The HHS Office of Inspector General (OIG) has released long-awaited compliance program guidelines for hospitals. Recognizing that "one size does not fit all," the OIG abandoned its initial efforts to develop a model plan and instead released guidelines for hospitals to consider in connection with the development of their own compliance programs. This more flexible approach will permit hospitals to tailor programs to fit their their needs and financial resources. The purpose of this issue of Health Law Developments is to provide our clients and friends with a summary of the most significant provisions of the new guidelines.
While the guidelines are strictly voluntary, the OIG is strongly encouraging hospitals to develop compliance programs. Will hospitals with compliance programs be treated more leniently by the OIG if they run afoul of the law? The new guidelines state that the OIG "will consider the existence of an effective compliance program that pre-dated any Government investigation when addressing the appropriateness of administrative penalties." However, the existence of an effective compliance program will not insulate hospitals from government prosecution. Hospitals should recognize that the new guidelines are not in and of themselves a compliance program. Instead, they are intended to serve as framework for compliance program development.
The guidelines identify the following seven fundamental elements of an effective compliance program:
- Written Policies, Procedures and Standards of Conduct
- Designation of a Compliance Officer and Compliance Committee
- Conducting Effective Training and Education
- Developing Effective Lines of Communication
- Enforcing Standards Though Well-Publicized Disciplinary Guidelines
- Auditing and Monitoring
- Responding to Detected Offenses and Developing Corrective Action Initiatives
The guidelines are not without controversy. Of particular concern to hospitals are the comments of the OIG regarding compliance officers and the recommendation by the OIG that hospitals report misconduct to the government within a reasonable period of time (not to exceed 60 days) after determining that there is credible evidence of a violation.
- Development and distribution of written policies, procedures and standards of conduct.
The guidelines provide that every compliance program should develop and distribute written compliance policies identifying specific areas of risk. These should include standards of conduct that clearly explain the hospital's commitment to compliance, with particular emphasis on preventing fraud and abuse. The policies and procedures should consider the regulatory exposure of the hospital and address the following areas of special concern that have been identified by the OIG through investigations and audits:
- Billing for services not actually rendered
- Providing medically unnecessary services
- DRG Creep
- Outpatient services rendered in connection with inpatients stays
- Teaching physician and resident requirements for teaching hospitals
- uplicate billing
- False cost reports
- Billing for discharge in lieu of transfer
- Patient's freedom of choice
- Credit balances - failure to refund
- Hospital incentives that violate the anti-kickback statute or other similar federal or statute or regulations
- Joint ventures that may violate the anti-kickback statute
- Financial arrangement between hospitals and hospital-based physicians
- Stark physician self-referral issues
- Knowing failure to provide covered services or necessary care to members of a health maintenance organization
- Patient dumping
- Designation of a compliance officer and establishment of a compliance committee.
The guidelines state that every hospital should designate a high-level official to serve as the compliance officer. Depending on the size and resources of the hospital, it may be a full-time position or a position in which compliance duties are performed in addition to other responsibilities. The compliance officer should have direct access to the governing body and the chief executive officer, and sufficient funding and staff. The guidelines also recommend that a compliance committee be formed to assist the compliance officer in the implementation and operation of the compliance program. One of the most controversial provisions of the guidelines is the suggestion by the OIG that the compliance function should be independent of the hospital's general counsel. If this suggestion is adopted, compliance activities will take place outside of the protection afforded provided by the attorney-client privilege, which may provide confidentiality for certain communications. Hospitals are strongly encouraged to discuss with legal counsel the implications of electing to follow the OIG's recommendations in this area.
- Conducting effective training and education.
An effective compliance program should require employees to attend training sessions on a periodic basis. How much training is required? The answer will vary depending upon the duties and responsibilities of each hospital department. The guidelines note that, in corporate integrity agreements, the OIG typically requires a minimum of one to three hours annually for basic training and more for specialty fields such as billing and coding. All educational activities should be documented by the compliance officer. The guidelines suggest the following educational topics:
- Fraud and abuse laws
- Coding requirements
- Claim development and submission process
- Marketing practices
- Government and private payor reimbursement principles
- General prohibitions on paying or receiving remuneration to induce referral
- Proper confirmation of diagnoses
- Billing requirement for services incident to a physician's services
- Requirements for physician authorization of services
- Alteration to medical records
- Prescribing medications without proper authorization
- Proper documentation of services rendered
- Reporting misconduct
- Developing effective lines of communication.
There should be open communication between the compliance officer and hospital personnel. The guidelines suggest the development and distribution of written confidentiality and non-retaliation policies to promote the reporting of potential fraudulent activity. They also suggest that several independent reporting paths be developed so that reporting cannot be diverted or otherwise discouraged by supervisors or other personnel. The OIG encourages the use of hotlines, E-mail, written memoranda and newsletters.
- Enforcing standards through well-publicized disciplinary guidelines.
This element requires disciplinary action for employees who fail to comply with the hospital's standards of conduct or federal or state law. While the guidelines suggest that the compliance program should specify the degrees of disciplinary action that may be imposed, it may be sufficient for hospitals to use existing HR policies and procedures. The guidelines also state that hospitals should conduct background investigations, including reference checks on new hires who may have discretionary authority to make decisions that involve compliance issues. Employment applications should require applicants to disclose any criminal convictions or exclusions from participation in the Medicare or Medicaid program. Individuals who have been recently convicted of crimes relating to health care or who are debarred, excluded or otherwise ineligible to participate in Medicare, Medicaid or other federal health care programs should not be eligible for hospital employment.
- Auditing and monitoring.
This element requires ongoing evaluation of the compliance program through various techniques, including the performance of periodic audits addressing compliance with anti-kickback rules, the Stark physician-self-referral rules, coding requirements, billing practices, reimbursement, cost reporting, marketing and other areas of concern identified through OIG special fraud alerts, OIG audits and OIG enforcement initiatives. Although the OIG recommends the establishment of initial benchmarks when the compliance program is established, the guidelines do not provide a very good explanation of how the benchmarking program should work. It appears that the OIG may be contemplating something along the lines of the test utilization monitoring procedures discussed in the Model Compliance Plan for Clinical Laboratories. In this Plan, the OIG advises labs to track data on the top 30 procedures billed to Medicare each year, and if utilization increases 10% or more, the laboratory should determine the cause of such growth. Hospitals should consult with legal counsel before initiating an audit program. Hospitals must make sure that they clearly understand potential exposure and reporting obligations which may arise as a result of auditing programs.
- Responding to detected offenses and developing corrective action initiatives.
The OIG's recommendations with respect to investigations and reporting of misconduct are the most controversial provisions of the new guidelines. The OIG recommends that hospitals promptly investigate reports of misconduct and take to steps to correct any violations which have occurred. According to the OIG, "such steps may include an immediate referral to criminal and/or civil law enforcement authorities, a corrective action plan, a report to the government, and the repayment of overpayments." The guidelines also state that hospitals should promptly "report the existence of misconduct to the appropriate governmental authority within a reasonable period, but not more than sixty (60) days after determining that there is credible evidence of a violation." While there may be advantages to prompt reporting of misconduct, such as possible reduction of administrative sanctions and monetary penalties, the investigation and possible reporting of alleged misconduct raise complex and sensitive legal issues which should be discussed with legal counsel before any such activities are initiated.
The guidelines are the most detailed explanation to date of the OIG's views on hospital compliance programs. They should prove to be a valuable resource for hospitals involved in the establishment of compliance programs. A copy of the guidelines may be obtained from any member of the Dykema Gossett Health Care Group.