In a previous article I identified for you the Office of the Inspector General’s recommended core elements for establishing a compliance program. Let’s quickly review them and then we will take a closer look at what they mean for your dental practice.
- Conducting internal monitoring and auditing through the performance of periodic audits
- Implementing compliance and practice standards through the development of written standards and procedures.
- Designating a compliance officer or compliance contacts to monitor compliance efforts and enforce practice standards.
- Conducting appropriate training and education on practice standards and procedures.
- Responding appropriately to detected violations through the investigation of allegations and the disclosure of incidents to appropriate Government entities.
- Developing open lines of communication to keep practice employees updated regarding compliance activities. Non-retaliation policy.
- Enforcing disciplinary standards through well-publicized guidelines.
Internal monitoring and auditing means you will need to formally ‘police’ yourself or continually review every facet of your practice from Infection Control practices to clinical documentation to how, when and what you bill and even how you handle credit balances. You will need to verify what your practice is doing right and what you are doing wrong. If you have followed me for any length of time you know that one of my mantras is, “If it is not written, it did not happen.” Not only do you need to police your practice – you need to show that you did it and what you evaluated in order to demonstrate your efforts were “reasonably effective” (a concept will explore in another article).
Development of written standards and procedures means you need to have written ‘crime’ prevention or compliance plans that address the areas within your practice where there is a risk for rule breaking, whether intentional or unintentional. Your need to have a rule book for you and your staff to follow. Depending on your business model, patient population, and other factors this could mean that your practice will need a policy manual the size of a metropolitan phone book (those are large books of phone numbers that people used to look up phone numbers in a time before Google for you younger dentists).
The rule book(s) need to address everything from clinical documentation to billing practices, to how your office complies with Infection Control recommendations and OSHA mandates, how your practice complies with HIPAA, and, of course, how our practice fulfills each of these seven compliance elements.
These policies and procedures cannot be yet another three-ring binder of papers, policies you never read and do not maintain, rather these policies need to be the backbone or reference point for everything that happens in your practice. They can outline everything from how your office phone is answered to how payments are posted, how patients are admitted/ discharged (even terminated). This should be the holy book of your practice operation.
Designating a compliance officer means that someone high in your organization needs to bear the responsibility for overseeing compliance with state and federal regulations in your practice, someone who reports to the CEO directly. If you operate a small dental practice this may be you or your spouse. If you work in a larger dental organization this may be a full-time employee, even a full-time department of employees who oversee the organizations procedures to ensure everyone plays by the rules. The compliance officer must be someone in authority to make sure that non-compliant situations and activities are swiftly brought into compliance. The compliance officer is an organizations’ lifeguard, police officer and high school principal rolled in one.
The training and education element means that once you have compliance standard, policies and procedures in place you teach your employees what your practice does (or what the practice does not do) in order to ensure compliance with the law and run a lawful practice. Remember my mantra, “If it is not written, it did not happen.” You need to be able to demonstrate that you not only trained your employees, but that they understood the training.
To address the fifth element of responding appropriately to detected violations you must be able to demonstrate that someone did something swift and certain to correct something that was being done incorrectly, regardless of that persons intent (accidental or intentional). The act of breaking a rule or law can, itself, be bad, but knowing about it and failing to correct it (i.e. updating billing code sets, returning monies paid that you should not have been paid) are the point at which your liability increases dramatically. From the time violation of the law is detected providers generally have 60 days to refund overpayments (monies paid, but not earned) without incurring liability.
I can hear some of you thinking, “why should I bother to search for and actively attempt to uncover compliance issues if it will set a timer for me to incur liability?” My answer is quite simple, it is like being between a rock and a hard place, you are damned if you do and damned if you don't. However, you may be more damned if you don’t.
If you look at every criminal case where dentists went to prison for fraud it was because they stuck their heads in the sand (either knowingly or unknowingly) and never identified the issues that ultimately landed them in prison. If they had had effective compliance programs in their practices it is possible that they would have identified the issues and could have corrected them. Though they would likely have had to pay money back it would have looked better for them and it would have fulfilled the government’s expectation as outlined in element one.
The sixth element involves having open lines of communication to keep your employees ‘in-the-know’ about changes within your operation, changes to your policies and procedures and evolved expectations. This element also requires you to provide your employees a means to express concerns and bring to your attention compliance issues that may arise within your practice. Frankly, you want your employees to bring their concerns to you with the expectation that you will do something about it. It is always better employees express their concerns to you rather than regulatory and investigative agencies. You need to not only encourage them to come forward, but you need to motivate and even incentivize them to bring their concerns to your attention.
Lastly, you have completed a baseline audit of your compliance efforts and risk areas. You have created policies and procedures to address risk areas within your practice. You have appointed a compliance officer to oversee your dental operation. You trained your employees on your policies, procedures, Code of Conduct, and overall performance expectations. You corrected several compliance issues within your practice. You created a ‘safe’ mechanism for employees to voice their concerns, and you made your position of non-retaliation clear to everyone (internally and externally). Now, it is time to prove you mean business.
When someone brings a concern to your attention, you investigate the concern to see if there is any merit to it. You quickly realize there is merit. In fact, you even discover the problem has occurred for several months. For illustrative purposes we will say the concern is a HIPAA violation. One of your employees routinely realized she has been sending dental records to other dental offices without the patient’s written authorization to do so (outside situations where she is authorized).
In this situation you have to enforce your disciplinary standards. If you previously trained the employee that she is not allowed to send patient records (PHI) to other practices without a written authorization and she did so anyway you need to determine what information was sent, to whom the information sent, and whether it actually received by the intended receiver? Then, you need to determine whether there is “greater than a low probability” the unauthorized disclosure of information was harmful to the affected patient.
In this situation it may well be appropriate to require that the employee participate in remedial HIPAA training. If the violations were committed knowingly or intentionally then it may be correct to issue disciplinary action to the employee in addition to the remedial training. In any event you need a paper trail to show that you responded to the incident and reinforced your standards. Enforcing disciplinary standards does not necessarily need to be a punitive response.
A primary goal of any compliance program should be to foster a culture of compliance as a means to better the organization. When implemented and portrayed as a positive change from an organization’s top leadership a compliance program can be valuable asset. If portrayed as a punitive, negative change it will be received as such by your staff, so be careful and control any negative emotions you may have about constructing and implementing your compliance program.