A New Year’s Resolution: Update Your Compliance Program Based on New Government Guidance
For the year ending September 30, 2023, federal False Claims Act settlements and judgments exceeded $2.5 billion, much of which came from the health care industry. The largest, at over $487 million, stems from a finding by a federal jury in Minnesota that a provider of ophthalmic products violated the Anti-Kickback Statute, resulting in the submission of 64,575 false claims to Medicare. So, what is a health care organization to do in order to minimize compliance risk? One prudent step is to make sure your compliance program (you have one, right?) is updated and effective. To help, on November 6, 2023, the Office of Inspector General (“OIG”) issued a 91-page compliance reference guide for health care organizations, which contains compliance advice, recommendations and guidance.
The OIG’s General Compliance Program Guidance (“GCPG”) is a user-friendly resource manual which applies to all individuals and entities involved in the health care industry. It not only addresses the seven elements of an effective compliance program, but also provides a summary of the various fraud and abuse laws that impact health care organizations, specifically the Anti-Kickback Statute, the Stark Law, the False Claims Act, the Civil Monetary Penalty Laws, the exclusion authority statutes and HIPAA. While health care organizations are not required to maintain a compliance program, if an organization is subject to a fraud investigation or prosecution, having an “effective” compliance program that is tailored to the organization and used as a “self-monitoring” tool may help reduce any penalties.
Beginning in 2024, the OIG will publish industry-specific compliance guidance for different types of health care providers and suppliers. Of note, the GCPG recognizes the growing prominence of private equity in the health care industry and cautions that private equity firms should “carefully scrutinize their operations and incentive structures to ensure compliance with the Federal fraud and abuse laws and that they are delivering high quality, safe care for patients.” The GCPG can be found here.
The GCPG reiterates the OIG’s view that an “effective” compliance program contains seven elements:
Element 1 Written Policies and Procedures:
This element includes a code of conduct and relevant compliance policies and procedures to address common risk areas, including billing, coding, sales, marketing, quality of care, patient incentives and arrangements with other health care organizations.
Element 2 Compliance Leadership and Oversight:
This element includes appointing a Compliance Officer with defined responsibilities, a Compliance Committee (depending on the size of the organization) and establishing governing body oversight.
Element 3 Training and Education:
This element includes annual compliance training for all owners, employees and certain contractors. Training should address the specific needs and risks presented by the health care organization.
Element 4 Effective Lines of Communication:
This element includes developing and publicizing methods by which individuals in the organization may bring compliance questions or concerns to the Compliance Officer or other individuals in leadership.
Element 5 Enforcing Standards (Consequences and Incentives):
For a compliance program to be effective, a health care organization should establish appropriate consequences for instances of noncompliance, as well as incentives for compliance. Consequences may involve remediation, sanctions, or both, depending on the facts. Incentives may be used to encourage compliance performance and innovation.
Element 6 Risk Assessment, Auditing and Monitoring:
Risk assessment is an annual process for identifying, analyzing and responding to risk. The compliance program should include a schedule of audits to be conducted based on risks identified by the annual risk assessment. Examples of routine monitoring of known risks include: monthly screening of the Federal and State Medicaid exclusion lists; regular screening of State licensure and certification databases; and annual review of the organization’s policies and procedures.
Element 7 Responding to Detected Offenses and Developing Corrective Action Initiatives:
An effective compliance program should include processes and resources to thoroughly investigate compliance concerns, take the steps necessary to remediate any legal or policy violations that are found, including reporting to any Government program agencies or law enforcement where appropriate, and analyze the root cause(s) of any identified impropriety to prevent a recurrence.
The GCPG recognizes that compliance programs will likely be structured differently depending on the health care organization’s size and financial resources. The GCPG notes that “[s]mall entities, such as individual and small-group physician practices, or other entities with a small number of employees, may face financial and staffing constraints that other entities do not.” Among the recommendations for small entities, the GCPG suggests that:
Small organizations that cannot support a compliance officer on either a full-time or part-time basis should consider designating one person as the organization’s compliance contact and have them be responsible for ensuring that the organization’s compliance activities are completed. This person should not have any responsibility for the performance or supervision of legal services to the organization and, whenever possible, should not be involved in the billing, coding, or submission of claims.
Small organizations may provide compliance education through a variety of means, including during meetings, through email, on a website or through postings in physical or virtual common areas.
Small organizations should use user-friendly methods appropriate to their size and setting to facilitate communication about compliance concerns and potential issues. This may include: an explicit “open door” policy for personnel to raise concerns with the compliance contact, the owner, or the CEO; the creation of a user-friendly process (such as an anonymous drop box) for effectively reporting erroneous, improper or fraudulent conduct; a policy indicating that there will be no retribution for reporting conduct that a reasonable person acting in good faith would have believed to be erroneous, improper or fraudulent.
Small organizations should assess their compliance risks at least once a year. This includes an annual audit to identify potential risks, such as claims denials, recoupment of overpayments, challenges to medical necessity and patient safety data (e.g., fall rates, product return rates, complaints).
Small organizations should ensure that they have enforcement and disciplinary mechanisms in place before violations of compliance policies, government health care requirements or other applicable laws occur. When implementing a compliance program, small organizations should anticipate that the program may uncover potential legal violations or other noncompliance. Small organizations should be prepared to designate someone, whether it is the compliance contact, an organization leader, or another designated employee, to determine whether a violation exists and the steps necessary to correct any problems.
An effective compliance program will assist health care organizations in decreasing errors, improving the quality of patient care and patient safety and preventing, detecting and addressing fraud, waste and abuse. The GCPG is required reading for all health care organizations seeking to address these compliance risks and provides easy-to-understand examples and helpful “tips” that highlight critical areas identified by the OIG.