By John Outlaw, CHC, CHBME
When I started my career in health care compliance nearly 15 years ago, compliance programs were just beginning to take hold outside of hospital systems and were a largely foreign concept for physician practices. Back then, they were strictly voluntary, but today compliance programs are a mandatory condition of participation in Medicare as part of the Patient Protection and Affordable Care Act of 2010 (ACA). At the same time, we have experienced tremendous expansion of government oversight of the health care industry that has dramatically increased risk for physician practices.
We have seen new HIPAA privacy and security regulations to secure protected health information (PHI), followed by the HITECH Act, which included mandatory reporting requirements. We have seen the government mandate the use of EHRs and myriad regulations around those. Voluntary reporting in PQRS evolved into mandatory participation in MACRA, and we have seen multiple changes to cost-containment models that impact health care delivery on the front end and reporting on the back end. Add to that major changes to state and federal anti-kickback statutes, physician self-referral laws, and anti-markup rules.
While most people think of the ACA in terms of providing access to health insurance for the uninsured, it also included a host of new federal and state audit mechanisms and enormous investment of resources dedicated to fraud investigation and enforcement action, in addition to mandating the use of compliance programs. Ironically, even the privatization of the government health care programs has added yet another layer of complexity, with health plans creating their own cost-containment rules and increasingly investing in their own fraud prevention activities.
Not that any of those are bad things, but they represent a massive change that has required the investment of significant financial and human resources by the physician community that take away from the practice of medicine. Considering the increased risk, you may be wondering what a private practice can do to protect itself in this complex regulatory environment. I recommend that you begin by not making one of the three biggest mistakes a private practice can make when it comes to regulatory compliance.
The first mistake practices make is simply not having a plan. That plan doesn’t necessarily even need to be a compliance plan per se, but a game plan. At its most basic, a game plan begins with addressing a series of questions related to individual regulatory requirements: What will we do if "X" happens? How are we making sure that "X" happens? What are we doing to protect against "X"?
There is nothing mysterious about a compliance program—it just makes good business sense. Odds are good that your practice already has most of the components in place (code of conduct, policies and procedures, education and training, auditing and monitoring, for instance); they just haven’t been synthesized into a formal game plan yet—that’s a compliance program. You need a plan that anticipates certain possible issues and lays out a course of action to be followed when they arise.
Let’s fill in some of those blanks above: What will we do if we get a recoupment notice from a Recovery Audit Contractor—or the Office of the Inspector General (OIG) or the Department of Justice (DOJ)? How are we making sure that our billing company isn’t billing globally for our PC-only services? What are we doing to protect against unauthorized disclosures of PHI?
The second biggest mistake—a corollary of the first—is assuming that someone else has it covered for you. Often physicians think of compliance strictly in terms of coding and billing issues and believe their billing company has their back. Guess what? The billing company’s compliance program is designed first and foremost to protect the billing company. There are certainly some very good billing companies out there that do a lot of proactive work to keep the physicians informed and educated in the event that their own compliance-related efforts happen to identify irregularities that may implicate the physicians. However, their first priority is to protect themselves.
Physician practices have an obligation to have their own independent compliance programs. In fact, I never cease to be amazed at how many physicians do not know that all of their Medicare Advantage/Part C payor contracts require that they have a compliance program; that as part of that program, they are required to exercise due diligence in overseeing the activities of their billing company and other subcontractors; and that they typically are required to sign an attestation to that effect every year as a condition of participation in the program.
The third biggest mistake is thinking that you are okay as long as you are not knowingly doing anything improper. The OIG does recognize that mistakes happen, but the whole point of a compliance program is to implement controls to reduce the likelihood of those errors and to make sure that when mistakes do happen, they are quickly identified and corrected.
The OIG has opined that if the “mistakes” persist because of a failure to implement effective controls designed to identify, detect and prevent them, then that may itself be viewed as evidence of a fraudulent intent in the form of willful disregard. The DOJ actually considers the failure to have an effective compliance program in place as an “aggravating” factor in making decisions about whether to prosecute a case and the nature and extent of damages to seek.
There is no question that there is a cost associated with implementing compliance programs and related controls to mitigate the risk for these violations—but there could be a much greater cost of not doing so.
John Outlaw, CHC, CHBME, is vice president, compliance services, Strategic Radiology, an IT, data, and performance-improvement membership organization of private radiology practices that provides products, services, and infrastructure to members.