The secrets to outsourcing your compliance program

The pros and cons of contracting these duties

Faced with the constant need to control costs, many providers are turning to outside contractors to manage their regulatory compliance efforts. Rather than sacrificing quality, many practices have found that leaving this function to an expert can also actually improve their compliance activities.

But there are still risks associated with contracting out your compliance management, and you need to factor these risks into the cost-benefit equation. The biggest risk is that you are still legally liable for anything that goes wrong.

According to a report by the Health Care Compliance Association (HCCA) in Washington, DC, the main benefit of outsourcing compliance is that it permits providers to "supplement scarce internal resources, verify internal compliance processes, and gain access to compliance best practices’ through the consultant’s broader exposure to the industry," says the HCCA.

On the downside, relying on outside vendors for compliance functions can mean you are not able to develop the kind of internal expertise that creates long-term cost and operational efficiencies.

You also run the risk of exposing yourself to fraud and abuse charges. The most likely problem area is creating "a compensation or risk-sharing mechanism that results in an illegal kickback violation under the federal anti-kickback statute" or similar state law, says Frank P. Fedor, an attorney with Murphy Austin Adams Schoenfeld in Sacramento, CA.

Kickback concerns

According to Fedor, the federal fraud and abuse cops are giving extra scrutiny to such items as physicians’ contractual relationships with hospitals that outsource their clinical services for possible kickbacks.

Another potential kickback problem area is marketing agreements in which providers compensate nonphysicians based on the volume of Medicare beneficiaries they refer for Medicare goods or services.

The advantage of an aggressive compliance program is that if the feds ever do have reason to question certain practice activities, the presence of a good-faith compliance effort on your part can minimize any legal fallout.

"But if you’re relying on advice from an outside source, you’d better know what advice was given and what you did to implement it if you hope to get any slack from regulators," says Stephen L. Hill Jr., a Kansas City, MO, lawyer and former U.S. attorney.

If a practice that outsources its compliance functions is questioned by compliance investigators, the worst-case scenario would be if all the practice has to point to is an off-the-shelf CD-ROM tutorial for compliance-related programs. "That just tells the government they’re dealing with someone who doesn’t want to meet their responsibilities," Hill says.

Use an outside auditor

When it comes to things like performing your own internal audits, government gumshoes tend to feel that the fox is guarding the hen house unless the practice is also periodically audited by outside professionals.

Tip: If you use an outside auditor, have him or her report the findings to your practice’s attorney, who then should pass the findings along to the group’s compliance officer, thus keeping the results under the umbrella of attorney-client privilege.

Practices that outsource their compliance officer function should maintain constant contact with the person or organization they contract with, the Office of the Inspector General (OIG) advised in its compliance guidance to small physician practices, issued Oct. 5, 2000.

To do this, the OIG suggested designating someone to serve as a liaison to help ensure a strong tie between the compliance officer and the group’s day-to-day operations.

The guidance also warned against outsourcing to a compliance officer who spends most of his or her time off-site, because this makes it hard for the compliance officer to know the inner workings of the practice due to reduced accessibility. The OIG also notes that possible conflicts of interest can arise when one compliance officer serves several different practices.

Providers who outsource must also be particularly careful about fulfilling their responsibility to protect patient confidentiality under the Health Insurance Portability and Accountability Act of 1996, notes the OIG.

Using confidentiality agreements and outsourcing only to reputable firms are ways to avoid such problems, recommend experts. Tip: Many compliance consultants warn against hiring compliance contractors who suggest they can increase your revenues by eliminating or reducing undercoding. This type of sales pitch can indicate an attitude that may create compliance problems rather than avoid them.

Also, once a compliance contractor gets on the radar of regulators because of questionable advice to one client, that firm’s other clients tend to be investigated as well.

Whether your compliance officer is an inside staffer or an outside contractor, "the buck stops at the top," says L. Stephan Vincze, president of Atlanta’s Vincze & Frazer consulting firm. "You may decide to delegate, but whether you outsource or keep it in-house, in the end, people report to somebody inside, and that is where the ultimate responsibility lies."

Whoever does the job, "you’re relying on that individual’s integrity and professionalism, because if the person doesn’t have that, your system will ultimately break down," Vincze points out.

Bottom line: "Get a true professional and an honest person, because that is really the most important credential of all."

Consider outsourcing hotline

Outsourcing a compliance telephone hotline is a good way to avoid many of the pitfalls associated with the compliance function, says William Tillett Jr., director of corporate compliance for Ernst & Young’s health care advisory services in Atlanta. "Basically, there are just a lot of things you can do wrong when you answer a hotline call that an outside professional will probably avoid," he notes.

According to Tillett, advantages to outsourcing this function include that you don’t have to worry about what hours the hotline will operate or what the protocols will be. You also don’t have to build a tracking system that gives you reports on the kinds of calls you receive.

Outsourcing also is a way of getting around the fear some workers will have of their voice being identified if they leave a voice-mail message. Plus, "You really need a two-way conversation to get the kind of information that will lead to effective compliance," Tillett notes.