Healthcare Compliance Forms and Tools

Professional Fee Reaudits

Compliance will reaudit physician reviews conducted by [MONTH] in [YEAR] and [NEXT YEAR] to ensure coding and billing compliance. These reviews will focus on audits resulting in a financial error rate (FER) of more than five percent and audits where there was no FER.

Physician Supervision Requirements

CMS identified changes to its physician supervision requirements for [YEAR]. These requirements will be reviewed, if applicable, for every professional fee audit performed in [YEAR].

Nonphysician provider services (Incident-To)

As stated in the Medicare Claims Benefit Manual, “incident to a physician’s professional services means that the services or supplies are furnished as an integral, although incidental, part of the physician’s personal professional services in the course of diagnosis or treatment of an injury or illness.”^[1] A physician may have the services of certain nonphysician practitioners covered as services incident to a physician’s professional services. Compliance will review incident-to services, if applicable, for every professional fee audit performed in [YEAR].

Physicians at Teaching Hospitals (PATH)

Compliance will assess the compliance with rules governing PATHs. In 2021, CMS issued revised regulations regarding the PATH coding and billing rules. The focus of these reviews will be to determine whether teaching physicians are documenting appropriately in support of Medicare billing for their services when medical residents were involved in the care of their patients. Compliance will review teaching physician guidelines, if applicable, for every professional fee audit performed in [YEAR].

New Patient Visits

As per the DCS RAC, Issues Under Review List, Issue # A000072009, “Providers should not bill new patient Evaluation and Management services on the same beneficiary within a 3-year period of time. Therefore, an issue may exist when multiple new patient E&M services are reimbursed under Medicare Part B inside of this time frame.” Compliance will review Current Procedural Terminology (CPT) codes 99201–99205 (New Outpatient/Office Visits) through data mining to ensure correct billing and coding within the new patient three-year time frame.

High-Volume Providers by Specialty

Through the process of internal data analysis, Compliance will identify certain physicians who potentially billed excessive services. Compliance will review the physicians’ documentation to determine whether services billed were medically necessary and supported by documentation.

Captive PCs

Compliance in coordination with [X] will review various services billed by physicians within certain physician corporate entities (i.e., captive PCs).

Evaluation and Management (E/M) Services Provided During Global Surgery Periods

Compliance will review claims submitted by physicians and reimbursed during the global surgery period. Under the global surgery fee concept, physicians bill a single fee for all of their services that are usually associated with a surgical procedure and related E/M services provided during the global surgery period.

Compliance will also review the appropriateness of the use of certain claims modifier codes during the global surgery period and determine whether Medicare payments for claims with modifiers used during the global surgery period were in accordance with Medicare requirements. Prior OIG work has shown that improper use of modifiers during the global surgery period resulted in inappropriate payments.

Sleep Testing: Appropriateness of Medicare Payments for Polysomnography

Compliance will review the appropriateness of payments for sleep studies. Sleep studies are reimbursable for patients who have symptoms such as sleep apnea, narcolepsy, or parasomnia in accordance with the CMS’s Medicare Benefit Policy Manual.^[2]

Medicare Payments for Part B Claims with G Modifiers

Compliance will review payments for claims on which providers used certain modifier codes indicating that a denial was expected. Providers may use GA or GZ modifiers on claims they expect Medicare to deny as not reasonable and necessary. (See CMS’s Claims Processing Manual.) They may also use GX or GY modifiers for items or services that are statutorily excluded.

Medicare Part B Payments for Home Blood Glucose Testing Supplies

Compliance will review Part B payments for home blood glucose test strips and lancet supplies to determine their appropriateness. The local coverage determinations (LCD) issued by the four durable medical equipment (DME) Medicare administrative contractors require that the physician’s order for each item billed include certain elements and be retained by the supplier to support billing for those services. Further, the LCDs require that the supplier add a modifier code to identify whether a patient is treated or is not treated with insulin. The amount of supplies allowable for reimbursement differs depending on the applicable modifier.

Physicians: Impact of Opting Out of Medicare

Compliance will verify whether any of our employed physicians are opting out of Medicare and determine whether physicians who have opted out of Medicare are submitting claims to Medicare. Physicians are permitted to enter into private contracts with Medicare beneficiaries. As a result of entering into private contracts, physicians must commit that they will not submit a claim to Medicare for Medicare beneficiaries with whom they have contracted.

Data Mining Review

Compliance is evaluating additional tools that could be used to more effectively evaluate physician’s compliance with the applicable coding rules. If an additional data mining tool is implemented, Compliance will conduct coding reviews based upon the available data.

Place-of-Service Errors

Compliance will review physicians’ coding on Medicare Part B claims for services performed in hospital outpatient departments to determine whether they properly coded the places of service. Federal regulations provide for different levels of payments to physicians depending on where services are performed.^[3] Medicare pays a physician a higher amount when a service is performed in a nonfacility setting, such as a physician’s office, than it does when the service is performed in a hospital outpatient department.

Evaluation and Management Services: Potentially Inappropriate Payments

Compliance will assess the extent to which CMS made potentially inappropriate payments for E/M services and the consistency of E/M medical review determinations. We will also review multiple E/M services for the same providers and beneficiaries to identify electronic health record documentation practices associated with potentially improper payments. Medicare contractors have noted an increased frequency of medical records with identical documentation across services. Medicare requires providers to select the code for the service based upon the content of the service and have documentation to support the level of service reported.^[4]

Part B Imaging Services: Medicare Payments

Compliance will review Medicare payments for Part B imaging services to determine whether they reflect the expenses incurred and whether the utilization rates reflect industry practices. Physicians are paid for services pursuant to the Medicare physician fee schedule, which covers the major categories of costs, including the physician professional cost component, malpractice costs, and practice expense. Practice expenses include office rent, wages of personnel, and equipment.^[5] For selected imaging services, we will focus on the practice expense components, including the equipment utilization rate.

Medicare Brachytherapy

Compliance will review brachytherapy, a form of radiotherapy where a radiation source is placed inside or next to the area requiring treatment, to determine whether the payments are in compliance with Medicare requirements.

Inpatient Rehabilitation Facility Reaudits

In [YEAR], the main objective of these audits will be to determine whether the level of services provided is reasonable and necessary; the documentation within the medical record adequately supports the medical necessity.

Provider-Based Clinics (Medicare)

Since the beginning of the Medicare program, some hospitals have operated as single entities while owning and operating multiple provider-based departments, locations, and facilities that were treated as part of the main hospital for Medicare purposes. Compliance will review the documentation and billing of professional and technical facility services rendered in these clinics.

School-Based Clinics

Compliance will review the documentation and billing of professional and technical facility services rendered in school-based clinics.

Durable Medical Equipment

In accordance with the OMIG work plan, Compliance will review DME and other supply claims submitted by selected providers to determine compliance and ensure that the equipment and/or supplies were properly authorized, the products were delivered, and the claim amount falls within Medicaid payment guidelines. Compliance will also conduct medical reviews of high-ordering DME physicians to support the need for the DME and to determine whether the targeted providers had seen and treated the recipients on the date of service or during the six-month period prior to the DME date of service. We will also review the compliance of suppliers of DME, prosthetics, orthotics, and supplies (DMEPOS) with Medicare requirements for frequently replaced DME supplies to determine whether payments for such supplies met Medicare requirements.

MS-DRGs Gastrointestinal Disorders

As discussed in the DCS, RAC Issues Under Review, Issue # A000962010, MS-DRG validation requires that diagnostic and procedural information and the discharge status of the beneficiary, as coded on the hospital claim, matches both the attending physician description and the information contained in the medical record. Compliance will validate MS-DRGs 332-334, 338-349, 368-370, and 374-395 for diagnoses and procedures affecting the MS-DRG assignment. Compliance will also review “present on admission and discharge” status code indicators for every MS-DRG audit.

Clinical Social Worker (CSW) Services

As discussed in the DCS, RAC Issues Under Review, Issue # A000222009, CSW services rendered during an inpatient acute care or skilled nursing facility stay are not separately payable under Medicare Part B; instead, they are included in the facility’s Prospective Payment System (PPS) payment. CSW providers are expected to render services under arrangement with the facility. Therefore, an issue may exist when a beneficiary received CSW services during an inpatient stay that have been billed and reimbursed under Medicare Part B. Compliance will review both the professional and facility component of these services.

Acute Care Hospital Inpatient Transfers to Inpatient Hospice Care

Compliance will verify with hospice that Medicare claims for inpatient stays for which the beneficiary was transferred to hospice care and examine the relationship, either financial or common ownership, between the acute care hospital and the hospice provider, as well as how Medicare treats reimbursement for similar transfers from the acute-care to other settings. Regulations at 42 C.F.R. § 412.2 state that inpatient PPS payments to hospitals for inpatient stays are payments in full for hospitals’ operating costs. If potential noncompliance is detected after verification, Compliance will conduct an audit accordingly.

Outpatient Dental Claims

Compliance will review Medicare hospital outpatient payments for dental services to determine whether payments for dental services were made in accordance with Medicare requirements.

End-Stage Renal Disease (ESRD): Bundled Prospective Payment System for Renal Dialysis Services

Compliance will review renal dialysis services under the new bundled ESRD PPS for renal dialysis services. CMS is establishing a case mix–adjusted bundled PPS for renal dialysis services beginning January 1, 2020. The ESRD PPS, to be phased in over four years, will replace the basic case mix–adjusted composite payment system and the methodologies for reimbursement of separately billable outpatient ESRD services, and combines the payments for composite rate and separately billable services into a single payment.

Audiology Services

Compliance will review audiology services with a Healthcare Common Procedure Coding System (HCPCS) code of 92567, tympanometry, and HCPCS code 92568, acoustic reflex threshold services. CMS has focused prior reviews in this area of service.

Urgent Care Centers

Compliance will review our urgent care centers to ensure compliance with coding and billing rules.

Home Health

Follow-up Reviews, Home Health

Compliance will conduct a follow-up review for home health based upon new industry guidance of areas to review.

Skilled Nursing Facilities and Hospice

Follow-up Reviews of Skilled Nursing Facilities and Hospice

Compliance will conduct a follow-up review for skilled nursing and hospice based upon industry guidance of areas to review.

Part B Billing for Hospice Patients

Compliance will review Medicare and Medicaid payments for Part B hospice patients to ensure compliance with coding and billing rules.

Laboratory

Trends in Laboratory Utilization

Compliance will review trends in laboratory utilization under the Medicare program. Medicare pays only for laboratory tests that are ordered by a physician or qualified nonphysician practitioner who is treating a beneficiary. We will examine the types of laboratory tests and the number of laboratory tests ordered.

Revise Exclusion Screening Policy

One of the state and OIG’s top priorities is to detect healthcare providers and suppliers that have been excluded from the federal and state healthcare programs. A hospital’s employment of an excluded provider or supplier can result in significant fines and penalties. As part of the Patient Protection and Affordable Care Act (PPACA), civil monetary penalties have been added to address excluded entities. Compliance will review its policy in this area to ensure it is robust.

Compliance Assessments of Medical Office Locations

Compliance will visit numerous medical office locations to conduct a general HIPAA and coding compliance assessment of various medical offices.

HIPAA Electronic Medical Record Access Audits

The HIPAA regulations require healthcare providers to conduct audits to help prevent employees from inappropriately accessing patient data. One of the areas of concern regarding HIPAA is the issue of employees accessing protected health information (PHI) of other employees, family members, or patients widely known in the community (i.e.,VIPs) without a clinical and/or business reason. Compliance will obtain a list of VIPs and/or employees that had an inpatient stay and will audit these employees’ medical records to determine whether other employees inappropriately accessed their records.

Implementation of HIPAA Monitoring and Detection Application

To further strengthen controls, Compliance is working with Information Services (IS) to obtain IS budget approval and assist in the implementation of an IS privacy breach detection application that systematically identifies users who are engaging in patient access patterns that are indicative of snooping, identity theft, or other risky behaviors.

Revise Certain Coding and Billing Policies

One of the areas the government continues to focus on is appropriate coding and billing for healthcare services. In [YEAR], Compliance will review certain coding and billing policy areas and suggest any applicable revisions.

Institutional COI Policy

Institutional conflicts of interest are of significant concern when financial interests create the potential for inappropriate influence over the institution’s activities, personnel, or resources. The risks of such conflicts include the possibility that the integrity and objectivity of the institution’s research may be threatened or may be perceived to be threatened. Compliance will formalize an appropriate policy to mitigate against such influences.

Compliance Committee Charters

[The organization] periodically refines certain compliance committees’ scope of responsibilities as the organization grows. Compliance will create or review and revise appropriately the applicable Compliance-related committee’s charters to ensure they reflect current practices.

Electronic Medical Record Compliance–Related Policies

Compliance will create compliance-related policies to further strengthen our controls with regard to our implementation of electronic medical records.

Revision of HIPAA Security Policies

In [LAST YEAR], Compliance reviewed all of the HIPAA privacy rule policies and made appropriate revisions. In [YEAR], Compliance in partnership with IS will conduct a review of the HIPAA Security Rule policies drafted by IS. In addition, the U.S. Department of Health & Human Services’ Office for Civil Rights will be issuing a final rule regarding additional modifications to HIPAA’s privacy standards. Compliance will consider any further revisions to our privacy policies as applicable.

Compliance Survey

Compliance will implement a compliance survey to obtain feedback from employees regarding various compliance topics such as training, retaliation, HIPAA, and the compliance helpline. Such surveys evaluate how well the compliance program is functioning and identify areas that can be strengthened.

New COI Tracking System

Compliance will move its electronic COI process over to a new application to streamline the process and save costs. This will allow Feinstein and Compliance to better partner to identify and publicly report applicable conflicts of interests on our website pursuant to new federal research regulations.

Audit of the Gifts and Interactions with Industry Policy

As part of the PPACA, the Physician Payments Sunshine Act provisions require drug and medical device manufacturers to publicly report gifts and payments made to physicians and teaching hospitals in [YEAR]. [The organization] recently enacted a more comprehensive “Gifts and interactions with industry” policy to mitigate vendor influence on our institution’s clinical decisions and to maintain a teaching environment free of vendor bias. Compliance will continue to audit applicable sections of the policy to ensure we are in compliance with our policy.

Review of Physician Practices Coding Procedures

Each year the government makes several coding changes that affect physician practices. Not adopting even one coding change can have a material financial impact on a physician’s practice. Compliance plans to survey various physician practices to ensure the physician practices are aware of the applicable coding changes and their procedures reflect all applicable regulatory updates.

Review Accounting of Disclosure Process

In accordance with HIPAA regulations, every patient has the right to request an accounting of disclosure of their protected health information. Compliance will identify and conduct a random survey of the business groups, including physician office locations, that release PHI and their processes to help ensure we are taking appropriate steps to comply with the existing and forthcoming regulation on this topic.

Code of Ethical Conduct Review

In [YEAR], Compliance had an outside consulting firm review our Code of Ethical Conduct. It received a top quartile ranking, but the consulting firm had a number of suggestions to further strengthen our Code of Ethical Conduct. Compliance will review and incorporate the applicable recommendations.

Employee Compliance Training Test Review

Compliance education is a key element of an effective compliance program. As part of annual compliance training, employees are required to complete a test and receive an appropriate score to ensure they understand key compliance areas. Compliance will analyze the test results to determine whether certain areas of training need to be further emphasized in the future and will consider further ways to strengthen its testing process.

New Employee COI Forms

Vendors will begin reporting any compensation over $10 they provide to physicians and teaching hospitals. All new employees fill out a COI form when they join our organization. However, this COI form is not as detailed as the annual COI disclosure form clinicians and key employees fill out each year. Compliance will work with Human Resources to determine a process whereby clinicians and key employees will fill out the same annual disclosure form upon employment to capture the appropriate data.

Professional Fee Data Mining

As the government continues to invest significant resources in sophisticated data mining tools, we need to continue to invest it robust data analytics to ensure we are appropriately coding and billing physicians’ reimbursement claims. Compliance will work with [X] to evaluate methods to strengthen its data mining capabilities regarding professional fee coding.

HIPAA Security Training Awareness

The federal government is placing more attention on healthcare providers’ security controls. Compliance will work with IS to strengthen its employee HIPAA security training.

New OMIG Hospital Compliance Program Guidance Review

OMIG is expected to release a final compliance program guidance for hospitals. Based upon a draft version, Compliance will assess the Health System’s performance under the anticipated new guidance and will evaluate appropriate ways to further strengthen our Compliance Program.

Government Investigations/Audit Policy

The government conducts numerous audit and investigatory inquiries at our facilities. In order to respond to such audits or inquires, it is critical that our staff know how to respond appropriately. Compliance will work to further memorialize our process in responding to such events and to provide education on this topic.

Code of Ethical Conduct Certifications

It is a best practice for employees upon employment to certify that they will comply and abide by their Code of Ethical Conduct. Compliance will work with Human Resources to verify that each new employee upon employment and annually thereafter certifies that they will comply and abide by the Code of Ethical Conduct.

Pharmacy Checklist Review

The state agency released additional guidance to assist healthcare providers in complying with applicable pharmacy-related regulatory requirements. Compliance will further review the state agency’s pharmacy checklist tool as applicable to ensure our applicable business units have appropriate controls to address the state agency’s guidance on this topic.

Medicaid Transportation Providers Checklist Review

The state agency released additional guidance to assist healthcare providers in complying with applicable transportation provider–related regulatory requirements. Compliance will review the state agency’s transportation checklist tool as applicable to ensure our applicable business units have appropriate controls to address the state agency’s guidance on this topic.

Business Associate Audits

In today’s environment, it is common for healthcare providers to outsource various business functions to vendors. Compliance will work with Procurement and Legal to identify all the applicable vendors that handle patients’ protected health information. Compliance will rank these vendors based upon a risk assessment grid and review certain high-risk vendors’ HIPAA practices to mitigate any potential risk.

Third-Party Billing Checklist Review

The state agency released additional guidance to assist healthcare providers in evaluating the regulatory requirements related to third-party billing companies. Compliance will review the state agency’s third-party billing checklist tool to ensure our applicable business units have appropriate controls to address the state agency’s guidance.

Marketing Analysis of Compliance Intranet Site

It is important to improve upon how we educate and communicate with our employees about compliance topics. Compliance will evaluate and trend the number of employees accessing its intranet site. After review, Compliance will implement measures to further improve the access and content of its intranet site.

Strengthen Compliance Public Web Page

Compliance will evaluate how to make the public compliance web page more accessible and will add additional educational content about our Compliance Program.

Additional COI Educational Resources

Compliance will create a frequently asked questions document to further guide employees on questions they may have regarding potential conflicts of interest.

HIPAA Control for Posting Public and Internal Data on Websites

In today’s social media environment, the risk of a patient’s health information inadvertently getting posted to an internal or external website has significantly increased. To mitigate this risk, Compliance will roll out a new educational initiative that will require the applicable employees to undergo additional privacy training to ensure they are careful when posting information to internal and external web sites.

Verify Compliance for Medicare Payments for the Drug Herceptin

Compliance will verify with Pharmacy and Finance that claims we submitted for the drug Herceptin were appropriately billed. For drug claims involving a single-use vial or package, if a provider must discard the remainder of a single-use vial or package after administering a dose/quantity of the drug or biological, Medicare provides payment for the amount discarded along with the amount administered, up to the amount of the drug or biological as indicated on the vial or package label. However, multiuse vials such as those used for supplying Herceptin are not subject to payment for discarded amounts of a drug or biological.^[6] Providers must bill accurately and completely for services provided.

Verify Compliance for Billing for Immunosuppressive Drugs

Compliance will verify with Pharmacy and Finance that Medicare Part B immunosuppressive drug claims are billed according to their Food and Drug Administration (FDA)–approved labels. We will also verify whether Medicare paid for immunosuppressive drugs that should not have been used in combination with other immunosuppressive drugs. Medicare Part B covers drugs that are not usually self-administered and are furnished incident to physicians’ services, such as immunosuppressive drugs.^[7]

The manual also states that use of such drugs must be safe and effective and otherwise reasonable and necessary, and that drugs or biologicals approved for marketing by the FDA are considered safe and effective for purposes of this requirement when used for indications specified on the labeling. Several FDA-approved labels for immunosuppressive drugs state that the drugs should not be used in combination with other immunosuppressive drugs.

Verify Compliance for Medicare Outpatient Payments for Other Drugs

Compliance will verify with Pharmacy and Finance that outpatient payments to providers for certain drugs and the administration of those drugs (e.g., chemotherapy, anemia) were appropriately billed for the correct amount of units.^[8] Providers must report units of service as the number of times that service or procedure was performed (ch. 5, § 20.2, and ch. 26, § 10.4). Compliance will also verify with Pharmacy and Finance that we bill appropriately for any drug overfill in accordance with the new CMS guidance on this topic.

Verify Medicare Inpatient Coding Education on New [YEAR] Codes

Compliance will verify with the applicable business departments that our staff has been educated on the applicable updates to the reimbursement billing codes for [YEAR].

IS HIPAA–Related Risk Assessments

Compliance will review applicable HIPAA security findings related to IS third-party audits that are being conducted at various health system facilities to satisfy a HIPAA Security Rule requirement. Compliance will assist as appropriate in any applicable corrective action plans.

Emergency Medical Treatment and Labor Act (EMTALA)

EMTALA continues to be an area of governmental concern. Corporate Compliance will continue to assess and reassess facilities’ compliance with EMTALA in [YEAR].