Medicare and Medicaid Fraud and Compliance Plans

MEDICARE AND MEDICAID FRAUD AND COMPLIANCE PLANS
by
George F. Indest III, J.D., M.P.A., LL.M.

SCOPE OF ARTICLE

In this article, the author reviews the basics of Medicare and Medicaid fraud initiatives generated by the Office of the Inspector General and the State. This article reviews the State and Federal laws that are used to prosecute or obtain civil recovery from physicians in Medicare and Medicaid cases. The article also covers the guidance recently issued by the Office of the Inspector General for compliance plans for small medical practices. Sufficient information is provided for a physician or small medical group to design a Medicare & Medicaid compliance program.

§1 Compliance and Fraud and Abuse: Introduction

There is probably no other area of such significant legal importance to a physician who treats Medicare and Medicaid patients as the area of fraud and abuse and compliance.

§2 The OIG Sees a Problem with Fraud and Abuse in the Medicare Program

According to OIG, the Federal government's efforts in controlling fraud and abuse in Federal health care programs continue to bear fruit.

• From fiscal year 1997 until September 2001, the OIG reported overall savings of more than $65.31 billion.
• This is comprised of $1.07 billion in audit disallowance, $59.4 billion in savings from implemented legislative or regulatory recommendations and actions to put funds to better use, and $4.9 billion in investigative receivables.
• Medicare and Medicaid accounted for more than 98 percent of the total savings, with the balance attributable to various other HHS programs.
• In FY 2000 alone, Medicare and Medicaid accounted for more than $15.42 billion of the record $15.62 billion in overall savings.

The OIG reports significant enforcement achievements during the span of FY '97 to September 2001, ² including:

• The exclusion of more than 15,822 abusive or fraudulent individuals and entities from doing business with Medicare, Medicaid, and other Federal and State health care programs.
• 1,714 successful criminal prosecutions.
• 3,497 civil actions against individuals or entities engaged in fraudulent conduct against departmental programs.

As provided for in the Federal law known as the Health Insurance Portability and Accountability Act (HIPAA),³ most of the money recovered in the form of judgments, settlements and administrative penalty impositions from these cases has been or will be returned to the Medicare Trust Fund.

§4 The Medicaid Program and Medicaid Fraud

There are somewhat similar problems and somewhat similar concerns with the Medicaid Program and other state and federal programs, as well.

[1] The Medicaid Program

Medicaid is a joint Federal and State-funded program. The Federal government mandates certain eligibility classes and quality of care standards, with the bulk of the administrative functions being carried out by the States. However, enforcement is left primarily to the State with the Federal government providing overall supervision and guidance. In the Federal government, the Medicaid Bureau has been part of the Health Care Financing Administration (HCFA),⁴ a division of the Department of Health and Human Services (HHS). However, in 2000, the agency was renamed the Centers for Medicare & Medicaid Services (CMS) and refocused along its three primary lines of service - the Center for Medicare Management, Center for Beneficiary Choices and the Center for Medicaid and State Operations.

These three (3) centers are designed to clearly reflect the agency's major lines of business: traditional fee-for-service Medicare; Medicare+Choice and state-administered programs, such as Medicaid and SCHIP. The Center for Medicare Management will focus on management of the traditional fee-for-service Medicare program. This includes development of payment policy and management of the Medicare fee-for-service contractors. The Center for Beneficiary Choices will focus on providing beneficiaries with information on Medicare, Medicare Select, Medicare+Choice and Medigap options. It also includes management of the Medicare+Choice plans, consumer research and demonstrations, and grievance and appeals functions. The Center for Medicaid and State Operations will focus on programs administered by states. This includes Medicaid, the State Children's Health Insurance Program (SCHIP), insurance regulation functions, survey and certification, and the Clinical Laboratory Improvements Act (CLIA).

The State agency responsible for administering the State's Medicaid Program, including performing audits on Medicaid providers is usually referred to as the "Medicaid Agency." In Florida the Medicaid Agency is the Agency for Health Care Administration (AHCA).

[2] Overview of Medicaid Fraud in the United States

With annual health care costs in the U.S. now exceeding $1 trillion, fraud and abuse in the Medicaid Program is costing taxpayers billions of dollars each year, according to the Federal Medicaid Bureau. The Medicaid Program's price tag has risen from $3.9 billion in 1968 to more than $130 billion in 1993. The program's cost has risen so significantly for a variety of reasons, but HCFA, and now CMS, decided to focus on the tremendous amount of money lost to fraud and abuse.⁵

CMS' effort to detect and prevent fraud and abuse in the Medicaid program is based on a partnership and cooperative effort with beneficiaries, Medicaid providers, contractors, and state and federal agencies such as state Medicaid Fraud Control Units, state Surveillance and Utilization Review Units (SURU), the Office of the Inspector General (OIG), the Federal Bureau of Investigation (FBI), the Department of Justice (DOJ) and Congress.

While the states are primarily responsible for policing fraud in the Medicaid program, CMS provides increased technical assistance and guidance to these efforts. Fraud schemes often cross program lines and CMS continues to improve information sharing between Medicare and the nation's 57 State Medicare programs. For example, the South Florida Task Force demonstration had Medicare contractors, Medicaid state agencies, U.S. Attorneys and Medicaid Fraud Control Units working together for the first time detecting fraud and abuse in Medicare and Medicaid programs. In one of the most exciting joint ventures, the group matched Medicare and Medicaid data, to identify patterns of aberrant billing practices.

Building on the success of the South Florida Task Force, similar work groups have now formed in a dozen states.

[3] Medicaid Bureau's List of Most Common Medicaid "Rip Offs"

According to the HCFA Medicaid Fraud Bureau, the following are the most common "rip offs" in relation to the Medicaid Program:

• Billing for phantom patient visits
• Billing for goods and services not provided
• Billing for old or used items as though they were new
• Billing for more hours than there are in a day
• Billing for medically unnecessary testing
• Paying kickbacks in exchange for referrals
• Charging personal expenses to Medicaid
• Inflating the bills for services and goods provided
• Concealing ownership of related companies
• Falsifying credentials such as medical degrees/licenses or specialty certifications
• Double billing.

§5 Compliance Plans: Cure for All Ailments

Although this paper concentrates primarily on Medicare and Federal enforcement, a good compliance plan will assist in detecting and preventing problems with the all programs and all payers, not just the Medicare Program.

§6 Federal and State Fraud and Abuse Laws

[1] Federal Statutes Commonly Used to Address Health Care Fraud and Abuse⁶

[A] Federal Criminal Statutes Commonly Applied to Health Care Providers

The following list sets forth those Federal criminal offenses that are commonly utilized to combat Medicare and Medicaid fraud and abuse cases. The list is not exhaustive, however, these are the statutes most often used by prosecutors:

a.  Health Care Fraud (18 U.S.C. § 1347) (a crime to knowingly and willfully execute (or attempt to execute) a scheme to defraud any health care benefit program, or to obtain money or property from a health care benefit program through false representations).

Penalty: imposition of fines, imprisonment of up to 10 years, or both. If the violation results in serious bodily injury, the prison term may be increased to a maximum of 20 years. If the violation results in death, the prison term may be expanded to include any number of years, or life imprisonment.

b.  Theft or Embezzlement in Connection with Health Care (18 U.S.C. §669) (a crime to knowingly and willfully embezzle, steal or intentionally misapply any of the assets of a health care benefit program).

Penalty: imposition of a fine, imprisonment of up to 10 years, or both. If the value of the asset is $100 or less, the penalty is a fine, imprisonment of up to a year, or both.

c.  False Statements Relating to Health Care Matters (18 U.S.C. §1035) (a crime to knowingly and willfully falsify or conceal a material fact, or make any materially false statement or use any materially false writing or document in connection with the delivery of or payment of health care benefits, items or services).

Penalty: imposition of a fine, imprisonment of up to 5 years, or both.

d.  Obstruction of Criminal Investigations of Health Care Offenses (18 U.S.C. § 1518) (a crime to willfully prevent, obstruct, mislead, delay or attempt to prevent, obstruct, mislead, or delay the communication of records relating to a Federal health care offense to a criminal investigator).

Penalty: imposition of a fine, imprisonment of up to 5 years, or both.

e.  Mail and Wire Fraud (18 U.S.C. §§ 1341 and 1343) (a crime to use the mail, private courier, or wire service (including a telephone, fax machine or computer) to conduct a scheme to defraud another of money or property).

Penalty: imposition of a fine, imprisonment of up to 5 years, or both.

f.  Criminal Penalties for Acts Involving Federal Health Care Programs (42 U.S.C.§ 1320a-7b):

False Statement and Representations (a crime to knowingly and willfully make, or cause to be made, false statements or representations in connection with applying or receiving benefits or payments under all Federal health care programs).

Anti-Kickback Statute (a crime to knowingly and willfully solicit, receive, offer, or pay remuneration of any kind (e.g., money, goods, services) (a) for the referral of an individual to another for the purpose of supplying items or services that are covered by a Federal health care program; or (b) for purchasing, leasing, ordering, or arranging for any good, facility, service, or item that is covered by a Federal health care program).

Penalty: imposition of a fine of up to $25,000, imprisonment of up to 5 years, or both; exclusion of the provider from participation in Federal health care programs.

[B] Federal Civil Statutes Commonly Applied to Health Care Providers.⁷

The following civil penalties are those pursued most often by the OIG and Federal prosecutors against health care providers.

a.  The False Claims Act (31 U.S.C. §§ 3729-3733) (prohibits knowingly presenting (or causing to be presented) to the Federal government a false or fraudulent claim for payment or approval; also prohibits knowingly making or using (or causing to be made or used) a false record or statement to get a false fraudulent claim paid or approved by the Federal government).

Penalty: a minimum of $5,500 up to a maximum of $11,000 for each false claim submitted. In addition to the penalty, a provider could be found liable for damages of up to three times the amount unlawfully claimed.

b.  Civil Monetary Penalties Law (42 U.S.C. § 1320a-7a) (a comprehensive statute that covers an array of fraudulent and abusive activities and is very similar to the False Claims Act).

Penalty: a penalty of up to $10,000 per item or service and up to three times the amount unlawfully claimed. In addition, the provider may be excluded from participation in Federal health care programs.

c.  Limitations on Certain Physician Referrals ("Stark Laws") (42 U.S.C. §1395) (Physicians (and immediate family members) who have an ownership, investment or compensation relationship with an entity providing specified "designated health services" are prohibited from referring patients for these services where payment may be made by a Federal health care program, unless a statutory or regulatory exception applies. An entity providing a designated health service is prohibited from billing for the provision of a service that was provided based on a prohibited referral, unless an exception is met).

Penalty: denial of payment for the designated health services, refund of amounts collected from improperly submitted claims, and civil monetary penalty of up to $15,000 for each improper claim submitted. Physicians who violate the statute may also be subject to additional fines per prohibited referral. In addition, providers that enter into an arrangement that they know or should know circumvents the referral restriction law may be subject to a civil monetary penalty of up to $100,000 per arrangement.

d.  Exclusion of Certain Individuals and Entities From Participation in Medicare and other Federal Health Care Programs (42 U.S.C. § 1320a-7) (violation of criminal or civil laws affecting health care providers can subject them to exclusion from participation in the Medicare, Medicaid and all other Federal programs for minimums of 3 or 5 years.)

[2] Florida Statutes on Health Care Fraud and Abuse

[A] Florida Statutes Commonly Used to Combat Fraud and Abuse

a.  Florida Patient Self-Referral Act of 1992 (F.S. Section 445.654) (prohibits a health care provider from referring a patient for designated health services to an entity in which the health care provider is an investor or has an investment interest.)

Penalty: $15,000 for each service improperly claimed; $100,000 for each arrangement that attempts to circumvent the prohibition and has the principal purpose of assuring referrals by the physician.

b.  Florida Anti-Kickback Statute (F.S. Section 455.657) (prohibits any health care provider from offering, paying, soliciting, or receiving a kickback for referring or soliciting patients.)

Penalty: Violations of this section are punishable as provided by the Florida Patient Brokering Act (Section 817.505), Florida Statutes.

c.  Florida Patient Brokering Act (F.S. Section 817.505) (prohibits inducing the referral of patients or patronage from a health care provider or facility by offering, paying, soliciting, or receiving any commission, bonus, rebate, kickback, or bribe; engaging in any split fee arrangement; or aiding, abetting, advising, or otherwise participating in the above prohibited conduct.)

Penalty: First offense: first degree misdemeanor and/or $5,000 fine; Second offense: third degree felony and/or $10,000; injunction; recoupment of costs.

[B] Other Florida Statutes That Can Be Used to Combat Health Care Fraud and Abuse

a.  Theft, Section 812.014, Florida Statutes (A person commits theft if he or she knowingly obtains or uses, or endeavors to obtain or use, the property of another with intent to, either temporarily or permanently deprive the other person of a right to the property or a benefit from the property and appropriate the property to his or her own use or the use of any person not entitled to the use of the property.)

Penalty: If the property stolen is valued at $100,000 or more or if the property stolen is cargo valued at $50,000 or more and it is in the stream of interstate or intrastate commerce, the offender commits grand theft in the first degree, punishable as a felony of the first degree. If the property stolen is cargo in interstate or intrastate commerce or the property stolen is emergency medical equipment taken from a facility licensed under chapter 395, the offender commits grand theft in the second degree, punishable as a felony of the second degree.

b.  Forgery, Section 831.01, Florida Statutes (Prohibits the false making, altering, forging or counterfeiting of a public record in relation to a matter wherein such certificate, return or attestation may be received as a legal proof; or a charter, deed, will, testament, bond, or writing obligatory, letter of attorney, policy of insurance, bill of lading, bill of exchange or promissory note, or an order, acquittance, or discharge for money or other property, or an acceptance of a bill of exchange or promissory note for the payment of money, or any receipt for money, goods or other property, or any passage ticket, pass or other evidence of transportation issued by a common carrier, with intent to injure or defraud . . . .)

Penalty: felony of the third degree.

c.  Uttering forged instruments, Section 831.02, Florida Statutes (prohibits uttering or publishing as true, a false, forged or altered record, deed, instrument or other writing mentioned in Section 831.01 (above) if individual knows it to be false, altered, forged, or counterfeited, and intends to injure or defraud.)

Penalty: guilty of a felony of the third degree.

d.  False and fraudulent insurance claims, Section 817.234, Florida Statutes (prohibits any person from presenting or causing to be presented any written or oral statement as part of, or in support of, a claim for payment or other benefit pursuant to an insurance policy or a health maintenance organization subscriber or provider contract if the person knows of the false, incomplete or misleading information and intends to injure, defraud or deceive the insurer.)

Penalty: If the value of the property involved in the violation is less than $20,000, the offender commits a felony of the third degree. If the value of the property is more than $20,000 but less than $100,000, the offender commits a felony of the second degree. If the value of the property is more than $100,000, the offender commits a felony of the first degree.

§7 OIG's Compliance Guidance for Small Group Practices

[1] A Model Compliance Plan for Small Group Practices

On October 5, 2000, the Office of the Inspector General (OIG) issued a notice entitled "Compliance Program Guidance for Individual and Small Group Physician Practices" ("Small Practice Guidance").⁸ You can download a copy or review it at www.hhs.gov/oig. In this document, the OIG specifically stated that the applicability of its guidelines "will depend on the circumstances and resources of the particular physician practice." ⁹ Therefore, before deciding to implement a conference plan in a small medical practice, one is expected to weigh the advantages and disadvantages. A practical judgment should be made taking into account what may be gained through such a plan and the overall costs in time, money and risks that might be incurred.

Given the risks of non-compliance facing such small practices, and the potential gains that can occur, we suggest that all small medical groups, even sole practitioners, can benefit from instituting a minimum, basic compliance program. Later in this presentation, we will discuss ways to minimize the costs of implementing such a program.

In emphasizing flexibility, the OIG avoids defining what constitutes a small practice. Rather the OIG offers vague comments such as the following:

The difference between a small practice and a large practice cannot be determined by stating a particular number of physicians. Instead, our intent in narrowing the guidance to the small practices subset was to provide guidance to those physician practices whose financial or staffing resources would not allow them to implement a full-scale, institutionally structured compliance program as set forth in the Third Party Medical Billing Guidance or other previously released OIG guidance.¹⁰

Further, the OIG explains,

"There is no 'one size fits all' compliance program, especially for physician practices."¹¹

[2] Elements of the OIG's Small Practice Compliance Guidance

In response to comments received from physicians and trade associations, the OIG laid out a path for physician practices to follow in implementing compliance measures that is simpler and less formal than other OIG healthcare compliance programs. This guidance offers a physician practice the flexibility to choose which components to implement based on the needs of the practice and the benefits it hopes to gain. Each step contains recommendations for implementation, which should make the process easier for physicians to follow.

Using the following detailed guidance, a physician or small medical practice should be able to prepare and implement a compliance program satisfying all expectations of the government.

[A] Auditing and Monitoring

The first step the OIG recommended was that a physician practice perform a baseline audit to ascertain what, if any, problem areas exist and focus its compliance efforts on the risk areas that are associated with those problems. Two types of audits are recommended: (a) a standards and procedure review; and (b) a claims submission audit.

The OIG proposed a physician practice review its standards and procedures to determine if they are current and complete. Standards and procedures should comply with regulations as well as other requirements such as correct use of CPT and ICD-9-CM codes.

A claims submission audit should focus on a physician practice's compliance with applicable coding, billing and documentation requirements. The OIG recommended that the practice's billing representative and a medically trained person perform the audit. Some physician practices may wish to bring in an independent consultant or billing expert to assist in the audit and to establish more objectivity for the process. This baseline audit can be used to enable a physician practice to judge over time its progress in reducing or eliminating potential areas of vulnerability. The OIG offered guidance on how to conduct a baseline audit, and recommended that the audit cover claims that were submitted and paid during the initial three months after implementation of an education and training compliance program. This audit will create a benchmark against which the physician practice can measure future compliance effectiveness.

The physician practice should conduct a follow-up audit at least annually to ensure the compliance program is followed. The OIG advised that a randomly selected number of medical records be reviewed for coding accuracy. Although there is no set formula to determine how many medical records should be reviewed during an audit, the OIG's basic guide suggested reviewing five or more medical records per federal payor, or five to ten medical records per physician. Note that these compliance measures should cover private payors as well, to help prevent billing errors and improve the reimbursement process with those health plans. For some physician practices, however, this type of audit may be too burdensome. In that event, the OIG encouraged the physician practice to review claims that have been reimbursed by federal health care programs only.

A critical part of any compliance audit is the practice's response if a problem is found. The specific action a physician practice takes, however, should depend upon the circumstances of the situation. The Guidance suggested a few responses, such as repayment with an explanation of the billing error. In some instances where the compliance audit reveals more serious implications, the physician practice should consider engaging legal counsel, as well as accounting firms or coding experts, to assist in the audit and make recommendations on corrective action plans. Some audit results could require use of the OIG's voluntary self-disclosure protocol if the amount of overpayments is significant. As the OIG indicated, there is no boilerplate solution on how to handle problems that are identified.

[B] Establish Practice Standards and Procedures

The next step proposed by the OIG is to develop a method for addressing those risk areas through written standards and procedures. The OIG has concluded that written standards are helpful to all physician practices, regardless of their size. In fact, many physician practices may already have written practice policy statements regarding patient care, personnel matters and practice standards and procedures on complying with federal and state laws. Supplementing these standards and procedures with compliance measures should not be too difficult or time consuming for the physician practice.

For those physician practices that lack the resources to develop a set of standards and procedures dealing with all risk areas, the OIG recommended that the physician practice focus first on those risk areas most likely to arise in its particular physician practice. Additionally, for physician practices that are affiliated with a physician practice management company, a management services organization or a third-party billing company, one practical solution would be to incorporate the compliance standards and procedures of those entities, if appropriate, into its own standards and procedures. This approach has the advantage of minimizing the number of different policies and procedures to which the practice would be subject. However, wholesale adoption without analysis of the appropriateness of another healthcare provider's compliance program is not recommended. Physician practices that elect to use another health care provider's compliance program should tailor such policies, procedures and other written materials to their own practice where appropriate.

As a cost-effective approach, the Guidance recommended that a physician practice compile a resource manual containing the physician practice's written standards and procedures, relevant HCFA directives and carrier bulletins, and summaries of informative OIG documents. In this manner, the physician practice's policies and procedures are automatically updated as changes occur. The OIG and HCFA are working to compile a list of basic documents issued by both agencies that could be included in such a compliance binder. A word of caution:  because physicians usually are not lawyers, counsel must make sure that the physicians have reviewed and understand all documents that are incorporated in their compliance binder.

To assist physician practices in focusing on situations where the practice may be vulnerable, the OIG identified four potential risk areas affecting physicians which include: (i) coding and billing; (ii) reasonable and necessary services; (iii) documentation; and (iv) improper inducements, kickbacks and self-referrals.

(1) Risk Area: Coding and Billing

The following risk areas associated with billing are thought to be among the most frequent subjects of investigations, audits and national enforcement initiatives by the OIG:

(i) billing for items or services not rendered or not provided as claimed;
(ii) submitting claims for equipment, medical supplies and services that are not reasonable and necessary;
(iii) double-billing resulting in duplicate payment;
(iv) billing for non-covered services as if covered;
(v) knowingly misusing provider identification numbers, which results in improper billing;
(vi) unbundling (billing for each component of the service instead of billing or using an all-inclusive code);
(vii) failure to properly use coding modifiers;
(viii) clustering;¹² and
(ix) upcoding the level of service provided.

Practices should develop their coding and billing practices in tandem with statutes, regulations, payor standards and coding and billing standards currently used by physicians.¹³

(2) Risk Area: Reasonable and Necessary Services

Medicare will only pay for services that meet the Medicare definition of "reasonable and necessary."¹⁴ A physician practice's compliance program should acknowledge this limitation, but should also provide that physicians may order any tests, including screening tests, which they believe are appropriate for the treatment of the patient. According to the Guidance, the physician practice may bill Medicare in order to receive a denial for services, but only if the denial is needed for reimbursement from a secondary payor.

(3) Risk Area: Documentation

Perhaps the most important physician practice compliance issues are the appropriate documentation of diagnosis and treatment. A properly documented medical record aids in accurate claims submission and supports any subsequent need to justify the claim or the medical necessity of the service provided. A physician practice should develop internal guidelines to ensure accurate medical record documentation. The Guidance provided specific examples of documentation guidelines for practices to follow, many of which should already be familiar to physicians. For example, medical records should be complete and legible; they should document reasons for patient encounters, assessments, diagnoses, the identity of the clinician observing the patient;  and they should support the CPT and ICD-9-CM codes used to submit claims.

The Guidance suggested that one method for improving quality in documentation is for a physician practice to compare its claim denial rate to the rates of other physician practices in the same specialty to the extent such information can be obtained from the Medicare fiscal intermediary. However, many Medicare fiscal intermediaries may be reluctant to provide claim denial rates to entities other than the affected physician practice.

(4) Risk Area: Improper Inducements, Kickbacks and Self-Referrals

To have a complete compliance program, one must have standards and procedures that encourage compliance with the Anti-Kickback Statute and the Stark Law. The Guidance specifically delineated arrangements with hospitals, hospices, nursing facilities, home health agencies, durable medical equipment suppliers, pharmaceutical manufacturers and vendors as areas of potential concern. Rather than attempt to cover the provisions of the Stark Law and the Anti- Kickback Statute or the implementing regulations, advisory opinions and fraud alerts that have been issued since the statutes were adopted, the OIG simply recommended that legal counsel familiar with the Anti-Kickback Statute and Stark Law be consulted whenever a physician practice intends to enter into a business relationship with these potential or actual referral sources.

The OIG advised physician practices to address the following risk factors in its policies and procedures: (i) financial arrangements with other healthcare providers to whom the physician practice may refer federal healthcare program business; (ii) joint ventures with healthcare providers supplying goods or services to the physician practice or its patients; (iii) consulting contracts or medical directorships; (iv) office and equipment leases with healthcare providers to which the physician refers; and (v) soliciting, accepting or offering any gift or gratuity of more than nominal value to or from those who may benefit from a physician practice's referral of federal healthcare program business.

The OIG's Guidance also raised the highly sensitive issue of waiving patient copayments and deductibles and advised physician practices to adopt measures to avoid offering inappropriate inducements to patients. While physicians may think it would be good business practice to offer waivers of deductibles and/or copayments, many out-of-network physicians seem to have a particularly difficult time understanding why offering discounts that match the in-network benefit are prohibited. Health care providers and their counsel have been on notice about the questionable nature of this type of business practice since the 1991 OIG Fraud Alert "Routine Waiver of Copayments or Deductibles under Medicare Part B" was released, and consequently, the OIG expects the waiver of copayments and deductibles to be addressed in physician practice compliance programs.¹⁵

(5) Retention of Records

A priority for physicians, especially in light of HIPAA implementation, is a records retention system implemented in a compliance program. Standards and procedures should cover the creation, distribution, retention and destruction of patient and business records, as well as compliance related documents. State and federal privacy and regulatory requirements should be reviewed when implementing a records retention system.

The Guidance noted that while conducting its compliance activities, a physician practice should document its efforts to comply with applicable federal health care program requirements. Any requests for advice from the federal government, and any subsequent responses, should be retained, especially if the physician practice intends to rely on that response to guide it in future decisions, actions or reimbursement requests or appeals.

Regardless of a physician practice's size, the Guidance offered the following record retention guidelines: (i) specify the length of time that a physician practice's records are to be retained, and consult federal and state statutes for specific time frames; (ii) secure medical records against loss, destruction, unauthorized access, unauthorized reproduction, corruption or damage; and (iii) stipulate the disposition of medical records in the event the physician practice is sold or closed, subject to state law.

[C] Designation of a Compliance Officer/Contact(s)

Large health care entities will often employ an individual as its compliance officer, delegating to the compliance officer duties that include overseeing the implementation of the corporate compliance program, investigating complaints, developing and implementing the provider's response to these complaints and interacting with senior management, the Board of Directors and, when necessary, government agencies. Financial resource constraints may make it difficult for physician practices to designate one individual to be in charge of compliance functions. Therefore, the Guidance allowed the physician practice to designate more than one employee with compliance monitoring responsibility. In lieu of having a dedicated compliance officer, as required in previously published OIG compliance guidances, the physician practice instead may describe in its standards and procedures the compliance functions for which the designated employees would be responsible. These physician practice employees would be known as "compliance contacts" and compliance-related responsibilities would be only a portion of his or her responsibilities as an employee of the physician practice.

The Guidance also offered physician practices the alternative of outsourcing all or part of the functions of a compliance officer to a third party, such as a consultant, practice management company, management services organization, independent practice association ("IPA") or third-party billing company. Sharing a compliance officer with other health care providers affords multiple benefits to the physician practice: lower costs, increased expertise in the compliance officer role, and perhaps a better working relationship with HCFA and OIG representatives. As in any outsourcing arrangement, there is the risk that insufficient interaction between the physician practice and the compliance officer may cause the compliance program to lose its effectiveness.

A physician or practice should encourage interaction between the physician practice and the outsourced compliance officer, including perhaps designating an employee as the official liaison with the compliance officer. The liaison approach could be problematic, however. If other responsibilities of the physician practice's designated liaison prevent him or her from serving as the compliance officer in the first place, it is not clear that his person could serve as an effective liaison. In light of the liaison's other responsibilities, it is imperative that the physician practice place a high priority on the liaison's obligation to effectively and frequently communicate with the outside compliance officer. In this area, the role of the healthcare attorney is to advise the physician practice to properly structure the compliance officer's role, particularly if this role is outsourced.

Although the compliance oversight role needs to be tailored to the risk areas specific to each physician practice, the Guidance does set out a helpful list of duties that a physician practice may want to assign to the compliance officer/contacts. These duties include: (i) overseeing and monitoring the implementation of the compliance program; (ii) establishing methods to improve efficiency and quality of services and reduce the risk of fraud and abuse; (iii) periodically revising the compliance program to keep it current; (iv) developing, coordinating and participating in the practice's training program; (v) ensuring that the DHHS OIG's List of Excluded Individuals and Entities, and the General Services Administration's (GSA's) List of Parties Debarred from Federal Programs have been checked with respect to all personnel;¹⁶ and (vi) investigating any allegations concerning possible unethical or improper business practices, and monitoring subsequent corrective action.

[D] Conducting Appropriate Training and Education

Training and education are an important part of any physician compliance program. Education components of the physician compliance programs should be tailored to the specific practice's needs, specialty and size. Training and education require determining who needs training (both for compliance and for coding and billing); the type of training that best suits the practice's needs; and when and how often education is needed. Again, the Guidance afforded the physician practice with a significant degree of flexibility to accomplish the educational component of a compliance program. Training may be conducted through a variety of means, including in-person training sessions (i.e., either on site or at outside seminars), distribution of newsletters, or even using a readily accessible office bulletin board. No matter what means is selected, all employees should receive training on how to perform their jobs in compliance with the standards of the physician practice and applicable regulations. The physician practice should convey a very clear message: compliance is a condition of continued employment.

Depending upon an employee's job responsibilities, coding and billing training also may be appropriate. Although physicians often are primarily responsible for coding and billing, it is unrealistic to expect that a physician will remain well versed in all the requirements, including the constant flow of reimbursement updates and modifications. Physicians generally rely on the physician practice's employees for this information. Therefore, it is important that employees who are directly involved in billing, coding or other aspects of the federal healthcare programs be well trained in their area of responsibility and be a good source of knowledge and expertise for the physician practice.

Coding and billing training should cover topics such as (i) coding requirements; (ii) claim development and submission processes; (iii) signing a form for a physician without the physician's authorization; (iv) proper documentation of services rendered; (v) proper billing standards and procedures and submission of accurate bills; and (vi) the legal sanctions for submitting deliberately false or reckless billings.

Although there is no specific requirement for ongoing training, the OIG recommended at least an annual training program for all individuals involved in coding and billing. With healthcare providers that are subject to a corporate integrity agreement, the OIG usually requires a minimum of one hour per employee annually for basic training in compliance areas.

[E] Responding to Detected Offenses and Developing Corrective Action Initiatives

If the physician practice suspects a violation of its compliance program, the compliance contact should fully investigate the allegations to determine whether a violation of applicable law or requirements of the compliance program has occurred. If the allegation is substantiated, then the physician practice must take timely and decisive action to correct the problem. Overpayments must be returned to the payor, and in certain circumstances, the physician practice may find it necessary to report the violation to the government, and/or refer the matter to law enforcement authorities.

The Guidance suggested that physician practices should develop their own set of red flags that will alert them to potential compliance issues. For example, red flags could include a significant change in the number and/or types of claims rejected or adjusted, letters from fiscal intermediaries questioning the medical necessity or validity of claims, and unusual changes in billing code utilization patterns. The physician practice should investigate any red flags promptly. Counsel should advise the physician practice to modify its compliance program to prevent a future recurrence of the problem.

The OIG strongly encouraged physician practices to include in their compliance program steps for prompt referral or disclosure of any potential criminal violations to government authorities or a law enforcement agency. As outlined in the Provider Self-Disclosure Protocol, healthcare providers are encouraged to voluntarily report suspected fraud. However, any decision to make a referral or disclosure can have serious consequences for the physician practice and its physicians and should only be done after consulting with healthcare counsel In instances of overpayment, the physician practice should take appropriate corrective action, including prompt identification and repayment of any overpayment to the affected payor.

[F] Developing Open Lines of Communication

Previously published OIG compliance guidances encouraged a formal and more costly process to implement the communication component, including the use of hotlines and e-mail systems. The OIG recognized that physician practices are conducive to more informal modes of communication than other entities for which compliance guidances have been issued. The Guidance stated that the communication element might be met by implementing an "open door" policy between the physicians, compliance contacts and practice employees, combined with techniques such as posting notices in common areas and/or the use of a compliance bulletin board. In all circumstances, the OIG recommended that the physician practice post the DHHS OIG Hotline telephone number in a prominent area.

The Guidance suggested that meaningful and open communication can be achieved by including the following elements in the physician practice's standards and procedures: (i) require that employees report conduct that a reasonable person would, in good faith, believe to be erroneous or fraudulent, and provide that there will be no retribution for reporting conduct in those circumstances; (ii) create a user-friendly process for reporting erroneous or fraudulent conduct and for processing those reports, such as an anonymous drop box for larger practices; (iii) make it clear to the employees that a failure to report erroneous or fraudulent conduct is a violation of the compliance program; and (iv) utilize a process that maintains the anonymity of the persons involved in the possible erroneous or fraudulent conduct that has been reported and the person reporting the concern.

[G] Enforcing Disciplinary Standards Through Publicized Guidelines

It is not a surprise that the OIG expected a physician practice compliance program to include a disciplinary process that is consistently followed. The final step in the Guidance requires procedures for enforcing and disciplining individuals who violate the compliance program, either through their own actions or through their failure to report another person's violation. A physician practice brings credibility to its program by providing consequences for inappropriate behavior. These consequences can include warnings, reprimands, probation, damages, termination of employment and referral to authorities. However, the Guidance would allow the practice the flexibility to account for mitigating or aggravating circumstances.

The physician practice should retain all reports of non-compliant conduct and disciplinary action in a compliance file in the event that the physician practice is ever investigated by a regulatory agency or is required to defend its actions.

[H] Appendices

Included with the Guidance is an appendix of additional risk areas that a physician practice might wish to address during the development of its compliance program. These additional risk areas include:

• Variations in local medical review policies among carriers in determining reasonable and necessary services;
• The use of advance beneficiary notices, especially in regard to diagnostic tests or services;
• Certificates of medical necessity and potential physician liability regarding medical equipment and supplies, and home health services;
• Billing for non-covered services as if covered;
• The physician's role under the Emergency Medical Treatment and Active Labor Act, particularly in regard to physician on-call responsibilities;
• Billing for services provided by teaching physicians in teaching settings;
• Gain sharing arrangements and civil monetary penalties for hospital payments to physicians to reduce or limit services to beneficiaries;
• Physician incentive arrangements;
• Third-party billing services, in particular services that seek to be paid on a percentage basis;
• Billing practices by non-participating physicians;
• Professional courtesy;
• Rental of space in physician offices by persons or entities to which physicians refer; and
• Unlawful physician advertising.

The appendices provided by the OIG also included summary descriptions of criminal, civil and administrative statutes related to fraud and abuse in the context of healthcare. Finally, the OIG listed OIG-DHHS contact information and frequently cited Internet resources.

[3] Ambiguity Created by the OIG's Guidelines and AMA Criticism

The result of the built in flexibility in the OIG Small Practice Guidance is uncertainty for physicians. The American Medical Association (AMA) has leveled criticism at the OIG's Small Practice Guidance based in part on this flexibility and apparent vagueness.

It was reported:

The AMA said the final guidance was better than the June 12, 2000 draft, but was still too broad and still shaped too much like the guidance the OIG has given big institutions such as hospitals. It gives physicians no clear way of knowing whether their programs are effective or 'how much is enough' complained J. Edward Hill, a Tupelo, Mississippi physician and AMA Trustee.¹⁷

An AMA publication adds to this stating:

The flexibility that [the Small Practice Guidance] affords physician groups also creates ambiguity that some physicians may find unsettling. The OIG has implied, for example, that the larger the practice, the more sophisticated and substantial the compliance program. But the OIG never defines large or small.¹⁸

In the wake of the OIG's issuance of the Small Practice Guidance, consultants, medical associations and other groups are rushing to fill the gap by offering off-the-shelf, do-it-yourself and "cookie cutter" compliance plans at discount rates to physicians and medical groups. A "cookie cutter" approach should be avoided at all costs by the conscientious physician or administrator. Any valid compliance plan a medical group or even a sole practitioner implements, must be customized to the unique facts and circumstances of that particular practice. Any compliance plan implemented must also be regularly followed, routinely revised and familiar to all in the practice or working for the practice. A simple compliance plan is certainly acceptable.

§8 What the Future May Hold: The Good News and the Bad News

[1] Highlights from OIG Work Plan

Each year the OIG announces its plans for the upcoming year regarding the particular areas and issues upon which it will concentrate and any special projects it will undertake. In its Work Plan for Fiscal Year 2002,¹⁹ the OIG has stated that it will place emphasis on the following areas:

1. Hospitals - Medicare payment error prevention program; medical education payments; privileging activities; one-day stays; discharges and readmissions; consecutive inpatient stays; payments to acute care prospective payment system hospitals; implementation of critical access program; satellite hospitals; prospective payment system transfers during hospital mergers; DRG limits; outlier payments for expanded services; periodic interim payments; uncollected beneficiary deductibles and coinsurance; DRG payment window Part B providers; expansion of DRG window; hospital reporting of restraint-related deaths; reporting of restraint and seclusion use in psychiatric hospitals; outpatient prospective payment system; outlier payments under outpatient prospective payment system; outpatient services on same day as discharge and readmission; outpatient pharmacy services at acute care hospitals; outpatient medical supplies at acute care hospitals; procedure coding of outpatient and physician services; PRO sanction authority.

2. Home Health - oversight of quality; compliance programs; payment system controls; coding of resource groups.

3. Nursing Home Care - quality assessment and assurance committees; nurse aide training; family experience with nursing home care; three day stay requirement; consolidated billing; survey and certification process; use of penalties.

4. Hospice Care - plans of care; payments to nursing homes; use of continuous home.

5. Physicians - beneficiary access to preventative services; advance beneficiary notices; teaching hospitals; billing for resident services; evaluation and management codes; consultations; inpatient dialysis services; bone density screening; incidental services and supplies; reassignment of benefits.

6. Medical Equipment and Supplies - medical necessity of DME; pricing of equipment and supplies.

7. Laboratory Services - CLIA certification; cholesterol testing; proficiency testing.

8. ESRD - utilization service patterns of beneficiaries; EPOGEN; Method II billing.

9. Drug Reimbursement - Medicare coverage of prescription drugs; drug prices paid by Medicare; billings for nebulizer drugs.

10. Other Medicare Services - Medigap; rural health clinics; Medicare payments for clinical trials; Medicare mental health national error rate.

11. Medicare Managed Care - New adjusted community rate proposals; general and administrative costs; cost-based managed care plans; enhanced managed care payments; MCO profits; managed care additional benefits; beneficiary education about M+C plans; physician perspectives on MCOs.

12. Medicaid Hospitals - GME payments; hospital-specific disproportionate share payment limits; patient transfers; outpatient clinical diagnostic laboratory services under ambulatory procedure group systems; credit balances in inpatient accounts.

13. Medicaid Managed Care - marketing and enrollment; public-sponsored health plans; payments as part of the fee-for-service upper payment limit calculation: duplicate payments; pharmacy benefit managers; HIV/AIDS antiretroviral drug therapy; cost containment of mental health drugs.

14. CHIP - adolescent enrollment; educating families of newly enrolled children; disenrollment.

15. Other Medicaid Services - mutually exclusive codes; dual eligibility; fee-for-service payments for dual eligible enrollees; upper payment limit calculations; intergovernmental transfers; nursing facility administrative costs; services for severely mentally ill; benefits for homeless mentally ill; claims for residents of institutions for mental diseases; payments for inmates of public institutions; restraints and seclusion in residential treatment centers; discharge planning; DME reimbursement rates; follow up on clinical lab services; average wholesale drug prices; outpatient prescription drug pricing; drug rebates; coverage for poor working disabled; school-based health services; payments of services to deceased beneficiaries; escheated warrants.

16. Contractor Operations - oversight of contractor evaluations; program safeguard contractors; fraud control units; IS controls; provider education and training; comprehensive and component procedure codes; payments for incarcerated persons; payments for deported individuals; bankrupt providers; administrative costs; claim processing costs; unfunded pensions; pension segmentation/costs claimed; pension termination.

17. General Administration - Government Information Security Reform Act; improper fee-for-service payments; MSP; group purchasing organizations; CIAs; coordination with state and federal agencies.

18. Investigations - healthcare fraud; provider self-disclosure.

19. Legal Counsel - Compliance guidance; CIAs; advisory opinions and fraud alerts; safe harbors (more predicted for FY 2002); EMTALA enforcement; program exclusions; CMPs.

Physicians who have any involvement with any of the above areas would be well advised to have a compliance audit performed immediately to help ensure all of their activities and billings in these areas can be supported.

[2] "Phase I" of Final Stark II (Physician Self-Referral) Regulations Issued

Much has been said about the Stark II Regulations. The proposed regulations were published in January 1998 and received thousands of pages of comments by those potentially affected by them.²⁰ "Phase I" of the final Stark II Regulations were published on January 4, 2001.²¹ "Phase I" of the Stark II Regulations will become effective on April 14, 2002.

[3] Some Good News for Healthcare Providers?

The new Stark II Regulations do provide some questionably "good" news for healthcare providers:

 

1. On-site supervision has been eliminated for in-office ancillary services. Physician practices must merely meet the level of supervision required for reimbursement purposes.

2. In-office ancillary services may be performed anywhere in the "same building" as a group's full-service office, not necessarily in the same suite of offices.

3. Services personally performed by the referring physician are no longer "referrals."

4. Some services carved out of DHS, including: IOLs in ASCs; nuclear medicine.

5. "Per-use" and "per-click" arrangements may qualify as set in advance.

6. More flexibility in allocation of expenses and income within a group practice.

7. New exceptions finalized; fair market value; non-monetary compensation up to $300; academic medical centers; medical staff benefits; hospital compliance assistance to physicians.

[4] Some Bad News for Providers!

The Stark II Regulations in several respects disappointed healthcare providers and those who counsel and advise them:

  1. HCFA (now known as "CMS") declined to carve out a number of services, including lithotripsy, as requested by commenters.

  2. Off-site centralized DHS facilities may not be shared.

  3. Most percentage-based compensation arrangements are disapproved.

[5] A Little Good News and a Little Bad News

The new Stark II Regulations contain some matters of a rather mixed nature, as well:

1. Some important issues (such as physician recruiting) were deferred to Phase II of the Stark II Regulations.

2. Many (but not all) of the DHSs have been more precisely defined. Whether this is good or bad news depends on whether the service a provider proposes to render is in, out, or still in the gray area.