By Robert Liles
(January 5, 2018): Does your health care organization have a compliance hotline / fraud hotline in place? If not, it should implement one as soon as possible. As proof positive that hotlines are effective you only have to check out the most recent hotline activity reported by the Department of Health and Human Services, Office of Inspector General (HHS-OIG)!
Although HHS-OIG’s hotline serves as merely one of its sources for case referrals, it has been an invaluable tool for the agency in identifying cases of fraud, waste and abuse against the Medicare and Medicaid programs. In point of fact, As HHS-OIG’s “Semi-Annual Report to Congress” reflects, the agency received 58,510 tips during the six month reporting period ending September 30, 2017, which resulted in almost 11,000 referrals for further action.
The question for you is simple, can you use a compliance hotline / fraud hotline to reduce your level of regulatory risk? As discussed below, we believe that hotlines are an essential tool that you can use to bring and keep your health care organization into compliance.
I. From a Practical Standpoint, Hotlines Reduce Your Level of Risk.
If an employee, a patient or a third-party has knowledge of an instance of fraud, waste, abuse or another compliance concern that has occurred in your practice, home health agency or hospice, what reporting systems have you established to facilitate such a report? It is essential that you provide multiple avenues for individuals to advise you of any concerns that they might have. If an individual finds it difficult to report a problem directly to you, anonymously if desired, he or she won’t hesitate to pick up the phone and submit a billing fraud or patient abuse report to HHS-OIG’s hotline.
Ultimately, you want to learn about a problem as quickly as possible so that an internal investigation of the allegations can be conducted and remedial action can be taken, if necessary. Maintaining your own compliance hotline can greatly enhance your ability to deal with a potential problem as quickly as possible, thereby keeping potential overpayments at a minimum and allowing you to address and correct a potential patient care problem before someone is injured or adversely impacted. It is also worth noting that the Department of Justice recently reported that over 90% of the new False Claims Act matters referred to it by HHS-OIG in FY 2017 were “whistleblower” cases – many of which could possibly have been avoided if a hotline had been available!
II. In Addition to Reducing Your Level of Risk, Hotlines are an Essential Part of a Compliance Program.
One of the questions we routinely hear is “Where does it say that we are required to have an Internal Reporting System as part of our Compliance Program”? Well, that’s a fair question, but it requires that we look at the underlying statutes which mandate compliance for program participants of the Medicare and Medicaid programs. As discussed below, the initial issue to decide is whether a health care provider is required to develop and implement an effective Compliance Program in the first place. If so, are there specific components that must be included in an Internal Reporting System? What reporting options should we build into our system?
A. Are Medicare Providers Required to Have a Compliance Program in Place?
Turning first to Medicare, as you will recall, on March 23, 2010, the Affordable Care Act (ACA) was signed into law by President Obama. Among its various requirements, the ACA includes a provision which authorizes the Secretary for the Department of Health and Human Services (HHS) to mandate that health care providers and suppliers establish a Compliance Program as a condition of their enrollment in Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP). The statute provides:
‘‘(7) COMPLIANCE PROGRAMS.—‘‘(A) IN GENERAL.—On or after the date of implementation, as determined by the Secretary under subparagraph (C), a provider of medical or other items or services or supplier within a particular industry sector or category shall, as a condition of enrollment in the program under this title, title XIX, or title XXI, establish a compliance program that contains the core elements established under subparagraph (B) with respect to that provider or supplier and industry or category.”
In September 2010, the Centers for Medicare and Medicaid Services (CMS) asked for comments from the health care community regarding the implementation of these new obligations. The subsequent February, CMS announced that it would be issuing additional guidance with respect to the mandatory compliance program provisions of the ACA at a “later date.” Since February 2011, CMS has not issued any additional proposed or final regulations setting out the deadline to meet these mandatory compliance requirements. Despite the fact that no additional guidance has been forthcoming, we believe that the government already expects Medicare and Medicaid providers to have an effective Compliance Program firmly in place. Why do take this position? Several of our reasons are outlined below.
B. What Compliance Obligations Have Been Placed on Medicare Managed Care Providers?
First and foremost, it is important to keep in mind that in order to participate as a Medicare Advantage provider, you must first qualify as a participating provider of the original Medicare program. Once you sign-up to participate as a Medicare Advantage provider, you are required to implement an effective Compliance Program. Pursuant to 42 C.F.R. §§ 422.503(b)(4)(vi), 423.504(b)(4)(vi), and as incorporated into Chapter 21, Section 30 of the “Medicare Managed Care Manual”:
“All sponsors are required to adopt and implement an effective compliance program, which must include measures to prevent, detect, and correct Part C or D program noncompliance as well as FWA. The compliance program must, at a minimum, include the following core requirements:
- Written Policies, Procedures and Standards of Conduct;
- Compliance Officer, Compliance Committee and High Level Oversight;
- Effective Training and Education;
- Effective Lines of Communication;
- Well Publicized Disciplinary Standards;
- Effective System for Routine Monitoring and Identification of Compliance Risks; and
- Procedures and System for Prompt Response to Compliance Issues.”
Collectively considered, the only reasonable conclusion that can be reached is that if you intend to care for patients covered by Medicare, Medicaid or other Federal or State health benefits programs, you must have a Compliance Program in place.
C. What Compliance Obligations Have Been Placed on Medicaid Providers?
Although the requirements of every state are different, in recent years there has been increasing pressure for Medicaid programs to require that participating providers adopt develop and implement an effective Compliance Program. New York and Texas have two of the strictest sets of compliance requirements currently in place. For example, the Texas Medicaid Provider Enrollment Application requires that prospective Texas Medicaid providers attest to the application’s Compliance Program Requirement. As the application requires, a Medicaid provider must verify that in accordance with requirement TAC 352.5(b)(11), the provider has implemented a Compliance Program containing the seven core elements as established by the Secretary of Health and Human Services referenced in §1866(j)(8) of the Social Security Act (42 U.S.C. §1395cc(j)(8)), as applicable. It is important to keep in mind that Texas Medicaid providers are required to affirmatively attest that the provider has a Compliance Program in place prior to submitting an application for enrollment.
D. The Government’s Latest Variation of the Seven Elements:
The seven elements set out above are functionally equivalent to those identified by HHS’s Office of Inspector General (HHS-OIG) in its various iterations of Compliance Program Guidance and more recently restated during an HCCA‐OIG Compliance Effectiveness Roundtable conducted on January 17, 2017. As the guidance developed during the roundtable session reflects, the seven elements have most recently been summarized as:
- Standards, Policies and Procedures;
- Compliance Program Administration;
- Screening and Evaluation of Employees, Physicians, Vendors and other Agents;
- Communication, Education, and Training on Compliance Issues;
- Monitoring, Auditing, and Internal Reporting Systems;
- Discipline for Non-Compliance; and
- Investigations and Remedial Efforts.
E. Role of an Internal Reporting Systems in Your Compliance Program:
As the joint HCCA / HHS-OIG Resource Guide published in March 2017 reflects, an Internal Reporting System is an essential part of the fifth element in your Compliance Program. Although “Monitoring” and “Auditing” are equally important, this article focuses generally on the Internal Reporting System component of the element, and the compliance hotline / fraud hotline tool in particular.
- Assessing the Adequacy of Reporting Options. When assessing the adequacy of your Internal Reporting System in your Compliance Program, you must first review the various communication options available to employees, patients, members of the public and other individuals should they wish to notify you of a compliance concern or of a regulatory violation. These communication options would typically include U.S. Mail, E-mail, Facsimile and Anonymous Compliance Hotline / Fraud Hotline options.
- Publication of Reporting Options. Even if your health care organization has set up an Internal Reporting System that offers a full range of communication reporting options, your system isn’t going to be effective if you fail to educate your staff of its existence and publicize its existence among your patients and the public. Moreover, have you clearly communicated to your staff, patients and the public how to submit a report and what an individual should expect after a report has been submitted? For instance, if a patient submits a complaint through your Compliance Hotline (either by U.S. Mail, E-mail, Facsimile or by Phone), does your website description of the internal hotline reporting service discuss when the patient should expect a response? Is your system ALWAYS acknowledging each and every compliant that is filed? If not, a patient may feel that their concerns have been ignored. The next step for them would likely be to file a complaint on the HHS-OIG hotline or submit a complaint to the State Medical Board.
- Monitoring Effectiveness of the Internal Reporting System. Periodically, you will need to test each of the internal reporting systems you have established to ensure each mode of communication is readily available, easy to use and effective. For instance:
- Are reports sent by mail promptly reported to Compliance?
- Are faxes transmitted within one business day to Compliance?
- Is the online reporting system both easy to use and file a submission?
- Are Compliance Hotline / Fraud Hotline phone calls answered promptly? Is the information accurately relayed from the caller to the Compliance Report Form? Is the information then transmitted to Compliance within one business day?
- Effectiveness of Internal Reporting System Policies. The utilization of an organization’s Internal Reporting Systems should be memorialized for use by your staff and set out in Policies and Procedures. These Policies and Procedures must be made available to all of your staff and the information covered within them must be incorporated into your annual compliance training.
Setting-up a Compliance Hotline / Fraud Hotline is one of the most cost-effective steps you can take to reduce your level of regulatory risk. Understandably, you may be worried that you will receive a call putting you on “notice” of an incorrect billing practice. Alternatively, what if someone lodges an anonymous complaint that one of your employees is accepting money for referrals. Although both of these situations are serious and require that you immediately investigate the allegations, you need to keep in mind several points. First, as a participating provider, you have an affirmative obligation to be regularly reviewing your billing, coding, medical necessity and documentation practices to ensure that your claims fully comply with applicable requirements. To the extent that your claims are deficient and an overpayment exists, you are required by law to promptly report and return any overpayment that may be owed to Medicare or Medicaid. Second, to the extent that there is, in fact, a problem, you want to learn about it as soon as possible so that remedial steps to correct the problem can be taken and the wrongful conduct will not continue. Third, whether you like it or not, improper billing practices and wrongful business conduct will eventually be uncovered. It will either be uncovered and reported by a potential whistleblower or it will be identified by one of the many private contractors that the Centers for Medicare and Medicaid Services (CMS) employs for program integrity purposes. The effective use of a Compliance Hotline / Fraud Hotline can help your health care organization stay within the four corners of the law. For more information on cost-effective hotline options for your health care organization, call the folks at www.ComplianceHotline.com They can be reached at: 1 (800) 294-0952
Robert W. Liles, J.D., M.B.A., M.S., is a health lawyer with the firm Liles Parker. Mr. Liles and the other attorneys at Liles Parker represent health care providers and suppliers around the country in connection with Medicare, Medicaid and private payor regulatory and contractual actions. He also develops and implements efeective Compliance Programs for providers and suppliers. Are you facing a potential government audit or need compliance assistance? Call Robert for a complimentary consultation. He can be reached at: 1 (800) 475-1906.
 HHS-OIG first published draft Compliance Program guidance for Individuals and Small Group Practices in June 2000. Later, on October 5, 2000, HHS-OIG published its final program guidance in the Federal Register, entitled “OIG Compliance Program for Individual and Small Group Physician Practices.” (65 Fed. Reg. 59434). At that time, HHS-OIG noted that more formal reporting systems, such as hotlines and e-mail may be out of the reach of small physician practices. Therefore, they encouraged such practices to at least implement an internal reporting system that was less formal and less costly. Since that time, the cost of both hotlines and e-mail have dropped to the point that even a single physician practice can easily afford to implement these reporting mechanisms. Notably, HHS-OIG also recommends that physician practices (and other health care providers, for that matter), post the HHS-OIG Hotline telephone number. As the Federal Register discussed in Footnote 43:
“In addition to whatever other method of communication is being utilized, the OIG recommends that physician practices post the HHS–OIG Hotline telephone number (1–800–HHS–TIPS) in a prominent area.”
 This roundtable led to the formal development and issuance of “Measuring Compliance Program Effectiveness: A Resource Guide.” Issue Date March 27, 2017.