Risk areas are the driving factor in the monitoring and auditing activities of a compliance program. When identifying risk, most organizations take into account a number of resources. Program assessment should also take into account various government and professional guidance and resources.
The OIG annual Work Plan, updated monthly, is one such often-used resource—but it should not be the only resource. Reviewing other program integrity and enforcement activities of any regulatory body with oversight for activities performed by the organization will be important. There can be a multitude of governing rules, regulations, and activities in addition to the OIG. Those of interest to the organization will depend on the nature of the organization and the laws and regulations it is subject to, but they may include the Office for Civil Rights (OCR), the Food and Drug Administration (FDA), the Office for Human Research Protections (OHRP), and the U.S. Department of Justice (DOJ), just to name a few.
The following provides an overview of some common government and professional resources healthcare organizations can use when planning their compliance monitoring, auditing, and program assessment activities.
OIG Work Plan
The U.S. Department of Health & Human Services (HHS) OIG periodically publishes the OIG Work Plan, a free tool accessible by the public that gives any savvy healthcare compliance program a blueprint for organizational success. Learning about the OIG Work Plan and monitoring every update can be crucial to keeping a healthcare organization fit, functional, and on the right side of the law. The Work Plan was created by HHS OIG as a way to organize and coordinate various audits and evaluations throughout the fiscal year and is updated monthly throughout the year. These audits and evaluations allow the OIG to monitor HHS programs via an “independent and objective oversight that promotes economy, efficiency, and effectiveness.”
The OIG Work Plan outlines the federal government’s perspective and expectations of upcoming major management and performance challenges and can therefore become an important resource and reference for healthcare compliance programs. Taking the time to understand the OIG Work Plan gives an organization the opportunity to map out the federal government’s most recent concerns. This map can then be used by the organization’s compliance program to determine which areas of compliance should be an area of short-term and/or long-term focus.
According to the OIG, the following factors are used to determine which potential projects should be undertaken during the fiscal year:
Mandatory requirements for OIG reviews, as set forth in laws, regulations, or other directives
Requests made or concerns raised by Congress, HHS management, or the Office of Management and Budget (OMB)
Top management and performance challenges facing HHS
Work performed by other oversight organizations
Management’s actions to implement OIG recommendations from previous reviews
Potential for positive impact
These projects work to protect more than 100 programs administered via HHS agencies, such as the National Institutes of Health (NIH), the FDA, the Centers for Disease Control and Prevention (CDC), the Administration for Children and Families (ACF), and the Centers for Medicare & Medicaid Services (CMS). It is highly feasible that any healthcare organization’s compliance program will be affected by the types of projects and items that the OIG adds into its Work Plan.
A list of active and archived Work Plan items can be easily found on the OIG’s Work Plan website. The active items generally cover OIG audits, evaluations, and inspections that are either planned or currently underway. The list is organized by the date that item was announced, revised, or completed, starting with the most recent items. The Work Plan additionally notes which agency is affected by the work item and includes a link to the audit report or brief upon completion of the project.
The monthly update schedule allows the OIG to treat the Work Plan as a constantly evolving document, meaning that relevant information and changes to the Work Plan itself can reach healthcare compliance programs at a fast pace.
More information on the OIG Work Plan can be found here: https://oig.hhs.gov/reports-and-publications/workplan/index.asp.
OIG List of Excluded Individuals/Entities
The HHS OIG has the authority to exclude individuals and entities from federally funded healthcare programs and maintains its List of Excluded Individuals/Entities (LEIE). Under the exclusion power, the OIG can mandate that no payment will be made by any federal healthcare program for any items or services furnished, ordered, or prescribed by an excluded individual or entity. This prohibition covers the excluded party along with any entity that employs the excluded party, any hospital at which the excluded party provides services, or anyone else with whom the excluded party contracts. Further, the exclusion applies regardless of how the claim is submitted or who submits it, and it applies to all administrative and management services as well.
The OIG is required to exclude certain individuals and entities convicted of criminal offenses such as Medicare or Medicaid fraud. Mandatory exclusions include the following: (1) felony conviction for substance or alcohol abuse; (2) felony conviction for patient abuse; (3) felony conviction for fraud and abuse; (4) felony conviction for sexual assault; and (5) license revocation due to any convictions listed.
The OIG also has discretional authority to exclude individuals and entities for other types of convictions, such as misdemeanor convictions related to healthcare fraud. These are known as permissive exclusions and include the following: (1) misdemeanor convictions for substance or alcohol abuse; (2) misdemeanor convictions for patient abuse; (3) misdemeanor convictions for fraud and abuse; (4) misdemeanor convictions sexual assault; (5) license revocation due to any of the above; and (6) default on a federal student loan.
When an individual or entity becomes excluded, they are placed on an exclusion list maintained by the OIG—the List of Excluded Individuals/Entities (LEIE). The OIG also provides information regarding its exclusionary powers and their scope with frequently asked questions and an instructional video. An exclusions staff is available to discuss any specific questions that users of the list may have. The website offers email updates and allows requests for the OIG to render an advisory opinion.
Because of the significant risk of contracting with an excluded individual, healthcare providers should consult the LEIE to determine whether a potential employee or party to a contract has been excluded. Compliance should assist other stakeholders in ensuring that the list is reviewed prior to employing or contracting with any individuals who will provide any items or services payable by a federal healthcare program. It is also advisable that healthcare providers check the LEIE on a periodic schedule to review for existing contractors and employees to ensure that their status has not changed.
Users can search the LEIE database online. Up to five names may be searched at one time. For those who frequently review the LEIE and prefer to consult a spreadsheet, the OIG has a downloadable version of the database that is also accessible through its website and can be maintained offline. The Privacy Act prohibits Social Security numbers from being included on a downloadable date file. The OIG updates both versions of the LEIE on a monthly basis, generally by the middle of the month. Those updates include all actions taken during the previous calendar month. The OIG uses the email notices referenced above to notify providers when the LEIE is updated.
Searchers should use care when searching for an entity or individual. Spelling and punctuation are important, but the database does not require capitalized letters. Checking multiple variations of a spelling is appropriate because of errors that could happen in input or in maintenance of the database itself. The list may reference providers with hyphenated names under either name or the hyphenated name. Former names and married names may also require multiple searches. For entities, it is important to check all corporate names and ensure that the name of the entity is proper. Healthcare providers also use doing-business-as names and assumed names, particularly in this time of frequent acquisitions and mergers. At least for the first pass, a search should be as simple and as inclusive as possible to see how many results are provided.
Verifying Positive Results
Verification of positive results is necessary. The online database has a field to verify Social Security numbers, but those numbers must be added. Users can verify identity by checking an individual’s Social Security number or an entity’s Employer Identification Number, which is a number provided by the Internal Revenue Service. Social Security numbers are a good way to confirm that the appropriate individual has been identified. Users input the Social Security numbers into the searchable database as one of the matching criteria, so those numbers are not provided by the OIG to the searcher.
Documenting the results is extremely important. The search results should be printed or saved electronically into the file that involves that contract. If there is a match, the page indicating whether the identity was verified should be printed as well. The database includes a unique physician identification number (UPIN) created by CMS as a provider identifier in lieu of a Social Security number. The database also includes national provider identifiers (NPIs), which have replaced the UPIN as unique numbers used for providers. CMS began assigning NPIs in 2006; thus, some of the individuals and entities that are excluded by the OIG do not have NPI numbers. If a search result does not contain a date of birth, a UPIN, an NPI, or a Social Security number, it is not available from the OIG. If contacted, the exclusion staff can determine if there is other identifying information available. A copy of the individual’s or entity’s exclusion notice can be obtained by submitting a written request with a printout from the LEIE to the OIG Exclusions Department. The OIG recommends using its LEIE as the primary search engine for exclusions because the LEIE contains more specific details and is updated more regularly.
Who performs the exclusion checks is not as important as ensuring they are performed. In some organizations, the human resources department performs the checks, some organizations outsource the function, and still others utilize the medical staff department. Compliance should perform routine monitoring to ensure the checks are being performed and the process is documented.