A four-step approach to a risk management plan
PRINT This Page  RETURN To Article 

Published August 01, 2008

In an attempt to reduce government spending, state and federal agencies are taking a fine-tooth comb to organizations that receive Medicaid funding. That means having an effective compliance policy is more important than ever.

The escalation of Medicaid costs—an expected $204 billion in fiscal year (FY) 2008 and $400 billion in 2009—raised red flags in Congress, said Michael F. Mangano, a former principal deputy and acting inspector general in the OIG and senior vice president at Strategic Management in Alexandria, VA.

Mangano spoke during the February 20 HCPro audioconference, “Medicaid Enforcement: Prepare Your Compliance Program for Government Scrutiny.” (For information, visit www.hcmarketplace.com/prod-6185.html.)

To address that concern, the federal government promised CMS millions for the enforcement of Medicaid regulations.

In FY 2008, CMS received $50 million from the federal government and will get $75 million for each subsequent year to complete its five-year plan of eliminating fraud and abuse of the Medicare and Medicaid programs. So far, CMS has spent money to hire 100 additional staff members in order to complete its goal.

How the DRA changed Medicaid enforcement

“The biggest change for Medicaid enforcement has been the Deficit Reduction Act of 2005 [DRA],” Mangano said.

The DRA gave CMS the authority to audit healthcare providers suspected of abuses. Under its supervision, CMS formed the Medicaid Integrity Group (MIG) to find potential targets for audits and hire contractors to conduct those audits.

The DRA also gave states a bigger incentive to implement their own false claims acts (FCA).

Prior to the DRA, any monies recovered due to fraud or abuse of a state Medicaid program were shared between the state and federal governments, each according to its share of the program’s cost. For example, if a state pays 40% of the Medicaid program costs, it will receive 40% of the recovery.

Now, states that adopt their own FCA and have it approved by the OIG receive an additional 10% of the recovered money. So far, Hawaii, Illinois, Massachusetts, New York, Nevada, Tennessee, Texas, and Virginia have OIG-approved FCAs.

The DRA also enacted the 60-day rule, which requires states to pay the federal government for any abuses within 60 days, regardless of whether they recovered the money.

“That will put a great incentive on the states to go back and recover this money,” Mangano said. “There will be many state and federal agencies looking over your shoulder with data mining resources for both Medicaid and Medicare services. The need to be careful is important.”

What the government looks for

The first thing the OIG examines is the facility’s compliance program. Often, the organization’s policy looks good on paper. But staff members rarely follow the policy, Mangano said.

A good compliance policy includes:

  • Executive involvement in oversight
  • Clear, written guidance
  • A well-developed and attended education and training program
  • Employees who bring potential compliance issues to the compliance officer
  • Coordination with other departments (e.g., legal and HR)
  • Annual auditing/monitoring of compliance risks
  • Evidence of identification, follow-up, and resolution
  • Effective internal communication

How to approach a Medicaid risk management program

A structured, four-step approach involving the entire hospital is the best way to identify and reduce potential compliance risks, said Dave Butler, president of Strategic Management, who also spoke at the audioconference. These steps are:

1. Risk identification. To start, have all departments attend a meeting to identify the probability and the effect of risks, ranging from low to high, in every possible department. Identify the risks based on OIG, MIG, CMS, and other government agency–targeted items.

High-risk areas include:

  • Lack of written guidance for staff members
  • Enrollment abuses
  • Doctored birth certificates
  • Giving bad information to beneficiaries
  • Billing errors
  • Denying services through rationing of services

2. Risk assessment. Next, narrow down your facility’s greatest potential risks to 15. Base this on the newness of the policy, any recent training, internal controls, and other factors. Use key players in each department to assess and prioritize the risk list, Butler said.

3. Risk strategy plan. Determine a plan for when and how you will address each risk area. Start with the most critical risk and work down. Develop a chart to organize when each risk will be addressed. List each risk area down the left side of the chart with a calendar across the top. Use color-coded boxes to show when each risk area will be reviewed. “I think [a work plan] communicates well to the executives that will be overseeing this process as to where you are and how this process works,” Butler said.

4. Risk remediation. Review existing policies and procedures and develop new ones where needed.

To help visualize your organization’s deficiencies, make a matrix comparing FCA regulations and your organization’s current policy. This makes it easy to determine whether your organization effectively meets your top risks.

If changes to policy must be made, train and test your staff members based on the new compliance criteria. All training should be documented in HR records.

After training, conduct an internal audit to see whether the new policies and procedures effectively address the risk areas. If not, make the appropriate changes and reassess your success.

How to keep up with changes

All compliance policies and procedures should remain active and should always include the most recent information. Your organization should keep an eye on any changes to the FCA.

To make sure the organization is up to date on all the most recent regulations, it’s a good idea to do an annual internal audit, as well as an external review of your compliance procedures every three years.

Since the DRA encourages each state to develop its own FCA, it is important that your organization’s attorneys understand the legal landscape for your particular area, said Sarah Kay Wheeler, a partner specializing in health and hospital law at King & Spaulding, LLP, in Atlanta, who also spoke during the audioconference.

For example, some states require that providers certify compliance with employee education provisions in order to get reimbursement. In those states, a person of appropriate authority needs to attest to the fact that employees received adequate education.
© Healthcare Audit Resource Center, a division of HCPro, Inc.