Deeper Than the Headlines: Diving Into A CIA Part 3: Risk Assessments

For the last month or so I’ve been posting about various CIA compliance program requirements from the OIG in one of their most recently published CIAs.

In Part 1, I talked about the Three Parts of An Ownership Agreement.

In Part 2, I covered Written Standards and Training.

This week for Part 3, I’ll take my final deep dive into the CIA by reviewing the requirements surrounding risk assessments, the disclosure program and employee screenings for excluded parties.

Risk Assessments

Compliance risk assessments in healthcare are somewhat analogous to home inspections that most of us pay for before closing on the purchase of a new home. And if you’ve purchased more than one home and have had home inspections performed for different homes, you will know that different deficiencies or issues can be identified with different homes being inspected. In other words, even though the list of items that are examined or inspected from home to home may be the same, the deficiencies identified can vary from home to home. In one home it may be plumbing or electrical wiring while in other homes it could be the foundation and heating system.

This is like risk assessments performed for compliance programs. If you work for a physician practice specializing in radiology, the compliance risks identified will probably be different from those identified in a risk assessment performed for an acute care hospital or skilled nursing facility, for example.

Risk assessments can help organizations identify and focus their compliance efforts and limited resources on the areas that are most likely to experience non-compliance and cause problems.

In the CIA we’ve been examining, the OIG required the organization to perform an annual risk assessment that involved multiple parties and departments. They required the practice to: “develop and implement a centralized annual risk assessment and internal review process to identify and address risks associated… with the submission of claims for items and services furnished to Medicare and Medicaid program beneficiaries. The risk assessment and internal review process shall require compliance, legal, and department leaders, at least annually, to

  1. identify and prioritize risks
  2. develop internal audit work plans related to the identified risk areas
  3. implement the internal audit work plans
  4. develop corrective action plans in response to the results of any internal audits performed
  5. track the implementation of the corrective action plans in order to assess the effectiveness of such plans.”

An effective compliance program is a smart and proactive program. As a profession, the position of compliance officer has matured and developed into a role requiring unique skills and abilities related to the risk assessment process. If your organization doesn’t have this expertise in-house, it is often wise to engage an expert when performing a risk assessment. It is such a foundational exercise, driving the rest of the compliance activities for the year, that this is one area where you don’t want to skimp or “do it yourself” if you don’t have the resident expertise.

Disclosure Program

Compliance programs are designed to prevent, detect and correct noncompliance. To effectively do this there has to be some formal program for internally disclosing, tracking and resolving issues of concern.

The CIA we are examining refers to this as a “disclosure program.” They required the organization to: “establish a Disclosure Program that includes a mechanism (e.g., a toll-free compliance telephone line) to enable individuals to disclose, to the Compliance Officer or some other person who is not in the disclosing individual’s chain of command, any identified issues or questions associated with…policies, conduct, practices, or procedures with respect to a Federal health care program believed by the individual to be a potential violation of criminal, civil, or administrative law.”

In addition to having such a mechanism, the organization was required to publicize its existence so people can use it. If you’ve created such a hotline and it’s never been used, you should first question the effectiveness of your publicizing the hotline before concluding that everything is just fine with your compliance program because you never have anyone report anything.

In fact, this CIA required the organization to mandate that employees report issues where suspected wrongdoing had occurred.

Once a concern has been reported, the organization needs to make a good faith inquiry into the allegation and conduct further review and corrective action when necessary. Lastly, the OIG expects the compliance officer to keep a record of each disclosure, the action taken and how quickly a disclosure is entered into the record (no later than two business days was required).

Screening for Excluded Parties

If an individual or entity has been excluded from participation in the federal healthcare program, then that individual or entity should not be involved in services for which a claim is submitted to the federal healthcare program. Fines are frequently assessed against organizations that have failed to prevent this (see the OIG site where these penalties are announced: https://oig.hhs.gov/Fraud/enforcement/cmp/cmp-ae.asp). This CIA requires the organization to “screen all prospective Covered Persons against the Exclusion List prior to engaging their services and, as part of the hiring or contracting process.” Best practice is to perform this screening monthly (and in many cases, this is required and not just best practice).

Additionally, the CIA requires the organization to have a policy “requiring all Covered Persons to disclose immediately if they become an Ineligible Person.” If the organization becomes aware of an excluded individual working for them, they must remove that individual from involvement with the federal healthcare program and/or funds.

Summary:

Risk assessments, disclosure programs, and excluded party screening are all essential aspects of an effective compliance program. Our prior two posts on this recent CIA covered what we called the “ownership” aspects of a compliance program, written standards/procedures, training/education, and auditing/monitoring.

As we close this three-part series and deep dive into this recent CIA, remember what the Inspector General, Daniel Levinson, said about using the published CIAs as tools for improving your compliance program, “There are many CIAs with settling companies that will provide incredible detail to you on how to craft the best possible compliance program for your own enterprise.”

Utilize the resources available to you so you can continually improve and grow your organization’s compliance program.
