Re-Thinking Risk Assessment: Are You Counting the Ants While the Elephants Run By?

April 28, 2009

Karen Murray

Chief Compliance Officer

Yale New Haven Health System

Office of Privacy & Corporate

Compliance

New Haven, CT

Phone: 203-688-3369

Email: karen.murray@ynhh.org

Stephen Gillis

Director, Office of Billing Compliance

MGH/MGPO

Boston, MA

Phone: 617-643-5711

Email: sjgillis@partners.org

Phyllis A. Patrick

Compliance and Privacy Officer

Office of Privacy & Corporate

Compliance

Greenwich Hospital

Greenwich, CT 06830

Phone: 203-863-3783

Email: phyllisp@greenhosp.org

Kelly J. Sauders

Partner

Deloitte & Touche LLP

New York, NY

Phone: 212-436-3180

Email: ksauders@deloitte.com

Presented by Karen Murray

� Increased Enforcement

� MAC Data Mining

� Increased # of Government Audit

Do you know what your hospital departments are

currently auditing and monitoring with respect to compliance issues?

The Compliance Department should work to help hospital

department directors understand “their responsibilities” for

compliance within the department.

Hospital Department Risk AssessmentHospital Department Risk Assessment

Compliance professional should work in collaboration

with hospital department director (or designee) to research and identify what specific risks lie in the hospital

department?

Examples to begin research (external & internal risks):

• Review OIG Work Plan

• Recent Government Focus / Regulatory Review

• Review PEPPER Report

• Billing Software Interfaces

• CDM Accuracy

• HIPAA Compliance

Hospital Department Risk AssessmentHospital Department Risk Assessment

Hospital department and compliance professional work

together to develop list, analyze the level of risk and prioritize accordingly.

Larger organizations may have resources for utilization of a

software program and dedicated compliance professionals.

Hospital department develops “Department Work Plan”

focusing on top risk areas.

Size and complexity of the Department Work Plan will need

to be based on resources within both the hospital

department and the compliance department.

Developing the Hospital DepartmentDeveloping the Hospital Department

Work PlanWork Plan

General areas to consider for Monitoring Tool:� Description of risk area

� Period covered / sample size

� Findings

� Name of policies associated with risk area- revisions to policy needed based on findings

� Education provided

� Overpayment / underpayment

� Further actions

This tool should be completed by the hospital department

and shared with the Compliance Department. Findings

should be shared with the hospital compliance committee

(and the department compliance committee).

The risk remediation process should be

“operationalized” to the department day-to-day

activities.

Policies and procedures should accurately account

for the risk / regulation and provide clear and

practical instructions to the employee.

� Limited resources

� Lack of senior management

support

� Lack of hospital department

support

� Start small, pilot the process in a few

higher risk departments (e.g. lab,

radiology, coding)

� Important to educate on the benefits

and to obtain buy-in before beginning

the process.

� Educate on the benefits. Form special

committee of Hospital Department

Directors involved in the process to

assist with sharing of ideas. Also

consider adding department compliance responsibilities to job descriptions

Presented by Stephen Gillis

“The process of discovering meaningful new relationships, patterns and trends by sifting through data using pattern recognition technologies as well as statistical and mathematical techniques.”

- The Gartner Group

� Everyone else is looking at your data

� Puts logic/reason behind you compliance audit plan

� Validates findings through other assessment techniques

� Allows you to monitor patterns or trends concurrently

and prevent “big” problems

� Determine what data you want and for what purpose

• Identify areas to focus on “first pass”

• Dig into an area and conduct an audit “deep dive”

• Establish monitoring process that will enable you to

see previously identified patterns relatively quickly or identify new trends

� Stages in mining:

• Define potential risk(s)

• Define data population

• Obtain data and validate integrity

• Develop initial impressions and share

• Confirm initial impressions

� Identifying data sources

• Billing System

• Claim Editing System

• CMS Historical Data (identifiable and non-identifiable)

� MEDPAR (IP & OP)

� PEPPER

� Physician volume data by specialty

• American Hospital Directory free data

(www.AHD.com)

� By department, by practitioner (ordering or providing)

• Total amounts billed

• Total number of patients

• New service offering

� Per-patient averages

• Billing amounts

• Visit numbers

• Medical visits

• Medical test costs

� CPT codes

• Highest volume codes

• Highest reimbursement (not necessarily highest charges)

• Identified as industry risk area

• Previous audit result (internal or external)

• New service offering

• Data surfing

� Claim denials/rejections/pre-bill queues

• Incidental only

• Medical necessity

• Particular groups, MDs, codes, locations

• Date denials started

� Validate the accuracy/completeness of data before

sharing

� Understand business processes to help understand data

� Don’t jump to conclusions, confirm what you think the data is telling you

� Find out what the data tells other people

Presented by Kelly J. Sauders

� Now more than ever, arrangements with non-hospital

employed physicians in a position to refer patients are under regulatory scrutiny (e.g. CMS, OIG and other

requests for information e.g. DFRR)

� Entering into certain contractual arrangements with key physicians in the community is a priority for many

hospitals in competitive markets to maintain/increase

volume

� Hospitals often struggle between the need to “get deals done” and implementing compliance procedures to

monitor such arrangements on an on-going basis

� Medical directorships

� Office space leases

� On-call agreements

� Recruitment agreements

� Professional services agreements

� Services Joint Ventures

� “Pay for Performance” agreements

� Clinical research

� Gain Sharing arrangements

� GME/IME programs

� Practice management (full and individual component)

� Joint managed care contracting and care management/utilization review

(PHOs/IPAs)

� Provision of EMRs – special Stark exemption

� Expired contracts

� Financial arrangements lacking a written contract

� Undocumented modification of payment terms

� Contracts incorrectly outlining services to be provided

� Payment terms not meeting “fair market value”

� Contract term length not meeting regulatory requirements

� Undocumented physician faculty time

� Inadequate clinical and cost documentation to support gain sharing payments

� Creating and maintaining databases of all existing and new or renewed

arrangements

� Tracking remuneration to and from all parties to each arrangement

� Tracking service and activity logs to ensure parties to each arrangement are

performing the services required under the arrangement

� Requiring all “covered persons” to sign an agreement agreeing to abide by the

organization’s code of conduct in connection with arrangements

� Establishing and implementing a written policy and procedure regarding the

review and approval of all arrangements

� Requiring the compliance officer to conduct quarterly reviews of all existing,

new or renewed arrangements as well as a review of the internal review and

approval process

� Implementing effective responses when suspected violations of the Stark or

Anti-Kickback law are discovered.

� Consider conducting project under attorney-client privilege

� Use questionnaires/interviews to identify potential types of

arrangements

� List of current, active medical staff and all W2’s and 1099 forms

� Accounts payable (A/P) search

� Comparison of payroll to A/P data (e.g. potential duplicate

payments)

� Verify receipts from physicians (leases/rentals)

� Consider if your organization is providing staff, technology or other

services you need to know about, for example:

• Free or reduced cost IT/EMR, coding/billing services, etc.

• Support staff (administrative, nursing, housekeeping, etc.) in a

hospital-based office location that is a private practice

� Key elements to look for:• Written agreements with physicians.

• Documentation of fair-market value.

• Documentation of the business purpose or community need of a

financial agreement.

• Review and approval of the contract by legal counsel.

• Leadership and board of trustees' approval.

� Obtain and review your organization’s written policies and procedures used by legal and others around contracting with physicians

� Consider using interviews with leadership to narrow your scope (if you can)

� Start with data analysis, prioritize areas for review

� Consider the current environment (CMS requests, new 990 reporting, etc.) in weighing potential risks

Presented by Phyllis Patrick

� Trends in Disclosure Reporting• Cleveland Clinic (www.clevelandclinic.org)• Sarbanes Oxley• PhRMA Code on Interactions with Providers• AdvaMed/Device Industries – New Code of Ethics• Exemplary Reporting

� Inadequate Reporting and Monitoring of Conflicts of Interest; COI “Management” Issues

� Media and Public Interest� New Environment of Transparency

� Reputation

� Integrity

� Loss of Potential Funding Sources

� Financial Stability and Solvency

� Participation in Research

� Public Trust in Research Community

� Impact on Research Results and “Bench to Bedside”Implementation

Be aware of Unrecognized Risk

and Be alert to Unmanaged Risk

Permissive vs. Restrictive

Approaches

� Organizational Considerations

• Appetite for Risk

• Cultural Tolerance

• Consistency with Mission and Values

• Reaction to news/popular press regarding COI

• Champion(s)

� Resources

• Who does the work?

• Can you utilize existing processes (e.g., medical staff credentialing, board orientation)?

� Development of Policies

• Definitions – Conflict, Disclosure

• Professional Standards and Guidance (AMA, AdvaMed, PhRMA, NIH, ACP, etc.)

• Regulations

• Applicability: Patient Care, Research, Education

• Types of Conflicts (Advisory Board, consulting,

investment, honoraria, gifts, T&E, royalties, etc.)

� Participants

• Who is required to file?

• Role of Trustees, Medical Staff, Management, Purchasing, Research

• Fellows and Residents?

• What about Vendors and Contract Employees?

� Education and Training

• Policies and Requirements

• Expectations

• Full Disclosure – DISCLOSE! DISCLOSE!

DISCLOSE!

• Forms and Procedures

• Who receives training? In what venue(s)?

• Training must be ongoing

� Disclosure Data Collection Process

• Annual or Cyclical?

• Updates during the year?

• New Employees, Physicians, others

• Manual or Automated?

� Analysis and Documentation

• How to achieve 100% completion in a timely way –KISS!

• What data elements should be tracked? Trended?

• Manual or Automated? If automated, does this interface with collection process? Systems approaches?

• Results of analysis

• Data collection/retention policies and procedures

� Auditing and Monitoring the Results

• What are the appropriate roles for: Audit staff, Compliance, Legal, Medical Staff Leadership, Research Leadership, Senior Management, Board Committee?

• Committee Process(es)

• Different processes for Patient Care, Research, Education?

• Sanctions and Leverage (Incentives and Disincentives)

• Managing the Conflicts

� Communication of Results

• Who needs to know?

• How to disclose?

• How much to disclose?

• Confidentiality issues

• Disclosure to Patients? When? How?

� Management of Conflicts

• What constitutes “management”?

� Public disclosure

� Monitoring (independent reviewers)

� Modification (of the plan)

� Disqualification from participation

� Divestiture of significant financial interests

� Severance

� COI Management Plan