By Charles I. Artz, Esq.

Published December 2000

Special supplement on
Compliance Program Guidance for Individual and Small Group Physician Practices

• Overview of OIG's MD compliance guidance
  

• Physician compliance plan risk areas
  

• How to deal with compliance lapses
  

• Employee education in compliance programs
  

• Compliance and relationships among providers
  

• React to this article in the Discussion Forum.

Is it important to actually write risk area policies and procedures? OIG says that written standards and procedures are a central component of any compliance program. Experience suggests thoroughly detailed written policies addressing risk areas tailored to the unique needs of the practice specialty is the most crucial element of a compliance plan. A missed risk area will never be audited. In many ways, risk areas drive the entire compliance plan. Many practices with "canned" compliance plans say that they will draft detailed risk area policies and procedures, but never do, calling into question the veracity of the entire compliance plan.

Can’t I just buy the plan and risk areas "off the shelf"? OIG says that risk areas need to be addressed based on each practice’s specific needs. Risk areas may differ substantially between primary care practices and surgical practices. They may even differ within the same type of specialty depending upon the types of services and procedures performed, and the types of ventures in which the practice may be involved. It is okay, however, to borrow risk areas from PPMCs, MSOs, PPOs, IPAs or third party billing companies; however, OIG says those materials will need to be tailored to the unique needs of the specific physician practice.

What risk areas has OIG outlined in the PCGs? Generally, OIG outlines risk areas concerning coding and billing; reasonable and necessary services; medical record and HCFA 1500 form documentation; avoiding improper inducements, kickbacks and self-referrals, and proper record retention. The appendix to the PCGs provides additional information concerning reasonable and necessary services. It discusses physician relationships with hospitals (including the anti-dumping rules, teaching physician reimbursement guidelines, gainsharing prohibitions, and physician incentive arrangements). Physician billing practices dealing with third party billing services, professional courtesies, and non-participating physician billing practices are discussed. Advertising restrictions and the OIG’s recent Special Fraud Alert relating to space rental in physician offices are highlighted.

Is the list of risk areas in the preceding section all we have to worry about? No. OIG says the list of risk areas in the PCGs "is not exhaustive, or all-encompassing. Rather, it should be viewed as a starting point for an internal review of potential vulnerabilities within the physician practice." This quote demonstrates the necessity for physician practices serious about compliance to carefully analyze all potential risk areas and to draft appropriate policies to address them.

What is the standard for developing the standards? OIG says that physician practice written standards and procedures concerning proper coding should "reflect the current reimbursement principles set forth in the applicable statutes, regulations and federal, state or private payor health care program requirements." OIG also says that the written standards and procedures must be "clear" and communicated to all employees to ensure the effectiveness of the compliance plan. This is a high standard for practice managers or physicians, who often throw up their hands in disgust because they are neither equipped nor trained to ascertain the source of these precepts, let alone interpret them and summarize them accurately in written policies and procedures. Health law counsel experienced in these areas is usually a welcome relief to physicians serious about compliance planning.

If identifying risk areas is so important, should it be Step 1 or Step 2 in our compliance plan? The PCGs are the ninth set of guidelines OIG has issued. This is the first time OIG acknowledges that full implementation of all components of the compliance plan may not be feasible. OIG recognizes the viability of implementing the various compliance steps gradually, and suggests Step 1 be auditing and monitoring. Thorough analysis of and proper drafting of risk area policies and procedures is arguably an equally viable Step 1.

Practices unaware of their risk exposure areas may never audit a substantial risk. An alternative approach includes reviewing all services and procedures performed or provided by the practice. Reviewing the practice’s "superbill," obtaining information from billing staff and physicians, and obtaining a list of the 10-20 most frequently billed services are effective information gathering tools. Analysis of the Correct Coding Initiative, OIG’s work plan, the practice specialty association’s website, and enforcement activity against the particular specialty provide data sources to form the basis of initial discussions. A personal meeting with physicians and billing staff clarify procedures and understanding of the applicable rules, and usually raise additional questions (while identifying potential inadvertent non-compliance). This strategy requires advanced thinking and implicitly involves use of health law counsel.

Further, under Step 5 relating to Corrective Action Initiatives, OIG states that the compliance plan may require modification if the violation was not detected and that there could be a "flaw" in the compliance plan that failed to anticipate the detected problem which should be itself rectified. This begs the question. If the undetected violation was based upon a risk area never identified at the outset, and the Step 1 auditing process never looked at the issue, it was probably because the risk areas were never thoroughly analyzed at the outset. OIG repeatedly gives physicians flexibility in developing and implementing compliance plans. Developing detailed risk area policies and procedures as Step 1 may be an issue where flexibility and prudence should be exercised.

Where do we keep all this stuff? OIG recommends physicians insert the compliance plan in a "binder," ostensibly a three-ring binder with tabs delineating various sections tracking the steps of the compliance plan itself. The risk area policies and procedures, coupled with OIG Advisory Opinions addressing topics pertinent to the physician practice risk areas as well as all physician practice Special Fraud Alerts published by OIG, should be kept in the binder under the heading entitled Risk Areas.

What coding and billing risk areas has OIG identified? OIG says the most frequent subjects of investigations and audits by OIG that should form the major part of any coding and billing risk area policy should include the following:

• Billing for items or services not rendered or not provided as claimed (fraud of the old fashioned variety).

• Submitting claims for services that are not medically necessary (see more details below).

• Double-billing resulting in duplicate payment (whether by accident, recklessly or intentionally).

• Billing for non-covered services as if covered (e.g., using a covered office visit code when the actual service was a non-covered annual physical exam).

• Knowing misuse of provider identification numbers (e.g., billing under one physician’s license when another physician provided the service).

• Unbundling (billing for each component of the service instead of billing or using an all-inclusive code).

• Failing to properly use coding modifiers.

• Clustering (coding/charging one or two middle levels of service codes exclusively, thinking some will be higher and some will be lower, and the charges will "wash" over time).

• Upcoding (billing for more expensive service than the one actually performed).

It goes without saying in physician practices that E/M coding and documentation is a significant risk area in this context. OIG also stresses appropriate listing of diagnosis codes, and indicates physicians should make sure they have a working knowledge of the CPT, HCPCS and ICD-9 coding systems applicable to their specialty.

What medical necessity risk areas has OIG identified? Medicare defines "medical necessity" as services or items "reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of any malformed body member." Later in the PCGs, OIG restates the federal law making it unlawful to submit claims demonstrating a pattern of services that are medically unnecessary, and the fines and sanctions for such conduct. It restates the physician’s duty to bill for only those services that are medically necessary.

The PCGs also suggest physicians must be knowledgeable of Local Medical Review Policies published by the local Medicare Carrier to determine medical necessity criteria for particular items or services. HCFA anticipates publication of all Carrier LMRPs at http://www.lmrp.net" by the end of 2000.

Other helpful medical necessity criteria include the AMA definition, which states: "Health care services or products that a prudent Physician would provide to a patient for the purpose of preventing, diagnosing or treating an illness, injury, disease or its symptoms in a manner that is in accordance with medical practice; clinically appropriate in terms or type, frequency, site, and duration; and not primarily for the convenience of the patient, Physician, or other health care provider."

Other medical necessity criteria used for compliance planning include documentation that the services were reasonably expected to improve, restore or prevent the worsening of any illness, injury, disease, disability, defect condition or the functioning of any body member. Documentation should specify that the care: was reasonably expected to improve the patient’s condition at the time it was rendered; has improved the patient’s condition; prevented the onset or worsening of any disease or condition; assisted the patient to achieve or maintain maximum functional capacity in performing activities of daily living; or alleviated the patient’s pain and/or mitigated the severity of the patient’s symptoms.

With respect to diagnostic services, medical necessity is indicated if, without the test, the physician is unable to make a differential diagnosis or cannot properly or effectively manage the patient’s condition.

What medical record and HCFA 1500 form documentation requirements has OIG identified? The PCGs set out the following medical record documentation criteria:

• Complete and legible.

• Reason for encounter/relevant history/physical exam findings/prior diagnostic tests/ongoing assessment/diagnosis/progress and treatment outcomes/plan of care/test results/counseling.

• Date and legibility of identity of observer/provider.

• Rationale for ordering diagnostic and other ancillary tests.

• Past and present diagnoses.

• Applicable health risk factors/pertinent negative findings.

• Patient progress, response to and changes in treatment.

• Revisions and diagnoses.

• CPT and ICD-9-CM codes.

• HCFA 1500 form must link diagnosis code to examination and history findings.

What inducement, kickback and self-referral risk areas has OIG identified? OIG outlined in significant detail its concern about physicians’ arrangements with various types of facilities and entities to ensure that no illegal kickbacks, inducements or self-referrals occur. OIG reiterates its Special Fraud Alert relating to space rental agreements in physician practices where those physicians have referral arrangements.

What other risk areas has OIG identified? CMNs. In the context of its kickback concerns, OIG outlines risk areas relating to executing Certificates of Medical Necessity (CMNs) for durable medical equipment and home health services. OIG admonishes physicians to ensure that they do not sign blank CMNs; that they see patients first before the CMN is executed; and that medical necessity must be clearly documented in the patient’s chart.

ABNs. OIG devotes a special section to obtaining properly executed Advanced Beneficiary Notices (ABNs). This appears in the OIG’s 2001 Fraud Work Plan. The proper development of an ABN includes the following:

• Full description of the services.

• Reason the service is to be denied.

• The code should be listed.

• Blank forms are unacceptable.

• Signatures of both the patient and the physician should be obtained.

Physician Relationships with Hospital. Physician and hospital compliance with the teaching physician reimbursement rules, giving rise to the controversial PATH audits, remains a high enforcement priority for OIG, and appears again in its 2001 Fraud Work Plan. Physicians should take advantage of OIG’s suggestion that they rely on a hospital’s compliance plan to satisfy this particular issue. The same would hold true of anti-dumping law issues (if physicians moonlight in the ER) and gainsharing arrangements.

Improper hospital incentives, if they exist, may have been overlooked by the hospital’s compliance plan. Some examples OIG identified of questionable incentive arrangements with hospitals include:

• Free or significantly discounted billing, nursing or other staff services.

• Payment of a physician’s travel and expenses for conferences.

• Payment for a physician’s services that require few, if any, substantive duties by the physician (see the LaHue convictions resulting from medical director contracts that disguised inducements for kickbacks).

• Guarantees that physicians’ income will be supplemented if it fails to reach a pre-determined level.

Third Party Billing Services. Physicians remain responsible for any errors made by third party billing companies (3PBCs) even if they had no actual knowledge of billing improprieties. OIG is very concerned about physician contracts with 3PBCs based on a percentage of collections. Model compliance guidelines for 3PBCs were published in 1998. Physicians with these types of arrangements should ensure:

• Money is paid directly to the physician’s bank account.

• 3PBCs have no authority to change physicians’ codes.

• Protocols concerning the 3PBCs’ collection obligations should be detailed.

• The 3PBC should warrant it has no employees or individuals who were convicted or excluded from any federal payor program.

• It is also prudent to obtain a "hold harmless" from the 3PBC in the event of any recoupment or sanction, and to retain authority to inspect the 3PBC’s records at any time.

Professional Courtesy. OIG outlined appropriate protocols for physician practices in terms of giving professional courtesies, as follows:

• No "insurance" only; services must be free (caveat: any free or below fair market value service intended to induce referrals is an illegal kickback).

• No rewarding past or future referral sources, be they other physicians or practice employees.

• Flexibility in selecting who is the "target" of the courtesy, as long as the services are "free".

What other sources should I consult in developing risk area policies and procedures? OIG’s Annual Fraud and Abuse Work Plan. OIG discloses its resource allocation for the upcoming fiscal year, and identifies existing or new areas of fraud and false claims concerns. PATH audits, ABN compliance, and mid-level practitioner billings are among the top physician related priorities for OIG in 2001.

Correct Coding Initiative. Medicare’s Correct Coding policy is found at ß 4630 of the Medicare Carriers Manual. It outlines in detail Codes that are combined across various specialties, and is fertile ground for risk area analysis.

False Claims Act Settlements. OIG publishes on its website (http://www.hhs.gov/oig) details concerning false claims settlements with physician practices. Corporate Integrity Agreements (a very onerous form of government-imposed compliance planning) can be obtained via Freedom of Information Act (FOIA) requests. The most prevalent reasons for False Claims Act settlements and imposition of significant CIAs against physicians include:

• Lack of medical necessity documentation.

• Lack of supervision by physicians where required under billing rules.

• Unbundling codes.

• Systematic upcoding.

OIG Reports. OIG periodically publishes reports about fraud and compliance issues. In its Error Rate Analysis study published in June 2000, OIG found $13.5 billion in improper payments based upon documentation errors, lack of medical necessity, and incorrect coding.

FOIA Requests. Individuals may freely obtain crucial data from the Medicare Carrier that is extremely helpful in compliance planning. Physicians may file a FOIA request to ascertain utilization data of the practice (referred to as a UR 81 report) for each individual physician within the practice. The UR 81 provides statistical information for evaluation and management services, and all other procedures and services provided by the practice, and compares the practice to peer groups throughout the Carrier’s jurisdiction. If the UR 81 data demonstrate abnormal or "flagged" utilization patterns, the practice can then analyze the basis for its billing patterns and focus its compliance efforts in those areas. Another FOIA opportunity is to request data from the Carrier comparing the practice’s claim denial rate to the rates of other practices in the same specialty. Denial rates in excess of the peer group may form the basis of additional compliance efforts.

What are some of the other risk area "hot spots"? Full exploration of risk area "hot spots" applicable to all physician specialties is beyond the scope of this article. A few of the more prevalent hot spots include the following:

Incident to Rule. Physicians are faced with Medicare, Blue Shield and Medical Board rules and regulations concerning physician supervision over PAs and CRNPs that contain contradictory and inherently conflicting provisions. Physicians have (improperly, but inadvertently) billed Medicare under the "incident to" rule when they have not been on the premises while the service was being rendered (which is not required by Medical Board regulations); have not conducted the initial examination (which is permitted by Blue Shield and the Medical Board regulations, but not by Medicare); and been "victimized" by faulty computer programs and scheduling glitches that cause one or more of these problems. Further, billing PAs or CRNPs at Level 4 or Level 5 E/M codes is suspect, and OIG may be focusing enforcement efforts on that point.

Surgical Rules. Physicians serving as primary or co-surgeons must include in the global surgery fee numerous types of visits relating to the surgery for up to 90 days after the surgery is performed. Confusion is rampant with respect to proper coding and documentation of, for example, evaluation and management services billed that are unrelated to surgery in the post-operative period; providing distinct and separate procedures independent from other procedures performed on a single day; billing separate evaluation and management and same day surgery codes; and multiple surgery codes.

Preventive Services. Separate CPT codes exist for preventive medicine services. Screening services are typically excluded from coverage. Confusion among physicians is rampant with respect to dealing with a patient who is scheduled for an annual physical, but presents to the office with a condition that is billable, and how to deal with billing the preventive and/or "sick" visit.

Consultations. Lack of appropriate documentation to support a consultation as opposed to a regular office visit is another compliance hot spot. The request for a consultation and the medical necessity for the consultation must be documented in the patient’s medical record. Following the consultation, the consulting physician must prepare a written report of findings and provide the report to the referring physician. Transfer of a patient’s care cannot be billed as a consultation.

Diagnostic Screening Services. Certain diagnostic testing services typically excluded from coverage are reimbursable under certain, varied circumstances. Services such as colorectal cancer screening, PAP smears and pelvic examinations, screening bone mass measurements, and prostate cancer screening tests have different criteria that are strictly enforced.

The foregoing list identifies just a few of the many risk area "hot spots" not expressly addressed in the PCGs but which create continuous compliance concerns for physician practices. Careful study and application of the Medicare reimbursement rules and Local Carrier Medical Policies are imperative.

Charles I. Artz, Esq., is the principal of Artz & Associates, a Harrisburg law firm concentrating its practice in health care law, primarily in the representation of physician practices and associations.