Many practices have a compliance plan. Some have sat on a shelf gathering dust for many years. If you have one, think you have one, or are unsure if you have one, continue reading. Your compliance plan could be your best friend … or your worst enemy.
Compliance plans — a very short history
Nearly a decade ago, long before ACO, meaningful use, and PQRS became commonplace terms, HIPAA was a prevalent acronym in medical practices. Practices spent countless hours creating HIPAA privacy manuals. We then spent countless hours training our staffs, educating our patients, and worrying what "Big Brother" would do if we committed a privacy violation.
During this same period, the Office of the Inspector General urged practices to create compliance plans that spelled out what steps they were taking to protect PHI (protected health information) and to monitor internal coding, documentation, and billing practices. Most of these plans included the creation of two or more committees charged with monitoring, education, and reporting responsibilities. In the event a practice or one of its committees found discrepancies, the compliance plan dictated what steps the practice would take. These steps included reporting violations to the government.
We were ready for the inevitable, but nothing happened. Other than a few cases making the evening news, privacy breaches were very rare. Medicare coding audits were just as rare and resulted in little more than a wrist slap and compulsory online coding education for the offender. In many mid-size and smaller practices, the compliance plan committees ceased to meet or function as new priorities arose. Compliance plans gathered dust, but government oversight gathered momentum.
This generation's acronyms — RACs, MICs, and ZPICs — are the new sheriffs in town. Unlike their predecessors, they have teeth and have found medical practices to be quite lucrative targets; as I have noted before, the federal government makes an ROI of $7.20 for every dollar it invests in detection and enforcement of fraud, waste, and abuse. Targets include privacy, coding and documentation, and billing — yes, new iterations of yesteryear's compliance plans. If your practice has ignored its own compliance plan directives, that plan could be your enemy. Many healthcare law gurus feel that not following your compliance plan is worse than having no compliance plan at all. Here are a few steps your practice can take if you have not been following the guidelines you set.
1. Find it. Most likely, your compliance plan is in a binder on a shelf in the administrator's office or the billing office.
2. Review it. Before taking any action, review your plan to understand how your practice has been functioning relative to the directives in your plan.
• Have the committees met as frequently as delineated?
• Are their findings and actions documented?
• Are committee members listed who have not been with the practice for years? This is an area where I have tripped up in years past, forgetting to ensure that committee memberships were updated in our plan. Better yet, use job titles instead of names.
• Is all employee privacy and compliance training documented? All new employees should go through HIPAA privacy/security training, at a minimum.
• Is all employee privacy and compliance retraining documented? Every compliance plan I have ever reviewed calls for ongoing annual education.
• Have the efforts of these committees been reported to your governing board?
• Have clinical staff received requisite OSHA training if it is prescribed in your plan?
• Are HIPAA Business Associate agreements current? A Business Associate Agreement should be in place with every vendor that has access to patient information.
3. Sync it. Your review will identify areas where your practice is doing just what the plan says it should be doing and documenting these activities.
4. GAP it. Your review will identify the gaps between what you are doing and what your plan says you should be doing.
5. Don't fake it. If you find discrepancies, do not make up documentation for activities that never occurred. The shortest path between medical practice and criminal court is a cover-up.
6. Fix it. Update your compliance plan. If what was promised in your plan is overly optimistic and cannot be accomplished realistically, scale it down. Set fair standards of performance and follow them. Do not overpromise and under-deliver.
Compliance plans are not required. However, a properly utilized compliance plan demonstrates that a practice has made reasonable efforts to avoid and detect potential fraud, waste, and/or abuse. If misbehavior is discovered in an audit of some facet of your practice, both the OIG and the Department of Justice will take the plan's existence and proper use as a mitigating factor in determining penalties and sanctions. It can be a real best friend.
Lucien W. Roberts, III, MHA, FACMPE, is vice president of Pulse Systems, Inc., and a former practice administrator. For the past 20 years, he has worked in and consulted with physician practices in areas such as compliance, physician compensation, negotiations, strategic planning, and billing/collections. He can be reached at [email protected].