Gatekeeping vital to a best practice organization

Gatekeeping should be viewed as a first line of defense, protecting not only a healthcare organization, but the patients as well. In a Health Care Compliance Association (HCCA) webinar titled “Gatekeeping & Monitoring – Developing Sound Processes for Screening, Removal & Reinstatement,” Amy Andersen, Director of Operations at Verisys Corp., noted that every organization can be placed on a risk aversion spectrum. On one end, the most risk-averse organizations use best practice compliance to achieve stellar outcomes. On the other end, non-compliant organizations risk fines and loss of reputation. The greatest monetary cost to organizations in establishing gatekeeping measures is change management and system implementation. Regardless, best practice organizations need to be proactive about gatekeeping and monitoring, rather than acting after the fact.

Gatekeepers

The best way to protect organizations is to implement a gatekeeping strategy. Gatekeeping is ensuring that information is properly disseminated among an organization and its association. Thus, the first consideration for an organization is which parties are being let into the organization. Organizations should focus not only on the healthcare professionals within their organizations, but also on the vendors and contractors employed by the organization. Andersen noted that the vendor space was one of the most overlooked areas in protecting an organization.

Secondly, once an organization permits vendors or individuals into the organization, it must readily identify any gaps. In essence, Andersen said that the organization should understand what it knows and does not know about the admitted vendor or individual.

Finally, the organization should establish criteria for admittance of these vendors or individuals. Thus, an organization’s gatekeeping strategy should include three parts: (1) identification, (2) communication, and (3) remediation.

Identification, communication, and remediation

At the most basic level, identification starts with screening and monitoring. Some barriers to gatekeeping include data “hoarders,” those entities who do not share what they know or require you to go through a gate itself. These entities can be threats to the organization.

Andersen advised that organizations should examine and avoid unconsidered risks. In terms of credentialing, Andersen stressed “verify, verify, verify.” These risks are created when an organization silos information within itself. She cautioned against this, noting that organizations should do holistic reviews to determine whether the departments within the organization are communicating any risks effectively.

Access to information is vital. Once identification generates data for the organization, relevant information must be made visible. After policy and procedure access occurs, the organization must take action in a consistent manner. This includes removal of individuals from the organization or of a vendor from a business relationship; expectations should be laid out clearly. Any auditing that is done should be unbiased and adhere to industry standards.

Identifying ‘60-day rule’ overpayments during routine auditing

The need to identify, report, and return Medicare and Medicaid overpayments to CMS under the “60-day rule” and the ability to understand and prepare for the risks posed by routine auditing are essential for all medical providers. At a recent Health Care Compliance Association (HCCA) webinar, Jean Acevedo, LHRM, CPC, CHC, CENTC, Senior Consultant, Acevedo Consulting, Inc., and Lester J. Perling, Esq., CHC, partner, Broad and Cassel LLP, discussed these topics and offered their recommendations.

The 60-day rule

Section 6402(a) of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) established new section 1128J of the Social Security Act, which requires providers and suppliers who submit claims to Medicare and Medicaid to report and return “identified” overpayments to CMS within 60 days or face potential liability under the federal False Claims Act. These requirements were implemented by CMS in a February 12, 2016 Final rule (81 FR 7653) (see CMS finally codifies the 60-day Parts A and B overpayment return rule, February 12, 2016; and Comments, questions, concerns? Weighing in on the 60-day overpayment Final rule, March 2, 2016).

According to Perling, the Final rule sets forth the following parameters for understanding the 60-day overpayment requirement:

  • Definition of an “identified” overpayment. Providers are responsible for overpayments that they “know or should have known” about through the exercise of “reasonable diligence.” Providers that deliberately choose not to investigate when they are made aware of the existence of potential overpayments would be held liable under the FCA.
  • Exercising “reasonable diligence”. Reasonable diligence requires that providers (1) implement proactive compliance activities to monitor for the receipt of overpayments; and (2) undertake investigations “in a timely manner” in response to obtaining “credible information” of a potential overpayment.
  • “Timely” defined. CMS considers a “timely” investigation to be at the most six months from receipt of the credible information, except in extraordinary circumstances.
  • When does the 60-day period begin? The 60-day period does not begin to run until the provider has had a chance to undertake follow-up activities and quantify the amount of the overpayment.
  • Lookback period. The 60-day rule applies to overpayments identified within six years after they were received.
  • Repayment options. Providers may use claims adjustment, credit balance, the HHS Office of Inspector General’s (OIG) Self-Disclosure Protocol, or other appropriate processes to report or return overpayments. Regardless of the process used, the refund should include an explanation or the statistical sampling methodology used if the overpayment was extrapolated.

Routine baseline audit

Acevedo next discussed the annual baseline audit performed as part of the organization’s compliance program. She recommended that it be done under the attorney/client and work/product privileges in order to help insulate the organization from exposure.

Physical therapy case study

Acevedo next presented an audit case study of a physical therapy department. She stressed the need for the auditor (whether in-house or an outside contractor) to examine the three critical physical therapy documents: (1) the initial evaluation and plan of treatment; (2) the treatment notes; and (3) the clinician’s progress report.

In performing the audit, she recommended that the auditor take note of the fact that health care professionals are creatures of habit and that, for example, they will either include all necessary elements in the plan of treatment, the treatment notes, and the progress report, or not (i.e., they are usually consistently good, or consistently bad at recordkeeping). She also cautioned that while this document audit may be time consuming, it is important that the auditor be thorough and not just review the most recent treatment notes and progress reports.

If the auditor finds that therapy documents are deficient or erroneous, Acevedo suggested that the auditor STOP and do two things: (1) consider the possibility that an overpayment situation exists and the timeline that may kick in under the 60-day rule; and (2) alert the attorney and the owner of the practice. She cautioned, however, about jumping to conclusions and leaving a paper trail of written concerns that may amount to “breadcrumbs” for a government investigator or a whistleblower to follow.

Prospective v. retrospective audits

Perling stressed that whether the audit is prospective (i.e., occurs prior to submission of a claim) or retrospective (post claim submission) does not matter, as the finding of a negative result or high error rate in either would potentially activate the 60-day rule requirements.

Issues to consider when auditing

Perling suggested taking the necessary steps prior to audit to create an attorney/client privilege that will be recognized and respected by any government investigator.

Perling also discussed whether the standards the auditor is relying on are authoritative or merely guidance. Perling believes that statutes and regulations are clearly authoritative, but that “not everything CMS publishes is authoritative.” For example, while CMS Manuals and Local Coverage Determinations are binding on the Medicare contractor, they are not binding on an administrative law judge. The real question, according to Perling, is “whether the Department of Justice or a whistleblower will think a standard is authoritative.”

Final thoughts

In closing, Perling and Acevedo offered three reminders: (1) educate before auditing; (2) the routine annual audit should review current compliance with standards, not past deficiencies; and (3) audits are still required for effective compliance programs. The danger, according to Acevedo, “is putting your head in the sand.”

Find a friendly format to ensure compliance guidance is followed

Modify the HHS Office of Inspector General (OIG) Compliance Program Guidance (CPG) documents so they make more sense and will be followed by the organization, according to Frank Ruelas, Facility Compliance Professional at St. Joseph’s Hospital and Medical Center/Dignity Health, during a webinar hosted by the Health Care Compliance Association (HCCA). CPGs, particularly for hospitals, provide valuable guidance for compliance professionals to follow in assessing their compliance programs and can be used by compliance officers of all types of facilities. The key is to make sure some sort of guidance is being followed and that assessments are verifiable.

Making use of the CPG

CPGs provide valuable information but few people read them and follow them, according to Ruelas. The problem is often that the original format of the OIG CPGs, from the Federal Register, is hard to read and navigate. Ruelas suggests taking the “text” format document from the Federal Register website and reformatting it into a “friendlier” format to help drive effectiveness. The revised format could contain a table of contents (to act as an inventory or checklist), hyperlinks to resources, headings, and anything else that would make the document more useable to perform an assessment of the organization’s compliance program.

When it comes to using the reformatted document to perform an assessment, Ruelas suggests going through and highlighting each action item contained in the CPG in one of three colors: green (acceptable demonstrated compliance), yellow (some demonstrated compliance), or red/pink (no demonstrated compliance). This will demonstrate the level of compliance and will easily show which items need additional attention. Ruelas stressed the importance of self-assessments being verifiable. Compliance officers must be able to show how they reached their assessment, right down to each item.

Just how many elements are there?

Ruelas warns that depending on which guidance you are following, the elements may vary slightly. The OIG has seven elements in a compliance program. The Affordable Care Act (ACA) (P.L. 111-148) and the Federal Sentencing Guidelines have eight and nine elements, respectively, but most elements overlap. All guidances are applicable, and no matter which framework you use—there is no established framework—it provides instructions on how to move forward to make your compliance program more effective, Ruelas noted.

How to get started

Ruelas stressed the importance of a supportive mindset when assessing an organization’s level of compliance. It could be that a compliance officer is coming into an already established program, so it is important to expect challenges. Then, Ruelas says to use the “plain, simple, old school” tried-and-true “5W1H Model”—start by identifying Who, What, When, Where, Why, and How regarding the compliance program, down to each item. If those are not identifiable, start with the compliance officer requirements of a compliance program, Ruelas noted, because that forces the compliance officer to focus on his or her own role and responsibilities. It also provides an opportunity to optimize the compliance officer’s job description and to meet with organization leadership.

Compliance advice offered to providers in the orthotic and prosthetic arena

There are high clinical documentation standards for orthotic and prosthetic (O&P) providers. Non-compliance with these documentation requirements can result in numerous adverse consequences for O&P providers, including: audits; recoupment of payments already received; loss of contracting and provider privileges; civil money penalties; loss of credentialing, certification, or licensure; the risk of getting on the Zone Program Integrity Contractor (ZPIC) radar; and exclusion from participation with any physician that accepts government funding, such as Medicare or Medicaid.

Understanding and applying compliance requirements in the O&P arena was the focus of a Health Care Compliance Association (HCCA) webinar offered by Tonja Wise, CHC, Corporate Compliance Manager, O&P Compliance Officer, Shriners Hospitals for Children International.

Wise’s presentation began by explaining why the O&P provider needs compliance and how O&P is different from other specialties. She then discussed the O&P provider’s obligations in the areas of documentation, provider notes, coding, and billing. Wise also noted the importance of the prescribing physician, who shares some of the documentation responsibility with the O&P provider. A summary of Wise’s major points on these topics includes the following:

  • As a result of recent fraudulent activity and increased payment recoveries, O&P has become the new durable medical equipment (DME) when it comes to audits and scrutiny by the Office of Inspector General (OIG).
  • O&P suppliers that intend to bill Medicare (and Medicaid in most states) must be accredited. The Board of Certification/Accreditation (BOC) and the Association of Boards of Certification (ABC) both offer this service. Going through accreditation is good practice for ensuring that the organization meets the Medicare Supplier Standards and the accreditation standards.
  • Medical documentation must corroborate the O&P provider’s chart and justify the order written and device supplied. Documentation of the orders, delivery, use and care instructions, and safety are very specific.
  • Documentation requirements include a signed HIPAA acknowledgement; consents for treatment; a valid dispensing order prior to delivery; a signed, detailed written order prior to billing; a detailed delivery receipt; complete, comprehensive O&P provider notes; safety checks completed; and proof of patient care and instructions.
  • Provider notes should be complete, comprehensive, and compliant. This means each patient visit should have an independent, detailed note. The initial evaluation and the delivery visits are the most involved and will be the most important to the payor or auditor. These notes must outline all of the information necessary to support medical necessity.
  • It is the responsibility of the certified O&P provider to ensure that the appropriate Healthcare Common Procedure Coding System (HCPCS) codes are selected.
  • Know the federal requirements for the warranty period for O&P devices. CMS requires a 90-day warranty for all new devices. State Medicaid warranty periods may differ. The O&P provider does not need a new prescription for repairs if the provider delivered the device, unless major components are being replaced.
  • All bills should be reviewed for accuracy and consistency prior to submission. Confirm that diagnostic codes on all orders are consistent with the claim. Ensure all modifiers are included with the claim and are accurate.
  • Prescribing physicians are responsible for providing orders that meet CMS criteria for all O&P devices, documenting all medical necessity for the device being ordered, providing accurate diagnosis data (O&P providers cannot diagnose), and supplying any medical documentation necessary to support the O&P provider’s claim.

Conclusion

Wise believes that the best protection for an O&P provider is to have a robust compliance program in place to monitor coding, billing, medical necessity, and documentation. To ensure this compliance, she suggests that the O&P provider do the following:

  • Conduct annual compliance education.
  • Utilize access to O&P resources for guidance.
  • Be knowledgeable of federal, state and local requirements.
  • Be educated on payor requirements.
  • Read and understand the local coverage decisions (LCDs) and reference them frequently.
  • Be a self-auditor and audit frequently.
  • Ensure that any regulatory updates or major changes to O&P are communicated throughout the organization.