Risk and Compliance in Healthcare Organizations: The Department of Justice’s 2020 Guidance on Corporate Compliance Programs

The Department of Justice has just issued updated Guidance on the evaluation of corporate compliance programs. This document is the latest in a series of Guidance documents (prior versions were issued in 2017 and 2019) issued by the DOJ to assist prosecutors who are investigating potential criminal acts in business organizations. What implications does this have for healthcare compliance?

When it comes to healthcare organizations, the DOJ will typically defer to the agencies with specific healthcare responsibility, such as the Centers for Medicare & Medicaid Services (CMS) and the Department of Health and Human Services (HHS). However, the DOJ guidelines are often relied upon as a “best practice” for developing a corporate compliance program, including a healthcare compliance program. The DOJ is also likely to incorporate healthcare-specific guidelines (such as the Seven Elements of an Effective Compliance Program) along with its own Guidance documents, rather than defer entirely to another agency.

DOJ Guidance Documents Explained

Generally speaking, the DOJ issues these guidance documents in an effort to show transparency to both organizations and attorneys. The intent is essentially prophylactic — that is, here’s what we’re going to be looking for, so make sure that you’re following this; and if you aren’t, you can’t be surprised that we’re asking.

This guidance document is slightly unusual in terms of its strength and scope. It provides all federal prosecutors with a strong mandate to assess and evaluate all aspects of a compliance program, regardless of the industry or nature of the putative misconduct. In other words, as part of a broader criminal investigation, the DOJ will review a compliance program, and use this document to guide their investigation into whether that program was at a sufficiently high standard — or not.

There are three overall questions on which this Guidance is built, along with a number of more specific inquiries to guide prosecutors in determining what, if any, consequences should be applied to the organization. These could include prosecution, monetary penalties, and additional compliance obligations (such as reporting).

Question 1: Is the compliance program well-designed?

The Guidance makes specific reference to a formal risk assessment and resource allocation process. This not only means that a compliance program must start with a risk assessment, but risk assessments must be reviewed and updated periodically, and updates must be made to policies, procedures and controls as necessary, throughout the organization.

The Guidance spins out a number of other specific requirements as well, such as training and communication, and reporting and internal investigations. The punchline, though, is that everything comes out of the risk assessment. Every process and procedure that makes up the compliance program must be aligned with the risks identified by the ongoing risk assessment process.

This means that, at a bare minimum, it is essential that a good compliance program have a strong risk assessment behind it. That assessment must be revisited at regular intervals, and changes in internal controls will need to be regularly made.

Question 2: Is the program effectively implemented?

The DOJ is distinguishing here between what we could call a “real” program, as compared to a “paper” program. In other words, are there appropriate resources to make the program function the way it was designed? Does senior management buy in to the program, and endorse it at a cultural level throughout the organization?

While a risk assessment is where a compliance program begins, the Guidance makes clear that it is in ongoing management and implementation that a compliance program comes to life. Without significant time and resources invested to build the compliance program into the way the organization functions, the program is not going to be sufficient, and the organization will vulnerable to potential penalties.

Question 3: Does the program actually work?

This backward-looking question is intended to assess whether the program was well-designed and well-implemented for the particular organization within which it operates. That is, if misconduct has occurred, was this because the program wasn’t the right program for this organization? Or was the program functioning well, and the misconduct resulted from something else? (DOJ acknowledges that no compliance program will ever prevent every incident of misconduct.)

What DOJ is ultimately looking for here is whether the program changes over time, in response to changes in the organization. If there is misconduct, is it investigated? Are opportunities identified for improving the compliance program to prevent the misconduct in future? Have these remediation efforts actually been implemented? And so on.

Best Practices

Overall, the DOJ has provided a set of clear guidelines that should be used to not only develop new compliance programs, but assess existing ones. Programs which do not live up to the DOJ’s requirements on risk assessments, program implementation, and continuous improvement are more likely to be found to be inadequate. And an inadequate compliance program leaves a healthcare organization at risk.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Learn More

LTCs Could Use Some Compliance TLC This Year

You can’t say they didn’t warn us.

For almost four years, since November 2016, the LTC Final Rule for qualifying to receive Medicare and Medicaid payments has been looming like a little dark cloud on the horizon, getting bigger and closer each year.

Now, a streamlined version of the HHS Office of Inspector General’s (OIG) recommendations and guidance have become mandatory. And the Centers for Medicare & Medicaid Services (CMS) is tasked with enforcing them. In full.

To begin with, you’ll need to have a fully detailed, written compliance and ethics program for increasing quality of care and preventing “criminal, civil, and administrative violations” and abuses. Since the OIG recommendations, which you’re familiar with, already cover such programs, that shouldn’t be a huge problem.

You’ll also need to designate your CEO, a board member, an operating division head, or, for smaller LTC facilities, a compliance officer, to be in charge of implementing every aspect of the program. Again, determining which “high-level personnel” to designate shouldn’t be a huge problem either.

Then, you’ll need to actually implement the program and document compliance.

That’s the hard part.

The program will have to include everything from pre-employment screening to person-centered care, special diets, crime and abuse prevention, and a compliance hotline that preserves whistleblowers’ anonymity and prevents retribution.

What’s more, you’ll need to break the program into specific steps and train not only each member of your full- and part-time staff, but also your contractors in the parts of the program that affect their duties.

And then you’ll need to track, audit and report on compliance, every step of the way. Are your current procedures up to the task? Is your IT?

That’s where the TLC comes in.

What if someone could monitor regulatory changes for you, and translate them from legalese into clear business requirements in everyday English?

What if they could give you policies and procedures that comply with the regulations, but that you can tailor to your own facility?

If they could tell you exactly which policies and procedures to follow, which tasks to perform, how, and by whom in your organization, and generate reports on each step towards compliance?

If they gave you the capability to track, audit and report on every step of the compliance process, at any time, with just a few mouse clicks?

Could your LTC use that kind of TLC? If so, click here to learn more.

5 Payer Audit Errors Every Hospital Must Avoid

5 payer audit errors

Revised September 2022

Most healthcare providers, from large hospitals to solo practitioners, experience an external audit at some point. The scrutiny can unveil errors and violations, which can lead to hefty penalties. 

The key to surviving an external audit, with the least amount of frustration, is to avoid these five common mistakes. 

1. Late Responses

Your deadline to submit relevant documentation begins upon receiving that external audit request. 

External audits may be requested by a commercial health insurance payer, or government agencies such as the Centers for Medicare and Medicaid Services (CMS) or Office for Civil Rights (OCR). While the origin of the audit request doesn’t matter, a timely response is essential. 

Take all deadlines seriously. If an extension is needed, ask for one, immediately. Missing deadlines can result in hefty fines and penalties. 

2. The Wrong Documentation

A common trigger for payer audits is improper or lack of necessary documentation.  As a healthcare practitioner, you must prove the medical necessity of each test or procedure used to diagnose and treat your patients. 

Here’s the tricky part. Sometimes payers and providers disagree on what tests or procedures are medically necessary.  Additionally, medically necessary guidelines change frequently. CMS provides local coverage determinations (LCDs) and national coverage determinations (NCDs) to help with your documentation. Be sure you are aware of changes to these coverage determinations.  

The best way to mitigate this problem is to educate your staff on what services the payer considers medically necessary, and what documentation is required to establish medical necessity. 

 Additionally, clearly document the need for a particular procedure to treat or diagnose a patient. Finally, when required, ensure that authorization is received from the payer before rendering services. 

3. Billing the Wrong Codes

Incorrect billing and coding practices can raise suspicion of fraud, failed claims, or delayed reimbursement, and — you guessed it — external payer audits. Providers and patients overpay a whopping $68 billion annually due to incorrect billing. 

 Coding systems developed by the American Medical Association and the Centers for Medicare and Medicaid are designed to streamline the billing process. Every medical procedure and service from ambulance rides to chemotherapy drugs to doctor visits are contained within coding systems such as the ICD-10, CPT, and HCPCS. 

Studies show 80 percent of medical bills in the U.S. contain errors. This percentage can decrease by ensuring appropriate staff stay current with billing and coding updates and communicate those changes to the right clinical and administrative staff to avoid old and outdated codes. 

4. No Self-Audit

One way to prepare for payer audits is to perform regular self-audits within your facility.  Internal audits are great for identifying and eliminating weak spots that can potentially lead to headaches down the road, like rejected claims and costly compliance failures. 

 One drawback is the strain on precious resources like time and personnel. You can get around this problem by hiring a third-party audit service. Make sure you have HIPAA-compliant Business Associate Agreements (BAA) so that you’re allowed to share your patient health information with third parties providing auditing services.  

 Another option is to use software provides 24/7 access to survey compliance data. Ideally, this software will provide automatic tracking of all documentation and decisions involved in the process of running your organization. 

 This ensures that compliance professionals can get immediate reporting on how well their team is doing, conducting audits more efficiently and effectively. It’s a time and cost-effective solution to hiring an outside third-party provider. 

5. No Legal Help

Having a healthcare attorney in your corner can mean the difference between a smooth audit experience and an audit nightmare. 

Here’s how a healthcare legal team can benefit your health practice: 

  • Work intimately with your staff to analyze any risky billing procedures. 
  • Challenge any demands from payers for overpayment. 
  • Challenge any allegations of fraudulent billing practices. 
  • Push back on any denied claims and the overuse of service claims. 

 Again, software is a useful tool to support your attorney’s work. A system that stores all compliance information, including payment practices, and has search capability will provide your legal team with the information they need to fight payer audit discrepancies when the time arrives. 

 External payer audits don’t have to be a nightmare. By being adequately prepared and vigilant, your next audit experience can be more streamlined and less stress-inducing. 

Learn More About YouCompli

The best way to prepare for a payer audit is to carefully manage changes to regulatory changes and coverage determinations. YouCompli can help you establish a scalable, repeatable process so you don’t miss a relevant change and you can equip your clinical colleagues to respond to the change. Then, when the audit does happen, you’ll have an easy way to demonstrate your work to comply with the requirements. Find out more. 

Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.

Never Miss an Article on Healthcare Compliance

Get a 15-minute strategic overview of YouCompli

Can’t Have The 7 Elements Without This!

 

While not named by the OIG as one of the “7 elements of an Effective Compliance Program” the ability to manage regulations directly affects 5 of the 7 actual elements (the 5 affected are listed at the bottom of this post).

So, you need to manage regulations effectively to have an effective compliance program.

When regulations change you (and many of your colleagues) need answers to one, two or all three of these questions.

  1. Are we aware of all the new regs that might apply to us?
  2. For the ones that do, what needs to be done to comply?
  3. Did we do it?

To make this work easier and give you the ability to manage it, we suggest relying on a methodology to perform this work.  When we created our software, we developed Regulatory Compliance Lifecycle Management (RCLM).

RCLM is a methodology that if followed will give you the ability to answer the questions above and be able to demonstrate what was done to comply (assuming you keep track of it).

RCLM includes:

  • Identification and documentation of new regulations
  • Assessing its relevance to your organization
  • Translation into business requirements, (specific activities required to comply)
  • Communication of requirements to ALL stakeholders
  • Execution of activities required to comply
  • Monitoring and validation that required activities have been completed
  • Demonstration of the steps taken above

Our software automates RCLM and makes compliance much easier.

If you’re interested in seeing how sign-up for our 10-minute demo by clicking the link and picking a date/time that is convenient for you.

#chaostoconfidence #StopReadingRegs

10-Minute Demo

 

 

5 Elements directly affected by regulatory changes

  1. Implementing written policies, procedures and standards of conduct.
  2. Conducting effective training and education.
  3. Conducting internal monitoring and auditing.
  4. Enforcing standards through well-publicized disciplinary guidelines.
  5. Responding promptly to detected offenses and undertaking corrective action.

How to Align Physician Satisfaction and Compliance

  Fraud is still a very real issue across the relationships between physicians and hospitals Is it possible to align physician satisfaction and compliance? According to Gail Peace, President of Ludi Inc., “Regardless of the physician being independent or employed by a hospital, there are a myriad of regulations to navigate in these relationships.” She […]

Continue reading

Highlights from OIG’s Semi-Annual Report to Congress

Late last week, the HHS OIG made available its semi-annual report to Congress summarizing OIG activities occurring from October 1, 2017 to March 31, 2018. As one might expect, OIG continues to commit resources to enforcement-related activities and to improve its data analytics capabilities. A few of the “headlines” from an enforcement perspective include: Criminal […]

Continue reading