Is Your Hospital Compliance Program in Compliance? OIG's Draft Supplemental Compliance Program Guidance for Hospitals

Introduction

On June 8, 2004, the Department of Health and Human Services' Office of Inspector General ("OIG") published the "OIG Draft Supplemental Compliance Program Guidance for Hospitals" ("Supplemental CPG").¹ As the name suggests, this guidance document is intended to supplement the OIG's 1998 Compliance Program Guidance ("1998 Guidance")² to: (a) address recent changes in hospital payment systems, regulations, and industry practices; (b) focus on particular risk areas; and (c) provide guidance for evaluating existing hospital compliance programs. The 1998 Guidance has not been replaced by the Supplemental CPG. Rather, the OIG believes that collectively the two documents offer a set of guidelines that hospitals should consider when developing and implementing a new compliance program or evaluating an existing one.

The 1998 Guidance provided hospitals with guidelines for establishing a compliance program. The goal was to assist hospitals in developing "effective internal controls that promote adherence to applicable federal and state law, and the program requirements of federal, state and private health plans." The 1998 Guidance broadly defined the components of a successful compliance program and did not focus on the details.

By contrast, the Supplemental CPG provides more detailed guidelines pertaining to the use and evaluation of existing compliance programs and is intended to be used by hospitals "as a benchmark or comparison against which to measure ongoing efforts and as a roadmap for updating or refining their compliance plans."

What the Supplemental CPG Does Not Include

As with the 1998 Guidance, the Supplemental CPG is not itself a compliance program, and its provisions are not intended to be a one-size-fits all solution to hospital compliance. Hospital administrators and compliance officers should treat the 1998 Guidance and Supplemental CPG as starting points "for a hospital's legal review of its particular practices and for development or refinement of policies and procedures to reduce or eliminate potential risk." And, while following the guidelines may significantly reduce the risk of sanctions, it does not guarantee immunity from them.

What the Supplemental CPG Includes

The Supplemental CPG is meant to provide a hospital with a mechanism for determining whether its compliance program is operating effectively. It covers three main aspects of hospital compliance programs: (a) specific areas that are prone to fraud and abuse; (b) guidelines for evaluating effectiveness; and (c) self-reporting.

Fraud and Abuse Risk Areas

The Supplemental CPG addresses eight specific areas of concern:

• Submissions of accurate claims and information
• Self-referral and anti-kickback statutes
• Payments to reduce or limit services
• The Emergency Medical Treatment and Labor Act ("EMTALA")
• Substandard care
• Relationships with federal health care program beneficiaries
• HIPAA privacy and security rules

Other areas of "general interest" to hospitals such as discounts to uninsured patients, preventive care, and professional courtesy also are addressed in the Supplemental CPG.

The eight risk areas identified by the OIG can be categorized in three ways; (1) problems associated with claim submission or emerging from new regulations; (2) pervasive problems under existing regulations or laws; and (3) problems with providing quality services. The Supplemental CPG is illustrative, not exhaustive, and hospitals always should consult the applicable laws, rules, and regulations.

Problems Pertaining to Claim Submission or Emerging from New Regulations

• Submissions of accurate claims and information
• HIPAA privacy and security rules

The Supplemental CPG discusses evolving risks and those that the OIG considers to be underappreciated by the industry; in particular, risks associated with (a) outpatient procedure coding; (b) admissions and discharges; (c) supplemental payment considerations; and (d) use of information technology. First, the OIG discusses Medicare's Hospital Outpatient Prospective Payment System ("OPPS"), which shifts the basis for Medicare reimbursement from the specific level of resources used to a predetermined amount for each ambulatory payment classification code. The Supplemental CPG recommends that hospitals pay close attention to coder training and qualifications to ensure that outpatient procedure codes are entered correctly. Problems with outpatient coding identified in the Supplemental CPG include billing on an outpatient basis for inpatient-only services, failing to follow fiscal intermediary local medical review policies, and submitting duplicate or incorrect claims.

Second, claims problems arise from admissions and discharges because the patient's status at those points affects the amount and method of reimbursement to the hospital. In particular, the OIG is concerned with hospitals' failure to include all the services provided to a patient that day on one claim ("same-day rule"). The Supplemental CPG also notes abuse of partial hospitalization payments, the occurrence of same-day discharges and readmissions, violations of Medicare's post–acute care transfer policy and improper transfers of patients between co-located hospitals (i.e., a long-term care hospital located within an acute care hospital).

Third, the OIG identifies instances of improper claim submissions for various supplemental payments offered by the Medicare program. These include improper reporting of the costs of "pass-through" items for which Medicare will reimburse hospitals for during a limited transitional period, as well as violations of the new outlier payment rules, incorrect designation of a hospital-affiliate as a "provider-based" entity, improper claims for clinical trials, organ acquisition costs and cardiac rehabilitation services, and violations of Medicare rules related to educational activities expenses.

Fourth, the Supplemental CPG addresses the increased use of information technology. While computerized billing and coding offer greater efficiency, the Supplemental CPG urges a careful screening of all computer systems and software related to coding, billing, and confidential information to ensure accuracy and security, particularly with regard to OPPS billing, which is more data intensive.

Ensuring adequate technology systems also is critical for compliance with HIPAA's new privacy and security rules, especially with respect to disclosure provisions. HIPAA permits hospitals to tailor their policies based on size, resources, and needs. Customized policies, however, require customized evaluation of compliance and the Supplemental CPG recommends that hospitals investigate thoroughly whether they are in compliance with HIPAA requirements.

Recommendation:

Hospitals should ensure that their compliance programs comprehensively address claim submission areas and are updated to reflect the HIPAA privacy and security rules. Hospitals also may want to review the composition of their compliance team and possibly include a representative from the information technology department to ensure compliance with HIPAA and other electronic data requirements.

Pervasive Statutory Risk Areas

• Fraud and abuse statutes;
• Gainsharing arrangements;
• Relationships with federal health care beneficiaries;
• Medicare/Medicaid billing

The Supplemental CPG's identification of pervasive risk areas derives in large part from experience gained through the OIG, Department of Justice, and State Medicaid Fraud Control Unit investigations. Hospitals can expect continued intense scrutiny in these areas. First, the OIG will increasingly review payment arrangements between hospitals and physicians and other providers under the self-referral law (the "Stark" law) and the federal anti-kickback statute. Of general concern to the OIG is the actual or ostensible giving of payments, benefits, or gifts in exchange for patient referrals or in exchange for limiting costly or uninsured services ("gainsharing arrangements"). The relationships that the OIG suggests hospitals scrutinize carefully include joint ventures, compensation arrangements with physicians, relationships with other health care entities, recruitment arrangements, discounts, medical staff credentialing, and malpractice insurance subsidies.

The Supplemental CPG describes the risks associated with the exceptions and safe harbor provisions of the various statutes in question. While these exceptions and safe harbors present circumstances in which common business arrangements are permissible, they require strict compliance with all applicable conditions, a practice the OIG found lacking in its investigations and audits. For example, the OIG is concerned that joint ventures may be structured to disguise payment for past or future referrals in violation of the anti-kickback statute. While a joint venture created as an investment interest in an underserved community constitutes a safe harbor from the statute, hospitals involved in such ventures must nevertheless scrutinize the manner in which participants are selected and retained, the manner in which the joint venture is structured, and the manner in which the investments are financed and profits are distributed, to ensure safe harbor protection.

Similarly, gratuities offered to Medicare or Medicaid beneficiaries must meet safe harbor criteria and should be evaluated as part of the hospital's compliance program. The Supplemental CPG details gifts and gratuities, cost-sharing waivers, and free transportation as risk areas to be scrutinized. In general, the hospital should abstain from giving benefits that "the hospital knows or should know [are] likely to influence the beneficiary's selection of a particular provider...".

Another statutory abuse area that the Supplemental CPG identifies is Medicare and Medicaid billing practices. The Supplemental CPG states that providers do not have to charge everyone the same price, nor must they offer Medicare/Medicaid their best price; however, hospitals "cannot routinely charge Medicare or Medicaid substantially more than they usually charge others."

Recommendation:

Hospitals should re-review and evaluate all physician/hospital payment relationships for compliance with Stark and the anti-kickback statute. Hospitals also should review their compliance policies and procedures with respect to the gainsharing, gratuities, and billing rate problem areas that the OIG identifies and should enhance these policies where needed.

Risks Related to Quality of Services

• Substandard care
• EMTALA

The third type of risks that are discussed in the Supplemental CPG can be categorized as those associated with the quality of patient care and hospital services. The OIG is concerned with two issues. The first encompasses situations where patients receive either unnecessary or substandard services, even where the patient is not a Medicare or Medicaid recipient. While the OIG recognizes that most hospitals are committed to providing quality care, it encourages all institutions to measure their quality against comprehensive standards such as the Medicare Hospital Conditions of Participation. The second issue relates to the provision of quality emergency care notwithstanding the patient's ability to pay. Under EMTALA, hospitals have a responsibility to provide appropriate screening and treatment to the fullest extent of their capabilities. The Supplemental CPG identifies several EMTALA compliance problems hospitals should watch out for, such as rejecting appropriately transferred patients, delaying services in order to determine a patient's insurance status, and transferring a patient when the benefits of doing so do not outweigh the risks.

The Supplemental CPG also responds to inquiries the OIG received with respect to a few areas of general interest. Here, the OIG is concerned with hospitals misconstruing the various regulations and guidelines as restricting their ability to provide needed public services such as discounts to uninsured individuals or community-based preventive care programs. To clarify the OIG's position, the Supplemental CPG states that "[n]o OIG authority, including the federal anti-kickback statute, prohibits or restricts hospitals from offering discounts to uninsured patients who are unable to pay their hospital bills."

Recommendation:

Hospitals should ensure that their compliance programs go beyond mere statutory compliance to include quality of care issues. Hospital staff should receive training on the hospital's responsibility to patients under EMTALA and other regulations. Where a hospital is engaged in providing services to needy individuals or communities, it should ensure that that activity falls within the safe harbor or exclusionary provisions of the pertinent regulations and that the compliance program tracks such activities.

Hospital Compliance Program Effectiveness and Self-Reporting

These sections of the Supplemental CPG focus on the role of corporate leadership, self-assessment of compliance programs, and what hospitals should do when misconduct is detected. While the OIG recognizes that the elements of a successful compliance program can vary, it considers the following factors critical to effectiveness: "commitment of the hospital's governance and management at the highest levels; structures and processes that create effective internal controls; and regular self-assessment and enhancement of the existing compliance program." The OIG recommends that compliance programs include a code of conduct that articulates the hospital's commitment to compliance and outlines the ethical and legal principles under which the hospital must operate. The OIG also urges hospitals to engage in a thorough review of the compliance program at least once a year. This review should assess each of the elements of the compliance program as well as its overall success, and it should focus not only on outcome-indicators, such as billing error rates, but also on the underlying structure of the program.

Evaluation of the Seven Basic Elements of a Compliance Program

• Designation of a Compliance Officer and Compliance Committee;
• Development of Written Policies and Procedures;
• Development of Open Lines of Communication;
• Appropriate Training and Education;
• Internal Monitoring and Auditing;
• Response to Detected Deficiencies;
• Enforcement of Disciplinary Standards

The 1998 Guidance established seven basic elements for a hospital compliance program. The Supplemental CPG now provides a very helpful elaboration on these elements and provides examples of the type of probing that a thorough evaluation of a compliance program should include.

The Supplemental CPG considers the compliance department to be "the backbone of the hospital's compliance program." As such, it should have a clear, well-crafted mission, sufficient resources, proper organization (including ad hoc groups and task forces if needed) and open channels of communication between the compliance team and other hospital departments. In particular, the compliance officer should have direct access to senior management and legal counsel.

The Supplemental CPG recommends that hospitals review their written policies and procedures to determine whether they are relevant and clearly written, widely disseminated to staff, and include risk assessment tools to identify areas of weakness. Hospitals should be continually monitoring staff compliance with these policies and procedures.

The third element to be examined during an evaluation is open lines of communication. The Supplemental CPG outlines several factors that a hospital should look at, such as whether the hospital has fostered a culture that encourages communication without fear of retaliation. In addition, the hospital's communication policies should provide adequate mechanisms for encouraging reporting, such as anonymous hotlines and thorough follow– through on all potential instances of fraud or abuse.

The Supplemental CPG recommends that hospitals evaluate their compliance programs for evidence of qualified trainers, appropriate content, and suitable format. Hospitals also should track participation in training programs and consider imposing sanctions for failure to attend training or, conversely, offer incentives for attendance.

The Supplemental CPG explains that the audit element of a compliance program is designed to reduce the risk of improper claims and billing. Audit programs should be reevaluated annually and should include a thorough review of all billing documentation, including relevant clinical documents supporting the claim. The Supplemental CPG suggests that the audit plan examine billing systems for root causes of errors and evaluate the increase or decrease in error rates. The Supplemental CPG further suggests that auditors be independent, well qualified, and able to perform unscheduled or repeat reviews, as needed.

The Supplemental CPG recommends that hospitals evaluate their mechanisms for responding to detected deficiencies. The OIG suggests that matters should be thoroughly and promptly investigated, corrective action plans should be instituted with periodic reviews to verify successful correction, and violations or overpayments should be reported promptly to the appropriate agency.

Lastly, the Supplemental CPG encourages hospitals to ensure effective internal disciplinary procedures and to "create an organizational culture that emphasizes ethical behavior." The Supplemental CPG recommends that disciplinary standards be readily available, well publicized, and enforced consistently. It further suggests that hospitals document each disciplinary enforcement incident and conduct routine checks of staff against government sanction lists, including the OIG's List of Excluded Individuals/Entities (LEIE)³ and the General Services Administration's Excluded Parties Listing System.

Self-Reporting

Where the hospital, either through the compliance program or via senior management, identifies credible evidence of misconduct and determines that the misconduct may violate a law, the Supplemental CPG states that the hospital should report the finding to appropriate federal or state authorities within a reasonable time, but not more than sixty days after the evidence of a violation is deemed credible.⁴ Doing so, the Supplemental CPG states, "will demonstrate the hospital's good faith and willingness to work with governmental authorities to correct and remedy the problem" and "will be considered a mitigating factor" in determining administrative sanctions should the OIG begin an investigation.

Recommendations

Hospitals should fully integrate regular self-assessment into their compliance program and should carefully consider self-reporting practices.

Conclusion

The Supplemental CPG encourages hospitals to conduct a thorough review of their compliance programs. In doing so, hospitals should pay careful attention to the particular risk areas that the Supplemental CPG identifies and make sure that their compliance programs have kept pace with regulatory changes. In measuring the effectiveness of the compliance program, hospitals should look at the elements described in the Supplemental CPG, as well as other governmental and industry practice benchmarks. Nixon Peabody's Health Services Practice Group has extensive experience in the development, implementation, and assessment of hospital compliance programs and is available to assist you with evaluating your hospital's position in accordance with the Supplemental CPG and other OIG guidelines.

___________________________

If you have any questions or require further information regarding these or other matters, please call your regular Nixon Peabody contact or feel free to contact one of the attorneys listed below:

• in our Garden City office, Claudia Hinrichsen at chinrichsen@nixonpeabody.com
• in our Rochester office, Richard Yarmel at ryarmel@nixonpeabody.com
• in our Providence office, Stephen Zubiago at szubiago@nixonpeabody.com

The foregoing summary is provided by Nixon Peabody for education and informational purposes only. It is not a full analysis of the matter summarized and is not intended and should not be construed as legal advice. This publication may be considered advertising under applicable laws.

If you are not currently on our mailing list and would like to receive future publications of Health Law Alert or if you would like to unsubscribe from this mailing list, please send your contact information, including your name and e-mail address, to lblaney@nixonpeabody.com with the words "Health Law Alert" in the subject line.

___________________________

1. Available at http://oig.hhs.gov/authorities/docs/04/060804hospitaldraftsuppCPGFR.pdf. Interested parties may submit comments to the draft Supplemental CPG on or before July 23, 2004.

2. Available at http://oig.hhs.gov/authorities/docs/cpghosp.pdf

3. Available at http://oig.hhs.gov/fraud/exclusions.html

4. However, to qualify for the "not less than double damages" provision of the False Claims Act, the hospital must report within 30 days. See, 31 U.S.C. §3729(a).