"Building a Partnership for Effective Compliance"
A Report on the Government-Industry Roundtable
April 2, 1999
BACKGROUND
On March 22, 1999, the Office of Inspector General (OIG) of the Department of Health and Human Services and the Health Care Compliance Association (HCCA) co-sponsored a government-industry roundtable. The roundtable discussions were an opportunity for the health care compliance industry to inform the OIG of issues surrounding the implementation and maintenance of compliance programs. The meeting was also an opportunity for the OIG to present the policy objectives underlying its corporate integrity initiatives and compliance program guidance.
The roundtable was devoted to discussion of a series of compliance-related topics proposed in advance by the participants. These subject areas were organized into ten discussion groups, each lead by a team of government and industry moderators. Each participant attended three sessions of the ten discussion groups during the day. At the conclusion of the day, the moderators presented a summary of the conversations that transpired at their respective discussion groups and allowed time for a question and answer period.
Over 125 compliance officers, health care compliance consultants and government representatives attended the day-long event. The participants represented a wide spectrum of institutional and individual provider organizations. Thanks to the collective efforts of all of the participants, the roundtable was judged to be a success by the great majority of the participants. The free exchange of ideas and differing opinions was constructive and took place in a positive atmosphere. Since the objective of this collaboration was to share perspectives on creating and implementing an effective compliance program, we did not attempt to reach consensus on the many issues that surround compliance with health care program requirements. However, we believe all of the participants gained new insights into the challenges associated with creating effective compliance programs.
In order to share these insights with a large audience, the roundtable moderators agreed to prepare a written summary of the discussions that took place at their respective breakout sessions. Because a number of themes were common to the different discussion groups, we have consolidated the moderators' reports into four topic areas: (1) developing a compliance program; (2) evaluating compliance effectiveness; (3) conducting internal investigations and self-disclosures; and (4) implementing a corporate integrity agreement. The views expressed in these summaries of the discussions do not necessarily represent the views of the OIG or the HCAA.
DEVELOPING A COMPLIANCE PROGRAM
Among the issues addressed in this topic were the scope of a compliance program, the areas and priorities on which to focus when crafting a compliance plan, the coordination of compliance efforts by different departments of an organization, the relationship between the "human resources" function and compliance, the challenges facing a compliance officer with multiple responsibilities, the outsourcing of compliance efforts, and the development of an adequate training program.
Designating the scope of a compliance program. The participants offered general support for including ethics and values as part of a compliance program. A concern was expressed that the OIG's compliance program guidances may appear to focus on compliance to the exclusion of ethics, even if this is unintended. Some participants felt that this failure of the OIG's guidances to highlight an ethics-based approach may discourage providers from adopting such an approach.
Representatives of small and rural health care providers expressed concerns about the costs associated with a comprehensive compliance function. Many cannot afford the cost of extensive employee screening, training and hotline services. Some providers that have made significant investments into human resource functions cannot maintain both offices at full capacity, nor can they meet all the requirements of the OIG's compliance program guidance. Cost is a major factor in implementing a compliance program and, as one attendee stated: "the more compliance you do, the more you have to do."
Identifying and responding to risk areas. In discussing how an organization determines the risk areas to focus upon for purposes of crafting a compliance program, participants indicated they mostly focus on what the government highlights, as identified through OIG compliance program guidances, special fraud alerts, OIG work plans and fraud settlements. Participants also receive input on possible risk areas from provider associations, peer groups, clients and employees. It was noted that the emphasis on federal health care programs may detract from the need to scrutinize the same issues when dealing with private payers.
The group observed that, in addition to externally-identified risk areas, risk assessments of a particular organization may reveal multiple compliance weaknesses that are specific to that provider and require corrective action and/or implementation of preventative measures. A provider's prior history of noncompliance with applicable laws or health care program requirements may indicate types of risk areas where the provider may be vulnerable and require necessary policy measures to be taken to prevent avoidable recurrence. Additional risk areas are often incorporated into the written policies, procedures and training elements developed as part of a provider's compliance program. Ultimately, providers find it essential to document the rationale for the choices made in prioritizing and addressing competing compliance issues, including the factors considered in making those choices.
Coordinating a compliance program among different departments or subsidiaries. The general view among participants was that entities need to coordinate a single compliance program among the different units. Strong communication among the different divisions on compliance issues was viewed as critical. For large companies, one method is to have different units represented in the compliance committee, with a compliance person in each major business unit. Generally speaking, individuals who serve on compliance committees are heads of the following departments within an organization: human resources, internal audit, patient accounts, legal, billing, medical practice billing, and information technology. Some chief financial officers and chief executive officers also participate on the committee. Smaller providers, which may not have a designated compliance committee, can put together a task force (based upon the issue) to address compliance concerns as they arise.
Addressing human resources issues associated with the compliance function. Participants noted overlaps in the responsibilities of a human resources department and the compliance function. Close collaboration between these two functions in the areas of training, hiring, and disciplining, as well as the establishment of hotlines with complaint follow-ups is considered necessary. Cross-training between the two components would lead to a better understanding of each other's responsibilities and duties. This is especially true in cases where both functions must share responsibilities, such as the hotline and training.
Addressing potential conflicts for the compliance officer. The participants discussed the
possible conflict that may exist when a compliance officer holds other key management
responsibilities. From the experiences of the participants, this situation arises primarily at small
or rural health care providers where available financial resources or appropriate expertise make
such joint responsibility a practical necessity. The potential problems created by a compliance
officer having dual responsibilities could be addressed through the recognition of possible
competing responsibilities and the establishment of appropriate checks and balances within the
organization's compliance structure. Such checks and balances can be achieved by establishing a
strong and active compliance steering committee. Smaller health care providers have addressed
the issue by assigning compliance to well-respected managers with a perceived sensitivity to the
potential conflicts.
Enhancing the effectiveness of the compliance officer. Participants noted that compliance officers need to give prompt and clear responses to employee questions to maintain credibility. A compliance office's open door policy, particularly in smaller entities, can help foster good communication. However, compliance officers cannot be reactive only; there is a need to reach out to employees using such methods as field visits to work locations and polling employees about compliance and work issues. If employees know the compliance officer, they may be more likely to talk freely with that person. Employee communication can further be enhanced through creating a nurturing environment, having a strong policy against retaliation, the use of newsletters, exit interviews, and the application of technology such as e-mail and web sites.
Outsourcing Compliance Efforts. Participants from both large and small health care providers indicated that, with the exception of the adoption of codes of conduct, there is little that could not be outsourced to consultants or other compliance experts. Benefits of outsourcing compliance efforts include gaining access to compliance "best practices" by virtue of the consultant's broader exposure to the industry, verifying internal compliance processes and supplementing scarce internal resources. At the same time, the participants observed that relying on outside vendors had drawbacks. These included the potential for lack of institutional "ownership" of the compliance program and the failure to develop internal expertise that could lead to long term cost and operational efficiencies.
Hotlines were frequently cited as a compliance function that could be outsourced. Participants suggested that a health care provider interested in using an outside hotline vendor should look for one with prior health care industry experience. The cost of hiring an outside vendor to operate the hotline was considered a drawback, particulary given that participants claimed about 75% of the calls are related to human resource issues.
Developing an adequate training program. The participants agreed that compliance and human resources training should cover such topics as: code of conduct, ethics, compliance requirements, and corporate policies and procedures. Some participants indicated that they do "cascade" training that permits the training to evolve from the general to the specific. Comprehensive training in the areas of billing and coding was perceived as imperative.
There was no standard for how often compliance training should be conducted. Generally, some form of compliance education should take place once a year. However, for large providers with many regional or state offices, this could be very costly and time-consuming. It was noted that acquiring a training budget for compliance training was easier when the government requires it through a settlement and corporate integrity agreement.
EVALUATING COMPLIANCE PROGRAM EFFECTIVENESS
The topics addressed in this area of discussion included monitoring the functions of compliance programs and verifying their effectiveness. Since the existence of a compliance program can be used as a mitigating factor when determining culpability regarding allegations of fraud and abuse only if the compliance program was "effective," measurement techniques become very important. The participants indicated that, regardless of the organization's shape or size, measuring effectiveness is generally viewed the same way, although the size and structure of the plans would vary.
Assessing the effectiveness of a compliance program. The roundtable participants agreed that assessing the effectiveness of a compliance plan was an ongoing effort, requiring a continuous review of the program to verify that each of the seven core elements of the Federal Sentencing Guidelines is met. Communication with employees, department managers, and the board of directors was considered a key element in determining the effectiveness of a provider's compliance program. Three types of audits were recommended: (1) baseline audits (initial audits); (2) proactive audits (these can be based on the risk areas identified in the OIG's compliance program guidances or Special Fraud Alerts); and (3) issue-based (when the provider knows there is a problem and is trying to ascertain the depth of the problem). Some participants developed auditing teams composed of nurses to review claims both on a pre- and post-claim submission basis. Compliance officers for small providers recommended assembling the proper people together to discuss billing changes as specified in the contractor's bulletins. This team can then assign responsibility to a selected individual to ensure the change is implemented.
In order to establish compliance baselines and develop a trend analysis, the participants recommended an annual forensic review of major areas that have risk exposure linked to prior audit results. It was also suggested that providers develop benchmarks through routine audits, as well as the use of Medicare contractor statistics. Many of the participants noted that one of the largest impediments that they encounter, however, is finding qualified personnel to conduct the audits. Several indicated that they had previously received improper advice from consultants who had conducted risk assessments and evaluations of their respective organizations. The recommendation from the participants was to conduct thorough interviews of consultants prior to contracting with them.
Participants also remarked that the audits tend to be more reactive than proactive. Most of the participants relied heavily upon the OIG's work plan and past investigations by the OIG and the Department of Justice as a basis for establishing their audit work plans. Many of the participants expressed frustration that they were not able to take more proactive measures in their auditing and monitoring. One of the explanations for the reactive approach to audits was that compliance personnel expend most of their audit resources in response to internal investigations. In addition, many of the compliance officers noted the chilling effect that audits tend to have on individual physicians. As a result, the compliance officers had noted a trend toward down-coding and have been focusing their auditing and training efforts on promoting proper documentation, as opposed to detecting fraud and abuse concerns.
The participants had differing views on the size of the sample that was necessary to substantiate the validity of audit results. The OIG's "Provider Self-Disclosure Protocol" represents the OIG's view that an initial probe sample should consist of 30 units, at a minimum. By contrast, the Medicare Carrier's Manual requires a sample of 10 units. The participants believed, however, that defining the sampling unit was a fact-specific matter that depends largely upon the nature and objective of the inquiry. Another issue that was raised regarding the design of the audit plan was the use of retrospective reviews as opposed to prospective reviews. In general, the participants viewed prospective reviews as the favorable method. Prospective reviews tend to be less costly and less time-consuming. However, it was noted that there were situations in which retrospective reviews are necessary (e.g., in response to an investigation).
Demonstrating the effectiveness of a compliance program. Participants believed that documentation is the key to demonstrating the effectiveness of a provider's compliance program. Documentation of the following should be maintained: audit results; logs of hotline calls and their resolution; corrective actions plans; due diligence efforts regarding business transactions; disciplinary action; and modification and distribution of policies and procedures. Given that the OIG is encouraging self-disclosure of overpayments and billing irregularities, maintaining a record of disclosures and refunds to the health care programs was strongly endorsed. Records of employee education, including the number of training hours, the courses offered and the identities of the attendees are valuable and demonstrates to both the employees and outsiders that the provider is committed to its compliance program. Annual reports and web sites are another way to showcase a compliance program.
Documenting Contractor Guidance. Many individuals expressed frustration with reconciling the views of different individuals at the Health Care Financing Administration's (HCFA) contractors (i.e., intermediaries and carriers) and how to respond to conflicting advice received from them. The general feeling of the participants was that a provider receiving advice should: (1) document all communications with HCFA and its contractors in writing; (2) attempt to seek clarification with the HCFA Regional Office; and (3) if necessary, contact HCFA headquarters for any unresolved issues. Industry participants expressed a need for advice on how to address the varying documentation requirements and issues among payers. These participants would like to see HCFA develop a better system for providers to ask questions and obtain guidance on all billing/coding issues.
The Government's Assessment of a Compliance Program's Effectiveness. Government participants in the roundtable cited a number of factors to be considered in evaluating the effectiveness of a provider's compliance efforts. Management's commitment to, and good faith efforts to implement, a compliance program may be measured by the funding and legitimate support provided to the function, as well as the background of the individual designated as the compliance officer. Whether there is "buy-in" by the provider's employees and contractors can be influenced by the sufficiency of training and the availability of guidance on policies and procedures. Evidence of open lines of communication and the appropriate use of information lines to address employee concerns and questions was also referenced. A documented practice of refunding of overpayments and self-disclosing incidents of non-compliance with program requirements was also cited as evidence of a meaningful compliance effort by a provider.
In general, government participants emphasized that the OIG considers the attributes of each individual element of a provider's compliance program to assess its "effectiveness" as a whole. Examining the comprehensiveness of policies and procedures implemented to satisfy these elements is merely the first step. Evaluating how a compliance program performs during a provider's day-to-day operations is critical in the process. In order to assess effectiveness, the OIG attempts to look beyond the paper representations regarding a program and assess how it is actually working in practice. For example, a training program that appears appropriate on paper would not be effective if none of the trainees retained the important information imparted during the training. Providers can assess the effectiveness of their programs by testing compliance goals against benchmarks. Both proactive and preventative measures are essential. The OIG does not believe that a compliance program can be expected to prevent any problems from arising.
INTERNAL INVESTIGATIONS AND SELF-DISCLOSURES
An inevitable consequence of an effective compliance program is the identification of practices that warrant an internal investigation and, when appropriate, disclosure to the government. Among the issues discussed in this topic area were determining the parameters and priorities of an internal investigation, the role of attorneys in internal investigations, and the procedures for self-disclosure under OIG's Provider Self-Disclosure Protocol.
Determining the Parameters of an Internal Investigation. The participants identified a series of questions that will guide the scope of an internal investigation:
Prioritizing issues that warrant an internal investigation. Participants reported that, as they implemented their compliance programs, a significant number of issues were identified as requiring further investigation. How a compliance officer should prioritize these investigations was a topic of considerable discussion. The following considerations were raised to help a compliance officer prioritize:
Withholding the results of an investigation when appropriate. Participants expressed great interest in the compliance officer and the provider's general counsel or outside lawyers working together to ensure that problems are reviewed in a timely and professional manner. Some concern was expressed about including attorneys in internal investigations merely to protect the investigative work product. Only true attorney-client communications were viewed as "privileged" within the context of an internal investigation. When the attorney-client privilege or the attorney work product doctrine are improperly asserted to cover the documents that are involved in an internal investigation, a provider risks losing the privilege for any documents. In addition, participants suggested that cloaking all aspects of an internal investigation under the protection of a privilege could be seen to be in conflict with the principles of forthright and honest transactions set out in a code of conduct.
Reporting evidence of non-compliance to the Government. The participants spent
considerable time discussing the circumstances under which the findings of an internal
investigation should be reported, and where to submit such a report. Participants believed that,
where billing errors, honest mistakes or simple negligence result in improper claims, the provider
should return the funds to the affected health care program. Reference was made to a number of
federal criminal laws that target wrongful conversion of health care program funds. In addition,
most states have escheat laws that govern the disposition of assets that do not belong to the
holder of the funds. A provider should consult with its Medicare contractor for guidance
regarding processing Medicare repayments and to establish the information that would be needed
to quantify the amount of the overpayment. When a problem has been rectified, the provider
should add the issue to its list of topics to be reviewed during internal monitoring and auditing
efforts.
Participants had more difficulty defining what constitutes a "simple billing mistake." The size of an overpayment would be one of the determining factors when deciding whether to refund an overpayment to a carrier or intermediary or to proceed through the OIG's Provider Self-Disclosure Protocol ("Protocol"). It was also suggested that the compliance officer determine if there was a pattern to the errors. Problems with a clear pattern may be a candidate for disclosure to the government, whereas an isolated problem with no clear pattern would be less likely to be a candidate.
Industry participants endorsed the recently-issued Protocol. The difficulty, some opined, lies in determining whether the matter is an "overpayment" that should be brought to attention of a HCFA contractor, or whether the discovered matter rises to the level of being "potentially violative of a federal criminal, civil or administrative law" and should be disclosed to OIG pursuant to the Protocol. All industry participants believed that all matters resulting in improper payments, however, must be resolved and refunds must be made. Some viewed the payment of refunds as a fundamental and routine part of doing business.
While the participants briefly discussed clear honest mistakes and patent unlawful conduct, they seemed most concerned and uneasy about those matters that fall in the "gray" areas; in the middle of the black and white spectrum. The determination must be made carefully, for the repercussions can be damaging either way. Rushing to label a finding a fraud without a proper inquiry can have irreparable effects. On the other hand, the careless or deliberate portrayal of a matter as not serious or less grave can have enormous punitive consequences. The need for thoroughness was uniformly expressed among the participants.
To many, thoroughness translates into asking some basic questions. What is the applicable standard? Did the provider have actual or constructive notice of the standard? Was it the result of intentional conduct or gross negligence? Would a reasonable provider operating in a highly-regulated environment have an obligation to inquire? How "material" is the matter discovered? Is it a purely financial matter or is quality of care also implicated? What is the loss to the federal health care programs?
Similarly, industry participants were concerned with the government's potential treatment of a disclosure, i.e., that a disclosure pursuant to the Protocol should not automatically result in multiple damages and penalties, or necessarily any settlement with the government. Such matters are evaluated by OIG in close coordination with the disclosing provider. OIG will make the initial determination regarding matters brought forward under the Protocol as to whether they warrant a referral to DOJ for further inquiry and potential prosecution or whether they merit a referral to a HCFA contractor for overpayment collection.
The role of a disclosing provider's counsel was viewed as important at certain stages. There was awareness by all participants as to the perils of abusing the protections of the attorney-client privilege and the work-product doctrine. Some providers also warned against the problem of focusing on "lawyerly" investigations and the operational and business need to "fix" a problem. While not incompatible, these two approaches can create conflict within the organization.
Overall, participants believed that self-disclosure activities should be "built into" the provider's compliance program.
CORPORATE INTEGRITY AGREEMENTS
Among the issues addressed in this topic area were how the OIG incorporated the elements of a CIA into an existing compliance program, oversight of providers subject to a CIA, and the mechanics of operating under a CIA.
Negotiating and implementing CIAs. As explained by the OIG representative, CIAs are negotiated on an individual basis, subject to certain standard provisions. In determining the necessary terms of a CIA, the OIG considers the conduct that resulted in the enforcement action, the culpability of the provider, the corrective actions taken, the resources of the provider and other relevant facts and circumstances. CIAs generally have a five year term, but can be as short as three years. Where a large hospital system or other chain enters into a CIA, the determination of the scope of the CIA (i.e., single facility or chain-wide) will consider the origin of the problem (e.g., isolated or part of a system-wide lack of controls), and the actions taken by the system to remedy the problem. CIAs generally require certain measures reflecting the sentencing guidelines (e.g., training, confidential disclosure program, and code of conduct). In addition, the OIG will require audits of providers, periodic reporting to the OIG, and breach and default provisions.
Some participants suggested that the OIG should consider an "early release" from CIA requirements if the provider has performed well under the CIA during the first several years. They also sought more guidance from the OIG on the scope of auditing requirements. It was noted that the newer CIAs contain more specificity than older agreements and that both the OIG and the private sector should work toward reaching standards for internal controls and compliance audits.
Adapting a CIA to a voluntary compliance program already in place. Although few of the participants had compliance programs in place when they entered into a CIA, there was a strong belief that such a situation will likely be the norm in the future, particularly with large providers such as hospitals. With the exception of the outside auditing and reporting requirements, CIAs generally require the same measures that a provider with a comprehensive compliance program would already have in place. For example, most requirements of recent CIAs with hospitals are similar to measures recommended in the OIG's Compliance Program Guidance for Hospitals. As a result, having a compliance program in place is expected not only to prevent and detect problems, but also ease the transition to implementing a CIA.
Monitoring of CIAs by the OIG. As the government representative explained, the Compliance Unit of the Civil Recoveries Branch of the Office of Counsel to the Inspector General assigns one of its staff members to each provider operating under a CIA. This person is responsible for monitoring the provider's compliance with the CIA and will act as a liaison to the provider's compliance officer. CIAs require the submission of written reports to the OIG. Almost all CIAs require an implementation report due after the initial deadlines for implementing CIA requirements, as well as annual reports for each year of the CIA. The compliance unit will assess every report to determine whether the provider has complied with its requirements. As appropriate, the OIG will follow up with the provider through written and oral communications.
Several participants expressed interest in working more closely with the OIG regarding issues that arise under a CIA. Some expressed concern that if they raised issues the OIG may try to use that against the provider. Those compliance officers who have contacted the OIG's compliance unit reported that such contacts had been helpful and non-confrontational. In addition to monitoring written reports, the OIG also conducts site visits of providers operating under CIAs. The OIG meets with compliance staff and management of the provider and also with others at the facility to try to gauge the effectiveness of the provider's compliance efforts. A participant who recently experienced such an on-site audit relayed positive comments about the audit and the opportunity to educate the OIG as to the organization's operations. Such an opportunity allows the OIG to more effectively monitor a provider's compliance efforts in the context of its day-to-day operations.
The role of an Independent Review Organization in the CIA process. It was noted that many recent CIAs require an independent review organization (IRO) to perform a billing review and a compliance review. In other cases, the provider's internal audit team is permitted to conduct the billing review, subject to oversight by an IRO. In deciding whether to permit internal billing and compliance reviews, government representatives cited several factors, including the existence of an effective compliance program, a history of voluntary self-disclosures and the expertise of the provider's internal auditing staff to conduct such reviews.
Some participants felt that an IRO should be a firm that does not do any other business for the provider. Most participants took a less restrictive view and felt that the firm that does the compliance review should not be a firm that was involved in the formulation or implementation of the provider's compliance program.
Notifying the OIG about identified overpayments when operating under a CIA. The group discussed the definition of a "material deficiency" triggering reporting requirements to the OIG and the fact that the standard has evolved over time. However, the definition is still somewhat subjective. Several categories of matters are required to be reported: large overpayments, overpayments related to systemic weaknesses in the provider's controls, conduct that appears to violate the law, and, in some cases, quality of care issues. Although some participants desired more certainty regarding what matters would trigger reporting, there was no concurrence on how to reach that goal.
The application of FOIA to a CIA Annual Report. Submissions pursuant to a CIA are subject to the Freedom of Information Act (FOIA). The OIG representatives explained that providers may assert that certain documents are exempt from disclosure under FOIA (e.g., trade secrets). Providers should only designate documents as FOIA-exempt if there is a good-faith basis for such a designation. The OIG will handle requests for documents submitted under a CIA under the normal FOIA process set forth in the regulations.
CONCLUSION
We are very pleased with the outcome of this collaborative effort between the OIG and health care industry representatives. At the roundtable, participants addressed many of the issues confronting compliance officers and staff. Participants gained new insights into the challenges of creating effective compliance programs and had the opportunity to experience perspectives on compliance from both the government and the health care industry. We believe that the outcome of the roundtable discussions will give all of us greater understanding of how the government and provider community can work together to protect the integrity of the health care system. Given the constructive discussion among the participants, consideration will be given to creating other opportunities for government-industry exchanges on these and other issues surrounding health care compliance plans.