American College of Cardiology

To Assist Cardiovascular Specialists' Compliance With Health Care Laws, Rules & Regulations

Introduction
The Department of Justice (DOJ) and the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) are continuing their aggressive pursuit of fraud and abuse in the health care system. Bolstered by new programs and resources authorized by the Balanced Budget Act of 1997 (BBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the scope of federal investigative and enforcement activity has intensified. The DOJ and OIG warn of severe financial and criminal penalties for physicians and other providers found to have engaged in illegal conduct.

Listed below are examples of recent cases pursued by the DOJ and OIG:

• University of Pennsylvania – The government recovered $23 million for incorrect billing of resident and fellow services.

• University of Chicago – Oncology superbills did not list all levels of E/M codes, and physicians were aware they were overbilling. This fraud case is newly opened and could result in sanctions and the return of millions of dollars in Medicare reimbursement.

• California – Hospital Therapy Services is defending itself in a false claims suit. Providers allegedly billed for 90-minute therapy sessions that lasted no more than 45 minutes.

• Indiana – A cardiology group practice settled false claims allegations related to overpayments for cardiac bypass graft procedures by paying $125,000 and agreeing to implement compliance safeguards. The group admitted no intentional wrongdoing.

In the government's eyes, an "offense" may range from an "unreasonable" mistake to a determination that a Medicare claim was fraudulently submitted. In a letter to the American Medical Association, Health Care Financing Administrator Nancy Ann Min DeParle offered an assurance that "physicians will not be punished for honest mistakes." However, it is clear from recent settlements that systemic problems coupled with a failure of oversight would probably not be considered an "honest mistake." Implementation of compliance measures provides evidence of proper oversight. Therefore, even if mistakes occur, physicians who implement compliance programs are in a better position to defend against false claims allegations.

Role of Compliance Plans
Compliance programs establish a system for reviewing and monitoring practice administration to help avoid acts or omissions that could be targeted as evidence of fraud or abuse. A good compliance plan prevents problems before they occur. These programs can also enhance practice management, as they focus attention on the administrative aspects of care delivery.

Although the government's focus is on business practices, many existing compliance programs focus on administrative as well as clinical issues. This broad coverage of compliance plans is due to the fact that, in health care, business and clinical operations are closely intertwined. Effective compliance programs cover all aspects of business and clinical practice. Misconduct or problems in clinical areas can be just as detrimental as fraudulent billing. Results of such problems may include risk to patients, malpractice claims, and a tarnished reputation. Therefore, compliance programs should be geared to identify and rectify clinical as well as administrative misconduct.

Compliance plans must be tailored to the environment, needs, and characteristics of each provider. There is no one-size-fits-all strategy. Group practices can be expected to develop a more formalized program with a greater resource commitment than a sole practitioner. However, all programs should include the basic elements of ensuring compliance—clear guidance, appropriate education, effective communication, and continuous monitoring.

Contents of This Document
This document provides the following:

• An explanation of why your practice needs a compliance program to help minimize legal exposure;
• A description of the key steps involved in establishing a compliance program;
• A suggested checklist for documenting evaluation and management services, with cardiac-specific examples;
• An overview of the legislative and regulatory tools used by the federal government to control health care fraud and abuse; and
• Sources of additional information on compliance with fraud and abuse laws.

(Portions of this document have been adapted from information provided by the American Medical Association.)

WHY YOU NEED A COMPLIANCE PLAN: Government Efforts to Fight Fraud and Abuse in the Health Care System

Government Alleges Billions of Dollars Lost to Health Care Fraud
The health care community, including physician practices, is facing an environment in which the federal government is categorizing billions of dollars' worth of claims for services as inappropriate and possibly fraudulent. According to the Department of Health and Human Services' (HHS) Office of Inspector General (OIG), approximately $23 billion in Medicare fee-for-service overpayments were made in FY1996, with physicians accounting for 21.68 percent of these improper payments. Inappropriate payments amounted to $20.3 billion in FY1997. Medicare is reaching the point where over a billion claims for payment will be submitted annually, with approximately two-thirds of these claims being for physician services. The agency notes that it "cannot quantify what portion of the error rate is attributable to fraud" but acknowledges estimates that the amount of spending attributable to waste, fraud, and abuse ranges from 3 to over 10 percent of national health care expenditures. With these expenditures now surpassing a trillion dollars, the attention on efforts to reduce spending attributable to criminal and other inappropriate behavior is more readily understood.

Government Devoting Great Resources to Fighting Perceived Fraud
To recoup inappropriate health care payments, the authority and ability of the federal government to combat health care fraud was clarified and expanded with the enactment of Health Insurance Portability and Accountability Act (HIPAA). Among other provisions, this law (1) earmarked funding to virtually double the number of OIG auditors and investigators, (2) expanded the Federal Bureau of Investigation's ability to investigate health care fraud, (3) created the Medicare Integrity Program whereby HHS may enter into contracts with private entities to review and audit activities where Medicare provides coverage, and (4) established a reward program to encourage Medicare beneficiaries to report questionable behavior. These efforts are bringing results; in its September 1998 Semi-Annual Report, the OIG stated that it recovered a record $11.6 billion in "improper" payments.

Be Alert; You Could be Targeted
Anyone submitting a claim for payment must be alert to the potential for liability stemming from an inappropriately submitted claim. OIG enforcement investigations may be initiated based on—

• Carrier records,
• Computer programs designed to identify outliers,
• A call from a disgruntled employee,
• A patient complaint,
• An anonymous tip to the HHS "Confidential Tip Line",
• Qui tam (whistleblower) lawsuit.

Physicians are understandably alarmed by potential liability and the broad range of practices considered offenses by fraud and abuse prosecutors. Although federal officials emphasize that innocent billing mistakes are not illegal, patterns of mistakes may be evidence of misconduct, and physicians can be prosecuted despite their lack of deliberate intent to commit fraud or abuse. Many physicians are concerned that routine Medicare billing or patient referrals may subject them to investigation and/or prosecution. In addition to these federal activities, state law enforcement authorities are pursuing anti-fraud efforts on the local level.

Penalties for Inappropriately Submitted Claims

• Civil sanctions may be imposed when an individual submits a claim that he or she "knows or should know" will fall into a prohibited category. Civil sanctions may be imposed for each inappropriate claim submitted for payment. Civil money penalties may amount to $10,000 per claim ($50,000 for an anti-kickback violation) plus an assessment of up to three times the amount improperly claimed.

• Criminal penalties may be imposed when an individual "knowingly and willfully" defrauds the Medicare, Medicaid, or other federal health care benefits program. Sanctions may include imprisonment for up to five years, a fine, and exclusion from participation in government health care programs.

The existence of an effective compliance program provides evidence that the physician or health care entity was providing proper oversight of its business practices and any mistakes were inadvertent. This evidence would be considered in determining the existence of intent to commit health care fraud. Although an effective compliance plan cannot be instituted without expense, it does carry the advantages of (1) identifying under- and overcoding, (2) reducing the likelihood of civil or criminal wrongdoing, and (3) reducing potential penalties if wrongdoing is detected.

Core Elements of Compliance Plans
1. Make a clear commitment to compliance. A compliance plan must ensure that everyone in the organization understands the obligation to comply with established and understood compliance standards and knows the organization will take actions to uphold those standards.

• Ensure high level oversight of the compliance program or related activities.

• Write a code of conduct, with simple, declarative sentences defining your ethics, standards, and philosophy. Update it as needed. Have employees sign an acknowledgment that they have read and understood it.

• Maintain written policies related to records (creation, access, retention, etc.) and to the compliance plan itself.

• State a commitment to quality care for patients, accuracy of financial books and other record keeping, and observance of billing guidelines.

• Facilitate confidential reporting of alleged problems and violations.

• Your assessment should reflect the operation of your own practice, rather than some generic medical office.

• Begin with the most glaring areas of omission or weakness.

• Determine whether your existing policies and procedures (if any) reflect current law and are understood by your staff.

• He or she must be trusted and respected by the physicians and staff.

• An individual has sufficient authority if he or she is able to influence behavior and organizational practices. Consider appointing an individual who has substantial control over the organization or a significant role in setting policy for the organization.

• The compliance officer may perform this role as an adjunct to his or her normal duties in the office.

• Documentation must become a routine step that demonstrates operation of the compliance plan and delivery of quality patient care.

• The medical record may be used to legally validate the site of service, and the medical necessity and appropriateness of the diagnostic and/or therapeutic care provided. The medical record also shows that services have been reported accurately.

• The CPT and ICD-9-CM codes reported on the health insurance claim form should be supported by documentation in the medical record.

• The organization must have a routine training and education process that makes participation in the compliance program understandable. Also, the organization should document educational activities.

• Educational activities must be conducted on a regular (at least annual) basis, with frequency of participation dictated by an individual's functions in the organization. Because laws, regulations, and enforcement policies change, staying abreast of compliance developments must be viewed as an ongoing process.

• An education and training program should include an overview of the fraud and abuse laws, the operation and importance of the compliance plan, and the role of each employee in it. The ACC or other associations (see "Additional Resources") can provide information on seminars or educational audio/videotapes.

• Establish a baseline compliance level at the start of the compliance program,

• Regularly assess compliance to determine progress,

• Identify and address problem areas, and

• Monitor the work of new employees.

• One of the keys to a commitment to compliance is the existence of effective communication concerning compliance within an organization.

• Communications must be able to flow in both directions between the compliance officer and professional and support personnel within the organization.

• Employees and others who may use any communication channel should be assured that there will be no retaliation and that the issue will be thoroughly reviewed or investigated.

• Organizations should establish an alternative communication channel that employees can use confidentially or anonymously to report problems or concerns.

• Demonstration of a commitment to compliance includes an appropriate investigation of compliance issues and an established procedure when a compliance issue is identified. This procedure must include a disciplinary process for any individual within the organization who fails to comply with his or her obligations under the compliance plan.

• The OIG will be critical of any compliance program that is not enforced. Accordingly, you should document corrective action, including steps to prevent recurrences. Demonstrate that you can be trusted to identify and correct any neglect or wrongdoing.

• To ensure fairness and consistency in the application of the disciplinary process, organizations should maintain a written internal enforcement and discipline policy.

• Where an organization's investigation has identified the receipt of overpayments or other deviations from federal legal standards, the nature of the corrective action and disclosure of the compliance problem to the federal government should be discussed with counsel.

• A practice should not attempt to alter any records.

• Physicians should describe their coding education and compliance program and explain when it was initiated.

• The OIG maintains a searchable list of excluded individuals and entities on its web site at www.dhhs.gov/progorg/oig/cumsan/index.htm.

The Civil False Claims Act
The civil False Claims Act (FCA) outlaws the "knowing" submission of false information in an attempt to obtain payment of claims by the government. To "knowingly" submit a false claim, a provider need only act in "deliberate ignorance" or "reckless disregard" of whether the claim contains false information; specific intent to commit fraud is not required. Thus, providers are liable if they know or "should know" that false information has been submitted. Violators are subject to fines ranging from $5,000 to $10,000 for each false claim submitted, plus three times the amount of the claim. Total financial penalties can far exceed the dollar value of disputed claims.

The False Claims Act
Similar to the civil FCA, this criminal statute outlaws the "knowing" submission of false information in an attempt to obtain payment of claims by the government. However, to be criminally liable under this statute, the defendant must know the claim was false, fraudulent, or fictitious. The potential financial penalties are the same as the civil FCA, but it also includes potential incarceration as well.

Civil Monetary Penalties Law
The Civil Monetary Penalties Law (CMPL) provides the OIG with authority to pursue civil penalties for violation of program rules and regulations. Originally, it was enacted to provide an administrative remedy similar to the False Claims Act. However, it has been amended regularly to expand the basis on which penalties may be levied in support of various program goals. For example, penalties of up to $25,000 could be imposed on providers for such conduct as (1) deliberately upcoding and/or submitting claims for medically unnecessary services, (2) offering inducements to Medicare beneficiaries to persuade them to receive their products or services, or offering/receiving any improper remuneration in return for Medicare or Medicaid referrals, (3) falsely certifying a patient's eligibility to receive home health care services under Medicare, or (4) owning or controlling a health care entity that has been prohibited from serving Medicare beneficiaries.

Exclusion of Providers From Government Health Care Programs
Exclusion from government health care programs is the most potent authority of the OIG. There is an extensive list of substantive bases on which the OIG may exclude practitioners, supplier, and providers. At a minimum, individuals or entities convicted of, or pleading guilty to, a health care felony must be excluded from government health care programs for a minimum of five years. Beyond that, the OIG has discretionary authority to exclude individual and entities for a number of infractions. The OIG's decision whether to exclude a particular provider can depend on the future assurances that misconduct will not re-occur. Therefore, an effective compliance program can be compelling evidence that future misconduct will not occur, thereby avoiding exclusion. Individuals and entities currently under exclusion can be identified online via the OIG's searchable database at www.dhhs.gov/progorg/oig/cumsan/index.htm.

Cash Rewards for Beneficiary Whistleblowers
Private citizens may bring a qui tam whistleblower lawsuit against providers for violations of the false claims act. The person who initiates the suit, know as the relator, is entitled to 15–25 percent of any financial recovery. Furthermore, the Health Care Financing Administration (HCFA) has issued regulations under which Medicare beneficiaries and other citizens may obtain up to $1,000 for reporting health care fraud and abuse. Effective July 1998, the rule makes seniors and others eligible for cash rewards if they provide information leading to the recovery of Medicare funds. To boost beneficiary awareness of Medicare fraud, the Department of Health and Human Services (HHS) and the American Association of Retired Persons (AARP) announced a joint campaign to inform seniors of the problem. HCFA is asking Medicare beneficiaries to serve on the "front lines" in efforts to control fraud and abuse and is encouraging them to report irregularities in their medical bills and records.

Government Developing Data Bank Identifying Physicians Convicted of Fraud or Abuse Offenses
Among other mandates, HIPAA requires creation of a national database for collecting and disclosing the identities of physicians, other providers, and medical suppliers convicted of certain fraud and abuse offenses. The database, termed the Healthcare Integrity and Protection Data Bank (HIPDB), would be accessible by federal and state government agencies, health plans, and providers for self-queries. Regulations creating the database have been proposed by the Health Resources and Services Administration (HRSA), which is in the process of considering comments on its proposal.

Fraud and Abuse Control Program
The purpose of this HHS/OIG/DOJ program is to—(1) coordinate federal, state, and local law enforcement programs to control fraud and abuse in health plans; (2) conduct investigations, audits, evaluations, and inspections relating to the delivery of and payment for health care; (3) facilitate the enforcement of health care fraud and abuse laws; (4) issue advisory opinions and special fraud alerts; and (5) provide for the reporting and disclosure of "final adverse actions" against health care professionals, providers, or suppliers. The HHS and the DOJ are to issue guidelines concerning the provision of information from health plans, health care professionals, and entities.

Health Care Fraud and Abuse Control Account Act
HIPAA established the Health Care Fraud and Abuse Control Account within the Medicare Part A Trust Fund to fund administration and operation of the fraud and abuse control program by the HHS, the DOJ and the FBI. In addition to federal appropriations, the fund will receive a portion of monies obtained from health care fraud and abuse penalties and fines. Annual authorizations for this fund grow from $104,000,000 FY 1997 to $240,558,320 in FY 2004 and beyond. From the account, funding for the HHS OIG is authorized to grow from between $60,000,000 and $70,000,000 in FY 1997 to between $150,000,000 and $160,000,000 in FY 2003 and beyond. (HIPAA also authorized funds for the FBI from general revenues to combat health care fraud and abuse. This funding is scheduled to grow from $47,000,000 in FY 1997 to $114,000,000 in FY 2003 and beyond.)

Limitations on Certain Physician Referrals or "Stark II"
Stark II prohibits the referral for a wide range of "designated health services" of patients to health care entities in which the referring physician has some kind of financial interest. "Financial interest" is defined so broadly under the statute that nearly any kind of direct or indirect benefit received could trigger the referral prohibition. Penalties for violation of Stark II include denial of payment for the designated health services, refund of amounts received via an improper referral, and civil money fines of up to $15,000 for each service. Physicians and entities entering into an arrangement to circumvent the referral restriction law are subject to penalties of up to $100,000. However, there are numerous exceptions to the referral prohibition, including (1) personally providing or supervising the provision of the service, (2) in-office ancillary services provided by the physician or another physician or an employee in the same group practice, and (3) referrals through a prepaid health plan. In January 1998 HCFA published proposed regulations implementing the Stark II law. Due to their complexity and arguably onerous nature, the regulations have caused a great deal of concern in the medical community. The College submitted comments to HCFA addressing areas of concern to cardiovascular specialists. At this time, indications suggest that HCFA will release final regulations by 2000 (although the law is currently enforced). In the meantime, Rep. Pete Stark (D-Ca.) has expressed a desire for Congress to revisit the law given the change in the health care environment since it was enacted.

Medicare Integrity Program
Under the Medicare Integrity Program, HCFA is authorized to contract with third-party organizations to conduct claims assessment, utilization and fraud review, and audits of health care professionals providing services payable under Medicare. These contractors educate individuals and entities regarding payment integrity and benefit quality assurance issues. They also initiate recovery efforts when inappropriate Medicare payments are made. In areas where a Medicare Integrity Program contract exists, Medicare carriers and fiscal intermediaries will no longer perform these functions. Funds also were authorized (pursuant to HIPAA) from the Part A Trust fund to the Health Care Fraud and Abuse Control Account for the Medicare Integrity Program. This funding is scheduled to grow from between $430 million and $440 million in FY 1997 to between $710 million and $720 million in FY 2003 and beyond.

Anti-Kickback Law
The anti-kickback law prohibits the Aknowing and willful" offering, solicitation, payment or receipt of any remuneration, directly or indirectly, in exchange for referring an individual to (or buying) any service or item paid for by a federal health care program. The federal health care anti-kickback law has a broad impact on the structure of the U.S. health care system. Health care providers must consider the law's effect when undertaking a variety of initiatives, including integration projects, certain managed care contracts, discount arrangements, management contracts, and agreements for personal services. However, a variety of exceptions (or "safe harbors") exist, including (1) certain provider discounts, (2) payments by employers to employees, (3) provider payments to group purchasing organizations, (4) waivers of coinsurance for federally qualified health care centers, and most recently (5) certain risk-sharing arrangements. Provider arrangements falling within the safe harbors are immune to prosecution for fraud and/or abuse. Arrangements outside the safe harbors are not necessarily illegal but, if challenged, would have to pass muster under analysis by the DOJ and/or the OIG.

Advisory Opinions
The OIG issues advisory opinions in response to requests for guidance on the application of federal fraud and abuse rules to practice arrangements. These are binding on the party requesting them. Recent modifications to the rules governing advisory opinions (1) allow submission of requests by counsel, (2) provide for informal discussions between OIG personnel and those submitting requests, and (3) allow requestors a notice period and an opportunity to respond (in the event of an adverse decision). However, the final rule notes that submission of advisory opinion requests does not shield requestors from subsequent investigation by the OIG. Information on advisory opinions can be found on the OIG's Website at www.dhhs.gov/progorg/oig/advopn/index.htm.

Self-Disclosure Protocol
In addition, the OIG has issued a "Provider Self-Disclosure Protocol" to assist health care providers to voluntarily disclose credible evidence that indicates a violation of criminal, civil or administrative law. The OIG states that prompt reporting will demonstrate an organization's good faith and willingness to work with government authorities to correct and remedy problems. Timely reporting of misconduct will be considered a mitigating factor in determining sanctions. Serious misconduct should not be confused with routine overpayment, which requires adjustment with the carrier but not formal disclosure. The OIG's protocol can be found on their Web page at www.dhhs.gov/progorg/oig/modcomp/oigdis.pdf.

Additional Resources

A number of health care organizations have developed compliance-related materials that physicians may find useful. These are as follows:

• The American College of Cardiology offers its comprehensive and popular Guide to CPT: Practical Reporting of Cardiovascular Services and Procedures. Call 800-253-4636 or order.

• The Medical Group Management Association (MGMA) has produced a publication titled Compliance Programs: A Resource Guide for the Small Group Practice. This 30-page booklet overviews the subject, lists core elements of compliance plans, and provides good practical advice. Call 888-608-5601 or access www.mgma.com.

• The American Medical Association (AMA) has a developed a pamphlet titled Federal Fraud Enforcement: Physician Compliance. This booklet reviews federal fraud and abuse enforcement efforts as well as the essential elements of compliance programs. The AMA is reportedly creating an extensive compliance manual for physicians generally. Call 312-464-5000 or access www.ama-assn.org/physlegl/legal/legal.htm.

• The American Health Lawyers Association offers of variety of compliance resources, including its own compliance manual, extensive information on fraud and abuse laws and regulations, and related materials. Call 202-833-1100 or visit www.healthlawyers.org/compreso.htm.

• The Healthcare Financial Management Association has newsletters, books, and practical self-assessment materials. Call 800-252-4362 or access www.hfma.org.

• The Office of Inspector General (OIG) has issued compliance guides for hospitals, clinical laboratories, and home health agencies, that may prove instructive. A guide for physicians may be forthcoming. The OIG also issues useful "fraud alerts" and Medicare Advisory Bulletins. Call 202-260-1544 or access www.hhs.gov/progorg/oig/.

• Consultants and Attorneys can provide additional compliance guides and materials. The AMA's "Consulting Link/Doctors Advisory Network" provides a national network of pre-screened health care consultants and attorneys (access www.ama-assn.org).

• Compliance conferences and symposia are also held periodically around the country. Check with the above organizations, health care journals and periodicals, or your local ACC chapter to learn where and when.

For additional information, please contact the ACC's Advocacy Division at 800-435-9203.