BY: GORDON BURNSIDE
Fraud used to be a minor problem in hospital administration. But as healthcare organizations have grown large and complex, employing thousands of employees and contracting for services with hundreds of vendors, opportunities for cheating have grown as well.
As a result, healthcare has become, like banking and aerospace, a field closely regulated by the federal government. This is especially true for healthcare organizations that offer managed care to Medicare and Medicaid recipients. But federal regulation of healthcare is so new that few such organizations have experience in dealing with it. To help unwary organizations avoid possible prosecution for fraud, the Healthcare Financial Management Association included in its October 1998 Managed Care Institute a panel discussion on corporate compliance.
Joseph N. Steakley, vice president, internal audit, Columbia/HCA, Nashville, TN, set the discussion's tone by reminding the audience that several of his company's organizations are currently defending themselves against federal fraud charges. "But this is just the beginning," he said. "I assure you that the government is only now scratching the surface so far as compliance issues are concerned."
"Government now sees healthcare fraud and abuse as second only to violent crime as an enforcement problem," added J. Frank Nitto, a principal of LN & Associates, a Lafayette, CA, consulting firm that specializes in compliance problems. Government's heightened interest in healthcare flows from the fact that Medicare and Medicaid now provide health insurance for 25 percent of the U.S. population and involve billions of taxpayer dollars, Nitto said. "In 1997 the government found that 14 percent of Medicare and Medicaid claims had errors," he continued. "The trouble is that the government tends not to believe in 'errors' — it sees this as a criminal problem."
What Is the Government Looking For?
Bryan D. Daly, a former federal prosecutor, said the coming of managed care has changed the nature of healthcare fraud. Under fee-for-service care, fraud usually involved charging the payer for unneeded services, said Daly, now a partner in Beck, DeCordo, Daly, Barrera, & Oh, a Los Angeles law firm. Under managed care, however, fraud typically involves withholding needed services. Along with underutilization of services, Daly said, federal investigators are on the lookout for:
- Marketing violations (e.g., a managed care organization's sales force misrepresents the availability of services)
- Cherry picking (e.g., an organization encourages only healthy people to enroll in its plan)
- Undercapitalization (e.g., an organization knowingly has insufficient money with which to pay its providers)
- Kickbacks (e.g., a provider pays the organization to avoid referrals of unhealthy patients)
- False encounter data (e.g., a provider claims payment from the organization for treating fictitious patients)
- Subcontractor fraud issues (e.g., an organization defrauded by a subcontractor tries to dodge bad publicity by refusing to report the fraud, sweeping it under the rug and making it possible for the subcontractor to cheat others)
- Long-term care issues (e.g., an organization, having offered long-term care as part of a capitated plan, then makes it difficult for beneficiaries to actually get the care)
Necessity of Compliance Programs
Steakley, Nitto, and Daly agreed that all healthcare organizations should develop corporate compliance programs, if only to serve as "firewalls" against possible fraud charges. Daly urged them to adapt the model program published in February 1998 by the Department of Health and Human Services' Office of Inspector General (OIG). Nitto reminded the audience that the OIG's model program, though voluntary for fee-for-service organizations, is mandatory for managed care ones.
Kimberley A. Dunne, assistant U.S. attorney, central California district, Los Angeles, warned, however, that simply having a compliance program will not "insulate" a healthcare organization from possible federal investigations. "But an organization that actually follows its program will stay within the law. You can't ask for better legal protection than that," she said.
Daly, who used to work with Dunne in the U.S. attorney's Los Angeles office, offered healthcare administrators seven guidelines for an effective compliance program:
- Fashion your program as a set of clearly written rules and make them available to every employee and subcontractor. You may want to require your employees and subcontractors to sign certificates saying they received copies of the program.
- Put someone with clout in charge of the program. The compliance officer must have credibility both with people inside the organization and with government investigators.
- Conduct background checks of employees in a position to affect compliance issues. Do not hire someone on the OIG's list of people excluded from Medicare and other federal healthcare programs.
- Teach employees and subcontractors about the program's practical aspects. It is not enough to publish the program. Hold training sessions.
- Create a system whereby employees and subcontractors can report possible cases of fraud without fearing retribution. Do not punish whistleblowers.
- Enforce standards consistently. Do not, for example, discipline an offending vice president less harshly than you would someone at a lower level.
- Respond quickly and appropriately to reported cases of fraud. The government gives organizations credit for reporting fraud voluntarily.
Nitto offered an eighth suggestion: "Make sure subcontractors have compliance programs of their own. If they don't, don't contract with them."
Credibility with the Government
A strong compliance program, one that prevents and detects fraud, will protect both the organization's money and its reputation, Daly said. "The whole point of the program is to bring potential problems to the boss's attention.
"But," he continued, "the bottom line is that such a program gives you credibility with the government. Remember, the government has tremendous power. If it sees you as a good corporate citizen, it will leave you alone. If it doesn't see you as a good citizen — if, for example, it thinks your compliance program is mostly for show — you'll have troubles."
Dunne agreed that, in a fraud investigation, the government's agents would take the effectiveness of the organization's compliance program into account. When she is assigned to such cases, Dunne said, she automatically asks of a program:
- Did employees understand it?
- Was its monitoring system effective?
- Did it compel an effective response?
Dunne said that executives responsible for corporate compliance should document everything they do. "Try to think about what a prosecutor might look for, including possible patterns of wrongdoing. And be prepared to educate a prosecutor about how your compliance program actually works."