Beginning in the mid-1990s, federal fraud fighters started encouraging health care providers to develop and implement plans to ensure compliance with the confusing array of federal health care laws. Most hospitals and other large institutional providers heeded this advice and put comprehensive compliance plans in place. Unfortunately, many ambulatory surgery centers did not have compliance plans. As a result, the principals of those centers may unknowingly be at significant risk.

The good news is that it's not that hard and it's not too late to implement a compliance plan. Contrary to the beliefs of many ASC managers, a compliance plan does not have to be expensive, time-consuming, or intimidating. In fact, there are relatively simple and inexpensive steps that average facilities can take to promote compliance. This article describes why compliance plans are important and how your facility can start to develop compliance plans.

What is a compliance plan and why do you need one?

Legally speaking, a compliance plan is a program of internal controls that enables a health care provider to efficiently monitor adherence to applicable statutes, regulations and program requirements. In other words, a compliance plan is a way to "keep your butt out of the stir."

That is increasingly important, because the threat of enforcement activity is greater than at any time in our history.

To understand why, consider that in 2001, health care spending totaled more than $1 trillion. That's 13 percent of the nation's gross domestic product. Federal and state governments are responsible for over half of all health care spending, with annual Medicare spending alone topping $224 billion. And those numbers keep on rising. Health spending has increased approximately seven percent in each of the last 10 years, far outpacing overall economic inflation. That means the pressure on the federal budget from health care is at an all-time high.

Now consider that the federal government estimates that nearly $12 billion, or nearly seven percent of Medicare payments, are improperly made, wasted by fraud and abuse and payment errors. Lawmakers and bureaucrats see this as an excellent opportunity for savings. They've stepped up enforcement activities as a result. Between 1997 and 2000, Congress nearly doubled the Federal Bureau of Investigation health care fraud fighting budget, and the FBI nearly doubled the number of agents detailed to combating health care fraud. Prior to September 11, 2001, health care fraud ranked higher than terrorism on the FBI's priority list. Washington cynics have joked that if Osama Bin Laden were a physician, he'd be in custody by now.

How compliance plans help
Compliance plans are one strategy for staying on the straight and narrow and keeping the federal government from becoming interested in your facility. But they are just as helpful if you do run afoul of the law. The Inspector General for the U.S. Department of Health and Human Services evaluates six different factors in determining whether to bring a health care fraud prosecution. One factor is whether the potential defendant had an effective compliance plan in place. In two factually identical situations, if one provider has an effective compliance plan, and the other does not, the IG would look more favorably on the facility with the compliance plan, and think twice before bringing an enforcement action.

In the event that a facility does become the target of a health care prosecution, an effective compliance plan also can help minimize the penalties imposed if convicted. When sentencing convicted felons, federal judges are required to follow Federal Sentencing Guidelines. Under these guidelines, having an effective compliance plan is a mitigating factor, which will reduce the sentence.

If you do not currently have a compliance plan and believe it may be in your best interest to implement one, here's some step-by-step advice on how to build a plan:

Choose who will develop the plan
At its most basic level, there are two ways to obtain a compliance plan: The facility can outsource it by hiring a lawyer or consultant, who will develop a plan for the ASC, or the facility can prepare one itself. The "do-it-yourself" approach may be appropriate for many ASCs, particularly smaller facilities with tight budgets.

For the "do it yourself" crowd, there essentially are two choices: buy a ready-made, off-the-shelf product, or start from scratch.

At first blush, buying an off-the-shelf plan may seem like a no-brainer. Numerous companies advertise off-the-shelf compliance tools, like CD-ROMs, books, manuals, and other things that can be used to develop a compliance plan. Many are quite good.

However, facilities that choose to begin with one of these products should be aware that a compliance plan must be more than policy statements reminding employees to obey the law. A compliance plan must be "effective" to help keep the facility out of trouble, and especially to be viewed favorably by the Inspector General or a federal judge. In other words, it must be reasonably designed, implemented and enforced so that it can detect criminal conduct. You can't buy an off-the-shelf product and then put it right back up on the shelf. Moreover, the plan must be customized to the facility. An off-the-shelf product that involves no more participation than filling in blanks on pre-printed forms will not be very effective. If you buy an off-the-shelf product, you need to use it as a model from which policies specific to and appropriate for the facility can be developed.

It may be just about as cheap and a whole lot easier to either develop a custom plan from scratch or engage a firm to develop a customized plan.

Developing a plan on your own doesn't have to be difficult or expensive. One good way to start is to use one or more of the seven model compliance plans developed by the Inspector General that are specific to certain segments of the health care industry. To date, the Inspector General has developed model compliance plans for hospitals, third party billing companies, durable medical equipment suppliers, hospices, skilled nursing facilities, Medicare Choice organizations, and small group physician practices. These are all available from the Inspector General's web site at oig.hhs.gov.

The Inspector General has not yet developed a model compliance plan specific to ASCs, so most attorneys and consultants working with ASCs combine elements from the model compliance plans developed for hospitals and small group physician practices.

The model plans provide a complete description of what is to be included and step-by-step instructions to develop a plan. Most often, the first step involves an initial base-line audit to identify problems.

Audit your facility.


Typically, you should conduct two initial audits. First, you should audit your "standards and procedures." In other words, you need to assess how well you are complying with the various regulatory requirements. For example, a facility might evaluate the extent to which its standards and procedures are compliant with the requirements of federal patient health information privacy standards rules.

The second type of audit is the claims submission audit, which examines the claims development and submission process all the way from patient intake through to submission and payment of claims. In this audit, facilities should examine the extent to which each step of the claims submission process is consistent with Medicare rules.

In the claims submission audit, facilities typically examine four areas:

• Coding and billing. Areas to examine include instances of double billing, billing for unbundled services, improper use of modifiers, and upcoding, among other things.
• The "reasonable and necessary" standard. To what extent do the services you provide meet the requirements for reimbursement?
• General documentation practices, particularly with regard to claims. Confirm that the documentation in medical records supports the codes and claims submitted for payment.
• The presence of improper inducements in the claims submission process. Evaluate arrangements with hospitals, doctors, and pharmaceutical and medical equipment and supply vendors. Look at contracts with referral sources, equipment and space leases, and joint venture agreements. Make certain that there are no improper incentives that might be weighing upon claims submission. This is one area where it might be appropriate to have an attorney's assistance.

One note: Audits are not a once-and-done proposition. ASCs should periodically re-audit, perhaps annually, to measure compliance and the success of the plan. Document the methodology used in each audit, and follow it from year to year. Also, preserve all records that go along with each audit.

Write the plan
Once the baseline audit is complete, and you've identified any problem areas, the planning process can begin.

There are eight elements to a complete compliance plan.

Element No. 1 is a written iteration of employee obligations. Employees and medical staff alike need to be made aware of acceptable conduct, standards, and expectations, and should have these policies available to them in a handy written format that can be easily accessed and referenced. This section should encourage employees to conform conduct to the standards, to seek clarification when they are unsure of something, and to report any suspected violations of plan rules.

The second element is a list of risk areas. You need to identify the potential pitfalls you found during the audits and any other pitfalls that may exist. For example, identify types of potential coding and billing errors and documentation shortcomings, and generally make employees and medical staff aware of common errors.

Finally, you need to create a document that describes in easily understood terms the federal rules regarding unbundling, double billing, upcoding, and other complex billing policies. While these rules may seem like common sense to many, not all staff will be familiar with every rule. Moreover, even if staffers are well trained and thoroughly familiar with rules such as these, it is beneficial to the ASC to have documentation that it made a good faith attempt to reinforce this knowledge.

Typically, facilities distribute the materials from these first three elements to employees in looseleaf binders so that updates are possible. One other note: Consultants and lawyers are good at creating these materials, so even if you are doing the compliance planning yourself, you may want to outsource this portion.

The fourth step in the planning process is to designate a person within the facility who is responsible for compliance. In larger institutions, such as hospitals, this person often carries the title "compliance officer," and has as his or her main responsibility implementing and enforcing the institution's compliance plan. It is rarely necessary for ASCs to dedicate a full-time employee to compliance activities. In fact, it does not even need to be a major part of a person's day. What is important is that responsibility for administering and enforcing the compliance plan rests with a single individual. This person needs enough seniority to influence the behavior of employees and organizational practices. He or she also needs access to the ASC's governing body and senior management.

The fifth component involves training and educating facility staff. If a facility prepares a compliance manual as described above, but files it on a shelf in the office of the designated compliance officer without anything more, it has failed miserably. The ASC will not improve its compliance if employees are not made aware of the contents of the compliance manual through comprehensive initial training and periodic retraining. All staff should undergo training on employee obligations, risk areas, and federal rules. All new hires should undergo similar training. All staff also should undergo periodic retraining.

An ASC can provide training in a variety of ways, including:

• Organizing training programs on its own;
• Hiring a trainer for a one-day in-house session; and
• Sending employees to conferences that deal with compliance.

However you do it, document that you have provided the training, and keep employee affirmations that they received the training. Also, make participation in training activities a condition of employment and basis for performance evaluation.

Sixth, the facility should foster free-flowing communication between employees and facility management. Remember that most federal prosecutions originate through whistleblowers, and most whistleblowers are disgruntled employees who tried to report concerns to senior management, and were rebuffed or ignored. You need to provide specific mechanisms for employees to report concerns, and have processes in place for handling and responding to such concerns. You may want to allow employees to report suspected problems anonymously, and implement strict non-retaliation policies.

Seventh, establish well-known, well-publicized, and consistently applied disciplinary guidelines. Make compliance with the plan a criterion in employee evaluations and a condition of continued employment. Establish a system of disciplinary actions for violations of the compliance plan, and terminate employees who violate the plan a pre-determined number of times.

Finally, establish procedures for responding to identified or reported problems. A compliance plan will not be viewed as effective by enforcement authorities if reported problems are not investigated and corrected. As such, the ASC should establish a procedure for investigating problems and taking corrective action.

Regulators would consider ASCs who have done everything on this list to have implemented an effective compliance plan. However, even making a good-faith effort to implement even some of these elements will improve a facility's chances to stay in compliance, and also improve its ability to avoid or limit punishment should an enforcement action occur. On the other hand, a half-hearted attempt may be worse than no attempt at all. For example, if you've "gone through the motions" of designating a compliance officer but failed to tell the staff about it, or if you have a compliance plan but have repeatedly ignored an employee's attempts to report a problem, you may actually increase your chances for punishment.

Incomplete but faithfully implemented plans are better than complete but poorly executed plans. Undertake what is appropriate for your facility. As compliance planning becomes more integrated into every day practice, add additional components. Out-source aspects that may be too complicated, time-consuming, or resource-intensive for your facility, but don't be duped into buying ready-made solutions that are not right for your facility. Compliance planning does not need to be intimidating, and it is important, so get started today. Good luck!

Eric Zimmerman is an attorney in the Health Law Department of McDermott, Will