Blog, Chirosecure Live Event November 23, 2023

Chiropractic Malpractice Insurance – Revised OIG Compliance Guidance

Click here to download the transcript.

Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.  We suggest you watch the video while reading the transcript.

Welcome everyone. My name is Michael Miscoe with Miscoe Health Law and this, installment of the ChiroSecure Growth Without Risk Program is gonna focus on recently released OIG compliance Program guidance. Now this guidance has existed for many years, well over a decade, and it has caused some confusion and has led.

Click here for the best Chiropractic Malpractice Insurance?

Doctors into the belief that they need formal compliance programs and whatnot. So what I’m gonna do is start out with the old guidance for small physician practices, and then talk about what the general guidance is. They have not yet published the new provider specific or entity specific guidance yet, but we’re gonna.

From the general guidance, what I anticipate that will include. Now, the good news is that I don’t see any meteoric changes in the OIG guidance. Fundamentally, they lay out the seven, same the seven same principles of a compliance program. And I anticipate with respect to small physician practices, like many of you, when I say small, like less than 25 providers.

If you have one to five providers in your office or maybe multiple offices then you’re still considered small, but based upon your size, it will determine how deliberate you get with your compliance program efforts. Specifically with respect to formal compliance plans. Now under the old guidance for small physician practices, the OIG stress that

Get a Quick Quote and See What You Can Save

Formal written policies and procedures were not required. And the reason for that was very simple is because small practices usually don’t have the resources to effectively implement a formal written plan. For providers that bought formal written plans, most of them ended up as door stops. And fundamentally, I always argued against.

Small practices adopting formal plans for a couple of reasons. One, the lack of a trained compliance officer, which is, about a, high five figure, low six figure job classification in the industry. And most practices don’t have the resources to afford a formal compliance officer.

So the compliance officer was either the doctor or the office manager who had no formal training in compliance and therefore didn’t really know what to do. So you have a figurehead compliance officer. The other problem with formal written plans is that they become more of a liability. Than they are an asset because if you’re not following or implementing the mandates of your compliance.

And that leads to an error. You’re pretty much handing the government intent on a silver platter because you imposed upon yourself these policies and procedures, you didn’t follow them. That’s somewhat reckless. And where that led to an overpayment then that hands the intent element.

Under the False Claims Act to the government. So I think it creates more liability than it solves. Now, certainly if you have a formal compliance plan, policies and procedures, and you implement them effectively, then yes, it can be a big asset demonstrating your. Attempts at what I like to call good citizenship.

And by the way I’m dressed a little bit differently today. We’re starting the army, Navy I went to West Point, so we’re in army, Navy preparation mode. So go Army beat Navy. Now back to our topic. So whether you have a formal compliance plan or not you need to understand what.

That is gonna require of you. Under the the seven elements that of a compliance program and a program is different than a formal written plan, but a formal written plan just formally imposes policies and procedures to implement these elements. And they include, first of all, the written policies and procedures, your code of conduct and policy maintenance requirements, meaning how often you’re gonna review them compliance, leadership, and oversight.

That is the designation of your compliance officer, maybe a compliance committee training and education, how you’re gonna handle training and education, your staff on compliance issues. And that includes provider training as well, documentation, coding and whatnot. That training is gonna be a byproduct of another element, which is called risk assessment.

A compliance program has enforcement. For people who are non-compliant up to and including termination. It can also have incentives. So when I look at physician compensation arrangements, most times they’re built on RVU worked, or number of patients seen or number of services performed or value of services.

And that unfortunately incentivizes people to do more services rather than follow the rules. So I like to build into physician compensation agreements some compliance metrics by which you balance the desire. To do more services, which may lead to allegations of medically unnecessary care.

There’s too many services. Documentation usually suffers which then creates compliance risk. So when you balance that with compliance metrics, which are. Evaluated under another element, which is compliance program, auditing and monitoring, where you’re doing internal audits, validating whether providers are complying with the payer specific requirements for documentation and coding.

Then, and building that as part of their compensation. You’re actually incentivizing. Compliance in your practice and then responding to detected offenses. And that has to do with what I like to call the mandatory voluntary refund and disclosure rule. It’s a component of the False Claims Act, but when anything puts you on notice, an internal audit, an external audit a query, a denial that you may have similar error.

For healthcare plans that are funded directly, indirectly in whole or in part by Federal healthcare program dollars. So think about Medicare state, Medicaid Medicare Part C federal employee health benefits, federal workers’ comp I. Any of those any of those programs, because they’re funded with Federal healthcare program dollars, you have what’s called Reverse False Claims Act liability.

And in those cases when you have the potential or know, or should know. If anybody in your practice knows or should know that there’s a potential for error in claims out, out that you’ve been paid for and it goes back six years, you have an obligation to initiate an investigation. And this is part of the detected detecting overpayments and offenses provisions of the.

The program initiated an investigation, identifying claims that don’t meet standards and then voluntarily disclose them and refund the money associated with them. Messing around for those of you that are still on the billing hamster wheel and you’re messing around with federal healthcare programs, and you may not even know it because federal employee health benefits plans usually

Are administered by the blues, so you think it’s regular commercial insurance, but if you look to who the patient’s employer is, it’ll probably tell you or look at the group. It’ll tell you that it’s a federal Employee Health Benefits Act program and it is in fact funded by federal dollars.

Even if you’re not billing Medicare, Medicaid. Watch out for those federal employees and federal workers’ comp. Va if you’re participating in the community care program, tricare, those are all federal dollars and to which the voluntary disclosure and refund rule applies, and it can have some significant impacts.

Certainly be cautious there. Now one of the things, even if you don’t have a formal written policies and procedures as a small practice, which I recommend, I nonetheless recommend having a compliance program, meaning things that you routinely do. To identify whether you’re complying with the rules or not.

And first and foremost, you don’t know if you’re complying with the rules or not. If you haven’t read the rules. What the guidance describes as risk assessment and monitoring. The risk assessment is where you go out and you look at every payer that you submit claims to and that you participate with.

And I would even do this for cl payers that you don’t participate with. Pull their medical policies. Read your contracts. Your contracts will usually incorporate their medical policies, but pull the policies relative to the services that you provide and make sure that you understand their documentation, content requirements and comply with those expressly.

And they will be different with respect to certain services from one payer to another. So be very careful. Records are signed, they’re legible. Those are the common things for time-based services. You’re documenting time and contact and all that stuff. And even though that may not be in the policies, it’s definitely something that’ll come up.

So those are things, good habits that you want to get into and internally monitor not only. If you’re the primary provider, monitor your own records, monitor your associates records things like delegation, how does a payer feel about that? I’m dealing with two termination cases right now over delegation where the providers are being terminated from the networks and unfortunately, those networks are a big part of the provider’s practices, and it was just one of those.

They never knew and the reason that they didn’t know is because they never went through and did the risk assessment. So formal compliance plan or not risk assessment is critical. And everybody that bills third party payers should be doing that. Once you have those policies pulled, you’ve read them, this is where the education piece comes in, where now we need to get that information out to providers and staff, your internal auditors, whoever’s gonna be checking your stuff to make sure.

That you are in fact in compliance from a content perspective. Take Medicare for example. Those of you still billing Medicare. When you pull the Medicare benefit policy manual, which is Pub 100 dash two, chapter 15, and you look at section two 40 0.1, 0.2 in that they have requirements for initial and subsequent visits.

You better have every one of those things covered. In your initial visit documentation and then your subsequent visit documentation. ’cause if you do not, it’s a guaranteed denial and it’s very hard to get overturned and where that documentation error shows up predictably, then that’s what’s triggering, the voluntary disclosure and refund.

So even a small audit may trigger an internal audit that has . Huge implications from a financial perspective that are very damaging. Be very careful when you’re dealing with federal healthcare programs, especially to download those requirements for commercial payers, especially a large commercial payer that’s important to your practice.

The time to figure out that you should have done a risk analysis is not when you get a post-payment audit result and they’re asking for a boatload of money back or threatening to terminate you from their network. Because at that point, it’s a little too late to get the wheels back on the train sometimes.

A little bit of advanced work, and this is what this guidance is advising you to do, go ahead and do that risk assessment. And if you need help, I mean use Google. It’s not hard. When I’m doing policy research for a plan that I don’t have the policies already pulled. I get on Google and it’s a Blue Cross Blue Shield of Nebraska medical policies or

Aetna medical policies for whatever state you’re in. It’s really not hard. And when you go look through the links on what it comes back with, you’ll find a link from the payer that’ll take you right to their medical policy page. And then once you’re there, you can search by procedure code by name like chiropractic or therapy or something of that.

Or by code as I mentioned and find the policies that are relevant to you. And so it’s not difficult to find these things. Payers have made it much easier than when I got started in compliance in the nineties where they didn’t publish any of this stuff at all. Now. They freely publish it and you’re expected to have looked at it and read it.

Whether you do or you don’t, your contract makes you responsible for knowledge of those policies and compliance with them. So that’s probably, if you have one takeaway from today’s presentation. If you’re billing third party plans, meaning. You’re the first party, the patient’s, the second party, the insurance company that’s paying the bills, the third party.

So when you’re sending bills to an insurance company on behalf of a patient for reimbursement assigned or unassigned, it would behoove you to make sure that you understand that, that payer’s requirements with respect to documentation, content, coding, modifier, usage, unbundling, all of those things so that you don’t get your self image.

In a jam down the road now. So that was the old guidance. And as I mentioned, for small practices, the the compliance program didn’t have to be, boiled down to specific written policies and procedures, and I expect that will not change. Just this month in, in November the OIG published their new general compliance program guidance, and it hits all of the same themes.

So I don’t really see anything changing. The elements are the same in the emphasis on risk assessment, auditing and monitoring. Of course it goes through. The litany, the big update is all the litany of things that healthcare enforcement actions that you could be subject to, the false claims Act, civil money penalties exclusion authorities, criminal healthcare, fraud statutes and it even adds in the HIPAA privacy and security, which was always a separate component of compliance because that was a separately

The Office of Civil Rights oversees HIPAA privacy and security. So from that perspective, that was always separately. Now they’ve included it in the OIGs general recommendations for compliance programs. If you’re having a written plan and you do have to have written policies and procedures for privacy and security, but you don’t need them for compliance.

But nonetheless, here’s what you need to do. One risk assessment. Okay, so get yourself a binder and put all the policies and procedures that apply to you. Two, set up a schedule. Whether you have a tickler on your calendar or something to remind you, go back and re-look at those policies to see if they changed, because payers don’t send you little letters.

Hey, we changed our policies and here’s a new policy. They just changed them and they post it on their website and you’re supposed to know about it. So you have to periodically re-look at those policies, and I would recommend at least every six months. To validate whether anything had changed. When there’s a change, pull the new policy.

Okay? And then when we get into the education, I’ll show you how that all fits in. But certainly you want to get that policy, what changed, get that out to the providers as well as your internal audits, staff, coders, billers, whatever. And if you use outside billing, don’t assume. They’re the experts on all this, on your particular payers, and that they know what that, that payer’s requirements are.

They probably have never read those policies either. Most third party outside billing services do, work on what I call the everybody knows, or the universal truth rule when it comes to coding. They may or may not be responsible for evaluating your documentation. Usually they’re not. They just bill and they bill what you tell ’em to bill.

So don’t rely on them to tell you what you need to do to comply with any particular payer’s policies. Look that stuff up for yourself. You need to make sure that you. Open up lines of communication, so that if someone thinks there’s a problem, you wanna make sure that they feel comfortable about bringing that to your attention.

If anybody leaves, you wanna do exit interviews, make sure, hey, is there have been any compliance related issues, concerns, whatever, and if they say no, great. But if they say yes, you gotta look into it. And do an investigation. You may or may not need help from qualified healthcare counsel.

But especially when you’re dealing with federal healthcare program dollars, that is where I would especially get healthcare counsel involved so that you can have privileged . Conversations as you’re conducting your investigation and make rational decisions about whether to disclose, not disclose is an appealable issue or not.

I wouldn’t necessarily rely on compliance consultants to help you necessarily make those decisions because they have legal ramifications.

You want to implement some type of internal auditing program. And when I say internal auditing, you pull claims as they’re going out. You wanna catch this stuff before it leaves. Retrospective auditing is fine other than you’re finding errors that on claims that have likely already been paid, in which case those errors may be the basis for triggering an investigation under the voluntary disclosure and refund rule.

If you’re catching. Claims contemporaneous and you’re fixing errors before they go out. Then depending on the type of error, if it’s a one-off, we got the wrong date of service, we listed the wrong provider we’re missing the time or something, then you can get that corrected and it doesn’t necessarily trigger anything.

Under the voluntary refund and disclosure rule. It might, but it usually does not. You want to catch those as one-off errors that don’t necessarily have any likelihood that those errors are gonna show up in other claims. That is what I would recommend once they come out with a small physician guidance to the extent that it’s any different than before.

I doubt they’re gonna require formal written plans for small physician practices simply because, again, resources you just don’t have the resources because you need a dedicated person to do compliance. If the compliance officer has any other. Responsibility in, in the office wiping the dust off of doorknobs the compliance is not gonna get done.

And you definitely don’t wanna put the compliance responsibility on the doctor or the practice manager because they’re conflicted. It’s very difficult to audit your own work. So with that just something to. Definitely do the risk assessment, education, internal auditing, and you’ll be leaps and bounds ahead of your peers as far as mitigating your post-payment risk.

And then if you look at some of the pre, previous sessions that we’ve done, diff, code pairs that are problematic, like CMT and manual therapy or massage delegation, things of that nature too much extremity, CMT, too many and s those are things that are really getting payers attention these days.

You wanna stay away from and if you do your risk assessment, you’ll understand why they’re concerned about those things. That’s all we have time for today. I apologize for going a little bit long, but it’s a overly broad topic and we’ll see you next time. Go Army Beat Navy.


Click here for the best Chiropractic Malpractice Insurance?

Get a Quick Quote and See What You Can Save