2018 Compliance Plan Work

First and foremost, initially look backward before looking forward and look inward before looking outward and always be mindful of the goal of any work plan.

The goal of a work plan is twofold: the obvious goal of addressing risk areas to advance fraud and abuse and HIPAA compliance as well as providing a credible narrative to regulatory and law enforcement authorities of the provider's demonstrated commitment to compliance evidenced by audits and remittances, as appropriate. I regularly received an inconsistent message from provider's under investigation in my former capacity as an AUSA—"we are committed to compliance." The proof, however, was often lacking after requesting and reviewing the previous annual work plans. I often heard other projects delayed compliance efforts. I translated that to mean the provider was not actually committed to compliance and the resulting FCA settlement was intended to partly elevate the importance of compliance consistent, of course, with the facts and law.

The initial step in compiling a 2018 work plan is to critically assess your organization's 2017 work plan, including the following areas:

• Look inward before looking outward. Did you completely address the 2017 deliverables? If not, then address the incomplete matters thru either inclusion in the 2018 work plan or retiring the risk area for appropriate reasons to avoid the above perception.
   
• Look inward before looking outward. Complete outstanding audits.
   
• Look inward before looking outward. Ensure hotline complaints have been addressed in a reasonable manner.
   
• Look inward before looking outward. OIG and state work plans offer valuable opportunities to assess 2018 compliance risk; however, your provider's billing conduct is probably the best resource for addressing 2018 risk. Track high volume or high dollar private payer denials and crosswalk them into Medicare, Medicaid AND Tricare in 2018 as audit areas.
   
• Look inward before looking outward. Finalize your 2017 Security Risk Analysis as required by HITECH.
   
• Make any required regulatory year end attestations.

As far as my 2018 observations, they include the following:

• Be dynamic and not static. If you are auditing high risk areas on an annual basis --level 5 CPT codes, incident to, modifier 25, PATH notes, short inpatient stays—then change the audit profile to advance the opportunity to identify risk. For ex., audit different physicians or NPs, time periods, clinics.
   
• Change your mindset. Try to find the problems rather than auditing to validate the incorrect perception that all is well. For ex., when was the last time you tested the FMV valuation for relevant physician contracts to assure Stark and AKA compliance? Set it and forget it creates risk. Do you have appropriate licensure for sites? Just because you are providing services does not mean such services are authorized. For ex., outpatient therapies.
   
• Brainstorm before creating the 2018 work plan. Meet, do not have an e mail dialogue, with the relevant Directors or project managers—the foot soldiers—for purchasing, IT, the chargemaster, coding and other areas to secure their input on compliance areas. Who is no longer here? What compliance function did they perform? Who is doing it now? For ex., secure signatures for annual contracts involving physician compensation and implicating Stark.
   
• Benchmark your organization. There are public resources to address compliance deficiencies. Review and address, as appropriate. For ex., The Bureau of Compliance (BOC) in the New York State Office of the Medicaid Inspector General (OMIG) conducts assessments of Required Providers' compliance programs. The chart below identifies the frequency (on a percentage basis) of Insufficiencies that were cited by BOC during compliance program reviews completed from January 2015 through June 30, 2017. The higher the percentage the more frequent the Insufficiency was observed. (https://omig.ny.gov/compliance/compliance-program-assessment-results)
   
• You might want to consider touching base on the issue of harassment since this topic has been so much in the news lately. Although this area may not rank high on the list of fraud and abuse concerns, it requires attention based on recent publicity. Under the OIG compliance guidance, all programs with high risks should be subject to ongoing monitoring and auditing. Human Resources (HR) is a program, and therefore should be included when considering regulatory and legal risks.
   
• Considering the number of disasters the US has had in 2017, you might want to considers stressing the need to develop a disaster plan and conduct routine drills of the plan; especially w/ a HIPAA and HITECH focus.
   
• And, as always, cybersecurity in healthcare will continue to be an issue in 2018. Do the simple before the complex. For ex., secure a list of vendors from Accounts Payable, determine who has access to phi, then cross reference against BAAs. You will find gaps. Remediate them. Regularly assess your security risk analysis in 2018. I have regularly reviewed an SRA provided by the IT vendor used by small to medium providers outsourcing their IT. I often find the vendor addresses technical safeguards, however, wholly omits the required administrative and physical safeguard assessments.