WPHN Compliance Forum October 13, 2008 Shelley C. Koltnow VP Corporate Responsibility Via Christi Health System

WPHN Compliance ForumWPHN Compliance Forum

October 13, 2008

Shelley C. Koltnow VP Corporate Responsibility

Via Christi Health System

Compliance Forum AgendaCompliance Forum Agenda

• Establishing and Managing an Effective Compliance Program in a Rural or Small Provider Setting..………………………..40 minutes

• Q & A / Discussion…………...10 minutes• 5 minute Break• Role of the Compliance Officer• …………………………20 minutes• Risk Areas for Critical Access Hospital

………………………...20 minutes• Q & A / Discussion……………10 minutes• Q & A / Discussion – Further interest/future

programs? • Conclude

Compliance Helps to Navigate the RisksCompliance Helps to Navigate the RisksBy having an effective compliance program in place, a CAH can better navigate the increasing uncertainties and risks associated with the current healthcare regulatory and legal environment.

What is a Compliance Program?What is a Compliance Program?

• Culture of Compliance

– February 23, 1998

First “OIG Compliance Program Guidance for Hospitals”

Focus – adoption of voluntary compliance programs

Promote – “ higher level of ethical and lawful conduct

throughout the health care industry”

Provide – “clear guidance” to reduce fraud and abuse

What is a Compliance Program?What is a Compliance Program?

• Culture of Compliance– January 31, 2005

“OIG Supplemental Compliance Program Guidance for Hospitals” – strong feedback to OIG from the industry

Recognition of high risk areas

Focus – Development and use of internal controls

Promote – Compliance program effectiveness through cultural integration

Provide – Recognition of benefits aside from preventing or mitigating fraud and abuse

What is a Compliance ProgramWhat is a Compliance Program

• OIG recognized benefits to providers: Enhancing health care providers’ operations

Improving the quality of health care services

Reducing overall cost of health care services

Demonstrate commitment to honest and responsible corporate

conduct (evidence-based compliance)

Reporting process free of retaliation

Reduction of loss to government and hospital

Increased likelihood of preventing, identifying, and correcting

problems at early stage

Elements of EffectivenessElements of Effectiveness

• Origin – the Federal Sentencing Guidelines (FSG)

– Reduction of penalty for corporations Requires effective compliance/ethics program

Elements include prevention and detection of criminal conduct, culture

of compliance to assure effectiveness of the program (Section 8B2.1)

Compliance officer – high level, access to CEO, board and overall

responsibility for the compliance/ethics program.

Background checks

Education

Reporting of non-compliant activity (no retaliation)

Discipline

Annual reports to Board and risk assessments

Compliance Plan Compliance Plan

• Elements – Code of Conduct

Standards to guide organizational behavior

Expectation as a condition of employment, contractual relationships, vendor relationships, or being a credentialed provider with clinical privileges

Communicated to all constituents

Approved and endorsed by the governing body

Reviewed annually and updated as needed

Consistent with applicable laws, regulations and policies

“living document” – enforce consistently

Compliance PlanCompliance Plan

• Elements– Policies and Procedures

Part of organization’s policy manual Communicated to all constituents – education Regularly reviewed and updated Approved by Compliance Committee and governing body

of the organization Accessible to all constituents Touch on risk areas for compliance issues


• Elements– Policies and Procedures

Some recognized compliance risk areas: Billing and coding Medical necessity / case management Cost reporting EMTALA Conflicts of Interest, gifts, gratuities Relations with providers and others who refer Medicare and Medicaid fraud and abuse HIPAA privacy and security Government investigations Obligations of Employees to compliance program


• Elements– Compliance Committee

A committee is required to assure that the compliance plan is implemented appropriately across the organization

Comprised of leaders over high risk areas Executives – CFO and COO are typically involved Meets regularly Agenda reflects approvals of policies, education on

compliance matters, discussion of compliance and culture Minutes to the governing body Tie to quality of care, risk management and finance


• Education and Training– Effective education and training on a regular (year

around) basis on key compliance topics– Equivalent to training required in other areas– Standard documentation processes to assure

audit trail– Alert to new developments and issues pertaining

to the organization– Tie to culture, ethics, doing the right thing– Assure reporting mechanisms and compliance

program is known throughout the organization


• Elements– Reporting process

Channels within the organization where individuals can raise concerns or report issues

No retaliation (express or implicit) Like incident reporting – non punitive opportunity to bring

concerns forward Investigate each report Document each report and the disposition of the issue Signs or posters to remind individuals of their duty to

report concerns Hotline for anonymous reports


• Elements– Monitoring and auditing

More than “vigilance” Identify key risk areas and conduct focused reviews Monitor any corrective action plans to assure adherence Make sure any overpayments are returned immediately Consider independent audits each year to assure coding and

cost reporting are accurate and correct – document to governing body

Document continuous monitoring and process improvement efforts as part of the Program (including quality)


• Elements– Disciplinary action for compliance infractions

Consider a policy specific to compliance infractions Follow fair and consistent process with HR disciplinary

policy Assure that any infractions are investigated and

established before discipline is provided Assure the disciplinary process is not retaliatory Consider HIPAA violations to be serious and impose

appropriate disciplinary action – document! Coordinate with HR


• Elements– Response to any offense

Do not delay or postpone Develop an investigation plan with specific goals and

timetables Consider whether legal advice is needed and whether the

investigation should be conducted under the attorney – client privilege

Don’t wait until the problem arises to have an attorney engaged!

Limit communication to those who “need to know” Consider independent auditor involvement (can be

engaged by attorney under the privilege) Report results promptly if any overpayment or disclosure


• Elements– Compliance Officer

High level executive position with autonomy and independence to implement Plan

Reports to CEO and governing body Has adequate resources to perform job Knows how to spot legal and regulatory issues (e.g.,

EMTALA, HIPAA, Medicare/Medicaid reimbursement, OSHA, CLIA, etc.)

Access to any materials or documents, information , and individuals needed to investigate

Independent access to legal counsel

Critical Access Hospitals – Rural Health CareCritical Access Hospitals – Rural Health CareCAH provide care in rural areas and have some distinct needs and challenges regarding putting an effective compliance program in place.

Critical Access Hospitals Critical Access Hospitals

• Issues for small or rural providers– Small staff and limited resources (probably not a full-time

position for compliance)– In small communities, HIPAA can be large part of a

compliance program focus (“everyone knows everyone”)– Relevance of compliance (“we are small – we don’t need a full

compliance program”)– Culture – Priorities– Compliance officer independence (“many hats” issue)

Critical Access HospitalsCritical Access Hospitals

• Although small, CAH compliance programs must be effective and evidence-based

• Integration into operations and culture is essential• Documentation of efforts toward compliance

– HIPAA and Compliance issues log(s)– Medicare Conditions of Participation for CAHs– Compliance committee meeting minutes– Written compliance plan– Written investigation plans, showing timetables and final

outcomes– Compliance education and training – Coordination with risk management, quality, finance and

the governing body


• Operations – Assure there is always a compliance contact– Compliance policy manual is up-to-date and

available– Conduct HIPAA training and discipline consistently– Realistic budget showing adequate resources– Annual CO education

HCCA is great – credential of “CHC” is good to obtain

– Culture is very important in small provider – Tools (MediRegs, Comply-Track, other)


• Relationships– Network of compliance professionals in the

area/region– Staff interactions – Board– Building buy-in and commitment– Listen – analyze both the business aspects and the

compliance issues before responding– Use the committee for difficult decisions– Engage commitment of CEO


• Effectiveness – Address all elements– Communicate effectively– Assess risk with priorities of action– Monitor for excluded providers – Consistency and documentation– Discipline– Education– Tone at the top– Culture


• Buy-in Tips– Obtain a champion– Involve physicians on committees and work groups– Provide one-on-one feedback and education where

appropriate– Understand the clinical sides and business issues driving the

compliance issue – collaboration without violation!– Listening– Physician and provider relationships (contracts and

agreements, payments) are discussed openly with appropriate review

– Quality committee as compliance committee

Discussion and Questions Discussion and Questions

Short Break

Compliance Officer’s JobCompliance Officer’s JobAssure the organization adheres to its standards of conduct while monitoring, auditing, reporting and managing the demonstration of a compliant culture throughout the organization.

Role of Compliance OfficerRole of Compliance Officer

• Basic Requirements

– Accountability to governing body

– Member of senior management

– Independence to raise matters whenever and wherever they

arise without fear of retaliation or inaction

– Support from top (board and CEO – responsible executive)

– Connection to operations to build ethical programs and culture

– Authority to make and implement decisions and

recommendations

Role of Compliance OfficerRole of Compliance Officer

• According to OIG’s Supplemental Compliance Guidance (20050:– Compliance department is “backbone of the

hospital’s compliance program” – Compliance officer should be “well-qualified,

member of senior management and supported by a compliance committee”

– CO should “implement the hospital’s compliance program and to ensure that the hospital complies with all applicable Federal health care program requirements.”

Role of the Compliance OfficerRole of the Compliance Officer

• Standards for Compliance Officer/Department:– “clear, well-crafted mission”– “properly organized”– “sufficient resources (staff and budget), training,

authority and autonomy to carry out its mission”– Relation between compliance and any attorneys

appropriate?– Active compliance committee – members from

“relevant functional departments”


• Ability to form ad hoc groups or task forces to carry out any “special missions such as conducting an investigation or evaluating a proposed enhancement”

• CO has “direct and independent access to governing body, CEO, all senior management and legal counsel”

• “Independent authority to retain outside legal counsel”


• Good working relationship/contact with departments that perform patient financial services (coding, cost reporting)

• Regular reports to governing body and hospital management about the “different aspects of the hospital’s compliance program

Critical Access Hospital Challenge: Critical Access Hospital Challenge:

In a CAH, the Compliance Officer role may be difficult to fill and to fulfill. OIG expects program to be effective. What to do?

Discussion and Questions? Discussion and Questions?

Risk AreasRisk AreasFailure to implement and continue a compliance program can lead to risk of exclusion, civil money penalties, recoupment of funds, and other penalties for substandard survey findings. What are the risks?

Critical Access Risk AreasCritical Access Risk Areas

• Status as a CAH is maintained – all elements • Length of stay (96 hours annual LOS)• Other services like swing beds, psychiatric,

rehabilitation, and hospice and contracts with various providers of these services– Compliance with CoP for each type of service

• Surveys– Designed to detect “to determine whether a citation

of non-compliance is appropriate.” (CMS, 2008)


• Conditions of Participation– CMS expects total compliance– Measures compliance through “observations,

interviews, document/record reviews…to establish organizational and patient-focused functions and processes…and compliance with Federal health, safety, and quality standards that …assure beneficiaries receive safe, quality care and services.”

– Check the State Operations Manual for Standards


• Recap of certain CoP for Critical Access Hospitals– Makes available 24 hour emergency care services

per state requirements for CAHs– Operates no more than 15 acute beds or up to 25

inpatient beds used interchangeable for acute or SNF-level care, provided no more than 15 are used at any one time for acute care

– Maintains an average LOS of 96 hours or less on an annual basis (acute)


• Provide dietary, pharmacy, laboratory, and radiological services either full-time, on-site or part-time, off-site under arrangement with another provider

• Networking arrangement with at least 1 hospital for patient referral and transfer; communication systems to share patient data; emergency and non-emergency transportation


– Networking arrangements for credentialing of medical staff, quality assurance with at least 1 hospital, one peer review organization or other appropriate, state-qualified entity

– Staffing requirements are met – Required inpatient care may be provided by a

physician assistant or ARNP, subject to the oversight of a physician (who need not be present in the facility)

Critical Access Risk AssessmentCritical Access Risk Assessment

• Calculation of the reasonable cost of services for inpatient hospital care – basis for reimbursement from Medicare

– Reasonable cost to provide outpatient services plus a fee-

schedule payment for professional services – basis for

reimbursement from Medicare

– Provision of skilled nursing, rehabilitation, and home health,

psychiatric, and other services. In Kansas, CAHs are

encouraged to integrate as many services locally as is

practical.


• False Claims Act

– “Knowingly presents or causes to be presented to the

United States Government a false or fraudulent claim for

payment or approval…” (31 USC 3729(A)(1)

– Cost report continues to be area of strong OIG focus

– Accuracy is key to compliance

– FCA applies to claims for interim and final payment

– Important for CDM and cost reporting to be monitored


• Claims preparation and submission– Coding errors (up-coding, incorrect coding,

etc.)– Cost reporting– Non-covered services – Insufficient documentation of care– Billing for services not provided– Medical necessity– Churning of acute to LTC to acute again– Outpatient pricing and coding


• Information Technology– HIPAA privacy and security– CDM accuracy and current information; continued

monitoring– Systems and software for patient care – Biomedical services – Electronic prescribing– Networked information sharing among providers


• EMTALA– Medical screening examination– Transfer rules– Hospital’s capacity to stabilize/treat patients– Medical record issues– Policy – process for on-call providers

CAH rules Medical staff bylaws

Critical Access Risk Areas Critical Access Risk Areas

• Substandard Care– OIG can exclude any provider from participation if

the care is substandard Neither knowledge or intent is required Unnecessary, substandard items or services provided to a

patient even if the patient is not a Medicare beneficiary

– Quality goals and measures – Meet all Medicare CoP for CAHs

Quality assessment and performance improvement Medical staff credentialing and monitoring Care protocols


• Referral Statutes– Anti-kickback

Hospital cannot give or receive a benefit (cash or kind) in exchange for referrals (one purpose)

Safe harbors require legal advice Includes inducements, discounts, etc. No professional courtesy to physicians/providers

– Stark Physicians with compensation or ownership arrangements

with an entity cannot refer government beneficiaries to the entity except where the arrangement meets a legal exception

• Tax exemption and conflicts of interest– No private benefit or inurement– Insiders must be dealt with at arm’s length and

independence– Fair market value is key– Disclosure of conflicts of interest of all leaders,

board members, physicians, vendors


• Beneficiary Inducements– Gifts and gratuities– Cost-sharing waivers (co-pay or deductible)– Free transportation

• HIPAA privacy and data security• Contracts with other providers for services

ConclusionConclusionFailure to implement a compliance program that is culturally integrated and evidence-based creates unnecessary risk in today’s enforcement environment. An effective program, along with the quality and risk management efforts assures ongoing viability and sustainability.

Discussion and Questions

Documents

WPHN Compliance Forum October 13, 2008 Shelley C. Koltnow VP Corporate Responsibility Via Christi Health System