Many individual and small group practices find themselves stretched thin trying to see patients and handle the day-to-day operations of the practice. Oftentimes, something slips through the cracks. More often than not, a compliance program is one of them.
You may be asking yourself, “Why is this so important? I have enough to do just addressing patient care needs.” With the passage of the Patient Protection and Affordable Care Act of 2010, Section 6401, physicians who treat Medicare and Medicaid beneficiaries are required to establish a compliance program.
What does a Compliance Program look like?
In October 2000, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS), issued Compliance Program Guidance directed at individual and small group physician practices. The recommendations from HHS OIG included the following:
Conduct internal monitoring and auditing;
Implement compliance and practice standards;
Designate a compliance officer or contact;
Conduct appropriate training and education;
Respond appropriately to detected offenses and develop corrective actions;
Develop open lines of communication; and
Enforce disciplinary standards through well-publicized guidelines.
The question then becomes “How am I supposed to implement this and keep it current?” The answer to that question is going to depend on the size of the practice, the type of specialty involved, and the compliance risks that are unique to each of the specialties. The following are the basic steps any practice can take:
1. Determine who is going to take the lead for the compliance program – a physician or office manager or other staff. Designate that person as the compliance officer/compliance leader.
2. Develop new practice standards or update existing practice standards to address the following elements: HIPAA privacy and security; coding and billing; reasonable and necessary services; documentation guidelines; and improper inducements, kickbacks and self-referrals.
3. Provide education to all employees of the practice – both physician and non-physician – regarding the policies and procedures and disciplinary implications of non-compliance.
4. Develop a monitoring program which includes, at a minimum, the following risk areas:
Charge sheets are updated to agree to the most recent procedure codes.
The appropriate provider code is billed for the service performed.
Staff is practicing within their state-licensed scope of practice.
Documentation templates include all the elements required to support the medical necessity of the services provided.
Completed documentation templates for patient visits contain all the information necessary to support the charges (the requirements may differ based on the type of service and the specialty area).
Physician DEA pins and NPI numbers are safeguarded appropriately to prevent provider medical identity theft.
Processes to verify patient identity are performed to prevent medical identity theft.
HIPAA monitoring to verify who is accessing patient medical information and that conversation areas are HIPAA compliant – including exam rooms, etc.
HIPAA security checks – patient medical information is not stored on hard drives, external hard drives or zip drives. All hardware is appropriately encrypted.
A monitoring process for any gifts received by employees of the office, including the physicians, to determine if the gifts could be considered inducements or kickbacks to generate referrals.
5. Establish a consistent response to issues identified during monitoring and verify that corrective actions are taken.
6. Communicate early and often with staff. Make sure that all employees are aware of the requirements and set a tone that encourages open communication of problems. Physician practices may consider working with a vendor to establish a compliance hotline to allow for anonymous reporting.
7. Routinely reinforce the importance of compliance within the practice through ongoing conversation and feedback to all staff. Publicize the disciplinary standards and follow through with enforcement when situations present themselves.
For those of you who are reading this and thinking you already have these elements in place, please remember that in the eyes of the government if it isn’t documented, it didn’t happen. Make sure you document your procedures, monitoring activities and outcomes. If you don’t have a process in place, now is the time to establish a compliance program.
Shawn Stevison, CPA, CHC, CGMA, CRMA, is the manager of Healthcare Consulting Services at Dean Dorton. She can be reached at 502.566.1066 or sstevison@ddafhealthcare.com.