Managed Care Fraud and Abuse Compliance Guidelines

I. Introduction

The United States spends more than $1 trillion each year on healthcare, representing approximately 15 percent of the gross national product. The proportion of annual health care expenditures lost to fraud and abuse remains unknown because such losses have not been systemically measured. However, recent Medicare studies undertaken by the Office of Inspector General, U.S. Department of Health and Human Services, estimate that losses to fraud and abuse may exceed 10 percent of annual health care spending. Since 1992, when health care reform emerged as a matter of national debate, the issue of fraud control has received much attention. Today, health care fraud prevention and detection remains a top priority of the U.S. Department of Justice, with criminal convictions in 1997 increasing threefold over the 1992 total (Sparrow, 1998).

In Texas, the Comptroller of Public Accounts conducted a measurement of fraud, abuse, and waste in three publicly funded health programs: the Texas Medicaid program, the workers’ compensation program, and the Employee Retirement System. The study, which covered acute care services to Medicaid recipients in Texas, was completed in December 1998. The State Auditor’s Office and the Comptroller’s Office collectively agreed that, as a result of the study, questionable claims in the acute care program of Medicaid amount to between 6% and 6.8% of all claims filed. These percentages translate to between $143 million and $162 million in Medicaid spending when applied to estimated fiscal year 1996 spending levels.

The issue of preventing and detecting fraud and abuse in health care is a top priority for the state of Texas. In June 1997, Governor George Bush signed into law Senate Bill 30, an Act relating to fraud and improper payments under the state Medicaid program and to the creation of a criminal offense; providing penalties.
Some of the provisions of Senate Bill 30 are as follows:

The creation of the Office of Investigation and Enforcement;
Mandated Medicaid fraud and abuse training for all Medicaid providers;
The development and implementation of a fraud detection computer network, i.e., the Medicaid Fraud and Abuse Detection System (MFADS).

The Senate Bill, at section 2.05, section 16A, article 4413 (502), included specific requirements for managed care organizations to read as follows:[1]

A managed care organization that contracts with the state to provide or arrange to provide healthcare benefits or services to Medicaid eligible individuals shall:

Report to the commission or the state’s Medicaid claims administrator, as appropriate, all information required by commission rule, including information to set rates, detect fraud, neglect, and physical abuse, and ensure quality of care;
Not later than 30 days after execution of the contract, develop and submit to the operating agency for approval by the commission a plan for preventing, detecting, and reporting fraud and abuse that conforms to guidelines developed by the operating agency with assistance from the commission and the office of the attorney general;
Require the managed care organization to report any known or suspected act of fraud and abuse to the operating agency for referral to the commission for investigation;
Require that each contract between the managed care organization and the state contain provisions:
  Stating that the information provided by a managed care organization under this section may be used as necessary to detect fraud and abuse;
  Specifying the responsibilities of the managed care organization in reducing fraud and abuse; and
  Authorizing specific penalties for failure to provide information required by commission rules.

[1] This does not include all the subsections of Senate Bill 30; please review the final enrolled version of the Senate Bill for a complete review.
The signing into law of Senate Bill 30 was a continuing effort to control the costs of, and improve the quality of and access to, healthcare services in the State. In 1995, the Texas Legislature passed Senate Bill 10 to enact a comprehensive restructuring of Medicaid, incorporating a managed care delivery system (HHSC, 1999). In 1995 it was common to hear government and industry commentators predict that the implementation of managed care would control or eliminate fraud and abuse in the health care industry. The assumption was that the managed care payment arrangements, such as capitation, would eliminate the incentive to bill for services that were not delivered or not necessary.

In 1993, Texas implemented two Medicaid managed care pilot programs and has continued an ongoing statewide expansion of Medicaid managed care. In spite of the expansion of managed care, Texas spent $10 billion for Medicaid payments and, for the same period, the Comptroller of Public Accounts and the State Auditor estimated losses to fraud, abuse, or waste between $143 million and $162 million.

The 76th Texas Legislature also enacted anti-fraud and abuse language as part of SB 445, the enabling statute for the Children’s Health Insurance Program (CHIP). Section 62.058 requires HHSC to develop and implement rules for the prevention and detection of fraud in the CHIP program. In anticipation of those rules, HHSC is providing these compliance guidelines as well as an accompanying template for use by health plans that contract to provide health care coverage to CHIP-eligible children.

The compliance guidelines outlined in this document are designed to assist the managed care organization in the establishment of a culture within the organization that promotes the prevention, the detection, and the resolution of instances of conduct that do not conform to Federal and State law or healthcare program requirements.
It is the responsibility of the managed care organization’s officers and managers to provide ethical leadership to the organization and to ensure adequate resources are available and in place to facilitate and promote ethical and legal conduct. Implementing an effective compliance program requires a substantial commitment of time, energy and resources by the senior management and the managed care organization’s governing body. Superficial programs that simply purport to comply with the compliance guidance discussed in this document, or programs quickly developed and implemented without appropriate ongoing monitoring, will likely be ineffective and could expose the organization to greater liability than not having a program. Although an effective compliance program may require significant additional resources or a reallocation of existing resources, the long-term benefits of implementing such a program significantly outweigh the costs (OIG, 1999).

II. Benefits of a Compliance Program

The Texas Health and Human Services Commission believes an effective compliance program provides a mechanism that brings the public and private sectors together to reach the mutual goals of reducing healthcare fraud and abuse, improving operational quality, and improving the quality of healthcare, while reducing healthcare costs. Furthermore, in addition to fulfilling its legal duty to ensure that it is not submitting false or inaccurate information to the State or providing substandard care to Children’s Health Insurance Program (CHIP) beneficiaries, a CHIP organization may gain additional benefits by implementing an effective compliance program.
These benefits may include:

The development of effective internal controls to ensure compliance with Federal and State regulations and internal guidelines;
Improved collaboration, communication and cooperation between healthcare providers and the CHIP managed care organization;
Improved communication with and satisfaction of CHIP managed care enrollees;
The ability to react promptly and accurately to employees’ compliance concerns and the capability to effectively use resources to address those concerns;
A demonstration to the employees and the community of the organization’s strong commitment to honest and responsible corporate conduct;
The ability to obtain an accurate assessment of employee and contractor behavior relating to fraud and abuse;
Improved clinical and non-clinical quality of care and service;
Improved auditing and monitoring tools that could have a positive effect on many or all of the organization’s divisions or departments;
Increased likelihood of identification and prevention of illegal and unethical conduct;
A centralized source for distributing information on healthcare statutes, regulations and other program directives related to fraud and abuse;
A corporate environment that encourages employees and healthcare providers to report potential problems;
Procedures that allow the prompt, responsible and thorough investigation of possible misconduct by corporate officers, managers, employees and independent contractors.

In summary, the State believes that an effective compliance program is a prudent business investment that has the potential of enhancing the efficiency and effectiveness of the CHIP managed care organization. It may also improve the organization’s financial structure by identifying not only fraud and abuse concerns, but also efficiency and productivity concerns in other operational areas. The HHSC recognizes the implementation of an effective compliance program may not completely eliminate fraud, abuse and waste from an organization.
However, a sincere effort by the organization to comply with applicable Federal and State standards, through the establishment of an effective compliance program, significantly reduces the probability of unlawful and/or unethical conduct.

III. Application of Compliance Program Guidelines

Before outlining the specific elements of a compliance program, it is important to emphasize several aspects of this document. First, it should be understood that this program development guidance is voluntary. Although this document provides a basic structural design for a compliance program, it is not in itself a compliance program. Rather, it is a set of guidelines for consideration by a CHIP managed care organization interested in obtaining specific information on implementing a compliance program. This guidance represents the OIG’s and HHSC’s suggestions on how an organization can establish internal controls and monitor company conduct to detect, correct and prevent fraudulent activities. It is important for the organization to assess its own organization and determine its needs concerning compliance with applicable Federal and State statutes, and Federal and State healthcare program requirements. The OIG and the HHSC strongly encourage organizations to develop and implement compliance components that uniquely address the individual organization’s risk areas. As appropriate, this guidance may be modified and expanded as more information and knowledge is obtained by the HHSC and the OIG, and as changes in the law, and in the rules, policies and procedures of the Federal and State plans occur.[2]

IV. Compliance Program Guidelines

1. Development and distribution of written standards of conduct and written policies and procedures that promote the organization's commitment to compliance and that address specific risk areas.
This is to include, but is not limited to, the following recommendations:

Identify specific areas of organizational concern: conduct a comprehensive self-administered risk analysis or contract for an independent risk analysis by an experienced health care professional;
Policies and procedures are to be distributed to all affected individuals. The organization's compliance manual is to be distributed to its health care providers;
The organization's standard of conduct must clearly delineate senior management's commitment to compliance.

Policies and procedures in the following risk areas:

Benefits & beneficiary protections;
Quality assurance;
Solvency, licensure, and other state regulatory issues;
Claims processing;
Appeals & grievance procedures;
Marketing materials & personnel;
Underutilization and quality of care;
Data collection & submission;
Anti-kickback statute & other financial inducements;
Enrollment & disenrollment;
Distribution, retention, storage, retrieval and destruction of documents;
Corporate compliance programs should require that the promotion of, and adherence to, the elements of the organization’s compliance program be a factor in the evaluation of the performance of all employees.

[2] Source: The OIG’s draft compliance plan guidance for Medicare+Choice organizations.

2. Designation of a chief compliance officer and/or other appropriate individual or individuals, e.g., a corporate compliance committee, charged with the responsibility of operating and monitoring the compliance program and who report directly to the CEO and/or governing body.
The compliance officer should have direct access to the organization's governing body, the CEO and all other senior management, and legal counsel;
The compliance officer must have the authority to review all documents and other information that are relevant to compliance activities;
The compliance officer should have sufficient funding and staff to fully perform his/her duties;
A compliance committee should be established to advise the compliance officer and to assist in implementation of the compliance program.

3. Development and implementation of regular effective education and training programs for all affected employees.

All employees should be required to attend annual training that emphasizes the organization's commitment to Federal and State statutes and requirements;
Individuals involved in risk areas should have additional specialized training;
Employees should be required to have a minimum number of hours of educational training as deemed appropriate to their employment responsibilities;
All training materials should be designed to include the skills, knowledge, experience and cultural diversity of the individual trainees;
An evaluation method should be used to determine the success of the training;
The organization should disseminate compliance information on an ongoing basis, e.g., a monthly newsletter or website.

4. The organization should develop effective lines of communication between the compliance officer and all employees.
An organization should have in place a hotline or another mechanism for employees, enrollees, or other parties to report potential or suspected violations of the Federal or the State health care program or contractual requirements or of the organization's compliance policies;
The compliance officer should maintain a log to record calls, nature of the investigation, and the outcome;
The compliance officer should develop and encourage routine communication with his/her employees, with the organization's enrollees, and with healthcare providers;
The organization should develop and distribute to all employees, enrollees, and providers, written confidentiality and non-retaliation policies that encourage the communication and reporting of suspected or potential violations. The policies should explicitly communicate that there may be a point in the investigation where an individual's identity may become known or may have to be revealed.

5. The organization should implement and use audits or other risk evaluation techniques to monitor compliance and assist in the reduction of identified problem areas.

The compliance officer should develop and maintain reports of suspected noncompliance and an evaluation of the compliance program. The reports should be reviewed by the senior management and the compliance committee on a regular basis;
The organization should perform regular, periodic compliance audits by internal or external auditors. Develop monitoring techniques that allow for review of variations from an established baseline or control chart parameter.

6. There should be development and implementation of disciplinary mechanisms that consistently enforce the standards and the development of policies addressing dealings with sanctioned and other specified individuals.
The organization should have policies regarding disciplinary action for all employees who have failed to comply with the organization's standard of conduct, policies and procedures, contract requirements, Federal and/or State laws, or those who have engaged in otherwise illegal or unethical conduct;
The organization should have a policy that prohibits the employment of or contracting with individuals or entities who have been convicted of a criminal offense related to healthcare or who are listed as ineligible to participate in Federally or State funded healthcare programs.

7. Policies and procedures should be developed to respond to detected offenses and to initiate corrective action to prevent similar offenses.

The organization has a specific and detailed procedure for the compliance officer, senior management, and employees to follow when reporting and investigating program violations to include, but not limited to, the following:
  Internal investigation procedures for interviews and review of relevant documents;
  Investigation documentation that includes the alleged violation, a description of the investigative process, copies of interview notes, a log of witnesses interviewed and documents reviewed, and the results of the investigation, e.g., any disciplinary action taken and any corrective action implemented.
The organization has a policy to report any confirmed or suspected violations to the Provider Sanctions Unit of the Texas Health and Human Services Commission within a reasonable period, but not more than 60 days after determining that there is credible evidence of a violation (OIG, 1999);
The organization has a policy and procedure to report all fraud and abuse enforcement actions or investigations involving the organization and/or any of its subcontractors by any state or federal agency. See Title XVIII or Title XIX of the Social Security Act or any Texas State law or regulation.