Approximately 10 years ago, the Office of Inspector General (OIG) issued its first guidance on compliance as it relates to federal mandates for physician practices. Although taking the necessary steps can be a daunting task in an era of complex rules and heightened regulations, there are key areas of government-mandated compliance requirements that practices should know about.
Section 6401 of the Patient Protection and Affordable Care Act (PPACA) mandates that all healthcare providers enrolled in the Medicare and Medicaid program establish a compliance program as a condition of enrollment. With this requirement, it is vital for providers to develop a new program or update/revise any existing compliance program as soon as possible. A compliance program is no longer optional for physician practices, and the need is even more urgent for Medicare Advantage organizations and Medicare Prescription Drug Plan sponsors, because compliance programs are already mandatory for these programs. The guidelines can be found at the Department of Health and Human Services Centers for Medicare & Medicaid Services, Pub. 100-16. Section 30, on the Overview of Mandatory Compliance Program, gives a foundation as to what is necessary in a compliance program and states: “The compliance program must, at a minimum, include the following core requirements:
- Written Policies, Procedures and Standards of Conduct;
- Compliance Officer, Compliance Committee and High Level Oversight;
- Effective Training and Education;
- Effective Lines of Communication;
- Well Publicized Disciplinary Standards;
- Effective System for Routine Monitoring and Identification of Compliance Risks; and
- Procedures and System for Prompt Response to Compliance Issues.”
Areas of Risk
Currently, the most common areas of compliance concern live in three key areas of risk:
- Privacy, security and meaningful use;
- Clinical coding; and
- Quality data reporting.
Privacy and security top the risk list (meaningful use will be addressed with quality data reporting). Although patient privacy and health information security are not at the top of everyone’s priority list, practices can no longer be complacent about HIPAA compliance. There should be thorough protocols on privacy and security in an effort to protect against any violations. Practices can expect closer scrutiny for HIPAA privacy and security compliance. Penalties have increased significantly under the new regulations. Practices can face fines of up to $50,000 per occurrence—quickly offsetting or negating the EHR incentives they received.[1]
It is no surprise the OIG puts clinical coding second on the list of compliance risks. Increasing regulation has exposed physicians to greater liability and intensified the pressure to address improper coding; the resulting denial of fees, fines and paybacks, and increased scrutiny from payers can become overwhelming. A proactive approach that validates all insurance information through proper capture of information will save time and money in the long run. Practices will need to work on making sure that every encounter is documented to stand entirely on its own. The documentation must support the decision to conduct any test or exam and validate the nature of a procedure or service.