Federal fraud enforcement - physician compliance

Spending attributable to waste, fraud and abuse…
The health care community and physician practices are facing a situation where the federal government is categorizing billions and billions of dollars worth of claims for services as inappropriate and possibly fraudulent. According to a report by the Department of Health and Human Services' (HHS) Office of the Inspector General (OIG), approximately $1.6 billion in overpayments were collected in FY2002. The OIG estimates taht $12.1 billion in Medicare fee-for-service payments made in 2001 were improper.

The amount of spending attributable to waste, fraud, and abuse ranges from 3 to over 10 percent of national health care expenditures according to estimates. With these expenditures now surpassing a trillion dollars, the attention on efforts to reduce spending attributable to criminal and other inappropriate behavior is readily understood. Actions to reduce inappropriate payments also are consistent with the Second Principle of Medical Ethics: "A physician shall deal honestly with patients and colleagues, and strive to expose those physicians deficient in character or competence, or who engage in fraud or deception."

Liability for inappropriately submitted claims…
To recoup health care spending dollars that may be categorized as inappropriate payments, the authority of the federal government to combat health care fraud was clarified and its enforcement ability was significantly expanded with the enactment of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. Among other provisions, this law: earmarked funding to virtually double the number of OIG auditors and investigators in addition to an expansion of the Federal Bureau of Investigation's ability to investigate health care fraud; created the Medicare Integrity Program whereby HHS may enter into contracts with private entities to review and audit activities where Medicare provides coverage; and established a reward program to encourage Medicare beneficiaries to report questionable behavior.

Anyone submitting a claim for payment must be alert to the potential for liability stemming from an inappropriately submitted claim. (Medicare is reaching the point where over a billion claims for payment will be submitted annually, with approximately two-thirds of these claims being for physician services.) In paying a claim, the federal government has the authority to investigate the claim's propriety. Where an investigation finds fault with a claim, ranging from a possibly inadvertent mistake to a determination that the claim was fraudulently submitted, the government has the authority to impose both criminal and civil sanctions (monetary fines) against the individual or entity claiming a right to payment.

• Civil sanctions may be imposed where an individual "knowingly" submits a claim that he or she "knows or should know" will fall into a prohibited category. Civil sanctions may be imposed for each inappropriate claim submitted for payment. Civil sanctions may be as much as $10,000 per claim ($50,000 for an anti-kickback violation) plus an assessment of up to three times the amount improperly claimed.
  
  
• Criminal penalties may be imposed where an individual "knowingly and willfully" defrauds the Medicare, Medicaid, or other federal health care benefits program. If there is a determination that even a single claim was submitted fraudulently, sanctions may include: imprisonment for up to five years; a fine of up $250,000 per claim; and a five-year exclusion (lifetime exclusion for a third conviction) from participation in the Medicare and Medicaid programs.
  

Legal liability avoidance…
Reducing potential liability exposure is one of the key reasons for implementing and maintaining a compliance plan. (The establishment of a compliance plan also will provide other benefits, such as identification of under-coding and improved communications within a practice setting.) The existence of a compliance plan will be taken into account by both the HHS OIG and the Department of Justice in determining whether a medical practice or other health care entity has made reasonable efforts to avoid and detect misbehavior. The application of a plan will be taken into account in determining the level of sanctions, penalties and exclusions that may be sought and imposed.

To be convicted of health care fraud, there must be a finding of intent to commit the illegal act. The existence of an effective compliance plan provides evidence that any mistakes were inadvertent

A compliance plan should be…
A compliance plan should be reasonably designed, implemented and enforced so that it will be effective in preventing, detecting, and correcting inappropriate and potentially criminal conduct. The operation of an effective compliance plan demonstrates due diligence and addresses the issue of potential criminal intent. An effective compliance plan should include the following elements:

1. a general statement of conduct that promotes a clear commitment to compliance;
   
   
2. recognition of the importance of compliance by the appointment of a trustworthy compliance officer with a high level of responsibility;
   
   
3. effective training and education programs for all professional and support personnel;
   
   
4. auditing and monitoring processes;
   
   
5. specific and effective lines of communication between the compliance officer and professional and support personnel;
   
   
6. internal investigation and enforcement through publicized disciplinary guidelines and actions; and
   
   
7. a process to respond to identified offenses and apply corrective action initiatives.
   

An effective compliance plan…
The seven elements, presented in greater detail below, constitute the roadmap for the creation of an effective compliance plan.

Commitment to compliance - As a starting point, a compliance plan must be more than a series of papers dictating directions for office operations. A compliance plan must recognize a specific set of standards and chart a course of action to ensure that everyone in the organization understands his or her obligation to comply with these standards. A commitment to compliance is comparable to an organization having both a "vision" statement and a series of checks that document how the vision is being achieved.

For a plan to be effective, the employees and others involved with an organization must be aware of the standards and understand that the organization will take actions to uphold those standards. A commitment of compliance reflects acceptance of a duty and a resource commitment on the part of an organization (management, board of directors, partners, owner) to assure that the organization's conduct will adhere to standards that are geared to identify and prevent criminal conduct.

Designation of a compliance officer - For a compliance plan to be considered effective, it must be operated through a designated compliance officer. The compliance officer may have duties in addition to serving as the compliance officer, and could even be a person who is in charge of one of the organization's major functions. An organization's compliance officer must hold a high level of responsibility and be trustworthy.

The compliance officer must have sufficient authority to effectuate the compliance plan. An individual will be considered to have the requisite authority if he or she is able to influence behavior and organizational practices, and this may be accomplished by an individual who has substantial control over the organization or a substantial role in setting policy for the organization. The reporting responsibility of the compliance officer is one measure that may be used in determining authority. For example, the compliance officer should report to the board or a board level committee. Consistent with the organization's commitment to compliance, the board or board committee should receive periodic updates and take an active role in holding the compliance officer responsible for the operation of an effective compliance plan. Where an organization does not operate with a board of directors, the compliance officer should report to the highest levels of management. The success of the compliance officer in fulfilling his or her responsibility should be one of the key elements used in judging the compliance officer's performance.

In addition to applying a trustworthiness standard to the compliance officer position, any delegation of compliance authority must be to trustworthy individuals. Measures of trustworthiness include experience with an individual as an employee and clean background checks for new employees who will be involved in activities where compliance questions may arise. Determining the need for a background check should be made on an individual basis, with background checks generally being necessary for individuals who will be involved in billing and coding activities, and for those exercising substantial discretion in setting operational directions or conducting supervisory functions.

Effective training/education programs - The organization must have a routine training and education process that makes participation in the compliance program understandable. This process generally will be under the direction of the compliance officer and it should include active participation in training and education programs. A variety of techniques and materials may be used to comply with this education requirement. Educational activities need to be conducted on a regular (at least annual) basis, with frequency of participation dictated by an individual's functions in the organization.

Participation in an effective education and training program focusing on compliance with fraud and abuse laws should include an overview of the related laws, the operation and importance of the compliance plan, and the role of each employee in the compliance plan. For individuals who will have direct involvement with aspects of an organization's operations where there is a significant potential for application of the health care fraud and abuse laws, extensive education specific to the individual's responsibilities will be appropriate. For example, physicians need to understand their responsibility to provide appropriate medical record documentation of the care provided. Physicians and billing staff need to understand their responsibility to have billing records conform to the documentation found in the medical record. Training and education are essential elements of a compliance plan, and organizations should maintain a record of both its training activities and individual participation in these activities.

Auditing and monitoring - One of the key actions that should be taken to demonstrate a commitment to compliance is the implementation of a system to audit and monitor an organization's practices. The auditing process will entail a regular review of the organization's claim development and submission process from the point where a service for a patient is initiated to the submission of a claim for payment. The monitoring process will entail the development of a methodology to facilitate employee reporting of suspected situations of fraud or abuse.

The audit process should be utilized to: establish a baseline in initiating a compliance plan; periodically assess the effectiveness of the organization; monitor the work of new employees; and respond to complaints.

The baseline audit should examine the claim development and submission process (from patient intake through claim submission and payment) and identify elements within this process that may contribute to non-compliance or that may need to be the focus for improving execution. This audit should establish a consistent methodology for selecting and examining records, and this methodology should serve as a basis for future audits. In addition to conducting a record audit, the baseline activity should include a review of how the organization conducts its compliance plan to determine the adequacy of the educational and other compliance related programs. The baseline audit could be conducted to examine claims submitted during the initial three months after implementation of the education and training program.

Audits need to be conducted, following the baseline sampling methodology, at frequent intervals to ascertain compliance with applicable fraud and abuse requirements. (While a number of health care organizations maintain an annual audit cycle, it is recommended that auditing be conducted on at least a quarterly basis.) The periodic audit also should be used to ascertain that the compliance plan is being followed. The goal of these audits should be to assure personnel competency and uncover improper claims activity (patterns of improper activity in particular) prior to the point where potential violations may be significant enough that the government would impose penalties. An effective periodic audit process must include a means to provide feedback to the individuals involved in the various phases of claim development and submission.

In addition to participation in education and training activities for new employees, there should be a mechanism in place to ensure that their work is consistent with standards to prevent fraud and abuse. Keep in mind that the organization may have responsibilities for the activities of individuals who may provide services for the organization (such as an independent contractor) even though these individuals are not employees of the organization. Where new employees are involved in the claims process (from development to submission), as well as existing employees who are newly involved in the claims process, at least a sample of the claims they have handled should be audited. This focused auditing process should be continued until the compliance officer is satisfied with the individual's level of competence.

Organizations need to be prepared to conduct complaint audits in response to employee or patient complaints or other evidence of possible improper billing practices. Failure to respond promptly to a complaint raises questions to an organization's commitment to compliance. In addition, a complaint to an organization may indicate that a complaint may have been filed with the federal government. Complaints must be taken very seriously, and individuals need to understand that they may make complaints without fear of retribution.

Effective lines of communication - One of the keys to a commitment to compliance is the existence of effective communication concerning compliance within an organization. Communications must be able to flow in both directions between the compliance officer and professional and support personnel within the organization. The compliance program will be meaningless if the lines of communication from the compliance officer to the individuals employed by or otherwise involved with the organization, or vice versa, are ineffective. The compliance officer must be able to relay information about the organization's standards and the results of audit and other compliance information; and the individuals employed by or otherwise involved with the organization must be able to communicate to the compliance officer with compliance questions and complaints.

The compliance officer should operate or maintain a hotline process to facilitate reporting of suspected violations. Employees and others who may utilize the hotline service should have confidence that their confidentiality will be maintained, there will be no retaliation, and the hotline complaint will be investigated.

Internal investigation and disciplinary processes - Demonstration of a commitment to compliance includes an appropriate investigation and disciplinary action applicable to all individuals within the organization who fail to comply with their obligations under the compliance plan. When there is information of potential violations or misconduct, the chief compliance officer (or designee) has the responsibility of conducting an investigation. An internal investigation should include interviews and a review of medical record, billing and other relevant documents. To assure protections from coerced disclosure for information gained through investigative interviews, statistical and record analyses and other reports, consideration should be given to having the investigation conducted by qualified legal counsel. The attorney/client privilege will afford a level of protection in the event that the OIG or another agency requests information developed in the course of an internal investigation.

Disciplinary measures at some point may apply to any individual in an organization, and there should not be wide variations in the application of discipline for similarly situated individuals. To assure fairness and consistency in the application of the disciplinary process, organizations should maintain a written internal enforcement and discipline policy. Individuals within an organization should be apprised of the disciplinary guidelines as part of the compliance education process, and organizations should maintain records on the application of internal disciplinary actions.

Response to offenses, corrective action - On the identification of a compliance problem, organizations have a responsibility to take demonstrable corrective actions, including steps to prevent further similar offenses. Where an organization's investigation has identified the receipt of overpayments or other deviations from federal legal standards, corrective action (including repayment as appropriate) should be initiated. Corrective actions and the issue of whether there should be disclosure of compliance information to the federal government should be discussed with counsel.

One of the more difficult questions that an organization may face is whether it should voluntarily disclose compliance problems with the federal government. While the development and implementation of a compliance plan carries the responsibility of being able to demonstrate adherence to applicable standards, voluntary disclosure of compliance problems does not provide any automatic protections or guarantees of leniency. The fact that an organization maintains a compliance plan does not restructure the organization as an investigatory arm of the OIG, and so disclosure is not mandated.

In considering whether to report a detected offense, it must be noted that OIG enforcement investigations may be initiated based on carrier records, a call from a disgruntled employee, a patient complaint, and even an anonymous tip to the HHS "Confidential Tip Line" (1-800-HHS-TIPS). In the event that an internal investigation discovers that a material violation has occurred, it sometimes may be advisable to report the matter to the federal government. However, such a decision needs to be discussed with counsel. If the organization, with advise from counsel, believes that failure to disclose will call into question the veracity of the plan and limit the reduced culpability protections that the plan is designed to afford, disclosure may be appropriate.

Medical record documentation must reflect…
Documentation is a central element that underlies patient care, billings for patient care, and an effective compliance plan. Documentation must become a routine step to demonstrate the operation of the plan. Accurate patient record documentation also is a key component of the compliance plan, as this documentation provides the justification necessary to support claims payment.

In addition to facilitating high quality patient care, an appropriately documented medical record serves as a legal document to verify the services provided. The medical record may be used to validate the site of the service, the medical necessity and appropriateness of the diagnostic and/or therapeutic services provided, and that the services have been reported accurately. Accurate medical record documentation should comply, minimally, with the following principles of medical record documentation:

• The medical record should be complete and legible.
• The documentation of each patient encounter should include: the reason for the encounter and relevant history, physical examination findings, and prior diagnostic test results; assessment, clinical impression, or diagnosis; plan for care; and date and legible identity of the observer.
• If not documented, the rationale for ordering diagnostic and other ancillary services should be easily inferred. · Past and present diagnoses should be accessible to the treating and/or consulting physician.
• Appropriate health risk factors should be identified. The patient's progress, response to and changes in treatment, and revision in diagnosis should be documented.
• The CPT and ICD-9-CM codes reported on the health insurance claim form should be supported by the documentation in the medical record.
  

Professional assistance…
Just as physicians find value in receiving consultations from their colleagues, there are a number of aspects in the creation and operation of a compliance plan where consideration should be given to retaining outside experts. To aid in weighing the multiple legal issues that may arise, qualified legal counsel has a clear role in many of the aspects of a compliance plan. Similarly, expertise may be sought from experts in medical record documentation, auditors, and other expert consultants.

In conclusion…
The operation of an effective compliance plan will vary from one physician's practice to another physician's practice. There is no single form or size of a compliance plan that will fit every situation. For a compliance plan to be effective, it will need to be tailored to fit the individual organization and its operation will have to become an element of every step in the process of patient encounter to the submission of a resulting claim for payment.