re-thinking risk assessment: are you counting the ants ... · re-thinking risk assessment: are you...
TRANSCRIPT
Re-Thinking Risk Assessment: Are You Counting the Ants While the Elephants Run By?
April 28, 2009
Karen Murray
Chief Compliance Officer
Yale New Haven Health System
Office of Privacy & Corporate
Compliance
New Haven, CT
Phone: 203-688-3369
Email: [email protected]
Stephen Gillis
Director, Office of Billing Compliance
MGH/MGPO
Boston, MA
Phone: 617-643-5711
Email: [email protected]
Phyllis A. Patrick
Compliance and Privacy Officer
Office of Privacy & Corporate
Compliance
Greenwich Hospital
Greenwich, CT 06830
Phone: 203-863-3783
Email: [email protected]
Kelly J. Sauders
Partner
Deloitte & Touche LLP
New York, NY
Phone: 212-436-3180
Email: [email protected]
Presented by Karen Murray
� Increased Enforcement
� MAC Data Mining
� Increased # of Government Audit
Do you know what your hospital departments are
currently auditing and monitoring with respect to compliance issues?
The Compliance Department should work to help hospital
department directors understand “their responsibilities” for
compliance within the department.
Hospital Department Risk AssessmentHospital Department Risk Assessment
Compliance professional should work in collaboration
with hospital department director (or designee) to research and identify what specific risks lie in the hospital
department?
Examples to begin research (external & internal risks):
• Review OIG Work Plan
• Recent Government Focus / Regulatory Review
• Review PEPPER Report
• Billing Software Interfaces
• CDM Accuracy
• HIPAA Compliance
Hospital Department Risk AssessmentHospital Department Risk Assessment
Hospital department and compliance professional work
together to develop list, analyze the level of risk and prioritize accordingly.
Larger organizations may have resources for utilization of a
software program and dedicated compliance professionals.
Hospital department develops “Department Work Plan”
focusing on top risk areas.
Size and complexity of the Department Work Plan will need
to be based on resources within both the hospital
department and the compliance department.
Developing the Hospital DepartmentDeveloping the Hospital Department
Work PlanWork Plan
General areas to consider for Monitoring Tool:� Description of risk area
� Period covered / sample size
� Findings
� Name of policies associated with risk area- revisions to policy needed based on findings
� Education provided
� Overpayment / underpayment
� Further actions
This tool should be completed by the hospital department
and shared with the Compliance Department. Findings
should be shared with the hospital compliance committee
(and the department compliance committee).
The risk remediation process should be
“operationalized” to the department day-to-day
activities.
Policies and procedures should accurately account
for the risk / regulation and provide clear and
practical instructions to the employee.
� Limited resources
� Lack of senior management
support
� Lack of hospital department
support
� Start small, pilot the process in a few
higher risk departments (e.g. lab,
radiology, coding)
� Important to educate on the benefits
and to obtain buy-in before beginning
the process.
� Educate on the benefits. Form special
committee of Hospital Department
Directors involved in the process to
assist with sharing of ideas. Also
consider adding department compliance responsibilities to job descriptions
Presented by Stephen Gillis
“The process of discovering meaningful new relationships, patterns and trends by sifting through data using pattern recognition technologies as well as statistical and mathematical techniques.”
- The Gartner Group
� Everyone else is looking at your data
� Puts logic/reason behind you compliance audit plan
� Validates findings through other assessment techniques
� Allows you to monitor patterns or trends concurrently
and prevent “big” problems
� Determine what data you want and for what purpose
• Identify areas to focus on “first pass”
• Dig into an area and conduct an audit “deep dive”
• Establish monitoring process that will enable you to
see previously identified patterns relatively quickly or identify new trends
� Stages in mining:
• Define potential risk(s)
• Define data population
• Obtain data and validate integrity
• Develop initial impressions and share
• Confirm initial impressions
� Identifying data sources
• Billing System
• Claim Editing System
• CMS Historical Data (identifiable and non-identifiable)
� MEDPAR (IP & OP)
� PEPPER
� Physician volume data by specialty
• American Hospital Directory free data
(www.AHD.com)
� By department, by practitioner (ordering or providing)
• Total amounts billed
• Total number of patients
• New service offering
� Per-patient averages
• Billing amounts
• Visit numbers
• Medical visits
• Medical test costs
� CPT codes
• Highest volume codes
• Highest reimbursement (not necessarily highest charges)
• Identified as industry risk area
• Previous audit result (internal or external)
• New service offering
• Data surfing
� Claim denials/rejections/pre-bill queues
• Incidental only
• Medical necessity
• Particular groups, MDs, codes, locations
• Date denials started
� Validate the accuracy/completeness of data before
sharing
� Understand business processes to help understand data
� Don’t jump to conclusions, confirm what you think the data is telling you
� Find out what the data tells other people
Presented by Kelly J. Sauders
� Now more than ever, arrangements with non-hospital
employed physicians in a position to refer patients are under regulatory scrutiny (e.g. CMS, OIG and other
requests for information e.g. DFRR)
� Entering into certain contractual arrangements with key physicians in the community is a priority for many
hospitals in competitive markets to maintain/increase
volume
� Hospitals often struggle between the need to “get deals done” and implementing compliance procedures to
monitor such arrangements on an on-going basis
� Medical directorships
� Office space leases
� On-call agreements
� Recruitment agreements
� Professional services agreements
� Services Joint Ventures
� “Pay for Performance” agreements
� Clinical research
� Gain Sharing arrangements
� GME/IME programs
� Practice management (full and individual component)
� Joint managed care contracting and care management/utilization review
(PHOs/IPAs)
� Provision of EMRs – special Stark exemption
� Expired contracts
� Financial arrangements lacking a written contract
� Undocumented modification of payment terms
� Contracts incorrectly outlining services to be provided
� Payment terms not meeting “fair market value”
� Contract term length not meeting regulatory requirements
� Undocumented physician faculty time
� Inadequate clinical and cost documentation to support gain sharing payments
� Creating and maintaining databases of all existing and new or renewed
arrangements
� Tracking remuneration to and from all parties to each arrangement
� Tracking service and activity logs to ensure parties to each arrangement are
performing the services required under the arrangement
� Requiring all “covered persons” to sign an agreement agreeing to abide by the
organization’s code of conduct in connection with arrangements
� Establishing and implementing a written policy and procedure regarding the
review and approval of all arrangements
� Requiring the compliance officer to conduct quarterly reviews of all existing,
new or renewed arrangements as well as a review of the internal review and
approval process
� Implementing effective responses when suspected violations of the Stark or
Anti-Kickback law are discovered.
� Consider conducting project under attorney-client privilege
� Use questionnaires/interviews to identify potential types of
arrangements
� List of current, active medical staff and all W2’s and 1099 forms
� Accounts payable (A/P) search
� Comparison of payroll to A/P data (e.g. potential duplicate
payments)
� Verify receipts from physicians (leases/rentals)
� Consider if your organization is providing staff, technology or other
services you need to know about, for example:
• Free or reduced cost IT/EMR, coding/billing services, etc.
• Support staff (administrative, nursing, housekeeping, etc.) in a
hospital-based office location that is a private practice
� Key elements to look for:• Written agreements with physicians.
• Documentation of fair-market value.
• Documentation of the business purpose or community need of a
financial agreement.
• Review and approval of the contract by legal counsel.
• Leadership and board of trustees' approval.
� Obtain and review your organization’s written policies and procedures used by legal and others around contracting with physicians
� Consider using interviews with leadership to narrow your scope (if you can)
� Start with data analysis, prioritize areas for review
� Consider the current environment (CMS requests, new 990 reporting, etc.) in weighing potential risks
Presented by Phyllis Patrick
� Trends in Disclosure Reporting• Cleveland Clinic (www.clevelandclinic.org)• Sarbanes Oxley• PhRMA Code on Interactions with Providers• AdvaMed/Device Industries – New Code of Ethics• Exemplary Reporting
� Inadequate Reporting and Monitoring of Conflicts of Interest; COI “Management” Issues
� Media and Public Interest� New Environment of Transparency
� Reputation
� Integrity
� Loss of Potential Funding Sources
� Financial Stability and Solvency
� Participation in Research
� Public Trust in Research Community
� Impact on Research Results and “Bench to Bedside”Implementation
Be aware of Unrecognized Risk
and Be alert to Unmanaged Risk
Permissive vs. Restrictive
Approaches
� Organizational Considerations
• Appetite for Risk
• Cultural Tolerance
• Consistency with Mission and Values
• Reaction to news/popular press regarding COI
• Champion(s)
� Resources
• Who does the work?
• Can you utilize existing processes (e.g., medical staff credentialing, board orientation)?
� Development of Policies
• Definitions – Conflict, Disclosure
• Professional Standards and Guidance (AMA, AdvaMed, PhRMA, NIH, ACP, etc.)
• Regulations
• Applicability: Patient Care, Research, Education
• Types of Conflicts (Advisory Board, consulting,
investment, honoraria, gifts, T&E, royalties, etc.)
� Participants
• Who is required to file?
• Role of Trustees, Medical Staff, Management, Purchasing, Research
• Fellows and Residents?
• What about Vendors and Contract Employees?
� Education and Training
• Policies and Requirements
• Expectations
• Full Disclosure – DISCLOSE! DISCLOSE!
DISCLOSE!
• Forms and Procedures
• Who receives training? In what venue(s)?
• Training must be ongoing
� Disclosure Data Collection Process
• Annual or Cyclical?
• Updates during the year?
• New Employees, Physicians, others
• Manual or Automated?
� Analysis and Documentation
• How to achieve 100% completion in a timely way –KISS!
• What data elements should be tracked? Trended?
• Manual or Automated? If automated, does this interface with collection process? Systems approaches?
• Results of analysis
• Data collection/retention policies and procedures
� Auditing and Monitoring the Results
• What are the appropriate roles for: Audit staff, Compliance, Legal, Medical Staff Leadership, Research Leadership, Senior Management, Board Committee?
• Committee Process(es)
• Different processes for Patient Care, Research, Education?
• Sanctions and Leverage (Incentives and Disincentives)
• Managing the Conflicts
� Communication of Results
• Who needs to know?
• How to disclose?
• How much to disclose?
• Confidentiality issues
• Disclosure to Patients? When? How?
� Management of Conflicts
• What constitutes “management”?
� Public disclosure
� Monitoring (independent reviewers)
� Modification (of the plan)
� Disqualification from participation
� Divestiture of significant financial interests
� Severance
� COI Management Plan