The Basics of Practice Compliance: Are You Ready For An Audit?

Audits are a source of concern for many podiatrists. However, proper preparation and compliance policies may help a practice mitigate the challenges of such an inquiry and thrive. Accordingly, these authors review the building blocks of a good compliance plan including manuals, training, internal audits and security risk assessments.

Large or small, every podiatry practice needs to care about compliance and take the matter seriously. Many doctors do not like to deal with anything related to compliance but ignoring it or sweeping it under the rug is a huge mistake. 

Compliance covers many important aspects of podiatric practice management including, but not limited to:

1. Health Insurance Portability and Accountability Act (HIPAA) 
2. Occupational Safety and Health Administration (OSHA)
3. internal chart auditing
4. infection control
5. medical record requests
6. non-discrimination and disability rights
7. Stark law
8. Fraud, Waste and Abuse (FWA) 
9. monitoring of the Office of Inspector General’s List of Excluded Individuals/Entities (LEIE) from federal health care programs, and much more.

If you own or manage a small podiatry practice or a large podiatry group, you need to know about all of these compliance elements. One does not have to be an expert in all of the aforementioned areas but it is important to have a solid grasp of each topic and which legitimate resources to turn to if assistance is necessary.

Manuals, Training and Employee Screenings: What You Need To Know

Every practice needs a compliance program. A written set of compliance policies sets the tone and standards for your practice. Compliance policies will establish the governing body (which could be the physician, the office manager or a board of directors) and will set forth the elements of compliance as enforced by the Office of Inspector General (OIG). The OIG enforces compliance and we must do the same in our daily practices. 

One of the most important aspects of any compliance program is training. A well-trained staff can go a long way to reduce patient and practice risk. If anyone on your team grumbles about completing compliance training, we recommend having a formal talk with them. How can you trust someone to comply with federal and state regulations if he or she disagrees with annual compliance training? This yearly training is important to remind your team about tasks and regulations that we encounter every day and to retrain for those events that we do not encounter every day. Your compliance program should outline training expectations and requirements.  

Some podiatry practices use software programs to assist in providing robust training by tracking and automatically reassigning training-related tasks to employees each year. Compliance software can be beneficial, especially if you have multiple offices, since team members are able to complete the training online and at their own pace. Training can help prevent HIPAA breaches, sharps injuries, OSHA violations, fraud, waste and abuse along with many other concerning scenarios. 

If your company is contacted by OSHA or the OIG for an audit, one of the first questions they will ask you will be about your training program. How do you teach your team and help them understand these regulations? Hopefully, you have a thorough and up-to-date training program in place. 

The compliance program should also cover background screenings of employees and checking to make sure employees are not on the aforementioned Exclusion List. The OIG’s List of Excluded Individuals/Entities (LEIE) provides information to the health-care industry, patients and the public regarding individuals and entities currently excluded from participation in Medicare, Medicaid and all other Federal health care programs. Individuals and entities who have been reinstated are removed from the LEIE. Any physician who contracts with the federal government (Medicare and/or Medicaid) must verify that all current and prospective employees and contractors are not excluded or ineligible from providing services covered or reimbursed by Medicare or Medicaid. In the past, there was a perception that this eligibility requirement only applied to physicians. In fact, one needs to check all employees, no matter what level, against this list. There are several ways to check it but the OIG’s website is the easiest place to start. 

After you check an employee once, you have to continue to verify their status at least once a year thereafter. There are software programs that will do this for you automatically but the OIG website is free. Your safest bet would be to set a reminder in your calendar to do this for all employees every six to 12 months, and then document your findings. You will want to have this report handy if your practice is ever audited. 

Creating An Effective Monitoring And Auditing Program For Medical Records

Another important aspect of any compliance program is medical record and billing monitoring and internal auditing. One should ensure regular chart and billing audits. In an effort to be more collaborative, a compliance committee may be beneficial for larger groups. This committee could consist of the compliance manager, the Director of Operations or office manager, the billing manager and several physicians. This group should meet at least biannually to discuss the codes that are being audited and the results of the completed audits. It is best to choose a variety of codes based on frequency of usage or denials, the OIG Audit report, and various other factors. Larger companies tend to audit five charts per physician per code. Depending on how many codes a practice is auditing and how many physicians a group has, this can be a lot of auditing. 

If you have one to five physicians in your group, auditing at least 10 charts per physician every quarter is recommended. Auditing and monitoring can help ensure that documentation is up to the specific standards of insurance companies, there is no duplicate billing, and there are no inaccurate or incomplete descriptions of the nature of services or products provided. Additionally, the practice can ensure there was no incorrect or excessive billing, and that proper forms were signed when appropriate (like an Advance Beneficiary Notice or proof of delivery for durable medical equipment (DME) items (among other things).

Chart auditing can help make you aware of possible glitches or problems within your electronic health record system. For instance, perhaps documentation is not showing up in the finalized visit note even though the physician is entering it into his or her part of the record. Reports with audit results should be sent to each physician electronically and securely. Audit goals are typically set by a compliance committee or the physician in charge of the practice. If a physician does not meet an audit goal, the practice can provide education and schedule another audit of the physician’s charts within the next three to four months to ensure improvement. One can track results to see that each physician is improving and is in compliance with the compliance officer’s recommendations, and the specifications listed in the compliance manual. 

Implementing A Security Risk Assessment In Your Practice

The last thing that we will point out is the fundamental importance of performing a security risk assessment (SRA). Your practice must identify risks, document those risks and then figure out ways to mitigate those risks.

Think of the security risk assessment as a crucial tool to keep your patients and your business safe. Many doctors do not want to deal with this issue and will put the responsibility on their office managers. Just make sure that somebody motivated and competent gets the job.  

Identifying the risks in your practice can be tedious but a thoughtful security risk assessment will help identify gaps and weaknesses that could put your patients or your business at risk. These risks could be seemingly small (e.g. the risk of faxing records to the wrong fax number or the risk of overfilled sharps containers) but may have potentially major repercussions. Another possible risk in your practice could be if all the electronic devices are not properly encrypted. What could happen if an unauthorized person with bad intentions obtains access to the unencrypted device? Your job with the security risk assessment is to figure out how to lessen these risks and take actions to make that happen.

In Conclusion

Compliance is part prevention (looking forward) and part reaction (looking back). Whether you are preventing risks or reacting to risks, make sure that you and your team make compliance fundamental to the practice’s daily operations. Failure to do so could have devastating consequences for everyone involved.

Ms. LeClear is the Compliance Manager for InStride Foot and Ankle Specialists. She is a Certified Professional Coder through the American Academy of Professional Coders and a Certified Medical Practice Executive through the Medical Group Management Association. 

Dr. McDonald is a Diplomate of the American Board of Podiatric Surgery and President of InStride Foot and Ankle Specialists, based in Concord, NC. 

Resources

1. U.S. Department of Health and Human Services. Guidance on Risk Analysis. Available at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.htmlprofessionals/privacy/guidance/access/index.html . Accessed August 31, 2020.
2. Office of Inspector General. Exclusions Database. Available at: https://exclusions.oig.hhs.gov/. Accessed August 31, 2020.  
3. American Academy of Professional Coders. Audit to promote revenue integrity. Available at https://www.aapc.com/blog/45893-audit-to-promote-revenue-integrity/. Published March 4, 2019. Accessed August 31, 2020. 
4. Centers for Disease Control and Prevention. Guide to Infection Prevention for Outpatient Podiatry Settings. Available at https://www.cdc.gov/infectioncontrol/pdf/Podiatry-Guide_508.pdf. Accessed August 31, 2020.