(January 5, 2016): Now that you have appointed an individual to be responsible for the compliance program and created a compliance committee to help the compliance officer, the focus should turn to basic compliance policies and procedures. If an effective compliance program is like a house with a solid roof to protect the inhabitants from bad weather, policies and procedures function as the studs and support structure. Like walls, policies and procedures establish the outlines of a program, delineating areas of focus. Another way of looking at this is that the basic policies and procedures serve as the constitution of your compliance program. Accordingly, every compliance program should have certain policies at a minimum. The most important ones are (in no particular order):
-
Code of Conduct. This is the basic commitment to comply with federal, state and local applicable rules and regulations applicable to healthcare and your practice. The importance of this policy cannot be overstated. To put it very simply, this policy must say you will not lie, cheat or steal.
-
Appointment of a compliance officer and description of duties and powers. If the compliance officer is like the president, then this policy describes what executive powers that individual has.
-
Ineligible persons and sanctions screening. This policy state that you will not employ, contract with, accept referrals or prescriptions from, or make referrals to individuals or entities that are sanctioned, excluded or debarred from federal and state health care programs.
-
Licensure status. Like the ineligible persons policy, this policy should address which individuals must maintain licensure and state that the practice will not employ, contract with, accept referrals or prescriptions from, or make referrals to individuals and entities that are not properly licensed. The policy should also indicate how you will verify licensure status and what actions will be taken if you cannot validate proper licensure status.
-
Hotlines and reporting methods for employees, patients and others. This policy should clearly establish how individuals can report concerns and ask questions or request guidance. A key component must be a statement that the reporter may remain anonymous and will not face retaliation for good faith reports.
-
Document internal corrective actions taken. This policy should outline the general steps that will be taken to investigate a report of possible problems. The policy should include direction for how to document the results of the investigation and what, if any, corrective actions were required and implemented.
-
Training. We all know how much the rules and regulations in health care are changing. This policy should indicate how you will be training staff, general topics, frequency of training, and how you will document completion of the training. This policy should also include the repercussions for failure to complete the training as required.
-
Internal auditing and monitoring. This policy should outline your process for conducting audits. If you are billing any insurer, whether federal OR private, you should be conducting audits routinely. Identify what the risk areas are for your practice. The risk areas could be related to particular services, CPT codes, or a particular insurer. As with the Investigations policy, this policy should also detail what actions you will take in response to results that reveal a possible issue.
-
Conflicts of interest. It is not possible to eliminate potential conflicts of interest unless you live on a desert island, isolated from contact with the rest of the world. Accordingly, the first step is identify possible conflicts of interest (for example, family or business relationships, outside employment, ownership interests, etc.). The policy should require that all potential conflicts of interest be disclosed. Once disclosed, the policy should provide a method for addressing the potential conflict of interest. Some conflicts of interest are so significant or impact the practice in such a way that the underlying situation must be unwound. For example, a contract might have to be terminated or a relationship ended. Other conflicts of interest can be managed. Again, the policy should provide for documentation of the disclosure and what actions are taken to end or manage the conflict of interest.
-
Waivers of copayments and deductibles, discounts, charity care, and beneficiary inducement . One of the fastest ways to get in trouble is to inconsistently apply and collect copayments and deductibles or offer discounts, as insurers will take the position that this is an improper beneficiary inducement of the federal and state anti-kickback laws. There are ways to provide free or discounted care, but it must be done thoughtfully and following established procedures. In addition, this is a key area to develop documentation demonstrating adherence to the requirements.
-
Returning overpayments. Since audits are likely to result in overpayments, you must commit to promptly returning any identified overpayments. A good place to start are the Medicare policy manuals, particularly those of the Medicare Administrative Contractor (MAC). Likewise, private insurers often have policies on refunding overpayments. Don’t forget that the Affordable Care Act requires that Medicare and Medicaid overpayments be returned within 60 days from the identification of the overpayment.
-
HIPAA requirements must be met. Actually, the HIPAA policies are more an entire set of policies that address compliance with the Privacy Rule, the Security Rule, and the Breach Notification Rule. I will address HIPPA policies in more detail in a future article.
-
Document retention. This policy should outline what your document retention and destruction policy and procedures are. Not every document needs to be kept forever, and you should create retention time periods for different kinds of documents (including patient medical records). Don’t forget to include electronically maintained documents. One provision the policy absolutely must contain is a requirement that if the practice is under audit, investigation or any other form of scrutiny, that no documents relating to that matter be destroyed, including deletion of emails.
This baker’s dozen of basic compliance policies is only a starting point. A practice’s book of policies should include additional policies that address its particular needs or risks. In fact, I would be extremely worried if I walked into a practice and did not find at least half a dozen more policies specific to the practice. Also, the policies book need not be limited to compliance policies. The practice should also have HR policies, finance policies, patient care policies and OSHA policies
All policies should be reviewed on an annual basis and updated as necessary. This includes eliminating policies that are no longer appropriate or relevant and writing new ones. All policies should be written in a template that permits you to document when a policy was last reviewed and when it was last changed.
And finally, policies should not be like the recipe for Coca Cola, kept in a vault and only known to a few. All staff members should have access to and understand the policies, so a best practice is to place the policies in a binder in a common area, easily accessible by all staff members. If you have an intranet, post them on the intranet. Post them on a bulletin board in the staff break room. Make them widely available. Train on them, repeatedly. Never be in a situation where a staff member can say, “Oh, I didn’t know that was our policy!”
Next month we’ll examine exclusions and why they are so important in more depth.