[A] Auditing and Monitoring
The first step the OIG recommended was that a physician practice perform a baseline audit to ascertain what, if any, problem areas exist and focus its compliance efforts on the risk areas that are associated with those problems. Two types of audits are recommended: (a) a standards and procedure review; and (b) a claims submission audit.
The OIG proposed a physician practice review its standards and procedures to determine if they are current and complete. Standards and procedures should comply with regulations as well as other requirements such as correct use of CPT and ICD-9-CM codes.
A claims submission audit should focus on a physician practice's compliance with applicable coding, billing and documentation requirements. The OIG recommended that the practice's billing representative and a medically trained person perform the audit. Some physician practices may wish to bring in an independent consultant or billing expert to assist in the audit and to establish more objectivity for the process. This baseline audit can be used to enable a physician practice to judge over time its progress in reducing or eliminating potential areas of vulnerability. The OIG offered guidance on how to conduct a baseline audit, and recommended that the audit cover claims that were submitted and paid during the initial three months after implementation of an education and training compliance program. This audit will create a benchmark against which the physician practice can measure future compliance effectiveness.
The physician practice should conduct a follow-up audit at least annually to ensure the compliance program is followed. The OIG advised that a randomly selected number of medical records be reviewed for coding accuracy. Although there is no set formula to determine how many medical records should be reviewed during an audit, the OIG's basic guide suggested reviewing five or more medical records per federal payor, or five to ten medical records per physician. Note that these compliance measures should cover private payors as well, to help prevent billing errors and improve the reimbursement process with those health plans. For some physician practices, however, this type of audit may be too burdensome. In that event, the OIG encouraged the physician practice to review claims that have been reimbursed by federal health care programs only.
A critical part of any compliance audit is the practice's response if a problem is found. The specific action a physician practice takes, however, should depend upon the circumstances of the situation. The Guidance suggested a few responses, such as repayment with an explanation of the billing error. In some instances where the compliance audit reveals more serious implications, the physician practice should consider engaging legal counsel, as well as accounting firms or coding experts, to assist in the audit and make recommendations on corrective action plans. Some audit results could require use of the OIG's voluntary self-disclosure protocol if the amount of overpayments is significant. As the OIG indicated, there is no boilerplate solution on how to handle problems that are identified.
[B] Establish Practice Standards and Procedures
The next step proposed by the OIG is to develop a method for addressing those risk areas through written standards and procedures. The OIG has concluded that written standards are helpful to all physician practices, regardless of their size. In fact, many physician practices may already have written practice policy statements regarding patient care, personnel matters and practice standards and procedures on complying with federal and state laws. Supplementing these standards and procedures with compliance measures should not be too difficult or time consuming for the physician practice.
For those physician practices that lack the resources to develop a set of standards and procedures dealing with all risk areas, the OIG recommended that the physician practice focus first on those risk areas most likely to arise in its particular physician practice. Additionally, for physician practices that are affiliated with a physician practice management company, a management services organization or a third-party billing company, one practical solution would be to incorporate the compliance standards and procedures of those entities, if appropriate, into its own standards and procedures. This approach has the advantage of minimizing the number of different policies and procedures to which the practice would be subject. However, wholesale adoption without analysis of the appropriateness of another healthcare provider's compliance program is not recommended. Physician practices that elect to use another health care provider's compliance program should tailor such policies, procedures and other written materials to their own practice where appropriate.
As a cost-effective approach, the Guidance recommended that a physician practice compile a resource manual containing the physician practice's written standards and procedures, relevant HCFA directives and carrier bulletins, and summaries of informative OIG documents. In this manner, the physician practice's policies and procedures are automatically updated as changes occur. The OIG and HCFA are working to compile a list of basic documents issued by both agencies that could be included in such a compliance binder. A word of caution: because physicians usually are not lawyers, counsel must make sure that the physicians have reviewed and understand all documents that are incorporated in their compliance binder.
To assist physician practices in focusing on situations where the practice may be vulnerable, the OIG identified four potential risk areas affecting physicians which include: (i) coding and billing; (ii) reasonable and necessary services; (iii) documentation; and (iv) improper inducements, kickbacks and self-referrals.
(1) Risk Area: Coding and Billing
The following risk areas associated with billing are thought to be among the most frequent subjects of investigations, audits and national enforcement initiatives by the OIG:
(i) billing for items or services not rendered or not provided as claimed;
(ii) submitting claims for equipment, medical supplies and services that are not reasonable and necessary;
(iii) double-billing resulting in duplicate payment;
(iv) billing for non-covered services as if covered;
(v) knowingly misusing provider identification numbers, which results in improper billing;
(vi) unbundling (billing for each component of the service instead of billing or using an all-inclusive code);
(vii) failure to properly use coding modifiers;
(viii) clustering;12 and
(ix) upcoding the level of service provided.
Practices should develop their coding and billing practices in tandem with statutes, regulations, payor standards and coding and billing standards currently used by physicians.13
(2) Risk Area: Reasonable and Necessary Services
Medicare will only pay for services that meet the Medicare definition of "reasonable and necessary."14 A physician practice's compliance program should acknowledge this limitation, but should also provide that physicians may order any tests, including screening tests, which they believe are appropriate for the treatment of the patient. According to the Guidance, the physician practice may bill Medicare in order to receive a denial for services, but only if the denial is needed for reimbursement from a secondary payor.
(3) Risk Area: Documentation
Perhaps the most important physician practice compliance issues are the appropriate documentation of diagnosis and treatment. A properly documented medical record aids in accurate claims submission and supports any subsequent need to justify the claim or the medical necessity of the service provided. A physician practice should develop internal guidelines to ensure accurate medical record documentation. The Guidance provided specific examples of documentation guidelines for practices to follow, many of which should already be familiar to physicians. For example, medical records should be complete and legible; they should document reasons for patient encounters, assessments, diagnoses, the identity of the clinician observing the patient; and they should support the CPT and ICD-9-CM codes used to submit claims.
The Guidance suggested that one method for improving quality in documentation is for a physician practice to compare its claim denial rate to the rates of other physician practices in the same specialty to the extent such information can be obtained from the Medicare fiscal intermediary. However, many Medicare fiscal intermediaries may be reluctant to provide claim denial rates to entities other than the affected physician practice.
(4) Risk Area: Improper Inducements, Kickbacks and Self-Referrals
To have a complete compliance program, one must have standards and procedures that encourage compliance with the Anti-Kickback Statute and the Stark Law. The Guidance specifically delineated arrangements with hospitals, hospices, nursing facilities, home health agencies, durable medical equipment suppliers, pharmaceutical manufacturers and vendors as areas of potential concern. Rather than attempt to cover the provisions of the Stark Law and the Anti- Kickback Statute or the implementing regulations, advisory opinions and fraud alerts that have been issued since the statutes were adopted, the OIG simply recommended that legal counsel familiar with the Anti-Kickback Statute and Stark Law be consulted whenever a physician practice intends to enter into a business relationship with these potential or actual referral sources.
The OIG advised physician practices to address the following risk factors in its policies and procedures: (i) financial arrangements with other healthcare providers to whom the physician practice may refer federal healthcare program business; (ii) joint ventures with healthcare providers supplying goods or services to the physician practice or its patients; (iii) consulting contracts or medical directorships; (iv) office and equipment leases with healthcare providers to which the physician refers; and (v) soliciting, accepting or offering any gift or gratuity of more than nominal value to or from those who may benefit from a physician practice's referral of federal healthcare program business.
The OIG's Guidance also raised the highly sensitive issue of waiving patient copayments and deductibles and advised physician practices to adopt measures to avoid offering inappropriate inducements to patients. While physicians may think it would be good business practice to offer waivers of deductibles and/or copayments, many out-of-network physicians seem to have a particularly difficult time understanding why offering discounts that match the in-network benefit are prohibited. Health care providers and their counsel have been on notice about the questionable nature of this type of business practice since the 1991 OIG Fraud Alert "Routine Waiver of Copayments or Deductibles under Medicare Part B" was released, and consequently, the OIG expects the waiver of copayments and deductibles to be addressed in physician practice compliance programs.15
(5) Retention of Records
A priority for physicians, especially in light of HIPAA implementation, is a records retention system implemented in a compliance program. Standards and procedures should cover the creation, distribution, retention and destruction of patient and business records, as well as compliance related documents. State and federal privacy and regulatory requirements should be reviewed when implementing a records retention system.
The Guidance noted that while conducting its compliance activities, a physician practice should document its efforts to comply with applicable federal health care program requirements. Any requests for advice from the federal government, and any subsequent responses, should be retained, especially if the physician practice intends to rely on that response to guide it in future decisions, actions or reimbursement requests or appeals.
Regardless of a physician practice's size, the Guidance offered the following record retention guidelines: (i) specify the length of time that a physician practice's records are to be retained, and consult federal and state statutes for specific time frames; (ii) secure medical records against loss, destruction, unauthorized access, unauthorized reproduction, corruption or damage; and (iii) stipulate the disposition of medical records in the event the physician practice is sold or closed, subject to state law.
[C] Designation of a Compliance Officer/Contact(s)
Large health care entities will often employ an individual as its compliance officer, delegating to the compliance officer duties that include overseeing the implementation of the corporate compliance program, investigating complaints, developing and implementing the provider's response to these complaints and interacting with senior management, the Board of Directors and, when necessary, government agencies. Financial resource constraints may make it difficult for physician practices to designate one individual to be in charge of compliance functions. Therefore, the Guidance allowed the physician practice to designate more than one employee with compliance monitoring responsibility. In lieu of having a dedicated compliance officer, as required in previously published OIG compliance guidances, the physician practice instead may describe in its standards and procedures the compliance functions for which the designated employees would be responsible. These physician practice employees would be known as "compliance contacts" and compliance-related responsibilities would be only a portion of his or her responsibilities as an employee of the physician practice.
The Guidance also offered physician practices the alternative of outsourcing all or part of the functions of a compliance officer to a third party, such as a consultant, practice management company, management services organization, independent practice association ("IPA") or third-party billing company. Sharing a compliance officer with other health care providers affords multiple benefits to the physician practice: lower costs, increased expertise in the compliance officer role, and perhaps a better working relationship with HCFA and OIG representatives. As in any outsourcing arrangement, there is the risk that insufficient interaction between the physician practice and the compliance officer may cause the compliance program to lose its effectiveness.
A physician or practice should encourage interaction between the physician practice and the outsourced compliance officer, including perhaps designating an employee as the official liaison with the compliance officer. The liaison approach could be problematic, however. If other responsibilities of the physician practice's designated liaison prevent him or her from serving as the compliance officer in the first place, it is not clear that his person could serve as an effective liaison. In light of the liaison's other responsibilities, it is imperative that the physician practice place a high priority on the liaison's obligation to effectively and frequently communicate with the outside compliance officer. In this area, the role of the healthcare attorney is to advise the physician practice to properly structure the compliance officer's role, particularly if this role is outsourced.
Although the compliance oversight role needs to be tailored to the risk areas specific to each physician practice, the Guidance does set out a helpful list of duties that a physician practice may want to assign to the compliance officer/contacts. These duties include: (i) overseeing and monitoring the implementation of the compliance program; (ii) establishing methods to improve efficiency and quality of services and reduce the risk of fraud and abuse; (iii) periodically revising the compliance program to keep it current; (iv) developing, coordinating and participating in the practice's training program; (v) ensuring that the DHHS OIG's List of Excluded Individuals and Entities, and the General Services Administration's (GSA's) List of Parties Debarred from Federal Programs have been checked with respect to all personnel;16 and (vi) investigating any allegations concerning possible unethical or improper business practices, and monitoring subsequent corrective action.
[D] Conducting Appropriate Training and Education
Training and education are an important part of any physician compliance program. Education components of the physician compliance programs should be tailored to the specific practice's needs, specialty and size. Training and education require determining who needs training (both for compliance and for coding and billing); the type of training that best suits the practice's needs; and when and how often education is needed. Again, the Guidance afforded the physician practice with a significant degree of flexibility to accomplish the educational component of a compliance program. Training may be conducted through a variety of means, including in-person training sessions (i.e., either on site or at outside seminars), distribution of newsletters, or even using a readily accessible office bulletin board. No matter what means is selected, all employees should receive training on how to perform their jobs in compliance with the standards of the physician practice and applicable regulations. The physician practice should convey a very clear message: compliance is a condition of continued employment.
Depending upon an employee's job responsibilities, coding and billing training also may be appropriate. Although physicians often are primarily responsible for coding and billing, it is unrealistic to expect that a physician will remain well versed in all the requirements, including the constant flow of reimbursement updates and modifications. Physicians generally rely on the physician practice's employees for this information. Therefore, it is important that employees who are directly involved in billing, coding or other aspects of the federal healthcare programs be well trained in their area of responsibility and be a good source of knowledge and expertise for the physician practice.
Coding and billing training should cover topics such as (i) coding requirements; (ii) claim development and submission processes; (iii) signing a form for a physician without the physician's authorization; (iv) proper documentation of services rendered; (v) proper billing standards and procedures and submission of accurate bills; and (vi) the legal sanctions for submitting deliberately false or reckless billings.
Although there is no specific requirement for ongoing training, the OIG recommended at least an annual training program for all individuals involved in coding and billing. With healthcare providers that are subject to a corporate integrity agreement, the OIG usually requires a minimum of one hour per employee annually for basic training in compliance areas.
[E] Responding to Detected Offenses and Developing Corrective Action Initiatives
If the physician practice suspects a violation of its compliance program, the compliance contact should fully investigate the allegations to determine whether a violation of applicable law or requirements of the compliance program has occurred. If the allegation is substantiated, then the physician practice must take timely and decisive action to correct the problem. Overpayments must be returned to the payor, and in certain circumstances, the physician practice may find it necessary to report the violation to the government, and/or refer the matter to law enforcement authorities.
The Guidance suggested that physician practices should develop their own set of red flags that will alert them to potential compliance issues. For example, red flags could include a significant change in the number and/or types of claims rejected or adjusted, letters from fiscal intermediaries questioning the medical necessity or validity of claims, and unusual changes in billing code utilization patterns. The physician practice should investigate any red flags promptly. Counsel should advise the physician practice to modify its compliance program to prevent a future recurrence of the problem.
The OIG strongly encouraged physician practices to include in their compliance program steps for prompt referral or disclosure of any potential criminal violations to government authorities or a law enforcement agency. As outlined in the Provider Self-Disclosure Protocol, healthcare providers are encouraged to voluntarily report suspected fraud. However, any decision to make a referral or disclosure can have serious consequences for the physician practice and its physicians and should only be done after consulting with healthcare counsel In instances of overpayment, the physician practice should take appropriate corrective action, including prompt identification and repayment of any overpayment to the affected payor.
[F] Developing Open Lines of Communication
Previously published OIG compliance guidances encouraged a formal and more costly process to implement the communication component, including the use of hotlines and e-mail systems. The OIG recognized that physician practices are conducive to more informal modes of communication than other entities for which compliance guidances have been issued. The Guidance stated that the communication element might be met by implementing an "open door" policy between the physicians, compliance contacts and practice employees, combined with techniques such as posting notices in common areas and/or the use of a compliance bulletin board. In all circumstances, the OIG recommended that the physician practice post the DHHS OIG Hotline telephone number in a prominent area.
The Guidance suggested that meaningful and open communication can be achieved by including the following elements in the physician practice's standards and procedures: (i) require that employees report conduct that a reasonable person would, in good faith, believe to be erroneous or fraudulent, and provide that there will be no retribution for reporting conduct in those circumstances; (ii) create a user-friendly process for reporting erroneous or fraudulent conduct and for processing those reports, such as an anonymous drop box for larger practices; (iii) make it clear to the employees that a failure to report erroneous or fraudulent conduct is a violation of the compliance program; and (iv) utilize a process that maintains the anonymity of the persons involved in the possible erroneous or fraudulent conduct that has been reported and the person reporting the concern.
[G] Enforcing Disciplinary Standards Through Publicized Guidelines
It is not a surprise that the OIG expected a physician practice compliance program to include a disciplinary process that is consistently followed. The final step in the Guidance requires procedures for enforcing and disciplining individuals who violate the compliance program, either through their own actions or through their failure to report another person's violation. A physician practice brings credibility to its program by providing consequences for inappropriate behavior. These consequences can include warnings, reprimands, probation, damages, termination of employment and referral to authorities. However, the Guidance would allow the practice the flexibility to account for mitigating or aggravating circumstances.
The physician practice should retain all reports of non-compliant conduct and disciplinary action in a compliance file in the event that the physician practice is ever investigated by a regulatory agency or is required to defend its actions.
Included with the Guidance is an appendix of additional risk areas that a physician practice might wish to address during the development of its compliance program. These additional risk areas include:
- Variations in local medical review policies among carriers in determining reasonable and necessary services;
- The use of advance beneficiary notices, especially in regard to diagnostic tests or services;
- Certificates of medical necessity and potential physician liability regarding medical equipment and supplies, and home health services;
- Billing for non-covered services as if covered;
- The physician's role under the Emergency Medical Treatment and Active Labor Act, particularly in regard to physician on-call responsibilities;
- Billing for services provided by teaching physicians in teaching settings;
- Gain sharing arrangements and civil monetary penalties for hospital payments to physicians to reduce or limit services to beneficiaries;
- Physician incentive arrangements;
- Third-party billing services, in particular services that seek to be paid on a percentage basis;
- Billing practices by non-participating physicians;
- Professional courtesy;
- Rental of space in physician offices by persons or entities to which physicians refer; and
- Unlawful physician advertising.
The appendices provided by the OIG also included summary descriptions of criminal, civil and administrative statutes related to fraud and abuse in the context of healthcare. Finally, the OIG listed OIG-DHHS contact information and frequently cited Internet resources.