Internal Reporting System for Compliance Concerns

Setting Up Your Internal Reporting Mechanism

One of the primary elements in a Compliance Program is the creation of a system that permits employees and others to provide information regarding potential compliance issues without fear of retaliation.  In larger organizations, multiple pathways permitting employees to make anonymous complaints should be maintained.  Oftentimes providers use 24 hour compliance “hotlines.”  Online reporting systems or “drop boxes” are also commonly used.  Whatever system is used, it is crucial that employee understand that they are encouraged to provide information and that there is a clear prohibition against others in the organization retaliating against them for providing information.  It should also be made clear to employees that wherever possible the identity of the person providing the information will be kept confidential.

Establish Compliance Reporting Process

The establishment of the compliance reporting process and communication to employees that retaliation will not be tolerated is a central element to an effective compliance program.  Such a system will help the practice obtain valuable information, hopefully early on, before the issue becomes a big problem.  Additionally, the openness of the program will send a strong signal to the outside world, such as government regulators, that the organization takes compliance seriously.

If information is obtained through the hotline system it must be taken seriously.  Certainly not every piece of information will be reflective of a serious compliance problem, and an employee could potentially have other motives for making a compliant.  Regardless, it is crucial that the information be acted upon and that the action be documented.  If the compliance officer concludes that there were alternative motivations for the complaint, that fact should be substantiated and documented.  If an objective investigation indicates that there could be a compliance issue, the matter needs to be pursued through an appropriate outcome.  Depending on the circumstances and the result of a thorough investigation, the outcome could range anywhere from additional training through a self disclosure to the government.

 

Successor Liability and Compliance Due Diligence

Due Diligence of Compliance Issues in Acquisitions

Successor liability issues are a central factor to consider when assessing the scope of compliance due diligence.  The acquiring organization must assess the degree to which it will assume liability for the past obligations of the target company.  If there is no risk that past obligations for compliance issues will be assumed, compliance efforts can at least conceptually be focused on integrative activities rather than assessive activities.  In effect, if there is no risk of successor liabilities, the acquiring organization can focus on the future, at least when it comes to compliance issues.  Of course there is never a perfect world and likewise, there is never a perfectly “clean” deal when it comes to successor liability.  This is particularly true in the health care industry, which has some counteractive rules regarding successor liability.

Normally, if an asset acquisition takes place, the acquiring entity will only assume the liabilities that it expressly assumes or which attach to the assets that it is acquiring.  Normally, the closing process will result in satisfaction of liabilities that might attach to the acquired assets.  Past Medicare liabilities can be an exception to this general rule.  Under Medicare rules, even if the transaction is structured as an asset purchase, all of the past provider’s Medicare liabilities will be passed forward to the acquiring provider.  This is because the Medicare change of ownership rules (sometimes referred to as CHOW rules) provide for the automatic assignment of the past provider’s Medicare provider agreement.  By virtue of the automatic assignment of the provider agreement, the acquiring party is deemed to assume virtually all past Medicare obligations of the target company.

Federal courts have consistently upheld these rules and have held the acquiring organization liable for past obligations.  Federal cases have specifically held acquiring parties for overpayments that were previously paid to the seller and civil penalties arising out of the actions of the seller that occurred before the acquisition.

The outside parameters of successor liability are yet to be tested in the context of recently expanded health care fraud and abuse laws.  Medicare regulations specifically state that the acquiring party does not assume past obligations based on personal fraud.  However, questions still remain whether corporate fraud can be assumed under successor liability theories.  Issues regarding the extent to which liability based on “knowledge-based” statutes, such as the False Claims Act, can be passed on to the acquirer.  Our initial reaction may be that it is not possible to assume responsibility for a knowledge-based violation.  But what about violations that are invoked based on the “reckless disregard” for the truth?  Is it possible that failure to perform reasonable due diligence could be construed as “reckless disregard?”

Medicare rules permit the acquiring organization to specifically reject the provider agreement of the previous entity.  However, there are very specific, time sensitive requirements for effectively rejecting past obligations.  Additionally, rejection will require the acquiring party to obtain independent certification and enter into a new provider agreement.  This process will inevitably result in interruption of revenues to the acquiring party.  This will in turn affect purchase price and other business factors.

Yates Memorandum Main Steps and Key Priorities

General Priorities in the Yates Memorandum

  • The Yates Memo prioritizes the manner in which Government civil and criminal law enforcement investigations are conducted.
  • It begins by proclaiming that “One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing . . .
  • [accountability] it deters future illegal activity, incentives to changes in corporate behavior . . . and it promotes the public’s confidence in our justice system.”

The Yates Memo identifies six “key steps” to enable DOJ attorneys “to most effectively pursue the individuals responsible for corporate wrongs.”

  • Corporations will be eligible for cooperation credit only if they provide DOJ with “all relevant facts” relating to all individuals responsible for misconduct, regardless of the level of seniority.
  • Criminal and civil DOJ investigations should focus on investigating individuals “from the inception of the investigation.”
  • Criminal and civil DOJ attorneys should be in “routine communication” with each other, including by criminal attorneys notifying civil counterparts “as early as permissible” when conduct giving rise to potential individual civil liability is discovered (and vice versa).
  • Absent extraordinary circumstances, DOJ should not agree to a corporate resolution that provides immunity to potentially culpable individuals.
  • DOJ should have a “clear plan” to resolve open investigations of individuals when the case against the corporation is resolved.
  • Civil attorneys should focus on individuals as well, taking into account issues such as accountability and deterrence in addition to the ability to pay.

Compliance Policy and Procedures List of Compliance Policies

LIST OF COMPLIANCE-RELATED POLICIES AND PROCEDURES

PROCESS POLICIES AND PROCEDURES

  1. Compliance Program Resolutions
  2. Appointment Of Compliance Officer
  3. Compliance Plan Document – General
  4. Code Of Conduct
  5. Statement Of CEO On Compliance
  6. Statement Of Board Of Directors
  7. Compliance Committee Charter
  8. Uniform Compliance Definitions
  9. Compliance Plan Elements
  10. Compliance Oversight Committee Policy
  11. Compliance Office Staff
  12. Yearly Compliance Program Review
  13. Recommendation Of Additional Policies And Procedures
  14. Amendments To Compliance Policies
  15. Non-Retaliation And Non-Retribution Policy
  16. Excluded Individuals And Entities
  17. Compliance Reporting System
  18. Compliance Hotline
  19. Compliance Training Policy
  20. Compliance Reporting To The Board
  21. Discipline For Compliance Infractions
  22. Compliance As A Performance Factor
  23. External Compliance Investigations
  24. Execution Of Search Warrants
  25. Self-Disclosure And Self-Reporting
  26. Compliance Audits, Monitoring And Self-Assessment

RISK AREA POLICIES AND PROCEDURES

 

Tax – Nonprofit Status

  1. Conflict of Interest Policy
  2. Whistleblower Policy
  3. Board Review of 990 Policy
  4. Joint Venture Policy
  5. Community Need Assessments
  6. Physician Recruitment

Document Control

  1. Contract Review and Execution Policy
  2. Contract Control System Policy
  3. Document Retention Policy
  4. Record Management Policy
  5. Offsite Storage of Records
  6. Destruction of Records
  7. Definition of Medical Records

Discharge and Transfer

  1. Discharge Planning
  2. Transfer to Skilled Nursing Facility
  3. Transfer to Hospice

Admissions

  1. Admission and Continued Stay Review
  2. Readmission Policy
  3. Admissions Through Emergency Room
  4. Plans of Care

Billing and Coding

  1. General Billing and Coding Policy
  2. Requests for Coding Changes and Rebilling
  3. Changes to Patient Records
  4. New and Adjusted Billing Codes
  5. Chargemaster
  6. E&M Coding
  7. Specific Area Coding
    • Anesthesia
    • Radiology
  8. Professional Courtesy

Patient Billing and Collections

  1. Patient Billing and Collection Policies/Guidelines
  2. Billing Inquiries and Audits
  3. Reducing a Patient’s Bill
  4. Waiver of Co-Insurance and Deductibles
  5. Determination of Need and Hardship
  6. Referrals to Collections
  7. Advance Beneficiary Notices
  8. Customer Complaints

Additional Policies

  1. Medical Necessity
  2. Professional Behavior
  3. Disruptive Practitioners
  4. Incident Reporting
  5. Alleged Caregiver Misconduct
  6. Caregiver Background Checks
  7. Never Events
  8. Physician Compensation
  9. Physician Contracting
  10. Medical Directorships
  11. Leases to Referral Sources
  12. Anti-Kickback Policies
  13. Stark Law Policies
  14. Relationship with Pharmaceutical Representatives
  15. Acceptance of Gifts
  16. Confidentiality of Information

EMTALA Policies

  1. Interfacility Transfers
  2. EMTALA Triaging
  3. EMTALA – Financial Information
  4. Refusal of Delay of Medical Services
  5. Emergency Room Coverage
  6. Delineation of Roles in Emergency Department
  7. Emergency Room Trauma Diversion

Employment Policies

  1. Make Consistent with Compliance

Credentialing Policies

 

Medical Information, HIPAA, Etc.

  1. Protection of Patient Health Information
  2. Joint Notice of Privacy Practices
  3. De-Identification of Protected Health Information
  4. Protected Health Information Defined
  5. Proposal and Destruction of Protected Health Information
  6. Breach Reporting Policies
  7. Minimum Necessary Use Policy
  8. Permitted and Required Use of Protected Health Information
  9. Use and Disclosure of Protected Health Information for Treatment, Payment, Operations
  10. Use and Disclosure of Protected Health Information to Family and Others Involved in Care
  11. Authorizations for Use and Disclosure with Forms
  12. Uses and Disclosures Not Requiring Authorization
  13. Uses and Disclosures for Fundraising
  14. Uses and Disclosures for Marketing
  15. Uses and Disclosures for Research Purposes
  16. Recognition of Patient Personal Representatives
  17. Business Associates
  18. Verifying Identity of Persons Requesting Protected Health Information
  19. Patient Right to Access Protected Health Information
  20. Denial of Patient Access to Protected Health Information
  21. Patient Right to Accounting of Protected Health Information Disclosures
  22. Patient Right to Request Designated Record Set
  23. Patient Right to Request Alternative Means of Communication
  24. Patient Right to Request Restrictions on Use of Protected Health Information
  25. Protection of Information Subject to FDA Regulation
  26. Protection of Information Subject to AIDS Related Information
  27. Protection of Mental Health Treatment Records
  28. Psychotherapy Notes
  29. Government Requests, Court Orders, Warrants Covering Protected Health Information

Telemedicine Policies

  1. Provider Licensure and Credentialing
  2. Remote Access Policies
  3. Security Policies
  4. Telehealth Policies and Procedures
  5. Telecommuting Application
  6. Telecommuting Agreement
  7. Telecommuting Equipment
  8. Scheduling Telemedicine Services
  9. Emergency Room Consults
  10. Billing Telemedicine Service
  11. Checklists for Providing Telehealth Services

Technology Policies

  1. Passwords, Domains, Local Servers
  2. Individual Password Protection
  3. Information Security Policies
  4. Information Security Incident Process
  5. Encryption Policies
  6. Physician Access and Restriction Policies
  7. Technology Life Cycle Review Policies
  8. Technology Disposal Policies
  9. Wireless Communication Policy
  10. Technology Inventory System
  11. Acceptable Use of Computer Equipment
  12. Internet Usage Policies
  13. Workstation Security
  14. Use of Portable Devices
  15. E-mail Usage Policies
  16. Blogging Policies
  17. Social Media Policies
  18. Firewall Policy
  19. Virus Protection Policy
  20. Vendor Credentialing and Access
  21. Software Licensing Policies
  22. Providing Technology to Referral Sources