1. The Compliance Evolution: Challenges of Staying Compliant within Your Health Care Practice Setting
Leigh Davitian, JD
Chief Executive Officer
Dumbarton Group and Associates
October 2016

2. DISCLAIMER: Presenter is 100% Non-Partisan During Today’s Presentation

3. “They are a BASKETS of DEPLORABLES”

4. “Did you see her face? That’s a face of a President?”

5. Inside the Beltway: TOTAL DYSFUNCTION
-Gate
Server-Gate
First Husband-Gate
Clinton Inc-Gate
Ms. America-Gate
Hollywood Access-Gate
Grope-Gate
Rigged-Gate
Suppression-Gate
Media-Gate
Gaffe-Gate

6. Washington is Burning …

7. Day and Life in Congress
Number of legislative days for the House each year in recent
2015: 157
2014: 135
2013: 159 
2012: 153
2011: 175
2010: 127

8. 2016: 110 days worked

9. Salaries of the Dyfunctional
President of the United of States
$400,000
Vice President of United States
$231,900
House of Representatives/Senate
$174,000
Lifetime health care insurance
Comfortable pension

10. Interesting Congressional Facts
Currently, 11,644 bills and resolutions currently before the United States Congress
Only about 1% will become law
Congress works in two-year legislative sessions
114th Congress began on Jan 6, 2015
114th Congress ends on Jan 3, 2017
If legislation not passed, “dies”

11. Congressional Acts of in 2016
National Bison Act of 2016
Freedom of Information Improvement Act
Bathrooms Accessible in Every Situation Act
Making Electronic Government Accountable By Yielding Tangible Efficienies Act of 2016
American Tourism and Improving Visitor Experience Act
Library of Congress Sound/Film Recording Act

12. Good Laws CAN Happen
Improving Medicare Post-Acute Transformation Act (IMPACT)
Medicare Access and Chip Reauthorization Act (MACRA)
21st Century Cures
Home Health Improvement Act

13. 10 Challenges for Physician Practices in 2016/2017

14. (1) Technology Advances
Practice owners can expect some big health information technology expenses in 2016/17
Fully understand all of these programs
Afford associated operational implications
Sticker shock: The cost of technology is expensive
EHR is $30,000 upfront cost; $5,000 yearly

15. (2) ICD- 10 Coding Readiness
(1) ICD-10 claims readiness
International Code of Diseases Version 10 is a system of coding created by the World Health Organization
45,000 more codes than ICD-9
Very formal process with complicated forms
Very expensive (based on size) $80,000 to millions

16. (3) Meaningful Use 2
Physicians using certified Electronic Health Record technology
Improve quality, safety, efficiency, and reduce health disparities
Engages patients and families in their health care
Improves care coordination
Captures data and allows sharing
Promotes advance clinical processes
Improves health outcomes
Maintains privacy and security

17. Meaningful Use 2
The biggest challenges many doctors are facing with Meaning Use 2 is meeting the requirements for electronically exchanging patients’ health information with other providers, especially those using a different EHR

18. (4) Retaining Staff Higher staff turnover means new practice costs
Qualified staff who understand changing environment of health care
Willing to be consistency trained/educated based on new regulations
Flexibility and efficiency – staff need to be flexible
New paradyms of health care partners a physician may need to work with … staff must be adaptable

19. (5) Changing Patient Populations
Increased patient base
Millions of Americans without health insurance now have it because of Obamacare Health insurance exchanges
Medicaid expansion
Physicians now be “financial therapists”
Need to talk about “taboo” issues like cost of procedures, meeting deductibles, out-of-pocket expenses
Many physicians NOW charge fees in advance!!

20. Changing Patient Populations
Increased “informed” patients
Paging Dr. Google
Online self-diagnoses
Patients are less likely to take what a physician tells them at face value
Pro-active patients are a generally good thing, but they present new challenges to physicians
Longer doctor appointments

21. (6) Prior Authorization
Prior authorizations consume time, money
Prior authorizations continue to sap time and money from practices
With more time and staff dedicated to communicating with payers, prior authorization activities can cost a practice up to $5,000 per full-time physician
Many advocating if an authorization has to be done, insurance companies should allow a higher level of billing for the visit or a surcharge

22. (7) Getting Paid – ACA changes
The ACA has changed the way physicians are getting paid based
Changes from fee-for-service medicine to consumer-centered care that rewards quality outcomes
Everything is tied to value-based reimbursement meaning you are paid/rewarded on quality not quantity

23. Getting Paid – ACA changes
Many variations are surfacing
Bundled payments for services
Episode of care (providers paid to treat a specific condition over a period of time)
Physician Quality Reporting System (incorporating quality metrics)
Shared savings programs

24. (8) Clean Claims Tied to Payment
A clean claim has:
No defect
Complete and accurate
A provider submits a clean claim by
Providing the required data elements on the standard claims forms
Attachments and additional elements
Revisions to data elements, attachments and additional elements, of which the provider has knowledge

25. (9) HIPAA, HITECH and Cybersecurity
Protecting WHO has access
Protecting HOW information is transmitted
Understanding what to do if there is a “breach”
Implementing new cybersecurity safeguards
Educating pertinent staff of importance

26. (10) Enhanced Enforcement in Federal Laws
Physician Self-Referral Law (42 U.S.C. Section 1395)
Exclusion Statute (42 U.S.C. 1320a-7)
Civil Monetary Penalties (42 U.S.C. Section 1320a-7a)
Anti-Kickback Statute (42 U.S.C. Section 1320a-7b(b)
HIPAA and HITECH (42 U.S.C )
False Claim Act (31 U.S.C. Section )
Affordable Care Act – (42 U.S.C )

27. Knowing the “Three-Headed Monster”

28. “Three- Headed Monster”
Three important Federal statutes applicable your profession:
HIPAA and HITECH
FALSE CLAIMS ACT (FCA)
AFFORDABLE CARE ACT (ACA)

29. 10 Titles of the Affordable Care Act
Title I. Quality, Affordable Health Care for All Title II. The Role of Public Programs Title III. Improving Quality, Efficiency of Health Care Title IV. Prevention of Chronic Disease Title V. Enhancing Health Care Workforce Title VI. Transparency and Program Integrity Title VII. Improving Access to Innovative Medicine Title VIII. Community Living Assistance Title IX. Revenue Provisions Title X. Reauthorization of Indian Health Care
2400 pages

30. ACA: Enhanced Enforcement
Allocated additional funds for enforcement efforts
Allocated abilities to increase investigation staff/agents
Increased the authority of said staff/agents
Tough enforcement is a reality but it is only one part of the compliance message – the more important message that should be emphasized is a positive message: An effective ethics and compliance program contributes to the bottom-line profitability of a company.

31. Goals of Affordable Care Act
(1) Identify fraud and abuse
(2) Identify waste and errors
Eliminate old providers from the Medicare program
Minimize new providers from entering Medicare program
(5) Reduce overall payment errors
(6) Recover billions of dollars in improper payments
To achieve these goals, the Centers for Medicare & Medicaid Services (CMS) has initiated a number of projects, focused on improper payments. Although all fraudulent claims are improper payments, not all improper payments are fraudulent claims; most are due to documentation errors

32. Fundamentals of Fraud and Abuse
Medicare fraud is:
When one obtains or attempts to obtain services or payments by dishonest means with intent and knowledge and willingness
Medicare abuse is:
When one does not follow good medical practices, inconsistent with accepted sound medical, business, or fiscal practices and result in unnecessary costs, improper payments or services not medically necessary

33. Evolution of Fraud and Abuse: New Categories
Medicare, Medicaid no longer tolerates “ERRORs”
Human error
Computer error
Sloppiness
Laziness
Lack of sophistication
Medicare, Medicaid no longer tolerates “WASTE”
Incurring unnecessary costs as a result of deficient management, practices, or controls (such as over-prescribing/utilization)
Misuse
Excess
Superfluous

34. False Claims Act (FCA)

35. Three Important Areas of FCA
To establish liability, it must be proven that a defendant “knowingly submitted or caused to be submitted a false claim for reimbursement of services”
A claim need not be entirely fraudulent in order to violate the FCA
Government focuses on use of any false statement or documentation in support of a claim for government funds

36. Caveat: All Physicians
Claims being submitted by physicians must be “implicitly and explicitly” certified by the physician that documents/claims are accurate
Physicians must authenticate claims or documents are NOT only accurate but also complete
Support documentation for items or services needs to support the claim submission

37. FCA has BROAD Implications
Unclean Claims Submission
Reverse False Claims = 60-day Overpayment Rule
Whistleblower Incentives/Qui Tam Lawsuits

38. Violations of FCA
Categories of healthcare fraud, abuse often involve allegations of:
Simple billing errors
Submission of “unclean claims”
Incomplete claims submission
Upcoding of services
Billing for more services than prescribed or actually rendered
Lack of documentation in the records to support the services
Alteration of records (retroactively) to get services covered

39. Internal Audits: Medicare Overpayments

40. Medicare 60-Day Overpayment Rule
Section 6402(a) of the Affordable Care Act established a new section 1128J(d) (1) of the Act
In summary:
Requires a provider who has received an overpayment to report and return such overpayment to the appropriate entity and to notify said entity the reason for the overpayment within in 60 days of actual knowledge…

41. Major Provisions 60-Day Rule
The major provisions of this final rule include:
Meaning of “Identification”
Thorough “due diligence”
Report and Return Overpayments
Dumbarton Group

42. Whistleblower Protections
Employees reporting “suspicious”activity of an employer on increase
Contacting government investigate agencies with solid information
The FCA protects employees who report a FCA violation
Discrimination
Harassment
Suspension or termination of employment as a result of reporting possible fraud

43. HIPAA, HITECH and Cyber Security

44. Simple Definition of HIPAA
Privacy - controlling who is authorized to access information
45 CFR Part 160 and Part 164, Subparts A &E
Security – controlling the what and how
45 CFR Part 160 and Part 164, Subparts A &C
Dumbarton Group

45. Protected Health Information (PHI)
“Individually identifiable health information...that is transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium.”
DEFINE SIMPLY

46. Protected PHI Patient name Social security numbers Health plan numbers
All geographic subdivisions smaller than state
All elements of dates related to patient
(Date of Birth, Admission, Discharge or Death)
Telephone numbers
Electronic addresses
Full face photographs

47. PROTECTS: Written Spoken Electronic

48. Compliance Issues Investigated
In order of frequency:
Impermissible uses and disclosures of protected health information
Lack of safeguards of protected health information
Lack of patient access to their protected health information
Lack of administrative safeguards of electronic protected health information (encryption)

49. What does one do if PHI is “breached”?

50. Hypothetical #1
Physician employee has possession of work laptop to assist him/her with daily responsibilities. Employee takes computer home. Employees child uses computer and sends protected patient information to friends.

51. Hypothetical #2
Physician employee sends 30 faxes to a wrong fax number. Fax contained customers diagnoses, treatment plan, insurance information. Transmission happened over a 3 day period.

52. What do you do first?

53. Perform a Breach Analysis
4 Primary Factors
(1) Nature and Extent of PHI
What was shared?
How detailed?
(2) To whom the disclosure was made
Known entity or random person
(3) Whether the PHI was actually acquired or viewed
(4) Aggressiveness of mitigation plan
Dumbarton Group

54. If there is a breach, one MUST report!

55. The New Privacy Trend: Cyber-Security

56. CyberSecurity Tips for Practices
(1) Train employees in security practices
Strong passwords
Appropriate internet use
(2) Protect information computers, networks
Latest security software, malware
Set antivirus software to run a scan after each update
(3) Provide firewall security for your internet connection
(4) Make sure the operating systems firewall is enabled
(5) If employees work at home with work laptop, enure their home systems are protected by a firewall

57. CyberSecurity Tips for Practices
(6) Create a mobile device action plan
Changing passwords
Not sharing passwords
Encrypt data
Install security apps
(7) Make back-up copies of important business data on all computers
Back-up data automatically, offsite and in the cloud

58. CyberSecurity Tips for Practices
(7) Control physicial access to your computers
Sign in/out computers – keep a log
Do not allowed unauthorized users to have access
Keep laptops locked in the office when not attended
(8) Secure your wi-fi networks in the workplace
Make sure the wi-fi is secure, encrypted and hidden

59. CyberSecurity Tips for Practices
(9) Passwords and authentication
Employees should have unique passwords and change passwords every three months
Offer “multi-factor” authentication that requires additional sensitive information to gain access

60. CyberSecurity Tips for Practices
(10) Overwhelming BUT you need some cyber coverage

61. The Lesser Knowns: Hiring Practices for Employers
Dumbarton Group

62. Statutory Mandates Quality Staff
Omnibus Budget Reconciliation Act (OBRA) passed in 1987 identified need for quality staff to interact with Medicare and Medicaid beneficiaries
Title VI, Subtitle B, Part III, Subtitle C, Section 6201 of the Affordable Care Act of 2010 (P.L )
Established the framework for a nationwide program to conduct background checks on a statewide basis on all prospective “direct patient access employees”
Dumbarton Group

63. National Background Check Program
CMS mandated a comprehensive national background check programs for direct patient access employees
Program's purpose is to identify efficient, effective, and economical procedures for conducting background checks for ALL direct patient access employees
The program is administered by:
Centers for Medicare & Medicaid Services (CMS),
Department of Justice (DOJ)
Federal Bureau of Investigation (FBI)
National Background Check Program
Dumbarton Group

64. Hiring Excluded Entities Under Medicare Program

65. Excluded Individuals
OIG has the authority to exclude individuals and entities from Federally funded health care programs pursuant to sections 1128 and 1156 of Social Security Act and maintains a list of individuals and entities called
List of Excluded Individuals and Entities (LEIE)
Anyone who hires an individual or entity on LEIE may be subject to civil monetary penalities (CMP)   

66. Excluded Persons
The CMPL expressly prohibits arranging or contracting “with an individual or entity that the person knows or should know is excluded from participation in a Federal health care program … from the provision of items or services for which payment may be made under such a program”

67. OIG Letter to Industry
Letter being sent to Office of Inspector General to providers who have been identified for violating the Civil Monetary Penalty Law (CMPL), Section 1128A of the Social Security Act, 42 U.S.C. Section 1320a-7a(a)(6), for submitting claims to Federal health care programs for items or services furnished by an excluded individual

68. WHO’s Policing What?

69. The Once New Enforcers RACs - Recovery Audit Contractors
MRA – Medical Review Auditors
MAC – Medicare Administrative Contractors
CERT - Comprehensive Error Rate Testing
STPR – State Wide Probe Reviews
NCCI - National Correct Coding Initiative
ZPICs - Zone Program Integrity Contractors
HEAT - Health Care Fraud Prevention and Enforcement Action Team
The RAC continues to focus the majority of efforts toward adoption of CMS evidence-based coverage policies and site-of-service issues (e.g. identifying overpayments). CERT audits are aimed at measuring improper payments. ZPICs target potential fraud in the Medicare program and can audit the integrity of all Medicare claims for a particular provider with both pre- and post-pay audits. While ZPIC audits are similar in many ways to other CMS audits currently being performed nationwide they do differ in one very important aspect – potential Medicare fraud implications. Yes. Another difference is that when auditors arrive at your HME/Rehab facility they will come armed with information. Instead of random audits, ZPICs will have information in hand, and they will know exactly what they want to zero in on. Essentially, if you are being audited, it is because the ZPICs MAY already have evidence that there is a problem with your billing. What does this information mean for facilities that are within one of these zones? Consequences of a ZPIC review include payment denials, recoupment of overpayments, and referral to other law enforcement agencies. Because ZPICs can refer cases to the Department of Justice, Office of Inspector General, or other law enforcement agencies, a ZPIC review may only be the first step in a long legal battle.
Contractor Error Rate Reduction Plans
Medicare Administrative Contractors – Auditing Scope of Work
CMS’s Assessment and Monitoring of Performance of MACs
Medicare Administrative Contractors—Use and Management of System of Edits
Zone Program Integrity Contractors—CMS’s Audit of Effectiveness
National Supplier Clearinghouse—Performance and CMS Oversight
Claims Processing Contractors—Failure To Conduct Prepayment Reviews in Response to Edits
Recovery Audit Contractors—Identification and Recoupment of Improper and Potentially Fraudulent

70. What are they Auditing/Inspecting?
Derelict in duties under regulations, guidance documents
Fraud
Abuse
Errors
Waste
Compliance with state and federal regulations
Examination of Medicare related billing
Clean claims inspection

71. Creation of NEW, NEW Enforcers

72. Uniform Program Integrity Contractors (UPICs)

73. Auditing their Own Contractor Error Rate Reduction Plans
Medicare Administrative Contractors – Auditing Scope of Work
CMS’s Assessment and Monitoring of Performance of MACs
Medicare Administrative Contractors—Use and Management of System of Edits
Zone Program Integrity Contractors—CMS’s Audit of Effectiveness
National Supplier Clearinghouse—Performance and CMS Oversight
Claims Processing Contractors—Failure To Conduct Prepayment Reviews in Response to Edits
Recovery Audit Contractors—Identification and Recoupment of Improper and Potentially Fraudulent

74. Fact Pattern: You are an employee at a physicians office and on a random Monday a man enters your place of business and introduces himself. He is an official government auditor/inspector. He hands you an “official” piece of paper and insists it be delivered to the person in charge. Appears to be legal documents. What should the employee do?

75. Do you know you what to do?

76. Prepare for a Successful Audit
Require proper photographic identification and identifying information from each member of the audit team
Assign one staff person to be the communication liaison with the auditors (and your senior staff and attorney).
Immediately call your attorney and ask him or her to attend the audit or site visit.
Make sure your office is "photogenic." Inspect your office immediately.
Make sure all displayed licenses and certificates are current.
Make sure all patient health records are properly secured and that your medical record handling and storage comply with Health Insurance Portability and Accountability Act (HIPAA) standards.
Dumbarton Group

77. Prepare for a Successful Audit
7. If the records needed by the auditors are in a different office of the practice, don't overextend yourself trying to obtain them during the site visit.
Set aside a separate room with chairs and a flat surface (a desk or table) for the auditors to use as their meeting, conference, and interview room.
Don't guess the answers to any questions the auditors ask you.
Ask questions of the auditors in an attempt to obtain information about any special areas of concern.
Do not voluntarily advise the auditors of suspicions of wrongdoing or ask whether your policies or procedures are correct.
Always tell the truth!
Dumbarton Group

78. Medicare Compliance Program
Respond to inquiries quickly. Set up a system to flag requests for documentation or additional information from recovery audit or ZPIC contractors. Because these entities are new, you might not notice the mailed requests, which may or may not arrive on CMS letterhead. If they do not get to the right place in a timely fashion, your organization runs the risk of not responding in the required period, which is typically 30–45 days. If you miss that time frame, you could end up with a demand for a refund. 
In the end, taking the time to carefully review your billing and to put a strong compliance program in place will help keep you from getting into trouble in this new climate of increased enforcement.  
Timing. DMEPOS suppliers should be aware that ZPICs could notify the facility via fax a mere hour before the visit. This can leave little time for the facility to prepare. (Note: In situations where ZPICs give short notice, facilities are within their rights to supplement any requested records with supporting documentation even after the visit is complete.)
ANY contractor can make unannounced visits.

79. (7) Core Elements Identified
Designate a chief compliance officer in charge of operating the program
Develop and distribution of written policies, procedures and standards of conduct
Implement regular education and training program for employees
Develop an internal audit system to identify problem areas
Develop a system to report deficiencies and problem areas
Develop a process where employees can come forward without fear of retaliation
Develop a means to quickly remedy problems in a systematic, transparent way