Implementing and Maintaining an Effective Compliance Program Elizabeth Parker, JD Andrew Buffenbarger, MBA, LNHA Management Performance Associates Missouri Health Care Association August 27, 2013
Agenda 1. Compliance: Why We Should Care, Now 2. Building an Effective Compliance Program 3. Auditing and Monitoring Workshop 4. Building a Strong Compliance Officer 5. Current Issues and Risk Areas
Compliance: Why We Should Care, Now Elizabeth Parker, JD Management Performance Associates
Planning Questions 1. Who will be in charge of implementing and overseeing your compliance program? 2. How much time have you committed to implement your compliance program? 3. How much will you budget for your compliance program?
Compliance Is Mandatory March 23, 2013 Medicare/Medicaid Condition of Participation Patient Protection and Affordable Care Act
Federal Health Care regulations are a lot to juggle Nursing Home Administrator HIPAA OIG Screening Kickbacks Stark/Self-Referrals False Claims Accurate billing and cost reporting Medicare & Medicaid requirements Resident Rights Quality of Care
Penalties: HIPAA Civil penalties: up to $50,000 per violation ($1.5 Million annual maximum per type of violation) Criminal penalties: up to $250,000 and 10 years imprisonment
OIG Screening Medicare and Medicaid will not pay for services performed by people whom the government has excluded from participating in Medicare and Medicaid.
Anti-Kickback Statute The Anti-Kickback Statute prohibits giving or receiving anything of value to induce or reward Medicare or Medicaid referrals.
Kickback Penalties Criminal penalties: $25,000; 5 years in prison Civil penalties: $50,000 penalty, civil assessment of up to 3 times the kickback, exclusion from federal health care programs, all False Claims Act penalties
Examples of Illegal Kickbacks A hospice provides free goods or goods below fair market value to a SNF to induce the SNF to refer patients to the hospice A DME company provides free devices to doctors who prescribe and order DME from the DME company An imaging center and medical center agree that the medical center will send its patients to the imaging center—and they will split the profits. A home health company pays a rehab company cash for every patient rehab refers to the home health co.
Rehab Co. Under investigation by the US DOJ for allegedly paying illegal kickbacks: One time fee of $600,000 to a SNF chain to get the rehab contract Billed SNF 70% of the Medicare rate and split the remaining 30% with the SNF
Stark/Self-Referrals The Stark Law prohibits referrals between physicians and health care entities that have certain financial relationships with physicians, such as an ownership or investment interest, or a compensation arrangement.
Penalties: Stark Law Repayment; $15,000 Civil Monetary Penalty per service, 3 times amount claimed, exclusion, False Claims Act liability
Physical Therapy Co PT Co. and a physical therapist paid $62,400 for accepting patients with a physician's order for physical therapy written by the therapist's spouse.
A Missouri Health System A hospital paid $9.3 Million after it self-reported arrangements with 70 doctors, over a decade, with illegal financial incentives to refer patients to the hospital. Doctors received incentive pay based on the Medicare revenue generated from their referrals to the hospital.
The False Claims Act prohibits submitting false or fraudulent claims to the government. Penalties: up to 3 times the claim amount, plus $11,000 per claim
Rehab Co. Paid $1.5 Million for submitting claims to Medicare and Medicaid for services provided by an unlicensed speech therapist.
Nursing Home Co. Paid $953,375 for providing services that were unnecessary, and submitting claims to Medicare. For example, occupational therapy was provided to elderly Alzheimer’s Syndrome patients who could never expect to return to the workforce.
Nursing Home Chain Charged with violating the False Claims Act by encouraging therapists to bill higher amounts and do more expensive therapy—even if patients didn’t need therapy or could be harmed by it. Chain billed nearly 68% of its Medicare rehab days at RUH. The national level is 35%.
Billing and cost reporting Medicare/Medicaid requirements Resident Rights Quality of Care
Civil Monetary Penalties up to $50,000 per violation
Guess the Penalty A hospital discovered that it had made billing errors for the drug Lupron, which resulted in overpayments by Medicare—and did not report the error or repay Medicare.
Guess the Penalty The operator of SNFs in Atlanta submitted claims for inadequate and worthless wound care services.
Guess the Penalty A university medical center submitted false claims: -Double billed Medicare for procedures -Billed for high reimbursement radiation oncology services when a different, less expensive service should have been billed -Billed for procedures without supporting documentation in the medical record -Improperly billed for treatment without corroborating physician supervision
Guess the Penalty A pharmacy employed a pharmacist who had been excluded from participating in Medicare/Medicaid.
Guess the Penalty A hospital entered a settlement in a whistleblower suit to resolve allegations that one of its physicians signed off on vascular tests (billed to Medicare) without reading the tests.
Guess the Penalty Los Angeles area hospitals paid “recruiters” to bring homeless Medicare and Medicaid patients from Skid Row to the hospitals, for treatment that was medically unnecessary.
Guess the Penalty Jury assessed penalties against former owner of a nursing facility for submitting false or fraudulent claims for worthless services
Guess the Penalty Medical equipment company submitted claims for Medicare patients who no longer qualified for the equipment, including patients who had died or were no longer using the equipment.
Guess the Penalty A hospital limited treatments at its outpatient cardiology testing location to cardiologists who referred patients to the hospital. Cardiologists who referred a certain amount of revenue to the hospital were rewarded with more opportunities to treat patients at the outpatient location.
Sometimes Money Isn’t Enough SNF DON sentenced to 3 years in prison on a felony count of elder abuse for ordering administration of psychotropic meds to 23 patients CEO pled no contest to a felony count of conspiracy to commit an act injurious to the public, for her failure to adequately supervise the DON
Sometimes Money Isn’t Enough (Former) RN sentenced to 111 months in prison Helped admit ineligible patients to partial hospitalization program for mental illness Fabricated medical records to support false and fraudulent claims Laundered health care fraud proceeds
Most of Us Don’t Look Good in Orange
Don’t Be the Low Hanging Fruit
Enforcement Is Up OIG enforcement activity, 2011 Result, 2012 Result: Recoveries from audits and investigations, $5.2 Billion, $6.9 Billion; Individuals/entities excluded from Federal health care programs; Criminal actions brought against individuals/entities; Civil actions brought (false claims lawsuits, civil monetary penalty settlements, provider self-disclosures)
ABC Nursing Home Paid $675,000 for submitting claims for therapy (provided by Therapy Co) that did not match the residents’ needs. Home is suing Therapy Co for negligence and breach of contract. We don’t know if Therapy Co will face government penalties.
Nursing home CIA 5 years Establish and maintain Compliance Program Independent review of: MDS Therapy systems assessment Unallowable cost review Validation review by the OIG
Nursing Home CIA Must report to OIG: All government investigations Substantial overpayments Probable violations of the law Employment of/contracts with excluded providers Bankruptcy Failure to provide quality care Implementation report Annual reports
Building an Effective Compliance Program
What is a Compliance Program? A system of policies and procedures, monitoring and auditing tools, communication and reporting methods, enforcement, and leadership, designed to follow federal and state laws and federal healthcare program requirements.
Why Do We Need Compliance? Comply with health care laws and program requirements Ensure excellent quality and accurate billing Minimize risk of government penalties Identify and correct compliance problems as soon as possible
Is Your Plan Effective? Criminal sanctions may be mitigated by a compliance program, but only if that program is effective. Most SNFs lack the policies & procedures, staff training, audit functions, and regulatory updates to keep their compliance programs effective.
Required Compliance Program Components Written Policies & Procedures, Code of Conduct Compliance Officer & Compliance Committee Training and Education Effective Lines of Communication Enforcement of Standards Responding Promptly to Detected Offenses and Taking Corrective Action Auditing and Monitoring
Risk Areas Quality of Care Resident Rights Billing & Cost Reporting Employee Screening Kickbacks, Inducements and Self-Referrals Submission of Accurate Claims HIPAA Privacy and Security Record Creation and Retention Anti-Supplementation Medicare Part D
Where Do I Start? Identify risk with a baseline audit: Identify risk areas Identify strengths and weaknesses Seek input from all departments Always be on the lookout for “new” risks
Periodic Audits …keep your compliance program effective
Annual Review Annual Review of the overall effectiveness of the compliance program
Benefits of Compliance Minimize financial loss with reduced sanctions and penalties Improve quality of care and enhance your reputation Lower exposure to liability Reduce whistleblowing Minimize repayments
Auditing and Monitoring Workshop Andrew Buffenbarger, MBA, LNHA Management Performance Associates Missouri Health Care Association August 27, 2013
Auditing Employee Screening for OIG Exclusion Does your pre-employment screening meet the requirement? Do you screen contractors? Do you screen volunteers? Do you screen directors, officers, and/or board members? Do you screen before hire and monthly?
Auditing Employee Screening for OIG Exclusion Your employee screening P&P should require: -OIG exclusion, GSA suspension/debarment, and state exclusion list screens for new employees, volunteers, directors and vendors, plus periodic re-checks
Auditing Employee Screening for OIG Exclusion Task breakdown Category: OIG exclusion, GSA suspension, State (Medicaid) exclusion, Criminal background. Employee, Director/Officer: X, X, X, X. Contractor: X, X, X, Require by contract. Volunteer: X
Auditing Consequences The OIG will assess penalties to SNFs that employ or contract with an excluded provider. – Re-pay Medicare and/or Medicaid reimbursement associated with the specific employee or contractor – Assign civil money penalties including fines and treble damages – Potentially become excluded from participation in state and federal health care programs
Auditing Employee Screening for OIG Exclusion The OIG is looking for individuals that pose a risk to the beneficiaries of Medicare, Medicaid, and all other Federal health care programs. Exclusions occur as a result of fraud and abuse convictions, program related convictions, licensure action, and others.
Auditing Employee Screening for OIG Exclusion How do we audit this? See if P&P require these screens -Interview staff responsible for hiring to determine if they understand these P&P, and if they are followed -Check employee/vendor/volunteer files to verify OIG exclusion check was documented -Review contracts to ensure vendors conduct similar screens
Auditing Therapy Therapy (part A & B) is a constant focal point for investigators. Medicare expenditures in SNFs have more than doubled in the last decade (OIG work plan, 2013). An OIG investigation will certainly include a review of your therapy documentation.
Auditing Therapy Regular audits are essential to minimizing your exposure to false claims Start with a therapy checklist, assign the audit process to someone outside of the therapy department, and report results to the Compliance Officer and Committee
Quality Assurance Program Quality assurance programs are your best tool to drive strong quality outcomes and avoid penalties. A nursing home paid $305,072 and was required to hire a full-time physician or NP after it was found to have sub-standard pressure ulcer treatment and prevention, incontinence care, pain management, nutrition, weight monitoring, infection control, and diabetic care.
CMS Guidance for QA CMS released guidance to SNFs regarding the development of a QA program. Quality Assessment and Performance Improvement (QAPI) Five elements
QA Program Setup Five Elements Design and Scope Governance and Leadership Feedback, Data Systems, and Monitoring Performance Improvement Projects Systematic Analysis and Systemic Action
QAPI Design and Scope Your Quality Assurance program should focus on these key elements – Clinical care – Quality of life – Resident choice – Care transitions
QAPI Governance and Leadership Executive leadership – Committee members should have the authority to direct work processes and take corrective action Setting facility priorities – establish quality indicators Training, equipment, allocating staff time
QAPI Feedback, Data Systems and Monitoring Systems to monitor care Auditing tools and methods Collect data for analysis
QAPI Performance Improvement Projects (PIPs) Concentrated analysis Review areas of concern Well documented, thorough investigation
QAPI Systematic Analysis and Systemic Action Root cause, or similar, analysis Repeatable, policy driven solutions Documented approach Full disclosure to the Committee
Quality Assurance Approach Example Quality Indicator, Result, Target, Variance from target, Variance report: Incidence of new fractures, 1, 0, 1, Yes. Event Resident is found on the floor in her room with a fractured hip at Resident cannot report.
Variance Reporting Assemble facts in a storyline. – Use interviews to determine what may have caused the resident to be on the floor. Interview the roommate if applicable. Interview the night shift staff using the “who, what, where, when, and how?” approach for an initial understanding of the event.
Event Review – Initial Understanding R1 is found on the floor in her room with fractured hip at Resident cannot report. Roommate R2 reports R1 was assisted to bed by E1 using a sit-to-stand lift. R1 was not assisted to the restroom prior to bed. E2 reports EMTs took R1 to the hospital with probable Fx hip. Hospital confirmed Fx. R2 reports R1 was restless and tried to get out of bed without help. E2 reports that R1 had noticeably outward rotation to her hip. 911 called, physician, family, DON & Admin notified. R2 reports E1 entered the room in less than one minute, then called from the doorway for the nurse E2. E2 entered the room immediately thereafter. R2 reports R1 tried to stand from bed and immediately fell to the floor. R2 turned on her call light to summon staff.
Analysis Where are the gaps in the story? Who will you interview? What will you ask? Drill down for details
Final Step Variance reporting – Report your summary of findings and action plan to the QA Committee. – Use the QA meeting to track the progress of your action plan. – Hold people accountable for results. We’re protecting the frail elderly – we do not let this go.
Quality Assurance Program Good QA programs are comprehensive and fluid. – Strong, consistent committee – Standard quality indicators – Performance expectations – Variance analysis – Variable quality indicators to address current issues
Quality Assurance Program QA is a key communication tool. What do you want to share with your staff?
Program Integration Use QA to monitor your compliance program efforts – P&P reviews – Complaint log/action – Staff training – Billing audit results
Auditing Summary Conduct pre-employment screens using the OIG exclusion list, GSA suspension/debarment list, State exclusion list (if applicable), and criminal background check Repeat screens monthly Screen contractors/vendors and require similar screens in contract language Conduct criminal background checks on volunteers
Auditing Summary Quality assurance program – Five elements – Proactive, reactive, effective – Therapy audits Auditing – Employee screening and therapy are only two of the many audits that should be performed.
Building a Strong Compliance Officer Andrew Buffenbarger, MBA, LNHA Management Performance Associates Missouri Health Care Association August 27, 2013
What is a Compliance Officer First, let’s hear from you about the role of a compliance officer.
Compliance Officer 101 Continued Developing a position description will guide your selection Essential duties – Oversee and monitor the implementation of a corporate compliance program – Help the organization, through policies and procedures, auditing, and training, minimize the risk of fraud and abuse
Compliance Officer 101 Continued Manage facility audits, collect data, develop responsive action plans, report to the Compliance Committee Receive, log, and respond to compliance hotline reports Facilitate or conduct compliance training for directors, officers, and employees
Compliance Officer 101 Continued Manage employee, officer, contractor, and volunteer screening Oversee HIPAA compliance activity Participate in the Quality Assurance program Conduct annual compliance program review and update Ensure contractors are aware of your compliance program and resident rights
Compliance Officer Selection What qualifications would you look for when selecting a Compliance Officer?
Compliance Officer Selection Continued Suggested background and experience – Extensive experience in regulatory compliance in a skilled nursing facility or similar environment – Clinical experience is helpful – Experience reporting to a Board or senior leadership – Data system creation and use, auditing, and strong analytical skills – Education across multiple organizational levels
Compliance Officer Selection continued Highly organized Advanced investigative skills and experience with root cause analysis Experience with quality assurance programs including development and implementation Understanding of the billing systems applicable to your organization General understanding of the inner workings of all departments applicable to your organization
General Information A CO can hold another position within the organization at the same time, i.e., staff development coordinator, quality assurance nurse During interview and selection, consider that this person will have to interact with Board members, CNAs, housekeepers, department leaders, contractors, volunteers, and regulators
CO Integration The CO will be highly visible. Acquaint him/her with everyone in the organization Walk through key focus areas – as documented in the Corporate Compliance Program – Billing – QA – Care delivery – Dining and culture – Software systems – Employee screening and on-boarding – P&P
Getting Started Seven Steps You’ve selected, hired, and oriented the CO. Now what? Here are the seven steps to creating a compliance program
Getting Started Step 1 Create a job description and an organizational policy for the Officer and Committee Appoint a Compliance Officer with the right combination of education and experience Appoint a Compliance Committee
Getting Started Step 2 Conduct a baseline assessment of your current compliance level – Training and education – Lines of communication – Enforcement of standards – Monitoring and auditing – Response to detected offenses/corrective action
Getting Started Step 2 continued Assess your current policies and procedures in the following risk areas: – Quality of care – Resident rights and safety – Employee screening – Billing and claims submission – Cost reporting – Kickbacks, inducements, self referrals
Getting Started Step 2 continued Creation and retention of records HIPAA Anti-supplementation Medicare D plan selection
Getting Started Step 3 Develop plan documents – Compliance program document – Code of conduct – P&P addressing each risk area
Getting Started Step 4 Train and educate – Provide compliance training to all employees, officers, directors, owners upon hire and annually – Create a training schedule for each risk area
Getting Started Step 5 Audit and Monitor – Develop audit tools for each risk area – Schedule audits throughout the year – Assign responsibility for audits – Develop a reporting mechanism for audit results
Getting Started Step 6 Review annually – Celebrate progress – Identify areas where you can advance compliance even further
Getting Started Step 7 Stay current – Monitor and incorporate updates into your Compliance Program New regulations OIG updates Recent enforcement actions
Quick Poll Who has a CO in place? Do they hold another position within the facility? What is it? What do they do? Is there anything else you think they should do? What advice would you give others about recruiting, selecting, hiring, and employing a CO?
Use the Momentum Your Compliance Officer is the key to a successful program. Use this discussion as the catalyst for the development of a fully operational Compliance Program led by an outstanding Compliance Officer!
Current Issues and Risk Areas Elizabeth Parker, JD Management Performance Associates Missouri Health Care Association August 27, 2013
OIG Work Plan 2013 Waste (unnecessary services) Patient safety Quality of care Fraud and abuse
Waste (Unnecessary Services) Claims processing errors – Medicare payments for Part B claims with G modifiers Payments for services after beneficiaries’ death
Patient Safety Adverse events in post-acute care for Medicare beneficiaries Use of atypical antipsychotic drugs Communicable disease care
Quality of Care Medicare requirements for quality of care Medicaid waivers – adult day health care services
Fraud and Abuse Hospices – marketing practices and financial relationships with SNFs Payments for alien beneficiaries unlawfully present in the U.S. on the dates of services
OIG Finds 25% of SNF Claims Faulty 20.3%: Claims with an inaccurate RUG (upcoded). 2.5%: Claims with an inaccurate RUG (downcoded) 2.1%: Claims that did not meet Medicare coverage requirements
OIG finds 25% of SNF claims faulty Increase and expand review of SNF claims Identify SNFs that are billing for higher paying RUGs Monitor compliance with new therapy assessments Change the method for determining how much therapy is needed Improve the accuracy of MDS items Follow up on the SNFs that billed in error
Increased Scrutiny of Therapy Fairfax Nursing Center $700,000 Knowingly submitting claims for non-reimbursable therapy
OIG finds 25% of SNF claims faulty How can we prepare for increased review of SNF claims?
HIPAA: Old Penalties (Pre 2009) $100 maximum per violation $25,000 yearly limit for identical violations $0 if unaware of the violation
HIPAA: Increased Civil Penalties Did not know/would not have known: At least $100, max. $50,000 per violation. Reasonable cause but not willful neglect: At least $1,000, max. $50,000 per violation. Willful neglect, corrected in 30 days: At least $10,000, max. $50,000 per violation. Willful neglect, not corrected 30 days: At least $50,000 per violation. * For identical violations in a calendar year, $1.5M max
HIPAA: Criminal Penalties Up to $250,000 Up to 10 years imprisonment
HIPAA: Increased Enforcement Health System, $4.3 Million Hospital, $1 Million Health System, $865,000 Former Employee, 4 months in jail
When Penalties and Jail Time Aren’t Enough… Health System Face sheets and unencrypted digital files of patient information were stolen Sued for $50 million
PHI The Privacy and Security Rules protect PHI: information that can identify a patient and relates to the patient’s health condition, treatment, and payment for treatment. PHI can be used for treatment, payment, and health care operations. For any other purpose, the use must have a patient authorization, or be permitted by written HIPAA policies and procedures.
Need To Know Basis HIPAA keeps us on a “need to know basis.” If you don’t need to access PHI to do your specific job or provide patient care, don’t access it. When you need to share PHI, keep others on a need to know basis as well—only share the minimum necessary PHI to accomplish the task.
Patient Rights Right to receive Notice of Privacy Practices Right to access their own PHI Right to request to amend their PHI Right to request confidential communication (e.g. cell phone or office number only) Right to request an accounting of disclosures of their PHI Right to give permission to discuss PHI with family & friends
Protecting PHI Change passwords frequently, never share Lock laptops and other devices Log off when you leave your desk; use automatic log-off Don’t download software or install hardware without approval Avoid sending PHI over . When is required, follow policy.
Protecting PHI Avoid discussing patients in public spaces or areas where you can be overheard. Keep patient files and other documents with PHI on them locked away, or placed upside down so they can’t be seen. Lock your computer screen. Position your monitor so people cannot see your screen when they walk by Verify identity of anyone requesting PHI
Protecting PHI Do not leave PHI on printers, fax machines, copiers Do not leave PHI on your workstation After using PHI, destroy copies using the shred bin Only remove PHI from work if absolutely necessary. Never leave PHI unattended or in your car Call IT if your smart phone is lost or stolen Do not store passwords on your PDA
Breach Notification When PHI is breached (stolen, lost, hacked, inadvertently given to the wrong party, etc.), must notify the patient(s) involved, the government, and sometimes the media. If you learn of a potential breach, immediately notify your privacy officer
HIPAA: Penalties for Breaches August 273, 2012: First settlement involving the HITECH Breach Notification Rule Blue Cross Blue Shield of TN paid $1.5M
HIPAA: Top 5 Violations Impermissible uses and disclosures of PHI Lack of safeguards of PHI Lack of patient access to their PHI Uses or disclosures of more than the minimum necessary PHI Lack of administrative safeguards of ePHI
HIPAA: Audits Required by HITECH 150 audits by the end of this year Must provide P&P within 10 days Site visit
HIPAA: To Do Privacy Rule policies, procedures, forms Security Rule risk assessment, P&P Business Associate Agreements Breach notification P&P, forms Training
HIPAA: Social Media Do you trust your employees?
HIPAA: Social Media “It’s just Facebook,” “I’ll post what I want” Photos of residents are PHI Patient name not required
HIPAA: Social Media Educate your employees about social media use
HIPAA: Portable Devices E.g. smartphones, tablets, laptops Settlement: $1.5 Million