Medical Practice Compliance Program in 4 Steps

Identifying and correcting potential vulnerabilities in your practice through a compliance program optimizes claims payment, minimizes billing mistakes, reduces the chance of an audit, averts protected health information (PHI) breaches, and avoids conflicts with Stark and other anti-kickback statutes.

If you haven’t already initiated a compliance program in your practice, here’s how to get started:

1. Identify vulnerabilities.

The Office of Inspector General (OIG) has identified coding and billing, reasonable and necessary services, documentation, and improper inducements as potential risk areas affecting physician practices.

Based on this guidance, begin with the following when evaluating risk areas in your practice:

• Data entry accuracy
• Encounter form vs. billing record
• Explanation of benefits (EOBs)
• Denials
• Secondary insurance submission
• Patient statements
• Sufficient documentation to validate medical necessity (for billing, as opposed to clinical, purposes)
• Legible identity of the provider
• Legibility
• Identification of patient
• Date of service
• Place of service (POS)
• Chief complaint/reason for encounter
• Cloning/copy and pasting
• Documentation of tests, procedures, etc., in the record
• Documentation of time-based codes
• Incident-to compliance review
• Improper use of modifiers
• HIPAA security and privacy
• Financial agreements and contracts
• OSHA and CLIA
• EMTALA

The OIG and the state’s office of Medicaid Inspector General publish work plans, each year, to inventory the risk areas they are targeting. The OIG also publishes alerts and advisory opinions. Be sure to monitor these alerts, opinions, and work plans to identify potential vulnerabilities in your practice. Practice history is also important when determining the risks to be assessed.

2. Benchmark.

Benchmark your data to determine if any of your providers are outliers (i.e., their billing patterns are markedly unlike those of their peers), which could cause them to become targets for an audit. If Medicare identifies a provider as an outlier, it is not a forgone conclusion the provider is submitting inappropriate claims; however, when a practice identifies a provider as an outlier, it is prudent to verify the billed services are accurately and appropriately documented and coded.

By entering provider productivity data (which can be obtained from the practice management system) into a benchmarking tool, practices can determine which providers are at the highest risk for an audit. Measures can then be taken to mitigate risk by implementing controls, such as training and education, policies and procedures, and internal auditing. Catching issues early allows the practice to reduce potential overpayments and potential false claims and civil monetary penalties.

3. Assess risk ratings.

When a vulnerability or risk has been identified, it is important to determine the risk rating. Using a risk matrix similar to the one pictured, below, a risk rating will be assigned to each potential risk.

After risk levels are identified, a compliance officer should prioritize which risks will be addressed. The task is made simpler with an organized risk register to track identified risks and to help prioritize them by risk rating. This provides the manager or compliance officer with a simple tool for allocating resources to mitigate those risks of highest importance.

4. Implement audits and corrective action plans.

After a provider is identified as an outlier, or vulnerabilities are identified with risk ratings, you must develop an audit and corrective action plan. It is not realistic for most practices to review every claim; therefore, it's smart to focus on the highest-revenue and highest-volume services. The practice’s baseline audit can help to determine whether:

• Bills are accurately coded and reflect the services provided in the medical records
• Documentation is being completed correctly
• Services or items provided are reasonable and necessary
• Any incentives for unnecessary services exist

The OIG recommends performing a benchmark audit three months after implementing initial education and training. A baseline audit examines the claim from the initial documentation to the submission. Following the baseline audit, the OIG recommends annual audits of randomly selected records.

Corrective action plans include staff training, new or updated policies and procedures, and follow-up auditing and monitoring in specific areas where vulnerability has been identified.

Control measures depend on the process or service. Adding a claim scrubber program, hiring a certified coder for the practice, or instituting an annual training program mitigates risks. Avoid risks by choosing to discontinue the source, such as a service or procedure. If an area of risk is low for a practice, the organization may decide to accept the risk and monitor at least annually.

Although an effective compliance program may not eliminate all fraud, abuse, and waste from a practice or organization, it does significantly reduce the risk of improper conduct.