View PDF

The Office of Inspector General (OIG) has issued a Supplemental Compliance Guidance (SPG) for Hospitals in January of this year. The original guidance was issued by the OIG in 1998. The combination of information from these two sets of guidelines should be used to develop and update a hospital's Compliance Program. The SPG covers the importance of establishing internal controls for daily work activities, identifying fraud and abuse risk areas. It also outlines the elements of an effective Compliance Program for hospitals.

We view the SPG as a comprehensive set of traditional Internal Control Standards. These Standards issued by the OIG require hospitals to perform a risk assessment, introduce internal controls into key work processes, test the effectives of the internal controls, monitor the controls and perform routine audits.

Internal controls can be thought of as a series of checks and balances. For example, if services are delivered by a hospital to a patient, what controls are in place to insure that a claim is issued for those services?

A work process in a hospital is a series of activities designed to provide a service. Examples of work processes are all the tasks involved when a patient is registered or all the steps necessary to process a claim.

The OIG has taken the position that positive outcomes alone do not necessarily indicate that a series of activities has effective internal controls. The SPG requires hospitals to review and update their work processes in addition to monitoring them for positive outcomes.

The OIG has taken an aggressive micromanagement approach to assist hospitals in updating their Compliance Programs. Hospitals no longer have to wonder what areas are of importance to the OIG as part of their routine auditing efforts. The SPG suggests hospitals' internal control effectiveness may soon be measured against the Section 404 guidelines of the Sarbanes-Oxley regulations.

The SPG covers numerous fraud and abuse risk areas. The first and most important risk area is outpatient procedure coding. The OIG points out the need for internal controls to reduce risks in these work processes as follows: CPT codes are properly assigned to APC's; new rules for modifiers are followed; proper documentation support for medical records; following National Correct Coding Initiative (NCCI) guidelines and ensuring your Charge Description Master is routinely updated for coding changes.

The second risk area is admissions and discharges. The OIG points out the need for internal controls to reduce risks in these work processes to be as follows: failure to follow the "same day" rule; abuse of partial hospital payments for behavioral and mental health patients; same day discharges and readmissions; violation of CMS's post-acute transfer policy; and improper churning of patients by long-term care hospitals located in acute care hospitals.

The third risk area is supplemental payment considerations. The OIG points out the need for internal controls to reduce risks in these work processes to be as follows: improper reporting of "pass-through items;" abuse of DRG outlier payments; improper designation of "provider-based" entities; improper claims for clinical trials; improper claims for organ acquisition costs; improper claims for cardiac rehabilitation services; and failure to follow rules for payment of education activity costs.

The fourth risk area is the use of information technology. The OIG points out the need for internal controls to reduce risks in these work processes to be as follows: the Outpatient Prospective Payment System requires attention to billing, coding and information systems; HIPAA Security rules that govern electronic Protected Health Information (PHI) and all new computer systems and software need to be properly assessed.

The Physician Self-Referral Statute (Stark Law) requires the following from physicians and hospitals:

1. Qualify for an exception.


2. Understand fair market value compensation.


3. Insure adequate documentation.


4. Policies and procedures are in place.

The Stark Law now has a new limited exception for inadvertent, temporary instances of noncompliance. Qualifying for an exception does not guarantee compliance with the anti-Kickback statute, proper documentation exists to support compliance, and policies and procedures are in place.

Major areas of risk for hospitals under the Anti-kickback statute include the following: joint ventures; physician compensation arrangements; relationships with other health care entities; recruitment arrangements; discounts for services; medical staff credentialing; and malpractice subsidies. It is important for hospitals to try and utilize a safe harbor for each of the risk areas above to avoid potential liability.

The SPG indicates that gainsharing arrangements cannot encourage physicians to reduce or limit clinical services, may trigger the anti-kickback statute and should fit into the personal services safe harbor. In February 2005 the OIG approved five new gainsharing arrangements with Cardiologists and Cardiac Surgeons. These arrangements had the following program safeguards: limited duration; specific cost savings; no negative effect on patient care; included all payors; established baseline thresholds; supports product choice; avoids steering; documented in writing; and avoids shifting costs.

The SPG covered the Emergency Medical Treatment and Labor Act. The following key points were made by the OIG: an emergency condition cannot be delayed to inquire about a patient's payment or insurance status; hospital emergency departments may not transfer a patient who is unstable, unless a physician certifies the benefits outweigh the risks; a hospital must provide stabilizing treatment and reduce the risk of any patient being transferred; and the receiving facility must agree to the transfer of the patient.

The OIG can exclude a facility for providing unnecessary items or services or substandard items or services. The following issues relate to substandard care: knowledge nor intent is required for exclusion; the patient does not have to be a Medicare or Medicaid beneficiary; and Medicare participating hospitals must meet all of the Medicare hospital conditions of participation.

Relationships with federal health care beneficiaries were covered as follows: the OIG can impose civil money penalties on hospitals that offer or transfer remuneration to a Medicare or Medicaid beneficiary to influence the beneficiary to receive items or services that is paid for under Medicare or Medicaid. Other areas of concern included gifts and gratuities, cost-sharing waivers and free transportation. The SPG also indicated that a final rule may be pursued regarding free transportation and therefore, if certain conditions were met, no administrative sanctions would be imposed at the present time.

The SPG reviewed some key aspects of the HIPAA Privacy and Security Rules. The Privacy Rule addresses the use and disclosure of PHI with an effective date of April 14, 2003. The HIPAA Security Rule specifies a series of administrative, technical and physical safeguards for electronic PHI with an effective date of April 20, 2005.

The OIG addressed excessive over billing of Medicare or Medicaid substantially in excess of usual charges by focusing on the following areas of concern: discounts to uninsured patients; preventive care services; and professional courtesy. In most cases these areas did not pose significant fraud and abuse risks, however, hospitals requested guidance in reviewing these arrangements.

An effective hospital compliance program has the following elements: a Code of Conduct; examines program outcomes and their underlying work processes; designates a Compliance Officer and Compliance Committee; develops compliance policies and procedures; establishes open lines of communication; sets up appropriate training and education; perform routine monitoring and auditing; respond to detected deficiencies and enforce disciplinary standards.

Hospitals that have discovered "credible evidence" of misconduct should report it to the appropriate federal and state authorities within 60 days. Prompt reporting will demonstrate the hospital's good faith and willingness to work with the authorities to fix the problem, and will be considered a mitigating factor by the OIG.

We recommend that hospitals comply with the SPG by taking the following steps for the fraud and abuse areas noted:

1. Perform a risk assessment.


2. Document the work processes.


3. Set up a current list of internal controls for each work process.


4. Add, delete or modify the list of internal controls for each work process.


5. Test the internal controls for each work process.


6. Monitor the effectiveness of the internal controls for each work process.


7. Perform routine audits of each work process.