A Recovery Audit Contractor (RAC) is asking your organization for medical records to review and determine whether improper Medicare payments have been made. An inspector from the Department of Health and Human Services (HHS) has come to verify that your organization is preserving the privacy of your patients. The IRS just called and is taking a closer look at your recently completed Form 990. Are you prepared?
All of these activities - ensuring proper billing and payment, preserving patient privacy, and completing appropriate and applicable tax forms that show how your organization earns and spends its money, as well as many other activities, can fall within your organization's compliance program.
What is a Compliance Program?
Fundamentally, a compliance program in a health care organization establishes a culture that promotes prevention, detection, and resolution of instances in which organization conduct does not conform with laws and regulations and the organization's ethical and business policies. In practice, a compliance program should effectively articulate and demonstrate the organization’s commitment to the compliance process.1"Compliance programs have been in existence in health care for about 12-15 years," says Lawrence Vernaglia, partner - healthcare industry team - for Foley and Lardner, LLP. "They originally started - and many still remain - focused on billing and payment issues and ensuring compliance with the Centers for Medicare and Medicaid Services (CMS) requirements. However, compliance programs in their most general sense provide a way for organizations to ferret out problems. These problems could relate to a variety of rules and regulations not just those that relate to billing, such as employment laws or tax laws. Compliance programs can even provide organizations a way to identify compliance issues with standards that address patient safety and quality, such as the Joint Commission standards."
There are several benefits to a compliance program. Such a program can1
- concretely demonstrate a strong commitment to honest and responsible provider and corporate conduct;
- provide an accurate view of employee and contractor behavior relating to fraud and abuse;
- identify and prevent criminal and unethical conduct;
- foster an environment in which employees report potential problems
- create a centralized source for distributing information on health care statutes, regulations, and other program directives; and
- improve the quality of patient care provided by an organization.
Who is Responsible for the Compliance Program?
Managing an organization's compliance efforts does not just fall to one person. The board of directors, senior leadership, department managers, and front line staff must all be involved in and committed to the program. "A compliance program must be visible," says Joseph M .Watt, partner for BKD,LLP. "Managers and employees must be familiar with the program, know how to report compliance issues, and feel comfortable with reporting, knowing there won't be a punitive response."
Although a compliance program should involve staff and leadership throughout the organization, there are some key players involved in the program. "The compliance officer is certainly the quarterback," says Watt. "However the compliance committee helps support the work of the program and helps the compliance officer evaluate and communicate compliance issues. Ultimately, the board of directors is responsible for the effectiveness of the program." To fulfill their responsibilities, board members must take compliance efforts seriously, ask questions about compliance, and regularly review data.
Defining the Program
A first step in creating a compliance program is to define what the program encompasses. "Organizations should have a written compliance plan that identifies which laws, regulations, standards, and requirements fall within the plan," says Watt. "For example, is the organization going to focus strictly on billing and payment compliance, or is it going to expand to ensure compliance with other laws, regulations, standards, and recommendations? Regardless of the answer to this question, the organization must do what its plan says it will do and not commit to monitoring compliance for all laws and regulations when they do not have the resources - time, staff, money, leadership commitment - to do so."
The organization must also send a consistent message about compliance. "Within their compliance program, organizations need to "walk the talk" in order for compliance to become embedded in day-to-day operations," says Watt. "If your compliance officer is saying it's important to catch issues, report them, and then resolve them, but the department heads are stressing how the organization needs to save money, bill patients quickly, and not worry about small billing errors or mistakes, your organization is sending mixed messages on what is important."
Determining the Effectiveness of the Program
Once an organization has defined the scope of its compliance program, it should make sure the program is effective. But what does that mean? What one person considers effective may differ from another person's opinion. "One way to determine whether your program is effective is to see if its fulfills its ultimate purpose - to prevent and detect violations of rules, regulations, laws, and so forth," say Vernaglia. "If you have a system for compliance which prevents and detects violations and a culture that respects the compliance process, then you have an effective compliance program."
Some organizations look at the recommendations of outside entities to help determine effectiveness. For example, the Office of Inspector General (OIG) provides some fairly specific guidelines on what it considers an effective compliance program. Since 1998, the OIG has created several documents that provide compliance program guidance for a variety of program types - hospitals, nursing facilities, pharmaceutical companies, and so forth. These documents help promote adherence to applicable federal and state law and the program requirements of federal, state and private health plans.1 "Within these guidance documents, OIG offers a seven-point rubric that organizations can follow," says Vernaglia. "Although no two organizations will implement OIG's recommendations the same way, if an organization embodies within its resources and capabilities some respect for each of the seven elements of the rubric, it is reasonable to assume the organization's compliance program would be effective." While the OIG encourages the use of their guidelines, they are not required. The recommendations are meant to cross the differences between organizations and serve as guidance in developing, maintaining, and ensuring the effectiveness of a compliance program.1 [Link to The OIG's Seven Guidelines for an Effective Compliance Plan]
A critical component to determining effectiveness is measurement. "By looking at objective data about your organization, you can easily see whether your compliance program is doing what it is designed to do," says Vernaglia. Such measures may include the number of compliance committee meetings that occurred in the past year or the number of compliance issues reported in the past month. (See Creating Measures for Assessing Compliance Program Effectiveness [Link to this] for some questions that can help you create potential measures.)
In addition to quantitative measures, organizations may want to use a qualitative approach to assessing compliance. "Surveying and interviewing employees about the compliance program, their familiarity with it, and whether they have ever reported a compliance issue, may be helpful in determining whether the program is real or just on paper," says Vernaglia. Organizations should also consider asking how staff members report issues and whether they are comfortable with the process.
To fully assess the effectiveness of a compliance program, compliance officers - in conjunction with the compliance committee - should conduct period audits of the program. These audits may involve reviewing predetermined measures, looking at data, and interviewing staff and organization leaders. Some organizations choose to hire an outside firm for this process, but even in those cases, the compliance officer and committee should be involved in picking the measures for the audit and overseeing the audit process. Organizations should consider conducting some type of audit - a full or partial audit - on their compliance program at least once per year.