With the government’s ever-increasing focus on health care fraud and abuse, and with whistleblower lawsuits at record levels, the need to ensure effective compliance with government health care laws and regulations has never been more crucial. Ambulatory surgery centers, in particular, are vulnerable to many fraud and abuse issues closely scrutinized by the government. The most effective way for a center to ensure that it complies with the current mass of health care laws and regulations is by constructing and implementing a compliance program. This article first explains what a compliance program is and why ambulatory surgery centers need them. It then explains how a center can design and implement an “effective compliance program,” as the federal government uses that term.

What is a Compliance Program?

A compliance program is a bundle of policies and procedures designed to identify legal and regulatory problems, correct identified deficiencies, and create a mechanism to prevent future problems. This program consists of two main parts: a compliance plan and standards of conduct. The compliance plan is the procedural element of the program discusses such procedural tasks as selecting a compliance officer or committee, designing corrective action procedures, training employees on the program, and monitoring its implementation. The standards of conduct are the substantive element of the program and consists of the regulatory “do’s and don’ts” for the center, describing appropriate conduct for the staff.

Why Do Ambulatory Surgery Centers Need Compliance Programs?

While it is disputed how much actual fraud and abuse exists in the health care industry, what is not questioned is the incredibly high priority the government places on this issue. One way to judge this is to look at government statistics on the number of current and pending fraud and abuse investigations. In 1999, the federal government won or negotiated more than $524 million in judgments and settlements in health care fraud and abuse cases and administrative proceedings. There were 2,278 civil matters pending in 1999, and Federal prosecutors also filed 371 criminal indictments in health care fraud and abuse cases — a 16% increase over 1998.

Whistleblower lawsuits are a specific category of fraud and abuse lawsuits under a federal statute called the Federal Civil False Claims Act. These whistleblower lawsuits, filed secretly under seal by individuals on behalf of the United States government, allege that government contractors (including Medicare, Medicaid, and other federal health care program providers) have filed “false claims” for payment with the United States. Once a whistleblower lawsuit is initiated, the government investigates the allegations. If it decides the case has merit, the government intervenes and prosecutes the case. The whistleblower gets a significant percentage of any total recovery – up to 30%, a fact that has led to an explosion in whistleblower False Claim Act cases. In a recent five year period, health care whistleblower lawsuits under the False Claims Act increased at a rate of 1,200 percent.

Whistleblower lawsuits traditionally were brought by disgruntled former employees. More and more, however, current employees and competitors are bringing these lawsuits. Ambulatory surgery centers are particularly vulnerable to whistleblower lawsuits in part because of the makeup of their employees. Nurses are the primary employees of an ambulatory surgery center. For a variety of reasons, nurses tend to be quite prominent among whistleblowers. One reason for this is the strong concept in nursing ethics about advocating for patients and reporting issues affecting them. Another is the historic tension between physicians and nurses, a tension which can lead to friction in ASC settings. Other times, staff members, whether nurses or other employees, have labor-related issues with an ASC, such as complaints of sexual harassment, discrimination, or worker safety, that motivate the filing of a whistleblower lawsuit.

Federal False Claims Act.

The Federal Civil False Claims Act is the primary law the government uses in fighting health care fraud and abuse. As indicated above, the False Claims Act makes it a civil violation to knowingly file a false claim in the federally funded health care programs. Every time a health care provider submits a claim for reimbursement under any of these programs, that provider is potentially within the ambit of the FCA. If the provider gives wrong or incomplete information on the reimbursement claim, the provider may be subject to penalties under this statute, even if the provider did not intend to give incorrect information and was simply reckless in completing it.

A strange feature of the FCA is that a provider does not even need to provide a false piece of information for the claim to be a false claim within the meaning of the FCA. Under an aggressive (and suspect) interpretation of the FCA, providers basically certify each time they file for reimbursement that they have done everything in connection with that service in compliance with all state and federal laws. Even issues that do not implicate the claim form itself, but that implicate a regulatory problem that somehow touched that service, can provide the government or a whistleblower with the opportunity to argue that the submission of the claim was inappropriate under the FCA.

What are the potential damages for FCA violations? The penalties for filing a false claim under the FCA are up to three times the claim amount. This can add up fast if a case involves dozens or hundreds of claims. But, in addition to this penalty, the FCA also provides for a hefty civil penalty of up to $10,000 per claim. The potential exposure for every $100 claim, then, is thus many multiples of that amount.

In addition to the monetary damages, a provider may be blacklisted – excluded from participating in the federally-funded health care programs, or being employed by or contracting with anyone who has anything to do with federally funded health care. You have a medical license but it’s essentially worthless; you have a certificate of need to operate an ambulatory surgery center, but you can’t use it in connection with a federal program.

Health Insurance Portability and Accountability Act.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), the largest single Congressional statement on health care fraud and abuse issues since the Medicare program was instituted in the early 1960s. The HIPAA is aimed at detecting and eliminating health care fraud and abuse. The HIPAA established the National Health Care Fraud and Abuse Control Program, which is designed to coordinate federal, state, and local law enforcement activities with respect to health care fraud and abuse. Under the HIPAA, Congress pledged a 15% annual increase in its fraud and abuse control budget from 1998 to 2003, taking the budget from $110 million to $335 million. This is a tremendous commitment on the part of the government. The HIPAA also indicated the government’s concern with all kinds of health care fraud and abuse issues, not only in terms of the federally-funded health care programs, but also in private plans.

Under the HIPAA, the government’s ability to exclude providers was extended in dramatic (and a scary) fashion. The HIPAA permits the government to exclude managers and officers of a health care entity based on the organization’s misconduct, even if they had no knowledge of and did not participate in the wrongdoing. Such an exclusion prevents these individuals from having any relationship with any health care entity that provides items or services to federally funded health care programs.

Areas of Vulnerability for Ambulatory Surgery Centers

So in what ways are ambulatory surgery centers susceptible to fraud and abuse issues? There are four broad areas of vulnerability for these centers:

(1) Billing and Coding. These issues are among the most important to the government. For example, the government is concerned with “unbundling of services” — submitting claims to federally-funded health care programs for several component services instead of one comprehensive service. Another area of concern is submitting a claim for non-covered services by claiming that they were covered services. A center may also be vulnerable when it submits claims for medical services not listed in the CPT system, for example, recently-developed surgical procedures, using codes for different services that have been assigned a CPT code. If the center submits the claim under the most closely-analogous CPT code (rather than an “unlisted” code), it might be accused of filling a false claim — even though close, the procedure provided is not exactly what is described by the CPT code used.

Many other billing or coding problems can occur. Procedures originally scheduled may be terminated or altered at the time of the surgery. If coding is performed on the basis of the scheduled procedure, errors are inevitable. Similarly, if a center bills on a surgeon’s charge sheet, instead of dictated operative reports, the accuracy of the center’s billing is dependent on the coding knowledge of the surgeon. Given how variable that knowledge is, a system that depends on the surgeon alone is ripe with coding risk.

(2) Anti-kickback Issues. Ambulatory surgery centers are also vulnerable to federal anti-kickback issues. A big anti-kickback area of concern for ambulatory surgery centers is physician investment interests. The government does not want the investment terms or any financial return based on the volume of past or future patient referrals. The physician and the center must separate up front their financial relationship from their referral relationship. The government wants physicians who have an investment interest in the center to receive most of their total income from the surgical services they perform.

Centers are also vulnerable to other, more ancillary financial arrangements that can become vehicles for kickbacks For example, the government may scrutinize situations where physicians rent equipment to the center or lease land to the center. Other situations may be where a center gives a physician free space for non-surgical services or loans staff members to the physician for non-surgical services. The fair market value of these services should be set in advance to avoid any potential anti-kickback violations and the relationships should be made to comply with the applicable anti-kickback safe harbors.

(3) Beneficiary Inducements. Ambulatory surgery centers are also vulnerable to beneficiary inducement issues. Under the HIPAA, a medical provider cannot give anything to a patient which the provider knew, or should have known, would effect the patient’s choice of federal program providers. This is particularly a problem if what is given to patients is part of a marketing strategy. Areas of vulnerability may include such seemingly innocent items as providing free transportation to and from the center, where the idea is to transport patients safely from outlying areas. Other possible issues include providing hotel rooms the night before a procedure for patients who live far from the center. Beneficiary inducements are particularly likely to be problems when the items are not of “nominal value,” a term not defined by the government.

Under HIPAA, the government is concerned with the effect the services or courtesy has on the patient, not with what the center intended by the offer. A center can innocently intend to provide such courtesies to patients, but the center will be in trouble if it knew or should have known that the offer would affect a patient’s choice of provider.

(4) Advertisements. Ambulatory surgery centers are also vulnerable in connection with any advertising they do, particularly when they advertise customer courtesies. Centers can be sure that their advertisements will be closely scrutinized by not only the government, but by competitors looking for potential kickback violations. The government may presume that the advertisement will affect a patent’s provider choice if the provider is advertising beneficiary inducements.

How Does an Ambulatory Surgery Center Implement a Compliance Program?

A compliance program will reduce the regulatory risks that stem from operating an ambulatory surgery center. Additionally, under the United States Sentencing Guidelines, the government will consider the implementation of an effective compliance program as a mitigating factor in sentencing defendant providers. These sentencing guidelines provide seven requirements for an effective compliance program. Those requirements are selecting a compliance officer or compliance committee, taking corrective action procedures, drafting standards of conduct, implementing a training program, having a disciplinary procedure, screening employees and contractors, and reauditing the center and monitoring the program.

Once an ambulatory surgery center has decided to construct and implement a compliance program, there are several practical steps the center should take in order to ensure effectiveness:

(1) Build support for the program. Before a center launches into a compliance program, it should make sure the staff is on board. This simple step often gets missed – someone in authority hears about all the terrible things the government is doing and feverishly writes a compliance plan. The staff’s response will be, “What is this? I have to read all this and change the way I’ve done everything?” This often leads to the program being ignored and falling by the wayside. There is a danger in implementing a compliance program and not following through: in the event of an audit, the center has essentially said, “We knew what the right thing to do was, but we didn’t do anything about it.” This is worse than having no plan at all.

(2) Select a compliance officer and/or compliance committee. As early as possible, the center should designate a compliance officer or compliance committee charged with the responsibility for managing and directing the compliance program. The best individuals to do this come from within the center itself. A center should avoid hiring third parties such as attorneys or consultants where it is essentially purchasing an end product. When third parties are used, the product seems to be more the attorneys’ or the consultants’ creation, and it may not accurately reflect the way the center operates. The center staff, who have to be comfortable with the compliance program, will also feel little sense of ownership in or involvement with the program.

Should the center pick a single compliance officer or designate a compliance committee? Both approaches have advantages; a good idea may be to use a compliance officer in conjunction with a compliance committee in support of the officer. One advantage of a compliance officer is that when one person is given clear responsibility, he or she can more readily take decisive action. Also, having one individual in charge of the program “puts a face” on the program.

On the other hand, where a compliance officer may be overwhelmed by the program’s responsibilities, a committee can spread out the commitments. Having a compliance committee also reduces the potential effect of any personality conflicts between the compliance officer and any particular staff member. Use of a committee approach also avoids the program being seen in a manner that reflects the singular perspective of this compliance officer. A committee also allows for representation from different elements and departments within the center, which will help ensure that the center does not ignore the issues or concerns of any particular group. Generally, a compliance committee should have no more than five members — more than five becomes unwieldy and makes it difficult for the committee to focus on the issues before it.

What traits does a good compliance officer have? The most important is good judgment. The compliance officer should also be approachable — part of what a center gets out of a compliance program is a reduced chance of internal whistleblowers, who often complain that no one wanted to hear their problems. The compliance officer should be diplomatic, but be able to take a stand. The compliance officer must be in the words of a good kindergarten teacher “able to work well and play well with others,” and should also represent and be respected by core constituencies within the center.

The compliance officer should be picked close to the beginning of the process to better take advantage of the unique learning and training experience that comes from the formative stages of the program. By seeing the process from planning to application, the compliance officer will better understand the product by having participated in the entire decision-making process. He or she will have taken the general requirements for an effective compliance program and turned them into meaningful and specific actions that fit the operational realities of the center. The longer compliance officers wait to get involved, the more training will be needed to get them up to speed.

(3) Conduct baseline audit. Once the center chooses a compliance officer, it should conduct a baseline audit. A baseline audit is a review of various center documents and policies with the goal of getting a factual basis for determining what its compliance problems are. A center cannot meaningfully address its problems in a compliance plan and standards of conduct until it knows what those problems are. Rather than write about things that are not problems, causing a waste of time and effort addressing non-issues that do not appreciably reduce the center’s compliance risk, the center should take a good hard look at itself, figure out where its problems are, and focus its efforts there.

There are several audit methods which a center should consider using when conducting a baseline audit. A good audit, like good government, should have “checks and balances” – the center should use several overlapping audit methods to avoid forming inaccurate or incomplete perceptions of its compliance in a given area. Taken together in combination, differing audit methods provide a result most calculated to get an accurate view.

One audit method is a desk audit, which is a paper review of the most important documents that address how the center operates. A desk audit should focus on documents that the government would likely ask for in an investigation of the center. In a desk audit, the auditor should look for organizational and operational problems in such records as profit/loss distributions, financial relationships such as buy/sell documents for investment interests, lease arrangements between physicians and the center, utilization reports, billing summaries, billing denials, incident reports, and quality assurance committee notes.

A second audit method is interviewing staff members to gather their thoughts on compliance problem areas. Interviews are an effective audit tool because they elicit input from those within the center often in the best position to identify problems. In addition, this method of communication will help remedy the most common complaint of staff members bringing whistleblower lawsuits, that no one wanted to hear their concerns.

A third audit method is a walk-through of the regular patient process. This audit follows the paper trail from check-in and completion of preliminary forms, through the procedure itself, to coding and billing, denial, and rebilling on denial. A walk-through looks to see if the center’s system, as expressed on paper, actually works in practice.

Another audit method is a chart audit, which is a comparison of the documentation of the service itself to the billing and coding of the service. Obviously, this is an important component of any compliance review and should capture the range of services provided by the center as well as the range of individual surgeons performing services there.

What types of issues should be addressed during the audit? An auditor should pay close attention to issues under the Federal False Claims Act, federal anti-kickback statutes, and the HIPAA. In addition, other important but less traditional issues to focus on include basic patient risk management/malpractice issues; employment law issues such as racial or sexual discrimination; OSHA, workmen’s compensation, advertising and marketing issues; and Controlled Substance Abuse Act restrictions.

(4) Take corrective action. Once the center has uncovered its problem areas in the baseline audit, it should take corrective actions to fix them. The first step is to determine solutions and prepare a list of actions to be taken to remedy the problems. The center should then commit those issues to specific individuals — there is a natural inclination among busy people with busy schedules to assume that if they do not have specific assignments, someone else will address the problems. The center should also set specific target completion deadlines. Otherwise, even if an individual has a specific assignment, the task may be pushed off or forgotten. A center does not want to have to explain to a government regulator that it knew about a problem, but just has not gotten around to fixing it.

Once the problems have been fixed, the center must explain the solution and new policy to the relevant people within the organization. This means publishing a written policy making the expectations clear, training on the policy, and monitoring its implementation. Remember – the only thing worse than not having a compliance program is having one but not following through on it.

(5) Write the standards of conduct. After the center has corrected its problem areas, it can now address the substantive part of the program — drafting the standards of conduct. The standards of conduct are the regulatory “do’s and don’ts” for the center staff. There are a few basic rule to keep in mind in writing the standards of conduct. The overall theme here is “keep it simple.” Hundreds of pages of narrative (or anything close to that) will be useless. The center should not begin writing its standards of conduct until it performs the baseline audit; otherwise, it will waste time and lose focus addressing issues that are simply not problems.

The standards should be clear and concise, should specifically target the problem areas, and should provide direction briefly and succinctly. The provisions on ethical and legal expectations should be written as mandatory requirements. The center should also keep its primary audience, the staff, in mind. The staff is likely very diverse in terms of knowledge and sophistication, and the standards must be useful to everyone.

And don’t forget the unseen audience – the government. The center should avoid simply putting its name on an off-the-shelf product; in the event of an investigation or audit, the government will think the center is not serious about compliance. The standards should also not be overly ambitious and promise more than they can deliver. The government can be critical of a center’s compliance efforts if it has made commitments it has not lived up to.

(6) Train employees. Once the standards of conduct have been written and distributed, the center should train its staff members on their obligations and duties under the standards of conduct and the compliance plan. They should be informed of any new policies that have been implemented as a result of the program. The staff also should be given information about any important regulatory issues that have developed.

(7) Monitor and reaudit. At this point, the compliance program is up and running. How does a center determine whether the program is working in practice? And how does a center ensure that it can identify, investigate, and correct new potentially unlawful or unethical practices? A mechanism to ensure that these items are addressed is conducting periodic reaudits.

How often should a center reaudit? This depends on the severity of the baseline findings – possibly every quarter, every six months, or every year. Generally, the best system provides for frequent but limited audits. This helps avoid the “out of sight, out of mind” mentality and keeps center staff attentive on compliance issues. This approach also avoids overwhelming the compliance officer or the committee. Depending on the size and resources of your center, the review of five or more services per month would be a very reasonable level of monitoring. In addition, the center should consider arranging for a periodic, independent audit to validate its internal audit findings. This two-tiered defense is strong in the event of a False Claims Act allegation.

There also should be a mechanism for staff, patients, and others to report concerns, and to do so anonymously, if they choose. This can be done easily with a “suggestion box” or with a voice mail telephone “hotline.” On-going feedback in the form of these kinds of tips is very important in identifying problems as they occur. Staff should be required to report any concerns immediately as part of the compliance program. It is absolutely essential that the program also state that the center will not tolerate any retaliatory action against a person making a report in good faith.

Conclusion

Implementing an effective compliance program is an excellent way for an ambulatory surgery center to manage the mounting regulatory and legal risks of operating such a center. It is well worth the time and effort.