.

Keeping up with required tax filings is multi-layered as taxes include federal, sales, property, capital gains, payroll, and occupational, among many others. Managing the tax payments and filings is complicated and requires vigilance.

The Tip of the Compliance Iceberg

Maintaining an effective compliance program requires a corporate cultural commitment to ethics and values that must be communicated and modeled throughout the organization. Knowing that compliance is important and will be measured puts providers, staff, managers, patients, and vendors on notice that compliance is important and a part of expected behavior and culture. Non-tolerance of aberrant behavior sends a message that ultimately impacts performance and reputation.

Best practices are to craft compliance programs that consistently cover as many areas as possible, with at least one individual who has overall responsibility for compliance and is accountable. However, compliance cannot end with the compliance officer, but must be built into the job descriptions and responsibilities of every employee, officer, director, staff member, contractor, and vendor. A provider’s best risk management tool is a robust and consistent compliance program, which will achieve best practices and high quality of care.

Lisa English Hinkle is a member of McBrayer PLLC. Hinkle concentrates her practice area in health care law and is located in the firm’s Lexington office. She can be reached at lhinkle@mcbrayerfirm.com or (859)-231-8780.

This article is intended as a summary of federal law or regulation and does not constitute legal advice.