Compliance

Compliance 360, providers of a governance, compliance, accreditation, and audit software solution, have just added a new module to the already impressive array of features.  The new module helps healthcare organizations navigate the increasingly important world of claims audits.  As many of our readers will know, CMS rolled out a pilot program to attempt to get back a portion of the billions lost to overstated Medicare Claims through a program known as "Recovery Audit Contractor" ("RAC").  As the company's Web page on the module notes, the new module "has been designed for managing a wide variety of claims audits including the Medicare Recovery Audit Contractor (RAC) program, Medicare Program Safeguard Contractor (PSC) audits, Medicare Comprehensive Error Rate Testing (CERT) audits, Medicaid Integrity Contractor (MIC) audits, Medicaid Fraud Control Unit (MFCU) audits and other forms of claims audits."  Click here to see the full description of the audit.

In the 5-minute video, below, I talk a bit about how I came to know Compliance 360's compliance and accreditation software in some of its earliest iterations, and why I continue to recommend the product and the people to my clients who need a comprehensive compliance software solution.  

This standard provides:

The organization has a clearly defined organizational structure outlining direct and indirect oversight responsibility throughout the organization.

It is rather easy to demonstrate your compliance with Core 1 – submit organization charts.  However, you’ll save yourself some trouble if you are mindful about how complete your organization charts.  We recommend that the chart(s) you submit include:
•    All the relevant supervisory relationships among managers
•    The medical director
•    All the relevant committees

As an accreditation consultant and regulatory compliance consultant, I am often called upon by my clients to help them evaluate investments in compliance. Sometimes the question is, "what is the best software for managing our documents?" Sometimes I'm asked "how much should we think about expanding our compliance staff?"

In most cases, though, the question of "return on investment", or ROI, comes in. I thought I'd take this opportunity to write down some of my thoughts the initial considerations in this analysis, inspired in part by a project I'm working on and in part by a conversation I had last night with my long-time friend and colleague Guy D'Andrea, CEO of Discern Consulting. Guy is one of the most thoughtful people I know on this subject, and our back-and-forth got me cranked up about this topic.

As a backdrop to this topic, it's important to remember that compliance activities are all about mitigating the risk of infrequently-occurring events. Despite the daily exposure to the risk, a company can go months or even years without incurring a regulatory fine, suffering a penalty in an accreditation process, or being hammered by an unfavorable jury verdict. The typical state insurance regulatory market conduct exam occurs once every four years; accreditation cycles can be as long as three years; adverse jury verdicts can be years apart, or not occur at all. This can make the assessment of the value of compliance activities not only difficult, but difficult to bring to the attention of decision-makers.

Another issue to address at the outset is definitional -- what, precisely, do we mean by "compliance investment"? While a comprehensive list would be too long to be useful, there are some broad categories:

• Staffing costs, both in terms of size of the compliance staff and in terms of time spent by non-compliance staff spending time on compliance activities;
• Consultant costs, including lawyers, accountants, accreditation consultants, compliance consultants, and software consultants;
• Information systems, including the cost of hardware and software, not only for software dedicated to managing compliance activities (such as Compliance 360's products) but also for sometimes-needed enhancements to operational software in order to meet regulatory and accreditation requirements.

What are the risks against which companies are protecting themselves by compliance activities? Again, the detailed list too long to be bloggable, but here are some categories:

• Regulatory (state vs. federal; industry-specific vs. general requirements)
• Accreditation
• Litigation
• Business (bad regulatory, accreditation, or litigation news can have profound business impact, both in terms of the stochastic shock in the short run that can result from such news and more long-lasting, reputational impact).

The possible benefits of new, increased, or redesigned investment in compliance activities is another issue that needs to be raised at the outset. Again, broad categories only:

• Reduced frequency of bad events
• Reduced severity of bad events
• Greater efficiency -- "more bang for the buck", perhaps even compliance cost reductions
• Intangibles, such as improved performance and performance monitoring.

OK, that's a good start. I'll do some more writing about this in the next few days, I suspect, but this at least sets forth some initial considerations. Stay tuned, and please let me know what I've left out by commenting on this blog, if you're feeling so inspired!

What happens when accreditation standards are different that state or federal laws?

It depends on whether the law is more rigorous than the URAC standard. If the law or regulation is tougher on the applicant than the standard, comply with the law. If the accreditation standard is tougher, comply with the standard.

If the law or regulation prohibits the applicant from following URAC's standard, you'll need to apply for a regulatory variance in your application. To do this, you must submit a copy of the law or regulation and any other information that would be helpful to communicate to the URAC reviewer that to comply with URAC would violate the law.

What will not fly is the preference of the applicant's lawyer. I was once told by an applicant that its general counsel had advised the company not to provide providers with the dispute resolution rights required by URAC's Health Network standards. When I spoke to the general counsel, he explained that state law didn't prohibit the giving of such rights, only that the giving of dispute resolution rights might give rise to litigation. This is not grounds for a variance, only for a good chuckle.

URAC's standard requiring that all clinical applicants have implemented a compliance program first appeared in Core v. 1.0. It remains, unchanged, in the current version 2.0:

The organization implements a regulatory compliance program that:

(a) Tracks applicable laws and regulations in the jurisdictions where the organization conducts business; and

(b) Ensures the organization's compliance with applicable laws and regulations.

So, what does this all mean? In a nutshell, to have an effective compliance program under this standard, you need to know what laws and regulations apply to you organization and have robust mechanisms to assure that these laws and regulations are consistently obeyed by your employees and agents.

I was conducting reviews for URAC at the time, and, at the request of my fellow reviewers, developed some guidelines to help flesh out the meaning behind this rather bare-bones standard. I leaned on the recently released revisions to the Federal Sentencing Guidelines, and came up with what you'll see in the Program Guide:

"Elements of a corporate compliance program include:

• standards and procedures to detect non-compliant conduct by employees and agents;
• promotion of an organizational culture to encourage ethical conduct and a commitment to compliance with the law;
• reasonable oversight by the governing body of the compliance program;
• clear designation of individuals accountable for the organization’s compliance;
• systems for assuring that both hiring and compensation practices encourage the creation and maintenance of a compliant work force;
• the existence of appropriate reporting and disciplinary mechanisms for instances of misconduct;
• ongoing training of employees and managers on the organization’s standards;
• monitoring and auditing to detect misconduct;
• periodic evaluation of the organization’s compliance program;
• post hoc analyses of instances of misconduct to determine whether a systemic change is suggested by the problem; and
• periodic assessment of risk and establishment of compliance priorities

Core 19 applies to both state and federal regulations that are applicable to the program standards."

In the application, all you need do is submit a coherent and comprehensive compliance plan as well as some evidence that you have a decent mechanism for tracking laws and regulations that apply to your organization.

The challenge is in the onsite interview. Typically, in a URAC review, the interview of the compliance officer is brief, usually less than one hour. How can you assure that this interview goes well? Well, if your compliance staff can answer these questions and produce the requested documentation, you'll probably do pretty well:

• How do you track the existing laws and regulations that apply to your company? By what process do you incorporate the requirements of such laws and regulations into the policies and procedures of the company? Please show records demonstrating this tracking mechanism. In addition, please show documentation demonstrating the incorporation of laws and regulations into corporate P&Ps.
• How do you track changes in or new laws and regulations (both state and federal) that apply to your company? By what process do you incorporate the requirements of such laws and regulations into the policies and procedures of the company? Please show records demonstrating this tracking mechanism. In addition, please show documentation demonstrating the incorporation of laws and regulations into corporate P&Ps.
• Please describe your company’s program, including any standards and procedures, to detect non-compliant conduct by employees and agents. Please produce documents that confirm that you implement such standards and procedures.
• What does your company do to promote an organizational culture to encourage ethical conduct and a commitment to compliance with the law? Please describe the role of your governing body in the oversight of the compliance program. Can you produce minutes of meetings of that governing body that would substantiate that it is involved in compliance oversight?
• Who is accountable for the organization’s compliance? Please describe, and produce supporting documentation, of your company’s systems for assuring that both hiring and compensation practices encourage the creation and maintenance of a compliant work force.
• How do you let employees and agents know of the existence of appropriate reporting and disciplinary mechanisms for instances of misconduct? Please produce documentary evidence of such notice to employees and agents, as well as any tracking mechanisms for such reporting. How do you track your company’s program of ongoing training of employees and managers on the organization’s standards? Please produce documentation showing those tracking processes.
• How does your organization monitor and audit to detect misconduct? Who conducts such monitoring and auditing activities? Please produce reports to support this. To whom do these people report the results of their monitoring and auditing activities? Does your organization engage in periodic evaluation of the organization’s compliance program? Who conducts such an assessment? Please produce documentation demonstrating that periodic evaluation.
• Does your organization conduct post hoc analyses of instances of misconduct to determine whether a systemic change is suggested by the problem? Please show records of such analyses. Please describe, and provide supporting documentation, of your organization’s periodic assessment of risk and establishment of compliance priorities.

One last thing -- if a URAC reviewer finds that you haven't complied with a standard that has regulatory ramifications (e.g., clinical licensure), you'll also lose points on this standard and probably find yourself in conditional accreditation -- if not worse.