Compliance plan offers help, poses dilemmas
Compliance plan offers help, poses dilemmas
Too many sticks and not enough carrots
The federal government's model compliance plan for hospitals offers another tool for risk managers and other administrators struggling to formulate a compliance plan, but it also suggests there may be difficult situations ahead if you ever discover your institution has overbilled or committed other types of fraud. The government offers incentives for voluntarily reporting your discovery as soon as possible, but you may find it difficult to decide when those incentives are enough.
The model compliance plan was released recently by the U.S. Department of Health and Human Services' Office of the Inspector General (OIG). The long-awaited plan clarifies the agency's requirement that fraud be reported within 60 days, indicating that your institution will suffer a much smaller fine if you report the problem sooner rather than later. That's a strong incentive, but some risk managers say quick reporting might be difficult in some situations.
Time limits are short
Titled "The Compliance Program Guidance for Hospitals," the plan states that health care organizations should notify the government within 60 days of finding "credible evidence" of wrongdoing but after conducting a "reasonable inquiry" to determine the validity of that evidence. And in some situations, the OIG provides a reason to report the problem even sooner: If you report a False Claims Act violation within 30 days of learning of credible evidence, you will face double instead of triple damages.
On the whole, the OIG time limits are workable, says Karen Duke, JD, vice president for legal services with Promina in Atlanta. She says the 60-day requirement is a welcome change from the 30-day reporting requirement in the earlier drafts of the plan, and she calls the penalty reduction offer a substantial incentive for quick reporting. Still, she expresses some concern over whether institutions will be able to meet those time restrictions, especially the 30-day limit, in all instances.
"I think in most cases, the 30 days, and certainly the 60 days, will give you enough time to do a good investigation and get everything in order before you go to the government with this information," she says. "But in some cases, I can see that maybe your investigation is taking longer and you really have to push hard to make those time limits. Then you're faced with maybe having to hand over that information just to meet the deadline, whether you think it's ready or not."
That dilemma may be more likely when you're trying to make the 30-day cutoff to lessen your potential penalty; you may find yourself weighing competing interests, Duke says. On one hand, you need to get that report to the government immediately to save your institution a substantial amount of money. On the other hand, you risk exposing yourself to further penalties and even criminal prosecution if you turn in a report that isn't complete or adequately analyzed.
"I know the government says prompt reporting will demonstrate the hospital's good faith, and it's considered a mitigating factor in determining the sanctions imposed on you, and the government expects you to turn over all evidence of what happened and how it happened," Duke says. "But this is fraught with questions of how to do that and still protect our clients' best interests."
Risk manager has role in weighing options
When such difficult situations arise, the risk manager's role should involve acting as a liaison between the compliance committee and legal counsel, as well as actively assessing the risks posed by the different options. (In some situations, the risk manager will be the compliance officer, in which case the risk manager will take on much more responsibility for making the final decisions about how to proceed.) In particular, the risk manager should inform the committee of potential risks of voluntarily reporting the wrongdoing within the 30-day and 60-day time frames. And remember, the government's compliance plan is voluntary; it may not be wise to miss those deadlines, but there are no hard and fast requirements to report so quickly if you decide it would be unwise to do so.
One main reason you might encourage your compliance committee to hesitate before reporting is to avoid inadvertently making all the information discoverable. The question is tricky because it depends on your state's laws, but Duke says it's clear that reporting your institution's wrongdoing to the OIG sometimes can wave the attorney/client privilege and make all of the information discoverable. And that's a scary thought when you consider that criminal penalties against individual administrators are possible.
"Even if you try to make it a limited disclosure, some courts have ruled that that means you forfeit all privilege concerning the case," she says. "So it's a very problematic area. It's a huge issue for hospitals."
Because there is no one solution for all states or all situations, Duke stresses the need to get your institution's legal counsel involved from day one. From the very first day you hear of a potential violation, you should inform your legal counsel so they can direct the investigation.
"Then you'll at least have a prayer that the results of that investigation are protected under the attorney/client privilege," she says. "They might still not be, but it's a certainty that they're not if you don't have your legal counsel involved."
Legal counsel also should be involved in making decisions about whether to report evidence within 30 days and get a lower penalty or hang on to the information while the institution gets its ducks in a row. Duke suggests the risk manager might play an important role in those difficult situations by explaining to the rest of the compliance committee why a higher penalty might be preferable to reporting before the institution has completed its investigation and worked out its response.
Keep your attorneys upfront
That advice is underscored by Jerry Nye, MHA, vice president of the Profile Group of MMI Companies, a risk management consulting firm in St. Paul, MN. Legal counsel is critical to ensuring the institution does not give up any rights unnecessarily. "This is not something you want to try to do on your own," he says.
"You want to discuss the timing, how to best represent the findings with the federal government. You need to keep the law firm involved in discussing the settlement with the third party, rather than trying to do it directly yourself."
The report to the OIG should emphasize that your findings are the result of an overall compliance program and you already are taking steps to correct the problem, Nye says. "You want to be able to demonstrate how you caught it, how you corrected it, and how you will monitor to make sure it doesn't happen again in the future. This is where legal counsel can help you represent all that in the best way to the payer."
Report serious wrongs, but look for patterns
All the issues surrounding confidentiality and attorney/client privilege raise the question of just what evidence of wrongdoing must be reported to the OIG. Even if you have the best intentions of complying with the law and reporting overbilling, for instance, should you report every little error you find? Duke and Nye say you should report any errors you feel are significant, which means just about all errors you find.
They also note, however, that you shouldn't worry that every report will generate huge penalties or the dilemmas possible in more complicated situations.
"If there is a serious, clear violation of the law, you absolutely have to come forward and voluntarily disclose. Otherwise, your problems will multiply, and the government will think you are trying to cover up," Duke explains. "But remember that they're looking for patterns of misconduct, rather than trying to nail you for one error. If there is a pattern of errors, like all of your pneumonias are upcoded or the miscoding is always in favor of the hospital or the physician, that pattern is what you should take very seriously."
Incorporate OIG's suggestions
Overall, Duke and Nye say the OIG's model compliance plan is a good outline for providers to use in developing their own more specific plans. It can't be followed exactly - it must be tailored to meet the individual needs of your organization - but the OIG certainly will be pleased to see that you incorporated its ideas.
Particularly when you have to report wrongdoing to the government, it will be helpful if your report includes information about how your overall compliance program has incorporated the elements outlined in the OIG's model, Nye says. The government won't expect your plan to match its plan exactly, but it will expect to see that yours is more than just a document.
"You can buy a compliance program and put it on a shelf and say you have one, but that doesn't really mean that you have one," he says. "You have to be able to show that your plan is not just sitting in a three-ring binder, that it's an active part of your organization."
Duke describes the model plan as "a glimpse into what the government is thinking about." Especially with the risk areas outlined by the OIG, she says it's useful to know where the government will be looking. (See box, p. 50, for the risk areas outlined by the OIG.)
"For sure, as a risk manager, I would look at those areas and see what policies and procedures I have in place to ensure compliance," she says. "If there is a void there, I'd put policies and procedures in. But don't put something in place that is not realistic and workable. It's worse to have a policy in place that is not followed than to not have one at all."
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.