ISDN. Over the past few years, the Office of the Inspector General. Assisting Network Members Develop and Implement Corporate Compliance Programs

Transcription

1 Information Bulletin #7 ISDN National Association of Community Health Centers, Inc. INTEGRATED SERVICES DELIVERY NETWORKS SERIES For more information contact Jacqueline C. Leifer, Esq. or Marcie H. Zakheim, Esq. Feldesman, Tucker, Leifer, Fidell & Bank LLP 2001 L Street N.W Washington DC (202) ; Fax: (202) MZakheim@feldesmantucker.com or Malvise A. Scott Vice President Division of Programs and Planning National Association of Community Health Centers, Inc Wisconsin Avenue, Suite 210 Bethesda, Maryland (301) ; Fax: (301) MScott@nachc.com This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is published with the understanding that the publisher is not engaged in rendering legal, financial or other professional service. If legal advice or other expert assistance is required, the services of a competent professional should be sought. Assisting Network Members Develop and Implement Corporate Compliance Programs Over the past few years, the Office of the Inspector General (OIG) within the U. S. Department of Health & Human Services (DHHS) has issued a number of compliance program guidances designed to aid specific sectors of the health care industry in developing and implementing voluntary corporate compliance programs. In general, compliance programs assist health care providers in uncovering and deterring fraudulent and wasteful behavior that adversely affects the government s health care programs, and help to educate Board members, management and staff about compliance with applicable laws and regulations. 1 While recommended for all organizations (regardless of type or size), implementing a corporate compliance program that is reasonably comprehensive, yet cost effective, can be a major challenge for any organization. Depending on its size, the organization may decide to launch a comprehensive corporate compliance program or to implement the program in stages over a defined period of time, such as a year. Most health centers already have internal controls in place that can be used as the program s foundation, making the process less burdensome. What is important, ultimately, is that the organization promptly establishes a compliance program that fits, i.e., that takes into account the health center s size, resources, complexity of operations, and compliance history. This Information Bulletin addresses the steps that Integrated Service Delivery Networks (ISDNs) can take to help their health center owners and/or mem- 1 Of particular importance to health centers is OIG Compliance Program for Individual and Small Group Physician Practices, 65 FR 59434, Oct. 5, October 2003 National Association of Community Health Centers, Inc.

2 bers develop and implement corporate compliance programs. It begins with an explanation of the critical elements of corporate compliance programs and why health centers should create such programs. The Information Bulletin further suggests ways that ISDNs can assist their members as they establish compliance programs, considers the steps that should be taken to ensure effective and successful development and implementation, and addresses the critical elements that are best left to the individual health centers. 2 conduct, improve the quality of patient care, and demonstrate its commitment to honest and responsible corporate conduct. The OIG recommends that organizations incorporate seven core elements into a corporate compliance program (see Text Box). The OIG guidelines permit all functions to be outsourced, e.g., to the ISDN. However, in order to be mindful of member relations, maintain the confidentiality of its health center owners /members sensitive information, and provide the members with flexibility to tailor compliance efforts to best suit their particular needs, we recommend that an ISDN assist in developing and implementing only a few of these elements. Thus, in our view, some elements of corporate compliance programs are better left to each health center to structure and implement individually. Each element will be discussed in detail below with recommendations for possible ISDN involvement. WHAT IS A CORPORATE COMPLIANCE PROGRAM? A corporate compliance program is a voluntary system of internal controls designed to ensure that health care providers (including health centers) regularly evaluate and monitor their own adherence to applicable statutes, regulations and program requirements. Additionally, a compliance program educates the provider s Board members, employees, contractors, and agents about complying with the laws and regulations that govern the health care industry. A compliance program helps the provider identify, prevent, and correct illegal and unethical SEVEN CORE ELEMENTS OF A CORPORATE COMPLIANCE PROGRAM (from OIG Compliance Program for Individual and Small Group Physician Practices, 65 FR 59434, Oct. 5, 2000) 1. Designating a compliance officer and/or committee to monitor compliance efforts and enforce practice standards; 2. Conducting internal monitoring and periodic auditing; 3. Implementing compliance and practice standards through the development of written standards and procedures; 4. Conducting appropriate training and education on the laws, rules, standards and procedures that apply to each employee s and contracted personnel s job responsibilities; 5. Developing open lines of communication to update employees and contracted personnel about compliance activities and to encourage the reporting of potential problems; 6. Investigating detected problems and developing and implementing corrective action; and 7. Enforcing disciplinary standards through well-publicized guidelines. 2 This Issue Brief is intended to give broad guidance to ISDNs about corporate compliance. ISDNs seeking guidance pertinent to their specific network should consult experienced legal counsel. National Association of Community Health Centers, Inc. 2 October 2003

3 WHY SHOULD ISDNS ASSIST THEIR MEMBERS IN CREATING CORPORATE COMPLIANCE PROGRAMS? As discussed above, an effective corporate compliance program promotes self-regulation by: Encouraging health center employees and contracted personnel to report potential compliance problems, Establishing a procedure for prompt and thorough investigations of alleged misconduct, and, as necessary, Implementing immediate, appropriate corrective actions. As such, a well-designed compliance program can optimize proper payment of claims, minimize billing mistakes, minimize exposure under Federal fraud and abuse statutes, and reduce the chances of an investigation by DHHS (or the State Medicaid agency). The OIG expects all providers, regardless of size or type, who participate in government health care programs to develop and implement corporate compliance programs. In the last year alone, the OIG investigated thousands of providers suspected of fraud and abuse or other activities deemed to be a risk to Federal health care programs or their beneficiaries. Non-profit health care providers are no exception. Because the civil and criminal sanctions are so severe (including exclusion from Medicare, Medicaid, and other Federal health care programs), ISDNs that assist their health center members in implementing voluntary corporate compliance programs are signaling to the OIG, their members, and the greater community their commitment (as well as that of their members) to compliance with required laws and regulations. It is noteworthy that implementation of a corporate compliance program is voluntary for most providers per the OIG guidelines. However, the regulations that implement Section 330 of the Public Health Service Act require health center Boards of Directors to ensure that their centers are operating in compliance with all applicable Federal, State, and local laws and regulations. 3 Development and implementation of a corporate compliance program can assist health centers in meeting this obligation. Typically, ISDNs strive to further health center goals by maximizing resources and reducing costs as they integrate and coordinate certain operational, administrative, financial and/or clinical functions of health centers. In this respect, ISDNs can play a key role in establishing and supporting their health center owners /members compliance program efforts. 3 These regulations can be found at 42 C.F.R. 51c.304(d)(3)(v) for community health centers and 42 C.F.R (d)(4)(vi) for migrant health centers. According to the Bureau of Primary Health Care, other types of Section 330-funded centers, such as those that serve homeless people or residents of public housing, are not bound by these regulations but may wish to look to these regulations for guidance. BPHC PIN 98-23, Program Expectations. 3 October 2003 National Association of Community Health Centers, Inc.

4 HOW CAN ISDNS ASSIST HEALTH CENTER MEMBERS? The OIG recognizes the need to allow smaller providers considerable flexibility in designing compliance programs, relative to the specific characteristics of each provider. In this respect, an ISDN can perform certain functions that will facilitate its owners /members compliance efforts while reducing the costs associated with such efforts. Generally, an ISDN is best suited to perform compliance programming support services, such as: 1. Develop plans and techniques by which its health center owners/members can audit and monitor their compliance with laws, regulations and policies in particular high risk areas (e.g. coding/billing, claims submission), as well as the corporate compliance program itself; 2. Design model or sample administrative and operational policies and procedures, as well as policies related to the compliance program that reflect changing laws and rules; and 3. Develop and conduct training and education programs for health center personnel and Board members on applicable laws, regulations and policies (and the compliance program itself). As a first step, the ISDN should appoint an individual as an ISDN compliance contact, who will work closely with the compliance officer of each owner/member center to ensure that the tasks outlined above are accomplished efficiently and effectively. Generally, an ISDN is best suited to perform compliance programming support services. Develop Auditing and Monitoring Plans and Techniques Health Centers Should: Conduct initial audits of its particular internal policies, standards, procedures and practices to determine whether they are (a) compliant with current applicable law, (b) accurate, and (c) implemented correctly. Utilize these audits to identify actual and potential high risk areas that may require improvement and additional oversight. Conduct periodic and ongoing monitoring and evaluation to determine whether their corporate compliance programs and internal standards remain up-to-date, appropriate, and effective (and to follow-up on identified problems). ISDNs Can: Facilitate the development of audit work plans that prioritize high risk areas and internal auditing techniques, both of which, in turn, can be used by each health center (with modifications for the health center s particular facts and circumstances) to guide its auditing and monitoring efforts of high risk areas and the compliance program itself. Develop model plans and auditing techniques that incorporate procedures to assess risk areas common to health centers (as well as to all organizations providing health care programs). Focus on risk areas addressed in the OIG guidance, such as coding/billing, claims submission, contracting, competitive practices, marketing, regulatory compliance (i.e., anti-kickback and self-referral laws), documentation, clinical practices, human resources, general financial policies. Additional guidance from Federal and State agencies, such as OIG advisory opinions and alerts and other agency transmittals, may suggest other risk areas and, as such, should be considered. Because the network, by virtue of its practice management activities, is likely to be familiar with its members specific strengths and weaknesses that might signal trouble, ISDNs are well-positioned to determine appropriate content of education and training programs for their owner/member centers (see below). National Association of Community Health Centers, Inc. 4 October 2003

5 Design Model Policies and Procedures Health Centers Should: Evaluate current law and update administrative and operational policies, standards and procedures, as well as policies and procedures related to the corporate compliance program itself. ISDNs CAN: Develop sample standards, policies, and procedures that all participating health centers can use. The ISDN is, in effect, creating models to reduce costs and ensure appropriate uniformity, which each individual member can tailor to suit its respective needs and circumstances (e.g., size and complexity of operations). In particular, the model policies and procedures should: A. Address the identified problem/risk areas (i.e., billing and coding procedures); B. Incorporate all Federal and State laws relevant to, and that govern the activities of, the health centers (i.e., Federal anti-kickback and physician self-referral rules); C. Take into account the health centers general mission, goals, values, expectations, and needs; and D. Facilitate the effective operation of the compliance program as a whole (i.e., communication and reporting guidelines). E. Include as an essential element in every model job description developed by the ISDN, that cooperation with the compliance program (including, but not limited to, reporting) is essential. F. Develop model standards and policies that are easily readable, with final policies being accessible to all health center personnel and Board members. Areas of focus for the written standards and procedures include: Operational policies and standards that include: Employment-related topics, such as human resources; Trouble spots or high risk areas, such as coding/billing, claims submission, contracting and Federal procurement standards, competitive practices, marketing, regulatory compliance (i.e., Federal anti-kickback and self-referral laws), and clinical practices; Administrative issues, including documentation and records retention; Legal/ethical issues, such as confidentiality issues and conflicts of interest; and Financial guidelines. Communication guidelines and procedures that include: Techniques for assuring effective and open lines of communication between the ISDN s compliance personnel and the health center compliance officer; and Techniques for assuring effective and open lines of communication between the health center compliance officer and health center personnel and Board 5 October 2003 National Association of Community Health Centers, Inc.

6 members who may wish to report instances of suspected noncompliance or may require clarification of applicable laws/rules, including: Confidentiality and anonymity policies applicable to reporting suspected problems (but should not include a guarantee of anonymity); A strong policy prohibiting retaliation against any individual for the good faith reporting of actual or potential non-compliant conduct; and Disciplinary guidelines and standards, such as: the degrees of disciplinary actions that may be imposed; the procedures for handling disciplinary problems; the promotion of consistency in all corrective actions; and assurances that all personnel understand the consequences of non-compliant behavior. As the ISDN develops model policies and procedures, it may want to review and incorporate compliance standards and procedures of other providers and/or model policies that are publicly available (i.e., on the internet), if appropriate to it owner/member health centers. Additionally, the ISDN can develop a written compliance manual using existing health center policies, procedures and practice standards, to be updated as laws change and supplemented with new information as it becomes available. Develop and Conduct Training and Education Programs Health Centers Should: Develop and conduct education and training programs for health center personnel and Board members to ensure that they understand how to comply with laws, regulations, rules and policies applicable to health center operations, with particular emphasis on the specific risk areas identified during the auditing and monitoring process. Train individuals on the details of the corporate compliance program itself. Conduct targeted training for health center personnel who work in high risk areas (i.e., coding, billing, and marketing). On-going training should cover updates of information provided during initial trainings as well as changes in laws/rules, and may be required when problems arise. All training should be conducted in a culturally and linguistically appropriate manner. ISDNs CAN: Assist their health center owners/members in developing their training and education programs, as well as protocols for the dissemination of information to health center personnel and Board members. In doing so, networks should consider a variety of training methods, including in-person training, newsletters, and self-study programs. Conduct trainings and/or coordinate health center training programs with those offered by outside seminars or parties. The training programs should be conducted at various stages of personnel development, including, but not limited to, initial training/orientation for new health center employees, independent contractors and Board members, and periodic training at regularly scheduled times to address continuing education needs. National Association of Community Health Centers, Inc. 6 October 2003

7 WHICH COMPLIANCE EFFORTS SHOULD ISDNS REFRAIN FROM CONDUCTING To avoid potential conflicts inherent in undertaking audits or investigations of high risks areas of a network s owners or members, and/or the inappropriate disclosure of a health center s confidential information. We recommend that ISDNs do not: Conduct auditing and investigation on behalf of their owners/ members. Function as a health center s compliance officer, because the center s compliance officer is responsible for assuring and documenting that all elements of the compliance program are developed and implemented (including auditing and investigations), and certain elements of the program may require the presence of the compliance officer full-time at the health center, e.g., to receive reports from employees and contracted personnel of suspected noncompliance and to conduct prompt follow-up, and network employees are not likely be able to offer ready access. Serve as the contact to whom health center employees report their concerns because such individual may not be sufficiently familiar to health center employees who seek a trusted confidant when reporting suspected noncompliance. Given the above, each health center should designate an individual to serve as the center s compliance officer. The compliance officer should be responsible for developing, implementing, overseeing, monitoring and, as necessary, modifying the compliance program. Further, the compliance officer should be responsible for coordinating the health center s compliance-related efforts with those of the ISDN. 7 October 2003 National Association of Community Health Centers, Inc.

8 EACH HEALTH CENTER SHOULD RETAIN RESPONSIBILITY FOR CUSTOMIZING ITS CORPORATE COMPLIANCE PROGRAM. Because each center s needs and exposures will differ from other members needs and exposures, each health center should assess its size, resources such as budget and staffing constraints, complexity of operations, and compliance history when customizing its specific compliance program. Each center should individually: Conduct internal auditing and monitoring of high risk areas and the compliance program itself, based on the tools and techniques designed by the ISDN; Customize the model written standards and policies developed by the ISDN to address the specific needs of the health center and implement the customized standards and policies; Tailor the compliance program training components to fit the health center s specific circumstances/personnel, and as appropriate, coordinating training efforts with the ISDN; Establish internal reporting and information dissemination guidelines and procedures and implement an effective reporting mechanism designed to encourage the health center s personnel to report instances of suspected noncompliance and to request prompt clarification of applicable laws/rules when questions arise; Investigate suspected problems and, if necessary, designing and implementing corrective action plans; and Enforce disciplinary guidelines and standards. Conduct Audits and Monitor As previously discussed, we recommend that each health center conduct its own internal auditing and monitoring, and as appropriate, each center should: Consider hiring someone with appropriate expertise in statutory and regulatory areas to conduct an initial audit of the health center s internal standards, procedures, and practices to determine whether they are current, accurate, and implemented correctly. The initial audit will serve as a baseline from which to prioritize future audits of high-risk areas. Conduct periodic and ongoing monitoring and evaluation to determine how well their corporate compliance program and internal standards are working. Note high-risk areas for the health center during the initial audit phase, so that the health center can recognize problem areas, conduct appropriate follow-up audits and other actions, and, as necessary, correct any deficiencies. Write an evaluation report after the initial audit and follow-on high-risk audits, a written evaluation report should be presented by the compliance officer to the Board of Directors, the health center s Chief Executive Officer ( CEO ) and if appropriate, other members of the management team. National Association of Community Health Centers, Inc. 8 October 2003

9 Customize the ISDN-Developed Model Policies, Procedures and Programs and Coordinate with the ISDN- Sponsored Program Each health center s compliance officer (supported by a compliance committee if the health center determines such a committee can effectively support the compliance officer s work) should be directly responsible for customizing the model policies, procedures and programs developed by the ISDN, implementing the health center s compliance program and, to the extent appropriate, coordinating compliance-related activities between the health center and the ISDN. The person chosen should have expertise in health care compliance issues and be familiar with OIG-published high-risk areas and the activities of other relevant government agencies, such as the Centers for Medicare and Medicaid Services ( CMS ), and the Health Resources and Services Administration ( HRSA, the agency within DHHS that administers the health center program). Additionally, the compliance officer should have the necessary authority to conduct investigations and communicate with the health center CEO, the Board, and if necessary, legal counsel. The compliance officer should communicate directly with the compliance contact appointed by the ISDN with respect to the work the ISDN is doing in support of the health center corporate compliance program. As appropriate, the compliance officer should: Ensure that any compliance program support efforts undertaken by the ISDN are integrated into his or her particular health center s daily operations. Because each center will have different needs. Tailor the model guidelines, policies, procedures, and training and education programs established by the ISDN, including the manner by which the health center will disseminate information to health center personnel and Board members, to the specific facts and circumstances of his or her particular health center. Once the compliance components are customized and implemented, the compliance officer should conduct follow-up activities necessary to ensure that these policies and procedures remain up-to-date and appropriate for the health center, as well as to ensure the success of each of the components and the compliance program, as a whole. If the health center determines that the ISDN should assist with training and education programs, coordinate such trainings with the ISDN compliance contact Establish Internal Reporting and Information Dissemination Guidelines and Procedures It is critically important to establish effective lines of communication to facilitate the identification of potential compliance problems. Each health center should: Tailor the model communication guidelines and procedures developed by the ISDN, including processes for clear, open lines of communication between the health center s compliance officer and its personnel and Board members. 9 October 2003 National Association of Community Health Centers, Inc.

10 Similar to other policies and procedures, when customizing the communication guidelines, the center should take into account its needs and circumstances and, in turn, implement the individualized processes. Establish and maintain an open door policy so that health center personnel and Board members can comfortably seek clarification about compliance and compliance-related policies and report compliance concerns. To ensure effective two-way communication, each health center member can use informal communication techniques to bolster compliance efforts, such as internal publications and newsletters, posters and notices placed in common areas and bulletin boards. Establish simple, easy methods that personnel and Board members can use to report concerns about possible erroneous or fraudulent activities, including a hotline or anonymous drop boxes. Once such activity is reported, the compliance officer must begin appropriate investigation. Investigate Suspected Problems and Design and Implement Corrective Action Plans If a problem is detected either through auditing and monitoring procedures or through internal reporting, the affected health center, through its compliance officer should: 1. Define the scope of investigation; and 2. Initiate prompt investigation through interviews, review of relevant documents and/or, as necessary, engage outside legal counsel, auditors, or health care experts. The health center should: Maintain complete records of the investigation. Upon completion, present reports identifying the problem areas and summarizing the investigation process and any applicable corrective action (and, if appropriate, a plan to report the findings to the proper authorities) to the Board of Directors, the CEO and other members of the management team. Conduct follow-up review of the circumstances that led to the investigation to determine if the problem and other similar problems have been corrected or still exist. Enforce Disciplinary Guidelines and Standards Each health center should: Tailor the model disciplinary guidelines and standards developed by the ISDN regarding the degrees of disciplinary actions that may be imposed and the procedures for handling disciplinary problems. Develop its own method to publicize and enforce the guidelines and standards to ensure that all personnel understand the consequences of non-compliant behavior. Identify the specific individuals responsible for taking disciplinary action. National Association of Community Health Centers, Inc. 10 October 2003

11 Sources for Further Information on Corporate Compliance Programs The DHHS OIG has several corporate compliance documents available on its website. These are available at: and provide general information about corporate compliance as well as specific guidance for different types of provider organizations. Documents include: OIG Compliance Program for Individual and Small Group Physician Practices, 65 Federal Register 59434, et. seq., Oct. 5, 2000, available at Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors, available at CONCLUSION There are a variety if ways in which ISDNs can assist their health center owners/members in developing and implementing successful and effective corporate compliance programs, including: Drafting audit and evaluation procedures, Recommending audit techniques, Developing model standards and guidelines (both for health center operations and the compliance program itself), Establish key training and educational programs regarding compliance processes and efforts, and Develop guidelines for the dissemination of information to health center personnel and Board members. In implementing their particular compliance programs, however, it is advisable that the health center owners/members tailor the ISDN s corporate compliance products to their specific facts and circumstances. As recipients of Federal grant funds, health centers are required to comply with numerous requirements related to the administration and management of Federal monies (i.e., procurement requirements and property standards contained in department-wide administrative regulations found in 45 C.F.R. Part 74), as well as Federal, State and local laws related to regulatory compliance (i.e. fraud versus abuse laws) and other grant-related requirements, policies and expectations. Further, as businesses, health centers must comply with requirements related to employment and human resources (i.e., Fair Labor Standards Act, Family and Medical Leave Act, and as applicable, the Occupational Safety and Health Act). Ultimately, joint corporate compliance programming efforts between the ISDN and its member centers should help to minimize the health center s exposures for noncompliance with this myriad of Federal, State, and local laws, regulations and policies, while improving the quality and performance of services and enhancing overall health center operations. 11 October 2003 National Association of Community Health Centers, Inc.

12 NACHC acknowledges the Bureau of Primary Health Care (BPHC) in the Health Resources Services Administration, DDHS, whose funding helped to make this document possible. Although this document was prepared with the financial assistance of BPHC, please note that such assistance does not indicate an endorsement from BPHC, or any other governmental agency. National Association of Community Health Centers, Inc Wisconsin Avenue, Suite 210 Bethesda, MD Telephone: Fax: 301/ Website: 12 National Association of Community Health Centers, Inc. October 2003