Creating a Culture of Compliance in 2018

by  Sean M. Weiss & Frank Cohen
May 30th, 2018

This year (2018), healthcare organizations (Hospitals, Health Systems, and Physician Groups/Practices) must focus on the criticality of creating a culture of compliance to ensure effectiveness and efficiency. Focusing on "compliance"-only approaches leaves healthcare organizations exposed to areas of liability oftentimes far more than what they could ever imagine or even what they are willing to tolerate. In 2018, you will need to walk through your compliance program and determine how to shift from a compliance-only approach to a "Risk-Based" approach.

This will require your compliance team to focus on areas often ignored, those that leave your compliance program exposed to the threats of government agencies, and their investigators. Regardless of the size of your organization, this shift in thinking and in carrying out functions of compliance is a must to ensure you are covering your assets!

To set yourself on the right course of how to approach compliance, you have to first define it. Keep in mind that we are talking about compliance within healthcare, which is different than any other industry; when we talk about healthcare compliance, it is important to understand that it is the process of following rules, regulations, and laws that relate to healthcare practices. Healthcare organizations are held to very strict standards, regulations, and laws from the federal and state levels, and violating these can result in lawsuits, significant fines, loss of licenses, and exclusion.

The "Filip" Factors and how The DoJ uses these dates back to the Filip Memo of 2008, and even before that, you had the McNulty Memo of 2006. As I am sure you will understand the structure of the laws pre-dates even 2006, dating back to 1999 when Eric Holder was the Deputy Attorney General. The guidelines delineate several factors that focus significantly on whether a corporation has been "cooperative" during the course of a government investigation. This became known as the Holder Memo. The level of cooperation leads to whether to indict the corporation or strike a plea agreement. In January 2003, the Holder Memo was replaced by the Thompson Memo (Deputy Attorney General Larry D. Thompson). The Thompson Memo was modified in December 2006 by Deputy Attorney General Paul J. McNulty, who made several critical alterations based on certain friction points between prosecutors, their corporate targets, and the defense bar, which in some instances had led to contentious battles in the federal courts.

This portion is very important, because it set the standard for how future Attorney Generals and their Deputies would advance their agendas. The McNulty Memo altered the treatment of privilege waivers and provision of attorneys' fees, and added focus on pre-existing compliance programs. The Filip Memo further shifted with regard to what factors drive determinations of whether a corporation deserves "cooperation credit," which is the standard(s) used to determine whether a corporation would avoid indictment under the guidelines.

Where cooperation credit had previously turned on factors including waiver of attorney-client privilege or work product protections, under the Filip Memo, it now focused on disclosure of relevant facts. Further, Government requests for disclosure of non-factual attorney-client privileged materials (known under the McNulty Memo as "Category II" information) became expressly forbidden, except in extremely limited circumstances. (In 2015, the Acting Deputy Director Sally Yates created the Yates Memo, which sought to eliminate the Filip Memo and go back to the days of the Wild West in government prosecution.) The McNulty Memo also disallowed as part of the cooperation analysis whether the corporation advanced legal fees to employees, entered into a joint defense agreements, or sanctioned culpable employees. Overall, these changes made it more difficult for the DOJ to conclude that it is appropriate to charge a corporation, and made it easier for a corporation to coordinate and defend itself in a criminal investigation. Again, the Yates Memo of 2015 sought to reverse all of this and thus erode the de-facto attorney client privilege. Since the DOJ has elected to revert back to the Filip Memo, the factors created under this memo are again in effect.

The specific Filip Factors include:

1. The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for particular categories of crime (see USAM 9-28.400);
2. The pervasiveness of wrongdoing within the corporation, including the complicity in, or condoning of, the wrongdoing by corporate management (see USAM 9-28.500);
3. The corporation's history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it (see USAM 9-28.600);
4. The corporation's willingness to cooperate in the investigation of its agents (see USAM 9-28.700);
5. The existence and effectiveness of the corporation's pre-existing compliance program (see USAM 9-28.800);
6. The corporation's timely and voluntary disclosure of wrongdoing (see USAM 9-28.900);
7. The corporation's remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with relevant government agencies (see USAM 9-28.1000);
8. The collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as impact on the public arising from the prosecution (see USAM 9-28.1100);
9. The adequacy of remedies such as civil or regulatory enforcement actions (see USAM 9-28.1200); and
10. The adequacy of the prosecution of individuals responsible for the corporation's malfeasance (see USAM 9-28.1300).

There are also 119 sample questions listed in the "Evaluation of Corporate Compliance Programs," which are separated into 11 topics:

1. Analysis and Remediation of Underlying Conduct
2. Senior and Middle Management
3. Autonomy and Resources
4. Policies and Procedures
5. Risk Assessment
6. Training and Communications
7. Confidential Reporting and Investigation
8. Incentives and Disciplinary Measures
9. Continuous Improvement, Periodic Testing, and Review
10. Third Party Management
11. Mergers & Acquisitions

The DOJ's Fraud Section has found these questions and topics relevant in determining whether to bring charges or negotiate plea and other agreements with entities under investigation. The issuance is the agency's first formal guidance under the new presidential administration, and the latest effort by the DOJ's "compliance initiative," which launched in November 2015 with the hiring of compliance counsel expert, Hui Chen. The new guidance is particularly valuable for healthcare organizations in light of the agency's heightened efforts to prosecute Medicare Advantage plans for fraudulent reporting under the False Claims Act.

This document's main focus is on creating a Risk Based Internal Audit Process (RBIA); it becomes important to understand what this involves. There are six steps of a Risk Assessment Matrix (RAM), in addition to structuring RBIA Policies. There is very good guidance that exists for you to create a Matrix, as well as to structure proper policies. It will, however, take a bit of effort on your compliance team's part to develop these, but it can be done fairly efficiently without having to spend tens of thousands of dollars to hire an attorney or compliance consultant. Still, there are organizations where even their compliance professional(s) do not possess the understanding or requisite skills to make this dynamic shift, thus requiring help from outside professionals.

Just how important is Risk Based Auditing? I tend to take my lead from CMS when it comes to audit risk. In 2011, CMS implemented a new fraud, waste, and abuse detection model called the Fraud Prevention System (FPS). This is how CMS described the FPS in their 2014 report to Congress:

The Fraud Prevention System (FPS) is the state-of-the-art predictive analytics technology required under the Small Business Jobs Act of 2010 (SBJA). Since June 30, 2011, the FPS has run predictive algorithms and other sophisticated analytics nationwide against all Medicare fee-for-service (FFS) claims prior to payment. For the first time in the history of the program, CMS is systematically applying advanced analytics against Medicare FFS claims on a streaming, nationwide basis as part of its comprehensive program integrity strategy.

Basically, CMS has sent a message to healthcare providers that says, "We have upped the ante, now it's your turn." We are being given more than just a hint to move toward a more sophisticated method for determining which of our claims may be most at risk for improper coding and billing. We are being given a mandate. In fact, in that same report, CMS boasted that they prevented nearly $1 billion in payments from going out, and that doesn't even address how much they recouped through their chase and pay efforts.

What providers need to understand is that 100% of all Medicare fee-for-service claims are now being processed through these predictive algorithms prior to payment. What risk-based auditing does is allow us to see what we look like to those algorithms, so to speak. In essence, if we want to see what the auditors see before they come knocking on our doors. The days of conducting random probe audits and assigning fixed annual chart review requirements have gone with the past. These methods aren't just inefficient and inaccurate, they are useless. In fact, a case can be made for doing nothing over random probe audits as they most often will miss some 90% of risk opportunities. While methods and algorithms will improve with time, the fact is, risk-based auditing, in whatever final form, is here to stay.

The other critical aspect of your compliance program is the coding and documentation of professional services rendered to patients by your providers and how you are defining Medical Necessity and other compliance components. Focus on Medical Necessity; make sure you understand how to define it, and more importantly, how it is defined by CMS and Private Payors.

At the end of the day, how you structure your OIG Compliance Program will have significant impact not only on your operations, but how the government looks at you and what their position will be during an investigation as to whether they will structure a plea agreement or proceed with prosecuting the case. Take the time to understand the sample questions broken down by topic under the Filip Memo, as well as how to structure an effective Risk Based Internal Audit Process via the establishment of a Risk Assessment, because your compliance programs are no longer solely based on the "Seven Elements" to an Effective Compliance Program.

Sean M. Weiss is a Partner & Chief Compliance Officer. Sean has dedicated his career to helping healthcare facilities reduce the risk of noncompliance and achieve measurable financial results. An accomplished compliance and management professional, Sean has extensive knowledge of the inner workings of government agencies at both the federal and state level, including the Office of Inspector General, Department of Justice, and The United States Attorney's Office. Sean has been recognized time and again by clients for successfully protecting their organization from unwarranted penalties and ensuring they receive due process. In his medical audit appeal defense work, Sean and his team of auditing and compliance experts have a proven record of success. Sean develops comprehensive, customized compliance plans, and serves as a third-party compliance consultant to ensure that client compliance is absolute.

Frank Cohen, Director of Analytics and Business Intelligence. Frank Cohen's areas of expertise include data mining, applied statistics, and predictive analytics. In addition, he provides compliance risk analysis and meaningful assistance to healthcare organizations in the areas of process improvement, compliance, quality, and profitability. Frank works with a wide range of clients, including solo-physician offices to practices with over 1,000 physicians, academic medical centers, cancer clinics, legal and accounting professionals, government agencies, and national associations, such as MGMA and AMA. He and his team have worked with physicians and practices in nearly 60 different specialties and within every state in the U.S. The author of several books, including his newest, "RVUs: Applications for Medical Practice Success," Frank is a sought-after speaker. He has participated in and published numerous articles and studies and trained thousands of physicians, administrators, CPAs, and other healthcare professionals in all areas of healthcare analytics. His experience also includes eight years as a physician assistant in both the Navy and as a civilian, clinic administrator, and hospital CEO. Frank's clients appreciate his depth of knowledge and especially his ability to deliver complex analytical findings in terms that medical professionals can put into practical use.

References:

• BC Advantage Article