Compliance… Don’t be a Target

Practices and hospitals often ask about their compliance responsibilities. Many believe that their written compliance plan (that complies with Office of Inspector General, CMS for Medicare and Medicaid and HIPAA Privacy and Security regulations) fulfills their obligations. Let me assure you that this is not the case.

It doesn’t matter whether your compliance plan (the document) was professionally done by an attorney or whether you developed one internally; the compliance plan must be an “effective compliance and ethics program”. What does that mean? There are a number of activities needed to bring your compliance plan to life.

Developing the compliance plan document, and then putting it on the shelf, will work against you in the event of a federal or state government review of your practice (due to patient complaint, whistle blower, or other third party entity). Oh, and don’t forget that these plans should be updated as regulations change. If you have a written compliance plan; in what year was it completed? Has it been updated? Compliance guidance states that compliance plans should be reviewed and updated as necessary, at least annually, or as regulations change.

An effective compliance and ethics program protects your practice by detecting and preventing improper conduct and promoting adherence to your practice’s legal and ethical obligations. In 1991, the U.S. Sentencing Commission established the most recognized standards for an effective program within its Sentencing Guidelines Manual. These Guidelines are closely aligned with the principles provided in OIG’s Compliance Guidance for Physician Practices. While there is no “one-size-fits-all” program for every practice, there are 7 core elements that must exist in an effective program. They include:

  • Compliance officer
  • Written plan (policies and procedures)
  • Training and education
  • Lines of communication
  • Auditing and monitoring
  • Exception/incident procedures
  • Response and corrective action

What can you do to promote compliance in your practice or department? A simple and effective way to begin is professional compliance training which will immediately raise compliance awareness for staff and physicians, and it fulfills one of the 7 core elements of an effective compliance program.

AdvantEdge offers a Web-based Compliance Training Program that can be accessed from anywhere at any time and it fulfills the annual training obligations. It is subscription-based so there is no software to purchase or system to maintain. The educational curriculum is always up-to-date eliminating home-grown compliance educational program development challenges. Upon completion of training, you can print out a proof of training certificate which demonstrates that you have completed annual training requirements.

How much will this cost? The subscription considers the number of users (administrative staff, physicians, non-physician practitioners) that will receive training.

  • 1 to 10 users – $1,050 per year
  • 11 to 50 users – $3,050 per year

If we use an example of a 5-user subscription, it will cost $210 per user/year or calculated another way $87.50 per month for up to 10 users.

You don’t want to be the practice that makes the headlines. It is not the boldly non-compliant physician that always makes the news. There are many innocent mistakes that become compliance issues because the regulation states “or you should have known.”

Here are some samples of course content: Understanding the False Claims Act vignette (opening conversation)

Closing Summary of Understanding the False Claims Act vignette

Below are two examples of innocent non-compliant HIPAA activity:

Physician Revises Faxing Procedures to Safeguard PHI Covered Entity: Health Care Provider Issue: Safeguards

A doctor’s office disclosed a patient’s HIV status when the office mistakenly faxed medical records to the patient’s place of employment instead of to the patient’s new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR (Office for Civil Rights) also required the practice to revise the office’s fax cover page to underscore a confidential communication for the intended recipient. The office informed all of its employees of the incident and counseled staff on proper faxing procedures.

Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance Covered Entity: Private Practice Issue: Access

A complainant alleged that a private practice physician denied her access to her medical records, because the complainant had an outstanding balance for services the physician had provided. During OCR’s investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record.

Two examples of improper billing activities (regulatory compliance) that resulted in fraudulent claims being submitted to payors:

  • Provider was fined $400,000 and permanently excluded from participating in Medicare by overstating face-to-face time with patients. Providers have been known to consider face-to-face time as time required to document the medical record which is not correct.
  • Provider paid $435,000 and entered a 5-year Integrity Agreement for submitting claims that were not supported by accurate patient medical records. How many times have you heard from government authorities “not documented; not done.”

Not having an effective compliance program (an on the shelf compliance plan or no plan at all) may result in the following:

  • Increased fines and penalties
  • Exclusion from Medicare and Medicaid programs
  • Probation, home confinement or incarceration

We can help make regulatory and HIPAA compliance a reality for your practice by arming you and your staff with the latest information and educational resources to ensure that you are knowledgeable, well-prepared, and current with healthcare regulations including HIPAA and federal and state laws. See our brochure and consult with your AdvantEdge Client Manager or contact me directly at 908.279.8104 or .


—Jeanne Gilreath
Senior Vice President and Compliance Officer