The Key Elements in Developing a Comprehensive Compliance Program

With the ICD-10 implementation a task of the past year, practices can now turn from the key focuses of computer system upgrades, financial risk assessments, coding-specific education, and critical documents review to upgrading their compliance plan. However, they must continue to turn their attention to compliance issues and make sure all of the newly implemented policies are compliant with HIPAA regulations and the mandates of the many payers and the government. Compliance is an integral operational part of all medical practices. A compliance plan is not something to be written, implemented, and relegated to a bookshelf. It should be integrated into the practice’s daily activities, used, reviewed, and tweaked as often as necessary. Remember that a well-written compliance program provides a roadmap for physicians and staff to follow and shows how a practice does its due diligence in monitoring, education and documentation.

Compliance is an expanding area of law, and one that is going to expose practices to more risks.

Just as you keep up with advances in the medicine you practice, you must also keep up with and adhere to the myriad changes in the compliance arena of the practice. It is important that physicians and their staff understand that compliance is an expanding area of law, and one that is going to expose practices to more risks. Your compliance plan should also include additional policies that address particular needs or risks relevant to your practice. Your practice should include human resources policies, finance policies, patient care policies, and OSHA policies.

The advent of federal and state Accountable Care Organizations, the expansion of Medicare and Medicaid managed care plans, and the implementation of other state Medicaid redesign initiatives, including Delivery System Reform Incentive Payment programs, are all dramatically expanding the breadth, scope, and magnitude of compliance programs.

Compliance obligations among healthcare providers and other entities entering into joint ventures and initiatives must be considered in your plan. Plans must be implemented among participants without duplicating efforts or expanding potential liability. They must figure out how to integrate new requirements with existing compliance efforts, as well as execute them across all partners and participants. States are implementing more specific and stringent compliance regulations.

As an example, following are the eight elements of the mandatory compliance requirements for the state of New York. The principles presented here should form the basis of your compliance plan.

Implement standards, policies, and procedures.

The compliance requirements state that policies and procedures must:

• Be modified and expanded in a template plan to meet your unique risks;

• Be easily accessible and regularly updated and maintained (If someone from the Office of Inspector General [OIG] comes in and finds two inches of dust on the document, it does not speak well of your practice.);

• Clearly communicate all rules, requirements, and processes.

Designate a qualified compliance officer.

The compliance officer must be empowered to educate other employees, update physicians, call meetings, and, when necessary, initiate corrective action in the event of a violation.

Open lines of communication.

To meet requirements, compliance programs must have communications initiatives in place that will:

• Notify individuals throughout your practice of the network of existing hotlines for reporting potential issues and problems;

• Explain which hotline or entity to contact for guidance on specific issues; and

• Support the appropriate sharing of information among partners and participants to ensure that all relevant parties are fully informed of emerging issues and prepared to respond in a timely manner.

Provide training and education.

Your educational programs must be detailed and must be written to support compliance. You must develop training programs to ensure that staff members at every level are knowledgeable about compliance regulations, as well as their responsibilities in ensuring those regulations are strictly followed. You must have written processes in place to confirm training was provided for each position in your practice. The programs must include content specific to your policies and risks, and should be developed centrally and be compatible across entities to ensure consistency of content while avoiding duplication of efforts. Customized training and a written HIPAA test help ensure that staff members understand the key issues in compliance necessary to perform the specific tasks in their job descriptions. All new employees must be trained within the first 30 days of hire and be tested. I have customized all of my HIPAA tests for each client so that they are unique to their practice, specialty, and geographically area. I do not recommend a template plan because each practice is unique, and it makes a difference whether or not it participates in a physician network. You should also have annual refresher courses for all staff. Keep a file of the dates, content of each session Webinar, and other training that your employees have attended. Make sure that all of your employees have signed that they attended the course and/or read the material and understood its content. Your compliance plan should include a policy on the repercussions for failure to complete training as required.

Maintain discipline.

Discipline becomes more complicated and potentially politically sensitive as regulations broaden to include requirements that take into consideration non-employees and business associates. The most important features in any discipline plan are that it encourages good faith participation in the compliance program by all performing providers and that it is applied consistently. Staff must be held accountable for any compromises in their positions and roles in your practice.

Perform periodic chart audits.

Periodic chart audits should be done at least every six months and can help ensure that the documentation supports the level of service billed. This has been and will continue to be an issue that concerns the government with auditing unnecessary medical services. Documenting auditing results is critical to your compliance efforts, as is documenting any corrective action and educational efforts taken as a result of your audit findings.

Traditionally, risk assessment has focused on four issues: medical necessity, documentation, coding, and billing. Your compliance officer also must have processes in place for meticulously and continually evaluating adherence to the implementation plan; the distribution, use and accounting of funds; and the completeness and accuracy of quality, cost, and other data that may need to be aggregated and delivered to the Centers for Medicare & Medicaid Services or the state.

Take corrective action.

The compliance officer is responsible for ensuring that effective corrective action is swiftly implemented for any identified issues. That officer’s required role also includes communicating the corrective action plan and tracking progress against established goals. Document your findings so that anyone and/or any organization that investigates later sees that you took legitimate actions to deal with the issue and correct it on a timely basis.

Implement a nonintimidation and nonretaliation policy.

You must implement and enforce a policy of nonintimidation and nonretaliation. You have to monitor all disciplinary actions to ensure they can’t be perceived as retaliatory. You also need to ensure that disciplinary actions are being applied equally across the entire network.

Now that you have appointed an individual to be responsible for your plan and program, you must have a code of conduct policy. This is the basic commitment to comply with federal, state, and local rules and regulations applicable to healthcare and your practice. Your compliance officer should have a job description of duties and powers.

We all know how much the rules and regulations in healthcare are changing. Your plan must include general topics, frequency of training, and how you will document completion of training. All polices should be reviewed annually and updated as necessary. Eliminate policies that are no longer appropriate or relevant and replace with new ones. Make sure that you have a template in place that permits you to document when a policy was last reviewed and when it was last changed.

Before starting your review, take a look at the OIG website at www.hhs.gov/oig. It will provide you with references and guidance. Remember that a well-written compliance program provides a roadmap for physicians and staff to follow and shows how a practice does its due diligence in monitoring, education, and documentation.