Compliance plans: How optional, really?

The Feds' final guidelines say you don't have to have a compliance plan. But if you want to protect yourself against a costly audit . . .

By Michael Pretzer
Washington Editor

Since HHS's Office of Inspector General issued its final version of Compliance Program Guidance for Individual and Small Group Physician Practices last fall, doctors have been asking themselves, Should I, or shouldn't I?

Should I heed the OIG and create a compliance program designed to reduce my billing mistakes? Or should I just ignore the federal government's latest intrusion into my practice?

Many physicians have taken a maybe-later attitude. After all, the law doesn't say that a physician must create a compliance plan. Yet, the OIG, health care lawyers, business consultants, and, yes, even physicians argue for action now. Some of their arguments are compelling.

The OIG says a doctor is morally obligated to ferret out mistakes. "All health care providers have a duty to reasonably ensure that the claims submitted to Medicare and other federal health care programs are true and accurate," it declares.

But before going weepy-eyed, keep in mind that physicians are a relatively small part of the problem. Even if physicians made zero Medicare billing mistakes, error-plagued payments would continue. Medicare's erroneous fee-for-service payments to physicians totaled about $3 billion in 1999. Though that sounds like a lot, it's less than 2 percent of last year's total Medicare payment—and less than 25 percent of the estimated incorrect payments. Moreover, the dollar value of physicians' Medicare billing errors has decreased by about 50 percent over the past three years.

Other indicators suggest that physicians are even less culpable. Last year, for example, the OIG's patient hotline received nearly 500,000 calls. But fewer than 500 (less than 0.1 percent) were found to be substantive complaints about physicians.

The more hyperbolic health care lawyers and consultants warn that a physician needs a compliance plan to avoid being hunted down and charged with fraud. Realistically, however, the OIG isn't going to turn a well-meaning doctor into a jailbird over billing errors—compliance plan or no compliance plan. "Under the law, physicians are not subject to civil, administrative, or criminal penalties for innocent errors—or even negligence," states the OIG. "The government's primary enforcement tool, the False Claims Act, covers only offenses that are committed with actual knowledge of the falsity of the claim, reckless disregard, or deliberate ignorance of the falsity of a claim. The Civil Monetary Penalties Law, an administrative remedy similar in scope and effect to the False Claims Act, has exactly the same standard of proof."

The government must jump "a high bar," adds Mark Gorden, senior associate for managed care and regulatory affairs at the American College of Physicians-American Society of Internal Medicine. "Which is why the total number of parties prosecuted and convicted of Medicare fraud averages in the low hundreds in a given year, and only a handful of them may be physicians."

On the other hand, the Health Care Financing Administration is under pressure to recoup money lost through Medicare overpayments. So HCFA and its claims-processing contractors are looking more closely at physicians these days. "The major issue is being audited and forced into settlements over disputed claims," says Gorden.

Even the discovery of minor billing errors can prove costly when you tally up legal and consulting fees and the value of the reimbursements a practice may return to the government. But a compliance program serves as a kind of protection—a shield against an increasingly attentive HCFA. First, with a plan in place, a practice makes fewer billing errors. "It reduces the chances that an audit will be conducted by HCFA," promises the OIG. Second, it gives weight to your billing procedures should they come into question. Who knows? Maybe you rather than the auditor is correct. Third, it shows that you're making what the OIG calls "good faith efforts" to do things right. Acts of good faith, it's widely believed, help mitigate a negotiated settlement. (For the record, HCFA says it seeks full repayment even when a practice has a compliance plan.)

In addition, when you create a compliance program you're likely to improve your practice—a "collateral benefit," according to David Clayton, a principal with Rehmann Robson, a consulting firm in Saginaw, MI. "Any time you do something to evaluate your practice, you're likely to find ways to make it more effective and profitable," he says.

"[Compliance] programs can also benefit physicians' practices by helping to streamline business operations," adds the OIG.

Gorden reverses the cause and the effect. "What's good for business," he explains, "is good for compliance."

Seven steps to greater compliance

Since it issued its first compliance guidance (for hospitals) three years ago, the OIG has loosened up. In previous guidelines, OIG clearly stated that a hospital, say, or a third-party payer had to follow seven basic steps. But in Compliance Program Guidance for Individual and Small Group Physician Practices, the OIG makes it obvious that physicians need take only as many of the seven steps as they think necessary.

"Some physician practices may never fully implement all of the components," states the OIG. "Begin by adopting only those components [that], based on a practice's billing problems and other compliance issues, are most likely to provide an identifiable benefit. The extent of implementation will depend on the size and resources of the practice."

The sacrosanct seven steps are:

1. Audit and monitor your practice. It's pretty much assumed that every compliance plan will include step 1. Do a basic review of your practice's procedures to see if they're effective and current. (Make sure the CPT information you use for coding is up to date, for example.) Then, review your billing and medical records for possible screwups. Are your codes accurate? Is your documentation complete? Are you providing only necessary services? Are you billing Medicare only for services that meet the government's definition of medical necessity? The audit will give you a baseline to measure future compliance. The OIG recommends that you repeat the audit annually, reviewing five to 10 files per physician in your practice.

The audit—some call it risk assessment—is not to be taken lightly, because it sets the stage for the rest of your compliance program. Consider getting outside help. "I strongly recommend that it be performed by an external expert," advises Clayton. "A third party can be objective and provide expertise regarding all the applicable government regulations."

Should you uncover irregularities during your internal audit, the OIG expects you to make restitution ASAP. That's another reason to involve a third party—though perhaps you'll need to hire more than a consultant. "If you find that you've been billing incorrectly, especially if a pattern of errors emerges, you're probably going to need an attorney," says West Virginia internist Thomas F. Mann, one of 24 physicians who was asked by the OIG to review an early draft of the guidelines. "You'll have to self-disclose, and that gets complicated."

2. Establish practice standards and procedures. "After the internal audit identifies the practice's risk areas, the next step is to develop a method for dealing with those risk areas," explains the OIG.

Sounds simple, and for some practices the effort may involve no more than repackaging policies it already has written for patient care, personnel matters, and the like. But others may have to start at square 1.

The OIG has a couple of suggestions for a practice that finds itself pressed. First, focus on the most problematic issues. If your documentation is solid but your coding is shaky, for instance, put your energy into developing standards that improve your ability to bill appropriately. Next, buddy up. Adapt the compliance plan of an affiliated physician practice management company, independent practice association, physician-hospital organization, or third-party billing company.

The togetherness espoused by the OIG has its critics, however. "It raises important questions about confidentiality," says Clayton. "For example, the most logical buddy for a physician group is often a hospital. But I can think of 100 reasons why a practice wouldn't want a hospital looking over its shoulder."

Probably the most difficult aspect of step 2 is knowing the myriad of laws and regulations that your practice must comply with. "Creating a resource manual from publicly available information may be a cost-effective approach," the OIG suggests. "Develop a binder that contains relevant HCFA directives and carrier bulletins, and summaries of informative OIG documents."

Whew. To many practices, the task of building such a binder would be "daunting," according to Aaron Krupp, a government affairs representative for the Medical Group Management Association. And maybe the OIG thinks so, too; in appendices of the guidelines, it summarized the relevant criminal and civil statutes and listed helpful Web sites. Still, the OIG can do more, argues MGMA. For starters, Krupp says, it could create an Internet location where a practice can obtain all the documents it needs.

3. Designate a compliance officer. Someone has to be the point person for a practice's compliance plan—to oversee its development, implementation, and updating. Again, the OIG offers budget-minded alternatives. The officer doesn't have to be a physician; an administrative employee will do. If need be, the responsibilities can be divvied up among two or more employees (the OIG calls them "compliance contacts"). Or a practice can hire a consultant or a professional who oversees compliance for more than one provider—a hired gun, so to speak.

"Each practice needs to assess its own situation," says the OIG. "However, if the role is outsourced, it's beneficial for the officer to have sufficient interaction to effectively understand the inner workings of the practice. Consultants [who aren't] in close geographic proximity to a practice may not be effective."

4. Educate your staff. A practice should keep its physicians and staff informed on matters of compliance and coding and billing, says the OIG. New employees ought to be trained as soon as possible and established employees brought up to date at least once a year.

The training should have two goals, says the OIG: teaching employees "how to perform their jobs in compliance with the standards of the practice and any applicable regulation," and driving home the point that "compliance is a condition of continued employment."

5. Respond to offenses and take corrective action. In your compliance plan, you must promise to do the right thing if a problem arises. For potential criminal violations, your plan should include "steps for prompt referral or disclosure to an appropriate government authority or law enforcement agency. In regard to overpayment, it's advised that the practice take appropriate corrective action, including prompt repayment," says the OIG.

The plan must also explain how you'll deal with those who create a problem; retrain, discipline, or terminate are the alternatives the OIG suggests. And it should tell how you would adjust your plan to avoid repeating mistakes.

6. Communicate. The door to the compliance officer must be open. To do that, says the OIG, your plan should require that employees report errors and fraudulent behavior, establish a "user friendly" reporting system, protect the anonymity of whistle-blowers, and promise not to inflict retribution on those who in good faith report problems.

7. Take disciplinary action. Your plan should explain how you'll deal with employees who make mistakes or engage in fraud. According to the OIG, violations ought to "result in consistent and appropriate sanctions, including the possibility of termination. At the same time, it's advisable that the practice's enforcement and disciplinary procedures be flexible to account for mitigating or aggravating circumstances."

So many questions, so few answers

Compliance Program Guidance for Individual and Small Group Physician Practices isn't without problems. The flexibility that it affords physician groups also creates ambiguities that some physicians may find unsettling. The OIG has implied, for example, that the larger the practice, the more sophisticated and substantial the compliance program. But the OIG never defines large or small. "The OIG says a practice's compliance effort should match its resources," explains Clayton. "But which does it expect more from, a practice of three specialists generating revenue of $1.5 million a year or a practice with five family physicians generating $1.1 million? Size would seem to be a product of multiple factors."

"The question, 'How much is enough?' remains unanswered," adds J. Edward Hill, an AMA trustee.

Moreover, although the OIG compliance guidelines have been simplified for solo and small group practices, they're complex enough to send physicians scurrying to consultants. And consultants are responding to the call. Many offer services that are as flexible as the guidelines themselves.

Toledo-based Gilmore, Jasion & Mahler, for example, will conduct the chart reviews and internal audit (step 1), develop standards and procedures (step 2), and prepare the group to implement a compliance plan. All for as little as $7,000. "We educate the physicians," says Patricia White, a practice management consultant at Gilmore. "We'd rather teach physicians to execute the plan than do it for them."

Physicians may also turn to medical associations for help. Not long ago, for instance, Maryland's Montgomery County Medical Society began marketing the OIG Compliance Plan for Medical Practices, a software "template" that can be electronically cut and pasted to create an individualized compliance program. And the AMA is developing a "model" compliance plan based on the OIG's recommendations. "The model will be easy to implement and cost-effective," promises Hill.

In general, organized medicine has been praising the OIG's work. As William F. Jessee, MGMA's president and CEO, puts it, "The guidelines outline many wise and prudent actions."

But the compliments are frequently followed by words of caution. According to Robert Doherty, senior vice president for governmental and public affairs at the American College of Physicians-American Society of Internal Medicine, "it remains critically important that the OIG continues to be responsive to suggestions for further improvement once the guidance is reality-tested in actual physicians' practices."

For more information on this topic, see the Web exclusives, "What one doctor has done about compliance" and "Risky business: Where you're most likely to make a billing error".

Internet compliance resources

Medicare fiscal intermediaries and carriers
www.hcfa.gov/medicare/incardir.htm 

Medicaid state carriers
www.hcfa.gov/medicaid/mcontact.htm

Department of Health and Human Services Office of Inspector General
www.hhs.gov/oig

Health Care Financing Administration
www.hcfa.gov

Medicare training
www.hcfa.gov/medlearn

US Government Printing Office (for federal statutes and regulations)
www.access.gpo.gov

US House of Representatives Internet Library (for health care laws)
uscode.house.gov/usc.htm

Health Care Compliance Association
www.hcca-info.org

Errors and omissions insurance: Do you need it?

Two or three years ago, a few insurance companies began marketing errors and omissions insurance policies to hospitals, physicians, and other health care providers. In its basic form, the insurance pays for the legal costs incurred by a practice when it defends itself in government audit. In some cases, the insurance also covers reimbursements and civil penalties.

Since then, the number of companies offering E&O insurance, and the varieties of policies they sell, have proliferated. Today, E&O insurance may be available from the same carrier that insures a practice's office building and equipment, or it may be an addendum to a practice's malpractice insurance.

In Michigan, for example, some malpractice carriers are including E&O coverage of legal expenses at no extra charge for qualified physician practices, according to Deborah Campbell, the head of professional client services for Old Kent Insurance Group, based in Grand Rapids. "Stand-alone E&O insurance may be too expensive for small practices," she says. "The malpractice policy coverage for compliance and billing errors can be especially helpful to them."

The cost and coverage of E&O insurance varies widely across the country. An annual premium may be as low as $400 per physician, with coverage typically ranging between $1 million and $5 million. "It's likely to be more expensive and harder to find in litigious states, such as California, Texas, and Florida," says Susan Wilson, an account executive with the Hylant Group in Toledo.

A physician should closely examine an E&O policy—indeed, any insurance policy—and be skeptical of extravagant promises. "Look carefully at the policy's benefits and at the exclusions that dictate when benefits are to be paid," advises David Clayton, a principal with Rehmann Robson, a consulting firm in Saginaw, MI.

Although the supply of E&O insurance is growing, the demand for it hasn't—at least not among small group practices and soloists. "Mostly hospitals and large groups are buying it," says Wilson. "Probably because they feel more vulnerable."

Perhaps physicians' enthusiasm is dampened by the fact that, in some instances, a carrier will not issue E&O insurance until a practice has a compliance plan. But if a practice has a compliance program, does it really need to spend money for E&O coverage? West Virginia internist Thomas F. Mann doesn't think so. "The best insurance is a compliance plan," he says. "It's not a policy you buy."

 

Michael Pretzer. Compliance plans: How optional, really?. Medical Economics 2001;2:36.