Corporate Compliance: Critical to Organizational Success

Executive Summary

• Operation Restore Trust (0RT) has focused increased governmental attention on health care fraud and abuse activities, making it more costly to be noncompliant, and thus has led to significant behavioral changes within the health care industry.

• Initially five states (California, Florida, Illinois, New York, & Texas) were included in the 1997 ORT pilot program. This has been expanded to include Arizona, Colorado, Georgia, Louisiana, Massachusetts, Missouri, New Jersey, Ohio, Pennsylvania, Tennessee, Virginia, and Washington.

• The author presents a road map for developing of a compliance program that includes suggested strategies for staff training in anticipation of heightened scrutiny of compliance standards and procedures.

• Effective Corporate Compliance Programs (CCPs) should include policies and procedures and monitoring systems that can provide reasonable assurance that fraud, abuse, and systematic billing errors are detected in a timely manner.

In recent years, we have seen government initiatives, designed to detect fraud and abuse, as well as federal sentencing guidelines and whistleblower suits serve as catalysts in bringing about change in the health care delivery system. These government strategies, coupled with President Clinton's affirmation that combating fraud and abuse in the Medicare and Medicaid programs is a "top personal priority," make it more costly to be noncompliant and more rewarding to report noncompliance.

The health care industry faces a growing challenge from private insurance payers, the Medicare and Medicaid programs, and law enforcement entities at all government levels. The challenge today is to conduct business, including treatment, billing, and relationships with other health care providers, in compliance with a variety of laws, regulations, and program requirements. Many of these laws, regulations, and requirements are ill-defined in their practical application, but all a-re designed to assure that "normal" business practices do not cross over into intentionally designed health insurance system abuse. When discovered, fraudulent and abusive practices are dealt with by a wide range of enforcement actions, including application of administrative sanctions, such as exclusion from Medicare or Medicaid participation; civil and criminal monetary penalties; and criminal prosecution. Criminal penalties and incarceration are other methods of dealing with corporations and those individuals who violate program integrity.

Because of the interpretive and subjective nature of these limits on business activity, never have health care providers been more at risk. Subsequently, the number of providers turning to CCPs in order to assess and control this risk is growing. Moreover, federal authorities now expect to see corporate compliance programs in place when auditing or investigating. When they do not, they exact harsher, more severe penalties if wrongdoing is discovered.

Background

In May 1997, Department of Health and Human Services (HHS) Secretary Donna E. Shalala announced the expansion of Operation Restore Trust (ORT). ORT, a 2-year demonstration project launched in May 1995, was designed to test several innovative approaches in combating fraud and abuse in the Medicare and Medicaid programs. The project initially targeted five states - California, Florida, Illinois, New York, and Texas - where collectively, more than one-third of all Medicare and Medicaid beneficiaries live. The principal goal of ORT was to increase enforcement in health care programs where the government believed that fraud and abuse were prevalent. The critical elements of the initiative included guaranteed funding for antifraud and abusive activities carried out by HHS and its agencies; a coordinated "partnering" effort involving multiple federal and state agencies; local control over these programs; and a focus on specific high-growth program areas, including home health agencies, nursing homes, hospice care, and durable medical equipment suppliers. The expansion and extension of the project beyond the original five in the demonstration project indicates that health care fraud and abuse investigations will continue.

The Office of inspector General (OIG) FY '96 medical and audit review of a statistical selection of 600 beneficiaries nationwide with 5,314 fee-for-service claims processed for payment during 1996 revealed that 1,577 claims (30% of all claims reviewed) did not comply with Medicare laws and regulations. The report estimated that the dollar value of improper Medicare benefit payments made during FY'96 was $23.2 billion, or about 14% of the $168.6 billion in processed fee-for-service payments reported by HCFA. Of this total the report estimated that improper home care claims accounted for $3.6 billion, 15.74% of the improper payments (Gibbs-Brown, 1997). Further, in a report dated July 17, 1997 from the Inspector General, June Gibbs-Brown, to Bruce Vladek, then administrator of HCFA, the four leading causes of improper Medicare payments were revealed:

1. Insufficient or no documentation (46%).

2. Lack of medical necessity (36.78%).

3. Incorrect coding (8.53%).

4. Noncovered or unallowable services (5.26%).

The OIG FY '97 medical and audit review revealed that Medicare paid out $20.3 billion, or 11% of its total outlays, on improper claims. On April 4, 1998, Gibbs-Brovtrn reasoned, "Compared with the 14% error rate that the OIG found in FY '96, the new figures suggest that overall Medicare claims accuracy is improving" (Schorr, 1998, p. 9). For example, "claims of all kinds submitted without any documentation accounted for only $850 million of the FY '97 erroneous payments, compared with more than $3 billion a year earlier" (Schorr, 1998, p. 9).

To its credit, ORT has effectively curtailed some fraud and abuse and contributed to behavioral changes throughout the health care industry - so much that over the next 3 years, the project's geographic focus will expand to include all 50 U.S. states.

0VER the past 5 years, the incidence and impact of qui tam lawsuits and dollar amounts recovered has increased dramatically. Qui tam lawsuits are filed when the "whistleblower," who could be a former or current employee, consumer, competitor, or even a government agent, feels he or she has no other alternative than to report an alleged problem within the organization to the government. The False Claims Act authorizes suits initiated by qui tam plaintiffs and offers the incentive of collecting up to 25% of the government's ultimate recovery in the case, which has led to an increase in these suits. Furthermore, over 50% of cases filed (530) in 1997 were homehealth related (Department of justice [DOJ], 1997) (see Figure 1). Recoveries as of October '97 were $625 million (DOJ, 1997) (see Figure 2). Had these agencies had an effective corporate compliance plan in place, the amount recovered could have been much less.

In reviewing the current literature, we see the terms "corporate compliance plan" and "corporate compliance program" used interchangeably. However, the two are not the same. A CCP is actually an umbrella term for the sum total of a corporation's efforts to comply with the various laws and regulations the corporation faces and to project itself as a "good corporate citizen." A corporate compliance plan on the other hand, is a detailed document designed to address specifically those areas identified as presenting the corporation with significant liability. For example, based on areas identified as risks, an organization's billing department may have its own specific, separate compliance plan, apart from the Medical records department.

Benefits

• Providing agencies with a more accurate view of its employees' behaviors.
• Identifying and ferreting out criminal and unethical conduct.
• Designing a plan specifically for the needs of the home care provider.
• Creating a compliance plan for efficient dissemination of information relating to changes in the government requirements.
• Establishing a structure which encourages employees to report concerns internally rather than externally, which may reduce the risk of governmental investigations.
• Lastly, compliance programs make good business sense.

Penalties

Organizations that do not develop an effective CCP run the risk of having to deal with the potential consequences for not being in compliance, including:

• Probation and a court-imposed, government-designed program.
• Fine set at an amount sufficient to divest the organization of all of its net assets.
• Exclusion from the Medicare and Medicaid programs.
• Management liability.
• Stockholder lawsuits.
• Qui tam lawsuits.

How to Develop a Compliance Program

1. Compliance standards and procedures.
2. Overall compliance program oversight by high-level personnel.
3. Due care delegating authority.
4. Employee education and training.
5. Monitoring, auditing, and reporting systems.
6. Consistent enforcement and discipline.
7. Response and corrective action.

• What are the current sources of compliance risk?
• How do the leaders and staff view compliance?
• Who is responsible for compliance-related tasks?
• Has there been anyone contacted by the government or other parties regarding compliance?
• How is regulatory information disseminated through the organization?
• What policies are in place for handling billing errors or denials?
• What actions are taken for resolving recurring billing issues?
• How are billing and coding staff evaluated?
• What process, if any, is used to evaluate billers' accuracy?

• Billing for services not provided.
• Plan of cares not signed by physicians.
• Falsifying physician signatures.
• Backdating physician signatures.
• Physician consultation and administrative fees.
• Kickbacks.
• Cost report fraud.

After the risk assessment and interviews have been completed, the next step is to develop a compliance program using the Federal Sentencing Guidelines (1991).

Establishing Compliance Standards and Procedures

Guideline: The organization must have established compliancestandards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal conduct.

Using the information identifying the areas of risk, the next step is establishing and standardizing an organization-wide code of conduct. Creating a code of conduct ensures that all parties understand the expectations regarding compliance. A code of conduct should include:

• Ethical principles.
• Explanation of laws.
• Schedule for amending the code of conduct.
• A vehicle to report potential compliance issues.
• A nonretaliation policy for whistleblowers.
• Description of disciplinary measures.

The code of conduct should also address qui tam suits under Federal False Claims Act, 31 U.S.C. §3729. The compliance plan should take measures to prevent employees from withholding damaging information related to fraudulent or abusive corporate conduct. A method for relating fraud and abuse to senior management should be established within the organization so it would not be possible for a person knowing of fraud to disclose it to the government before disclosing it internally. Once the code of conduct and compliance plan are developed, they should be submitted to and approved by the board of directors or top officers in the organization.

Overall Compliance Program Oversight

Guideline: Specific individual(s) within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with such standards and procedures.

Once the code of conduct has been created, the daily tasks regarding corporate compliance should be managed by a delegated corporate compliance officer (CCO). This individual should be delegated with due care. It should be someone who has a vested interest in the organization, who can be trusted to always do the "right thing." If an agency decides not to hire a CCO, this function may fall to either the chief financial officer, executive director, director of quality insurance, or other high-level personnel. The role of the CCO includes:• Developing and updating compliance plans.

• Developing standards, policies, and procedures for investigating, reporting, and correcting problems and distributing to employees and others concerning compliance.
• Oversees and monitors adherence to compliance plans.
• Develops an open communication system. Provides ongoing communication to employees regarding compliance issues.
• Manages periodic audits.
• Assures that all employees are educated during orientation regarding compliance and ethics.
• Reporting to the CEO and board, as necessary.

An organization may also wish to appoint a compliance committee to provide oversight to all corporate compliance activities. The committee membership could include:

• CCO (as chair)
• Board chairman
• CFO
• Medical director
• Director of human resources
• In-house legal counsel. (Should attend when compliance-related decisions are to be made. Should not be involved with day-to-day oversight of the CCP, so as to remain objective should issues arise.)

The functions of this committee would be to:

• Analyze business and legal requirements of areas of high exposure.
• Assess existing policies and procedures.
• Approve standards of conduct.
• Monitor internal systems and controls.
• Determine general approach for compliance program,
• Develop and oversee problem resolution system.

Due Care in Delegation of Authority

Guideline: The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities.

New applicants. The organization should institute procedures to screen prospective employees to identify those who may have a propensity to engage in illegal activities, for example, previous illegal activity or disciplinary action for unethical behavior.

Current employees. The corporation should conduct ongoing employee training on the company's standards of conduct and the applicable fraud and abuse laws and regulations. Procedures should be established for monitoring employee performance and behavior. Employees who have knowingly engaged in illegal activity in the past should not be given responsibility in areas where there may be potential for similar activity. Employees who unknowingly engage in illegal activity, such as billing errors, should be educated to correct the problem or reassigned, if necessary. Procedures for reporting complaints to the CCO about an employee's behavior as well as any disciplinary actions taken against employees by management should also be included in the CCP. Policies and procedures concerning the organization's response to my employee who violates the standards of conduct (for example, disciplinary action or discharge) should also be integrated into the compliance program.

Employee Education and Training

Guideline: The organization must have taken steps to communicate effectively its standards and procedures to all employees and agents.

The next key component when developing a CCP is providing employee education and training. All newly hired employees should receive information about the existence of the organization's CCP in orientation. Current employees should receive updates and additional training on a regular basis. It is suggested that they sign a statement acknowledging they were trained on corporate compliance, and understand their responsibility to report any type of suspected wrongdoing. Additionally, participation at these inservices must be mandatory. Keep records of attendance and content and if appropriate, make the inservices bilingual. A variety of teaching methods can be used which target training to each audience. If an organization does not have the expertise to conduct these educational inservices, videos and/or outside consultants should be used to assist.

Monitoring, Auditing, and Reporting Systems

Guideline: The organization must have taken reasonable steps to achieve compliance with its standards.

Ongoing monitoring of compliance programs ensures that compliance standards are being met and identifies any potential new issues. Using internal and external auditors, monitoring should be done in each department at least annually and focus on those areas with the most exposure. Once a baseline has been established, look for deviations. Moreover, any deviations found should be made part of an overall quality assurance/performance improvement program. For example, if during chart audits a trend is found that Medicare patients have been seen who do not appear homebound, then part of the next quarter's QI plan should include training clinician's on homebound status. This should then be followed up with a subsequent audit of all new admits to evaluate the effectiveness of the training and compliance.

Consistent Discipline and Enforcement

Guideline: The standards must have been consistently enforced through appropriate disciplinary mechanisms, including as appropriate, discipline of individuals for failure to detect an offense. Adequate discipline of individuals responsible for an offense is a necessary component of enforcement, however, the form of discipline that will be appropriate will be case specific.

An effective compliance plan must incorporate a written discipline and enforcement policy that provides for the punishment of employees whose activities violate comphance standards and governmental rules and regulations. Employees who are aware of potentially fraudulent practices but fail to report or investigate them should also be disciplined.

Response and Corrective Action

Guideline: After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses - including any necessary modifications to its program to prevent and detect violations of law.

When an organization receives complaints or uncovers evidence of improper practices, it must demonstrate that it responded appropriately to the situation, by investigating reports of wrongdoing and correcting improper practices. When intentional wrongdoing has been uncovered, an organization will have to consider voluntarily reporting the results of its investigation to its fiscal intermediary or carrier, to the OIG, or to the U.S. Department of justice. It is recommended that legal counsel be consulted prior to any voluntary disclosures, as this carries substantial risks.

Conclusion

As aforementioned, ORT reported millions of dollars in recoveries from health care organizations in 1997. Other governmental initiatives have been developed with the sole purpose of detecting fraud and abuse in health care delivery. These governmental investigations could have a severe impact on health care agencies and their future business ventures if these organizations are unprepared in corporate compliance. It is foreseeable that the government will continue to intensify its enforcement activities. Effective programs should include policies and procedures and monitoring systems to provide reasonable assurance that fraud, abuse, and systematic billing errors are detected in a timely manner. A corporate compliance program can only be considered effective if it results in a well-informed employee population that (a) understands the plan's provisions, (b) knowshow to apply a code of conduct to work processes, and (c) knows who to contact with concerns about fraud and abuse. Lastly, the plan must be evaluated and updated as appropriate.

REFERENCES

• Department of Justice, Qui Tam Cases Filed and Recoveries. (1997, October). Available: http://www.taforg/taf/docs/pub.htmI
• Federal Sentencing Guidelines, 1991.
• Federal False Claims Act, 31 U.S.C. §3729.
• Gibbs-Brown, J. (1997). Results of Operation Restore Trust Audit of Medicare home health services in California, Illinois, New York and Texas (A-04-96-02121) (pp. 4-22) (Report sent to HCFA from OIG). Washington, DC: U.S. Government Printing Office.
• Schorr, B. (1998). OIG knocks DME claims for documentation & HHA claims for lack of necessity. Home Health Line, 23(18), p. 9.

• Federal Provisions Regarding Exclusion from Medicare and Medicaid 42 U.S.C. §1320 a-7.
• Fraud and Abuse Provisions from the Balanced Budget Act of 1997, §43014331.
• Haddad, L., Mulholland, D., & Casale, H. (1997). Rethinking corporate compliance: Survival strategies for the 21st century. Action Kit Seminars. Pittsburgh, PA.
• Stark, P. (1995). Comprehensive Physician Owneiship and Self-Referral Act (Stark I[) 42 U.S.C. §1395nn

Reprinted from Nursing Economic$, 1999, Volume 17, Number 1, pp. 15-19, 52. Reprinted with permission of the publisher, Jannetti Publications, Inc., East Holly Avenue Box 56, Pitman, NJ 08071-0056; Phone (609)256-2300; FAX (609)589-7463. (For a sample of the journal, please contact the publisher).