It is tough being a provider today. Providers are expected to provide top quality clinical care to their patients and comply with the myriad of rules and regulations governing health care providers at the federal and state level, in additional to rules and regulations instituted by third party payors. Failure to comply can result in serious repercussions, including an audit and subsequent overpayment demand in connection with services previously rendered and paid for, criminal action, financial penalties and potential loss of license. In order for providers to help reduce their exposure to an audit or investigation, it is recommended that providers implement a compliance plan addressing many of these “targeted” areas, including appropriate documentation and coding. Among other things, an effective compliance program helps to establish the culture of compliance for an organization, and correct problems and potential issues before they escalate. In other words, providers should be “proactive” rather than “reactive”. Additionally, an effective compliance plan may speed and optimize proper payment of claims, minimize billing mistakes, and avoid conflicts with the self-referral and anti-kickback statutes.
New York’s Office of the Medicaid Inspector General (OMIG) requires that providers maintain compliance programs if they meet certain criteria as follows: The organization submits claims or orders (or can be reasonably expected to submit claims or orders) for Medicaid services or supplies of at least $500,000 in any consecutive twelve (12) month period; The organization receives (or can reasonably expect to receive) Medicaid reimbursement-directly or indirectly-of at least $500,000 in any consecutive twelve (12) month period; The organization submits Medicaid claims of at least $500,000 in any consecutive twelve (12) month period on behalf of another person or persons; or The organization is subject to Article 28 or Article 36 of the NYS Public Health law or Article 16 or 31 of the NYS Mental Health Hygiene Law. All Medicaid providers subject to New York’s Mandatory Compliance Program Obligation must certify by 11:59pm on December 31st that they have in place a compliance program meeting the applicable requirements. The certification is completed using a form provided by OMIG on its web site which has been recently updated. Specifically, there are now five (5) separate categories on the certification form as follows: (i) Annual Certification, (ii) Enrolling Provider Certification, (iii) Revalidating Provider Certification, (iv) Certification After Correcting Insufficiencies Identified in a Compliance Program Review, and (v) Certification After Receiving Notice of Regulatory Action for Failing to Complete Your Annual Certification.Applicable Medicaid providers are also now required to include their Provider ID and National Provider Identifier Number (NPI) on the certification. Additionally, multiple Provider IDs may be able to be submitted in a single certification form provided the following conditions are met: (i) The same compliance program applies to all Provider IDs listed on the certification form; (ii) The Certification Category chosen is the same for all Provider IDs; (iii) The Compliance Officer is the same for all Provider IDs; (iv) The Certifying Official is the same for all Provider IDs (the Certifying Official must be someone other than the Compliance Officer); and (v) All Provider IDs reported on the certification have the same FEIN.
As per OMIG, the purpose of this program is “to enhance the integrity of the NYS Medicaid program by preventing and detecting fraudulent, abusive, and wasteful practices within the Medicaid program and recovering improperly expended Medicaid funds while promoting high-quality patient care.” There are eight (8) elements described by OMIG that are required in every compliance program. The eight (8) elements are as follows:
Element 1: Written policies and procedures that describe compliance expectations as embodied in a code of conduct or code of ethics.
Written standards and procedures are a key component to an effective compliance program as they help to identify and address the practice’s risk areas. Potential risk areas for physician practices may include (1) coding and billing; (2) reasonable and necessary services; (3) documentation; and (4) improper inducements, kickbacks and self-referrals.
Element 2: Designation of an employee vested with the responsibility for the day-to-day operations of the compliance program.
In order to streamline the compliance process, a compliance officer/contact should be designated. This person should be responsible for the following: Overseeing and monitoring the implementation of the compliance program; Establishing methods, such as periodic audits, to improve the practice’s efficiency and quality of services, and to reduce the practice’s vulnerability to fraud and abuse; Periodically revising the compliance program in light of changes in the needs of the practice or changes in the law and in the standards and procedures of Government and private payor health plans; Developing, coordinating and participating in a training program that focuses on the components of the compliance program, and seeks to ensure that training materials are appropriate; and Investigating any report or allegation concerning possible unethical or improper business practices, and monitoring subsequent corrective action and/or compliance.
Element 3: Training and education of all affected individuals on compliance issues, expectations and the compliance program.
If a practice’s staff is unfamiliar with the terms of the compliance program, the compliance program is unlikely to be successful. Accordingly, all employees should receive training on how to perform their jobs in compliance with the practice’s standards, and employees should understand the significance of compliance with respect to their jobs.
Element 4: Communication lines to the compliance officer that are accessible to all affected individuals to allow compliance issues to be reported.
Employees need to feel like they can communicate any concerns regarding compliance they may have. Employees should be made aware that they should report conduct that may be deemed to be fraudulent. There should also be a mechanism outlined by which employees would make such reports.
Element 5: Disciplinary policies to encourage good faith participation in the compliance program.
Having a compliance program is useless unless employees are made aware of the compliance program, and actually understand the requirements. Employees should regularly acknowledge receipt and review of the compliance program, and be made aware of any updates.
Element 6: System for routine identification of compliance risk areas and non-compliance.
Self-auditing is one of the best ways to ensure practice compliance with State and Federal billing and coding laws, as well as kickback and self-referral laws and regulations. Conducting self-audits can help determine whether bills are accurately coded and accurately reflect the services provided (as documented in the medical records); documentation is being completed correctly; services or items provided are reasonable and necessary; and any incentives for unnecessary services exist.
Providers should consult with a coding/billing expert and work with their legal team to conduct internal audits and external audits to determine whether the practice complies with applicable rules and regulations.
Element 7: System for responding to compliance issues when raised, for investigating and correcting problems.
Providers also need to determine the consequences or ramifications of non-compliance, including for instance documentation of non-compliance in the employee’s file. Other instances of non-compliance, including billing errors and potential overpayments, may require the advice of an attorney as notifications may have to be made.
Element 8: Policy of non-intimidation and non-retaliation for good faith participation in the compliance program.
In order to encourage employees to participate in the compliance program and report instances of non-compliance, it is important for employees to understand that they will not be retaliated against if they participate in good faith.
Although the “Compliance Questions” are no longer a separate section, they are incorporated into the Certification Section which includes a compliance self-assessment form. OMIG has recommended that practices conduct the self-assessment prior to completing the Certification Form, as false statements on the Certification Form can result in serious repercussions.
Although a compliance program it is not required for providers at the federal level, it is certainly advisable as the U.S. Department of Health and Human Services’ Office of the Inspector General (OIG) has set forth guidelines for voluntary compliance plans for individual and small group practices. While adopting all of the components may not be feasible for a small practice due to staffing and financial restraints, integrating at least some of the components may reduce a practice’s exposure to liability. As per the OIG, the following seven (7) components provide a solid basis upon which a physician practice can create a voluntary compliance program. Although most of them align with the OMIG guidelines, there are a few differences.
Element 1: Conduct internal monitoring and auditing
Element 2: Implement compliance and practice standards
Element 3: Designate a compliance officer or contact
Element 4: Conduct appropriate training and education
Element 5: Respond appropriately to detected offenses and develop corrective action
Element 6: Develop open lines of communication with employees
Element 7: Enforce disciplinary standards through well-publicized guidelines
Each year, the OIG identifies in its Work Plan various projects that are underway or planned to be addressed during the fiscal year. These projects should be reviewed, and the practice’s compliance plan be updated as necessary to address areas of potential risk. As of August 2018, certain items were added to the OIG Work Plan including opioid abuse; physicians billing for critical care evaluation and management services; and Medicare payments for clinical diagnostic laboratory tests. The OIG has also recently launched a new compliance resource portal, compiling some of its resources into one user-friendly webpage.
It is also imperative that providers comply with the applicable rules and regulations governing employers in general. For instance, as of October 9, 2018, every employer in the New York State is required to adopt a sexual harassment prevention policy that meets the following standards at a minimum:
- prohibit sexual harassment consistent with guidance issued by the Department of Labor in consultation with the Division of Human Rights;
- provide examples of prohibited conduct that would constitute unlawful sexual harassment;
- include information concerning the federal and state statutory provisions concerning sexual harassment, remedies available to victims of sexual harassment, and a statement that there may be applicable local laws;
- include a complaint form;
- include a procedure for the timely and confidential investigation of complaints that ensures due process for all parties;
- inform employees of their rights of redress and all available forums for adjudicating sexual harassment complaints administratively and judicially;
- clearly state that sexual harassment is considered a form of employee misconduct and that sanctions will be enforced against individuals engaging in sexual harassment and against supervisory and managerial personnel who knowingly allow such behavior to continue; and
- clearly state that retaliation against individuals who complain of sexual harassment or who testify or assist in any investigation or proceeding involving sexual harassment is unlawful.
Employers should review their existing employee manuals and policies in order to ensure that they are up to date and reflect any changes in applicable law. If an employer does not have an employee manual, this is a good time to implement an employee manual. Although some employees may be subject to the terms and conditions of an employment agreement, not all employees have such an agreement. Therefore, having a comprehensive employee manual that is up to date and comprehensive is critical in order to inform the business’ employees—in a positive yet clear manner–what the employer can expect from them (i.e. what their hours are, start time, job duties, and behavior in the office) and what they can expect from the employer (i.e. overtime), as well as the consequences of violating any policies of the employer (i.e. probation or termination). The employee manual is also a good place to highlight the benefits that are offered to employees (as well as eligibility), including for instance family leave, health insurance, retirement benefits, life insurance, disability insurance, and paid time off. If the employer is located in New York City, the employer must also be cognizant of the New York City Paid Sick Leave Law which requires that employers with five (5) or more employees who work more than eighty (80) hours per calendar year in New York City provide paid sick leave to employees who work in New York City. Employers with one (1) to four (4) employees who work more than eighty (80) hours per calendar year in New York City must provide unpaid sick leave. As per applicable law, employers in New York City are required to provide notice of these rights to their employees, as well as provide a policy to their employees regarding their sick leave policy. The policy can be incorporated into the employee manual.
In today’s healthcare climate, more and more practices are being subject to audits to verify compliance with federal and state rules and regulations, as well as audits of the practice’s records in connection with potential overpayments. Establishing an effective compliance plan taking into consideration applicable federal and state rules and regulations can be a sure-fire way for providers to avoid or limit potential liability while allowing providers to focus on providing care to their patients.
About the Authors:
Mathew J. Levy, Esq. is a Principal of Weiss Zarett Brofman Sonnenklar & Levy, PC. Mr. Levy is nationally recognized as having extensive experience representing healthcare clients in transactional and regulatory matters. Mr. Levy has particular expertise in advising health care clients with respect to contract issues, business transactions, practice formation, regulatory compliance, mergers & acquisitions, professional discipline, criminal law, healthcare fraud & billing fraud, insurance carrier audits, litigation & arbitration, and asset protection-estate planning. You can reach Mathew Levy at 516-627-7000 or email@example.com.
Stacey Lipitz Marder is senior counsel at Weiss Zarett Brofman Sonnenklar & Levy, PC with experience representing healthcare providers in connection with transactional and regulatory matters including the formation and structure of business entities, negotiating and drafting contracts and commercial real estate leases, stock and asset acquisitions and general corporate counseling. Ms. Marder also has experience advising healthcare clients on a wide range of regulatory issues including Stark, the Anti-Kickback Statute, fraud and abuse regulations, HIPAA, reimbursement and licensing matters.
Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a Long Island law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors’ rights, and commercial real estate transactions.
ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.