by Sean M. Weiss & Frank Cohen
May 30th, 2018
This year (2018), healthcare organizations (Hospitals, Health Systems, and Physician Groups/Practices) must focus on the criticality of creating a culture of compliance to ensure effectiveness and efficiency. Focusing on "compliance"-only approaches leaves healthcare organizations exposed to areas of liability oftentimes far more than what they could ever imagine or even what they are willing to tolerate. In 2018, you will need to walk through your compliance program and determine how to shift from a compliance-only approach to a "Risk-Based" approach.
This will require your compliance team to focus on areas often ignored, those that leave your compliance program exposed to the threats of government agencies, and their investigators. Regardless of the size of your organization, this shift in thinking and in carrying out functions of compliance is a must to ensure you are covering your assets!
To set yourself on the right course of how to approach compliance, you have to first define it. Keep in mind that we are talking about compliance within healthcare, which is different than any other industry; when we talk about healthcare compliance, it is important to understand that it is the process of following rules, regulations, and laws that relate to healthcare practices. Healthcare organizations are held to very strict standards, regulations, and laws from the federal and state levels, and violating these can result in lawsuits, significant fines, loss of licenses, and exclusion.
The "Filip" Factors and how The DoJ uses these dates back to the Filip Memo of 2008, and even before that, you had the McNulty Memo of 2006. As I am sure you will understand the structure of the laws pre-dates even 2006, dating back to 1999 when Eric Holder was the Deputy Attorney General. The guidelines delineate several factors that focus significantly on whether a corporation has been "cooperative" during the course of a government investigation. This became known as the Holder Memo. The level of cooperation leads to whether to indict the corporation or strike a plea agreement. In January 2003, the Holder Memo was replaced by the Thompson Memo (Deputy Attorney General Larry D. Thompson). The Thompson Memo was modified in December 2006 by Deputy Attorney General Paul J. McNulty, who made several critical alterations based on certain friction points between prosecutors, their corporate targets, and the defense bar, which in some instances had led to contentious battles in the federal courts.
This portion is very
Where cooperation credit had previously turned on factors including waiver of attorney-client privilege or work product protections, under the Filip Memo, it now focused on disclosure of relevant facts. Further, Government requests for disclosure of non-factual attorney-client privileged materials (known under the McNulty Memo as "Category II" information) became expressly forbidden, except in extremely limited circumstances. (In 2015, the Acting Deputy Director Sally Yates created the Yates Memo, which sought to eliminate the Filip Memo and go back to the days of the Wild West in
The specific Filip Factors include:
- The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for particular categories of crime (see USAM 9-28.400);
- The pervasiveness of wrongdoing within the corporation, including the complicity in, or condoning of, the wrongdoing by corporate management (see USAM 9-28.500);
- The corporation's history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it (see USAM 9-28.600);
- The corporation's willingness to cooperate in the investigation of its agents (see USAM 9-28.700);
- The existence and effectiveness of the corporation's pre-existing compliance program (see USAM 9-28.800);
- The corporation's timely and voluntary disclosure of wrongdoing (see USAM 9-28.900);
- The corporation's remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with relevant government agencies (see USAM 9-28.1000);
- The collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as
impacton the public arising from the prosecution (see USAM 9-28.1100);
- The adequacy of remedies such as civil or regulatory enforcement actions (see USAM 9-28.1200); and
- The adequacy of the prosecution of individuals responsible for the corporation's malfeasance (see USAM 9-28.1300).
There are also 119 sample questions listed in the "Evaluation of Corporate Compliance Programs," which are separated into 11 topics:
- Analysis and Remediation of Underlying Conduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing, and Review
- Third Party Management
- Mergers & Acquisitions
The DOJ's Fraud Section has found these questions and topics relevant in determining whether to bring charges or negotiate
This document's main focus is on creating a Risk Based Internal Audit Process (RBIA); it becomes important to understand what this involves. There are six steps of a Risk Assessment Matrix (RAM), in addition to structuring RBIA Policies. There is very good guidance that exists for you to create a Matrix, as well as to structure proper policies. It will, however, take a bit of effort on your compliance team's part to develop these, but it can be done fairly efficiently without having to spend tens of thousands of dollars to hire an attorney or compliance consultant. Still, there are organizations where even their compliance professional(s) do not possess the understanding or requisite skills to make this dynamic shift, thus requiring help from outside professionals.
Just how important is Risk Based Auditing? I tend to take my lead from CMS when it comes to audit risk. In 2011, CMS implemented a new fraud, waste, and abuse detection model called the Fraud Prevention System (FPS). This is how CMS described the FPS in their 2014 report to Congress:
The Fraud Prevention System (FPS) is the state-of-the-art predictive analytics technology required under the Small Business Jobs Act of 2010 (SBJA). Since June 30, 2011, the FPS has run predictive algorithms and other sophisticated analytics nationwide against all Medicare fee-for-service (FFS) claims prior to payment. For the first time in the history of the program, CMS is systematically applying advanced analytics against Medicare FFS claims on a streaming, nationwide basis as part of its comprehensive program integrity strategy.
Basically, CMS has sent a message to healthcare providers that says, "We have upped the ante, now it's your turn." We are being given more than just a hint to move toward a more sophisticated method for determining which of our claims may be most at risk for improper coding and billing. We are being given a mandate. In fact, in that same report, CMS boasted that they prevented nearly $1 billion in payments from going out, and that doesn't even address how much they recouped through their chase and pay efforts.
What providers need to understand is that 100% of all Medicare fee-for-service claims are now being processed through these predictive algorithms prior to payment. What risk-based auditing does is allow us to see what we look like to those algorithms, so to speak. In essence, if we want to see what the auditors see before they come knocking on our doors. The days of conducting random probe audits and assigning fixed annual chart review requirements have gone with the past. These methods aren't just inefficient and inaccurate, they are useless. In fact, a case can be made for doing nothing over random probe audits as they most often will miss some 90% of risk opportunities. While methods and algorithms will improve with time, the fact is, risk-based auditing, in whatever final form, is here to stay.
The other critical aspect of your compliance program is the coding and documentation of professional services rendered to patients by your providers and how you are defining Medical Necessity and other compliance components. Focus on Medical Necessity; make sure you understand how to define it, and more importantly, how it is defined by CMS and Private Payors.
At the end of the day, how you structure your OIG Compliance Program will have
Sean M. Weiss is a Partner & Chief Compliance Officer. Sean has dedicated his career to helping healthcare facilities reduce the risk of noncompliance and achieve measurable financial results. An accomplished compliance and management professional, Sean has extensive knowledge of the inner workings of government agencies at both the federal and state level, including the Office of Inspector General, Department of Justice, and The United States Attorney's Office. Sean has been recognized
Frank Cohen, Director of Analytics and Business Intelligence. Frank Cohen's areas of expertise include data mining, applied statistics, and predictive analytics. In addition, he provides compliance risk analysis and meaningful assistance to healthcare organizations in the areas of process improvement, compliance, quality, and profitability. Frank works with a wide range of clients, including solo-physician offices to practices with over 1,000 physicians, academic medical centers, cancer clinics, legal and accounting professionals, government agencies, and national associations, such as MGMA and AMA. He and his team have worked with physicians and practices in nearly 60 different specialties and within every