Gatekeeping vital to a best practice organization

Gatekeeping should be viewed as a first line of defense, protecting not only a healthcare organization, but the patients as well. In a Health Care Compliance Association (HCCA) webinar titled “Gatekeeping & Monitoring – Developing Sound Processes for Screening, Removal & Reinstatement,” Amy Andersen, Director of Operations at Verisys Corp., noted that every organization can be sorted to a risk aversion spectrum. On one end, the most risk-averse organizations use best practice compliance to achieve stellar outcomes. On the other end, non-compliant organizations risk fines and loss of reputations. The greatest cost to organizations in terms of monetary impact to establish gatekeeping measures is the change management and system implementation. Regardless, best practices organizations need to be proactive about gatekeeping and monitoring, not after the fact.

Gatekeepers

The best way to protect organizations is to implement a gatekeeping strategy. Gatekeeping is ensuring that information is properly disseminated among an organization and its association. Thus, the first consideration for an organization is which parties are being let into the organization. Organizations should not only focus on the healthcare professionals within their organizations, but the vendors and contractors employed by the organization. Andersen noted that the vendor space was one of the most overlooked areas in protecting an organization.

Secondly, once an organization permits vendors or individuals into the organization, it must readily identify any gaps. In essence, Andersen said that the organization should understand what it knows and does not know about the admitted vendor or individual.

Finally, the organization should establish criteria for admittance of these vendors or individuals. Thus, an organization’s gatekeeping strategy should include three parts: (1) identification, (2) communication, and (3) remediation.

Identification, communication, and remediation

At a most basic level, identification starts with screening and monitoring. Some barriers to gatekeeping include data “hoarders,” those entities who do not share what they know or require you to go through a gate itself. These entities can be threats to the organization.

Andersen advised that organizations should examine and avoid unconsidered risks. In terms of credentialing, Andersen stressed “verify, verify, verify.” These risks are created when an organization silos information within itself. She cautioned against this, noting that organizations should do holistic reviews to determine whether the departments within the organization are communicating any risks effectively.

Access to information is vital. Once identification generates data for the organization, relevant information must be made visible. After policy and procedure access occurs, the organization must take action in a consistent manner. This is includes removal of individuals from the organization or vendor from a business relationship, expectations should be laid out clearly. Any auditing that is done should be unbiased and adhere to industry standards.

Identifying ‘60-day rule’ overpayments during routine auditing

The need to identify, report, and return Medicare and Medicaid overpayments to CMS under the “60-day rule” and the ability to understand and prepare for the risks posed by routine auditing are essential for all medical providers. At a recent Health Care Compliance Association (HCCA) webinar, Jean Acevedo, LHRM, CPC, CHC, CENTC, Senior Consultant, Acevedo Consulting, Inc., and Lester J. Perling, Esq., CHC, partner, Broad and Cassel LLP, discussed these topics and offered their recommendations.

The 60-day rule

Section 6402(a) of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) established new section 1128J of the Social Security Act, which requires providers and suppliers who submit claims to Medicare and Medicaid to report and return “identified” overpayments to CMS within 60-days or face potential liability under the federal False Claims Act. These requirements were implemented by CMS in a February 12, 2016 Final rule (81 FR 7653) (see CMS finally codifies the 60-day Parts A and B overpayment return rule, February 12, 2016; and Comments, questions, concerns? Weighing in on the 60-day overpayment Final rule, March 2, 2016).

According to Perling, the Final rule sets forth the following parameters for understanding the 60-day overpayment requirement:

  • Definition of an “identified” overpayment. Providers are responsible for overpayments that they “know or should have known”about through the exercise of “reasonable diligence.” Providers that deliberately choose not to investigate when they are made aware of the existence of potential overpayments, would be held liable under the FCA.
  • Exercising “reasonable diligence”. Reasonable diligence requires that providers (1) implement proactive compliance activities to monitor for the receipt of overpayments; and (2) undertake investigations “in a timely manner” in response to obtaining “credible information” of a potential overpayment.
  • “Timely” defined. CMS considers a “timely” investigation to be at the most six months from receipt of the credible information, except in extraordinary circumstances.
  • When does the 60-day period begin? The 60-day period does not begin to run until the provider has had a chance to undertake follow-up activities and quantify the amount of the overpayment.
  • Lookback period. The 60-day rule applies to overpayments identified within six years after they were received.
  • Repayment options. Providers may use claims adjustment, credit balance, the HHS Office of Inspector General’s (OIG) Self-Disclosure Protocol, or other appropriate processes to report or return overpayments. Regardless of the process used, the refund should include an explanation or the statistical sampling methodology used if the overpayment was extrapolated.

Routine baseline audit

Acevedo next discussed the annual baseline audit performed as part of the organization’s compliance program. She recommended that it be done under the attorney/client and work/product privileges in order to help insulate the organization from exposure.

Physical therapy case study

Acevedo next presented an audit case study of a physical therapy department. She stressed the need for the auditor (whether in-house or an outside contractor) to examine the three critical physical therapy documents: (1) the initial evaluation and plan of treatment; (2) the treatment notes; and (3) the clinician’s progress report.

In preforming the audit, she recommended that the auditor take note of the fact that health care professionals are creatures of habit and that, for example, they will either include all necessary elements in the plan of treatment, the treatment notes, and the progress report, or not (i.e., they are usually consistently good, or consistently bad at recordkeeping). She also cautioned that while this document audit may be time consuming, and it is important that the auditor be thorough and not just review the most recent treatment notes and progress reports.

If the auditor finds that therapy documents are deficient or erroneous, Acevedo suggested that the auditor STOP and do two things: (1) consider the possibility that an overpayment situation exists and the timeline that may kick in under the 60-day rule; and (2) alert the attorney and the owner of the practice. She cautioned, however, about jumping to conclusions and leaving a paper trail of written concerns that may amount to “breadcrumbs” for a government investigator or a whistleblower to follow.

Prospective v. retrospective audits

Perling stressed that whether the audit is prospective (i.e., occurs prior to submission of a claim) or retrospective (post claim submission) it does not matter as the finding of negative result or high error rate in either would potentially activate the 60-day rule requirements.

Issues to consider when auditing

Perling suggested taking the necessary steps prior to audit to create an attorney/client privilege that will be recognized and respected by any government investigator.

Perling also discussed whether the standards the auditor is relying on are authoritative or merely guidance. Perling believes that statutes and regulations are clearly authoritative, but that “not everything CMS publishes is authoritative.” For example, while CMS Manuals and Local Coverage Determinations are binding on the Medicare contractor, they are not binding on an administrative law judge. The real question, according to Perling, is “whether the Department of Justice or a whistleblower will think a standard is authoritative.”

Final thoughts

In closing, Perling and Acevedo offered three reminders: (1) educate before auditing; (2) the routine annual audit should review current compliance with standards, not past deficiencies; and (3) audits are still required for effective compliance programs. The danger, according to Acevedo, “is putting your head in the sand.”

Kusserow on Compliance: Compliance officers being effective

Today, organization leadership wants to feel confident that its compliance officer is effective in guarding against government intervention, litigation, and other unwanted events that give rise to liabilities. The challenge is how to convince everyone they are effective in what they do.  Experts with years of experience as both compliance officers and advisory compliance consultants to organizations were asked to provide some insights and suggestions for compliance officers.

Al Bassett, J.D., is a retired Deputy Inspector General and nationally recognized expert on health care compliance programs who has worked on evaluating effectiveness of dozens of compliance programs. He believes that to be effective, the compliance officers must always be selling the benefits of a successful program, as well as the consequences for not having one, to the Board and executive leadership. Once they are on board, then the selling must continue with managers and first line supervisors, and finally with the rank and file employees, physicians, and medical staff.

Carrie Kusserow has 15 years’ experience as a compliance officer, interim compliance officer, and compliance consultant to many organizations. She agrees and says, without question, the biggest sales target has to the Board, in that once it is sold, executive leadership will follow suit. It needs to know and understand what is required of it by enforcement and regulatory agencies, as well as the personal risks for ignoring its fiduciary compliance oversight responsibilities.  The HHS Office of Inspector General (OIG), along with the American Health Lawyers Association, has been issuing ‘White Papers” on Board obligations.  The most recent was Practical Guidance for Health Care Governing Boards on Compliance Oversight. The OIG is now incorporating this guidance into mandates for the CIAs.

Tom Herrmann, J.D., retired from the HHS OIG Office of Counsel to the Inspector General (IG) and then became a compliance officer and consultant to many organizations. He states that once there is “buy-in” from leadership, it is important to cultivate sound working relationships with other functions that overlap with compliance, including human resources (HR), Health Information Portability and Accountability Act (HIPAA) (P.L. 104-191) privacy and security officers, legal counsel, and internal audit.  In far too many organizations, these functions operate at cross purposes with one another and engage in turf battles, so as to have a serious negative impact on compliance officer effectiveness. There is a need to focus on developing cooperation and coordination of effort, along with developing protocols (policy documents) that establish working relationships and methods of cooperative effort.

Steve Forman, CPA, is another veteran of the HHS OIG, where he served as Director of Operations; he followed this with more than twenty years’ experience as a compliance officer and consultant. He sees the most successful and effective compliance officers as having been able to convince first-line managers to carry the compliance message to their subordinates by word and example.  The words they say and the attitudes they project to their staff are powerful, more so than pronouncements from the compliance officer or even the executive leadership.  Compliance officers selling themselves as being effective can be quickly enhanced by personally meeting with and talking to first-line supervisors and managers about the compliance program.

Jillian Bower has worked with dozens of compliance officers in advancing their programs. She points out that it is important to maintain ongoing metrics to benchmark progress of the compliance program to reassure executive leadership and the Board that the compliance officer is being effective in protecting the organization from unwanted events or acts that could give rise to liabilities.   She has found that one of the most useful means of doing this has been employing a professionally developed and independent administered compliance knowledge survey that evidences employee understanding of the program. The best surveys are anchored in a large database to permit comparison to other health care entities; and used periodically they also can measure benchmarks and progress in the program and further evidence compliance officer effectiveness.

Kash Chopra, J.D., has worked with a number of clients with their compliance programs, in addition to have served as an interim compliance officer. She believes effective compliance officers are successful in promoting employee compliance communication channels, particularly hotlines, that ensure complaints and allegations are promptly investigated and resolved professionally. If the workforce does not believe the organization is receptive to its concerns and nothing happens to its input, the compliance officer and program will never be fully effective. In addition, the compliance officer needs to be visible and available to hear employee concerns.  Chopra believes in walking around and being available to talk with people about their jobs, thoughts, and concerns.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Find a friendly format to ensure compliance guidance is followed

Modify the HHS Office of Inspector General (OIG) Compliance Program Guidance (CPG) documents so they make more sense and will be followed by the organization, according to Frank Ruelas, Facility Compliance Professional at St. Joseph’s Hospital and Medical Center/Dignity Health, during a webinar hosted by the Health Care Compliance Association (HCCA).CPGs, particularly for hospitals, provide valuable guidance for compliance professionals to follow in assessing their compliance programs and can be used by compliance officers of all types of facilities. The key is to make sure some sort of guidance is being followed and that assessments are verifiable.

Making use of the CPG

CPGs provide valuable information but few people read them and follow them, according to Ruelas. The problem is often that the original format of the OIG CPGs, from the Federal Register, is hard to read and navigate. Ruelas suggests taking the “text” format document from the Federal Register website and reformatting it into a “friendlier” format to help drive effectiveness. The revised format could contain a table of contents (to act as an inventory or checklist), hyperlinks to resources, headings, and anything else that would make the document more useable to perform an assessment of the organization’s compliance program.

When it comes to using the reformatted document to perform an assessment, Ruelas suggests going through and highlighting each action item contained in the CPG in one of three colors: green (acceptable demonstrated compliance), yellow (some demonstrated compliance), or red/pink (no demonstrated compliance. This will demonstrate the level of compliance and will easily show which items need additional attention. Ruelas stressed the importance of self-assessments being verifiable. Compliance officers must be able to show how he or she reached their assessment, right down to each item.

Just how many elements are there?

Ruelas warns that depending on which guidance you are following, the elements may vary slightly. The OIG has seven elements in a compliance program. The Affordable Care Act (ACA) (P.L. 111-148) and the Federal Sentencing Guidelines have eight and nine elements, respectively, but most elements overlap. All guidances are applicable, and no matter which framework you use—there is no established framework—it provides instructions on how to move forward to make your compliance program more effective, Ruelas noted.

How to get started

Ruelas stressed the importance of a supportive mindset when assessing an organization’s level of compliance. It could be that a compliance officer is coming into an already established program, so it is important to expect challenges. Then, Ruelas says to use the “plain, simple, old school” tried-and-true “5W1H Model”—start by identifying Who, What, When, Where, Why, and How regarding the compliance program, down to each item. If those are not identifiable, start with the compliance officer requirements of a compliance program, Ruelas noted, because that forces the compliance officer to focus on his or her own role and responsibilities. It also provides an opportunity to optimize the compliance officer’s job description and to meet with organization leadership.