Compliance Planning 101

February 28, 2014

Now that compliance programs are mandatory, your practice needs to develop one. Here's how to get started.

Compliance programs that help medical practices prevent and detect fraud are no longer just good business. They're mandatory. Under the Affordable Care Act, all providers who bill Medicare or Medicaid are now required to create policies, train staff, and establish protocols for promptly reporting financial misconduct.

Mandatory compliance measures are designed, of course, to root out the small number of unlawful providers who bilk the federal health insurance system. Indeed, healthcare fraud accounts for anywhere from 3 percent to 10 percent of our nation's annual healthcare spending, costing U.S. taxpayers between $80 billion and $200 billion per year, according to the National Healthcare Anti-Fraud Association (NHCAA).

But the new requirements also put legitimate providers who inadvertently run afoul of anti-kickback statutes or fail to return overpayments in a timely fashion at greater risk for civil and criminal penalties. Overpayments occur when two insurance companies pay for the same claim, or the provider bills for services at a higher level than his documentation supports.

Russell Still, executive vice president of Medical Management Associates, a practice management consulting firm in Atlanta, says a robust compliance program will flag such instances, allowing the practice to take corrective action and put policies in place to prevent a repeat occurrence. Just as important, it can serve as a show of good faith, too, potentially insulating the provider from criminal and civil penalties down the road. "If you do get caught with a billing issue, a good compliance program can help deflect some of the additional charges you might otherwise be required to pay," says Still, noting the government has the opportunity to not only ask for money back for claims that are billed inappropriately, but to add treble (triple) damages in penalties. "If you have an operational plan in place, you can potentially deflect some of that."

But what constitutes an effective compliance program? CMS has yet to issue specific guidance on how most providers should implement internal controls, but solo practitioners and small group practices can cover their bases with the recommendations of the Office of Inspector General. In 2000, the OIG identified seven components of a solid compliance plan, which remain just as relevant today, says NHCAA CEO Louis Saccoccio. Here they are:

Conduct internal audits and monitoring

According to the OIG, the best compliance programs include an ongoing evaluation process to ensure their standards are both current and accurate. The evaluation process should also ensure that the program is, well, working: Are staff members following procedures and submitting claims accurately? Larger practices frequently use outside vendors to audit their claims, but smaller practices with limited resources may choose to focus their resources on the parts of their business that present the greatest liability risk, says Brenda Tranchida, a healthcare attorney for Baltimore-based Venable law firm.

"It has to be scaled to the size of the organization and it has to make sense," says Tranchida. "For physician practices, one of the major risks is in billing and any relationships they may have with referring physicians."

By auditing a sample of claims periodically and monitoring the referrals your practice makes and receives to ensure it does not benefit financially from the arrangement, your practice will be well positioned to mitigate risk.

Designate a compliance officer to monitor compliance

To that end, a designated compliance officer should be named to ensure adherence, conduct internal audits, and update policies to reflect regulatory changes. The OIG recommends that claims that get submitted and paid during the initial three months after your education and training program is implemented be reviewed to provide a baseline audit. That gives your compliance officer a tool with which to measure future compliance effectiveness. "The whole point of having a compliance plan is to prevent and detect fraud; to make sure you're billing for things you actually did," says Still. "You can't just adopt a policy and put it on the shelf. You need to show proof that you're following the policies set forth in the plan."

Establish practice standards and procedures

You must also be able to demonstrate a strong ethical culture and commitment to compliance through written materials. Once the internal audit identifies risk areas, your practice should develop written standards and procedures that reduce the opportunity for erroneous claims and fraudulent activity, OIG reports. Small practices need not reinvent the wheel, however. They can develop their own material with minimal resources by pulling together the compliance standards and procedures of organizations with which they may be affiliated, including physician practice-management companies, independent practice associations, physician-hospital organizations, management services organizations or third-party billing companies, the government says.

Conduct appropriate training and education

Even the most bullet-proof compliance program, however, won't do the trick if your employees are left in the dark. Staff training should be tailored to your practice's needs, size, and specialty. The first step is determining who needs to be trained in coding and billing, and who needs compliance education, according to OIG. Determine, too, what type of training best suits your practice's needs (seminars, in-service training, self-study programs) and how often education is required to keep your staff up to speed. More specifically, compliance training should clearly communicate the importance of the program, the consequences of violations, and the role of each employee in the operation of the compliance program, OIG guidance suggests.

"Most physicians are not engaged in anything fraudulent, so for them it's really more of a compliance issue," says Saccoccio, noting patient privacy and data security also fall under the purview of an effective medical practice compliance program. "In healthcare these days, it's important that providers have a plan in place to prevent fraud and abuse and protect patient data. They need to ensure their billing is accurate and that their staff is following their compliance plan."

Respond appropriately to detected offenses and develop corrective actions

Physician practices, of course, must also act decisively when incidents of misconduct are reported. OIG guidance notes that the compliance officer should immediately investigate such reports to determine if a violation of law or internal procedure occurred. That may require disciplinary action, the return of any overpayments, a report to the government, or a referral to law enforcement authorities. Practices should develop their own set of warning indicators, as well, to help identify violations early on, according to the OIG guidance. Those might include significant changes in the number or type of claims rejections or reductions, correspondence from the carriers and insurers challenging the medical necessity or validity of claims, illogical patterns or unusual changes in the pattern of code utilization, and high volumes of unusual charge or payment-adjustment transactions.

Develop open lines of communication

Smaller practices, in particular, must encourage all employees to voice suggestions and share concerns with the compliance officer. An informal open-door policy is an easy and effective tool. The OIG notes that a user-friendly process (like e-mail or an anonymous drop box) can encourage staff members to report erroneous or fraudulent conduct. Where anonymity is impossible to provide, however, all staff members should at the very least know whom to turn to for help. Likewise, the compliance officer should communicate regulatory changes with the staff, praise employees who spot overpayments or risk factors, and solicit feedback for operational improvement, says Still.

Enforce disciplinary actions through well-publicized guidelines

Lastly, employees must be made aware of the consequences for non-compliant behavior, which may include warnings, written reprimands, probation, demotion, temporary suspension, termination, and restitution of damages, the OIG suggests.

Your in-house training and procedure manual should clearly outline procedures for enforcing and disciplining individuals who violate the practice's standards, including those who fail to detect or report violations. "You can't just adopt a policy and put it on the shelf," says Still, noting disciplinary procedures should be clearly communicated at staff training workshops and distributed internally in writing. "A practice would need to be sure its employees understand the policies and the actions they would face if they did not comply with the rules and regulations."

Mechanisms should also be in place to ensure violations are consistently and appropriately addressed. Still agrees with the OIG, however, that enforcement policies should be flexible enough to account for any mitigating or aggravating circumstances. That may include errors committed by new or part-time employees who are not yet current on protocol. It may also relate to resources.

"A smaller practice may have a shorter list of policies based on their knowledge of rules and regulations whereas larger practices may have a more detailed understanding of the regulations through internal knowledge or use of an outside adviser," says Still.

Shelly K. Schwartz has covered business, investing, and personal finance for 20 years. A former editor for CNNmoney.com in New York, she now freelances full time. Her work appears regularly on CNBC.com, Bankrate.com, and USA Today.

This article originally appeared in the March 2014 issue of Physicians Practice.