Compliance programs should keep a sharp eye on all communications

Every word written or spoken in connection with a health care practice presents the potential for risk. At a Wolters Kluwer webinar entitled, Health Care Communication Risks—From a Compliance Perspective, two presenters pointed out various areas of concern and ways for compliance professionals to approach them. Robert Liles, managing partner at Liles Parker PLLC, and Paul Weidenfeld, chief legal officer of Exclusion Screening LLC, spoke from years of experience on topics such as criminal issues, administrative concerns, employment, and documentation.

Text messages

The presenters noted that smartphones, while convenient, have caused countless compliance issues. Communications as seemingly private and innocuous as a text message present a significant risk, as law enforcement can easily obtain information about texts that a service provider might tell a customer is unavailable. One example offered in the webinar told of a dentist who extracted a tooth from a sedated patient while on a hoverboard, then texted a video of the event to a friend; another example came from an office manager who texted her mother to tell her of pulling two teeth from a sedated patient.

Exam recordings

Many states have one-party consent laws for recording communications, and in such states only the party taping the conversation needs to know that it is being recorded. In these states, a patient might record a physician during an appointment or procedure without obtaining the physician’s permission. Such recordings can be used in malpractice cases, such as a recent case during which a physician made disparaging comments during a colonoscopy, before which a patient had started recording the procedure on his phone. The presenters suggested posting specific policies concerning such recordings, recommending language that prohibits use of recording devices unless specifically permitted by the provider.

Reducing risk

The presenters spoke of the seven elements to an effective compliance program identified by the HHS Office of Inspector General:

  • implementing written policies, procedures, and standards;
  • designating a compliance officer and committee;
  • conducting effective training an education;
  • developing effective communication;
  • enforcing standards;
  • conducting internal audits; and
  • responding promptly to detected offenses and developing corrective action.

One important piece of a program is a compliance hotline to allow employees an opportunity to report compliance issues. Employees should be able to do so anonymously, but also be able to provider his or her name with confidence in the organization’s confidentiality. Employees must be assured that they will not be retaliated against for reporting issues in the organization.

Equities rest with agency in administrative enforcement actions

Administrative enforcement is quicker than an investigation but still “deadly” for the provider or supplier, concluded Judith Waltz, partner at Foley & Lardner LLP, at the American Health Lawyers Association’s 2017 Institute on Medicare and Medicaid Payment Issues. “Administrative enforcement” means the tools available to HHS, CMS, and the HHS Office of Inspector General (OIG) without or with limited formal involvement of the Department of Justice, including civil money penalties (CMPs), payment suspensions, and billing privilege or enrollment denials and revocations. In administrative enforcement actions, the equities and more discretion may rest with the agency, and a lesser burden of persuasion applies for the agency to prove its case.

Exclusion regulations

In December 2016 the OIG revised its exclusion regulations (see 81 FR 88334) in part to implement the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148). Waltz explained that the Final rule did the following: (1) expanded its permissive exclusion authority for convictions related to obstruction of an investigation to include audits; (2) added permissive exclusion authority for making false statements, omissions, or misrepresentations in enrollment applications; (3) added early reinstatement for loss of license in a different state; and (4) added a 10-year look-back period for exclusions.

Inflation

Waltz noted that CMPs are being updated annually for inflation pursuant to a final rule issue in December 2016 (see 45 C.F.R. Part 102). For example, a CMP for failing to grant timely access is up to $15,000 per day, $16,312 after inflation, and the CMP for false statements, omissions, or misrepresentations in enrollment or similar documents is up to $50,000 per false statement, $54,732 after inflation. Waltz said, “After inflation, numbers are unbelievable.”

CIAs contain lessons for compliance professionals & board members

The typical obligations contained in a corporate integrity agreement (CIA) overseen by the HHS Office of Inspector General (OIG) can be implemented by compliance programs to drive accountability and improve effectiveness. In a webinar titled Compliance Accountability: Lessons Learned from Implementing Corporate Integrity Agreements, Tom Herrmann, JD, and Carrie Kusserow, MA, CHC, CHPC, CCEP, both of Strategic Management Services, LLC, provided an overview of the standard obligations in a CIA, including recent changes, and provided tips to listeners on how to effective oversight and organizational controls for health care organizations.

CIAs are typically included as part of a “global settlement” of criminal, civil, and administrative charges against a health care provider or entity. The CIA, which usually lasts for five years, allows the provider to remain a participant in federal health care programs in exchange for compliance responsibilities. These responsibilities include oversight by the compliance officer, executive-level compliance committee, and board, but also written guidance, mandatory trainings, screening for excluded providers, and regular reports to the OIG. Recently, the OIG has made some changes to CIA obligations, including requirements for management including certifications, minutes from executive-level compliance committee meetings, and obligations for the board.

To avoid entering into a CIA, or to survive one that has already been implemented, organizations should have a compliance officer who is a member of senior management. The compliance officer should report to the CEO, and is neither responsible for serving as legal counsel, nor subordinate to general counsel or the CFO. The compliance officer should chair the executive-level compliance committee, which should include senior management from relevant departments, and meet at least quarterly. Certain senior executives, including the CEO, COO, CFO, and CMO have obligations to monitor and oversee activities within their areas of authority. Lastly, the board of directors, made up of independent, non-executive board members, should be specifically trained on corporate governance and its responsibilities for compliance program oversight.

All compliance programs should have updated written policies and procedures, a disclosure mechanism like a hotline, provide annual training, and should include compliance as an element of performance review for all employees.

Florida hospital improperly billed Medicare almost $300,000 over two years

For over two years, University of Florida Health Jacksonville did not comply with Medicare billing requirements, due to inadequate billing controls. The noncompliance resulted in overpayments of at least $273,000, according to an audit by the HHS Office of the Inspector General (OIG).

Claims

The 695-bed not-for-profit hospital submitted 11,134 inpatient claims during the audit period (January 2013 through September 2014). Medicare paid the hospital $167 million on those claims. The OIG audit evaluated 1,305 inpatient claims that were potentially at risk for billing errors. From those claims, the OIG selected a random sample of 154 paid claims, totaling $1,964,826. Although the OIG determined that the hospital complied with billing requirements for the majority of the claims (133), the audit revealed that the hospital failed to comply with Medicare billing requirements for 21 claims, resulting in a net overpayment of $63,881 for the audit period. Based upon the sample, the OIG extrapolated that the hospital improperly received overpayments of at least $273,346 between January 2013 and September 2014.

Errors

For 19 of the 154 claims, the hospital billed incorrect diagnosis-related group (DRG) codes. For example, in one case, the hospital submitted a claim with a secondary diagnosis code 599.0 (urinary tract infection), despite the fact that the patient’s medical record indicated the patient had no signs or symptoms of a urinary tract infection. In other words, the hospital had no basis to assign code 599.0. The hospital attributed the billing mistakes to human error. The noncompliance related to the DRG codes accounted for the vast majority of the errors and led to net overpayments of $47,165.

When a patient is discharged from an acute care hospital and readmitted to the same hospital on the same day for symptoms related to the prior stay, the hospital is required to combine the original and subsequent stay into a single claim. The OIG determined that for 2 of the 154 audited claims, the hospital incorrectly billed Medicare for related discharges and readmissions that occurred on the same day. The hospital attributed the improper billing to human error.

Recommendations

The OIG recommended that the hospital:

  • refund the estimated $273,346 in overpayments to the Medicare program;
  • identify and return similar overpayments; and
  • strengthen billing and coding controls to ensure future compliance.

 

Objections

The hospital objected to the findings regarding 11 of 21 inpatient claims. Additionally, although the hospital acknowledged that human error contributed to the 10 other errors, there was “no evidence to support systemic coding or billing concerns.” The hospital also challenged the OIG’s authority to extrapolate a payment error rate.