The importance of compliance planning

Acompliance plan is a set of documents that helps guide businesses/agencies in their efforts to operate in accordance with various governmental legal requirements. For the past several years, the concept of compliance planning has taken hold across the American economy. In many industries it has become mandatory. Elsewhere it has evolved from a sound management approach to a best practice.

Healthcare providers of all types are certainly no exception to this important trend. And this most definitely includes behavioral health providers. Whether a provider is large or small, for-profit or not-for-profit, having a compliance plan is now integral to its operations.

Many behavioral health providers still do not have compliance plans. Until recently regulatory and enforcement agencies have not made behavioral health providers a focus of their surveillance activities. Because of this, these providers often are not aware of the need for a compliance plan. Moreover, in this historical context, behavioral health providers have viewed the expenditure of funds to establish a plan as an unnecessary burden on their scarce financial resources. “I've never been investigated before” and “I'll wait until the investigation begins” are not unusual responses to suggestions that compliance planning should be undertaken.

Regulatory/Legal Environment

Before considering the elements and implementation of a sound compliance plan, it is important to understand the regulatory and enforcement context in which these plans function.

For many years, Medicare and Medicaid budgets at the federal and state levels have burgeoned. Along with that growth has been a stubborn element of waste, fraud, and abuse. Nationwide, this accounts for billions of dollars in public funding diverted from healthcare programs to inappropriate coffers.

At the same time, the federal and state governments have adopted a panoply of laws and regulations, accompanied by a range of enforcement programs, designed to detect, deter, and sanction waste, fraud, and abuse activities. Impressive strides have been made to curb illegal activities, but the problem is far from being solved. In fact, many argue that waste, fraud, and abuse are on the rise.

An important statutory approach to fraud and abuse at both the federal level and in many states has been the enactment of “antikickback” laws. These laws proscribe any payment, direct or indirect, for any patient referral, direct or indirect. The penalties for payer and payee are severe, ranging from civil recoveries to exclusion from Medicare and Medicaid and/or criminal prosecution. The antikickback statutory/regulatory network is extremely complex and in many ways counterintuitive. Therefore, an important element of a sound compliance plan is a mechanism to help guide the provider in what it may and may not do regarding referrals.

A second category of statutory/regulatory approaches to limit Medicaid and Medicare waste, fraud, and abuse involves the limitation of provider services to those that are “medically necessary.” These laws target activities such as “ping-ponging” a patient to multiple specialists, unnecessary multiple visits, unbundling of services from an all-inclusive visit, unneeded diagnostic testing, and unnecessary ordering of ancillary goods or services such as prescriptions or durable medical equipment. Governmental and private third-party payers want providers to render only those services a patient absolutely needs. And they strictly limit the range of services providers offer. When providers move beyond the circle of medically necessary services for a particular patient, they risk inciting the ire of regulators and enforcement agencies.

A third category involves whistleblower laws. The federal False Claims Act empowers individuals to bring actions against providers for violations of relevant laws. The individual is entitled to a significant percentage of the litigation recovery. States recently have begun adopting their own versions of the False Claims Act. Disgruntled or former employees, unhappy patients, or persons seeing the opportunity for personal aggrandizement are enabled to act.

In addition, “catch-all” categories of federal and state general legal provisions are applied to healthcare provider activity, such as laws dealing with larceny, fraud, false statements, false instruments for filing, and obstruction of justice. Federal prosecutors, aided by agents in the FBI and Office of Inspector General (OIG) in the federal Department of Health and Human Services (HHS), can apply these catch-all laws to provider conduct.

A wide scope of federal and state agencies enforce antikickback, medical necessity, whistleblower, and catch-all laws. They include HHS's OIG, the FBI, the federal Department of Justice, and each state's Medicaid Fraud Control Unit (which have civil and criminal authority). All of these agencies are well-financed and highly sophisticated. The various state licensure and regulatory agencies also play important waste, fraud, and abuse detection roles, including state agencies that license and regulate professionals such as physicians, nurses, and social workers, as well as agencies that license and regulate mental health and alcoholism/substance abuse treatment providers.

Why Compliance Plans Are Needed

A compliance plan provides a road map that providers can use to secure compliance with these laws and to promote early detection and reporting of problems before they blossom into enforcement issues. To be successful, a compliance plan must function as a living organism, rather than just be another book on the provider's shelf. In other words, the provider actually needs a compliance program.

Years ago HHS's OIG determined that proper provider functioning cannot be achieved by enforcement alone. Even with the vast federal and state enforcement resources available, the agencies cannot review and investigate all providers. As a result, the OIG determined that providers should be encouraged to adopt and internalize systems that maximize compliance. The goal is to avoid waste, fraud, and abuse before they occur. States, and more recently private third-party payers, have adopted a similar philosophy.

Thus having a sound compliance plan has become a recognized best practice for healthcare providers. The trend recently shifted from encouraging compliance plans to mandating them. The federal Deficit Reduction Act of 2005 mandates compliance plans for providers who receive annual Medicaid payments of $5 million or more. States such as New York are following that lead by enacting statutes with similar mandates but with lower payment thresholds. Consequently, there is no longer any room for debating whether a provider should have a compliance plan—it's now a necessity.

Elements of a Compliance Plan

The general format for a compliance plan has evolved over the years. It should have seven basic elements:

1. Written standards of conduct that produce a clear commitment to compliance

2. Appointment of high-level individuals to oversee compliance

3. Effective staff training programs

4. Monitoring systems to uncover potential problems and encourage reporting without fear of retaliation

5. Accessible staff/management lines of communication

6. Consistently enforced disciplinary systems for noncompliance

7. Reasonable steps to respond to detected offenses and to prevent reoccurrence

The standards of conduct should be clearly communicated, so that staff at all levels can grasp and internalize the principles. These standards should reflect a strong commitment to legal compliance and fair dealings, as well as a dedication to avoid conflicts of interest. There also should be a strong emphasis on the maintenance of complete and accurate record keeping. The fundamental point of reference for audits and investigations of providers is the records used to document claims for payment.

Every plan should have a compliance officer, who functions as the hub of the compliance wheel. Depending on the provider's size and complexity, the compliance officer can be full time or have other duties such as quality assurance. The provider also should establish a compliance committee to which the compliance officer reports. There also should be regular reporting to the board of directors.

There must be an ongoing employee training program, so that employees can learn and internalize the compliance plan. All employees should receive training upon the plan's adoption, and training should be incorporated into the employee hiring process. Regular periodic training should be established so that staff can remain current with the constantly evolving healthcare regulations. The board of directors also should receive training, as they are expected to be fully conversant with the plan.

As part of the plan, providers must inquire into the background of applicants for employment. There are several Web sites providers can use to determine if an applicant has been excluded from Medicare or Medicaid or if his/her professional license has been suspended or revoked. In addition, employment applications should require the applicant to answer questions regarding past involvement in audits or investigations and whether he/she has been convicted of any healthcare-related or other crimes. Some providers are required to conduct formal background checks including applicant fingerprinting.

Providers also must investigate the backgrounds of persons and entities with which they wish to do business. There are Web sites that can be searched for information about potential contractors. And contractor agreements should reflect representations and warranties regarding the contractor's past conduct.

The plan should make clear that employees are required to report suspected misconduct. It should be clear that there will be no retaliation for reporting misconduct and that it can be done anonymously. Using drop boxes is a common approach to encouraging anonymous reporting.

Finally, the importance of first-rate record keeping cannot be overstated. Accurate, complete, and timely record keeping is essential. When the enforcement agency arrives at the provider's door, the provider's documents will be the point of reference. The provider has the burden of establishing its right to claims made for payments. Missing, sloppy, incomplete, or altered documents result in disallowances, program exclusions, and prosecutions.

Conclusion

Providers should view the compliance plan process as not just an imposition by enforcement agencies. Instead, providers should consider the development of a sound compliance plan, tailored for its specific needs, as an opportunity to implement a new management tool that will improve efficiency, cost-effectiveness and, most importantly, patient care.

David P. Glasel chairs the Health Care & Human Services Practice Area at the law firm of Hiscock & Barclay, LLP. Photography: Denis J. Nally