Effective compliance programs continue to gain importance. Across all industries, it is imperative that meaningful compliance programs are in place and that they are regularly assessed to account for new risks and changes in the law. Running afoul of the various regulations applicable to any given organization can subject that organization to criminal and civil liability, as well as hurt the organization’s reputation and cause lasting damage. Health care organizations face some of the greatest potential risks due to the heavy focus on this industry over recent years. The focus on health care fraud is expected to continue. President Trump’s budget blueprint for 2018 seeks a $70 million increase in funding to the Health Care Fraud and Abuse Control (HCFAC) program. The reasoning behind the request is that additional funding for the HCFAC program “has allowed the Centers for Medicare & Medicaid Services in recent years to shift away from a ‘pay-and-chase’ model toward identifying and preventing fraudulent or improper payments from being paid in the first place.” An effective compliance program demonstrates an organization’s commitment to operating lawfully and working with regulatory officials to isolate and end violations.
On March 27, 2017, the Office of Inspector General (the “OIG”) and Department of Health and Human Services (“HHS”) issued guidelines to assist organizations in the development of effective internal compliance programs. The guidelines were amassed from a prior meeting between compliance professionals and staff from HHS and the OIG regarding ways to measure the effectiveness of health care organizations’ compliance programs. The recently released guidelines do not focus on a particular type of health care provider or entity, but rather attempt to provide measurement options applicable to a wide range of health care organizations with diverse size, operational complexity, and resources. Hospitals and health systems, physician practices, long-term care facilities, surgery centers and diagnostic imaging providers, and other ancillary service providers and suppliers can all benefit from the guidance released by OIG and HHS.
While a variety of standards have been suggested by HHS and the OIG, it should be noted that not all of these standards will be appropriate for every organization. Each organization will need to reflect upon its own operational programs and practice needs when developing its compliance program.
The OIG and HHS used the following seven categories from the Health Care Compliance Association’s CHC Candidate Handbook: Detailed Content Outline as guideposts and provided factors to consider for each category thereunder:
- Standards, Policies, and Procedures;
- Compliance Program Administration;
- Screening and Evaluation of Employees, Physicians, Vendors and other Agents;
- Communication, Education, and Training on Compliance Issues;
- Monitoring, Auditing, and Internal Reporting Systems;
- Discipline for Non‐Compliance; and
- Investigations and Remedial Measures.
For each category, several items that an organization should consider when developing its compliance plans have been summarized. This summary is not a comprehensive list; it is only intended to highlight some of the areas of focus within each category.
Standards, Policies, and Procedures
An organization should periodically review its policies and procedures with the appropriate individuals to ensure (i) policies and procedures are up-to-date with the most recent regulations, and (ii) the review of such policies and procedures is conducted in a consistent manner. It should retain all documentation of such reviews, including the names and titles of those who approved each policy and the date of the approval. Similarly, it is recommended that an organization centralize the location of its policies and procedures to ensure all employees within the organization are referring to the correct and most recent versions.
Compliance Program Administration
In maintaining a compliance program, an organization should examine the effectiveness of its program from top to bottom. Therefore, the organization should review meeting minutes of the board to ensure the organization is following its own compliance policies in connection with training and reporting requirements. Furthermore, it should conduct audits to determine employees’ perception and level of understanding of the compliance program. From the organization’s board of directors to its lowest level employees, all individuals involved in the organization should be aware of the compliance program and their role in upholding its principles.
Screening and Evaluation of Employees, Physicians, Vendors and other Agents
This category is suggested to ensure that the pre-employment screening, conflicts of interest, vendor screening, exclusion screening and exit interviews are appropriately administered and documentation is maintained for the appropriate time frame. In doing so, it is suggested that an organization ensure that the employees who conduct these screenings are aware of the purpose of the screening and how to respond to or escalate the information in the event of a negative result. It is also recommended that regular audits are conducted on the results to ensure adherence to internal procedures.
Communication, Education, and Training on Compliance Issues
An organization should ensure that its employees are undergoing compliance training regularly. Additionally, especially in health care, it is important to recognize those individuals in high-risk positions and implement special training specifically related to those positions. Training materials and programs should be reviewed periodically to ensure that the program covers all required laws. An organization should consider conducting follow-up tests and audits of its compliance hotline to determine if there is any change in use after such training.
Monitoring, Auditing, and Internal Reporting Systems
An organization should ensure that its internal monitoring and reporting systems are effective and functioning as intended. Specifically, it should review its files for an enterprise-wide risk assessment and address any risks identified. Additionally, certain reporting systems should be accessible to the workforce and employees should be aware of the name and contact information for the individual in charge of reporting incidents. Documentation of any reports should include reporting dates, responding dates, and the dates incidents were closed. Specifically, as it relates to the Centers for Medicare & Medicaid Services 60-day overpayment rule, an organization should ensure that an incident tracker is in place and that such overpayments do not exceed the timeframe permitted by the rule.
Discipline for Non‐Compliance
When disciplining employees, it is important to apply such actions fairly and consistently across the organization. Along with this, it is recommended that the organization provide transparent information related to disciplinary actions to create a culture of openness and fairness. It is also recommended to audit disciplinary files to determine whether the documentation supports the actions taken.
Investigations and Remedial Measures
For this category, an organization should confirm that it has the correct guidelines in place to enable individuals to conduct high-quality investigations and properly document and maintain investigation findings. It is recommended that an organization review investigation files to ensure investigations are appropriately managed and reported to the correct leaders within the organization. For investigations to be successful and effective, it is essential that employees do not fear retaliation. It is recommended that the organization survey current employees and conduct exit interviews of former employees to determine if they feared retaliation and to conduct audits to determine if retaliation occurred. After the conclusion of an investigation, it is expected that a root cause is identified and remedial actions are taken.
A link to the HHS/OIG guide can be found here: https://oig.hhs.gov/compliance/101/files/HCCA-OIG-Resource-Guide.pdf. While the OIG’s guidance is not mandatory for developing an effective compliance program, the OIG’s recommendations will likely be viewed by many in the industry as a type of benchmark when evaluating an organization’s compliance program. Compliance program evaluation is typical during the course of conducting transactional or corporate due diligence and is critical when an organization is audited as part of a fraud and abuse or other reimbursement or regulatory compliance investigation.