Risk managers must be involved in using OIG compliance plan

Compliance officer probably won’t be your role, but still lots to do

Despite all the frightening reports about the federal government’s crackdown on fraud in health care, many health organizations are still only thinking about creating a compliance plan. Risk management sources say those organizations are greatly increasing their risk of violating federal laws and receiving harsh punishment if they don’t immediately get to work on formulating a compliance plan.

And when your health care organization is putting itself at risk, whose job is it to raise the warning flag and kick the right person in the butt with an admonition to get working? You, the risk manager.

In simple terms, that is the role of the risk manager when it comes to formulating a compliance plan for your health care facility. Once the development is under way, a compliance plan is a major effort that will involve a wide range of senior leadership in the organization, and the risk manager will play a significant role. The good news — good news in the opinion of most — is that you’re not likely to be picked to head the entire effort.

Many health groups are struggling with just how to formulate a compliance plan, and there is not yet any formal plan for how to go about it, notes Jan Johnson, vice president of the Profile Group of MMI Companies, a consulting group in St. Paul, MN. Johnson has been working closely with many health care organizations that already are developing compliance plans and appointing compliance officers (COs), and she tells Healthcare Risk Management that there is a great disparity in how they are going about it. She says risk managers play an integral role but are not likely to be given the entire project.

"I’ve yet to hear of a risk manager becoming the compliance officer," she says. "It’s usually someone out of finance, or maybe the legal counsel. But this is a whole new field and providers are still finding their way. I saw one client where the hospital’s marketing director was appointed as compliance officer, but he quit as soon as he saw what the job entailed."

Compliance officer full-time job

Health care organizations will get a major boost when the federal government releases its model hospital compliance plan, which is expected to be released in December or January 1998. The plan is being developed by the federal Office of the Inspector General of the Department of Health and Human Services in Washington, DC, and will serve as a template for providers to follow in setting up a system that keeps them on the straight and narrow of federal regulations. The plan is expected to detail how a facility should develop compliance plans with each department, train staff on the proper methods of billing and documentation, and conduct concurrent reviews of records. The OIG plan also will require facilities to review and revise policies that concern billing, coding, and documentation. (See the story on p. 135 for why you need a corporate compliance program.)

Even with the OIG plan, health care organizations will have to do a lot of work to create their own compliance programs, says John C. West, JD, MHA, assistant legal counsel with the American Hospital Association in Chicago. He has been monitoring the federal government’s increasingly aggressive crackdown on fraud, and he cautions that the OIG plan is only going to be a tool, not a solution.

The OIG plan will provide a good look at what the federal government wants to see in your corporate compliance plan, but you will have to take it from there, he told attendees of the recent meeting of the American Society for Healthcare Risk Management in Atlanta. The details of how you set up the corporate compliance program may be far less important than the simple fact that you have one.

"Just having a corporate compliance program is a very, very good thing," he says. "If it looks like you’re trying, the government will be much nicer to you when they come in to investigate you."

(See the story on p. 139 for West’s tips on how to avoid an investigation, and the story on p. 136 for the basic elements of the OIG plan.)

The installation of a CO is a major part of the compliance plan, and Johnson says she expects the OIG’s model plan to make a few things clear about how the CO position should work.

"The plan will clearly indicate that the CO’s major job is corporate compliance. It won’t be an ancillary activity," she says. "I’ve seen many organizations give that title as a secondary title to someone and tell them they can do compliance for five minutes every other week. The OIG is going to say that doesn’t work. It’s got to be a complete position, not part of someone’s job."

Even though she has not seen it, Johnson says there is no reason not to appoint a risk manager as the CO. But she also notes that the CO, whoever it is, must report directly to the organization’s board of directors, with no one in between.

"It is very important that the CO report directly to the board without having to go through a chief financial officer or any other superior," she says. "That could be one reason risk managers are not top candidates for taking the CO position. In a lot of organizations, it would be difficult to have the risk manager report directly to the board without a wholesale change in the hospital administration."

The AHA’s West also stresses that the compliance officer must have substantial authority within the organization. "The CO has to have the authority to go in and shut down a process that is potentially fraudulent," he says. "It is not sufficient for the CO to just criticize it and urge someone else to shut it down."

(See the story on p. 137 for the views of ASHRM leaders.)

Major role for risk manager

Even if you are not tapped as the CO, don’t think the risk manager’s role is minor in any compliance plan, cautions Denny Thomas, director of risk management at St. Joseph’s Hospital in Marshfield, WI. His organization has been working for 18 months to develop a compliance plan for the St. Joseph’s system, and he stresses that the risk manager must collaborate closely with other leaders.

"You have to be actively involved because this is a tremendous collaboration between human resources staff, the chief financial officer, and other senior executives," Thomas says. "On our team, we’re looking to our financial leadership to make sure we’re in compliance and see what strategy we have in place. My involvement as the risk manager is overseeing areas such as managed care, conflict of interest, environmental concerns, and other regulatory practices."

There is a lot of overlap in duties within a compliance plan, Thomas says. Especially since risk managers wear so many hats these days, your exact role in any compliance plan will depend a lot on your job description within the organization. If you already are heavily involved in financial matters, you are more likely to take on many of those duties within the compliance plan. If your background is more clinical, on the other hand, you may play a more ancillary role.

"I had a real learning curve because my background is clinical, but I felt it was important for my career to get involved as much as I could," Thomas says. "Everyone will bring their strengths to a compliance plan, and that makes it a much smaller burden. When you take smaller bites, a compliance plan seems much more doable."

Johnson suggests that the role of a risk manager in any compliance plan is just an outgrowth of the basic, traditional role of the risk manager in health care. Since the compliance plan is designed to make sure the health care provider is not in violating the letter or spirit of any federal laws, the risk manager can play a vital role in spotting possible transgressions.

"The risk manager’s role can be to work with the compliance officer and identify risky practices, risky policies, and so forth that put the organization at risk of serious penalties," she says. "There may be other mechanisms in the compliance plan that try to prevent those transgressions and deal with them once they’re found, but the risk manager can be very important in watching for them."

She compares the role of a risk manager in a compliance program to the way risk managers always have worked with other hospital departments to address problems that are not entirely within their control. If the risk manager spots a problem in clinical treatment procedures that could lead to malpractice lawsuits, he or she can raise the issue with the appropriate department heads and explain the potential liabilities if the problem is not addressed. The same thing can happen with the coding and billing problems, for instance, that will make up some of the biggest demons in any compliance plan.

"The risk manager also might want to get involved with anything that could cause an internal problem to blow up and come to the attention of outside investigators," she says. "If a patient calls to complain about a billing problem and it can’t be resolved, your staff might get frustrated and become a whistleblower. These are things that might need your attention much earlier than you would have been involved before."

Many facilities don’t have compliance plans

St. Joseph’s is just beginning to roll out its corporatewide compliance plan to its hospitals in Wisconsin and Minnesota. Senior executives are personally going to each hospital and giving a presentation to managers about how the compliance plan works. The chief financial officer leads a three-person team making each presentation, also providing educational materials that can be used to explain the compliance plan to department heads and other staff. The senior executive’s personal delivery of the plan is an example of what Thomas calls the crucial commitment of management to the compliance plan. Though it is almost a cliche that any meaningful project requires "commitment by top management," he stresses that an effective compliance plan requires the active participation of senior executives, not just a memo declaring that the president or vice president supports the idea.

"The message our executives deliver to employees is that this compliance plan is a proactive approach," he says. "We haven’t done anything wrong, but with the complexity of today’s laws, we will deliver better health care when we’re all better educated."

In developing the plan, St. Joseph’s concentrated on billing practices, Stark anti-referral regulations, and fraud, the three big targets for the federal government’s recent crackdown on the health care industry. But the plan also is wide-ranging, covering many federal regulations that are not strictly health care-oriented. The plan includes rules from the Environmental Protection Agency and the Occupational Safety and Health Association, both in Washington, DC.

If St. Joseph’s experience is any indication, and there is every reason to believe it is, many health care providers are dragging their feet about developing compliance plans. St. Joseph’s consulted with many other facilities outside their own corporate structure to see if anyone had tips they could incorporate in their own plan.

Hospitals dragging their feet

"When we started developing this and even as recently as this summer, we found facilities telling us that ‘it’s on our to-do list, but give us a call when you have yours in place,’" Thomas recalls. "They’re waiting for the OIG’s canned package and hoping they can just put it to use in their facility."

Thomas and Johnson both caution that you must not depend on the OIG to do all the work for you. It is true that the OIG’s plan, once it is released, will provide an excellent starting point for any facility that has not yet developed a compliance plan. But a truly effective compliance plan must be tailored to your own institution, taking into account your organization’s own culture, goals, and past history of any problems that would be addressed in a compliance plan. The OIG plan can be a template, but it cannot be your compliance plan.

"The OIG is quantifying the important points that probably better be there in your own plan," Johnson explains. "It will serve as a template for the OIG to come in and see what you have done and judge the effectiveness of your plan. It also will be the model plan that the government forces on you after you’ve violated federal law and have an integrity program forced down your throat."

With the OIG’s plan in hand, health care providers who are not far along in developing their own plan should have an easier go of it. The OIG model should make it possible to develop a specific compliance plan for your organization in much less than the 18 months it took for St. Joseph’s, Thomas says.

"We were struggling at first with just how to get started," he says. "The OIG plan will give you a good boost, but you will need to do more work on your own. There are some good educational seminars out there that can help, and other facilities can share the lessons they’ve learned. If you’re at square one, don’t be afraid ask someone else what they went through."

Thomas says he and the other leaders in St. Joseph’s compliance plan will take a good look at the OIG’s model plan, hoping there is a lot of similarity. Most likely, some modifications will be needed to make sure the St. Joseph’s plan adequately addresses each of the important points in the OIG’s plan. He predicts that most health providers who already have prepared a compliance plan have nothing to fear from the OIG’s plan. Instead, it probably will confirm that most of your plan is valid and highlight the spots where you need to do more work, he says.

But the AHA’s West has words of advice that are a bit more cautious and skeptical. The built-in flexibility of the OIG’s model compliance plan could be a curse, he says.

"Beware of ambiguities in anything the government tells you," he says. "You never know with the government whether they’re giving you latitude or just withholding definitions so they can come back later and say, ‘Gotcha!’"