The Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) recently released the summary of a roundtable meeting the agency held with representatives from 32 companies that have entered into Corporate Integrity Agreements (CIAs) since 2009. The companies included hospitals, ambulance companies, medical device manufacturers, physician practices, laboratories, home health agencies, and skilled nursing facilities.
This is the second time OIG has held a roundtable regarding CIAs this year. Back in February, OIG held a roundtable regarding CIAs with pharmaceutical companies.
The purpose of the August 2012 roundtable was to solicit feedback from the representatives regarding their compliance “best practices” and their efforts to implement the requirements of their CIAs. OIG will consider the feedback when deciding what terms to include in future CIAs. The roundtable involved small-group discussions of several topics:
(1) the definitions of “covered persons” and “relevant covered persons” and CIA requirements relating to a code of conduct, compliance policies and procedures, and training and education;
(2) the role of the compliance officer, internal auditing and audit plans, and the role of the board of directors;
(3) claims review requirements; and
(4) arrangements review requirements.
The discussions of each of these topics are summarized below.
Definitions of “Covered Persons” and “Relevant Covered Persons”
All CIAs include definitions of “covered persons” and “relevant covered persons” that identify which individuals and entities are subject to CIA requirements. For example, most, if not all, CIAs require that companies provide training on the compliance program and the CIA to all covered persons, which generally includes all employees. CIAs also require that companies provide training on defined subject areas to individuals who meet the CIA definition of relevant covered persons, which generally includes those employees and contractors who provide patient care or who are involved in coding or billing for health care items or services.
Participants expressed difficulty determining which employees and contractors fit within the definitions, whether vendors and contractors are covered persons or relevant covered persons, and with requiring vendors and contractors to comply with any applicable CIA requirements. Some participants commented that they now discuss training requirements as part of contract negotiations with vendors and contractors.
Many CIAs exclude individuals from the covered persons definition and corresponding requirements if the individuals work fewer than 160 hours per year. Some participants said the 160-hour threshold requires time-consuming tracking to determine when and if someone becomes a covered person. Some participants suggested that, instead of a 160-hour limit, any exceptions to the definition of covered persons should focus more broadly on the individual’s role and responsibilities and status as a full-time or part-time employee. In addition, most participants felt that more tailored definitions would result in a better use of resources because the companies could better tailor the training to the job responsibilities of those being trained.
Code of Conduct and Policies and Procedures
CIAs require each participant (1) to have a code of conduct setting forth the company’s commitment to compliance and the importance of adhering to Federal health care program requirements and its policies and procedures, and (2) to implement policies and procedures governing the company’s compliance program and adherence to Federal health care program requirements. In general, participants supported this provision, but recommended that CIAs permit companies to make revisions and obtain certifications during annual general training, as long as current versions of the code of conduct are posted and accessible electronically. Other participants stated that a more in-depth discussion of what policies and procedures are needed for their companies during negotiations would make implementation easier.
Training
Some participants reported the annual training requirements are too prescriptive and that companies under CIAs should be permitted to identify their own annual training topics. Participants also recommended eliminating the requirements that covered persons and relevant covered persons receive a minimum number of hours of annual training and focusing instead on whether the training thoroughly addresses the topics specified in CIAs. Participants also suggested that compliance officers should be able to target different groups of employees year to year for education because it is difficult to create different modules to make training relevant to all employees on an annual basis. Some participants noted they use scenarios drawn from complaints or audit results to make training more real and to facilitate discussions of subtler topics with employees.
Many participants suggested that the CIA requirement to track 100 percent training completion is burdensome, especially for the last 2 or 3 percent of employees and for non-employed or contractor physicians. Participants reported that training for two or three hours at a time detracts from the trainees’ retention of information, but that tracking completion of the training requirement over multiple shorter sessions was too time-consuming and difficult. Some participants reported logistical difficulties in ensuring that employees in the field are trained.
Participants reported that 30 days was not sufficient time to train new employees and that requiring training within 30 days of hire meant that new employees either did not have enough knowledge to place the requirements in context or the training was not retained because so much other important information was being received at the same time. Many participants felt the annual training requirement was more effective. Some recommendations were:
- require training only during the first year;
- limit training to those who could cause improper conduct or have the ability to cause false claims; and
- require training only for employees who fail to pass an annual competency test.
Role of Compliance Officer
CIAs require that each company appoint a compliance officer to be responsible for developing and implementing policies, procedures, and practices designed to ensure compliance with the CIA and Federal health care program requirements. Overall, participants reported that the compliance officer description in CIAs satisfied their needs. Participants emphasized the importance of having the compliance officer report directly to the board of directors, and not to the general counsel or chief financial officer. They also stated the importance of having the compliance officer be a member of senior management. Many participants reported that resource allocation is important in establishing an effective compliance program and that the more engaged the compliance officer is with senior management, the more successful the compliance officer is likely to be in getting a fair allocation of the company’s resources. Participants suggested OIG include resource allocation requirements in CIAs.
Board of Directors’ Involvement in the CIA
CIAs generally require that the board of directors receive training, receive reports from the compliance officer, and pass an annual resolution certifying to the board’s oversight of the compliance program. Participants reported that the board’s responsibilities, including certifications, resulted in more engaged board members. They also stated that keeping the board engaged assisted in the allocation of resources because the board felt a responsibility to mitigate risk. Participants emphasized the importance of having the compliance officer report directly to the board. Some participants felt that IROs also should report directly to the board.
Others noted that an engaged board motivated executives and health care providers to commit more fully to compliance. Some participants thought the board could have more training. They also thought the board needed additional tools to help assess risk, such as a compliance “dashboard.” Many participants asked OIG to publish more board of director guidance on the OIG Web site. Overall, participants stated that the board would remain engaged in the compliance program even after the CIA’s term ended.
Role of Internal Audit
Participants described several ways of performing internal audit functions. Some had separate internal audit and compliance departments, while others worked in compliance departments that conducted audits. Participants used several resources to develop internal audit plans. Most used the OIG Work Plan. Others used issues raised in hotline calls and prior audit results. Participants performed audits by conducting quarterly billing audits using external entities, internal reviews of contracts and other risk areas, certification reviews, and as-needed audits when problems arose. Some participants noted that their companies find the results of their internal auditing more valuable than the IRO results—in part because the issues reviewed in those audits are set by the company, using identified and changing risk areas.
Claims Review Requirements
The purpose of this session was to discuss OIG’s approach to annual claims reviews required under CIAs. Most CIAs require the provider to conduct a discovery sample of 50 paid Medicare claims randomly selected from those submitted by the provider during a specified 12-month period. If the net financial error rate for the discovery sample is 5 percent or greater, the provider is required to conduct a full sample (review of additional claims) and a systems review (review to identify the underlying causes of the claims errors). Most CIAs require that this annual claims review be conducted by an IRO selected by the provider.
Several participants indicated that 50 claims was not a large enough sample size to identify problems with coding and billing, particularly if the 50-claim sample was selected from across a large organization or an organization with multiple locations. Suggestions included increasing the sample size and focusing the claims review on particular types of claims or particular issues. Some suggestions included:
- a larger discovery sample in the first year of the CIA, reduced afterward if the error rate is below 5 percent;
- quarterly reviews, rather than annual reviews;
- a systems review in the first year to identify areas for claims review; and
- allowing the provider to conduct internal reviews of claims or issues identified by OIG.
Several participants said their organizations conduct internal audits regularly, through prepayment reviews, audits of individual locations, and reviews of coding or billing reports, to identify issues more quickly. The initial results of the audits may be used to expand the scope of the audit or as a basis for conducting a more in-depth review of a particular issue. Some participants considered their internal audits more useful than the claims review performed by the IRO.
Participants also discussed the process for selecting an IRO, the interaction between the provider and the IRO, and the value and cost-effectiveness of using an IRO to conduct the claims review. Some participants said it was a challenge to identify a qualified IRO in the time allowed under their CIA, particularly if the provider operates in a specialized area that requires a particular expertise. Many participants said the first year of working with the IRO can be the most challenging, as both parties are trying to understand the claims review requirements and prepare and review the IRO’s claims review report to be submitted to OIG. Also, it often takes time to familiarize the IRO with the specifics of the provider’s business operations.
Many of the participants indicated that they value the perspective of an independent third party to conduct a claims review; however, the costs, particularly in the first year of the CIA, can be high. Some participants suggested that a better use of resources might be to permit the provider to conduct its audits internally and have the results verified by the IRO. Participants indicated that the results of the IRO review are used to identify issues for continued auditing or monitoring and as a source of “real life” examples that can be used in training.
Participants were asked what approach they would take with regard to auditing after their CIAs expire. Most indicated that internal audits would be continued with some external verification, either using the current IRO or another third party. Some participants thought that the continued use of a third party would be valuable, but said they would want to reduce the costs of using an outside auditor.
Arrangements Review Requirements
Some CIAs also require providers to implement arrangements procedures and retain an IRO to conduct an arrangements review. “Arrangements” under a CIA typically include transactions between the provider and a potential or actual source of Federal health care program business or referrals. The CIA requires the provider to implement procedures to ensure that existing and new arrangements do not violate the Anti-Kickback Statute or the Stark Law. These procedures typically require a provider to
- create a centralized tracking system for arrangements,
- track payments made under the arrangements,
- track services provided or the space/items leased under the arrangements, and
- implement a written review and approval process for arrangements that includes a legal review and a business review, including a process for determining the fair market value of the payments made under the arrangement.
Scope of Focus Arrangements Definition
Participants suggested that OIG revise the arrangements reviews to require providers to examine the intent behind the arrangement and the internal business processes of the provider to monitor the appropriateness of each arrangement. Participants uniformly agreed that, to provide a comprehensive review of arrangements, the provider must have a detailed database containing data elements specified in the CIA. Participants agreed that requiring providers to aggregate all arrangements into a database was critical to monitoring the entity’s arrangements and beneficial to implementing document management processes.
Participants recommended that OIG narrowly define arrangements by tailoring the review to the type of provider under the CIA and specifically identifying a subset of transactions on which the provider should focus its review. Suggestions included:
- OIG tailoring the arrangements review based on a provider’s industry sector, providing different review processes for the businesses with which the provider primarily contracts;
- OIG narrowly tailoring the scope of arrangements to reflect the covered conduct within the parties’ settlement agreement;
- the narrower arrangements review including a review of internal processes to evaluate the business purpose behind the arrangement and to determine whether the remuneration under the arrangement is fair market value; and
- OIG considering different arrangements review elements that relate specifically to the risk under the arrangement, rather than applying the same review elements to all arrangements.
Some participants suggested that the IRO review should include a review of fair market value under the arrangement, a review of payments made under the arrangement, a review of the procedures used by the entity to enter into the arrangement, and other elements that examine the terms of the arrangement. Additionally, participants recommended that OIG clarify ways to measure the legal sufficiency of the arrangements included in the review.
External Review of Arrangements
Participants agreed that external reviews performed by legal counsel, IROs and fair market value consultants are necessary to ensure that their arrangements are in compliance with the Anti-Kickback Statute and the Stark Law. However, they expressed concern about the costs of retaining outside experts and the application of attorney-client privilege during the IRO review and desired greater clarification on when the privilege applies in the CIA context.
Participants uniformly agreed that OIG should consider defining the scope of the IRO review more specifically. Many participants felt that the purpose of the IRO review was unclear and many arrangements reviewed by the IRO were not relevant to the CIA. Participants would like greater input from OIG regarding the scope of the IRO reviews and would like flexibility during the CIA term to identify risk areas and suggest modifications to the scope of the IRO reviews to evaluate evolving risk areas.
Some participants suggested that OIG further define IRO testing attributes or allow IROs to test arrangements according to “best practices.” Participants requested guidance from OIG on how to interpret exceptions noted by an IRO. Participants recommended standardizing core controls for IRO testing and suggested increased involvement by OIG during negotiation of the IRO engagement.
Request for Additional Guidance from OIG
Participants requested that OIG consider providing additional compliance guidance to the industry by issuing “Frequently Asked Questions.” They felt that FAQs, with specific examples of provider behavior, would be useful in their daily compliance oversight.