Protect Your Practice With a Medicare and Medicaid Compliance Program

Implementing a formal plan can help prevent fraud and reduce the likelihood of significant penalties, but remember that one size fits one.

Ana-Maria McKessy, JD, and Robert J. Saner II, JD

Covered in FPM Quiz

In today's volatile climate of health care regulatory enforcement, even small practices need some form of compliance plan to help them avoid trouble with the government and to mitigate the damage if trouble occurs. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) gave the Department of Health and Human Services' Office of Inspector General (OIG) and the U.S. Department of Justice (DOJ) more funding for investigating health care fraud. The OIG has hired more investigators and opened new offices across the country, and the DOJ has assigned more FBI agents to its enforcement effort. At the same time, HIPAA significantly increased the penalties for health care fraud (see "Avoiding Fraud and Abuse in Medicare Claims: What FPs Need to Know," September 1997, page 72).

For those who are targeted, the outcomes of this fight against fraud can include civil fines, criminal penalties and exclusion from Medicare and Medicaid. And although the government originally focused on large health care organizations, it has now begun to take a closer look at physician practices. For example, HCFA announced in early June that it will pay rewards of up to $1,000 to Medicare beneficiaries who, in the words of HCFA Administrator Nancy-Ann Min DeParle, report "health care scams and unscrupulous providers" to the government.

Recently, HCFA has tried to ease physicians' fears that coding and documentation errors could land them in jail. In an April letter to AMA President Percy Wootton, MD, DeParle wrote that doctors "will not be punished for honest mistakes and we [HCFA] will not make referrals to the Office of the Inspector General for occasional errors." And HCFA has delayed implementation of the much-criticized 1997 documentation guidelines for evaluation and management (E/M) services so that they may be revised again. (See "Changes Proposed for the E/M Documentation Guidelines," June 1998, page 14.)

Despite the government's reassurances, physicians remain wary -- and rightly so. After all, the government will be the judge of what's an "honest mistake" and what's fraud. Additionally, coding and documentation represent only one component of the compliance picture. The government's crackdown also includes physician self-referrals, kickbacks and fraudulent billing practices.

What is a compliance program?

In this enforcement environment, you should consider implementing a health care compliance program -- a series of internal controls and measures to ensure that you're following federal, state and local statutes and regulations governing the federally funded health care programs. A compliance program may include these components:

• Legal reviews of contracts and operating procedures,
• Directives and training for employees,
• Monitoring and auditing mechanisms,
• Procedures for reporting violations of your plan or of government regulations.

Implementing a compliance program can help a practice prevent misconduct, and it can help detect and contain misconduct that does occur before it snowballs into a bigger problem -- such as an OIG investigation. Implementing a compliance program also can reduce the likelihood that a discontented employee will file a whistle-blower lawsuit because compliance programs include mechanisms for employees to report problems internally. Moreover, having a compliance program in place is a factor in your favor if the government does target your practice. Your documented efforts to follow the law may help you avoid criminal prosecution and exclusion from the federal health care programs, and they provide an argument for lighter fines and penalties if you do make a mistake.

Do I need a compliance program?

Despite the potential benefits of compliance plans, the government doesn't require that practices or health care organizations develop them, and some practices may decide that a formal program isn't necessary. Here are some questions to ask yourself as you make that decision:

• Does the nature of the practice justify developing a compliance plan? If you see few patients insured by federal health care programs and have few contractual relationships with other providers or ancillary centers, developing an extensive compliance plan may not be a good use of your resources. You may simply need to document your existing controls.
• Do the practice's policies or compensation systems encourage aggressive coding and billing?
• Does the practice already have a firm commitment to practicing within the law, and does it have effective internal controls to ensure compliance with federal and state regulatory requirements?
• Is the practice part of a larger organization (such as an IPA or practice-management entity) that is implementing a compliance program for all its practices?

Even if your practice doesn't need a full-scale compliance plan, you may at least want to implement some internal controls, train your staff to follow them and document your effort. In addition to helping you avoid criminal action and civil monetary penalties, compliance programs can be quality assurance tools that promote consistency, efficiency and accountability -- regardless of whether the "organization" is a large multispecialty group or a two-doctor family practice.

The adaptability of compliance programs is key. Just as the compliance needs of physician practices differ from those of hospitals or health systems, each practice's compliance effort must be individually tailored. At a minimum, you should identify areas of weakness, formalize existing practices and provide written documentation of your commitment to comply with the law (for a summary of an effective compliance effort, see "A compliance program overview"). A simple program like this, focusing on only a few key issues, may be all you need.

What should my plan target?

As you focus your compliance initiative, remember the focus of the government's enforcement efforts. Your plan probably should cover these areas:

• Violations of the federal Stark II law (or similar state laws), which prohibits physicians from making referrals for Medicare- or Medicaid-covered designated health services to any entity in which the physician or an immediate family member has a financial interest;
• Violations of federal and state anti-kickback laws, which prohibit giving or receiving anything of value in return for referring patients for items or services that are paid for by federally funded health care programs;
• Billing for unnecessary services;
• Upcoding, especially for E/M services;
• Duplicate billing.
• priorities on the OIG's enforcement agenda include these areas:
• Noncompliance with the "incident to" rule, which relates to the level of supervision required for services by midlevel providers incident to a physician's care;
• Improper certification of medical necessity for durable medical equipment;
• Illegitimate arrangements with billing services;
• Resubmission of unpaid claims;
• Violations of the prohibition against reassignment of physician billing numbers;
• Use of existing physician billing numbers for new doctors waiting to receive their own numbers;
• Failure to refund overpayments.

The scope of your program will depend on the nature of your practice and the degree to which these problems arise in it. Although some practices have chosen to expand their compliance efforts beyond Medicare and Medicaid requirements -- into areas such as sexual harassment, wage and hour requirements, and antitrust liability -- it's best to focus on the rules for federal health care programs separately. The government clearly is targeting misconduct involving these programs. Since that's the government's priority, it should be your priority, too.

Identifying specific problems

The best way to find problem areas in your practice is to conduct a legal audit. In addition to a traditional audit of claims, this audit includes a legal review of contractual relationships and operating procedures. The purpose is to identify all material issues that affect your compliance with the regulations for government health care programs. Although no audit is guaranteed to find every problem, a legal audit will at least give you a realistic snapshot of how well you've been abiding by the law. It will also keep you from wasting time and money on issues that are irrelevant to your practice.

Before conducting your review, take some preliminary steps. First, decide whether you need outside help. Attorneys can review written policies and procedures as well as contracts with vendors and potential patient referral relationships. Assistance from a lawyer can also give you some protection, under attorney-client privilege, from having to release potentially damaging evidence in an investigation. (Evidence you uncover yourself generally isn't protected by other privileges.) Consultants specializing in documentation and coding can help you review your claims and ensure that your documentation supports medical necessity. Of course, you may choose to use your own staff for these tasks, assuming that they're well-qualified and can devote the necessary time.

Box A

A compliance program overview Developing a system for complying with Medicare and Medicaid regulations may seem as daunting as the regulations themselves. To illustrate the big picture more clearly, here's an overview of the process. Learn the government's enforcement priorities and make them your compliance priorities; Conduct a legal audit of your claims, contracts, investments, referral arrangements and marketing practices; Appoint high-level personnel to lead your compliance effort; Develop written standards for complying with the law, and revise your existing policies and procedures as necessary; Train physicians and staff in how to follow your standards, policies and procedures; Conduct ongoing monitoring of your operations (such as your billing, referrals and marketing practices); Conduct background checks on physicians and other clinical and administrative staff, and verify information that job applicants provide; Set up procedures for staff to report suspicious conduct; Establish disciplinary standards for violations of policies and procedures, and enforce those standards; Modify policies and procedures as necessary when you discover misconduct.

Next, decide whether you need an extensive or limited review. If your practice is well-managed and if your coding and billing practices are extremely conservative, a limited review may be enough. But if you haven't been giving sufficient attention to compliance, you may need a more extensive legal audit. If you deliberately choose not to address certain areas because of limited resources, document which areas you aren't addressing and explain exactly why you aren't addressing them (i.e., lack of staff, time or money, or other constraints). Also, prepare a written statement that you haven't found any evidence of noncompliance in these areas.

Conducting the legal audit

Your audit should include a review of your claims and documentation. Pull a random sample of your claims to reflect the nature of your practice. Work with your staff to review as many claims and their supporting documentation as you think are necessary to give you a realistic picture of your compliance profile.

You may want to focus the review on specific concerns. For example, if you're worried about complying with the E/M documentation guidelines (either version), include in your audit sample a large number of records for E/M services, and ensure that they include the E/M codes that the physicians in your practice use most frequently. If your concern is compliance with the "incident to" rule, you may want to interview the physicians, nurses or other staff who had input into the medical record, asking them what services were provided, who provided them and how much supervision was involved.

Retrospective claims audits are the best way to see how you've been managing your documentation, coding and billing -- but they also raise the issue of returning overpayments. Failure to return an overpayment may be interpreted as an attempt to conceal it, which is a crime. Your practice may also be vulnerable to substantial penalties if you uncover outright fraud and don't correct it, or even if you willfully ignore uncorrected problems that otherwise might be considered one-time mistakes. You may need to seek help with these issues from legal counsel.

Your audit should also include a review of your legal contracts for compliance with the Stark and anti-kickback laws, as well as any relevant state laws. You may have little choice but to consult a lawyer for help with this. Review all your physicians' contracts that have any relation to providing medical care through the practice, including these:

• All agreements involving the provision of space and equipment;
• All employment agreements and contracts between physicians and officers, directors and other key employees of the practice;
• Contracts with hospitals, pain centers, laboratories and other ancillary-service providers,
• Contracts with independent contractors, suppliers and other providers of professional services;
• Contracts with practice-management consultants and billing companies;
• Written referral arrangements with other practices.

As part of your contract review, make sure that your arrangements for reassigning benefits don't violate Medicare regulations, which provide that, unless an exception applies, Medicare may not pay amounts due a provider to any other person under assignment, power of attorney or other direct payment arrangement. A billing agent may receive Medicare payments on behalf of a physician as long as the agent doesn't convert the payments to the agent's own control before passing the payments on to the physician (and if other requirements are met). So if you've reassigned to a billing agent your right to collect Medicare payments, be sure the payments are being sent to the agent merely for bookkeeping purposes and are being directly forwarded to the practice's bank account for deposit.

Further, you should review a list of other entities in which the practice owners have an ownership or investment interest as well as a list of all people related to those entities whom the practice employs or contracts with. Be sure your review includes oral agreements and agreements in the form of correspondence, and consider whether they should be formalized.

Another issue is whether to waive co-payments and deductibles for Medicare and Medicaid beneficiaries, otherwise knows as "insurance-only billing." This could be interpreted as illegal patient solicitation unless there is documented evidence that the beneficiaries are indigent and can't afford to pay the co-payments and deductibles. If the patients aren't indigent, the practice may be subject to a civil monetary penalty. Professional-courtesy waivers (waiving co-payments or deductibles for other physicians in the practice and their families) may also violate federal law. To avoid this problem, consider establishing a system that waives these payments for other physicians and their families in exchange for their volunteering time to the practice.

Finally, review your marketing practices, including discounts you offer. Some marketing gimmicks (such as providing child-safety devices and transportation to preventive health care services) are permissible, but others (such as providing health-club memberships, nonprescription vitamins and beauty aids) may not be. The difference, according to a proposed regulation from the OIG, is that any nominal incentives given to beneficiaries must be for preventive care as opposed to the promotion of general health and well-being. Obviously, this is a very fine line.

Developing the compliance program

Your legal audit will reveal where you should focus your compliance efforts. Once you know your risk areas, you're ready to begin developing a program to manage them.

One of the traits most compliance plans share is their foundation: the U.S. Federal Sentencing Guidelines for Organizations. The guidelines stipulate certain components that a corporate entity (which could include a personal corporation) should have in its regulatory compliance program to qualify for a mitigated criminal sentence in the event of prosecution. The significance of these elements is that the OIG has adopted them as necessary components of an effective compliance plan. In a nutshell, a practice's compliance program should be led by decision makers at the highest level and should include written standards of conduct, education and training for all physicians and staff, ongoing monitoring and auditing of the practice's operations, background checks of physicians and staff, a system for reporting suspicious conduct, consistent enforcement, and changes to internal policies and procedures when offenses are discovered.

Additionally, the OIG has indicated that having a compliance plan on paper isn't enough. The program must be designed, implemented and enforced in a way that will detect and prevent criminal conduct. A paper program won't offer your practice any protection if you're investigated.

Of course, the sentencing guidelines provide only the outline of a good compliance plan. Here are some concrete suggestions for developing and implementing one in your practice. (Keep in mind that, depending on the size of your practice and the significance of the problems your legal audit reveals, you may want to bring in an attorney to help you design your compliance program.)

High-level decision makers.
Your program should be led by a compliance officer (and perhaps by a compliance committee, in a group of 10 or more doctors). In a small practice, the compliance officer may be one of the physicians or the practice administrator, assuming that the administrator is empowered to bring about change. If your practice is large, you may want to hire someone for the job. Whoever takes this responsibility must be well-qualified and must have access to top management -- or be top management. This will give the program credibility and help ensure that needed changes will actually be made.

The primary functions of the compliance officer or committee are to oversee the legal audit and implement the requirements of the sentencing guidelines, including serving as the contact point for reports of suspicious behavior and questions about internal policies and procedures. The compliance officer or committee also must keep abreast of changes in CPT codes, directives from carriers and other relevant rules and regulations.

Written standards of conduct.
You should develop written standards stating explicitly that the practice is committed to operating ethically and that instituting the program reflects the integrity of the people involved in it. Also, assess and modify your policies and procedures to ensure that they reflect the practice's commitment to comply with the law. For example, you might need to implement a procedure for labeling resubmitted claims as such to avoid the appearance of seeking double reimbursement for the same service.

Education and training.
Communicate your practice's policies and procedures clearly to all physicians and staff, as well as to independent contractors whose services are billed under the practice's provider number. Use newsletters, E-mail or monthly meetings to alert everyone to changes in your policies or procedures.

Training in how to follow the law should be ongoing and tailored to the needs of the physicians, midlevel providers and support staff. Training programs can take a variety of forms, such as seminars and video presentations. You can also administer questionnaires to assess how well the staff understand the material. Be creative in designing your training, and be sure to make it easy to understand. Give plenty of examples of noncompliant behavior. For example, training for the billing staff might include a discussion of how submitting claims based on codes that don't reflect the services actually provided violates the compliance plan and may violate the law.

In addition, maintain lists of those who have attended training sessions, and keep copies of all your training materials. If you're investigated, you'll need to be able to show what staff members were taught and prove that they actually attended training.

Box B

For more information Just as Medicare compliance is an issue physicians are just beginning to grapple with, resources to help physicians with compliance are just beginning to become widely available. The Medical Group Management Association (MGMA) offers several compliance-related products, including Compliance Programs for the Small Group Practice (a 33-page booklet developed in collaboration with the authors' law firm), an employee educational program, and packets of research and survey information on compliance in physician practices. More information is available from the MGMA's web site (http://www.mgma.com) or by calling 888-608-5602. MGMA and Opus Communications also publish a monthly physician compliance newsletter, Physician Practice Compliance Report. For more information, visit the Opus web site (http://www.hcpro.com/onlinepubs/) or call 800-650-6787.

Monitoring and auditing.
The work you began in your legal audit should be continued in your compliance initiative. Ongoing monitoring and auditing of your operations -- such as billing practices, referral arrangements, marketing practices and use of proper provider numbers -- will help you pinpoint weaknesses and develop additional training. You may want to bring in consultants to help conduct these reviews, or you can use a well-qualified member of your own staff.

Employee interviews are a particularly useful way to monitor your practice's everyday operations -- its paper flow, billing practices and accounting procedures. Interviews help you identify problems that aren't reflected in documents or records, and they can be useful tools for ferreting out unethical or illegal activity. Simply ask your employees how they go about doing their jobs and whether they've witnessed any inappropriate or unethical behavior. An interviewer who knows how the practice is supposed to operate can learn volumes from the staff's responses.

Background checks and employment.
Institute a policy for conducting background checks to determine whether providers or office staff have been convicted of health care crimes or crimes against the federal health care programs, or have been excluded from those programs. Ensure that employment applications ask about past illegal activity, and verify the information that applicants provide. At least one part of this process is relatively easy -- and free: You can find the OIG's report of sanctioned providers on the Web at http://www.oig.hhs.gov.

Abiding by the compliance program should be a condition of employment for all staff, and your employee handbook should state this clearly. Following the compliance plan should be part of employee evaluations, particularly for management and supervisory staff. Contractual arrangements also should be conditioned on an agreement to follow the practice's compliance initiative.

Reporting suspicious conduct.
Set up a system for employees to report potential wrongdoing directly to the compliance officer, without having to go through the chain of command. This can be as simple as setting up a post-office box for anonymous reports or instituting an open-door policy for reporting possible misconduct to the compliance officer. The practice must clearly communicate its commitment to this process. Staff must know that those in charge want them to come forward and won't penalize them for doing so. It's also important to encourage staff to seek guidance if they're unsure about whether they're following your policies and procedures correctly or if they need additional training.

Enforcement.
Compliance programs must have teeth; otherwise staff have little incentive to comply with your policies and procedures, and the plan loses its value as a hedge against tough sanctions if you're investigated. So develop disciplinary standards for noncompliance. Penalties ranging from formal reprimands to termination should be tailored to offenses. For example, if physicians fail to document patient encounters appropriately or provide improper codes, you might consider penalizing them with monetary fines or reductions in their annual bonus payments. All disciplinary standards should be stated clearly in your employee manual.

Responding to problems.
If your program does uncover operational problems or employee misconduct, you need to modify your policies and procedures or take disciplinary actions. If you find that your practice has been improperly overpaid by government contractors, you must return the overpayments. If you find violations of the law, investigate them promptly. Depending on the nature and severity of the problems you uncover, you may be well-advised to report voluntarily what you find to the OIG. But it's critical that you seek legal counsel first.

Finally, you need to write descriptions of the components of your compliance program and keep a notebook of all relevant documentation (although materials protected by attorney-client privilege should be filed separately). This notebook should contain these materials:

• The standards of conduct for the practice's physicians and employees,
• A description of your legal audit's methodology and a statement that uncovered problems were rectified (going into more detail might cost you the protection of attorney-client privilege),
• A description of the legal concerns covered by the plan,
• A description of the compliance officer's role,
• Any changes you make in your policies and procedures,
• A summary of your education and training efforts,
• A description of your internal reporting system,
• Your plans for ongoing monitoring and enforcement,
• Descriptions of any other steps to correct inappropriate actions.

It doesn't have to be complex

Even a family practice with limited resources for Medicare and Medicaid compliance can benefit from a minimal plan that focuses on a few key areas that matter most to the government. Of course, the cost of implementing your plan will vary based on the size and nature of your practice, the scope of your program, how much compliance work you can assign to your existing staff, and what policies and procedures you already have in place to monitor how well you're following federal and state regulations.

But keep in mind that if you skimp on your compliance initiative, you may pay for it later if you fail to address a regulatory area that becomes the focus of a government investigation. With a little thought and planning, you can develop a narrowly defined compliance program tailored to meet the needs and concerns of your practice. The keys are knowing your weaknesses and the government's priorities.

Authors' note: This article should not be considered legal advice or guidance related to particular issues or situations. If you have specific questions or circumstances that require such advice, contact an attorney.

Ana-Maria McKessy is an associate with Powers, Pyles, Sutter & Verville, PC, in Washington, DC. She specializes in health care fraud and abuse counseling and previously worked for the Department of Health and Human Services' Office of Inspector General.

Robert J. Saner II is a partner in Powers, Pyles, Sutter & Verville, PC, specializing in health care law, legislation and regulation.

---

Copyright © 1998 by the American Academy of Family Physicians.
This content is owned by the AAFP. A person viewing it online may make one printout of the material and may use that printout only for his or her personal, non-commercial reference. This material may not otherwise be downloaded, copied, printed, stored, transmitted or reproduced in any medium, whether now known or later invented, except as authorized in writing by the AAFP.