We often look at compliance endeavors and our compliance officers as necessary evils but what if we use our Compliance Program and Compliance Officer as a strategic partner? I believe it would be accurate to define this type of arrangement as one that enables two parties to work together sharing resources so that they can achieve common objectives for success. Some common objectives could be:
- Establish & maintain a legal and ethical corporate culture.
- Bolster goodwill and foster a positive reputation within the community or industy.
- Identify risk areas that could compromise the business.
- Establish programs to address areas in need of improvement and risk reduction.
- Mitigate the chance of costly fines and penalties due to adverse or criminal conduct through communication, education and enforcement.
Having a compliance program can give you the competitive edge when it comes to recruiting top talent, attaining coveted payer network levels and winning a favorable market share of business in your community. People are attracted to businesses that do what is right because it is the right thing to do.
Let’s put some numbers on the table so you can weigh the risks and rewards of having a “real’ compliance program i.e. one that is specific to your clinic and is customized to fit the services you offer as well as the setting that you are in. “While the cost of a compliance program is significant, the cost of noncompliance is now estimated to be FIVE times as great” according to IntelliCentrics.
Assuming that most clinics cannot support a full-time compliance officer I will use a .50 FTE for calculation purposes and use an averge of all salaries on a per hour basis. (Nine employees: 4 licensees averaging $45/hour and 5 support and billing personnel averaging $25/hour.)
Compliance Officer (.50 FTE) $40,000
Compliance Program (attorney or consultant) development 5,000
Compliance Program implementation (est. 30 hours) 1,200
Employee education 4 hours each/year (9 employees) 1,400
Total $46,400
Now you have a general estimate on what it should cost to get a compliance program up and working so let’s look at what it might cost if you, inadvertantly, commited some of the most common violations that occur in the field.
HIPAA Violations & Penalties
Penalties can include millions of dollars in fines, loss of patients, credit-monitoring costs, lost productivity, civil and criminal investigations and damage to institutional and professional reputations. In many cases the repercussions from patient data breaches are difficult, if not impossible, to recover from. Please note the various categories and penalty levels per the Office of Civil Rights (OCR).
Table and Case Study is from Joette Derricks’, Security Risk Assessment for Small Practices: Tolls and Case Studies
HIPAA Violation & Penalty
A physical therapy clinic posted pictures of and testimonials from patients on their website without authorization resulting in a fine of $25,000 in 2016. As part of the settlement the provider was required to develop and implement a corrective action plan and report its compliance status to the Office of Civil Rights.
According to the OCR Director Jocelyn Samuels. “The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and make certain that it is a valid authorization form.”
So now let’s jump to, yet, another frequently violated statute:
False Claims Act (FCA) Violations & Penalties
The civil penalties for a FCA violation are:
- Triple the damages (value of the claims)
- Per claim penalty of $11,191 to $22,363 (adjusted annually)
- Potential criminal penalties—Federal Criminal Laws i.e.Prison
- Potential Administrative Penalty—Federal Program Exclusion
Some examples of False Claims Act violations are:
- Billing with deficient documentation per CMS Benefits Policy Manual Chapter 15 Section 220-232.
- Billing with disregard of code definition compared to actual intervention
- Billing for services by unlicensed personnel &/or students
- Billing for services provided by non-enrolled therapist(s) in Part B Private Practice
- Billing for PTA/OTA services without direct supervision Part B Private Practice
- Billing with coding deficiencies: 1:1 vs. Group, 8 Minute Rule, Modifiers, etc.
- Billing for services provided without a certified/recertified Plan of Care
- Billing under another provider’s # (MSA/rural exception)
- Billing when Conditions of Coverage/Participation are deficient
- Failing to return and report overpayments to the federal government within sixty (60) days
So let’s set the scene…
Medicare requests a copy of forty (40) charts from a physical therapy clinic. The auditor discovers that the therapist bills Medicare, consistently, for three therapeutic exercises and one (1) therapeutic activity for each date of service audited. The auditor also discovers that documentation only supports two therapeutic exercises and that the billed therapeutic activity should actually been billed as gait training.
The BEST outcome would that the clinic only has to refund Medicare one (1) unit of exercise and one (1) unit of therapeutic activities for all dates of service audited ( the provider could resubmit claims for gait training if the dates of service fall within the billing time frame limits).
The numbers:
- Using an estimate of twelve (12) dates of service per chart times forty (40) charts = 480 dates of service
- Calculating two (2) units per 480 dates of service yields 960 units to be refunded
- Using $30 as the average rate per unit times 960 units equals $28,000
The average amount of administrative time to respond to a request for records i.e. pulling charts, copying charts, tracking Plan of Care certifications, signature attestations, packaging of charts, shipping, etc., conservatively, takes about forty (40) minutes per chart which at $25/hour = $670. This does not include the time to establish a corrective action plan which will, minimally, require staff education; this, also, has a price tag of about $1,400 nor does it include attorney or consultant fees.
Another harsh fact to take into consideration is that the FCA requires providers to refund all monies paid by Medicare in error within sixty (60) days of discovery. So this would mean that the clinic must promptly do its due diligence to ascertain if the erroreous billing practice occurred on other claims and make a concerted effort to determine the extent of the problem and refund accordingly. Do you want to calculate those refunds?
So the best scenario results in a cost of about $30,000 for this single episode of improper documentation.
The best of the worst scenarios (i.e. using the minimum fee penalty vs. the maximum fee penalty) would be the activation of the False Claims Act penalty:
- Billed $100/visit (CMS allowable $80/visit)
- 1 visit (DOS) per claim
- Billed $38,400 of claims at Medicare’s allowable 80% portion
- Billed 480 claims to Medicare
Triple the Damages i.e. three (3) times $38,400 equals $115,200
Use the minimum penalty fine of $11,191 times 480 claims equals $5,371,680, yes that is seven (7) digits!
So, the best of the worst scenarios results in a cost of $5,486,880 for improperly billing $38,400 worth of claims. Just imagine if we used the $22,363 penalty for our calculations.
My final example of what a compliance program could thwart is:
OSHA Violations & Penalties:
The most common violations per OSHA are:
- Failure to train on the Bloodborne Pathogens Standard.
- Failure to implement and maintain Bloodborne Pathogens & Hazard. Communication Plan
- Failure to keep training records.
- Failure to keep a Sharps Injury Log.
- Failure to provide Safety Data Sheets.
- Failure to train on the Hazard Communication Standard.
OSHA uses four (4) classification for penalty administration. The DeMinimus classification is not elaborated upon as it only results in the Agency documenting a minor infraction of the business or entity. However, the following three categories do have significant penalties per violation:
Willful. A willful violation exists under the OSH Act where an employer has demonstrated either an intentional disregard for the requirements of the Act or a plain indifference to employee safety and health. Penalties range from $5,000 to $70,000 per willful violation. If an employer is convicted of a willful violation of a standard that has resulted in the death of an employee, the offense is punishable by a court-imposed fine or by imprisonment for up to 6 months, or both. A fine of up to $250,000 for an individual, or $500,000 for a corporation, may be imposed for a criminal conviction.
Serious. Section 17(k) of the OSHA Act provides that “a serious violation shall be deemed to exist in a place of employment if there is a substantial probability that death or serious physical harm could result from a condition which exists, or from one or more practices, means, methods, operations, or processes which have been adopted or are in use, in such place of employment unless the employer did not, and could not with the exercise of reasonable diligence, know of the presence of the violation.” OSHA may propose a penalty of up to $7,000 for each violation.
Other-Than-Serious. This type of violation is cited in situations where the accident/incident or illness that would be most likely to result from a hazardous condition would probably not cause death or serious physical harm but would have a direct and immediate relationship to the safety and health of employees. OSHA may impose a penalty of up to $7,000 for each violation.
OSHA will also create press releases to “shame” businesses that have violations, letting the public know about their wrongdoing.
How many of the violations noted above occur in your facility? If you start calculating the penalties as if you were cited, you will probably arrive at the conclusion that having a Compliance Officer and a healthy Compliance Program is one of the best strategic partners you could ever invest in.
Mary R. Daulong, PT, CHC, CHP
Business & Clinical Management Services, Inc.
January 8, 2019