by Sean M. Weiss, CHC, CEMA, CMCO, CP MA, CPC-P, CMPE, CPC
January 26th, 2018
This year (2018), health care organizations (Hospitals, Health Systems and Physician Groups/Practices) must focus on the criticality of creating a culture of compliance to ensure effectiveness and efficiency. Focusing on "compliance-only" approaches leaves healthcare organizations exposed to areas of liability... often times far more than what they could ever imagine or even willing to tolerate. In 2018, you will need to walk through your compliance program and determine how to shift from a compliance only approach to a "Risk-Based" approach. This will require your compliance team to focus on areas often ignored, those that leave your compliance program exposed to the threats of government agencies, and their investigators. Regardless of the size of your organization, this shift in thinking and in carrying out functions of compliance is a must to ensure you are covering your assets!
To set yourself on the right course of how to approach compliance, you have to first define it. Keep in mind we are talking about compliance within healthcare, which is different than any other industry, so when we talk about health care compliance it is important to understand that it is the process of following rules, regulations, and laws that relate to healthcare practices. Healthcare organizations are held to very strict standards, regulations, and laws from the federal and state levels and violating these can result in lawsuits, significant fines, loss of licenses, and exclusion.
The "Filip" Factors and how The DOJ uses these dates back to the Filip Memo of 2008, and even before that you had the McNulty Memo of 2006. As I am sure you will understand the structure of the laws pre-dates even 2006, dating back to 1999 when Eric Holder was the Deputy Attorney General. The guidelines delineate several factors that focus significantly on whether a corporation has been "cooperative" during the course of a government investigation. This became known as the Holder Memo. The level of cooperation leads to whether to indict the corporation or strike a plea agreement. In January 2003, the Holder Memo was replaced by the Thompson Memo, (Deputy Attorney General Larry D. Thompson). The Thompson Memo was modified December, 2006. Deputy Attorney General Paul J. McNulty, who made several critical alterations based on certain friction points between prosecutors, their corporate targets, and the defense bar, which in some instances had led to contentious battles in the federal courts. This portion is very important because it set the standard for how future Attorney Generals and their Deputies would advance their agendas. The McNulty Memo altered the treatment of privilege waivers and provision of attorneys' fees, and added focus on pre-existing compliance programs. The Filip Memo further shifted with regard to what factors drive determinations of whether a corporation deserves "cooperation credit" which is the standard(s) used to determine whether a corporation would avoid indictment under the guidelines.
Where cooperation credit had previously turned on factors including waiver of attorney-client privilege or work product protections, under the Filip Memo, it now focused on disclosure of relevant facts. Further, Government requests for disclosure of non-factual attorney-client privileged materials (known under the McNulty Memo as "Category II" information) became expressly forbidden, except in extremely limited circumstances (In 2015 the Acting Deputy Director Sally Yates created the Yates Memo, which sought to eliminate the Filip Memo and go back to the days of the wild west in government prosecution). The McNulty Memo also disallowed as part of the cooperation analysis whether the corporation advanced legal fees to employees, entered into a joint defense agreements or sanctioned culpable employees. Overall, these changes made it more difficult for the DOJ to conclude that it is appropriate to charge a corporation, and made it easier for a corporation to coordinate and defend itself in a criminal investigation. Again, the Yates Memo of 2015 sought to reverse all of this and thus erode the de-facto attorney client privilege... Since the DOJ has elected to revert back to the Filip Memo, the factors created under this memo are again in effect. The specific Filip Factors include:
- The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for particular categories of crime (see USAM 9-28.400);
- The pervasiveness of wrongdoing within the corporation, including the complicity in, or condoning of, the wrongdoing by corporate management (see USAM 9-28.500);
- The corporation's history of similar misconduct, including prior criminal, civil and regulatory enforcement actions against it (see USAM 9-28.600);
- The corporation's willingness to cooperate in the investigation of its agents (see USAM 9-28.700);
- The existence and effectiveness of the corporation's pre-existing compliance program (see USAM 9-28.800)
- The corporation's timely and voluntary disclosure of wrongdoing (see USAM 9-28.900);
- The corporation's remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with relevant government agencies (see USAM 9-28.1000);
- The collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as impact on the public arising from the prosecution (see USAM 9-28.1100);
- The adequacy of remedies such as civil or regulatory enforcement actions (see USAM 9-28.1200); and
- The adequacy of the prosecution of individuals responsible for the corporation's malfeasance (see USAM 9-28.1300).
There are also 119 sample questions listed in the "Evaluation of Corporate Compliance Programs," which are separated into 11 topics:
- Analysis and Remediation of Underlying Conduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third Party Management
- Mergers & Acquisitions
The DOJ's Fraud Section has found these questions and topics relevant in determining whether to bring charges or negotiate plea and other agreements with entities under investigation. The issuance is the agency's first formal guidance under the new presidential administration, and the latest effort by the DOJ's "compliance initiative," which launched in November, 2015 with the hiring of compliance counsel expert Hui Chen. The new guidance is particularly valuable for healthcare organizations in light of the agency's heightened efforts to prosecute Medicare Advantage plans for fraudulent reporting under the False Claims Act.
The main focus of this document is creating a Risk Based Internal Audit Process (RBIA). It becomes important to understand what this involves. There are six steps of a Risk Assessment Matrix (RAM) in addition to structuring RBIA Policies. There is very good guidance that exists for you to create a Matrix as well as to structure proper policies. It will however take a bit of effort on the part of your compliance team to develop these, but it can be done fairly efficiently without having to spend tens of thousands of dollars to hire an attorney or compliance consultant. Still, there are organizations where even their compliance professional(s) do not possess the understanding or requisite skills to make this dynamic shift, thus requiring help from outside professionals.
The other critical aspect of your compliance program is the coding and documentation of professional services rendered to patients by your providers and how you are defining Medical Necessity and other compliance components. Focus on Medical Necessity, make sure you understand how to define it and more importantly, how is it defined by CMS and Private Payors and so forth.
At the end of the day, how you structure your OIG Compliance Program will have significant impact not only on your operations but how the government looks at you and what their position will be during an investigation as to whether they will structure a plea agreement or proceed with prosecuting the case. Take the time to understand the sample questions broken down by topic under the Filip Memo as well as how to structure an effective Risk Based Internal Audit Process via the establishment of a Risk Assessment because your compliance programs are no longer solely based on the "Seven Elements" to an Effective Compliance Program.