Enforcement and Guidance Efforts Serve as Reminder: Re-evaluate and Update Your Compliance Plans

Laboratories should revisit their compliance programs now that the government has released its latest report on the success of its fraud-fighting efforts as well as new compliance guidance for health care governing Boards. The Departments of Justice (DOJ) and Health and Human Services (HHS) recently revealed that their fraud prevention and enforcement efforts recovered $3.3 billion in taxpayer dollars in fiscal year (FY) 2014. For every dollar spent, the government recovered $7.70, an "extraordinary" return on investment, according to the Departments' joint announcement. They will continue to escalate their efforts, using increased funding, new authority granted by the Affordable Care Act, more real-time data analytics, and continued use of the False Claims Act, which provided $2.3 billion in civil settlements and judgments involving claims against the Medicare and Medicaid programs in FY 2014. In addition, on April 20, HHS' Office of Inspector General (OIG) released a compliance guidance document created through the joint efforts of the OIG, the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA). The document, titled Practical Guidance for Health Care Governing Boards on Compliance Oversight, assists governing Boards of health care entities in their oversight of compliance plans. While the intended audience of the new tool is governing Boards, the document offers anyone with a compliance role insight and ideas for improving compliance within their laboratory or other health care organization. According to a press release, the 19-page document is an educational resource that will benefit compliance officers, auditors and legal counsel in addition to the Boards to which they report and can be adapted for organizations of all sizes. The guidance is the OIG's latest advice for health care Boards, since its last offering in 2012, titled "Toolkit for Health Care Boards." "OIG seeks to provide meaningful guidance to the public on a variety of issues. We published three previous guidance documents regarding Board governance [in conjunction with AHLA, see Box, p. 8] but much has changed since that time," Katherine Matos, senior counsel, Office of the Counsel for the Inspector General, explains. In addition, while prior guidance documents included suggested questions for directors or areas of inquiry, this new guidance includes tools and tips and provides "practical ideas that Boards can use," Matos points out. "This most recent document is a tool to [help] governing Boards responsibly carry out their compliance oversight obligations, and is applicable across the health care industry," she adds. The introduction explains: "A critical element of effective oversight is the process of asking the right questions of management to determine the adequacy and effectiveness of the organization's compliance program, as well as the performance of those who develop and execute that program and to make compliance a responsibility for all levels of management." The guidance also explains the interrelationship between and individual importance of the following compliance functions: compliance, legal, internal audit, human resources and quality improvement. The areas of focus addressed in the guidance include: expectations for Board oversight, compliance roles, reporting to the Board, identifying and auditing risk areas, and encouraging accountability. The document recommends using existing guidance materials available to Boards and compliance professionals as "benchmarks" for evaluating the effectiveness of their compliance plans—including the Federal Sentencing Guidelines, OIG compliance program guidance and Corporate Integrity Agreements (CIA). While a CIA is an agreement that entities enter into once they have already gotten in trouble, the measures negotiated into these agreements "may be helpful resources for Boards seeking to evaluate their organizations' compliance programs," the guidance says. Suggestions for facilitating management's compliance reporting directly to governing Boards include use of dashboards and executive sessions and the document discusses methods for keeping tabs on current compliance risks, including sources such as compliance hotlines and internal audits as well as "professional organization publications, OIG-issued guidance, consultants, competitors, or news media." The guidance also advises: "When failures or problems in similar organizations are publicized, Board members should ask their own management teams whether there are controls and processes in place to reduce the risk of, and to identify, similar misconduct or issues within their organizations." It's worth noting that among the top risk areas highlighted, the first issue mentioned is referral relationships and arrangements—an issue of significant relevance to laboratories particularly in light of last year's fraud alert and current enforcement efforts targeting such relationships. Other risk areas highlighted were billing, privacy breaches and quality-related events. Highlighting the potential for "new incentives and compliance risks" created by current health care reform efforts, the guidance notes: "New payment models have also incentivized consolidation among health care providers and more employment and contractual relationships (e.g., between hospitals and physicians)." Laboratory compliance professionals should heed the guidance's suggestion that "Boards of entities that have financial relationships with referral sources or recipients should ask how their organizations are reviewing these arrangements for compliance with the physician self-referral (Stark) and anti-kickback laws." The guidance also highlighted increasing transparency, with the availability of data from CMS on quality measures, payment data and the Sunshine rule providing public access to more information than ever before. The OIG and its collaborators encourage Boards to "consider all the beneficial uses of this newly available information" for evaluating compliance and establishing benchmarks. Finally, Boards are urged to consider and employ measures to incentivize compliant behavior and create a culture of compliance, while conducting self-evaluations and, when necessary, self-reporting non-compliance and repaying overpayments. "We hope Boards will view this document as a toolkit, and use the practical tips included to foster enterprise-wide compliance within their organizations," says Matos. The new Board guidance is also meant to dovetail with the OIG's existing specific compliance guidances for labs and other providers, which the OIG issued in 1998 but which the OIG still relies on today. That guidance is designed to establish a culture of compliance that promotes prevention, detection and resolution of instances of unlawful conduct or activities that are against a lab's ethical and business policies. "The compliance program guidance documents are directed to present a set of industry-specific guidelines for consideration when developing or implementing a compliance program. Since management generally develops and implements the compliance program, this [lab-specific] document is most helpful for them, although Boards may also review these documents as part of their self-education," says Matos. The OIG's compliance guidance is technically "voluntary." However, having and using a compliance program can not only prevent billing and other problems; it can also demonstrate good faith if a problem is uncovered internally or during an investigation and thereby reduce or avoid penalties. A compliance program also helps a lab minimize loss, identify and prevent wrongful conduct, and develop methodologies that encourage employees to report potential problems, according to the guidance.
Evidence that compliance programs reduce risks, save money Compliance programs do bear fruit. For example, Houston, Texas-based Memorial Hermann Hospital System recently learned that one of its employees had embezzled the System out of nearly $10 million over 14 years in a false invoicing scheme. But the System only learned of the embezzlement because the system's chief compliance officer had received an anonymous letter alerting him to it. Had there not been a compliance officer and an effective line of communication to that officer, the letter writer may not have known where to turn and opted not to reach out, and if sent, the letter could have ended up languishing in the mail room or someone's inbox. Both the special lab compliance guidance and the new governing Board guidance note the importance of communicating clear reporting mechanisms as an essential element of an effective compliance program. The employee has been arrested for defrauding his employer and reportedly pleaded guilty April 22. He faces up to 20 years in prison and payment of up to $250,000. In addition, virtually all of the agreements between providers and the OIG to settle instances of fraud, abuse and improper billing pursuant to the OIG's voluntary self-disclosure protocol are the result of the provider's use of an effective compliance program, which unearthed a problem the provider then brought to the OIG's attention, rather than ignoring or hiding it. Settlements made under the self-disclosure protocol typically cost the provider much less than had the provider not self-disclosed and the government had learned of the improper billing from another source. Moreover, in most instances the OIG won't impose a CIA on the entity that came forward, according to the OIG's latest guidance about its protocol. Time to take the plunge: Review your program for deficiencies Many lab compliance programs may be due for a tweaking or even an overhaul. Before forging ahead, consider these four tips:

Resources for Evaluating Effectiveness of Compliance Programs As the new OIG/AHLA/AHIA/HCCA guidance for governing boards suggests, laboratories and other health care organizations have a wealth of resources available to help them ensure they are implementing effective compliance programs. The joint guidance issued this year is only one of a series of resources the OIG offers specifically for Health Care Boards. Just because they target governing boards doesn't mean they aren't equally useful for compliance officers and others looking to ensure compliance. The following three preceding joint guidance efforts can be found on the OIG's website: •  "Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors," AHLA and OIG, April 2, 2003 (in the wake of the Sarbanes-Oxley Act, this resource helps health care boards "establish, and affirmatively demonstrate, that they have followed a reasonable compliance oversight process"). •  "An Integrated Approach to Corporate Compliance: A Resource for Health Care Boards of Directors," AHLA and OIG, July 1, 2004 (addressing roles of in-house counsel and the chief compliance officer "in supporting the compliance oversight function of health care organization governing boards"). •  "Corporate Responsibility and Health Care Quality—A Resource for Health Care Boards of Directors," AHLA and OIG, Sept. 13, 2007 (continuing the focus on compliance oversight but adding an emphasis on oversight of health care quality and patient safety as well in response to "a new era of focus on quality and patient safety").

Review your compliance program against the OIG's recommendations and fill gaps where needed. For instance, make sure that employees and others know how to report a suspect activity and that the lab communicates that complaints and reports will be promptly investigated. While it was beneficial for Memorial Herman to receive a letter tipping it off to an employee's embezzlement, arguably its compliance program could do with some fine tuning, since the scheme went on for 14 years before it was discovered. Integrate into your compliance program some of the practical suggestions from the OIG's new guidance to governing Boards, such as measures from recent CIAs. For instance, ensure you implement a vigorous employee training program, develop written standards and policies, appoint a compliance officer and compliance committee, and avoid employment of persons ineligible for participation in the federal health care programs. Make sure that the lab's compliance program incorporates more recent requirements, such as fraud alerts and advisory opinions pertaining to lab arrangements with physicians (See "Compliance Perspectives: OIG Advisory Opinion Makes Convenience and Efficiency Suspect," G2 Compliance Advisor, April 2015, p. 5; "Compliance Perspectives: OIG Warns of Anti-Kickback Statute Violations in Laboratory Payments to Referring Physicians," G2 Compliance Advisor, July 2014, p. 5). Keep an eye out for further developments. For example, the Affordable Care Act requires providers to operate compliance programs. HHS has solicited information on what those mandatory programs should entail but has not yet issued rules implementing this provision. While it's expected that the required programs will look similar to the OIG's current compliance guidance or at least incorporate some of those provisions, the new rules may require labs to modify their programs down the road accordingly.

Takeaway: Use tips in the new guidance for health care governing boards to evaluate effectiveness and adapt compliance plans to a changing health care environment.