1. INTRODUCTION

The Office of Inspector General ("OIG") of the Department of Health and Human Services has issued its Compliance Program Guidance for Third-Party Medical Billing Companies ("Billing Company Compliance Guidance") on November 30, 1998 as part of the OIG’s continuing effort to encourage the health care industry to police itself. This is the fourth compliance program guidance document issued by the OIG this year. Additional compliance guidance for durable medical equipment companies and Medicare+Choice organizations is expected to be issued by the OIG early in 1999. The OIG also has solicited comments on the development of compliance program guidance for the nursing home industry and its providers and suppliers.

The various compliance program guidance documents are similar in many respects since all are based on the Federal Sentencing Guidelines, and also reflect the elements of the corporate integrity agreements generally imposed on health care providers during settlement negotiations with the government. However, the Billing Company Compliance Guidance is unique because it creates a bifurcated system of compliance responsibilities. According to the OIG, a billing company faces potential compliance liability both in connection with its own operations and in connection with the operations of its provider clients.

The compliance guidance documents are not legally binding, and the OIG continues to emphasize that these materials are designed to provide guidelines rather than a definitive blueprint. In this instance, the OIG notes that there is tremendous variation among billing companies in particular, both in terms of the types of services they provide and the manner in which these services are provided to clients. Therefore, the OIG encourages companies to adopt individualized compliance programs, taking account of the company’s specific risk areas as well as the resources available. The OIG further points out that a billing company may have an increased need for its own, effective compliance program since an ineffective program could expose the client to liability.

The OIG identifies seven elements which must, at a minimum, be present in all comprehensive compliance programs even if full implementation of all the elements may not be immediately feasible. The seven elements that are mandatory for all corporate compliance programs include:

• The development and distribution of written standards of conduct;
• The designation of a chief compliance officer and other appropriate bodies to operate the compliance program and report directly to the organization’s governing body;
• The development and implementation of effective education and training programs;
• The creation and maintenance of a process, such as a hotline, to receive complaints (and the adoption of procedures to protect complainants from retaliation);
• The development of a system to respond to allegations of improper/illegal activities, and the enforcement of appropriate disciplinary action;
• The use of audits and other risk evaluation techniques to monitor compliance; and
• The investigation and correction of identified systemic problems as well as the development of policies to address the non-employment of sanctioned individuals.

This Memorandum will highlight some of the more significant provisions in the Billing Company Compliance Guidance that specifically relate to billing companies. It is important to note, however, that many of these same provisions will be relevant to other providers who perform the billing function for themselves, and may be particularly helpful for those for whom the OIG has not yet issued any compliance program guidance, including physicians, group practices and skilled nursing facilities. In addition, this Memorandum will briefly refer to some additional compliance issues, covered in the Billing Company Compliance Guidance, which are broadly applicable to others in the health care industry.

1. COMPLIANCE ISSUES SPECIFIC TO BILLING COMPANIES

There are a number of provisions in the Billing Company Compliance Guidance which reflect the unique situation of billing companies in the context of corporate compliance. In essence, billing companies must monitor not only their own compliance with laws, regulations and private payor program requirements, but they must also address compliance issues raised by their provider/clients.

1. Risk Areas

As described above, one of the seven basic elements of a compliance program involves the development and implementation of written standards of conduct. In the Billing Company Compliance Guidance, the OIG also notes that a corporate compliance program should have written policies which articulate certain standards in more detail, e.g. those procedures personnel should follow when submitting claims to federal health care programs. The OIG recommends that all billing companies initially conduct a comprehensive risk analysis to identify and rank the various compliance business risks facing the company in its daily operations. This risk analysis, which may be self-administered or conducted by an independent, experienced risk analysis organization, should serve as a basis for the written policies the billing company subsequently develops.

1. Risk Areas Generally Applicable To All Billing Companies

In addition, the OIG provides a list of the following 17 "risk areas" to provide a starting point for all billing companies’ initial efforts to develop appropriate policies:

• Billing for items or services not actually documented;
• Unbundling;
• Upcoding, such as "DRG creep";
• Inappropriate balance billing;
• Inadequate resolution of overpayments;
• Lack of integrity in computer systems;
• Computer software programs that encourage billing personnel to enter data in fields indicating services were rendered even when not actually performed or documented;
• Failure to maintain the confidentiality of information/records;
• Knowing misuse of provider identification numbers;
• Outpatient services rendered in connection with inpatient stays;
• Duplicate billing;
• Billing for discharge in lieu of transfer;
• Failure to properly use modifiers;
• Billing company incentives that violate the anti-kickback statute or other similar laws or regulations;
• Joint ventures;
• Routine waiver of co-payments and billing third-party insurance only; and
• Discounts and professional courtesy.

The OIG notes that the list of high-risk areas identified in the Billing Company Compliance Guidance is not an exhaustive list for billing companies (or for their provider clients) who may well have additional risk issues that they must resolve. In particular, any history of non-compliance may indicate additional risk areas that should be addressed by the compliance program.

1. Additional Risks For Billing Companies Providing Coding Services

The OIG provides further specific guidance for those billing companies who provide coding services. In particular, the Billing Company Compliance Guidance identifies the following additional risk areas for such companies:

• Internal coding practices;
• "Assumption" coding (or the coding of a diagnosis or procedure without supporting clinical documentation);
• Alteration of documentation;
• Coding without proper documentation of all physician and other professional services;
• Billing for services provided by unqualified or unlicensed clinical personnel;
• Availability of all necessary documentation at the time of coding; and
• Employment of sanctioned individuals.

While noting that documentation is the responsibility of the provider, the OIG states that the coder must be aware of proper documentation requirements and should encourage providers to document appropriately. In addition, the OIG notes that billing company compliance policies should address the methodology for resolving ambiguities in the provider’s paperwork.

The OIG also provides substantial detail on procedures that should be followed by the coding staff. For example, if the staff finds the physician’s documentation to be ambiguous or conflicting, they are to ask the physician for clarification. If the coder does not know how to code a particular bill, he or she should consult their supervisor and, if the question remains, the supervisor should contact the carrier/intermediary. The billing company is also directed to contact an authoritative coding organization, such as the Central Office on ICD-9-CM maintained by the American Hospital Association or the National Center for Health Statistics, when necessary.

1. Safeguards For Billing Companies That Do Not Provide Coding Services

The Billing Company Compliance Guidance emphasizes that billing companies that do not code bills should adopt policies requiring notification to the provider who is coding to implement and follow compliance safeguards with respect to documentation. Moreover, the billing company’s contractual agreement with providers should incorporate the provider’s agreement to address these coding compliance safeguards.

1. Special Arrangements Between The Billing Company And The Provider

Due to the unique relationship between the billing company and its client in the context of compliance, the OIG suggests a number of special arrangements that should be implemented. First, the billing company’s chief compliance officer is directed to closely coordinate his or her compliance functions with the provider’s chief compliance officer. Billing companies are also directed to consult with their provider clients in developing their training programs in order to ensure that a consistent message is being delivered and avoid any potential conflicts. Perhaps most important, the OIG recommends a comprehensive division of compliance obligations between the billing company and its client. Once these responsibilities have been delineated, the arrangement should be formalized in a written contract, enumerating those functions which are shared and those which are the sole obligation of either party.

2. Billing Company Reporting Requirements
1. Billing Company Misconduct

One of the most important features of the Billing Company Compliance Guidance involves the two types of reporting obligations faced by billing companies. First, the OIG describes those reporting obligations which relate to the billing company’s own misconduct. The standard here is very similar to the standard in the prior compliance program guidance documents. If credible evidence of misconduct by the billing company is discovered, and if, after reasonable inquiry, there is reason to believe the misconduct may violate criminal, civil or administrative law, the billing company should report the misconduct to the appropriate government authority, no more then 60 days after determining the evidence of such a violation is credible.

2. Client Misconduct

A very distinct standard applies to the billing company’s obligation to report when it uncovers potential client misconduct. The OIG specifically notes the billing company’s allegiance to its provider/client but emphasizes the billing company’s parallel obligation to comply with applicable federal and state laws and private payor program requirements. As a result, if a billing company finds evidence of client misconduct, the billing company should not submit questionable claims, and should notify the provider in writing within 30 days of such a determination. The notification should include all claim-specific information and the rationale for the determination.

If the billing company discovers "credible evidence of the provider’s continued misconduct or flagrant, fraudulent or abusive conduct" the billing company must (i) not submit any false or inappropriate claims; (ii) terminate the contract; and/or (iii) report the misconduct to appropriate authorities no more then 60 days after determining there is credible evidence of a violation (emphasis added). Therefore, the OIG has created a mechanism whereby the billing company is not necessarily required to report its client’s misconduct to the government although it has that option. However, the billing company should always refrain from submitting false or inappropriate claims. Moreover, if the billing company chooses not to report the provider’s misconduct to government authorities, the Billing Company Compliance Guidance directs the billing company to terminate its contract with a provider engaged in such misconduct.

These obviously will be difficult judgments to make and will have to be resolved on a case-specific basis. Throughout the Billing Company Compliance Guidance, as is often the case in the compliance program guidance documents, the OIG encourages the health care industry to consult with counsel to help determine the appropriate way to resolve compliance issues.

3. Inadvertent Errors Or Mistakes

It is important to note that the Billing Company Compliance Guidance specifically states that "misconduct does not include inadvertent errors or mistakes. Such errors should be reported through the normal channels with the applicable carrier, intermediary or other HCFA-designated payor." With regard to overpayments, the billing company is directed to provide "timely and accurate" reports to both the provider and the health care program concerning any overpayments.

3. Integrity Of Data

The Billing Company Compliance Guidance contains a number of provisions specifically relating to the protection of data integrity. There is an expanded new section which stipulates that the billing company should have a complete and accurate audit trail available at all times as well as a system to prevent the contamination of data by outside parties. This system is to include regularly scheduled virus checks, and billing companies are to ensure that the confidentiality of electronic data is protected against unauthorized access or disclosure. The billing company is further directed to implement some type of back-up mechanism, either by disk, tape or system, to ensure that no data is lost. The Billing Company Compliance Guidance also emphasizes that the chief compliance officer of the billing company must have the authority to stop the processing of problematic claims until all issues are resolved.

1. BROADLY APPLICABLE COMPLIANCE ISSUES
1. Outsourcing The Compliance Function

The Billing Company Compliance Guidance contains several provisions that expand or further clarify issues addressed in previous compliance guidance documents. First, there is explicit recognition in the Billing Company Compliance Guidance that the compliance function may be outsourced. The OIG goes so far as to point out that multiple small billing and coding facilities might contract with an individual to job-share compliance responsibilities.

2. Record Retention

In addition, there is a new requirement in the record retention section of the Billing Company Compliance Guidance stipulating that three, rather than two, types of records should be retained as part of the corporate compliance program. Now, compliance programs should also retain records listing the persons responsible for implementing each part of the compliance plan. This is in addition to the continuing requirements that (i) all records and documentation required by law or by private payors should be retained and (ii) all records necessary to confirm the effectiveness of the compliance program should be maintained as part of an organization’s corporate compliance efforts.

3. Consultant Certifications

There is also a new requirement in the Billing Company Compliance Guidance that all contracted consultants, in addition to all employees, should sign certifications reflecting their knowledge of, and commitment to, the company’s standards of conduct as set forth in the corporate compliance program. The OIG also recommends that this certification become part of the contract between the consultant and the company.

4. Use Of Statistical Data In Connection With Implementation

There is also increasing emphasis on the use of statistical data to implement the compliance program. For example, note the suggestion that the baseline audit include the frequency and percentile levels of CPT and HCPSC codes. Future audits should compare subsequent statistics to this baseline. Billing companies are also directed to track statistical data on claim rejection by code. The OIG also specifically recommends that a valid statistical sample of claims be reviewed annually both before and after billing is submitted.

5. Compliance As An Obligation Of Corporate Leadership And As A Long Term Process

Finally, there is an increased recognition in this particular document that the compliance process is ultimately the responsibility of high level officials within the organization, and the obligation is a continuing one. The OIG reiterates at several points throughout the Billing Company Compliance Guidance that it is incumbent on the company’s corporate leadership to ensure that sufficient compliance systems are in place to facilitate legal and ethical conduct. Moreover, the government will focus specifically on the words and actions of the company’s leadership when assessing the organization’s commitment to compliance. The Billing Company Compliance Guidance has a new section on continuing education. In this connection, billing companies are urged to consider publishing a monthly newsletter.

2. CONCLUSION

Corporate compliance is becoming an increasingly complex field, and it is likely that compliance programs will continue to be an important part of participation in the health care industry for the foreseeable future. Meanwhile, the OIG has put all providers on notice that it is not safe to wait for compliance guidance specifically directed at their particular specialty. The government expects the industry to implement effective compliance programs based on the guidance documents that are already available. The OIG’s latest compliance program guidance contains a number of provisions that will be very helpful to billing companies trying to implement an effective compliance program. In addition, the Billing Company Compliance Guidance also can be very instructive for other types of providers who bill for services themselves, such as hospitals. Moreover, the Billing Company Compliance Guidance will be particularly helpful for those providers who bill for services, and for whom specific compliance program guidance has not yet been issued, including physicians, physician group practices and long-term care facilities.

Please do not hesitate to contact Linda Baumann (609/514-5945 or 202/414-9488) or any other member of the Reed Smith health care group with whom you work if you would like additional information or if you have any questions.