A corporate compliance plan is a good start, but compliance obligations do not end with implementation.

HME suppliers are currently facing a significant number of legislative and regulatory initiatives that will require more and more sophistication. As a part of these legislative and regulatory changes, companies will be required to become accredited facilities, submit competitive bidding proposals, follow new quality standards, and adjust to new product documentation guidelines. As a result, HME providers are responding and becoming more sophisticated entities as these changes are implemented.

This increased complexity has spurred companies to adopt formal corporate compliance plans to address the large number of legal issues impacting the industry. It is important to remember, however, that implementing a corporate compliance plan is only the beginning. Once the plan is in place, you must continue to ensure that the compliance plan remains effective.

Continually monitor the compliance program to ensure that it does not need updating to reflect new laws or regulations, and to ensure that it contains up-to-date policies and procedures for compliance and HIPAA privacy and security guidelines. Perform routine self-audits to track the effectiveness of your compliance plan in preventing regulatory and legislative violations.

Compliance Plan Updating
For a corporate compliance plan to be effective, it must be updated on a regular basis. Therefore, depending on when a corporate compliance plan was implemented, you may need to review the terms of the plan and update certain provisions to reflect changes in the government’s position concerning fraud and abuse issues, reimbursement methodology, claims submission, and other compliance matters. In reviewing a corporate compliance plan to determine if it requires updating, a supplier should take note of:

• What was the implementation date of the corporate compliance plan? If the plan is more than 3 years old, review it to reflect changes in laws and regulations.

• Has your scope of practice changed since implementation of the compliance plan? Adding new product lines and/or specialties can trigger the need to change the corporate compliance plan. For example, adding pharmacy services to an existing DME company significantly increases the number of laws and regulations.  

• Are you following obligations under the corporate compliance plan to continually train employees? Most  plans contain an element requiring the staff to be trained on new compliance initiatives and developments in federal law. For this reason, you should aggressively pursue employee education and verify that the educational plans contain the most up-to-date information. In addition, all training efforts should be documented. If it is not documented, it did not happen.

• Is the corporate compliance officer in tune with regulatory changes in the health care industry? The officer’s role should include being proactive in tracking changes in the health care industry and to the compliance obligations of the entity. When the compliance officer identifies needed changes, make appropriate revisions to the corporate compliance manual and provide staff members with new pages for their manual—and educate them on the impact of these changes.

HIPAA Compliance Plan
After an initial push for health care providers to become HIPAA compliant, many companies have allowed HIPAA to fall off the radar. Be diligent in monitoring HIPAA compliance and in ensuring that employees continue to follow procedures set forth in your HIPAA compliance plan. Many companies fall into a trap of providing patients with a notice of privacy practices and having the patients sign an acknowledgment, but do little else to ensure compliance with the privacy regulations. The company privacy officer should be aware of HIPAA enforcement initiatives, changes to the HIPAA regulations, and the need to implement additional HIPAA procedures to comply with such changes.

Facility Policies and Procedures
Many suppliers do not have comprehensive policy and procedure manuals. Therefore, it is important to continually monitor matters related to employment practices, company harassment policies, confidentiality, and other day-to-day operational issues.

Designate an individual who will be responsible for monitoring legislative and regulatory changes that are relevant to the business’ operation. For example, changes to the Fair Labor Standards Act may impact what types of employees are exempt from overtime pay. Suppliers who do not monitor these changes run the risk of violating these regulations and could face stiff penalties if they do not adapt.

Self-Audits
Self-auditing and monitoring has many advantages and few disadvantages. The primary reason to conduct a self-audit is to illustrate the effectiveness of your corporate compliance program. In fact, the program guidance for DME companies issued by the Office of Inspector General strongly recommends that companies engage in regular auditing as part of their compliance programs.  

An effective internal audit process will become part of what the company does. It will become as much of a routine as filing or working denials.  

An effective audit procedure takes place periodically. The exact period is not crucial, but audits should occur at defined time intervals. Those intervals may be a week, a month, a quarter, or any other interval that makes sense for the company. At the very least, audits should be done annually.  

Also note that audit frequency is influenced by the scope of the audit. If the company audits only once per year, the audit will most likely have a large sample size. On the other hand, if audits are performed monthly, the number of items audited each month may be smaller.

More frequent audits have the advantage of allowing a company to quickly find and correct problems. This leads to earlier adoption of preventive measures that can help avoid a pattern of continued problems.

Whether audits are monthly, quarterly, or annually, be sure to address all risk areas. For example, if you are auditing monthly, the first month may audit completeness of physician’s orders. The second month’s audit may check for the existence of properly completed delivery tickets. The third month’s audit may investigate the proper use of modifiers. One way to ensure that all risk areas are audited is to develop checklists for the audit topics addressed in each audit.

Individuals Held Accountable
Individuals should be held accountable both for the performance of the audits and for the implementation of  any changes that result from the audits. In other words, performing audits should be a part of a manager’s job description, and should be an element in the manager’s annual review. Likewise, individual staff members should have as an element of their job descriptions and performance reviews the timely and thorough completion of any audits assigned to them.

Proper documentation of any audit must be maintained. Include the specific risk areas the audit addressed, the individuals performing the audit, the time frame of the audit, a description of the sample selected for auditing, a copy of the audit tool, the results of the audit, recommendations for changes to policies and procedures, specific changes that were in fact implemented as a result of the audit, and finally a subsequent reaudit to verify that the changes in policies and procedures were implemented.

In case of government scrutiny in the future, the government will assess whether the supplier developed a comprehensive audit based on identified risk areas and resources. If the supplier failed to develop an adequate audit program, favorable treatment will be less likely under its various enforcement authorities.

Clay Stribling, JD, is an attorney with the Health Care Group of Brown & Fortunato PC, an Amarillo, Tex-based law firm. Stribling represents DME companies, pharmacies, and other health care providers throughout the United States and Puerto Rico. He can be reached via e-mail: cstribling@bf-law.com.