New York Issues Compliance Guidance for Hospitals A Look at How the Guidance Stacks Up to OIG Recommendations Jack Wenik / Matthew McKennan Jack Wenik is a member er of the firm Sills, Cummis mis & Gross PC. He is co-chair of the firm s Healthcare Investigations Practice Group. A former Assistant U.S. Attorney of both the Eastern Districts s of New York and Pennsylvania, Mr. Wenik represents health care systems, hospitals, long-term care facilities, pharmacies, doctors, and other health care providers in a wide array of investigations, regulatory matters, and litigation. He can be reached at jwenik@sillscummis.com. Matthew McKennan is an associate in the Sills, Cummis & Gross Health Care Practice Group. The authors would like to thank John Barry, a law clerk with the firm, for his assistance in preparing this article. As promised in the 2006 statute1 and accompanying regulations, 2 which require most Medicaid providers to maintain effective compliance programs, 3 the New York State Office of Medicaid Inspector General (OMIG) issued Compliance Program Guidance for General Hospitals (OMIG Hospital Guidance) on May 11, 1, 2012. 4 OMIG has previously provided less formal guidance for health care providers. 5 Its new guidance is timely given the Supreme Court ruling upholding most of the federal Affordable Care Act. 6 Among the provisions upheld was Section 6401 of the Act, which requires the Department of Health and Human Services to establish core elements of mandatory compliance programs. This article will highlight the most prominent aspects of the OMIG Hospital Guidance, using as a comparison the federal Health and Human Services (HHS) Office of Inspector General (OIG) Compliance Program Guidance for Hospitals. In developing the OMIG Hospital Guidance, OMIG relied heavily on existing guidance issued by the OIG 7 and documents on hospital governance developed jointly by the OIG and the American Health Lawyers Association. 8 With this new guidance, OMIG sought to expand on the OIG s existing framework while also tailoring it to Medicaid providers. This article will examine OMIG s recommendations and the extent to which its guidance adds to or departs from the OIG s recommendations. ELEMENTS OF EFFECTIVE COMPLIANCE The OMIG Hospital Guidance notes that OMIG will assess the effectiveness of a hospital s compliance program. Federal guidance lists seven elements which, Journal of Health Care Compliance September October 2012 21
at a minimum, should be included in a comprehensive compliance program. OMIG mirrors those seven elements and adds an eighth. The following describes what OMIG considers to be critical aspects of effective compliance. Written Compliance Standards and a Code of Conduct The first element in both the federal and New York recommendations is the development and distribution of written standards of conduct and written policies and procedures that promote a commitment to compliance. The OMIG Hospital Guidance goes into finer detail with respect to what a code of conduct and compliance policies and procedures should include, such as the following: the code of conduct should be approved by the governing body of the hospital and include compliance expectations with regard to ethical business conduct, conflicts ct of interest, and billing and coding accuracy; cu cy the code of conduct must be reviewed annually and posted on the hospital s internal employee e Web site, with a summary posted on the hospital s public Web site; when developing written policies and procedures, hospitals should look to not only laws and regulations but also guidance such as official published guidance from the New York Department of Health (DOH), DOH opinion letters and Dear Chief Executive Officer and Dear Administrator letters, and the emedny Provider Manual; hospitals are also encouraged to look for guidance in professional journals, professional associations, accrediting bodies, and IPRO reports; 9 the compliance policies should require that contracts with subcontractors and affiliates include termination provisions for failure to adhere to compliance requirements; and the compliance policies should outline how compliance issues will be investigated, including who will be responsible for conducting the investigation and how the hospital will obtain investigation-specific resources, document investigative efforts, issue reports, and finalize and close investigations. New York has naturally chosen to focus on guidance from its own state agencies and also has provided more detail than the federal guidance as to where hospitals should turn for additional information on best practices. Notably, the OMIG Hospital Guidance strongly encourages transparency by requiring disclosure of the code of conduct on the hospital s internal and public Web sites. Compliance Officer and Compliance Committee The second element of OIG s compliance guidance is the designation of a chief compliance officer and hospital compliance committee. OMIG mirrors and expands on this requirement, adding more concrete suggestions about who the compliance offi- cer should be and what actions the compliance officer and the compliance committee should undertake to ensure effective compliance. The OMIG Hospital Guidance suggests: the compliance officer should be a fulltime employee of the hospital; the compliance officer should have the necessary experience, training, and integrity to perform his or her duties, including relevant experience in compliance, operations, patient care, law, risk management, coding, billing, or auditing and also should periodically attend educational conferences and seminars designed to help him or her better understand the risks related to the hospital s activities; the compliance officer should advise on all contracts which have compliance-related provisions and should have discretionary access to independent counsel or other expertise, as necessary; the compliance officer should consider resignation in certain circumstances, such as unresolved compliance issues; 22 Journal of Health Care Compliance September October 2012
the compliance committee should include executives and managers with compliance-related duties, such as the chief executive officer, chief operating officer, chief financial officer, chief medical officer, a billing and payment representative, a case manager, a risk manager, and a human resources manager; the compliance committee should meet at least quarterly with the compliance officer, and the compliance officer should meet at least quarterly with the governing body committee responsible for oversight of hospital compliance; the compliance officer should report at least annually to the governing body and also meet annually with the governing body in the absence of the chief executive officer and others who report to the chief executive; the governing body should review and approve any annual compliance work plan; and the compliance officer should work closely with the legal l department ent but should not report to the general counsel or to the chief financial al officer or nance department. fi- New York has put greater importance on the qualifications of the individuals selected to serve as the compliance officer and also seeks to ensure that the compliance officer has open communication lines to the executive board while still having sufficient independence from the general counsel and financial officer to operate effectively. Interestingly, OMIG goes beyond OIG recommendations by recommending that the compliance officer consider resignation if compliance issues are not resolved and to have discretionary access to independent outside counsel. Training and Education Next, OIG and OMIG focus on the requirement that hospitals conduct effective training and education. Once again, OMIG mirrors the federal guidelines in that they also require training and education for all affected employees and persons associated with the hospital. Building on the OIG guidelines, New York recommends the following: contracts with subcontractors and affiliates should include provisions regarding training on compliance issues, expectations, and the operation of the compliance program; training should be periodically assessed for effectiveness, through the use of such measures as post-testing and observing the competency of individuals in areas where training was provided; governing body members, employees, and persons associated with the hospital who receive training should be informed of how to obtain additional assistance; training materials should be evaluated on an annual basis, and training should be conducted through a variety of teaching methods and developed at appropriate reading levels; information about training should be disseminated through newsletters, notices of legal and regulatory developments, the employee Intranet Web site, and frequently asked questions (FAQs); employees should have an avenue to comment on training; training should occur periodically for all employees, with general training occurring annually and specific training in more specialized areas of work occurring at more frequent intervals; training should reference relevant laws, including the Affordable Care Act, with a particular focus on obligations to disclose overpayments; 10 and training should occur at appropriate and convenient times and locations, including regular staff meetings, and should be provided by qualified individuals and entities. OMIG has thus chosen to show greater attention to exactly how training is undertaken, who provides it, when and where it is provided, and what it should entail. The OMIG Hospital Guidance increases the frequency of training (as compared to the Journal of Health Care Compliance September October 2012 23
annual recommendation of OIG), and encourages ongoing assessments of employee competency. Effective Lines of Communication For the fourth element, the federal government focuses on the development of effective lines of communication, as does OMIG. The OMIG Hospital Guidance adds suggestions, including: the compliance officer s contact information should be conspicuously posted, including in places such as high traffic areas, nurses stations and admitting areas, hospital Intranet and Internet sites, and included in hospital newsletters and within the patient bill of rights; the compliance officer s contact information should be included in staff orientation documents, compliance-related training, and contractor and affiliate training; compliance staff should be available to answer compliance-related elate questions; and the compliance officer should publicize alternative methods of reporting, including locked drop boxes. OMIG puts greater importance on documentation of compliance issues, suggesting that all hotline calls be logged and tracked while the OIG says that only complaints alleging substantial violations be logged. In addition, while the OIG recommends treating as confidential all issues reported to the compliance team, OMIG takes the alternate stance, assuming that all reports are not confidential unless specifically requested by the person reporting. Publication of Disciplinary Guidelines For the fifth element, the OIG and OMIG alike recommend that there be well-publicized disciplinary guidelines and policies. The OMIG adds more details, suggesting that: collective bargaining agreements should attempt to avoid provisions that are inconsistent with the obligation to encourage good faith participation in the compliance program; agreements with contractors and affiliates cannot include provisions that are inconsistent with the obligation to encourage good faith participation in the compliance program; disciplinary actions should be centralized to ensure consistency; employees should receive training on sanctions that are imposed for encouraging, directing, facilitating, or permitting noncompliant behavior; before initiating disciplinary action, a hospital should consider the cause of the alleged violation and conduct a root cause analysis; and corrective action initiatives should be considered concurrently with disciplinary actions. More so than the OIG, OMIG seeks to clearly delineate: what is included within disciplinary policies and agreements with subcontractors and vendors, how these policies should be enforced, and who should be subject to them. In addition, the centralization ion of disciplinary ip action to ensure consistency is another notable feature of the OMIG guidance. Auditing and Monitoring While the OIG focuses on auditing and monitoring, OMIG focuses on a similar element defined as Identification of Compliance Risk Areas and Non-Compliance. The OMIG Hospital Guidance recommends that the system for identification of compliance risk areas include: Periodic assessments to identify the hospital s risk areas, taking into consideration OMIG work plans and publications, OIG work plans, OMIG audits, DOH surveys, surveys from accrediting bodies, and changes to applicable law and regulations; audits should be conducted with sufficient frequency and thoroughness to effectively identify noncompliance; the results of current audits should be compared with publicly available statistics and prior audits; 24 Journal of Health Care Compliance September October 2012
affected departments should be involved in creating and implementing corrective action plans with the compliance officer; a process should exist for assessing any plan of correction that has been implemented; and the hospital should establish a system of prepayment and post-payment review for claims submission with the goal of identifying inaccurate claims. The OMIG Hospital Guidance encourages hospitals to pay greater attention to government guidance documents and public statistics than the OIG guidance when auditing and monitoring compliance issues. However, the OIG provides somewhat more concrete guidance as to the exact techniques compliance officers should undertake when performing audits, suggesting use of onsite reviews, interviews with personnel, and the development of compliance-related questionnaires. Corrective rec Actions (Investigations) s) The final required element en which h the OIG and OMIG recommendations share is the required response e to compliance issues and of- fenses. The OMIG Hospital Guidance builds on the federal recommendations by adding: policies should be in place to ensure immediate action; potential issues should be timely, fairly, and thoroughly investigated; the compliance officer or his or her designee should be specifically trained in conducting investigations and be assisted by noncompliance department staff, as needed; the compliance officer should have unfettered access to relevant information necessary to conduct the investigation; every effort should be made to ensure transparency in the investigation while still taking into account confidentiality concerns; the hospital should have written policies addressing recusal of employees and persons who have a conflict of interest and are associated with the hospital from previous investigations; employees interviewed during an investigation should be instructed to refrain from discussing the interview with anyone; the legal rights of those related to the investigation should be assured during any interview; at a minimum, the investigative report should include a description of the alleged issue, the identities of those interviewed, a description of the evidence, any findings of fact, and any recommendations for corrective action; management should help ensure that the hospital implements corrective action plans by assigning individual responsibility for each aspect of the corrective action plan and additionally accounting for individual performance for the task assigned in the personnel performance review plan; in the system used to report compliance issues to OMIG, hospitals should comply with Section 6402 of the Affordable Care Act and also use OMIG s self-disclosure protocol 11 when returning overpayments to the New York State Medicaid Program; and a process should be in place to ensure that overpayments are identified, promptly repaid, and not rebilled. The OIG also speaks to the reporting of compliance issues to the government. While OMIG focuses on compliance issues, the OIG focuses on the reporting to the government of potential violations of any civil, criminal, or administrative law. The OIG further recommends that the reporting be done within 60 days of knowledge of the potential illegality. Policy of Non-Intimidation and Non-Retaliation Finally, where the OMIG guidance most differentiates itself from that of the OIG s is the inclusion of an eighth element, which requires the creation of a policy of non-intimidation and non-retaliation. While the OIG speaks to this indirectly in its other seven elements as a necessary part of creating a culture of compliance, OMIG felt it was a significant issue such that the addition of a Journal of Health Care Compliance September October 2012 25
separate element was warranted. The OMIG Hospital Guidance recommends: the policy should address good faith participation in the compliance program with respect to reporting of potential issues; the policy should contain procedures for reporting intimidation or retaliation; to ensure that terminations are not motivated by retaliation, senior managers or human resource managers should review all terminations of those that participate in good faith in the compliance program, and exit interviews of all employees should include questions related to whether they had been the subject of or witnessed any intimidation or retaliation resulting from participation in the compliance program; allegations and suspicions of intimidation or retaliation should be promptly, thoroughly, and objectively investigated; and compliance officers should report to the governing body the frequency and types of alleged and suspected intimidation and retaliation. ti CONCLUSION It is worthy to note that, as of the writing of this article, New York is the first and only state to provide detailed guidance to ensure that Medicaid providers maintain effective compliance programs. Further, both the New York and federal guidelines acknowledge that compliance programs are not one-size-fits-all and specifically allow for variation from the core recommendations. The OMIG Hospital Guidance also explicitly states that any organization with an effective compliance program implemented prior to the issuing of the guidance need not completely overhaul the program and policies. Rather, to the extent that hospitals determine their existing programs can be enhanced, OMIG encourages hospitals to use the guidance to better their compliance programs. According to the OMIG Hospital Guidance, more compliance program guidance that is tailored to other types of providers will be developed soon and made public. Providers in New York should stay abreast of further updates, and providers in other states must keep a close eye on further developments with respect to the potential trend of state mandatory compliance programs for Medicaid providers. Endnotes: 1. N.Y. Soc. Serv. Law 363-d. 2. 18 NYCRR 521.3. 3. The relevant statute and regulations (N.Y. Soc. Serv. Law 363-d and 18 NYCRR 521.3) require certain Medicaid providers, including hospitals, clinics, diagnostic and treatment centers, nursing homes, home health care providers, and providers of services for those with developmental and mental disabilities, to adopt and implement an effective compliance program. 4. Available at www.omig.ny.gov/data/images/stories/ compliance/compliance_program_guidancegeneral_hospitals.pdf. 5. See Wenik, New York Weighs in on the Drafting of Health Care Compliance Programs, Journal of Health Care Compliance, November-December 2011, at 15-20. 6. National al Federation of Independent Business v. Sebelius, 567 U.S. (2012). 7. See e 63Fed. dreg. 8987 (OIG Compliance Program Guidance for Hospitals, dated February 23, 1998); 70 Fed. Reg. 4858 (OIG Supplemental Compliance Program Guidance for Hospitals, dated January 31, 2005). 8. See Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors, available at oig.hhs.gov/fraud/docs/complianceguidance/ CorporateResponsibilityFinal%209-4-07.pdf; Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors, available at oig.hhs. gov/fraud/docs/complianceguidance/040203corpres prsceguide.pdf; An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors, available at oig.hhs.gov/fraud/docs/ complianceguidance/tab%204e%20appendx-final.pdf. 9. IPRO, www.ipro.org. 10. 42 U.S.C. 1320a-7k(d) (2010). 11. OMIG s Self Disclosure Guidance, dated March 12, 2009, available at www.omig.state.ny.us/data/ images/stories/self_disclosure/omig_provider_self_ disclosure_guidance.pdf. The OIG s self-disclosure protocol can be found at oig.hhs.gov/authorities/ doc/selfdisclosure.pdf. Reprinted from Journal of Health Care Compliance, Volume 14, Number 5, September-October 2012, pages 21-26, with permission from CCH and Aspen Publishers, Wolters Kluwer businesses. For permission to reprint, e-mail permissions@cch.com. 26 Journal of Health Care Compliance September October 2012