Implementing and Maintaining an Effective Compliance Program
Elizabeth Parker, JD
Andrew Buffenbarger, MBA, LNHA
Management Performance Associates
Missouri Health Care Association
August 27, 2013
1. Compliance: Why We Should Care, Now
2. Building an Effective Compliance Program
3. Auditing and Monitoring Workshop
4. Building a Strong Compliance Officer
5. Current Issues and Risk Areas
Elizabeth Parker, JD
Management Performance Associates
1. Who will be in charge of implementing and overseeing your compliance program?
2. How much time have you committed to implement your compliance program?
3. How much will you budget for your compliance program?
• March 23, 2013
• Medicare/Medicaid Condition of Participation
Patient Protection and Affordable Care Act
OIG Screening
Kickbacks
Stark/Self-Referrals
False Claims
Accurate billing and cost reporting
Medicare & Medicaid requirements
Resident Rights
HIPAA
Nursing Home Administrator
Quality of Care
Federal Health Care regulations are a lot to juggle
• Privacy Rule
• Security Rule
• Breach Notification Rule
• Civil penalties: up to $50,000 per violation ($1.5 Million annual maximum per type of violation)
• Criminal penalties: up to $250,000 and 10 years imprisonment
• Medicare and Medicaid will not pay for services performed by people whom the government has excluded from participating in Medicare and Medicaid.
• The Anti-Kickback Statute prohibits giving or receiving anything of value to induce or reward Medicare or Medicaid referrals.
• Criminal penalties: $25,000; 5 years in prison
• Civil penalties: $50,000 penalty, civil assessment of up to 3 times the kickback, exclusion from federal health care programs, all False Claims Act penalties
• A hospice provides free goods or goods below fair market value to a SNF to induce the SNF to refer patients to the hospice
• A DME company provides free devices to doctors who prescribe and order DME from the DME company
• An imaging center and medical center agree that the medical center will send its patients to the imaging center—and they will split the profits.
• A home health company pays a rehab company cash for every patient rehab refers to the home health co.
Under investigation by the US DOJ for allegedly paying illegal kickbacks:
• One time fee of $600,000 to a SNF chain to get the rehab contract
• Billed SNF 70% of the Medicare rate and split the remaining 30% with the SNF
• The Stark Law prohibits referrals between physicians and health care entities that have certain financial relationships with physicians, such as an ownership or investment interest, or a compensation arrangement.
• Repayment; $15,000 Civil Monetary Penalty per service, 3 times amount claimed, exclusion, False Claims Act liability
PT Co. and a physical therapist paid $62,400 for accepting patients with a physician’s order for physical therapy written by the therapist’s spouse.
A hospital paid $9.3 Million after it self-reported arrangements with 70 doctors, over a decade, with illegal financial incentives to refer patients to the hospital. Doctors received incentive pay based on the Medicare revenue generated from their referrals to the hospital.
• The False Claims Act prohibits submitting false or fraudulent claims to the government.
• Penalties: up to 3 times the claim amount, plus $11,000 per claim
Paid $1.5 Million for submitting claims to Medicare and Medicaid for services provided by an unlicensed speech therapist.
Paid $953,375 for providing services that were unnecessary, and submitting claims to Medicare.
For example, occupational therapy was provided to elderly Alzheimer’s Syndrome patients who could never expect to return to the workforce.
• Charged with violating the False Claims Act by encouraging therapists to bill higher amounts and do more expensive therapy—even if patients didn’t need therapy or could be harmed by it.
• Chain billed nearly 68% of its Medicare rehab days at RUH. The national level is 35%.
• Billing and cost reporting
• Medicare/Medicaid requirements
• Resident Rights
• Quality of Care
• up to $50,000 per violation
A hospital discovered that it had made billing errors for the drug Lupron, which resulted in overpayments by Medicare—and did not report the error or repay Medicare.
The operator of SNFs in Atlanta submitted claims for inadequate and worthless wound care services.
A university medical center submitted false claims:
- Double billed Medicare for procedures
- Billed for high reimbursement radiation oncology services when a different, less expensive service should have been billed
- Billed for procedures without supporting documentation in the medical record
- Improperly billed for treatment without corroborating physician supervision
A pharmacy employed a pharmacist who had been excluded from participating in Medicare/Medicaid.
A hospital entered a settlement in a whistleblower suit to resolve allegations that one of its physicians signed off on vascular tests (billed to Medicare) without reading the tests.
Los Angeles area hospitals paid “recruiters” to bring homeless Medicare and Medicaid patients from Skid Row to the hospitals, for treatment that was medically unnecessary.
Jury assessed penalties against former owner of a nursing facility for submitting false or fraudulent claims for worthless services
Medical equipment company submitted claims for Medicare patients who no longer qualified for the equipment, including patients who had died or were no longer using the equipment.
• A hospital limited treatments at its outpatient cardiology testing location to cardiologists who referred patients to the hospital.
• Cardiologists who referred a certain amount of revenue to the hospital were rewarded with more opportunities to treat patients at the outpatient location.
• SNF DON sentenced to 3 years in prison on a felony count of elder abuse for ordering administration of psychotropic meds to 23 patients
• CEO pled no contest to a felony count of conspiracy to commit an act injurious to the public, for her failure to adequately supervise the DON
• (Former) RN sentenced to 111 months in prison
• Helped admit ineligible patients to partial hospitalization program for mental illness
• Fabricated medical records to support false and fraudulent claims
• Laundered health care fraud proceeds
Most of Us Don’t Look Good in Orange
OIG enforcement activity: 2011 Result / 2012 Result
• Recoveries from audits and investigations: $5.2 Billion / $6.9 Billion
• Individuals/entities excluded from Federal health care programs: 2662 / 3131
• Criminal actions brought against individuals/entities: 723 / 778
• Civil actions brought (false claims lawsuits, civil monetary penalty settlements, provider self-disclosures): 382 / 367
• Paid $675,000 for submitting claims for therapy (provided by Therapy Co) that did not match the residents’ needs.
• Home is suing Therapy Co for negligence and breach of contract.
• We don’t know if Therapy Co will face government penalties.
• 5 years
• Establish and maintain Compliance Program
• Independent review of:
• MDS
• Therapy systems assessment
• Unallowable cost review
• Validation review by the OIG
• Must report to OIG:
• All government investigations
• Substantial overpayments
• Probable violations of the law
• Employment of/contracts with excluded providers
• Bankruptcy
• Failure to provide quality care
• Implementation report
• Annual reports
• A system of policies and procedures, monitoring and auditing tools, communication and reporting methods, enforcement, and leadership, designed to follow federal and state laws and federal healthcare program requirements.
• Comply with health care laws and program requirements
• Ensure excellent quality and accurate billing
• Minimize risk of government penalties
• Identify and correct compliance problems as soon as possible
• Criminal sanctions may be mitigated by a compliance program, but only if that program is effective.
• Most SNFs lack the policies & procedures, staff training, audit functions, and regulatory updates to keep their compliance programs effective.
• Written Policies & Procedures, Code of Conduct
• Compliance Officer & Compliance Committee
• Training and Education
• Effective Lines of Communication
• Enforcement of Standards
• Responding Promptly to Detected Offenses and Taking Corrective Action
• Auditing and Monitoring
• Quality of Care
• Resident Rights
• Billing & Cost Reporting
• Employee Screening
• Kickbacks, Inducements and Self-Referrals
• Submission of Accurate Claims
• HIPAA Privacy and Security
• Record Creation and Retention
• Anti-Supplementation
• Medicare Part D
Identify risk with a baseline audit:
• Identify risk areas
• Identify strengths and weaknesses
• Seek input from all departments
• Always be on the lookout for “new” risks
…keep your compliance program effective
• Annual Review of the overall effectiveness of the compliance program
• Minimize financial loss with reduced sanctions and penalties
• Improve quality of care and enhance your reputation
• Lower exposure to liability
• Reduce whistleblowing
• Minimize repayments
Andrew Buffenbarger, MBA, LNHA
Management Performance Associates
Auditing
Employee Screening for OIG Exclusion
• Does your pre-employment screening meet the requirement?
• Do you screen contractors?
• Do you screen volunteers?
• Do you screen directors, officers, and/or board members?
• Do you screen before hire and monthly?
Your employee screening P&P should require:
- OIG exclusion, GSA suspension/debarment, and state exclusion list screens for new employees, volunteers, directors and vendors, plus periodic re-checks
• Task breakdown
Category | Employee, Director/Officer | Contractor | Volunteer
OIG exclusion | X | X |
GSA suspension | X | X |
State (Medicaid) exclusion | X | X |
Criminal background | X | Require by contract | X
• The OIG will assess penalties to SNFs that employ or contract with an excluded provider.
– Re-pay Medicare and/or Medicaid reimbursement associated with the specific employee or contractor
– Assign civil money penalties including fines and treble damages
– Potentially become excluded from participation in state and federal health care programs
• The OIG is looking for individuals that pose a risk to the beneficiaries of Medicare, Medicaid, and all other Federal health care programs.
• Exclusions occur as a result of fraud and abuse convictions, program related convictions, licensure action, and others.
How do we audit this?
- See if P&P require these screens
- Interview staff responsible for hiring to determine if they understand these P&P, and if they are followed
- Check employee/vendor/volunteer files to verify OIG exclusion check was documented
- Review contracts to ensure vendors conduct similar screens
• Therapy (part A & B) is a constant focal point for investigators.
• Medicare expenditures in SNFs have more than doubled in the last decade (OIG work plan, 2013)
• An OIG investigation will certainly include a review of your therapy documentation
• Regular audits are essential to minimizing your exposure to false claims
• Start with a therapy checklist, assign the audit process to someone outside of the therapy department, and report results to the Compliance Officer and Committee
• Quality assurance programs are your best tool to drive strong quality outcomes and avoid penalties.
• A nursing home paid $305,072 and was required to hire a full-time physician or NP after it was found to have sub-standard pressure ulcer treatment and prevention, incontinence care, pain management, nutrition, weight monitoring, infection control, and diabetic care.
• CMS released guidance to SNFs regarding the development of a QA program.
• Quality Assessment and Performance Improvement (QAPI)
• Five elements
• Design and Scope
• Governance and Leadership
• Feedback, Data Systems, and Monitoring
• Performance Improvement Projects
• Systematic Analysis and Systemic Action
• Your Quality Assurance program should focus on these key elements
– Clinical care
– Quality of life
– Resident choice
– Care transitions
• Executive leadership
– Committee members should have the authority to direct work processes and take corrective action
• Setting facility priorities – establish quality indicators
• Training, equipment, allocating staff time
QAPI
Feedback, Data Systems and Monitoring
• Systems to monitor care
• Auditing tools and methods
• Collect data for analysis
Performance Improvement Projects (PIPs)
• Concentrated analysis
• Review areas of concern
• Well documented, thorough investigation
QAPI
Systematic Analysis and Systemic Action
• Root cause, or similar, analysis
• Repeatable, policy driven solutions
• Documented approach
• Full disclosure to the Committee
Quality Assurance Approach Example
Quality Indicator: Incidence of new fractures
Result: 1
Target: 0
Variance from target: 1
Variance report: Yes
Event
Resident is found on the floor in her room with a fractured hip at 0200. Resident cannot report.
• Assemble facts in a storyline.
– Use interviews to determine what may have caused the resident to be on the floor.
• Interview the roommate if applicable.
• Interview the night shift staff using the “who, what, where, when, and how?” approach for an initial understanding of the event.
R1 is found on the floor in her room with fractured hip at 0200.
Resident cannot report.
Roommate R2 reports R1 was assisted to bed by E1 using a sit-to-stand lift. R1 was not assisted to the restroom prior to bed.
R2 reports R1 was restless and tried to get out of bed without help.
E2 reports that R1 had noticeable outward rotation to her hip. 911 called, physician, family, DON & Admin notified.
R2 reports E1 entered the room in less than one minute, then called from the doorway for the nurse E2. E2 entered the room immediately thereafter.
R2 reports R1 tried to stand from bed and immediately fell to the floor. R2 turned on her call light to summon staff.
E2 reports EMTs took R1 to the hospital with probable Fx hip. Hospital confirmed Fx.
• Where are the gaps in the story?
• Who will you interview?
• What will you ask?
• Drill down for details
• Variance reporting
– Report your summary of findings and action plan to the QA Committee.
– Use the QA meeting to track the progress of your action plan.
– Hold people accountable for results. We’re protecting the frail elderly – we do not let this go.
• Good QA programs are comprehensive and fluid.
– Strong, consistent committee
– Standard quality indicators
– Performance expectations
– Variance analysis
– Variable quality indicators to address current issues
• QA is a key communication tool. What do you want to share with your staff?
• Use QA to monitor your compliance program efforts
– P&P reviews
– Complaint log/action
– Staff training
– Billing audit results
• Conduct pre-employment screens using the OIG exclusion list, GSA suspension/debarment list, State exclusion list (if applicable), and criminal background check
• Repeat screens monthly
• Screen contractors/vendors and require similar screens in contract language
• Conduct criminal background checks on volunteers
• Quality assurance program
– Five elements
– Proactive, reactive, effective
– Therapy audits
• Auditing
– Employee screening and therapy are only two of the many audits that should be performed.
Andrew Buffenbarger, MBA, LNHA
Management Performance Associates
• First, let’s hear from you about the role of a compliance officer.
• Developing a position description will guide your selection
• Essential duties
– Oversee and monitor the implementation of a corporate compliance program
– Help the organization, through policies and procedures, auditing, and training, minimize the risk of fraud and abuse
• Manage facility audits, collect data, develop responsive action plans, report to the Compliance Committee
• Receive, log, and respond to compliance hotline reports
• Facilitate or conduct compliance training for directors, officers, and employees
• Manage employee, officer, contractor, and volunteer screening
• Oversee HIPAA compliance activity
• Participate in the Quality Assurance program
• Conduct annual compliance program review and update
• Ensure contractors are aware of your compliance program and resident rights
• What qualifications would you look for when selecting a Compliance Officer?
• Suggested background and experience
– Extensive experience in regulatory compliance in a skilled nursing facility or similar environment
– Clinical experience is helpful
– Experience reporting to a Board or senior leadership
– Data system creation and use, auditing, and strong analytical skills
– Education across multiple organizational levels
• Highly organized
• Advanced investigative skills and experience with root cause analysis
• Experience with quality assurance programs including development and implementation
• Understanding of the billing systems applicable to your organization
• General understanding of the inner workings of all departments applicable to your organization
• A CO can hold another position within the organization at the same time, i.e., staff development coordinator, quality assurance nurse
• During interview and selection, consider that this person will have to interact with Board members, CNAs, housekeepers, department leaders, contractors, volunteers, and regulators
• The CO will be highly visible. Acquaint him/her with everyone in the organization
• Walk through key focus areas – as documented in the Corporate Compliance Program
– Billing
– QA
– Care delivery
– Dining and culture
– Software systems
– Employee screening and on-boarding
– P&P
• You’ve selected, hired, and oriented the CO. Now what?
• Here are the seven steps to creating a compliance program
• Create a job description and an organizational policy for the Officer and Committee
• Appoint a Compliance Officer with the right combination of education and experience
• Appoint a Compliance Committee
• Conduct a baseline assessment of your current compliance level
– Training and education
– Lines of communication
– Enforcement of standards
– Monitoring and auditing
– Response to detected offenses/corrective action
• Assess your current policies and procedures in the following risk areas:
– Quality of care
– Resident rights and safety
– Employee screening
– Billing and claims submission
– Cost reporting
– Kickbacks, inducements, self referrals
• Creation and retention of records
• HIPAA
• Anti-supplementation
• Medicare D plan selection
• Develop plan documents
– Compliance program document
– Code of conduct
– P&P addressing each risk area
• Train and educate
– Provide compliance training to all employees, officers, directors, owners upon hire and annually
– Create a training schedule for each risk area
• Audit and Monitor
– Develop audit tools for each risk area
– Schedule audits throughout the year
– Assign responsibility for audits
– Develop a reporting mechanism for audit results
• Review annually
– Celebrate progress
– Identify areas where you can advance compliance even further
• Stay current
– Monitor and incorporate updates into your Compliance Program
• New regulations
• OIG updates
• Recent enforcement actions
• Who has a CO in place?
• Do they hold another position within the facility? What is it?
• What do they do?
• Is there anything else you think they should do?
• What advice would you give others about recruiting, selecting, hiring, and employing a CO?
• Your Compliance Officer is the key to a successful program.
• Use this discussion as the catalyst for the development of a fully operational Compliance Program led by an outstanding Compliance Officer!
Elizabeth Parker, JD
Management Performance Associates
• Waste (unnecessary services)
• Patient safety
• Quality of care
• Fraud and abuse
• Claims processing errors – Medicare payments for Part B claims with G modifiers
• Payments for services after beneficiaries’ death
• Adverse events in post-acute care for Medicare beneficiaries
• Use of atypical antipsychotic drugs
• Communicable disease care
• Medicare requirements for quality of care
• Medicaid waivers – adult day health care services
• Hospices – marketing practices and financial relationships with SNFs
• Payments for alien beneficiaries unlawfully present in the U.S. on the dates of services
OIG Finds 25% of SNF Claims Faulty
• 20.3%: Claims with an inaccurate RUG (upcoded)
• 2.5%: Claims with an inaccurate RUG (downcoded)
• 2.1%: Claims that did not meet Medicare coverage requirements
• Increase and expand review of SNF claims
• Identify SNFs that are billing for higher paying RUGs
• Monitor compliance with new therapy assessments
• Change the method for determining how much therapy is needed
• Improve the accuracy of MDS items
• Follow up on the SNFs that billed in error
• Fairfax Nursing Center
• $700,000
• Knowingly submitting claims for nonreimbursable therapy
• How can we prepare for increased review of SNF claims?
• $100 maximum per violation
• $25,000 yearly limit for identical violations
• $0 if unaware of the violation
• Did not know/would not have known
At least $100, max. $50,000 per violation
• Reasonable cause but not willful neglect
At least $1,000, max. $50,000 per violation
• Willful neglect, corrected in 30 days
At least $10,000, max. $50,000 per violation
• Willful neglect, not corrected 30 days
At least $50,000 per violation
* For identical violations in a calendar year, $1.5M max
• Up to $250,000
• Up to 10 years imprisonment
• Health System, $4.3 Million
• Hospital, $1 Million
• Health System, $865,000
• Former Employee, 4 months in jail
• Health System
• Face sheets and unencrypted digital files of patient information were stolen
• Sued for $50 million
• The Privacy and Security Rules protect PHI: information that can identify a patient and relates to the patient’s health condition, treatment, and payment for treatment.
• PHI can be used for treatment, payment, and health care operations. For any other purpose, the use must have a patient authorization, or be permitted by written HIPAA policies and procedures.
• HIPAA keeps us on a “need to know basis.” If you don’t need to access PHI to do your specific job or provide patient care, don’t access it.
• When you need to share PHI, keep others on a need to know basis as well—only share the minimum necessary PHI to accomplish the task.
• Right to receive Notice of Privacy Practices
• Right to access their own PHI
• Right to request to amend their PHI
• Right to request confidential communication (e.g. cell phone or office number only)
• Right to request an accounting of disclosures of their PHI
• Right to give permission to discuss PHI with family & friends
• Change passwords frequently, never share
• Lock laptops and other devices
• Log off when you leave your desk; use automatic log-off
• Don’t download software or install hardware without approval
• Avoid sending PHI over e-mail. When e-mail is required, follow policy.
• Avoid discussing patients in public spaces or areas where you can be overheard.
• Keep patient files and other documents with PHI on them locked away, or placed upside down so they can’t be seen.
• Lock your computer screen. Position your monitor so people cannot see your screen when they walk by
• Verify identity of anyone requesting PHI
• Do not leave PHI on printers, fax machines, copiers
• Do not leave PHI on your workstation
• After using PHI, destroy copies using the shred bin
• Only remove PHI from work if absolutely necessary. Never leave PHI unattended or in your car
• Call IT if your smart phone is lost or stolen
• Do not store passwords on your PDA
• When PHI is breached (stolen, lost, hacked, inadvertently given to the wrong party, etc.), must notify the patient(s) involved, the government, and sometimes the media.
• If you learn of a potential breach, immediately notify your privacy officer
• August 273, 2012: First settlement involving the HITECH Breach Notification Rule
• Blue Cross Blue Shield of TN paid $1.5M
• Impermissible uses and disclosures of PHI
• Lack of safeguards of PHI
• Lack of patient access to their PHI
• Uses or disclosures of more than the minimum necessary PHI
• Lack of administrative safeguards of ePHI
• Required by HITECH
• 150 audits by the end of this year
• Must provide P&P within 10 days
• Site visit
• Privacy Rule policies, procedures, forms
• Security Rule risk assessment, P&P
• Business Associate Agreements
• Breach notification P&P, forms
• Training
• http://www.hhs.gov/ocr/privacy/index.html
• Do you trust your employees?
• “It’s just Facebook,” “I’ll post what I want”
• Photos of residents are PHI
• Patient name not required
• Educate your employees about social media use
• E.g. smartphones, tablets, laptops
• Settlement: $1.5 Million
• www.healthit.gov
• http://oig.hhs.gov
• LeadingAge Hotline
• CMS Survey & Certification
• http://www.hhs.gov/news/email/index.html
• MPA Compliance Updates
Elizabeth Parker, JD, General Counsel & Compliance Manager
Andrew Buffenbarger, MBA, LNHA, Managing Associate
www.healthcareperformance.com
MPA works with healthcare providers who want to ensure they meet the strict and ever-changing Federal criteria for compliance programs. We are uniquely qualified to manage every stage of compliance program development, implementation, and ongoing management.
This presentation is copyrighted, © 2013 Management Performance Associates
Management Performance Associates is not a law firm and does not provide legal advice. If you have any questions about how compliance applies to your organization, please contact your attorney.