The OIG has had compliance program guidance since the early 1990s for Physician Group Practices and other types of providers such as hospitals and DME. With the Healthcare Reform Act and Patient Protection Affordable Care Act, a Compliance Program has been required since 2013. The required compliance program should follow the OIG Compliance Guidance for your physician practices. An effective compliance program will develop a risk assessment and audit protocol to monitor the business’ activity to prevent fraud and abusive activities. The program will also ensure contracts and relationships comply with the federal Stark Law and Anti-kickback Statute.
Keep in mind that a physician practice has to maintain compliance in several areas, such as HIPAA Privacy (2003) and HITECH security (2009), which also includes the Omnibus Rule (2013), OSHA standards, Human Resource Processes, licensing requirements and more. Each program has very specific elements that must be implemented to be “effective and active,” including a program manager(s), support from the top down, standards of conduct, policies and procedures, training, monitoring and more. As you can see, there are many possible pitfalls. Without compliance the business operations will suffer one way or the other.
HITECH Security goes beyond your billing system. It looks at whether someone can hack open ports in your server, what employees are saving on their PCs and mobile devices and whether those devices are encrypted, who has access to PHI and e-PHI, whether staff are emailing PHI, and more. This is a very intensive process of examining the IT infrastructure and requires knowledge and understanding of the HIPAA and HITECH rules. The Office for Civil Rights (OCR) as well as the Office of Inspector General (OIG) will be auditing to ensure compliance with the HIPAA and HITECH provisions.
Security audits include Meaningful Use. Wrongfully attesting to Meaningful Use, or not maintaining meaningful use guidelines for the money a provider was paid for their Electronic Medical Records system, is prosecuted under the Federal False Claims Act, which includes a treble damages penalty.
HIPAA audits are increasing, mainly due to the number of breaches being reported, and the penalties are steep considering the cost of monitoring in a proactive manner. A breach can be anything where PHI ends up in the wrong hands, such as, but not limited to, stolen or lost mobile devices containing PHI.
The Omnibus Rule expands all the privacy and security rules to Business Associates. A business associate is anyone who may have potential access to, or need to see, protected health information, such as consultants, attorneys, billing companies, etc. Providers must have a business associate agreement updated in 2013 with the new rules. Providers must keep a log of all business associates, date, and purpose at a minimum.
OSHA rules cover workplace safety: signs as appropriate for your business must be maintained and training performed with staff.
Human Resource Compliance ensures that you perform all verification prior to hiring, complete all the necessary forms, complete your new hire process and checklists, perform employee evaluations, and discipline employees accordingly and consistently, all in compliance with federal and state laws.
All the programs require monitoring of the processes to ensure they start and stay compliant. This auditing process will include reviewing billing revenue reports; selecting a sample of claims to ensure the documentation is sufficient to warrant the evaluation and management code billed and services provided; checking patient records for privacy acknowledgement and appropriate consent or authorization, if applicable; auditing the IT network and devices at least annually; verifying meaningful use compliance; inspecting the OSHA items that are appropriate for your office; and reviewing employee records to verify that employees have been checked against the sanction provider databases and that all employee training has been completed. Keep in mind, if the audit finds problem areas that need to be corrected, ensure those issues are corrected and documented education is provided.
Using compliance to improve your business operations is essential and will improve efficiency and cash flow and keep your business “between the ditches.” Effective compliance programs will also ensure the company is meeting all federal and state laws and the coverage criteria for the services you provide, which will reduce risk for overpayments in audits, reduce the provider’s risk for criminal charges and help keep penalties to a minimum. You can use the compliance program as a marketing point to referral sources, because providers do not want to risk referring business to a company that is unethical or not compliant, which may cause the “Badges” to show up at their office as a secondary investigation or even for questions.
As a former compliance officer, I developed a compliance program that reflected the personality of the company and the executive team. This saved the company when we disclosed we had a rogue employee who violated federal law. I also focused on working closely with billing to ensure we all stayed current on education and changes with payers.
Have you started on your compliance programs? The programs are required, and especially upon audit or investigation, the government is not giving lenience for not having put programs into place. Failing to have compliance programs in place could result in the government pursuing criminal charges, which unfortunately is as painful and expensive as it sounds.
Here is the good news: if you pull the OIG Compliance Guidance and work plan for 2014, this will help you outline a program if you need to do the program yourself. The Office for Civil Rights has sample Privacy Notices and other forms. A consultant or your healthcare attorney can review what you have done as part of the independent audits of these programs to give you an assessment of your program. This will help your compliance or regulatory officer develop changes and improve the efficiency of the program. An efficient and effective set of compliance programs will improve the company’s operations and reduce risk. Don’t look at compliance programs as “cost centers” but rather “reward programs” for your company!
Angela Miller, CMC, CHC, is president of Medical Auditing Solutions LLC. Contact her at www.MedicalAuditingSolutions.com