2021 Compliance Risk Assessment Resource Guide
Table of Contents
Executive Summary
Introduction
SWOT Analysis
2020 Financial Data
FY 2020–2021 OIG and State Work Plans
Corporate Compliance and Internal Audit Risk Assessment Interviews
Recent Prior Audits
Voluntary Disclosures
Government Audit Summary
Program for Evaluating Payment Patterns Electronic Report
Recovery Audit Contractor (RAC) Audits
Medicare Case Mix
Comprehensive Error Rate Testing (CERT)
Professional Fee Documentation and Billing
Corporate Compliance Non-Coding Initiatives
Office of the Medicaid Inspector General
The Patient Protection and Affordable Care Act (PPACA)
Conflicts of Interest
United States Sentencing Commission Federal Sentencing Guidelines
Key 2021 Reimbursement Changes
The CMS Medicaid Integrity Program (MIP)
Zone Program Integrity Contractor (ZPIC)
Medicare Administrative Contractors (MACs)
Data Mining
2020 Hotline Trend Analysis Summary: HelpLine and Internal Cases
Annual Mandatory Compliance Training
Health Insurance Portability and Accountability Act (HIPAA)
Compliance Policies
Other Regulatory Topics
Conclusion
Exhibit A
Executive Summary
A key objective of the Office of Corporate Compliance (Corporate Compliance) is to continuously reassess risk areas, reprioritize compliance projects that are most critical to the mission of the organization, and report compliance developments and compliance audit findings to the Board of Trustees’ Audit and Corporate Compliance Committee, the full Board of Trustees as appropriate, the Executive Audit and Compliance Committee, the Chief Executive Officer and other members of Senior Management.
Compliance risk is mitigated through internal review processes. Monitoring and auditing provide early identification of program or operational weaknesses and substantially reduce exposure to government or whistleblower claims. Although many assessment techniques are available, one effective tool is the performance of regular, periodic compliance audits by internal or external auditors.
The purpose of the 2021 Risk Assessment Guide is to briefly describe the various sources used by Corporate Compliance to identify and assess potential risk areas for the 2021 Corporate Compliance Work Plan. The planning process for this Work Plan is ongoing and dynamic. Corporate Compliance continually evaluates new data throughout the year to identify and reassess the likelihood of any potential risk to the organization.
Role of the Board of Trustees – Corporate Compliance
The role of the Board of Trustees is to oversee the management of the Compliance Program, to actively support the Compliance Program, and to ensure implementation of the Compliance Program’s activities. Corporate Compliance is charged with the operational responsibility for the Compliance Program, which includes designing and implementing tools and initiatives to sustain an effective compliance program.
Corporate Compliance has a finite amount of resources to focus on compliance matters each year. Accordingly, Corporate Compliance judiciously allocates its resources based on what the Board of Trustees and management believe to be the greatest compliance risks to the organization. In addition, new legal and compliance developments occur throughout the year that may require a refocusing of compliance priorities.
Methodology of 2021 Corporate Compliance Risk Assessment
The 2021 Compliance Risk Assessment used numerous internal and external resources to help determine which risk areas should be evaluated. Two important data resources are the United States Department of Health & Human Services (HHS) Office of Inspector General (OIG) FY 2021 Work Plan and the Office of Medicaid Inspector General (State) 2020-2021 Work Plans. Corporate Compliance uses these work plans, which provide road maps of the agencies’ planned audit activities. It is an industry standard for healthcare providers to review the OIG and State Work Plans annually and to evaluate their own entities for these potential risk areas.
For the 2021 risk assessment process, Corporate Compliance also conducted interviews with key departments and individuals to identify and assess potential risks throughout the organization. In addition, Corporate Compliance evaluated financial data for reimbursement trends, prior organization audit data, government data trends, state and federal enforcement agencies’ audit reports and regulatory notices, and internal surveys on various topics to identify other areas of potential risk.
Brief Summary of the Corporate Compliance Risk Assessment Analysis
Similar to our 2020 risk assessment, the Compliance Risk Assessment indicates that compliance resources should be placed on 42 issues as they remain at high or medium-high risk. Under the Federal-State Health Reform Partnership (F-SHRP), the State is mandated to generate $644 million in fraud and abuse recoveries in 2021, its highest financial target to date. In addition, as part of a recent state regulation, the organization is required to perform risk reviews and audits on facilities that bill over $500,000 in Medicaid billings. We anticipate that the State will audit the effectiveness of our compliance program.
The 2021 risk assessment places 42 issues at a high or medium-high risk.
This year the organization’s vulnerability with respect to ancillary services was moved from medium to medium-high as a result of current audits. In addition, the 2020 federal healthcare legislation places an emphasis on ancillary services and will require mandatory compliance programs for these services.
For 2021, inpatient billing is in the medium-high risk category since the volume within the organization is great and there is an increase in government audits and investigations, including the launch of new recovery audit contractor (RAC) audits. However, prior Corporate Compliance and government audits had not detected any significant audit findings in this area.
New service lines and other new businesses are listed as a separate area of risk because the organization has not had an opportunity to complete enough audits to fully assess its internal controls to mitigate potential billing errors.
Quality of care and medical necessity also remain a risk category because the government is devoting more enforcement resources in this area. Both federal and state regulators are moving toward quality-based audits, some of which already have resulted in multimillion-dollar settlements. These audits are focused on various quality issues, including medical necessity, such as whether a patient should be treated as an inpatient versus an outpatient. The organization is working on ways to further collaborate between quality and compliance to ensure that we are jointly monitoring quality-related issues.
Issues relating to physician financial arrangements remain a high-risk area because the law is a strict liability statute and the government continues to dedicate enforcement resources to reviewing physician arrangements. In 2020, the Department of Justice collected $108 million from an Ohio hospital for unlawful payments to physicians in exchange for cardiac patient referrals. The recently enacted healthcare legislation will make it even easier for the government to pursue Stark Law and Anti-Kickback Statute claims against healthcare providers.
In addition, the Compliance Risk Assessment found that more resources should continue to be placed on creating a greater awareness of the Compliance Program, including its policies related to privacy issues. In 2020, the organization had a number of privacy breaches despite employee education and awareness initiatives.
Please see the graph below to view the general risk areas. See the enclosed 2021 Corporate Compliance Work Plan to view the planned compliance and audit initiatives to address potential risks.
The purpose of this graph is to provide a visual depiction of high-risk issues that may affect the organization based on our analysis. The graph does not include all proposed audits, initiatives, or risks but provides a high-level overview of the compliance risks that may affect the organization.
Introduction
In order to have an effective Corporate Compliance Program, it is necessary to continuously assess risk, reprioritize compliance projects, and report compliance developments and audit findings to the Board’s Audit and Corporate Compliance Committee, the full Board of Trustees as appropriate, the Executive Audit and Compliance Committee, the Chief Executive Officer, and the General Counsel. This 2021 Risk Assessment Guide briefly describes some of the various sources used by Corporate Compliance to identify and assess potential risk areas. See Exhibit A for a listing of the primary resources consulted for this review.
SWOT Analysis
In 2020, Corporate Compliance assessed the resources available to ensure an effective compliance program at the organization. One of the assessment tools used was the Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis, depicted below. The primary weakness identified is employee awareness of the Compliance Program, including privacy. To address this risk, Corporate Compliance launched an awareness campaign to increase program awareness.
Other weaknesses identified by the Compliance Risk Assessment include ancillary service coding. To address this risk, Corporate Compliance instituted new monitoring activities in order to track and trend potential risk areas. In addition, the organization plans to implement the following measures: additional education to affected employees, additional monitoring activities, and additional audits to further mitigate this risk.
The primary threats identified demonstrate there are a number of external agencies that are likely to focus various audits at the acute care facilities. The amount of government resources dedicated to review organizations’ coding and billing continues to increase at an accelerated rate because of the new federal legislation. In addition, the government may continue to specifically focus on certain facilities because of past audits.
Despite these threats, the organization’s Compliance Program has continued to receive national awards as having the best compliance practices. The Compliance Program also has opportunities in the future to further improve upon its efforts. For example, we may improve throughput times to audit coding records and conduct HIPAA audits. In addition, we can continue to improve our transparency efforts by starting to build a compliance web portal.
2020 Financial Data
Analyzing the organization’s financial data is a key component of Corporate Compliance’s risk assessment process. We review inpatient and outpatient revenue trends, including net patient revenues and payer and case mix. For purposes of this guide, financial data is year-to-date from January 1, 2020, through and including October 31, 2020. Data is analyzed at the facility level for net patient revenues (net of provision for bad debt), payer mix, and case mix to determine potential external audit risk and allocation of Corporate Compliance Audit resources.
The organization’s tertiary centers receive the largest amounts of federal healthcare program revenues and therefore have a higher likelihood of being audited by government agencies. The community hospitals also receive a significant portion of their inpatient revenue from federal dollars. Clinics outside the four walls of the hospitals also have a high likelihood of being audited by state agencies. The organization will also focus its Medicaid-specific audits at facilities that bill over $500,000 of Medicaid revenue.
FY 2020–2021 OIG and State Work Plans
Two key resources are the OIG FY 2021 Work Plan and the State FY 2020–2021 Work Plan. Each year, these governmental agencies release audit Work Plans that provide a road map of their planned audit activities. It is an industry standard for healthcare providers to review the OIG and State Work Plans annually and to evaluate their own entities for these potential risk areas. Corporate Compliance reviewed these Work Plans and incorporated any applicable audit categories into its 2021 Work Plan.
Corporate Compliance and Internal Audit Risk Assessment Interviews
Corporate Compliance, along with Internal Audit (IA), performed interviews of key leaders with the goal of including these individuals in the overall risk evaluation and discussion. After completion of the interview phase, both Corporate Compliance and IA create individualized audit work plans that are shared between them before finalization to avoid audit overlap. Audit results are shared throughout the year between the departments.
Recent Prior Audits
Internal Corporate Compliance Audits Summary
The Corporate Compliance Audit Department conducted a total of 34 audits in 2020, not including investigatory audits. This is an increase from the 32 audits Compliance conducted in 2019. Of those audits, 30 were finalized and submitted to the Executive Audit and Compliance Committee and Senior Leadership. Status update reports of these audits are also shared with the Board of Trustees’ Audit and Corporate Compliance Committee on a quarterly basis. Four audits were started in 2020 but are still in the process of being finalized. These audits will be reported to the Executive Audit and Compliance Committee, Senior Leadership, and the applicable Board of Trustees’ committees during 2021. Audit topics were chosen based upon the 2020 Risk Assessment and included audits of faculty practice.
Corporate Compliance Audit also is responsible for various investigative audits that are requested by management or are referred through the Compliance HelpLine or other referrals. These audits are conducted throughout the year on an as-needed basis. All requests are evaluated and referred to the appropriate member of the audit team for review. In 2020, there were 12 investigative audits, a decrease from the 21 investigative audits in 2019. Ten of the 12 investigations are closed and resulted in no material findings.
During 2020, Corporate Compliance Audit’s findings were generally nonmaterial in nature and were communicated to key stakeholders. Corrective actions were recommended to the appropriate management, and any identified overpayments were refunded. In 2021, Corporate Compliance Audit plans on auditing more relevant potential risk areas through the use of data mining.
The graph above depicts the trend of audits from 2016 through 2020 for Part A, Part B, and Investigative audits.
Voluntary Disclosures
The OIG, State, and Medicare’s Fiscal Intermediaries have processes for healthcare providers to voluntarily disclose and rectify overpayments received. The benefits of self-disclosure include forgiveness or reduction of interest payments, extended repayment terms, waiver of penalties and/or sanctions, and possible preclusion of a subsequently filed State False Claims Act qui tam action based on the disclosed matter. As a result of the internal review processes and our proactive Corporate Compliance Program, the organization discovered a number of overpayments during 2020 that arose as a result of inadvertent incorrect billing, documentation problems, and other issues. The organization made voluntary disclosures to Medicare or Medicaid of X matters and repaid (or has proposed to repay) an approximate total of $2 million. This figure does not include items that are not routinely disclosed during our normal audit process.
Government Audit Summary
The organization continues to be audited by government agencies on a regular basis. In 2020, the number of government audits increased significantly, which is not a surprise given the vast amount of new resources the government has dedicated toward ensuring healthcare providers submit accurate claims to Medicare and Medicaid. The number of audits increased by over 20% when compared to 2019. The following grid depicts the status of all government audits at all facilities as of December 2020. Please note this grid does not include the recent RAC requests.
| Agency | # | Percent of Agency | Percent of Total |
|---|---|---|---|
| Medicare Audits | | | |
| OIG | X | X% | X% |
| CERT | X | X% | X% |
| NGS | X | X% | X% |
| DOH | X | X% | X% |
| CMS | X | X% | X% |
| NGS Pre Pay Probe | X | X% | X% |
| Sub Total - Medicare Audits | X | 100% | X% |
| Medicaid Audits | | | |
| State | X | X% | X% |
| AG | X | X% | X% |
| DOH | X | X% | X% |
| HMS/PCG | X | X% | X% |
| Sub Total - Medicaid Audits | X | 100% | X% |
| Total | X | 100% | |
Program for Evaluating Payment Patterns Electronic Report (PEPPER)
PEPPER is an electronic report available from the federal government containing hospital-specific data for target areas that have been identified as high risk for payment areas (i.e., specific diagnosis-related groups [DRGs] and discharges). It is suggested that anything above the 80th percentile or below the 20th percentile, as compared to National, State, and Jurisdiction (i.e., Regional) benchmarks, should be reviewed. The grid below identifies those areas for the organization. The outliers listed below are facility specific, and no trends were identified as organization-wide issues.
Even though a facility may be at or above the 80th percentile for a certain DRG, it does not mean the facility’s coding is inappropriate. A facility could have a higher ranking because of demographic or other environmental reasons. In 2019-2020, Compliance and Quality conducted audits in several of these areas.
FY 2020 PEPPER Report Summary
The grid above demonstrates that there are several areas that are above the 80th percentile and within or below the 20th percentile in comparison to the National, State, and Jurisdiction. Corporate Compliance will conduct data-mining activities in this area to ensure the potential risk areas are appropriately addressed.
Recovery Audit Contractor (RAC) Audits
RAC audits recently began after a long delay. Based on the RAC demonstration project (2005-2008), the Centers for Medicare & Medicaid Services (CMS) has identified Medicare payments that were not medically necessary and coded incorrectly for numerous hospitals.
The newly appointed RAC contractor began requesting charts from the organization for review this summer. To date, over 75 records have been requested. CMS-approved audit issues for our region include transfer of care, MS-DRG validation, durable medical equipment, and other services such as pharmacy supply and dispensing fees, clinical social worker services, urological bundling, and ambulance services. Currently, there are 71 approved issues listed by the RAC for review. The RAC also intends to audit physician documentation and billing in the future. In addition, the RAC plans to use its discretion to extrapolate its findings in certain cases. Extrapolation is the process that Medicare contractors use to estimate a total overpayment based on an audit of a relatively small subset of claims. As a result, even a relatively small finding could result in a potentially large overpayment in the future.
Moreover, the Patient Protection and Affordable Care Act (PPACA) also included the expansion of the RAC program to Medicaid claims. States must implement RACs for Medicaid and must use a contingency fee payment system. The original implementation deadline was December 31, 2020. A RAC vendor has not yet been selected to audit Medicaid claims but is expected to do so in 2021. This will be in addition to the Medicaid Integrity Contractors (MICs) that CMS already contracts with to audit Medicaid claims to ensure claims were appropriately coded and paid and the voluminous audits that the state conducts at our facilities.
Medicare Case Mix
The case mix index represents the complexity of a hospital’s patients’ cases and indirectly demonstrates the average level of care provided to its patients in a given time period. Case mix is an effective tool to help identify compliance trends, because when monitored over time, trends may indicate changes in coding practices, patient population, and services offered. The frequency of shifts should be minimal, and when a shift occurs, management response is required.
Corporate Compliance reviewed the Medicare case mix index. The case mix for a few of the organization’s facilities increased slightly in 2020.
Comprehensive Error Rate Testing (CERT)
The Comprehensive Error Rate Testing (CERT) program was initiated by CMS to achieve the agency’s mission to emphasize accountability, pay claims appropriately, and to provide a renewed focus on the customer. The program produces national, contractor-specific, and service-specific paid claim error rates, as well as a provider compliance error rate. The paid claim error rate is a measure of the extent to which the Medicare program is paying claims correctly. The provider compliance error rate is a measure of the extent to which providers are submitting claims correctly.
The program has independent medical reviewers periodically reviewing representative random samples of Medicare claims that are identified as soon as they are accepted into the claims processing system. The independent reviewers medically review claims that are paid. Claims that are denied are validated to ensure that the decision was appropriate.
Professional Fee Documentation and Billing
In 2019, Corporate Compliance identified professional fee documentation and billing as a high-risk area and hired an additional resource to help assist in monitoring faculty practice’s coding and billing. Also, a large number of new physicians will be joining the organization in 2021. As a result, additional physician documentation and billing audits will continue to be a high priority and a focus of the Corporate Compliance Work Plan based upon this and other factors. In addition, the organization has budgeted two additional full-time employees to be dedicated to conduct additional coding and billing audits to mitigate risk.
Physician Practice Acquisitions
In 2020, the organization acquired several physician office practices as part of its expansion of its service lines. When acquiring physician office practices, it is important to conduct appropriate due diligence to ensure that effective compliance controls exist. While the organization performs due diligence reviews during the acquisition process, it can be difficult to identify every compliance risk, especially with respect to billing and coding. Accordingly, the organization’s acquisition of physician office practices is a potential risk area.
Corporate Compliance Non-Coding Initiatives
Corporate Compliance spearheaded several noncoding initiatives in 2020 as part of its Work Plan. Among other items, these initiatives included reviewing X, creating additional controls to X, revamping X, launching additional compliance X, and implementing X. These initiatives helped to further enhance the organization’s Compliance Program.
Office of the Medicaid Inspector General
The core function of State is to conduct and supervise activities to prevent, detect, and investigate Medicaid fraud and abuse with the goal of assuring integrity in the Medicaid program. Fraud and abuse control activities are shared with a variety of state agencies, including, but not limited to, the Department of Health, the Office of Alcoholism and Substance Abuse, the Office of Mental Health, and the State Education Department. These agencies coordinate their work with the State Attorney General’s Medicaid Fraud Control Unit and the State Comptroller.
2019 State Annual Report
State leads the nation in Medicaid fraud, waste, and abuse prevention and detection, and serves as a role model for other states to emulate. For fiscal year 2019-20, the Legislature has established a goal of $870 million in state-share recoveries and cost avoidances for State, nearly three times the amount assigned in 2016-17.
To achieve this goal, State worked throughout the last year to develop accurate, reliable measures of cost avoidance and developed new techniques to identify potential for cost avoidance in every part of the agency and the Medicaid program.
State saved $1.61 billion “through cost-savings activities” last year, according to the agency's 2019 annual report, which also shows State exceeding a federal target to recover hundreds of millions of dollars in Medicaid funds as required under the F-SHRP agreement.
Under F-SHRP, State and other agencies are responsible for recouping “fraud and abuse” payments totaling $429 million in 2020 and $644 million in 2021. These recovery goals are in addition to targets set in the State budget for collection of back payments from responsible third-payers—targets that were recently increased by more than $150 million as part of the Deficit Reduction Plan.
The graph above depicts the percentage of statewide recoveries for fraud financial investigations, civil recoveries, provider audit recoveries, and system match recoveries.
The graph above depicts the top five categories for the 2019 provider audits.
The graph above depicts the top three categories for the State rate audits for 2019.
The graph above depicts the top five categories of the State’s activities related to system match and recovery.
State Work Plan
State has continued to take center stage in compliance initiatives as evidenced by the agency’s willingness to communicate their audit plans via frequent presentations given by the State, as well as other high-ranking officials within the agencies. Currently, the State website lists 2,692 final audit reports from August 2018 to present. In 2020 alone, there were 1,425 final audit reports posted.
On April 24, 2020, the agency released their 2020-2021 Annual Work Plan communicating audit initiatives for the next 12 months in their efforts to improve and preserve the integrity of the Medicaid program. This is the second annual work plan released since the agency was established in July 2006 as a formal state agency. For hospitals, among other items, the 2020–2021 plan demonstrates potential vulnerabilities relative to duplicate clinic claims, 90-day billing exception codes, DRG coding, payment for Medicare coinsurance and deductibles, medical record retention, and physician/hospital financial relationships.
To date, State audits of have not increased in comparison to 12 months ending December 31, 2019. Audit letters received during 2019 totaled 19, while 21 letters have been received year to date. The majority of these audits are focused on DRG coding, physician/hospital financial relationships, and duplicate clinic claims.
The State 2021 Work Plan was recently issued in December 2020. The 2021 Work Plan will be reviewed and adjusted to take into account any new potential risk areas.
State: Provider Compliance Programs
Effective October 1, 2009, State healthcare organizations for which Medicaid constitutes $500,000 or more of the provider’s annual business operations (considered “substantial” and defined as ordering, providing, billing or claiming $500,000 or more from Medicaid in a 12-month period), must have an “effective” compliance program and certify on an annual basis that the compliance program meets related statutory requirements. The effective compliance program requirement is also applicable to any state provider subject to the provisions of Articles 28 or 36 of the Public Health Law or Articles 16 or 31 of the Mental Hygiene Law, regardless of the amount of Medicaid business.
The State Mandatory Medicaid Compliance Program requirements are contained in New York Social Services Law §363-d and New York State Codes, Rules and Regulations Title 18, Part 521 (Provider Compliance Programs, or Part 521). Part 521 defines the entities to which the requirements apply (covered providers) and mandates that each covered provider’s compliance program include eight elements.
To prepare for any future audit regarding this regulation, Corporate Compliance prepared an analysis based upon guidance from State. A few areas of improvement were identified to further enhance the organization’s existing compliance structure.
State: Governance
State oversight of a hospital’s compliance program is the fiduciary responsibility of the governing body. The State’s new regulation stipulates that the employee vested with the day-to-day operations of the compliance program must report to the governing body and that the governing body must receive compliance education.
To facilitate compliance with governance requirements, our Compliance Program will ensure that the Board and the CEO are fully cognizant of their responsibilities. Currently, the Chief Corporate Compliance Officer reports to the Board of Trustees’ delegated committee (i.e., Audit and Corporate Compliance Committee) on a quarterly basis. The Chief Corporate Compliance Officer also provides a written report quarterly to the full Board of Trustees regarding the organization’s compliance matters. To further enhance our governance structure, we will now also report to the Quality Committee.
State: Quality of Care/Mandatory Reporting
To augment quality-related programs, the Compliance Program will help ensure that quality assessment systems are in place; that quality-related data is reported both internally and externally as needed; and that the facility engages in continuous, proactive quality improvement plans to address any gaps in the system or other areas of improvement. Quality provides Corporate Compliance with periodic reports to assess as part of its compliance efforts.
State: Credentialing
State laws and regulations, the CMS Conditions of Participation (COPs), and hospital accreditation standards require hospitals to conduct ongoing and continuous credentialing and competency reviews of clinical and nonclinical staff throughout the period of the staff member’s appointment and reappointment. The credentialing offices ensure that the required credentialing and staff-related processes are in place and functioning effectively. Corporate Compliance will verify and, if appropriate, conduct an audit in this area in 2021 to ensure compliance with these requirements.
The Patient Protection and Affordable Care Act (PPACA)
On March 23, 2010, President Obama signed into law the PPACA. This law increases the risk levels of all healthcare providers, including our X, given the vast amount of resources and enforcement weapons created by this bill. PPACA included approximately $300 million of new funding over six years to further supplement the government’s already large arsenal of enforcement resources.
One example of the new PPACA enforcement tools is the requirement that healthcare providers maintain mandatory compliance programs. The Secretary of HHS will be rolling out specific standards for various industries. Durable medical equipment and home health providers will likely be subject to this requirement because they were highlighted in PPACA as being high-risk areas.
Other new enforcement laws include enhanced screening requirements of applicants for enrollment, a requirement that physicians be enrolled in Medicare to order durable medical equipment or certify home health services, more expansive revisions to the Anti-Kickback Statute and False Claims Act, and new civil monetary penalties laws for new healthcare areas that are subject to fraud and abuse. There is also a plan to introduce a new bill to double the penalties for Medicare fraud, which are already significant in nature. This proposed legislation also includes changes to how long a healthcare provider has to submit a claim for reimbursement. Facility claims must now be submitted within one year from the date of service, which may affect our ability to recoup funds for services we have provided. In addition, CMS has now been given the authority to suspend payments during a pending fraud investigation. PPACA also includes changes to how healthcare providers should address overpayments.
The PPACA imposes an express duty to refund and report overpayments 60 days after the overpayment is identified or when the cost report is due. The failure to report and return may lead to False Claims Act liability. Taken together, these provisions clearly signal the government’s intention to aggressively pursue and prevent fraudulent and abusive activities and to maximize recovery when overpayments are identified. While these changes will not materially change the approach the X uses to identify and address potential compliance risks, the new legislation will further increase the risk level of any noncompliance with the applicable regulations.
Conflicts of Interest
PPACA also includes the Physician Payment Sunshine provisions, which require drug, medical device, biological, and medical supply manufacturers to disclose direct payments or transfers to physicians and teaching hospitals that are $10 or more (or total over $100 in a calendar year). It also requires those manufacturers to disclose any nonpublic ownership or investment interests of physicians and their immediate family members in the manufacturers. Those reporting requirements took effect March 31, 2013, and the information will be available online to the public. Also, many states already have proposed or passed similar laws regarding physician financial relationships, including New York and New Jersey.
In order to address this issue, the organization recently revised its Gifts policy to make it more stringent. In essence, the new policy is a “no gifts” policy and allows physicians to serve as consultants to healthcare manufacturers only under appropriate circumstances. In addition, the organization has recently implemented a more robust electronic conflict of interest reporting form that our physicians and key employees will be required to fill out on an annual basis and update as appropriate throughout the year.
United States Sentencing Commission Federal Sentencing Guidelines
Federal law enforcement authorities will often refer to the Federal Sentencing Guidelines (Guidelines) when determining whether to criminally prosecute an organization at the conclusion of a criminal investigation or to pursue the organization on civil grounds. Certain provisions of the Guidelines contain specific compliance plan guidelines that are generally regarded as the template from which effective corporate compliance programs are based. In fact, the OIG based its Compliance Guidance for healthcare providers on these Guidelines.
The Guidelines are also likely to be considered by corporate governance regulators and private plaintiffs in determining whether to pursue the members of a governing board for breaches of their fiduciary duties to oversee the compliance plan. For these reasons and others, these Guidelines are generally recognized as the benchmark of an “effective” organizational corporate compliance plan. In 2010, the United States Sentencing Commission enacted amendments to the Guidelines to further strengthen the role of the compliance officer. In short, the new amendments make clear that in order for a corporation to be eligible to receive a reduced sentence, it also must have in place the following at the time of a potential criminal act:
- The compliance officer should have a “direct reporting obligation” to the board or subgroup thereof (e.g., the compliance or audit committee);
- The compliance program detected the criminal conduct before it was discovered or was reasonably likely to be discovered outside of the organization (i.e., by regulators);
- The organization promptly reported the offense to the federal government;
- No corporate compliance officers were involved with, condoned, or were willfully ignorant of the criminal offense; and
- The organization conducted an assessment of its existing compliance program, including modifications to the program as may be appropriate to prevent the occurrence of similar conduct.
The amendment specifically refers to the use of outside professional advisers to ensure the adequacy of the assessment efforts. Also, the Commentary to this amendment defines “direct reporting obligation” as one which provides the compliance officer with express authority to communicate personally with the governing authority (1) promptly on any matter involving criminal or potential criminal conduct and (2) no less than annually on the implementation and effectiveness of the organization's compliance plan.
The X already has in place reporting measures that meet the intent of these Guidelines. However, X from the State also recommended that the compliance officer provide an in-person presentation to the full board at least on an annual basis. We will implement this reporting in 2021. These changes are a reminder of the federal government’s focus on enhancing governance controls in organizations.
Key 2021 Reimbursement Changes
There have been a number of key reimbursement changes that can affect compliance initiatives. Below is a summary of some of them that Corporate Compliance will be evaluating as part of its 2021 risk assessment.
2011 Signature Requirements for Laboratory Requisitions
Since January 1, 2011, a physician’s or appropriate Non-Physician Practitioner’s signature is required on lab requisitions for tests paid under the clinical lab fee schedule. CMS also clarified that a requisition form does not need to be completed if the appropriate documentation is available in the patient’s medical record.
This change is different from the previous guidance, which stated that a physician signature for laboratory requisitions was not required. Compliance plans on conducting a review of laboratory requisitions in the latter part of 2021.
2011 OPPS Physician Supervision Changes
On November 2, 2010, CMS issued the Final Rule for the calendar year 2011 Medicare payment updates for outpatient prospective payment system (OPPS) hospitals and ambulatory surgical centers (ASCs). As part of the Final Rule, CMS identified major changes to its physician supervision requirements for 2011. In order to bill for certain services, CMS requires that a nonphysician have an appropriate amount of physician supervision depending upon the service and location of the facility. Corporate Compliance is helping prepare an education tool to ensure the appropriate individuals are aware of the new physician supervision requirements, and the organization is conducting additional education on these new requirements.
2011 OPPS Changes for Critical Care Codes
The OPPS Final Rule contains a revised list of Critical Care services that can be billed to the federal healthcare programs as Critical Care services beginning in 2011. Any services performed that are not mentioned in CMS’s revised list are required to be reported separately. Corporate Compliance will verify with human resources to ensure appropriate education has been provided to our clinicians and billing staff on this topic.
2011 Inpatient Prospective Payment System (IPPS)
In the 2011 final IPPS rule, CMS published 121 new diagnosis codes, 12 new procedure codes, 11 deleted diagnosis codes, one deleted procedure code, nine revised diagnosis codes, and three revised procedure codes. Of note, CMS also finalized a decision to downgrade acute kidney failure or injury (ICD-9-CM code 584.9) from a Major Complication/Comorbidity (MCC) to a complication and comorbidity (CC).
CMS is adding the following eight categories of conditions included on the Hospital Acquired Condition (HAC) list:
- Foreign object retained after surgery;
- Air embolism;
- Blood incompatibility;
- Pressure ulcer stages III and IV;
- Falls and trauma (including fracture, dislocation, intracranial injury, crushing injury, burn, and electric shock);
- Vascular catheter-associated infection;
- Catheter-associated urinary tract infection; and
- Manifestations of poor glycemic control.
Freeze for ICD-9-CM Code Updates
The ICD-9-CM Coordination & Maintenance Committee announced the decision to freeze ICD-9-CM codes prior to implementation of ICD-10 on October 1, 2013, making the last annual update to the ICD-9-CM manual effective October 1, 2011.
ICD-10 updates were halted until implementation in 2013 when minimal updates were made to address new technologies and diagnoses. As a result, education to staff on new ICD-9-CM requirements this year has been minimized.
Medicaid Reimbursement for Outpatient Services
Medicaid transitioned the method for reimbursing providers for outpatient services, including hospital outpatient clinic services, from the old clinic rate payment system to the new Enhanced Ambulatory Patient Groups (E-APGs) similar to the Medicare APG reimbursement model. The full use of E-APGs for ambulatory care payments will be phased in over a four-year period. This change requires coding and code grouping challenges that, if grouped improperly, could potentially affect reimbursement. Corporate Compliance has modified the audit work plan to include Medicaid outpatient service audits to begin in 2021.
Implementing New Coverage Authorized by MIPPA
The final rule with comment period implements several expansions of Medicare coverage that were required in the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), including pulmonary and cardiac rehabilitation. Effective Jan. 1, 2010, CMS established OPPS payment for new, comprehensive pulmonary and intensive cardiac rehabilitation services furnished to beneficiaries with chronic obstructive pulmonary disease, cardiovascular disease, and related conditions.
Corporate Compliance will evaluate this topic to determine if it is an appropriate audit topic for this year’s Work Plan.
The CMS Medicaid Integrity Program (MIP)
The MIP was established via the Deficit Reduction Act and substantially increased funding dedicated to Medicaid program integrity efforts. This program is the first national strategy to detect and prevent fraud and abuse in the history of the Medicaid program, and efforts will yield significant savings to help sustain the program. Funding of $255 million will be allocated over five years (2016–2020) and $75 million annually beginning in 2021. CMS will implement this program through MICs. Audit targets include physicians, home health/skilled nursing, hospice, nursing facility/nursing home, renal dialysis, durable medical equipment, transportation/ambulance, labs/X-ray and pharmacy.
MIP is the first federal program created to conduct Medicaid provider audits. Its purpose is to provide program integrity support to the states, conduct post-payment audits of providers, and identify overpayments. MIP is working with the State on joint Medicaid audit projects and is expected to target our state this year. To date, MIP has conducted 15 audits.
Zone Program Integrity Contractors (ZPICs)
CMS has consolidated the work of Medicare's Program Safeguard Contractors and Medicare Drug Integrity Contractors with new ZPICs. Nationally, there are a total of seven zones with three contractors awarded to each zone. The new contractors will be responsible for ensuring the integrity of all Medicare claims under Parts A and B (hospital, skilled nursing, home health, provider, and durable medical equipment), Part C (Medicare Advantage health plans), Part D (prescription drug plans), and Medi-Medi (Medicare-Medicaid data matches). The advantages of consolidating these efforts include improved data and document information sharing; enhanced project and case tracking in the Federal Investigation Database; and enhanced fraud, waste, and abuse leads. To help address this risk, the organization has invested in an internal data-mining tool to help detect irregular coding and billing patterns.
Medicare Administrative Contractors (MACs)
As required by section 911 of the Medicare Prescription Drug, Improvement and Modernization Act of 2003, CMS is replacing its current claims payment contractors (fiscal intermediaries and carriers) with new contract entities called Medicare administrative contractors (MACs). State home health and hospice claims will be processed through X. All Part A and Part B claims will be processed through X.
Data Mining
The government uses sophisticated data mining tools to target healthcare providers whose claims are not in full compliance with all applicable regulations. Both the federal government and State plan to specifically invest millions of dollars to further ramp up their ability to effectively data mine aberrant claim patterns.
Corporate Compliance is currently working with a data-mining software vendor that will provide the ability to effectively analyze large quantities of data. The goal of this analysis is to allow a heightened focus on identified risk areas that will be audited by optimizing existing resources. This product was implemented on X.
Data Mining Topics |
---|
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
Corporate Compliance plans to mine data related to OIG and State topics and conduct probe audits pertinent to data-mining results. Corporate Compliance also identified potential risk areas in the grid through data-mining activities that will be audited in 2021. Prior and current audits have already addressed the majority of the items detected through internal data mining.
2020 Hotline Trend Analysis Summary: HelpLine And Internal Cases
The Corporate Compliance HelpLine is an avenue by which individuals or interested parties may report any issue or question associated with any of the X’s policies, conduct, practices, or procedures believed by the employee to be a potential violation of criminal, civil, or administrative law, or any unethical conduct. Inquiries can be made via the HelpLine 24 hours a day, seven days a week. Individuals are encouraged to report any problem or concern either anonymously or in confidence via the HelpLine as they deem appropriate.
To date, the number of internal and HelpLine cases received in 2020 was slightly higher than last year. Over X reports were received through the HelpLine and by other means, including walk-ins, mail, and telephone. This translates to a rate of approximately 10 calls per thousand System employees, which is above the national average. However, only X% of the employees surveyed knew how to contact the compliance office to report an issue. The grid describes the general categories of reports received in 2020. The largest number of issues arose in the category of X followed by X, X, and X.
Category | Number of Calls | Percentage of Total |
---|---|---|
Billing and Coding Issues | X | X% |
Concern | X | X% |
COI | X | X% |
Discrimination or Harassment | X | X% |
Falsification of Contracts, Reports or Records | X | X% |
HIPAA | X | X% |
Human Subject Research | X | X% |
Improper Lobbying or Political Contribution | X | X% |
Inquiry | X | X% |
Misconduct or Inappropriate Behavior | X | X% |
Other | X | X% |
Patient Abuse/Physical | X | X% |
Patient Abuse/Verbal | X | X% |
Patient Care | X | X% |
Patient’s Rights | X | X% |
PhRMA Code on Interactions with Healthcare Professionals | X | X% |
Physician Payment and Referral Concerns | X | X% |
Research or Educational Grant Misconduct | X | X% |
Staffing or Performance | X | X% |
Substance Abuse | X | X% |
Suggestion | X | X% |
Theft | X | X% |
Unauthorized/Fraudulent Use of Company Facilities/Equipment | X | X% |
Unsafe Working Conditions | X | X% |
Violation of Policy | X | X% |
Violence or Threat | X | X% |
Annual Mandatory Compliance Training
In 2020, over X% of the organization’s employees (including per diem employees) completed the annual mandatory compliance training program. Please note that a few facilities operate on a different training schedule due to internal reasons and their completion rates are estimated based upon past performance and data received to date this year. The program was created in-house and features the organization’s Code of Ethical Conduct and policies and procedures. This year the training highlighted X policy, which won a national media award for its content. Among other topics, the X and X rules were also highlighted. In a survey that over X employees completed, approximately X% of the employees agreed or strongly agreed that the compliance training gave them a better understanding of the organization’s Compliance Program and found the training program effective.
The program includes broadcast news reports on compliance-related healthcare issues and an original video segment regarding X. New employees of the organization are required to complete the Compliance online orientation program before or shortly after they commence work. A list of the organization’s employees who have not completed the annual compliance training has been provided to Human Resources to assess appropriate disciplinary action in addition to their managers reflecting this on their annual performance evaluations.
Health Insurance Portability and Accountability Act (HIPAA)
The enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions of the American Recovery and Reinvestment Act has dramatically changed the landscape for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules. HITECH included significant expansion of HIPAA Privacy and Security requirements to address concerns related to confidentiality in electronic health information storage and exchange. These provisions place new compliance obligations not only on covered entities, but also on their related business associates. HITECH includes provisions to dramatically increase penalties for violations to a maximum of $1,500,000 per violation per calendar year. In addition, the State has been given concurrent jurisdiction with the federal government to enforce HIPAA. This means that the number of enforcement actions under HITECH will likely increase.
The HITECH Act includes a requirement that covered entities must notify individual patients, and the Secretary of HHS in some cases, if unsecured protected health information is inappropriately disclosed and harm to the patient may result. The federal government is in the process of issuing new guidance to comply with the recent changes in the HITECH law. In response to these new legal requirements, Corporate Compliance has implemented a new policy regarding breach notification. As a result of the heightened enforcement environment and new law, the X has reviewed, streamlined, and consolidated over X HIPAA policies and forms.
In 2020, the X will report a total of X HIPAA breaches to the HHS Secretary to comply with its annual reporting requirement pursuant to the regulatory provisions of the breach notification law. In addition, the X will report a total of X breaches to the state in instances where the breach involved the potential compromise of a patient’s Social Security data. Examples of the breaches that occurred in the X include X, X, X, X, and X.
All of these breaches have been thoroughly investigated and managed in Corporate Compliance with the X Human Resources disciplinary procedures and supporting policies. Further education on the importance of the privacy and security of patient information and new X policies and forms to improve compliance with HIPAA regulatory requirements is ongoing. In addition, the X conducted several HIPAA audits in 2020 and will continue to do so in 2021 to further monitor this area.
Compliance Policies
Based on the gap analysis of compliance policies conducted last year, Corporate Compliance drafted and the organization adopted a number of new and revised policies. Of greatest significance is the new “Gifts and Interactions with Industry Policy,” which represents a major change from the organization’s previous policy. The policy bans all gifts, including food, from industry to the organization’s employees and places new restrictions on consulting arrangements between employees and industry. This policy became effective in May 2020. The organization also reviewed, streamlined, and consolidated over 30 HIPAA policies and forms. In 2021, Corporate Compliance will be reviewing all of its core compliance policies and Code of Ethical Conduct to ensure they are up to date.
Other Regulatory Topics
The Joint Commission
The organization has a comprehensive Joint Commission readiness program. Software is used to track compliance for each facility with the standards identified in the Comprehensive Accreditation Manual for Hospitals: The Official Handbook.
Internal Revenue Service (IRS) Form 990
The IRS requires the organization to file a Form 990 annually. The Form 990 was revised to require full disclosure of all relevant business and family relationships of the members of the organization’s Board of Trustees. This information can be cross-referenced with other databases, such as the Secretary of State Corporation’s database. It is likely that the State and other enforcement agencies will use the Form 990 filings as an investigatory tool. In public statements, the State has placed particular emphasis on Board responsibility and liability for the actions of the institution. The information contained in the Form 990 also is available publicly online and elsewhere. In addition, the Form 990 information will continue to be a source of information for media investigations and stories.
Stark Law
The Stark Law, named after its key proponent Congressman Pete Stark, prohibits physicians from referring Medicare or Medicaid patients for the provision of certain “designated health services” if the physician (or any member of the physician’s immediate family) has a financial relationship with the entity to which the patient is referred unless an exception is met. Under Stark, such a financial relationship may consist of an ownership or investment interest in or a compensation arrangement with the entity to which the patient is referred. Stark is often enforced in conjunction with other Federal laws, including the Anti-Kickback Statute. Indeed, on March 24, 2009, the OIG narrowed the scope of its Self-Disclosure Protocol (SDP). OIG will now no longer accept disclosure of a matter that involves only liability under the Stark Law in the absence of a colorable Anti-Kickback Statute violation. Sanctions for violating Stark can include denial of payment, mandatory refunds, civil monetary penalties, and/or exclusion from the Medicare and/or Medicaid program. PPACA amended the Stark Law in several material respects. For example, the law added a new requirement to the In-Office Ancillary Services Exception for referrals of certain diagnostic imaging services, substantially limited the scope of the Whole-Hospital Exception permitting referrals to hospitals with which the referring physician has a financial relationship, and required HHS together with OIG to establish a protocol for healthcare providers to self-disclose actual or potential violations of the Stark Law.
The organization has mitigated its risk for potential Stark violations by initiating a number of policies and committees to address Stark-related issues such as appropriate physician compensation. In 2020, the organization continued to streamline its processes to ensure that all facilities have similar processes that follow the same general procedures as the organization.
This law presents a significant risk to the organization because it is a strict liability law, and therefore the government does not need to prove intent. The government would only need to show that the organization did not technically meet all of the requirements of a Stark exception for liability to attach. The most recent example of the government’s enforcement focus on Stark and the Anti-Kickback Statute was a 2020 settlement where the Department of Justice collected $108 million from an Ohio hospital for unlawful payments to physicians in exchange for cardiac patient referrals. In 2020, we anticipate an increase in whistleblower lawsuits on Stark issues with an accompanying increase in government enforcement. As a result, Corporate Compliance will continue to work with Faculty Practice and Legal to evaluate additional controls to monitor this area.
Quality
In 2020, Corporate Compliance continued its efforts to exchange knowledge regarding issues of mutual interest with the organization’s Quality departments. Both the federal government and the State reemphasized this year that a principal enforcement focus will be on the quality of patient care. The Compliance Directors attend the quality meetings at their respective facilities on a regular basis, and a representative from Corporate Compliance attends the monthly quality meeting. Corporate Compliance also receives and reviews monthly reports from Quality.
Manny’s Law
State Public Health Law Section 2807-k (Manny’s Law), effective January 2007, requires all State hospitals to develop and administer a financial assistance program as a condition of receiving funding from the $847 million State Bad Debt and Charity Care, Indigent Care, and Disproportionate Share Pool in 2009. As a result, the organization revised its Financial Assistance Program Policy, implemented staff training in July 2017, and increased its patient notification channels. Compliance with Manny’s Law is one of the enforcement priorities of State.
Qui Tam Lawsuits
In 1986, Congress amended the Federal False Claims Act. One of Congress’s objectives in modifying the act was to encourage the use of qui tam actions in which citizens are authorized to bring lawsuits on behalf of the United States that allege fraud upon the government. The private citizen plaintiff in such a lawsuit is often referred to as a whistleblower and may potentially receive a significant share of any recovery of government funds. This provision has an enormous impact on healthcare investigations and settlements and presents a significant risk to X. For example, in 2003, the whistleblowers in the $1.7 billion HCA settlement received $151 million. In another qui tam settlement, Bristol-Myers Squibb agreed to pay $515 million. The Department of Justice estimates that almost half of the qui tam filings and more than half of the qui tam recoveries involve healthcare fraud. The Department of Justice recently announced it secured $3 billion in fraud recoveries under the False Claims Act for the previous fiscal year—the largest ever annual recovery of funds defrauded from the federal government. According to the Department of Justice, the total amount it has recovered since 1986 now stands at more than $27 billion. State recently adopted its own version of the Federal False Claims Act. The State is expected to vigorously enforce the State False Claims Act in 2021.
Fraud Enforcement and Recovery Act (FERA)
FERA was signed into law by President Obama on May 20, 2009. This statute expands liability under the False Claims Act (FCA) on those who make false statements or claims for reimbursement to the government. FERA also imposes liability on anyone knowingly retaining a government overpayment without regard to whether or not that entity used a false statement or claim to do so. In addition, FERA imposes liability for all false claims paid using government funds and expands the right of action for retaliation under the FCA.
The Emergency Medical Treatment and Active Labor Act (EMTALA)
EMTALA requires hospitals that receive Medicare funding and have an emergency department to provide an appropriate medical screening examination in the emergency department to any individual who requests one. The hospital must provide stabilizing treatment to individuals with emergency medical conditions. The OIG imposes strict penalties for violations of the act, including fines and exclusion from the Medicare program. A $50,000 fine may be imposed for each EMTALA violation. To address this risk, Corporate Compliance is in the process of completing EMTALA audits throughout the organization and will conclude this work in 2021.
Retaliation
Fear of retaliation is one of the principal reasons that employees fail to report ethics and compliance issues. According to a 2007 survey by the Ethics Resource Center, in the preceding 12 months, more than half (56%) of all employees surveyed observed conduct that violated company ethics standards, policy, or law. Forty-two percent of the respondents said they do not report misconduct. Further, the survey found that only one in four companies has a well-implemented ethics and compliance program. Corporate Compliance evaluated whether employees believe they can raise compliance issues without fear of retaliation. A recent 2020 survey that over X employees completed indicated that X% of these employees felt comfortable reporting potential compliance issues to management without fear of retaliation. In 2019, the organization implemented a nonretaliation policy to address this issue, and since then, the HelpLine or compliance referrals have increased and continued to increase in 2020.
Gifts, Conflicts of Interest, and Potential Kickback Issues
In 2019, the organization made substantial revisions to its policy on Gifts and Interactions with Industry. The policy became effective in March and bans virtually all gifts from outside the organization and places significant limits on receiving any form of compensation from industry unless it conforms to the requirements of the new policy. Corporate Compliance will be providing extensive training and information resources on the policy to employees, vendors, and other individuals affiliated with the organization. Gifts and other potential conflicts of interest can give rise to potential liability under the federal Anti-Kickback Statute, which prohibits the payment or receipt of any “remuneration” that is intended to induce the purchasing, leasing, or ordering of any item or service that may be reimbursed, in whole or in part, under a federal healthcare program.
The federal government sharpened its focus on kickback-related issues and settled a number of substantial cases. For example, in September 2009 the Department of Justice announced a settlement with Pfizer regarding, among other issues, alleged kickbacks Pfizer provided to physicians to induce them to prescribe Bextra and other drugs manufactured by the company. Although Pfizer denied the allegations, it paid $2.3 billion to the government to resolve the case.
In 2020, Corporate Compliance also significantly revised its employee conflicts of interest form to make it more comprehensive and moved to an electronic process to receive and store this data. The enhanced information we will obtain through this process should help further detect potential compliance issues in the future. Approximately X% of the applicable employees completed the conflicts of interest disclosure forms to date. Any noncompliant employee will be appropriately disciplined.
Identity Theft/Red Flags Rule
Medical identity theft occurs when a person seeks healthcare using someone else’s name or insurance information. The Federal Trade Commission (FTC) found that close to 5% of identity theft victims have experienced some form of medical identity theft. The FTC promulgated the Red Flags Rule, which requires many healthcare providers to develop a written program and policy to spot the warning signs of identity theft. The program must identify the kinds of red flags that are relevant to our business, explain the process for detecting red flags, and describe the organization’s response to red flags in order to prevent and mitigate identity theft. In 2019, the organization adopted a new policy entitled “Identity Theft Prevention Program,” which became effective in May 2019. The Compliance Directors are currently providing in-service training to registrars and other personnel directly affected by the new policy and Rule.
Notwithstanding, the U.S. Senate and House of Representatives recently passed similar bills that may exempt physicians and possibly hospitals from the Red Flag requirements.
Research Initiatives
The organization will address the identified government compliance issues related to research. Auditing and monitoring activities in relation to research initiatives will be conducted by the Research Institute, and Corporate Compliance will assist in some of these activities as required.
Conclusion
In conclusion, the compliance risk assessment indicates that the majority of compliance resources should be placed on medical necessity documentation. The organization should continue to conduct audits at facilities in the areas of physician financial relationships. The compliance risk assessment also demonstrates the need to continue to audit coding and documentation due to the potential financial impact on the organization and the increased government scrutiny despite a favorable historical auditing record.
In addition, the compliance risk assessment found that more resources should continue to be placed on creating a greater awareness of the Compliance Program, including privacy reporting. Also, additional controls should be placed on coding and documentation. To address these issues, the Work Plan has audits or compliance initiatives focused on these risks.
Exhibit A
SAMPLE KEY CORPORATE COMPLIANCE RISK ASSESSMENT RESOURCES
Sample Key Publications
State 2019 Annual Report
State 2019-2020 Audit Work Plan and Office of Inspector General Work Plan for Fiscal Year 2020
2021 OIG Work Plan
42 C.F.R. § 482.22, http://edocket.access.gpo.gov/cfr_2007/octqtr/pdf/42cfr482.22.pdf
American Health Lawyers Association Articles:
Zachary Cohen et al., “CMS Issues 2011 Final Payment rules for HOPDs, ASCs, Physician Services & HHAs,” November 8, 2010.
Davis Turner, “CMS releases CY 2011 OPPS/ASC & Medicare Physician Fee Schedule Final Rules,” November 8, 2010.
Sample Key Interviews
Hospital A – Executive Director
Hospital B – Executive Director
Hospital B – Medical Director
Hospital C – Deputy Executive Director
Hospital D – Executive Director and Associate Executive Director
Hospital E – Executive Director
Hospital F – Executive Director and Associate Executive Director
Facility A – Executive Director
Facility B – Deputy Executive Director
Hospital G – Executive Director
Faculty Practice Plan – Vice President Corporate Finance
Chief Administrative Officer
Chief Medical Information Officer
Chief Financial Officer
Chief Operating Officer
Chair, Board of Trustees – Audit and Corporate Compliance Committee
Administrator, Research Compliance
President and Chief Executive Officer
Chief Risk Officer
Hospital I – President and CEO, COO, Executive VP, CFO, VP, Chief of Staff, Executive VP, Administrator, VP Quality/Risk Management
Corporate Quality – VP, Clinical Excellence and Quality
Corporate Internal Audit
Home Care:
Lab: CFO
Hospice: CEO, CFO, HR/Compliance Officer
CIO