By Emilie J DiChristina, MBA for PracticeFirst
It is time to get serious about Compliance! Yes, I mean you ~ don’t roll your eyes and move on!
The Department of Health and Human Services (HHS) Office of Inspector General (OIG) and other regulatory bodies have made it clear that a compliance program must be demonstrated as being fully effective. A weak program would likely be viewed as a “sham” program and that is worse than no program at all. Thus, the OIG has noted that effective compliance programs should incorporate independent reviews of the compliance program.
I can feel your eyes rolling again…but this is important, and small practices are not exempt!
Let’s start with the real reasons YOUR PRACTICE needs to sit up and take notice:
The ACA (Obamacare) is an expensive program. Whether you agree with it or not, you HAVE to agree that the money has to come from somewhere, and going after lack of compliance with Fraud & Abuse prevention and HIPAA/HITECH makes perfect sense for the government because:
a. The various federal and local OIGs feel that if you are not compliant with the laws and updates by now…you actually are asking for an audit (and they are happy to comply)!
b. The government has had success with RAC audits (Billions $$$$) and OCR findings for HIPAA violations are also raking in the bucks!
c. Electronic health records are fraught with the opportunity to “cut & paste”, “upcode” and violate HIPAA through staff error!
d. They (the various OIG offices) know your practices have let “fraud & abuse” compliance slide, and may be giving lip service to the recent HIPAA changes because there is so much else on your plates and most small practices do not have Practice Administrators.
So let’s get down to what your practice needs to do – sooner rather than later – to have an “effective” program in place.
1. First, be sure that you have a designated compliance officer, a designated privacy officer and a designated security officer.
THE GOOD NEWS? In small practices this can be one person designated as compliance officer but with a job description which notes responsibility for privacy and security as well. This person needs to have authority to act, but will also report to the CEO or principal provider of the practice, and if the practice is a large one, will report to/lead the compliance committee.
2. Second, concentrate on training and education. The OIG considers “the proper and periodic education and training of all managers, physicians and facility personnel” to be a major component of an “effective” program.
Ideally, this will be performed in person, at least yearly, by your compliance officer, and will then be available in multiple other formats to ensure absorption by the employees (many of whom learn in different ways).
The education should be tailored to the type of employee as well. Obviously, cleaners, couriers, etc. need a different level of training than do providers, clinical staff and billing staff.
All training must minimally include your practice’s “rule of conduct”, an explanation of CMS and OCR requirements for the prevention of fraud and abuse, and the maintenance of Privacy and Security as well as the duty to report misconduct and potential breaches.
3. Policies, forms, audits and more ~ Oh My!
Without written policies, how will your employees be judged, how will they receive guidance in a sticky situation, and what will you show to the OIG when they arrive?
Without forms (largely to be used with Privacy, but also with assignment of access levels in EMR/PM systems, and of course when there is a coding question), how will you have the requisite paper trail that defines “effectiveness”?
Audits, not just for the RAC! If your compliance officer or an outside contractor performs regular audits on E&M, procedures, security access, and even your money flow, you can be both “effective” in the eyes of the OIG and potentially identify revenue drain, embezzlement risk and opportunities for improvement.
You know the old adage…“You can’t fix it if you don’t know it’s broken!”
4. Next, ensure that communication is foremost in all employees’ minds, that they can regularly access your compliance officer with questions, and that the compliance officer regularly works with and communicates with all employees.
As part of the “effectiveness” component of any plan scrutinized by the OIG, there needs to be a clear understanding by all employees that there will be no retaliation for bringing problems to the attention of the practice, and when requested, confidentiality of the person advising of a problem will be maintained.
5. Fifth, record maintenance. When it comes to billing, everyone knows they need to keep encounter sheets (super bills) with the billing materials in case of audit or question. When it comes to medical records, everyone knows they must keep records for a designated number of years.
But does your practice have a plan for keeping the records associated with problems brought to your attention by employees or others AND the investigation, findings, actions and correction or mitigation that was needed?
Do you have a breach investigation process? Do you have a process for notifying the OCR Secretary if you have a breach?
If you answer NO, you may have a problem meeting the “effectiveness” requirements of an audit.
6. Finally, there is employee management. This means that you use the compliance, privacy and security plans and policies as a measure when evaluating employee performance, and to guide your disciplinary process.
The OIG “effectiveness” measure includes your willingness to set policies and rules for the discipline of employees who violate the policies, for the evaluation of an employee based on their compliance, and for reporting to licensing and certification boards, or the police for major violations by employees.
So, in the final analysis…
- Do you think your practice or organization has an “effective plan”?
- Do you know what to do if your billing company notifies you of a suspected breach?
- Do you know how to investigate a suspected breach?
- Do you know if your practice is at risk under the “cloning” or “cut and paste” EMR audits currently being undertaken by government and private insurers?
- Does your practice really have the depth to handle this on your own, or is this falling to you as the provider who has soooo many other things on your plate?
WARNING – Pre-paid compliance and HIPAA policy books and tool-kits abound, but without everything noted in this article, they may just give you a false sense of security about “effectiveness” so I urge you to take the time to really consider where your organization stands on the effectiveness of all policies, procedures and underpinnings of your practice. After all, you just want to provide health care – make sure you can without loss and reputational harm – make sure you are effective!
Emilie DiChristina may be reached at 716.474.2429 or firstname.lastname@example.org for more in