2021 Compliance Risk Assessment Resource Guide
Table of Contents
Executive Summary
Introduction
SWOT Analysis
2020 Financial Data
2020-2021 OIG and State Work Plans
Corporate Compliance and Internal Audit Risk Assessment Interviews
Recent Prior Audits
Voluntary Disclosures
Government Audit Summary
Program for Evaluating Payment Patterns Report
Recovery Audit Contractors
Medicare Case Mix
Comprehensive Error Rate Testing
Professional Fee Documentation and Billing
Corporate Compliance Non-Coding Initiatives
Office of the Medicaid Inspector General (State)
The Patient Protection and Affordable Care Act (PPACA)
Conflicts of Interest
United States Sentencing Commission - Federal Sentencing Guidelines
2021 Reimbursement Changes
CMS Medicaid Integrity Program (MIP)
Zone Program Integrity Contractor (ZPIC)
Medicare Administrative Contractor (MAC)
Data Mining
2020 Hotline Trend Analysis Summary: Alertline and Internal Cases
Annual Mandatory Compliance Training
Health Insurance Portability and Accountability Act (HIPAA)
Compliance Policies
Other Regulatory Topics
Conclusion
Exhibit A
EXECUTIVE SUMMARY
I. INTRODUCTION
A key objective of the Office of Corporate Compliance (Corporate Compliance) is to continuously reassess risk areas, reprioritize the compliance projects that are most critical to the mission of the X, and report compliance developments and compliance audit findings to the Board of Trustees’ Audit and Corporate Compliance Committee, the full Board of Trustees as appropriate, the Executive Audit and Compliance Committee, the Chief Executive Officer and other members of Senior Management.
Compliance risk is mitigated through internal review processes. Monitoring and auditing provide early identification of program or operational weaknesses and substantially reduce exposure to government or whistleblower claims. Although many assessment techniques are available, one effective tool is the performance of regular, periodic compliance audits by internal or external auditors.
The purpose of the 2021 Risk Assessment Guide is to describe briefly the various sources utilized by Corporate Compliance to identify and assess potential risk areas for the 2021 Corporate Compliance Work Plan. The planning process for this Work Plan is ongoing and dynamic: Corporate Compliance continually evaluates new data throughout the year to identify and reassess the likelihood of any potential risk to X.
II. ROLE OF THE BOARD OF TRUSTEES—CORPORATE COMPLIANCE
The role of the Board of Trustees is to oversee the management of the Compliance Program, to actively support the Compliance Program, and ensure implementation of the Compliance Program’s activities. Corporate Compliance is charged with the operational responsibility for the Compliance Program which includes designing and implementing tools and initiatives to sustain an effective compliance program.
Corporate Compliance has a finite amount of resources to focus on compliance matters each year. Accordingly, Corporate Compliance judiciously allocates its resources based on what the Board of Trustees and management believe to be the greatest compliance risks to X. In addition, new legal and compliance developments occur throughout the year which may require a refocusing of compliance priorities.
III. METHODOLOGY OF 2021 CORPORATE COMPLIANCE RISK ASSESSMENT
Resources: The 2021 Compliance Risk Assessment utilized numerous internal and external resources to help determine which risk areas should be evaluated. Two important data resources are the Office of the Inspector General for the United States Department of Health and Human Services’ (OIG) FY 2021 Work Plan and the Office of Medicaid Inspector General (State) 2020-2021 Work Plans. Corporate Compliance utilizes these work plans, which provide roadmaps of the agencies’ planned audit activities. It is an industry standard for healthcare providers to review the OIG and State Work Plans annually and to evaluate their own entities for these potential risk areas.
For the 2021 risk assessment process, Corporate Compliance also conducted interviews with key departments and individuals to identify and assess potential risks throughout the X. In addition, Corporate Compliance evaluated financial data for reimbursement trends, prior X audit data, government data trends, state and federal enforcement agencies’ audit reports and regulatory notices, and internal surveys on various topics to identify other areas of potential risk.
IV. BRIEF SUMMARY OF THE CORPORATE COMPLIANCE RISK ASSESSMENT ANALYSIS
Similar to our 2020 risk assessment, the compliance risk assessment indicates that compliance resources should be placed on X issues as they remain at “X” risk. Under F-SHRP, the Federal-State Health Reform Partnership, the State is mandated to generate $644 million in fraud and abuse recoveries in 2021, its highest financial target to date. In addition, as part of a recent state regulation, X is required to perform risk reviews and audits on facilities that bill over $500,000 in Medicaid billings. We anticipate that the State will audit the effectiveness of X’s compliance program.
The 2021 risk assessment places X at a “X” risk.
This year the X’s vulnerability with respect to X was moved from X to X as a result of current audits. In addition, the 2020 federal health care legislation places an emphasis on ancillary services and will require mandatory compliance programs for these services.
For 2021, inpatient billing is in the “X” risk category since the volume within the organization is great and there is an increase in government audits and investigations, including the launch of new RAC audits. However, prior Corporate Compliance and government audits had not detected any significant audit findings in this area.
X and other new businesses are listed as a separate area of risk because the X has not had an opportunity to complete enough audits to fully assess its internal controls to mitigate potential billing errors.
X also remains a risk category because the government is devoting more enforcement resources in this area. Both federal and state regulators are moving towards quality-based audits, some of which already have resulted in multi-million dollar settlements. These audits are focused on various quality issues, including medical necessity, such as whether a patient should be treated as an inpatient versus an outpatient. X is working on ways to further collaborate between quality and compliance to ensure that we are jointly monitoring quality-related issues.
Issues relating to X remain a “X” risk area because the law is a strict liability statute and the government continues to dedicate enforcement resources to reviewing physician arrangements. In 2020, the Department of Justice collected $108 million from an Ohio hospital for unlawful payments to physicians in exchange for cardiac patient referrals. The recently enacted health care legislation will make it even easier for the government to pursue Stark and anti-kickback claims against healthcare providers.
In addition, the compliance risk assessment found that more resources should continue to be placed on creating a greater awareness of the Compliance Program including its policies related to privacy issues. In 2020, X had a number of privacy breaches despite employee education and awareness initiatives.
See the graph below to view the general risk areas. See the enclosed 2021 Corporate Compliance Work Plan to view the planned compliance and audit initiatives to address potential risks.
INTRODUCTION
In order to have an effective Corporate Compliance Program, it is necessary to continuously assess risk, re-prioritize compliance projects and report compliance developments and audit findings to the Board’s Audit and Corporate Compliance Committee, the full Board of Trustees as appropriate, the Executive Audit and Compliance Committee, the Chief Executive Officer, and the General Counsel. This 2021 Risk Assessment Guide briefly describes some of the various sources utilized by Corporate Compliance to identify and assess potential risk areas. See Exhibit A for a listing of the primary resources consulted for this review.
SWOT ANALYSIS
In 2020, Corporate Compliance assessed the resources available to ensure an effective compliance program at the X. One of the assessment tools utilized was the Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis, depicted below. The primary weakness identified is X. To address this risk, Corporate Compliance did X.
Other weaknesses identified by the Compliance risk assessment include X. To address this risk, Corporate Compliance did X. In addition, X plans to implement the following measures: X; X; and, X to further mitigate this risk.
The primary threats identified demonstrate there are a number of external agencies that are likely to focus various audits at the X facilities. The amount of government resources dedicated to review the X’s coding and billing continues to increase at an accelerated rate because of the new federal legislation. In addition, the government may continue to specifically focus on facility X because of past audits.
Despite these threats, X’s Compliance Program has continued to receive national awards as having the best compliance practices. The Compliance Program also has opportunities in the future to further improve upon its efforts. For example, X may improve throughput times to audit coding records and conduct HIPAA audits. In addition, we can continue to improve our transparency efforts by starting to build X.
X 2020 FINANCIAL DATA
Analyzing X financial data is a key component of Corporate Compliance’s risk assessment process. We review inpatient and outpatient revenue trends including net patient revenues and payor and case mix. For purposes of this guide, financial data is for year-to-date data from January 1, 2020, through and including October 31, 2020. Data is analyzed at the facility level for net patient revenues (net of provision for bad debt), payor mix, and case mix to determine potential external audit risk and allocation of Corporate Compliance Audit resources.
The X’s tertiary centers receive the largest amounts of federal healthcare program revenues and therefore have a higher likelihood of being audited by government agencies. The community hospitals also receive a significant portion of their inpatient revenue from federal dollars. Clinics outside the four walls of the hospitals also have a high likelihood of being audited by state agencies. X will also focus its Medicaid specific audits at facilities that bill over $500,000 of Medicaid revenue.
FY 2020-2021 OIG AND STATE WORK PLANS
Two key work plan resources are the OIG FY 2021 Work Plan and the State SFY 2020-2021 Work Plan. Each year, these governmental agencies release audit work plans which provide a roadmap of their planned audit activities. It is an industry standard for healthcare providers to review the OIG and State Work Plans annually and to evaluate their own entities for these potential risk areas. Corporate Compliance reviewed these work plans and incorporated any applicable audit categories into its 2021 Work Plan.
CORPORATE COMPLIANCE AND INTERNAL AUDIT RISK ASSESSMENT INTERVIEWS
Corporate Compliance, along with Internal Audit (IA), performed interviews of key leaders with the goal of including these individuals in the overall risk evaluation and discussion. After completion of the interview phase, both Corporate Compliance and IA create individualized audit work plans that are shared between them before finalization to avoid audit overlap. Audit results are shared throughout the year between the departments.
RECENT PRIOR X AUDITS
Internal Corporate Compliance Audits Summary
The Corporate Compliance Audit Department conducted a total of X audits in 2020, not including investigatory audits. This is an increase from the X audits Compliance conducted in 2019. Of those audits, X were finalized and submitted to the Executive Audit and Compliance Committee and Senior Leadership. Status update reports of these audits are also shared with the Board of Trustees’ Audit and Corporate Compliance Committee on a quarterly basis. X audits were started in 2020 but are still in the process of being finalized. These audits will be reported to the Executive Audit and Compliance Committee, Senior Leadership and the applicable Board of Trustees’ committees during 2021. Audit topics were chosen based upon the 2020 Risk Assessment and included X audits of faculty practice. Areas audited included:
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
Compliance also conducted a total of X audits of related facility services. Please note that four of these audits began in 2019 and were finalized in 2020. Areas audited included:
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
-
XXXX
Professional Fee Services
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
- XXXX
Corporate Compliance Audit also is responsible for various investigative audits that are requested by management or are referred through the Compliance HelpLine or other referrals. These audits are conducted throughout the year on an as-needed basis. All requests are evaluated and referred to the appropriate member of the audit team for review. In 2020, there were X investigative audits, a decrease from the X investigative audits in 2019. X of the X investigations are closed and resulted in no material findings.
During 2020, Corporate Compliance Audit’s findings were generally non-material in nature and were communicated to key stakeholders. Corrective actions were recommended to the appropriate management and any identified overpayments were refunded. In 2021, Corporate Compliance Audit plans on auditing more relevant potential risk areas through the use of data mining.
VOLUNTARY DISCLOSURES
The OIG, State and Medicare’s Fiscal Intermediaries have processes for health care providers to voluntarily disclose and rectify overpayments received. The benefits of self disclosure include forgiveness or reduction of interest payments, extended repayment terms, waiver of penalties and/or sanctions and possible preclusion of a subsequently filed State False Claims Act qui tam action based on the disclosed matter. As a result of the internal review processes and our proactive Corporate Compliance Program, the X discovered a number of overpayments during 2020 which arose as a result of inadvertent incorrect billing, documentation problems and other issues. X made voluntary disclosures to Medicare or Medicaid of X matters and repaid (or has proposed to repay) an approximate total of $X. This figure does not include items that are not routinely disclosed during our normal audit process.
GOVERNMENT AUDIT SUMMARY
X continues to be audited by government agencies on a regular basis. In 2020, the number of government audits increased significantly, which is not a surprise given the vast amount of new resources the government has dedicated towards ensuring healthcare providers submit accurate claims to Medicare and Medicaid. The number of audits increased by over X percent when compared to 2019. The following grid depicts the status of all government audits at all facilities as of December 2020. Please note this grid does not include the recent RAC requests.
Agency | # | Percent of Agency | Percent of Total
---|---|---|---
Medicare Audits | | |
OIG | X | X% | X%
CERT | X | X% | X%
NGS | X | X% | X%
DOH | X | X% | X%
CMS | X | X% | X%
NGS Pre Pay Probe | X | X% | X%
Sub Total - Medicare Audits | X | 100% | X%
Medicaid Audits | | |
State | X | X% | X%
AG | X | X% | X%
DOH | X | X% | X%
HMS/PCG | X | X% | X%
Sub Total - Medicaid Audits | X | 100% | X%
Total | X | 100% |
PROGRAM FOR EVALUATING PAYMENT PATTERNS ELECTRONIC REPORT (PEPPER)
PEPPER is an electronic report available from the federal government containing hospital-specific data for target areas that have been identified as high risk for payment areas (i.e., specific diagnosis-related groups [“DRGs”] and discharges). It is suggested that anything above the 80th percentile or below the 20th percentile, as compared to National, State and Jurisdiction (i.e., Regional) benchmarks, should be reviewed. The grid below identifies those areas highlighted in red, green, blue and gray for the X. The outliers listed below are facility-specific and no trends were identified as X-wide issues.
Even though a facility may be red (i.e., at or above 80th percentile for National, State or Jurisdiction) for a certain DRG, it does not mean the facility’s coding is inappropriate. A facility could have a higher ranking because of demographic or other environmental reasons. In 2019-2020, Compliance and Quality conducted audits in several of these areas including: X, X, X, X, X and X.
RECOVERY AUDIT CONTRACTOR (RAC) AUDITS
RAC audits recently began after a long delay. Based on the RAC demonstration project (2005-2008), the Centers for Medicare and Medicaid Services (CMS) has identified Medicare payments that were not medically necessary and coded incorrectly for numerous hospitals. During the demonstration project, CMS recouped a total of approximately $X from the X from various audits after the appeals process.
The newly-appointed RAC contractor began requesting charts from X for review this summer. To date, over X records have been requested. CMS-approved audit issues for our region include transfer of care, MS-DRG validation, durable medical equipment, and other services such as pharmacy supply and dispensing fees, clinical social worker services, urological bundling and ambulance services. Currently, there are 71 approved issues listed by DCS for review. The RAC also intends to audit physician documentation and billing in the future. In addition, the RAC plans to use its discretion to extrapolate its findings in certain cases. Extrapolation is the process that Medicare contractors use to estimate a total overpayment based on an audit of a relatively small subset of claims. As a result, even a relatively small finding could result in a potentially large overpayment in the future.
Moreover, the recently enacted Patient Protection and Affordable Care Act (PPACA) also includes the expansion of the RAC program to Medicaid claims. States must implement RACs for Medicaid and must use a contingency fee payment system. The original implementation deadline was December 31, 2020. X has not selected a RAC vendor to audit Medicaid claims, but is expected to do so in 2021. This will be in addition to the Medicaid Integrity Contractors (MICs) that CMS already contracts with to audit Medicaid claims to ensure claims were appropriately coded and paid and the voluminous audits that the state conducts at our facilities.
MEDICARE CASE MIX
The case mix index represents the complexity of a hospital’s patients’ cases and indirectly demonstrates the average level of care provided to its patients in a given time period. Case mix is an effective tool to help identify compliance trends because when monitored over time, trends may indicate changes in coding practices, patient population, and services offered. The frequency of shifts should be minimal and when a shift occurs, management response is required.
Corporate Compliance reviewed the Medicare case mix index. The case mix for a few of X’s facilities increased slightly in 2020.
COMPREHENSIVE ERROR RATE TESTING (CERT)
The Comprehensive Error Rate Testing (CERT) program was initiated by CMS to achieve the agency's mission to emphasize accountability, pay claims appropriately, and to provide a renewed focus on the customer. The program produces national, contractor-specific, and service-specific paid claim error rates, as well as a provider compliance error rate. The paid claim error rate is a measure of the extent to which the Medicare program is paying claims correctly. The provider compliance error rate is a measure of the extent to which providers are submitting claims correctly.
The program has independent medical reviewers periodically reviewing representative random samples of Medicare claims that are identified as soon as they are accepted into the claims processing system. The independent reviewers medically review claims that are paid. Claims that are denied are validated to ensure that the decision was appropriate.
PROFESSIONAL FEE DOCUMENTATION AND BILLING
In 2019, Corporate Compliance identified X as a high risk area and hired an additional resource to help assist in monitoring faculty practice’s coding and billing. Also, a large number of new physicians will be joining the X in 2021. As a result, additional physician documentation and billing audits will continue to be a high priority and a focus of the Corporate Compliance Work Plan based upon this and other factors. In addition, X has budgeted two additional full-time employees to be dedicated to conduct additional coding and billing audits to mitigate risk.
Physician Practice Acquisitions
In 2020, the X acquired several physician office practices as part of its expansion of its service lines. When acquiring physician office practices it is important to conduct appropriate due diligence to ensure that effective compliance controls exist. While the X performs due diligence reviews during the acquisition process, it can be difficult to identify every compliance risk especially with respect to billing and coding. Accordingly, the X’s acquisition of physician office practices is a potential risk area. Listed below are all of the physician practices that were acquired during 2020:
FACULTY PRACTICE | FACULTY PRACTICE | FACULTY PRACTICE | FACULTY PRACTICE | FACULTY PRACTICE
---|---|---|---|---
XXXX | XXXX | XXXX | XXXX | XXXX
XXXX | XXXX | XXXX | XXXX |
XXXX | | | |
XXXX | | | |
XXXX | | | |
XXXX | | | |
CORPORATE COMPLIANCE NON-CODING INITIATIVES
Corporate Compliance spearheaded several non-coding initiatives in 2020 as part of its Work Plan. Among other items, these initiatives included reviewing X, creating additional controls to X, revamping X, launching additional compliance X, and implementing X. These initiatives helped to further enhance the X Compliance Program.
OFFICE OF THE MEDICAID INSPECTOR GENERAL
The core function of State is to conduct and supervise activities to prevent, detect and investigate Medicaid fraud and abuse with the goal of assuring integrity in the Medicaid program. Fraud and abuse control activities are shared with a variety of state agencies including, but not limited to, the Department of Health, the Office of Alcoholism and Substance Abuse, the Office of Mental Health and the State Education Department. These agencies coordinate their work with the State Attorney General’s Medicaid Fraud Control Unit and the State Comptroller.
2019 State Annual Report
State leads the nation in Medicaid fraud, waste and abuse prevention and detection, and serves as a role model for other states to emulate. For FY 2019-20, the Legislature has established a goal of $870 million in state-share recoveries and cost avoidances for State, nearly three times the amount assigned in 2016-17.
To achieve this goal, State worked throughout the last year to develop accurate, reliable measures of cost avoidance, and developed new techniques to identify potential for cost avoidance in every part of the agency and the Medicaid program.
State saved $1.61 billion “through cost-savings activities” last year, according to the agency's 2019 annual report, which also shows State exceeding a federal target to recover hundreds of millions of dollars in Medicaid funds as required under the Federal-State Healthcare Reform Partnership agreement (F-SHRP).
Under F-SHRP, State and other agencies are responsible for recouping “fraud and abuse” payments totaling $429 million in 2020 and $644 million in 2021. These recovery goals are in addition to targets set in the State budget for collection of back payments from responsible third-payers – targets which were recently increased by more than $150 million as part of the Deficit Reduction Plan.
State Work Plan
State has continued to take center stage in compliance initiatives as evidenced by the agency’s willingness to communicate their audit plans via frequent presentations given by X, as well as other high-ranking officials within the agency. Currently, the State website lists 2,692 final audit reports from August 2018 to present. In 2020 alone, there were 1,425 final audit reports posted.
On April 24, 2020, the agency released their 2020-2021 Annual Work Plan communicating audit initiatives for the next twelve months in their efforts to improve and preserve the integrity of the Medicaid program. This is the second annual work plan released since the agency was established in July 2006 as a formal state agency. For hospitals, among other items the 2020-2021 plan demonstrates potential vulnerabilities relative to duplicate clinic claims, ninety-day billing exception codes, DRG coding, payment for Medicare coinsurance and deductibles, medical record retention, and physician/hospital financial relationships.
To date, State audits of the X have not increased in comparison to twelve months ending December 31, 2019. Audit letters received during 2019 totaled X while X letters have been received year to date. The majority of these audits are focused on: X, X, X, X and X.
The State 2021 Work Plan was recently issued in December 2020. The 2021 X Work Plan will be reviewed and adjusted to take into account any new potential risk areas.
State - Provider Compliance Programs
Effective October 1, 2009, State health care organizations for which Medicaid constitutes $500,000 or more of the provider’s annual business operations (considered “substantial” and defined as ordering, providing, billing or claiming $500,000 or more from Medicaid in a twelve-month period), must have an “effective” compliance program and certify on an annual basis that the compliance program meets related statutory requirements. The effective compliance program requirement is also applicable to any state provider subject to the provisions of Articles 28 or 36 of the Public Health Law or Articles 16 or 31 of the Mental Hygiene Law, regardless of the amount of Medicaid business.
The State Mandatory Medicaid Compliance Program requirements are contained in New York Social Services Law §363-d and New York State Codes, Rules and Regulations Title 18, Part 521 (“Provider Compliance Programs” or “Part 521”). Part 521 defines the entities to which the requirements apply (“covered providers”) and mandates that each covered provider’s compliance program include eight elements.
To prepare for any future audit regarding this regulation, Corporate Compliance prepared an analysis based upon guidance from State. A few areas of improvement were identified to further enhance X’s existing compliance structure.
State - Governance
State oversight of a hospital’s compliance program is the fiduciary responsibility of the governing body. The State’s new regulation stipulates that the employee vested with the day-to-day operations of the compliance program must report to the governing body and that the governing body must receive compliance education.
To facilitate compliance with governance requirements, our Compliance Program will ensure that the Board and the CEO are fully cognizant of their responsibilities. Currently, the Chief Corporate Compliance Officer reports to the Board of Trustees’ delegated committee (i.e., Audit and Corporate Compliance Committee) on a quarterly basis. The Chief Corporate Compliance Officer also provides a written report quarterly to the full Board of Trustees regarding X’s compliance matters. To further enhance our governance structure, will now also report to X.
State - Quality of Care/Mandatory Reporting
To augment quality-related programs, the Compliance program will help ensure that quality assessment systems are in place, that quality-related data is reported both internally and externally as needed, and that the facility engages in continuous, proactive quality improvement plans to address any gaps in the system or other areas of improvement. Quality provides Corporate Compliance with periodic reports to assess as part of its compliance efforts. X completed the following quality-related reviews.
State - Credentialing
State laws and regulations, the CMS Conditions of Participation (COPs), and hospital accreditation standards require hospitals to conduct ongoing and continuous credentialing and competency reviews of clinical and non-clinical staff throughout the period of the staff member’s appointment and reappointment. The Credentialing Offices ensure that the required credentialing and staff-related processes are in place and functioning effectively. Corporate Compliance will verify and, if appropriate, conduct an audit of this area in 2021 to ensure compliance with these requirements.
THE PATIENT PROTECTION AND AFFORDABLE CARE ACT (PPACA)
On March 23, 2010, President Obama signed into law the PPACA. This law will increase the risk levels of all health care providers, including our X, given the vast amount of resources and enforcement weapons created by this bill. PPACA includes approximately $300 million of new funding over the next six years to further supplement the government’s already large arsenal of enforcement resources.
One example of the new PPACA enforcement tools is the requirement that health care providers maintain mandatory compliance programs. The Secretary of the U.S. Department of Health and Human Services (HHS) will be rolling out specific standards for various industries. Durable medical equipment and home health providers will likely be among the first to be subject to this requirement since they were highlighted in PPACA as being high risk areas.
Other new enforcement laws include enhanced screening requirements of applicants for enrollment, a requirement that physicians be enrolled in Medicare to order durable medical equipment or certify home health services, more expansive revisions to the anti-kickback statute and False Claims Act, and new Civil Monetary Penalties laws for new health care areas that are subject to fraud and abuse. There is also a plan to introduce a new bill to double the penalties for Medicare fraud, which are already significant in nature. This proposed legislation also includes changes to how long a health care provider has to submit a claim for reimbursement. Facility claims must now be submitted within one year from the date of service, which may impact our ability to recoup funds for services we have provided. In addition, CMS has now been given the authority to suspend payments during a pending fraud investigation. PPACA also includes changes to how health care providers should address overpayments.
Historically there has been no express duty to refund innocent overpayments. However, the PPACA now imposes an express duty to refund and report overpayments 60 days after the overpayment is identified or when the cost report is due. The failure to report and return may lead to False Claims Act liability. Taken together, these provisions clearly signal the government's intention to aggressively pursue and prevent fraudulent and abusive activities and to maximize recovery when overpayments are identified. While these changes will not materially change the approach the X uses to identify and address potential compliance risks, the new legislation will further increase the risk level of any non-compliance with the applicable regulations.
CONFLICTS OF INTEREST
The new PPACA legislation also includes the Physician Payment Sunshine provisions, which require drug, medical device, biological and medical supply manufacturers to disclose direct payments or transfers to physicians and teaching hospitals that are $10 or more (or total over $100 in a calendar year). It also requires those manufacturers to disclose any non-public ownership or investment interests of physicians and their immediate family members in the manufacturers. Those reporting requirements do not take effect until March 31, 2013 and the information will be available online to the public. Also, many states already have proposed or passed similar laws regarding physician financial relationships, including New York and New Jersey.
In order to address this issue, the X recently revised its Gifts policy to make it more stringent. In essence, the new policy is a “no gifts” policy and allows physicians to serve as consultants to health care manufacturers only under appropriate circumstances. In addition, the X has recently implemented a more robust electronic conflict of interest reporting form that our physicians and key employees will be required to fill out on an annual basis and update as appropriate throughout the year.
UNITED STATES SENTENCING COMMISSION - FEDERAL SENTENCING GUIDELINES
Federal law enforcement authorities will often refer to the Federal Sentencing Guidelines (Guidelines) when determining whether to criminally prosecute an organization at the conclusion of a criminal investigation or to pursue the organization on civil grounds. Certain provisions of the Guidelines contain specific compliance plan guidelines that are generally regarded as the template on which effective corporate compliance programs are based. In fact, the OIG based its Compliance Guidance for health care providers on these Guidelines.
The Guidelines are also likely to be considered by corporate governance regulators and private plaintiffs in determining whether to pursue the members of a governing board for breaches of their fiduciary duties to oversee the compliance plan. For these reasons and others, these Guidelines are generally recognized as the benchmark of an "effective" organizational corporate compliance plan. In April 2010, the United States Sentencing Commission proposed amendments to the Guidelines, which went into effect in 2010, to further strengthen the role of the compliance officer. In short, the new amendments make clear that in order for a corporation to be eligible to receive a reduced sentence it also must have in place the following at the time of a potential criminal act:
- The compliance officer should have a "direct reporting obligation" to the board or subgroup thereof (e.g., the compliance or audit committee);
- The compliance program detected the criminal conduct before it was discovered or was reasonably likely to be discovered outside of the organization (i.e., by regulators);
- The organization promptly reported the offense to the federal government;
- No corporate compliance officers were involved with, condoned or were willfully ignorant of the criminal offense; and,
- The organization conducted an assessment of its existing compliance program, including modifications to the program as may be appropriate to prevent the occurrence of similar conduct.
The amendment specifically refers to the use of outside professional advisors to ensure the adequacy of the assessment efforts. Also, the Commentary to this amendment defines "direct reporting obligation" as one which provides the compliance officer with express authority to communicate personally with the governing authority: (1) promptly on any matter involving criminal or potential criminal conduct; and, (2) no less than annually on the implementation and effectiveness of the organization's compliance plan.
The X already has in place reporting measures that meet the intent of these Guidelines. However, X from the State also recently recommended that the compliance officer provide an in-person presentation to the full board at least on an annual basis. We will implement this reporting in 2021. These changes are a reminder of the federal government’s focus on enhancing governance controls in organizations.
KEY 2021 REIMBURSEMENT CHANGES
There have been a number of key reimbursement changes which can impact compliance initiatives. Below is a summary of some of them which Corporate Compliance will be evaluating as part of its 2021 risk assessment.
2011 Signature Requirements for Laboratory Requisitions
In the new Medicare physician fee schedule, effective starting with dates of service January 1, 2011, a physician’s or appropriate Non-Physician Practitioner’s signature will be required on lab requisitions for tests paid under the clinical lab fee schedule. CMS also clarified that a requisition form does not need to be completed if the appropriate documentation is available in the patient’s medical record.
This change is different from the previous guidance which stated that a physician signature for laboratory requisitions was not required. Compliance plans to conduct a review of laboratory requisitions in the latter part of 2021.
2011 OPPS Physician Supervision Changes
On November 2, 2010, CMS issued the Final Rule for the calendar year 2011 Medicare payment updates for outpatient prospective payment system (OPPS) hospitals and ambulatory surgical centers (ASCs). As part of the Final Rule, CMS identified major changes to its physician supervision requirements for 2011. In order to bill for certain services, CMS requires that a non-physician have an appropriate amount of physician supervision depending upon the service and location of the facility. Corporate Compliance is helping prepare an education tool to ensure the appropriate individuals are aware of the new physician supervision requirements and X is conducting additional education on these new requirements.
2011 OPPS Changes for Critical Care Codes
The OPPS Final Rule contains a revised list of Critical Care services that can be billed to the federal health care programs as Critical Care services beginning in 2011. Any services performed that are not mentioned in CMS’ revised list are required to be reported separately. Corporate Compliance will verify with X to ensure appropriate education has been provided to our clinicians and billing staff on this topic.
2011 Inpatient Prospective Payment System (IPPS)
In the 2011 final IPPS rule, CMS published 121 new diagnosis codes, 12 new procedure codes, 11 deleted diagnosis codes, one deleted procedure code, nine revised diagnosis codes and three revised procedure codes. Of note, CMS also finalized a decision to downgrade acute kidney failure or injury (ICD-9-CM code 584.9) from a Major Complication/Comorbidity (MCC) to a complication and comorbidity (CC).
CMS is adding the following eight categories of conditions included on the Hospital Acquired Condition (HAC) list:
- Foreign object retained after surgery
- Air embolism
- Blood incompatibility
- Pressure ulcer stages III and IV
- Falls and trauma (including fracture, dislocation, intracranial injury, crushing injury, burn, and electric shock)
- Vascular catheter-associated infection
- Catheter-associated urinary tract infection
- Manifestations of poor glycemic control
Freeze for ICD-9-CM Code Updates
The ICD-9-CM Coordination & Maintenance Committee announced the decision to freeze ICD-9-CM codes prior to implementation of ICD-10 on October 1, 2013, making the last annual update to the ICD-9-CM manual effective October 1, 2011.
ICD-10 updates will also be halted until implementation in 2013 when minimal updates will be made to address new technologies and diagnoses. As a result, education for staff on new ICD-9-CM requirements has been minimized this year.
Medicaid Reimbursement for Outpatient Services
Medicaid transitioned the method for reimbursing providers for outpatient services, including hospital outpatient clinic services, from the old clinic rate payment system to the new Enhanced Ambulatory Patient Groups (E-APGs) similar to the Medicare APG reimbursement model. The full use of E-APGs for ambulatory care payments will be phased in over a four-year period. This change presents coding and code grouping challenges; codes that are grouped improperly could potentially affect reimbursement. Corporate Compliance has modified its audit work plan to include Medicaid outpatient service audits to begin in 2021.
Implementing New Coverage Authorized by MIPPA
The final rule with comment period implements several expansions of Medicare coverage that were required in the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), including pulmonary and cardiac rehabilitation. Effective Jan. 1, 2010, CMS is establishing OPPS payment for new, comprehensive pulmonary and intensive cardiac rehabilitation services furnished to beneficiaries with chronic obstructive pulmonary disease, cardiovascular disease, and related conditions.
Corporate Compliance will evaluate this topic to determine if it is an appropriate audit topic for this year’s Work Plan.
THE CMS MEDICAID INTEGRITY PROGRAM (MIP)
The MIP was established via the Deficit Reduction Act and substantially increased funding dedicated to Medicaid program integrity efforts. This program is the first national strategy to detect and prevent fraud and abuse in the history of the Medicaid program and efforts will yield significant savings to help sustain the program. Funding of $255 million will be allocated over five years (2016-2020) and $75 million annually beginning in 2021. CMS will implement this program through Medicaid Integrity Contractors (MICs). Audit targets include physicians, home health/skilled nursing, hospice, nursing facility/nursing home, renal dialysis, durable medical equipment, transportation/ambulance, labs/X-ray and pharmacy.
MIP is the first federal program created to conduct Medicaid provider audits. Its purpose is to provide program integrity support to the states, conduct post-payment audits of providers and identify overpayments. MIP is working with the State on joint Medicaid audit projects and is expected to target our state this year. To date, MIP has conducted X audits.
ZONE PROGRAM INTEGRITY CONTRACTORS (ZPICs)
CMS has consolidated the work of Medicare's Program Safeguard Contractors and Medicare Drug Integrity Contractors with new ZPICs. Nationally, there are a total of 7 zones with 3 contractors awarded to each Zone. The new contractors will be responsible for ensuring the integrity of all Medicare claims under Parts A and B (hospital, skilled nursing, home health, provider and durable medical equipment), Part C (Medicare Advantage health plans), Part D (prescription drug plans), and Medi-Medi (Medicare-Medicaid data matches). The advantages of consolidating these efforts include improved data and document information sharing, enhanced project and case tracking in the Federal Investigation Database, and enhanced fraud, waste and abuse leads. To help address this risk, X has invested in an internal data mining tool to help detect irregular coding and billing patterns.
MEDICARE ADMINISTRATIVE CONTRACTORS (MACs)
As required by section 911 of the Medicare Prescription Drug, Improvement and Modernization Act of 2003, CMS is replacing its current claims payment contractors (fiscal intermediaries and carriers) with new contract entities called Medicare Administrative Contractors (MACs). State home health and hospice claims will be processed through X. All Part A and Part B claims will be processed through X.
DATA MINING
The government utilizes sophisticated data mining tools to target health care providers whose claims are not in full compliance with all applicable regulations. Both the federal government and the State also plan to specifically invest millions of dollars to further ramp up their ability to effectively data mine aberrant claim patterns.
Corporate Compliance is currently working with a data mining software vendor that will provide the ability to effectively analyze large quantities of data. The goal of this analysis is to allow a heightened focus on identified risk areas that will be audited by optimizing existing resources. This product was implemented on X.
Data Mining Topics |
---|
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
Corporate Compliance plans to mine data related to OIG and State topics and conduct probe audits pertinent to data mining results. Corporate Compliance also identified potential risk areas in the grid to the right through data mining activities that will be audited in 2021. Prior and current audits have already addressed the majority of the items detected through internal data mining.
2020 HOTLINE TREND ANALYSIS SUMMARY: HELPLINE AND INTERNAL CASES
The Corporate Compliance HelpLine is an avenue by which individuals or interested parties may report any issue or question associated with any of the X’s policies, conduct, practices or procedures believed by the employee to be a potential violation of criminal, civil or administrative law, or any unethical conduct. Inquiries can be made via the HelpLine 24 hours a day, seven days a week. Individuals are encouraged to report any problem or concern either anonymously or in confidence via the HelpLine as they deem appropriate.
To date, the number of internal and HelpLine cases received in 2020 was slightly higher than last year. Over X reports were received through the HelpLine and by other means, including walk-ins, mail and telephone. This translates to a rate of approximately 10 calls per thousand System employees, which is above the national average. However, only X% of the employees surveyed knew how to contact the compliance office to report an issue. The grid describes the general categories of reports received in 2020. The largest number of issues arose in the category of X followed by X, X and X.
Category | Number of Calls | Percentage of Total |
---|---|---|
Billing and Coding Issues | X | X% |
Concern | X | X% |
COI | X | X% |
Discrimination or Harassment | X | X% |
Falsification of Contracts, Reports or Records | X | X% |
HIPAA | X | X% |
Human Subject Research | X | X% |
Improper Lobbying or Political Contribution | X | X% |
Inquiry | X | X% |
Misconduct or Inappropriate Behavior | X | X% |
Other | X | X% |
Patient Abuse/Physical | X | X% |
Patient Abuse/Verbal | X | X% |
Patient Care | X | X% |
Patient's Rights | X | X% |
PhRMA Code on Interactions with Healthcare Professionals | X | X% |
Physician Payment and Referral Concerns | X | X% |
Research or Educational Grant Misconduct | X | X% |
Staffing or Performance | X | X% |
Substance Abuse | X | X% |
Suggestion | X | X% |
Theft | X | X% |
Unauthorized/Fraudulent Use of Company Facilities/Equipment | X | X% |
Unsafe Working Conditions | X | X% |
Violation of Policy | X | X% |
Violence or Threat | X | X% |
ANNUAL MANDATORY COMPLIANCE TRAINING
In 2020, over X% of the X employees (including per diem employees) completed the annual mandatory compliance training program. Please note that a few facilities operate on a different training schedule due to internal reasons and their completion rates are estimated based upon past performance and data received to date this year. The program was created in-house and features the X’s Code of Ethical Conduct and X policies and procedures. This year the training highlighted X policy which won a national media award for its content. Among other topics, the X and X rules were also highlighted. In a survey that over X employees completed, approximately X% of the employees agreed or strongly agreed that the compliance training gave them a better understanding of the X’s Compliance program and found the training program effective.
The program includes broadcast news reports on compliance-related health care issues and an original video segment regarding X. New employees of the X are required to complete the Compliance online orientation program before or shortly after they commence work. A list of X employees who have not completed the annual compliance training has been provided to Human Resources to assess appropriate disciplinary action in addition to their managers reflecting this on their annual performance evaluations.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The enactment of the Health Information Technology for Economic and Clinical Health provisions of the American Recovery and Reinvestment Act (HITECH) has dramatically changed the landscape for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. HITECH included significant expansion of HIPAA Privacy and Security requirements to address concerns related to confidentiality in electronic health information storage and exchange. These provisions place new compliance obligations not only on covered entities, but also on their related business associates. HITECH includes provisions to dramatically increase penalties for violations to a maximum of $1,500,000 per violation per calendar year. In addition, the State has been given concurrent jurisdiction with the federal government to enforce HIPAA. This means that the number of enforcement actions under HITECH will likely increase.
The HITECH Act includes a requirement that covered entities must notify individual patients, and the Secretary of HHS in some cases, if unsecured protected health information is inappropriately disclosed and harm to the patient may result. The federal government is in the process of issuing new guidance to comply with the recent changes in the HITECH law. In response to these new legal requirements, Corporate Compliance has implemented a new policy regarding breach notification. As a result of the heightened enforcement environment and new law, the X has reviewed, streamlined and consolidated over X HIPAA policies and forms.
In 2020, the X will report a total of X HIPAA breaches to the Secretary of Health and Human Services to comply with its annual reporting requirement pursuant to the regulatory provisions of the breach notification law. In addition, the X will report a total of X breaches to the state in instances where the breach involved the potential compromise of a patient’s Social Security data. Examples of the breaches that occurred in the X include X, X, X, X, and X.
All of these breaches have been thoroughly investigated and managed in Corporate Compliance with the X Human Resources disciplinary procedures and supporting policies. Further education on the importance of the privacy and security of patient information and new X policies and forms to improve compliance with HIPAA regulatory requirements is ongoing. In addition, the X conducted several HIPAA audits in 2020 and will continue to do so in 2021 to further monitor this area.
COMPLIANCE POLICIES
Based on the gap analysis of compliance policies conducted last year, Corporate Compliance drafted and the X adopted a number of new and revised policies. Of greatest significance is the new “Gifts and Interactions with Industry Policy,” which represents a major change from the X’s previous policy. The policy bans all gifts, including food, from industry to X employees and places new restrictions on consulting arrangements between employees and industry. This policy became effective in May, 2020. The X also reviewed, streamlined and consolidated over thirty X HIPAA policies and forms. In 2021, Corporate Compliance will be reviewing all of its core compliance policies and Code of Ethical Conduct to ensure they are up to date.
OTHER REGULATORY TOPICS
The Joint Commission
X has a comprehensive Joint Commission readiness program. Software is utilized to track compliance for each facility with the standards identified in the Comprehensive Accreditation Manual for Hospitals: The Official Handbook.
Internal Revenue Service (IRS) Form 990
The IRS requires X to file a Form 990 annually. The Form 990 was revised to require full disclosure of all relevant business and family relationships of the members of X’s Board of Trustees. This information can be cross-referenced with other databases, such as the Secretary of State Corporation’s database. It is likely that the State and other enforcement agencies will use the Form 990 filings as an investigatory tool. In public statements, the State has placed particular emphasis on Board responsibility and liability for the actions of the institution. The information contained in the Form 990 also is available publicly on the Internet and elsewhere. In addition, the Form 990 information will continue to be a source of information for media investigations and stories.
Stark Law
The Stark Law, named after its key proponent Congressman Pete Stark (D-CA), prohibits physicians from referring Medicare or Medicaid patients for the provision of certain “designated health services” if the physician (or any member of the physician’s immediate family) has a financial relationship with the entity to which the patient is referred unless an exception is met. Under Stark, such a financial relationship may consist of an ownership or investment interest in or a compensation arrangement with the entity to which the patient is referred. Stark is often enforced in conjunction with other Federal laws, including the anti-kickback statute. Indeed, on March 24, 2009, the OIG narrowed the scope of its Self-Disclosure Protocol (“SDP”). The OIG will now no longer accept disclosure of a matter that involves only liability under the Stark law in the absence of a colorable anti-kickback statute violation. Sanctions for violating Stark can include denial of payment, mandatory refunds, civil monetary penalties and/or exclusion from the Medicare and/or Medicaid program. PPACA, the newly enacted federal healthcare legislation mentioned earlier, amended the Stark Law in several material respects. For example, the law added a new requirement to the In-Office Ancillary Services Exception for referrals of certain diagnostic imaging services, substantially limited the scope of the Whole-Hospital Exception permitting referrals to hospitals with which the referring physician has a financial relationship and required HHS together with the OIG to establish a protocol for health care providers to self-disclose actual or potential violations of the Stark Law.
The X has mitigated its risk for potential Stark violations by initiating a number of policies and committees to address Stark-related issues such as appropriate physician compensation. In 2020, X continued to streamline its processes to ensure that all X facilities such as X have similar processes that follow the same general procedures as X.
This law presents a significant risk to the organization because it is a strict liability law and therefore the government does not need to prove intent. The government would only need to show that X did not technically meet all of the requirements of a Stark exception for liability to attach. The most recent example of the government’s enforcement focus on Stark and anti-kickback laws was a 2020 settlement where the Department of Justice collected $108 million from an Ohio hospital for unlawful payments to physicians in exchange for cardiac patient referrals. In 2020, we anticipate an increase in whistleblower lawsuits on Stark issues with an accompanying increase in government enforcement. As a result, Corporate Compliance will continue to work with Faculty Practice and Legal to evaluate additional controls to monitor this area.
Quality
In 2020, Corporate Compliance continued its efforts to exchange knowledge regarding issues of mutual interest with the X’s Quality departments. Both the federal government and the State reemphasized this year that a principal enforcement focus will be on the quality of patient care. The Compliance Directors attend the quality meetings at their respective facilities on a regular basis and a representative from Corporate Compliance attends the monthly X quality meeting. Corporate Compliance also receives and reviews monthly reports from X Quality.
Manny’s Law
State Public Health Law Section 2807-k (Manny’s Law), effective January 2007, requires all State hospitals to develop and administer a financial assistance program as a condition of receiving funding from the $847 million State Bad Debt and Charity Care, Indigent Care, and Disproportionate Share Pool in 2009. As a result, X revised its Financial Assistance Program Policy, implemented staff training in July 2017 and increased its patient notification channels. Compliance with Manny’s Law is one of the enforcement priorities of the State.
Qui Tam Lawsuits
In 1986, Congress amended the Federal False Claims Act. One of Congress’s objectives in modifying the Act was to encourage the use of qui tam actions in which citizens are authorized to bring lawsuits on behalf of the United States that allege fraud upon the government. The private citizen plaintiff in such a lawsuit is often referred to as a whistleblower and may potentially receive a significant share of any recovery of government funds. This provision has an enormous impact on healthcare investigations and settlements and presents a significant risk to X. For example, in 2003, the whistleblowers in the $1.7 billion HCA settlement received $151 million. In another qui tam settlement, Bristol-Myers Squibb agreed to pay $515 million. The Department of Justice estimates that almost half of the qui tam filings and more than half of the qui tam recoveries involve healthcare fraud. The United States Department of Justice recently announced it secured $3 billion in fraud recoveries under the False Claims Act for the previous fiscal year – the largest ever annual recovery of funds defrauded from the federal government. According to the Department of Justice, the total amount it has recovered since 1986 now stands at more than $27 billion. The State recently adopted its own version of the Federal False Claims Act. X official of the State is expected to vigorously enforce the State False Claims Act in 2021.
Fraud Enforcement and Recovery Act (FERA)
FERA was signed into law by President Obama on May 20, 2009. This statute expands liability under the False Claims Act (FCA) on those who make false statements or claims for reimbursement to the government. FERA also imposes liability on anyone knowingly retaining a government overpayment without regard to whether or not that entity used a false statement or claim to do so. In addition, FERA imposes liability for all false claims paid using government funds and expands the right of action for retaliation under the FCA.
The Emergency Medical Treatment and Active Labor Act (EMTALA)
EMTALA requires hospitals that receive Medicare funding and have an emergency department to provide an appropriate medical screening examination in the emergency department to any individual who requests one. The hospital must provide stabilizing treatment to individuals with emergency medical conditions. The OIG imposes strict penalties for violations of the Act, including fines and exclusion from the Medicare program. A $50,000 fine may be imposed for each EMTALA violation. To address this risk, Corporate Compliance is in the process of completing EMTALA audits throughout the X and will conclude this work in 2021.
Retaliation
Fear of retaliation is one of the principal reasons that employees fail to report ethics and compliance issues. According to a 2007 survey by the Ethics Resource Center, in the preceding twelve months, more than half (56%) of all employees surveyed observed conduct that violated company ethics standards, policy or law. Forty-two percent of the respondents said they do not report misconduct. Further, the survey found that only one in four companies has a well-implemented ethics and compliance program. Corporate Compliance evaluated whether X employees believe they can raise compliance issues without fear of retaliation. A recent 2020 survey that over X employees completed indicated that X% of these employees felt comfortable reporting potential compliance issues to management without fear of retaliation. In 2019, X implemented a non-retaliation policy to address this issue and since then, the HelpLine or compliance referrals have increased and continued to increase in 2020.
Gifts, Conflicts of Interest and Potential Kickback Issues
In 2019, the X made substantial revisions to its policy on Gifts and Interactions with Industry. The policy became effective in X and bans virtually all gifts from outside the X and places significant limits on receiving any form of compensation from industry unless it conforms to the requirements of the new policy. Corporate Compliance will be providing extensive training and information resources on the policy to employees, vendors and other individuals affiliated with the X. Gifts and other potential conflicts of interest can give rise to potential liability under the federal Anti-Kickback Statute, which prohibits the payment or receipt of any “remuneration” that is intended to induce the purchasing, leasing or ordering of any item or service that may be reimbursed, in whole or in part, under a federal health care program.
The federal government sharpened its focus on kickback-related issues and recently settled a number of substantial cases. For example, in September, 2009 the U.S. Department of Justice announced a settlement with Pfizer regarding, among other issues, alleged kickbacks Pfizer provided to physicians to induce them to prescribe Bextra and other drugs manufactured by the company. Although Pfizer denied the allegations, it paid $2.3 billion to the government to resolve the case.
In 2020, Corporate Compliance also significantly revised its employee conflicts of interest form to make it more comprehensive and moved to an electronic process to receive and store this data. The enhanced information we will obtain through this process should further help detect potential compliance issues in the future. Approximately X% of the applicable employees completed the conflicts of interest disclosure forms to date. Any noncompliant employee will be appropriately disciplined.
Identity Theft/Red Flags Rule
Medical identity theft occurs when a person seeks health care using someone else’s name or insurance information. The Federal Trade Commission (FTC) found that close to 5% of identity theft victims have experienced some form of medical identity theft. The FTC promulgated the Red Flags Rule which requires many health care providers to develop a written program and policy to spot the warning signs of identity theft. The program must identify the kinds of red flags that are relevant to our business; explain the process for detecting red flags; and, describe the X’s response to red flags in order to prevent and mitigate identity theft. In 2019, the X adopted a new policy entitled, “Identity Theft Prevention Program,” which became effective in May 2019. The X Compliance Directors are currently providing in-service training to registrars and other personnel directly affected by the new policy and Rule.
Notwithstanding, the U.S. Senate and House of Representatives passed similar bills this past month that may exempt physicians and possibly hospitals from the Red Flag requirements.
Research Initiatives
X will be addressing the identified government compliance research-related issues. Auditing and monitoring activities in relation to research initiatives will be conducted by X and Corporate Compliance will assist in some of these activities as required.
CONCLUSION
In conclusion, the compliance risk assessment indicates that the majority of compliance resources should be placed on X. X should continue to conduct audits at facilities in the areas of X. The compliance risk assessment also demonstrates the need to continue to audit X due to the potential financial impact on X and the increased government scrutiny despite a favorable historical auditing record.
In addition, the compliance risk assessment found that more resources should continue to be placed on creating a greater awareness of the Compliance Program including X. Also, additional controls should be placed on X. To address these issues, the Work Plan has audits or compliance initiatives focused on X.
EXHIBIT A
SAMPLE KEY CORPORATE COMPLIANCE RISK ASSESSMENT RESOURCES
Sample Key Publications
State 2019 Annual Report
State 2019-2020 Audit Work Plan and Office of Inspector General Work Plan for Fiscal Year 2020
2021 OIG Work Plan
CMS 2021 OPPS Final Rule – Dated November 2, 2020, http://www.ofr.gov/OFRUpload/OFRData/2010-27926_PI.pdf
42 Code of Federal Regulations, Ch. IV (10-1-07), http://edocket.access.gpo.gov/cfr_2007/octqtr/pdf/42cfr482.22.pdf
HCPro – “CMS announces physician supervision requirements for 2011,” http://www.hcpro.com/HOM-258562-6962/CMS-announces-physician-supervision-changes-in-2011-OPPS-final-rule.html
“OPPS final rule and physician supervision” posted by Debbie Mackaman, 11/8/2010, http://blogs.hcpro.com/medicarefind/2010/11/opps-final-rule-and-physician-supervision/
American Health Lawyers Association Articles:
“CMS Issues 2011 Final Payment rules for HOPDs, ASCs, Physician Services & HHAs,” by Zachary Cohen, Nora Colangelo, Jacqueline Finnegan, Tracey Hubbell & Greg Smith. Dated 11/8/2010.
“CMS releases CY 2011 OPPS/ASC & Medicare Physician Fee Schedule Final Rules” by Davis Turner. Dated 11/8/2010.
Sample Key Interviews
Hospital A – Executive Director
Hospital B – Executive Director
Hospital C – Deputy Executive Director
Hospital D – Executive Director and Associate Executive Director
Hospital E – Executive Director
Hospital F – Executive Director and Associate Executive Director
Facility A – Executive Director
Facility B – Deputy Executive Director
Hospital G – Executive Director
Faculty Practice Plan – Vice President Corporate Finance
Chief Administrative Officer
Chief Medical Information Officer
Chief Financial Officer
Chief Operating Officer
Chair, Board of Trustees – Audit and Corporate Compliance Committee
Administrator, Research Compliance
President and Chief Executive Officer
Chief Risk Officer
Hospital I – President and CEO, COO, Executive VP, CFO, VP, Chief of Staff, Executive VP, Administrator, VP Quality/Risk Management
Corporate Quality – VP, Clinical Excellence and Quality
Corporate Internal Audit
Home Care:
Lab: CFO
Hospice: CEO, CFO, HR/Compliance Officer CIO