BY MICHAEL J. MCLAFFERTY CPA, MBA, CHFP, FACMPE
DIRECTOR, HEALTHCARE

The Office of Inspector General (OIG) has issued a Supplemental Compliance Guidance (SPG) for Hospitals in January of this year. The original guidance was issued by the OIG in 1998. The combination of information from these two sets of guidelines should be used to develop and update a hospital's Compliance Program. The SPG covers the importance of establishing internal controls for daily work activities, identifying fraud and abuse risk areas. It also outlines the elements of an effective Compliance Program for hospitals.

We view the SPG as a comprehensive set of traditional Internal Control Standards. These Standards issued by the OIG require hospitals to perform a risk assessment, introduce internal controls into key work processes, test the effectives of the internal controls, monitor the controls and perform routine audits.

Internal controls can be thought of as a series of checks and balances. For example, if services are delivered by a hospital to a patient, what controls are in place to insure that a claim is issued for those services?

A work process in a hospital is a series of activities designed to provide a service. Examples of work processes are all the tasks involved when a patient is registered or all the steps necessary to process a claim.

The OIG has taken the position that positive outcomes alone do not necessarily indicate that a series of activities has effective internal controls. The SPG requires hospitals to review and update their work processes in addition to monitoring them for positive outcomes.

The OIG has taken an aggressive micromanagement approach to assist hospitals in updating their Compliance Programs. Hospitals no longer have to wonder what areas are of importance to the OIG as part of their routine auditing efforts. The SPG suggests hospitals' internal control effectiveness may soon be measured against the Section 404 guidelines of the Sarbanes-Oxley regulations.

The SPG covers numerous fraud and abuse risk areas. The first and most important risk area is outpatient procedure coding. The OIG points out the need for internal controls to reduce risks in these work processes as follows: CPT codes are properly assigned to APC's; new rules for modifiers are followed; proper documentation support for medical records; following National Correct Coding Initiative (NCCI) guidelines and ensuring your Charge Description Master is routinely updated for coding changes.

The second risk area is admissions and discharges. The OIG points out the need for internal controls to reduce risks in these work processes to be as follows: failure to follow the "same day" rule; abuse of partial hospital payments for behavioral and mental health patients; same day discharges and readmissions; violation of CMS's post-acute transfer policy; and improper churning of patients by long-term care hospitals located in acute care hospitals.

The third risk area is supplemental payment considerations. The OIG points out the need for internal controls to reduce risks in these work processes to be as follows: improper reporting of "pass-through items;" abuse of DRG outlier payments; improper designation of "provider-based" entities; improper claims for clinical trials; improper claims for organ acquisition costs; improper claims for cardiac rehabilitation services; and failure to follow rules for payment of education activity costs.

The fourth risk area is the use of information technology. The OIG points out the need for internal controls to reduce risks in these work processes to be as follows: the Outpatient Prospective Payment System requires attention to billing, coding and information systems; HIPAA Security rules that govern electronic Protected Health Information (PHI) and all new computer systems and software need to be properly assessed.

The Physician Self-Referral Statute (Stark Law) requires the following from physicians and hospitals:

1. Qualify for an exception.


2. Understand fair market value compensation.


3. Insure adequate documentation.


4. Policies and procedures are in place.

The Stark Law now has a new limited exception for inadvertent, temporary instances of noncompliance. Qualifying for an exception does not guarantee compliance with the anti-Kickback statute, proper documentation exists to support compliance, and policies and procedures are in place.

Major areas of risk for hospitals under the Anti-kickback statute include the following: joint ventures; physician compensation arrangements; relationships with other health care entities; recruitment arrangements; discounts for services; medical staff credentialing; and malpractice subsidies. It is important for hospitals to try and utilize a safe harbor for each of the risk areas above to avoid potential liability.

The SPG indicates that gainsharing arrangements cannot encourage physicians to reduce or limit clinical services, may trigger the anti-kickback statute and should fit into the personal services safe harbor. In February 2005 the OIG approved five new gainsharing arrangements with Cardiologists and Cardiac Surgeons. These arrangements had the following program safeguards: limited duration; specific cost savings; no negative effect on patient care; included all payors; established baseline thresholds; supports product choice; avoids steering; documented in writing; and avoids shifting costs.

The SPG covered the Emergency Medical Treatment and Labor Act. The following key points were made by the OIG: an emergency condition cannot be delayed to inquire about a patient's payment or insurance status; hospital emergency departments may not transfer a patient who is unstable, unless a physician certifies the benefits outweigh the risks; a hospital must provide stabilizing treatment and reduce the risk of any patient being transferred; and the receiving facility must agree to the transfer of the patient.

The OIG can exclude a facility for providing unnecessary items or services or substandard items or services. The following issues relate to substandard care: knowledge nor intent is required for exclusion; the patient does not have to be a Medicare or Medicaid beneficiary; and Medicare participating hospitals must meet all of the Medicare hospital conditions of participation.

Relationships with federal health care beneficiaries were covered as follows: the OIG can impose civil money penalties on hospitals that offer or transfer remuneration to a Medicare or Medicaid beneficiary to influence the beneficiary to receive items or services that is paid for under Medicare or Medicaid. Other areas of concern included gifts and gratuities, cost-sharing waivers and free transportation. The SPG also indicated that a final rule may be pursued regarding free transportation and therefore, if certain conditions were met, no administrative sanctions would be imposed at the present time.

The SPG reviewed some key aspects of the HIPAA Privacy and Security Rules. The Privacy Rule addresses the use and disclosure of PHI with an effective date of April 14, 2003. The HIPAA Security Rule specifies a series of administrative, technical and physical safeguards for electronic PHI with an effective date of April 20, 2005.

The OIG addressed excessive over billing of Medicare or Medicaid substantially in excess of usual charges by focusing on the following areas of concern: discounts to uninsured patients; preventive care services; and professional courtesy. In most cases these areas did not pose significant fraud and abuse risks, however, hospitals requested guidance in reviewing these arrangements.

An effective hospital compliance program has the following elements: a Code of Conduct; examines program outcomes and their underlying work processes; designates a Compliance Officer and Compliance Committee; develops compliance policies and procedures; establishes open lines of communication; sets up appropriate training and education; perform routine monitoring and auditing; respond to detected deficiencies and enforce disciplinary standards.

Hospitals that have discovered "credible evidence" of misconduct should report it to the appropriate federal and state authorities within 60 days. Prompt reporting will demonstrate the hospital's good faith and willingness to work with the authorities to fix the problem, and will be considered a mitigating factor by the OIG.

We recommend that hospitals comply with the SPG by taking the following steps for the fraud and abuse areas noted:

1. Perform a risk assessment.


2. Document the work processes.


3. Set up a current list of internal controls for each work process.


4. Add, delete or modify the list of internal controls for each work process.


5. Test the internal controls for each work process.


6. Monitor the effectiveness of the internal controls for each work process.


7. Perform routine audits of each work process.

BY MAUREEN A. DOHERTY, CPC, CPC-H
SUPERVISOR, HEALTHCARE SERVICES

The Healthcare Services Group has been actively involved in healthcare litigation work. Our certified coders have worked directly with healthcare attorneys in the following key areas:

Fraud and Abuse

Over the past two years there has been a significant increase in fraud and abuse audits requested by both governmental and commercial payors as well as the Office of Inspector General (OIG).

The most common reason for the audits has been for coding a disproportionately high volume of high-level Evaluation and Management (E&M) codes that result in increased reimbursement for the practice.

An analysis of the group's billing compliance practices along with a review of the medical charts and billing records are reviewed to determine the appropriateness of the codes billed.

It has been our experience that in most instances the documentation in the patient's chart did not support the coding billed. In this situation or in a situation where it appeared that there were fraudulent billings submitted, we have helped to mitigate the damages due.

It is important for a practice to provide coding and documentation education for the physicians and staff, coding utilization reviews and a billing compliance program to lessen the chance of being audited.

Managed Care Payor Issues

The Healthcare Services Group has worked with numerous practices to determine damages against managed care companies for improper claims processing and payment procedures.

The areas that have been most prevalent are the processing of incorrect reimbursement to the provider based on their contract, re-caps taken by the insurance company in error, down-coding, late payments and inappropriate denials.

Physicians Working With a Management Company

Physicians have entered into contracts with a management company that failed to provide the proper billing services that would benefit the physician. The improper billing services varied from incorrect posting of charges, which created a large volume of claims denials, excessive and non-authorized adjustments incorrect fee schedules for one practice and fraudulent billing for another practice. This resulted in the management company continuing to bill their management fees in excess of the physician's collections per month.

HEALTH CLAIMS AUTHORIZATION, PROCESSING AND PAYMENT ACT

BY LEWIS D. BIVONA CPA
MANAGER, HEALTHCARE SERVICES

Passed on 1/12/06, Public Law 2005, Chapter 352 provides some relief to hospitals and physicians relating to how payors authorize, process and pay claims. The guidance provided in the new law will become effective 180 days from the adoption or 7/11/06. Key provisions include:

1. The health insurer must respond to a hospital or physician's request for authorization of service by either approving or denying the request based on a utilization management decision. Any denial of a request or limitation imposed by a payer on a requested service must be made by a State-licensed physician and must be communicated within the time frames provided in the bill. If the payer does not respond to the request within the applicable time frame, the request shall be deemed approved, and the payer shall be responsible for payment of the covered services. Payment of services provided by a network hospital shall be based on the contracted rate.



2. The law requires payers to provide, through an Internet website, information that describes the payers' utilization management and claims processing and payment policies. The information or changes in the information must be posted 30 days before becoming effective.



3. Health care providers are authorized to appeal on behalf of a covered person, only with the covered person's consent, a payer's utilization management decision to the Independent Health Care Appeals Program established pursuant to section 11 of P.L.1997, c.192 (C.26:25-11). The consent may be obtained at any time and may be revoked by the covered person at any time. Currently under regulation, health care providers are authorized to appeal on a covered person's behalf with his consent. The provider shall notify the covered person as to the progress of the appeal and shall bear all costs associated with the appeal that are normally paid by the covered person. These do not change the type of appeals that can be accepted into the appeals process.



4. A claim, so long as it meets the standards set forth in the bill, must be paid within 30 days, if the claim was submitted electronically, or 40 days, if it was submitted by means other than electronic form. If a claim is not paid within 30 or 40 days, as applicable, the payer shall communicate to the health care provider the reasons, as enumerated in the bill, the claim will not be paid.



5. The bill requires early notification of nonpayment claims that cannot be adjudicated because of missing diagnosis coding or any other missing data. The payer shall electronically notify a health care provider or its agent within 7 days if an electronically submitted claim is missing various technical data. After receiving the data, the payer has 30 days to pay the claim or notify the provider of nonpayment.



6. A claim will be considered overdue if the submitting health care provider is not paid or notified of nonpayment within the time frames established in the bill. Overdue claims shall accrue interest at 12% per annum, up from the previous 10%.



7. Except in cases of fraud, the bill limits to 18 months the time frame in which a payer can seek reimbursement from a provider for overpayment of a claim. Likewise, a health care provider shall only seek reimbursement for underpayment of a claim within 18 months from the date the first payment was received. The bill describes the circumstances in which the payer may seek reimbursement and the procedures through which the payer may collect the reimbursement funds.



8. The bill established a two-part appeals process to resolve disputes concerning compliance with the provisions regarding utilization management and the processing and payment of claims. No dispute concerning medical necessity, which is eligible to be submitted to the Independent Health Care Appeals Program, shall be subject to the appeal process established by the bill. The process involves an internal appeals mechanism, and if applicable, is followed by nonappealable, binding arbitration conducted by an independent arbitrator contracted by the Commissioner of Banking and Insurance.



9. The Commissioner is empowered to enforce the provisions of the bill concerning utilization management and claims processing and payment, and the bill sets forth civil penalties for violation of the bill's provisions.



10. To increase the efficiency of claims processing and payment, the bill requires an advisory board already established under law to make recommendations to include a Statewide policy on electronic health records with the State's health information electronic data interchange technology policy. Further, any State department that uses medical records or health care claims shall participate on the board, and if asked, provide assistance to Thomas Edison State College in its project to monitor the effectiveness of the State's health information technology policy.

HEALTHCARE ORGANIZATIONS START TO ADOPT SARBANES-OXLEY REGULATIONS

BY GEORGINA Y. MENDOZA MHA
SUPERVISOR, HEALTHCARE SERVICES

Congress passed the Sarbanes-Oxley Act of 2002 as a result of several financial scandals that were reported in the for-profit industry sector. It represents the beginning of a new era for improved quality and "corporate responsibility." Companies that report to the Securities and Exchange Commission (SEC) are now required to comply with a new set of standards for good corporate governance.

Evaluation of Internal Controls

Section 404 of the Sarbanes-Oxley Act of 2002 requires: a) that organizations include management's assessment on the company's "internal control over financial reporting" in their annual report; and b) that the company's external auditors audit and report on management's assessment and the effectiveness of the company's internal control.

Although these requirements are designed for SEC reporting companies, these standards are certainly making their way to the healthcare industry in order to establish higher standards of conduct and reduce liability. Several states are now incorporating some of the SOX provisions into their legislation and some hospitals have even begun to implement some sections of Sarbanes-Oxley as best practices for their organizations.

Internal Controls can mean different things to different people. Internal Control over financial reporting is defined by the AICPA SEC Rule 13a-15f as a process designed by, or under the supervision of, the issuer's principle executive and principle financial officer, or persons performing similar functions. It is effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statement for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

1. Maintain records in reasonable detail that accurately and fairly reflect the transactions and dispositions of the assets of the issuer;


2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with authorizations of management and directors of the issuer; and


3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisitions, use or disposition of the issuer's assets that could have a material affect on the financial statements.

Internal controls reside along an entire process of a cycle from beginning to end. Effective internal controls ensure accurate financial reporting, help reduce the loss of resources and increase performance and an organization's ability to achieve its targets. They are methods of providing security over financial transactions and segregation of duties.

Aligning Best Practices and Implementing Internal Controls

There are a lot of similarities between Sarbanes-Oxley requirements and Healthcare Compliance programs. It is important to identify the differences between them in order to develop one framework with which to work.

Begin by mapping out the requirements and then re-examine the current processes in place for gathering information and monitoring procedures.

Internal Audit Program Components

Phase 1: Planning & Scoping

• Conduct a review of the current business processes and the Information Technology environment.


• Identify and interview key process owners to understand the process flow and key transactions.


• Document the current process flow.

• Assess and measure the risks in each process.


• Verify that transactions are complete, accurate and valid.


• Identify any significant events that would create an impact on existing controls.

• Evaluate the operating effectiveness of a control by determining if the control is operating as designed and if the person performing the control has the necessary authority and qualifications to perform the control effectively.

• Test controls using a combination of inquiry, observation, examination (inspection) and re-performance of the procedure / control.

• Try to understand any exceptions to a control procedure that are discovered during the testing of a manual or automated control.

• Outline the audit steps performed, provide audit ratings, findings and recommendations for remediation.


• Monitor the progression of any actions taken for remediation with management and key process owners.