April 5, 2024
Culture is Everything in the World of Compliance
- by Sean Weiss, Partner & VP of Compliance
I love talking about compliance, what it means to be compliant and all the ways to demonstrate “good-faith” efforts to paint a picture of a top-down culture. But no matter how much I speak and no matter how many podcasts I do or articles I write there are still those who refuse to get the message or opt to assume more risk than anyone should be willing to take on. There is no doubt that payors and their contracted bounty hunters are pushing the limits when it comes to the recoupment of monies paid to providers. There is no letting off the gas pedal since margins are so critical and all providers are presumed guilty until they are found innocent by a jury of their peers. When it comes to government payors and the agencies that enforce policy, rules, laws, acts, statutes, etc., aggressive investigations continue to lead to overzealous prosecutions that cost taxpayers millions and devastate providers, their businesses, families and the communities they serve.
Having an Effective Compliance Plan
So far in 2024, I have been approached by more than 20 law firms requesting my engagement on cases ranging from civil disputes to criminal cases. The common theme in each case is the lack of a compliance plan or at least the lack of what could constitute a compliance plan. Having a document in electronic format or printed and three-hole punched in a binder that says compliance plan (dated 2012) is not an effective compliance plan and is hardly worth the paper it is written on. Most folks when I talk about the fact that a compliance plan is mandatory think, I am making it up, but the fact is, under the 2010 Affordable Care Act (ACA) any provider that treats Medicare or Medicaid Beneficiaries is required to have an effective compliance plan in place. The Act doesn’t say should, could, may or is recommended… it says it’s “required”. “With the passage of the Patient Protection and Affordable Care Act of 2010, physicians who treat Medicare and Medicaid beneficiaries will be required to establish a compliance program.”
In 2024, healthcare organizations (Hospitals, Health Systems, and Physician Groups/Practices) must focus on and make significant efforts towards creating a “Culture of Compliance” to ensure effectiveness and efficiency. However, focusing on “Compliance” only approaches, leaves healthcare organizations exposed to areas of liability often far more than what they could ever imagine or even what they are willing to tolerate. In 2024, you will need to walk through your compliance program and determine how to shift from a compliance-only approach to a “Risk-Based” approach. This will require your compliance team to focus on areas often ignored, those that leave your compliance program exposed to the threats of government agencies, and their investigators. Regardless of the size of your organization, this shift in thinking and in carrying out functions of compliance is a must to ensure you are covering your assets.
To set yourself on the right course of how to approach compliance you must first define it. Keep in mind we are talking about compliance within healthcare, which is different from any other industry, so when we talk about healthcare compliance it is important to understand that it is the process of following rules, regulations, laws, acts, and statutes, that relate to healthcare practices. Healthcare organizations are held to very strict standards from the federal and state levels and violating these can result in litigation, payment suspensions, revocations, significant fines, loss of licenses, and exclusion.
How Important is Risk-Based Auditing?
Just how important is Risk Based Auditing? Well, I tend to take my lead from CMS when it comes to audit risk. More than a decade ago, CMS implemented a new fraud, waste, and abuse detection model called the Fraud Prevention System (FPS). Here is how CMS described the FPS in their 2014 report to Congress; “The Fraud Prevention System (FPS) is the state-of-the-art predictive analytics technology required under the Small Business Jobs Act of 2010 (SBJA). Since June 30, 2011, the FPS has run predictive algorithms and other sophisticated analytics nationwide against all Medicare fee-for-service (FFS) claims prior to payment. For the first time in the history of the program, CMS is systematically applying advanced analytics against Medicare FFS claims on a streaming nationwide basis as part of its comprehensive program integrity strategy.” The fact is the FPS has only gotten more intelligent and better at predicting areas where auditors will be successful in audits leading to recoupments. Payors know your numbers, often better than the provider does, which is why you have to understand where you fall as a producer. Understanding aberrance and where you may be an outlier is critical to mitigating your risk and identifying potential issues before a payor does. There are public use files that you can measure your productivity against to see where you fit within the physician distribution curve(s) (Bell Curves). There are also programs like Compliance Risk Analyzer (CRA) that are incredibly predictive analytic models that help providers understand and mitigate risk. The point is, that there are plenty of tools available to providers, you just have to look. This is why prosecutors always say, “You should have known” …
There is no doubt, CMS has sent a message to healthcare providers that says, “We have upped the ante, now it’s your turn.” We are being given more than just a hint to move towards a more sophisticated method for determining which of our claims may be most at risk for improper coding and billing. We are being given a mandate. In fact, in that same report, CMS boasted that they prevented nearly $1 billion in payments from going out and that doesn’t even address how much they recouped through their pay and efforts.
What providers need to understand is that 100% of all Medicare fee-for-service claims are processed through these predictive algorithms prior to payment. Commercial payors have paid close attention to what CMS has and continues to do and they are following suit. What risk-based auditing does is allow us to see what we look like to those algorithms, so to speak. In essence, we want to see what the auditors see before they come knocking on our doors.
The days of conducting random probe audits and assigning fixed annual chart review requirements have gone with the past. These methods aren’t just inefficient and inaccurate, they are useless. In fact, a case can be made for doing nothing over random probe audits as they most often miss some 90% of risk opportunities.
While methods and algorithms will improve with time, the fact is, that risk-based auditing, in whatever final form, is here to stay.
Coding and Documentation of Professional Services
The other critical aspect of your compliance program is the coding and documentation of professional services rendered to patients by your providers and how you define “Medical Necessity” and other compliance components such as the “Reasonable and Necessary Standard”. Focus on Medical Necessity, make sure you understand how to define it and more importantly, how it’s defined by CMS and Private Payors…
At the end of the day how you structure your OIG Compliance Program will have a significant impact not only on your operations but on how the government looks at you and what their position will be during an investigation. This is what leads prosecutors to decide whether to structure a plea agreement, walk away from a case, or proceed with prosecuting. Take the time to review the Criminal Justice Division document “Evaluation of Corporate Compliance Programs” (the latest version is 2020) as this is really a prosecutor’s playbook and roadmap. Make sure you understand how to structure an effective Risk Based Internal Audit (RBIA) Process via the establishment of a Risk Assessment (RA) because your compliance programs are no longer solely based on the “Seven Elements” of an Effective Compliance Program.