evaluating compliance risks
“Why should I bother creating a compliance program for my practice?” griped the physician at yet another seminar on health care compliance. “Seems like just expensive busywork and what will I get out of it?” he continued.
“Well, if you are dead set against the concept, probably not worth your time investing in it,” responded the seminar speaker. “Just wait for the wheel to fall off, and you should be fine,” she quipped.
The above exchange is probably a fair summary of a few question and answer sessions at compliance seminars these days. Compliance does seem like a chore and of little benefit to physicians who believe they are practicing ethically. Similarly, compliance experts can be equally dismissive of attitudes especially those that do not automatically embrace investment in a physician office compliance program.
Developing some sort of compliance effort in a physician practice does not have to be expensive or involve a massive off-the-shelf policy and procedure manual. What it does have to do as a first and ongoing process, however, is identify risk areas that could lead to costly outcomes if not either headed off to begin with or responded to effectively if something bad does happen. So what are risk areas for physician offices?
What is risk?
Before we even get to risk areas, it might help to break down the concept of risk. A useful definition you can find online at Wikipedia states: “Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed)….” The first thing that should jump out of that definition is the concept of choice, that is, someone can choose to do something or not. Also notable in the definition is the fact that someone choosing to intervene might have some effect on what happens. The odd result from engaging in compliance planning is that you may never know if your efforts prevented a financial catastrophe. That seems very much like the idea of trying to prove preventive medicine works. At the very least, physicians should be able to understand, they have a choice and choosing to engage earlier rather than later, might, repeat, might be the most cost-effective way to treat the potential problem.
How do you identify risk areas?
Identifying risk areas can be both an art and science. The simplest thing for a physician practice to do is to think logically about the practice and jot down a list of routine business operations that present some downside if they are not performed correctly. A more complicated approach would be to numerically rank operational functions and sort them from the highest to lowest amount of risk, that is, a formal risk assessment.
In general, the biggest risk area for most physician practices is the billing function. Coding claims and submitting them to payors for adjudication is fraught with inconsistencies, varying rules, ample room for mistakes, and steep penalties for getting things wrong especially in the federal programs like Medicare and Medicaid. Next in line for a top risk area might be employment legal issues given the myriad of state and federal laws protecting employees in the workplace along with statutory attorney fee provisions that make both mistaken and negligent conduct very expensive for employers. And, perhaps a close third, and rising fast these days, is privacy and security risk. Recent fines levied by the Office for Civil Rights against physician practices instruct us that compliance with the Health Insurance Portability and Accountability Act (HIPAA) rules is going to have to take a new priority for physicians.
How do you mitigate loss in identified risk areas?
Anyone who touts about perfection or a bulletproof compliance program is engaging in a little bit of puffery. Compliance programs are not perfect because they cannot prevent every misstep that may occur in a busy medical practice. Mistakes happen, and something worse than a mistake may happen as well. What the goal of a compliance program should be is to head off or quickly identify issues as soon as possible in order to reduce the amount of loss to the practice whether that loss is in the form of refunded monies, fines, or other losses of value such as reputation. The key to mitigating loss in a risk area, therefore, is to establish either an informal or formal set of checks and balances that help a practice to clearly identify problems in a risk area and come up with a rational approach to take corrective action.
For example, a general rule in the federal health care programs is that you cannot permit someone, who has been formally excluded from participating in those programs, to conduct any of your business that will result in further billing of items or services in the programs. The classic example would be a medical practice employs a physician who years earlier had defaulted on a federal health education loan. Not only might you have to refund every federal program claim generated by that physician, you may also be subject to civil fines. A quick check of the exclusion databases upon hire and at a regular basis would help mitigate the risk of loss in this risk area. Is checking the databases perfect? Not necessarily because people can change their names, etc. The point is that it probably looks better to a government agent if you try to mitigate the risk rather than doing nothing at all.
So before the griping physician and snarky seminar speaker dismiss each other completely, they could focus on some common ground about identifying risks. The physician brings experience to the table with medical risks, and the seminar speaker, compliance risks. The principles of identifying risks and mitigating loss associated with those risks are similar in medicine and compliance. The only open question would be whether a choice should be made to engage early on to head off potential and costly compliance problems.