New York Weighs in on the Drafting of Health Care Compliance Programs Perhaps There Is an Alternative to GovernmentImposed Compliance Program Requirements Jack Wenik

I

Jack Wenik is a member of the firm Sills, Cummis & Gross PC. He is co-chair of the firm’s Healthcare Investigations Practice Group. A former Assistant U.S. Attorney of both the Eastern Districts of New York and Pennsylvania, Mr. Wenik represents health care systems, hospitals, long-term care facilities, pharmacies, doctors, and other health care providers in a wide array of investigations, regulatory matters, and litigation. He can be reached at [email protected]. The author wishes to acknowledge the valuable research assistance for this article by Matthew McKennan, an associate in the Sills, Cummis & Gross health care department.

n an earlier article for the Journal of Health Care Compliance,1 I noted that the State of New York had piggy-backed on federal legislation by enacting its own statutory and regulatory requirements for health care providers to implement an “effective” compliance program. At the time, guidance as to how health care providers should draft and structure their compliance programs was promised by the New York Office of Medicaid Inspector General (OMIG). The article questioned whether New York’s enacting its own compliance program directive would be a positive development in giving health care providers more detailed guidance in structuring compliance programs or be a negative in adding yet another regulatory layer of requirements for health care providers to navigate. Now that we have some experience with how New York’s OMIG views health care compliance programs, it is timely to revisit this issue. This article compares and contrasts federal and New York state compliance program requirements. It also offers an alternative of allowing the health care industry to develop its own compliance program structure in lieu of ever increasing and changing statutes and regulations.

FEDERAL COMPLIANCE PROGRAM REQUIREMENTS It is now virtually beyond question that a health care provider of any appreciable size, be it a hospital, nursing home, physician practice, pharmacy, et cetera, should have a formal compliance program in place. Section 6032 of the Deficit Reduction Act of 20052 requires health care providers who receive $5 million or more in Medicaid payments to have written compliance poli-

Journal of Health Care Compliance — November – December 2011

15

New York Weighs in on the Drafting of Health Care Compliance Programs

cies in place.3 Section 6401 of the more recently enacted Affordable Care Act directed the Department of Health and Human Services (HHS) to establish “core elements” of compliance programs, which health care providers will have to implement.4 As of the writing of this article, HHS has yet to promulgate a deadline for health care providers to adopt formal compliance programs or the core elements that such programs must contain. At this point, perhaps the most influential federal authority for health care compliance programs is the United States Sentencing Guidelines. Section 8B2.1 of the Sentencing Guidelines, which became effective in November 2010, sets forth seven elements of effective compliance programs for organizations. Organizations are incentivized to adopt an “effective” compliance program by a threelevel reduction in their culpability score if a violation of law occurs while an acceptable compliance program was in place.5 While not specific to health care, the Sentencing Guidelines compliance program requirements no doubt need to be central to any health care provider’s compliance program. Indeed, HHS has indicated that the seven compliance program elements set forth in the Sentencing Guidelines likely will be a basis for the core elements of required compliance programs to be enacted for those health care providers receiving reimbursement from Medicare and/or Medicaid.6 The seven elements (paraphrased) are: a. Standards and procedures to prevent and detect criminal conduct. b. A governing authority knowledgeable about compliance and exercising reasonable oversight: (i) High-level personnel ensure compliance program is effective and assign individual to be responsible for compliance. (ii) Compliance officers should report to high-level personnel and should be given adequate resources and direct access to governing authority.

16

c. Use reasonable efforts not to include individuals it reasonably should know to be engaged in illegal activities or noncompliant conduct. d. Communicate and train governing authority and employees regarding roles and responsibilities. e. Audit and evaluate the effectiveness of the compliance program and publicize ways to report or seek guidance regarding potential/actual criminal conduct in a confidential manner without retaliation. f. Enforce the program through incentives to promote compliance and disciplinary measures for those who engage in noncompliant conduct or fail to prevent/detect criminal conduct. g. When criminal conduct is detected, take reasonable steps to respond and prevent similar conduct, including modifying the compliance program. Notably, the Sentencing Guidelines recognize that the above compliance program requirements may not be suitable for all organizations. Application Note 2(C) to Section 8B2.1 of the Guidelines provides that small organizations may meet the requirements of an effective compliance program with “less formality and fewer resources than would be expected of large organizations.” Thus, for small organizations, the “governing authority, i.e. the chief executive, can directly manage compliance functions by him or herself. Similarly, in small organizations, compliance ‘training’ can be accomplished via ‘informal staff meetings.’”7 The Sentencing Guidelines’ elements provide only the basic structure and lack specifics. For example, for larger organizations, who should the “individual” be that is responsible for compliance? What sort of compliance “training” should be provided? What “high-level personnel” should the compliance officer report to? Some additional insight can be found in voluntary guidance that has been issued by HHS’s Office of Inspector General

Journal of Health Care Compliance — November – December 2011

New York Weighs in on the Drafting of Health Care Compliance Programs

(OIG) for different categories of health care providers.8 The OIG has set forth seven “fundamental” elements for effective compliance programs that are very similar to the Sentencing Guidelines criteria. They are (paraphrased): a. written policies and procedures; b. compliance officer and a compliance committee; c. effective training and education; d. internal monitoring and auditing; e. effective lines of communication; f. well-publicized disciplinary guidelines; and g. prompt response and corrective action for problems.9 Beyond these general elements, the OIG has, through its voluntary guidance documents, made more specific suggestions as to how a compliance program should be structured in its factors for assessing compliance program effectiveness. Thus, for hospitals, the OIG has suggested that the compliance officer be a member of senior management, independent of the general counsel. The OIG further recommends that the compliance officer have access to all senior management, have the authority to retain outside counsel, and make regular reports directly to the institution’s board of directors.10 As to compliance training, the OIG suggests that it could be via either live instructors or be computer based and that post-training testing be done. It also recommends that senior management be given training on fraud and abuse laws.11 For the different categories of health care providers, OIG guidance documents identify specific risk areas it believes warrant special attention in compliance programs. For example, for ambulance service providers, the OIG has highlighted medical necessity, documentation, billing, reporting risks, and payments for “under arrangements” services as areas of special concern.12 In short, the OIG has recognized that there is no “one size fits all” when it comes to compliance programs and each must be tailored for the industry and provider in

question. This raises the question of whether the OIG, in response to the directive of the Affordable Care Act described above, will enact a series of different core elements for compliance plans applicable to various categories of health care providers. While, in one regard, clear direction would be welcomed by some health care providers, different core elements for different categories of providers would complicate matters for health care systems that own or operate entities in the different categories.

NEW YORK COMPLIANCE PROGRAM REQUIREMENTS New York is the first state to impose on health care providers a mandatory obligation to draft and implement compliance programs, which is in addition to and supplements federal requirements. In 2006, in addition to establishing its OMIG, New York added Social Services Law §363-d, which requires health care providers that receive Medicaid reimbursement to develop and implement compliance programs. Together with 18 NYCRR §521, the Social Services Law sets forth a series of eight elements that must be contained in health care provider compliance programs beginning July 1, 2009. New York’s eight core elements of an effective compliance program overlap those of the Sentencing Guidelines and the OIG and go a little further still. They are (paraphrased) as follows: a. written policies and procedures embodied in a code of conduct; b. an employee vested with responsibility for the compliance program who reports directly to the chief executive officer and an entity’s “governing body,” i.e., board of directors; c. training and education regarding compliance issues and the compliance program; d. open communication lines, including a mechanism for anonymous and confidential reporting of compliance issues; e. disciplinary policies that enforce the policies of the compliance program and encourage the reporting of compliance issues;

Journal of Health Care Compliance — November – December 2011

17

New York Weighs in on the Drafting of Health Care Compliance Programs

f. a system of self-evaluation of compliance risk areas including internal and external audits; g. a system to respond to compliance issues and to take corrective actions promptly; and h. a policy of non-intimidation and non-retaliation for participating in the compliance program.13 Health care providers in New York must certify annually to the OMIG that they have a compliance program in place which meets the requirements set forth above.14 OMIG has the power to exclude from the Medicaid program providers whose compliance programs are determined to be insufficient.15 Interestingly, compliance programs “accepted” by the OIG are deemed to satisfy New York’s requirements as well.16 OMIG has posted various guidance documents and “tools” on its Web site to provide additional instruction on what it believes is the appropriate way to structure and implement an effective compliance program. Officials of OMIG also lecture at various conferences and meetings attended by health care providers regarding effective compliance programs. Finally, OMIG’s Bureau of Compliance conducts “Effectiveness Reviews” of providers’ compliance programs. OMIG’s guidance documents offer significant insight into the agency’s view of the minimum requirements for provider compliance programs. While OMIG notes that it will consider the “uniqueness of providers” when assessing compliance programs, its July 15, 2011 Review Checklist and July 8, 2011 list of examples of “program insufficiencies” suggests that the agency expects to see, at a minimum, the following in a compliance program: formal training materials; initial compliance training for all employees; at least annual compliance training for all employees, including senior management and the board of directors; testing of employees who are given compliance training;

18

documentation (e.g., sign-in sheets) of compliance training; a compliance hot line, including logs of all hot line calls, which allows for anonymous reporting; internal and external audits of risk areas with documentation of same; reporting of any overpayment issues to OMIG with documentation of same; the compliance officer cannot be the chief financial officer (CFO), nor should the compliance officer have any role in billing; the compliance officer should not report to the CFO; and uniform application of disciplinary policies to both lower level employees and senior management. OMIG also has drafted a list of “best practices,” a series of Frequently Asked Questions (FAQs) and accompanying answers, and a list of “Opportunities for Enhancement,” which provide further detail as to what is expected in an effective compliance program. Although OMIG qualifies its suggestions by noting that a compliance program “should reflect a provider’s size, complexity, resources and culture,”17 the Best Practices List, FAQs, and list of “enhancements” suggest that, in addition to the points gleaned from the lists above, a compliance program should be structured as follows:18 the compliance program should be published on a provider’s Intranet or Web site, and contact information for the compliance officer should be posted in prominent locations at the provider; the compliance officer should report directly to the board of directors and, as necessary, the chief executive officer (CEO); compliance issues/reports should be regularly considered by the board of directors; compliance training should be electronic, with online tracking and feedback systems, and should include definitions of “fraud, waste and abuse” as well as disciplinary policies that relate to noncompliant behavior; a brochure should be available to consumers, partners, and vendors which

Journal of Health Care Compliance — November – December 2011

New York Weighs in on the Drafting of Health Care Compliance Programs

sets forth the names and contact information for compliance staff; there should be implementation of a compliance dashboard; providers can operate under the compliance program of a parent organization if it is detailed enough to address risk areas; policies should be in place to prevent the use of excluded parties in Medicaid services; exit interviews for departing employees should include compliance issues; self-assessments of the compliance program should take place annually; and an annual compliance work plan should be prepared. OMIG’s best practices for compliance programs impose very specific requirements for risk management. OMIG expects health care providers to conduct quarterly internal case record reviews both of documentation and quality of service. As part of a utilization review process, OMIG mandates monthly case reviews of admissions criteria and eligibility for continued treatment. Risk areas are to be tracked monthly, with trends analyzed, and a pre-claim review process for billing and coding should be implemented for all Medicaid bills.19 Finally, OMIG has crafted a series of “assessment tools,” which consist of questions to be answered by providers to ensure that their compliance programs meet New York’s requirements. These include specific questions directed to pharmacies and ambulance services. From these documents it can be gleaned that, in addition to all of the characteristics set forth above, (1) OMIG frowns on compliance officers having responsibilities other than for the compliance function; (2) a compliance officer should not report to the general counsel; (3) compliance policies should be approved by the board of directors; and (4) “feedback” should be provided to those who report/raise compliance issues, including to those who report anonymously. Thus, New York, through its statute, regulations, and OMIG guidance documents, provides considerable detail as to what at-

tributes an effective compliance program should have. While there is overlap with the guidance provided at the federal level via the Sentencing Guidelines and OIG documents, New York’s requirements go further.

AN ALTERNATIVE TO GOVERNMENT-IMPOSED COMPLIANCE PROGRAM REQUIREMENTS On one level, having mandatory “core elements” and other compliance program guidance from both the federal government and New York State is welcome in the sense of providing a degree of certainty to health care providers as to what regulators expect of them. However, the trend toward imposing compliance program requirements on health care providers is also troubling. The requirements are multiplying on one level in terms of having specific directives directed at particular categories of health care providers, nursing homes, hospitals, pharmacies, et cetera and on another level by having different governments craft them. Should more states follow New York’s lead and establish their own, unique mandatory compliance program requirements and oversight, the burdens on health care systems who own providers in more than one state and in different categories could become onerous. Ironically, it could make developing and implementing compliance programs and practices more difficult and complex. The alternative to a patchwork of compliance program regulations by a host of different government entities/agencies is to allow the health care industry to police itself. There is precedent for this in the medical device industry. The Advanced Medical Technology Association (AdvaMed) has had a code of ethics in place for a number of years. The code has been updated periodically, and most of the medical device manufacturers in the United States have agreed to abide by its terms. In June 2010, the State of Connecticut enacted a statute requiring medical device and pharmaceutical companies to

Journal of Health Care Compliance — November – December 2011

19

New York Weighs in on the Drafting of Health Care Compliance Programs

adopt a compliance and ethics program.20 Rather than issue its own detailed, regulatory requirements for ethics and compliance programs, Connecticut’s statute allows companies to satisfy this obligation by adopting the AdvaMed Code of Ethics and adopting a compliance program consistent with guidance that had been issued by HHS in 2003. The same approach could be adopted easily for the health care industry. In April 2003, the Health Care Compliance Association (HCCA) published a comprehensive guide, Evaluation and Improving a Compliance Program. As noted in its introduction, the aim of the guide was to provide “a fluid guide to common indicators and recommended best practices for compliance programs, not a collection of rigid standards.” The federal government and states could follow Connecticut’s lead. Effective compliance programs could be mandated, but that requirement could be satisfied by simply requiring health care providers to implement programs consistent with HCCA’s guidance. No doubt, the guide could and should be updated and refined to take into account developments in the industry and changing laws and regulations. In this manner, health care providers nationwide could look to a single, authoritative source for guidance in developing and implementing compliance programs rather than an anticipated host of competing federal and state requirements.

Endnotes: 1. Wenik, State Offices of Medicaid Inspector Generals: Implications for Medicaid Fraud Enforcement, Journal of Health Care Compliance, July-August 2010, at 5-10. 2. 42 U.S.C. §1396a(a)(68). 3. New York requires formal compliance programs for health care providers that receive at least $500,000 in Medicaid payments. 18 NYCRR §521.3 (2009). 4. Section 6102 of the Affordable Care Act sets forth core elements of compliance programs for skilled nursing facilities, but HHS has been tasked to develop the core elements for other health care providers. 5. See United States Sentencing Guidelines, §8C2.5(f )(1). 6. See 76 Fed. Reg. 5942 (February 2, 2011). 7. Id. 8. See, e.g., 63 Fed. Reg. 8987 (February 23, 1998) (hospitals); 65 Fed. Reg. 594354 (October 5, 2000) (individuals, small physician practices); 65 Fed. Reg. 14289 (March 16, 2000)(nursing facilities); 73 Fed. Reg. 56832 (September 30 2008)(nursing facilities); 68 Fed. Reg. 14245 (March 24, 2003)(ambulance suppliers); 68 Fed. Reg. 23731 (May 5, 2003) (pharmaceutical manufacturers). 9. See 68 Fed. Reg. at 23731. 10. See, 70 Fed. Reg. at 4874-75. 11. Id. at 4875. 12. See 68 Fed. Reg. at 14250-51. 13. See N.Y. Soc. Serv. Law §363-d; 18 NYCRR §521.3. The core elements for an effective compliance plan set out by New York are very similar to those for skilled nursing facilities set forth in Section 6102 of the Affordable Care Act. 14. 18 NYCRR §521.3(b). 15. 18 NYCRR §521.4(c). 16. 18 NYCRR §521.4(b). 17. See Best Practices List, July 8, 2011 18. Notably, the FAQs state that, while OMIG is drafting industry-specific guidelines for compliance programs, it will not be issuing “model compliance plans or templates.” 19. See Best Practices List, July 8, 2011. 20. Pub. Act No. 10-117 §94 (June 8, 2010).

Reprinted from Journal of Health Care Compliance, Volume 13, Number 6, November-December 2011, pages 15-20, with permission from CCH and Aspen Publishers, Wolters Kluwer businesses. For permission to reprint, e-mail [email protected].

20

Journal of Health Care Compliance — November – December 2011