Seven Mistakes to Avoid When Creating a Healthcare Compliance Audit

Let’s face it: healthcare auditors have a tough job today. Being effective and relevant requires careful analysis and investigative skills, while at the same time earning the support and respect of departments and people who may see you as the “Corporate Cop.” The pressure is high. A lot rides on auditors asking the right questions and digging in the right places to produce a solid, accurate review.

On top of this, senior management and Board of Directors rely heavily upon a compliance auditor’s results to determine where there are weaknesses, areas for improvements, and/or violations of regulations that may require self-disclosure.

Here are seven mistakes others have made, offered as insight into what Federal regulators (HHS OIG) deem important in a compliance audit.

*Updated from original post on Dec 06, 2016

New to the scene? Check out our audit series:
Hi, I am an Auditor and I am Here to Help
How to Conduct an Effective Health Care Audit
Be Audit Ready – All the Time
You’ve Finished Your Internal Audit. Now What?

Mistake #1: Ignoring the Advice of OIG and Lessons Learned from Others

What can be learned from the Office of Inspector General (OIG)

The Health and Human Services (HHS) Office of Inspector General (OIG) plays a big role in enforcing federal regulations affecting healthcare fraud, waste and abuse. It is a great first place to learn from others’ mistakes. The OIG website provides an oasis of resources for compliance professionals, such as:

– Compliance Program Guidance by industry
– Cases and examples of Civil Fines and Penalties
– Special Advisory Bulletins
– Corporate Integrity Agreements

  • Many lessons can be learned from Corporate Integrity Agreements (CIAs) imposed on companies that are required to address areas of non-compliance.
  • CIAs also resolve potential fines and penalties for previous behavior, which must be changed in order for the company to remain eligible for Federal healthcare reimbursement dollars from programs such as Medicare, Medicaid, CHIP or TRICARE.

What a CIA typically requires:

  • Stronger compliance program, staffing changes and organizational change
  • Significant amounts of training on general compliance topics and topics specified by the OIG
  • Tailored audits to be conducted by a third-party typically called an Independent Review Organization (IRO) as defined by the OIG
  • Significant oversight by the OIG in areas such as:

      – Information being monitored and audited by the Compliance Committee
      – Metrics to be monitored by the Compliance Committee
      – Information presented to the Board of Directors

Mistake #2: Failing to Review Internal Compliance Policies

The good news and bad news of compliance policies and a compliance plan

Another great place to get reacquainted with is the company’s policies and procedures. You should definitely look at the compliance policies and procedures, but don’t forget to look at other important areas of the company as well. And last but not least, take a look at the Compliance Plan. Review all of the policies and procedures to get an idea of the basic requirements of the compliance program. This will help you decide where to focus your reviews.

The Compliance Plan can be a blueprint for any auditor.

The good news: The Compliance Plan outlines exactly what the company has agreed are high risk areas and how they plan to audit and/or monitor for ongoing compliance.

The bad news: Following through on the Compliance Plan and implementing changes can be difficult, and some departments struggle to change.

Mistake #3: Not Listening to Employees or Teaching Them the “Right” Thing

Reviewing hotline usage, training, and follow through

One of the most important things to monitor is our employees. First, we have to start by making sure we are training our employees on the right things to do, and making sure they understand the regulations that guide our business practices. So make sure you audit the effectiveness of your training.

Another important area is the compliance hotline. If you don’t listen to your employees, they will go elsewhere to share their concerns. So make sure you build in a review of the compliance hotline.

Questions to Get Started:

– Is there a hotline? Do employees know the number?

– Does the company demonstrate/document that all complaints were properly investigated and resolved?

– How many hours does each employee have for mandated compliance training? Did they attend?

– Are the employees required to take any type of post-test to determine “competency”? Validating competency and understanding of a compliance topic is very important.

– Have third parties acknowledged and been trained on required compliance policies?

Mistake #4: Failure to Comply with Monthly OIG Exclusion Monitoring

Checking the lists

Does each employee and/or contractor have a completed OIG exclusion check upon hire and monthly as recommended by the OIG and required in most States?

The OIG is required by law to exclude individuals and entities from participation in all federal healthcare programs on a number of grounds. Do you know the difference between mandatory and permissive exclusions? Let’s take a look!

Mandatory exclusions can be imposed for the following six reasons:

– Conviction of program-related crimes. Minimum period: 5 years.

– Conviction relating to patient abuse or neglect. Minimum period: 5 years.

– Felony conviction relating to healthcare fraud. Minimum period: 5 years.

– Felony conviction relating to controlled substance. Minimum period: 5 years.

– Conviction of two mandatory exclusion offenses. Minimum period: 10 years.

– Conviction on three or more occasions of mandatory exclusion offenses. Permanent exclusion.

Permissive exclusions, at the discretion of the OIG, can be imposed for the following eight reasons:

– Misdemeanor conviction relating to healthcare fraud. Minimum period: 3 years.

– Conviction relating to fraud in non-healthcare programs. Minimum period: 3 years.

– Conviction relating to obstruction of an investigation. Minimum period: 3 years.

– Misdemeanor conviction relating to controlled substance. Minimum period: 3 years.

– Default on health education loan or scholarship obligations. Minimum period: Until default has been cured or obligations have been resolved to Public Health Service’s (PHS) satisfaction.

– Individuals controlling a sanctioned entity. Minimum period: Same period as entity.

– Making false statement or misrepresentations of material fact. Minimum period: None.

– Failure to meet statutory obligations of practitioners and providers to provide medically necessary services meeting professionally recognized standards of healthcare (Peer Review Organization (PRO) findings). Minimum period: 1 year.

Keep in mind, companies should search, at a minimum, the OIG LEIE and all state Medicaid exclusion lists (currently 40) on a monthly basis for all employees, contractors, third parties and referring physicians.

Mistake #5: Not Knowing Who is Covered by OIG

How to audit compliance with OIG exclusion monitoring

Step 1: Review job descriptions.

This determines who is reimbursed by Federal healthcare program dollars “directly, indirectly, in whole or in part”, and includes positions “beyond direct patient care”.

Step 2: Know your third parties.

Make sure your organization knows who it is doing business with to ensure vendor compliance. If the organization has paid a third party for services that are “directly, indirectly, in whole or in part” reimbursed by Federal healthcare program dollars in the last 12 months, then that third party company name should be monitored on a monthly basis also.

Step 3: Monitor your staffing company.

If your organization is utilizing a staffing company, audit whether the staffing company contract contains language requiring the staffing company to conduct OIG exclusion monitoring before sending staff to your organization, and monthly thereafter. Create a random audit by contacting the staffing company and asking for verification of the exclusion results for a sampling of the staff sent to your company.

Step 4: Monitor company owners.

An organization should begin trying to capture who owns more than 5 percent of any third party entity it is doing business with, because we know that the OIG is concerned about excluded individuals hiding under a corporate shell. This is a tough one, since most, if not all, organizations have a hard enough time keeping track of their approved vendors, let alone knowing the ownership structure of each company. Perhaps a good item for your compliance road map.

Step 5: Know how to monitor for OIG exclusions.

A search against the OIG and state Medicaid exclusion lists (see next section) is only as effective as the identifiers that are submitted.

The most reliable identifiers are:

– Full name (maiden or other last names for women)

– Social Security Number (for verification purposes)

– Date of birth

– License number (if applicable)
– Address

Mistake #6: Only Relying on the OIG LEIE

Don’t forget about the state exclusions!

How reliable and complete is the OIG LEIE?

The OIG LEIE contains exclusions the OIG has imposed, as well as certain state Medicaid exclusions reported to the OIG by the state Medicaid Fraud Control Units (MFCUs).

According to Performance Standard 8(f), a state Medicaid Fraud Control Unit is required to report to the OIG, within 30 days of sentencing, all pertinent information on program convictions, including charging documents, plea agreements and sentencing orders.

According to PPACA 6501, if a person or entity is excluded in any state, then he/she/it is excluded in all states. However, an audit of the OIG LEIE found it was missing up to two-thirds of the exclusions and actions taken by state MFCUs. Adding all Federal and state exclusion lists to the OIG LEIE search is the best practice.
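As an added, constructed illustration of Steps 1 through 5 above and of the federal-plus-state point just made (this is example code written for this page, not ProviderTrust’s product or any OIG tool; the roster and the exclusion records are fabricated, and in a real program each `ExclusionRecord` row would be loaded from the OIG LEIE download and from each state Medicaid exclusion file): the screen matches a staff roster against a combined set of exclusion records using the identifiers listed above, treats a maiden or former last name as an alias, confirms a name hit with date of birth or license number, and flags a conflicting identifier for human review instead of silently discarding the hit.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def norm(value: Optional[str]) -> str:
    """Lower-case and strip punctuation/spaces so "O'Brien" and "OBRIEN" compare equal."""
    return re.sub(r"[^a-z0-9]", "", (value or "").lower())


@dataclass
class Person:
    """One roster entry: employee, contractor, vendor contact or referring physician."""
    first: str
    last: str
    dob: Optional[str] = None            # ISO date string, YYYY-MM-DD
    license_no: Optional[str] = None     # professional license, if applicable
    other_last_names: List[str] = field(default_factory=list)  # maiden / former names

    def last_name_keys(self) -> set:
        return {norm(n) for n in [self.last, *self.other_last_names] if n}


@dataclass
class ExclusionRecord:
    """One row from an exclusion list; `source` says which list it came from."""
    source: str
    first: str
    last: str
    dob: Optional[str] = None
    license_no: Optional[str] = None


def compare(person: Person, rec: ExclusionRecord) -> Optional[Tuple[str, List[str], List[str]]]:
    """Return (level, agreed identifiers, conflicting identifiers), or None if the name does not hit."""
    if norm(rec.last) not in person.last_name_keys() or norm(rec.first) != norm(person.first):
        return None
    agreed, conflicts = ["name"], []
    # Secondary identifiers only count when both sides supply them.
    for label, ours, theirs in (("dob", person.dob, rec.dob),
                                ("license", person.license_no, rec.license_no)):
        if ours and theirs:
            (agreed if norm(ours) == norm(theirs) else conflicts).append(label)
    # A name hit backed by at least one agreeing identifier and no conflict is "likely";
    # anything weaker still goes to a human rather than being dropped.
    level = "likely" if len(agreed) > 1 and not conflicts else "needs_review"
    return level, agreed, conflicts


def screen(roster: List[Person], records: List[ExclusionRecord]) -> List[Dict]:
    """Screen every roster entry against every record from every list supplied."""
    hits = []
    for person in roster:
        for rec in records:
            result = compare(person, rec)
            if result:
                level, agreed, conflicts = result
                hits.append({"person": f"{person.first} {person.last}", "source": rec.source,
                             "level": level, "agreed": agreed, "conflicts": conflicts})
    return hits


# Constructed sample data (not real people, not real LEIE or state rows).
ROSTER = [
    Person("Jane", "Smith", "1980-01-01", other_last_names=["Doe"]),   # excluded under maiden name
    Person("John", "O'Brien", "1975-05-05", "RN-12345"),               # DOB typo somewhere
    Person("Alice", "Green", "1990-09-09"),                            # clean
]
FEDERAL = [ExclusionRecord("OIG-LEIE (constructed)", "JOHN", "OBRIEN", "1975-05-06", "RN12345")]
STATE = [ExclusionRecord("STATE-MEDICAID (constructed)", "Jane", "Doe", "1980-01-01")]

if __name__ == "__main__":
    print("Federal list only:", screen(ROSTER, FEDERAL))
    print("Federal + state  :", screen(ROSTER, FEDERAL + STATE))
```

Searching the federal list alone surfaces only the O’Brien record, and that one is marked `needs_review` because the license agrees while the date of birth does not; adding the state list is what catches Jane Smith, whose exclusion sits under her maiden name. Both behaviours are exactly the gaps Steps 1 through 5 and Mistake #6 warn about.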

Mistake #7: Failure to Self-disclose

Reporting a discovered violation to the OIG

When to self-disclose?

If your audit discovers your organization has hired or contracted with an excluded individual or entity, then you should report that in your audit findings. The reason is two-fold:

  • It is essential to remedy this non-compliance event and improve or correct the policy and training around it.
  • If your organization self-discloses to the OIG, it can have the penalty multiplier reduced from three times total damages to 1.5 times total damages.
Self-identification of compliance issues is always in your company’s best interest. With the explosion of whistleblower cases, if you don’t identify it internally and ADDRESS the concern, someone else will report it to State or Federal agencies. Communication and training on how to identify potential fraud and abuse is the best way to protect the company. Proper documentation outlining the plan, the audit, the findings, and corrective actions is imperative. Without proper planning, internal documents can easily be overlooked or lost, and many assumptions can be made without good communication of the findings.

An essential part of any successful compliance audit is a written plan and a checklist. It sounds obvious, but don’t just start auditing. Take the time to identify the risks, create the audit, create the process and document the “Plan”.

There are many sizes and shapes an audit can take in order to determine and document healthcare compliance.

Read through the Compliance Plan and the Audit Plan and see whether each is being followed, documented and/or violated. If you find a violation that could result in fines and penalties, it is better to self-disclose. Doing the right thing is always the best thing, but not necessarily the easiest. Hopefully these tips help as you create or enhance your audit planning.

Are there any red flags you would suggest? Tell us in the comments below!


Written by Michael Rosen, ESQ

ProviderTrust Co-Founder,

Michael brings over 20 years of experience founding and leading risk mitigation businesses, receiving numerous accolades such as: Inc Magazine’s Inc 500 Award and Nashville Chamber of Commerce Small Business of the Year.

Connect with Michael on LinkedIn
