By Debbie Forde, Beth Lane and Heidi Kocher
Although patient confidentiality is an important piece of compliance practice standards, a compliance plan addresses much more. Many insurance contracts, including Medicare and Medicaid, require a physician office to have a compliance plan, and components of a compliance plan are required in obtaining hospital privileges. An effective compliance plan helps an office run more smoothly from check-in to check-out and for patient care.
Implement compliance practice and standards.
Each practice must have standards and policies in writing. These include HIPAA privacy policies, and policies on topics as varied as submitting claims to payers, training staff, checking sanctions lists, and entering into contracts with vendors. Patient privacy policies that may unknowingly be overlooked include verifying who can access patient information, allowable employee posting to social media, and use of texting to communicate with patients.
Designate a compliance officer or contact.
It is critical for a practice to designate a compliance officer, either a senior staff member or an outside expert who is contracted to provide these services. The compliance officer must be aware of current laws, as the practice can be held responsible for compliance failures. To underscore the importance of compliance requirements, practices should establish an employee compliance committee that meets periodically. This helps the compliance officer become aware of developing issues and helps drive compliance awareness throughout the practice. When employees can see that their peers are participating in compliance and serving as a conduit for raising concerns and resolving issues, they are more likely to comply.
Conduct training and education.
Practices cannot hold their employees responsible for policies that are unwritten and unavailable for review, or for training they have not undergone. Training must include general compliance topics such as fraud and abuse laws, HIPAA, and training on topics specific to the practice and specialty. Employees must have an initial training within 60 days of hire and annually thereafter. Conducting compliance training in your office usually results in better patient care because employees and physicians become aware of areas of risk that they may not have considered.
Conduct internal monitoring and auditing.
Monitoring consists of the routine, ongoing checks a practice implements to make sure it is functioning smoothly, such as keeping track of how many days it takes to obtain payment/reimbursement and the amounts of the practice’s write-offs. Increases in either may warrant an investigation. Audits typically are performed best by an outside consultant who specializes in compliance and coding. These consultants can help identify issues that practice personnel may not recognize.
The audit should include:
- a walk through the office to identify possible HIPAA violations
- a billing/coding audit by a certified coder
- a review of staff training and training materials
- a review of the practice’s policies and procedures.
Audit results should be used in correcting identified issues and in conducting staff training.
Develop open lines of communication.
Employees must be able to report compliance concerns anonymously. Although employees often have a physician’s best interest in mind when making a report, they may be concerned that by doing so, they could be perceived as not being team players or as a target for retribution from practice managers. Employees should be able to leave an anonymous report, complaint or suggestion, whether through an outsourced third-party telephone hotline or a physical suggestion box. Be sure to deal with these concerns; a concern that is ignored or dismissed as simply an employee complaint can turn into a whistle-blower lawsuit.
Respond appropriately to offenses and develop corrective action.
If the practice finds a problem or issue, whether the result of an audit, patient complaint or employee report, the practice must quickly investigate the issue, take actions to “stop the bleeding,” and determine corrective actions. These can include revising policies, conducting additional training for staff, or issuing a refund to a payer or a patient. Document corrective actions in writing.
Enforce disciplinary standards through well-publicized guidelines.
Employees must know the consequences for any violations, and these standards must be in writing. This is a compliance issue and an HR issue.
The practice must verify that an employee’s licensure is current and accurate, and that the employee is not excluded from Medicare or other federal or state programs. If an employee is excluded, the practice must repay any reimbursement that can be linked to an excluded employee. Furthermore, the practice itself could be excluded. Sanctions screening can be time consuming, and validating potential matches can be tricky. This is another area in which outsourcing may make sense.
Purchase compliance insurance.
Cases of HIPAA violations and related data privacy and security breaches have increased dramatically, mostly through break-ins and lost or stolen electronic devices. Costs of dealing with a breach can easily top $25,000, and defending against an audit from Medicare or investigation by another agency can quickly become expensive. Compliance insurance will help a practice pay for some of these costs. In addition, physicians should know an experienced healthcare and compliance attorney before they need one; situations can quickly turn into matters where legal representation should be retained. Your insurance broker and your attorney should be considered part of your team.
Implementing an effective compliance program is no guarantee your office will not face a compliance incident, but having a program shows a good-faith effort on the part of the practice. This can reduce any fines and help prevent an issue from turning from a civil matter (where only fines are levied) into a criminal matter (where jail time is possible). Few other initiatives in your practice can demonstrate such a return on investment.
Debbie Forde is president and owner of YourMedSource, and a nationwide compliance speaker. Beth Lane is vice president of CnStaffing, Inc., the DCMS-endorsed staffing firm. Heidi Kocher, a healthcare attorney with Liles Parker, PLLC, has more than 20 years’ experience representing physicians and other providers.