Cornelia Dorfschmid (cdorfschmid@strategicm.com) is Executive Vice President & Managing Senior Consultant, and Alexis Rose (arose@strategicm.com) is Associate Consultant at Strategic Management Services LLC in Alexandria, VA.
The Patient Protection and Affordable Care Act (ACA) of 2010 mandated nursing facilities (NF) and skilled nursing facilities (SNF) adopt compliance and ethics programs.[1] On October 4, 2016, the Centers for Medicare & Medicaid Services (CMS) published a final rule, The Medicare and Medicaid Programs; Reform of Requirements for Long-Term Care Facilities(the 2016 final rule), which outlined the requirements for NF and SNF compliance and ethics programs.[2] As Requirements of Participation (RoP) with Medicare, the final rule required NFs and SNFs to have compliance and ethics programs in place on or before November 28, 2019. However, over the past several years, to reduce the regulatory burden for providers and suppliers following the original publication of the 2016 final rule, CMS has revised the Conditions of Participation (CoPs), the Conditions for Coverage (CfCs), and requirements for long-term care (LTC) facilities.
In response, CMS has proposed to delay the implementation of the Compliance and Ethics Program rule (42 C.F.R. § 483.85) and amend certain parts of Phase III requirements, including compliance programs. On July 16, 2019, CMS released a proposed rule regarding the Requirements for States and Long-Term Care Facilities (the 2019 proposed rule).[3] The revisions affected various sections including the Quality Assurance and Performance Improvement (QAPI) program ( 42 C.F.R. § 483.75 ) and the compliance and ethics program ( 42 C.F.R. § 483.80 ) requirements. Both the changed expectations in the 2019 proposed rule, including the proposed year-long delay, are now putting providers in a state of uncertainty as to what and how much they might have to do next. The comment period for the 2019 proposed rule closed on September 16, 2019, but the final rule is not likely to be published anytime soon. In late November, the 2019 proposed rule was moved from the “proposed rule” category to the “long-term action” category, which means the rule is “under development but for which the agency does not expect to have a regulation action within the 12 months after publication.”[4] Therefore, it is still important to revisit the 2016 final rule and stay proactive, putting in place an effective and sustainable compliance program.
Proposed changes
CMS proposed to reduce some of the compliance and ethics program requirements, particularly those applicable to SNFs and NFs with five or more facilities. CMS proposed to remove the requirements that SNFs with five or more facilities:
-
Conduct mandatory annual training,
-
Have a designated compliance liaison for each facility,
-
Conduct annual reviews and make the requirement periodic, and
-
Have a compliance officer who oversees all facilities (See Table 1).
Requirements |
Exact language in final regulation, 42 C.F.R. § 483.85 |
Effect of proposed rule |
---|---|---|
Compliance and ethics standards, policies, and procedures |
“Established written compliance and ethics standards, policies, and procedures to follow that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations under the Act and promote quality of care, which include, but are not limited to, the designation of an appropriate compliance and ethics program contact to which individuals may report suspected violations, as well as an alternate method of reporting suspected violations anonymously without fear of retribution; and disciplinary standards that set out the consequences for committing violations for the operating organization’s entire staff; individuals providing services under a contractual arrangement; and volunteers, consistent with the volunteers’ expected roles.” See 42 C.F.R. § 483.85(c)(1) . |
No change |
Assignment of high-level personnel to oversee and be responsible for the compliance program |
“Assignment of specific individuals within the high-level personnel of the operating organization with the overall responsibility to oversee compliance with the operating organization’s compliance and ethics program’s standards, policies, and procedures, such as, but not limited to, the chief executive officer (CEO), members of the board of directors, or directors of major divisions in the operating organization.” See 42 C.F.R. § 483.85(c)(2) . |
Changed definition of high-level personnel[5] |
Sufficient resources and authority |
“Sufficient resources and authority to the specific individuals designated in paragraph (c)(2) of this section to reasonably assure compliance with such standards, policies, and procedures.” See 42 C.F.R. § 483.85(c)(3) . |
No change |
No discretionary authority to individuals with propensity to engage in violations of the Act |
“Due care not to delegate substantial discretionary authority to individuals who the operating organization knew, or should have known through the exercise of due diligence, had a propensity to engage in criminal, civil, and administrative violations under the Social Security Act.” See 42 C.F.R. § 483.85(c)(4) . |
No change |
Communication of standards, policies, and procedures to staff, contractors, and volunteers via mandatory training, orientation programs, or disseminating information |
“The facility takes steps to effectively communicate the standards, policies, and procedures in the operating organization’s compliance and ethics program to the operating organization’s entire staff; individuals providing services under a contractual arrangement; and volunteers, consistent with the volunteers’ expected roles. Requirements include, but are not limited to, mandatory participation in training as set forth at § 483.95(f) or orientation programs, or disseminating information that explains in a practical manner what is required under the program.” See 42 C.F.R. § 483.85(c)(5) . |
No change |
Monitoring and auditing, and having an available reporting system. |
“The facility takes reasonable steps to achieve compliance with the program’s standards, policies, and procedures. Such steps include, but are not limited to, utilizing monitoring and auditing systems reasonably designed to detect criminal, civil, and administrative violations under the Act by any of the operating organization’s staff, individuals providing services under a contractual arrangement, or volunteers, having in place and publicizing a reporting system whereby any of these individuals could report violations by others anonymously within the operating organization without fear of retribution, and having a process for ensuring the integrity of any reported data.” See 42 C.F.R. § 483.85(c)(6) . |
No change |
Consistent enforcement of standards, policies, and procedures |
“Consistent enforcement of the operating organization’s standards, policies, and procedures through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect and report a violation to the compliance and ethics program contact identified in the operating organization’s compliance and ethics program.” See 42 C.F.R. § 483.85(c)(7) . |
No change |
Response to detected violations and prevention of recurrence |
“After a violation is detected, the operating organization must ensure that all reasonable steps identified in its program are taken to respond appropriately to the violation and to prevent further similar violations, including any necessary modification to the operating organization’s program to prevent and detect criminal, civil, and administrative violations under the Act.” See 42 C.F.R. § 483.85(c)(8) . |
No change |
5+ Facilities | ||
Mandatory annual training |
“A mandatory annual training program on the operating organization’s compliance and ethics program that meets the requirements set forth in [ 42 C.F.R. § 483.95(f) ].” See 42 C.F.R. § 483.85(d)(1) . |
Removal of this requirement[6] |
Designated compliance officer |
“A designated compliance officer for whom the operating organization’s compliance and ethics program is a major responsibility. This individual must report directly to the operating organization’s governing body and not be subordinate to the general counsel, chief financial officer or chief operating officer.” See 42 C.F.R. § 483.85(d)(2) . |
Removal of this requirement[7] |
Compliance liaisons |
“Designated compliance liaisons located at each of the operating organization’s facilities.” See 42 C.F.R. § 483.85(d)(3) . |
Removal of this requirement[8] |
Annual review of compliance program |
“The operating organization for each facility must review its compliance and ethics program annually and revise its program as needed to reflect changes in all applicable laws or regulations and within the operating organization and its facilities to improve its performance in deterring, reducing, and detecting violations under the Act and in promoting quality of care.” See 42 C.F.R. § 483.85(d)(4) . |
Review does not have to be annual. Changed to periodic[9] |
Thoughts
Compliance officers may want to stay informed on the developments and, in the meantime, focus on strengthening or refreshing their compliance programs to keep them effective. Here are a few thoughts on what to do and consider as programs are revisited and updated.
Awareness
Compliance officers should be aware of the proposed changes and examine the revisions and the expectations that remain under the 2019 Proposed Rule. Despite the proposed changes, a SNF or NF compliance and ethics program of significant size and complexity should contain the noted elements regardless, especially since the proposed changes have not been finalized and they are best practices for having an effective compliance program.[10]
High-level personnel
The 2019 proposed rule retains the requirement that specific high-level personnel of the operating organization be assigned the overall responsibility to oversee compliance with the program’s standards, policies, and procedures. However, it removed language that states the high-level personnel is “such as, but not limited to, the chief executive officer (CEO), members of the board of directors, or directors of major divisions in the operating organization could be assigned to oversee compliance.”[11]
Although the 2019 proposed rule deemed the naming of specific positions as too prescriptive, it points to the OIG Compliance Program Guidance (CPG) for Nursing Facilities of 2000 for further guidance. According to OIG, “designating a compliance officer with the appropriate authority is critical to the success of the program, necessitating the appointment of a high-level official with direct access to the nursing facility’s president or CEO, governing body, all other senior management, and legal counsel.”[12] This access to senior management and a compliance committee, which is the second recommendation for the assignment of responsibilities in the CPG, should be components of an effective program. Compliance committees are also mandated in numerous corporate integrity agreements (CIA) for larger entities. This is for good reason, because having a strong committee that includes operational personnel is a central piece to a successful compliance program. Reviewing and revisiting the committee’s effectiveness, attendance, topics, and corrective actions resulting from meetings is a worthwhile effort to refresh a program.
The compliance committee is also the right group (when appropriately structured and inclusive of major operational business units, legal, information technology, and human resources) to initiate and oversee centralized compliance risk assessments and remediation efforts resulting from these assessments. In summary, even if the 2019 proposed rule were to remove the specific list from the definition of high-level personnel, an effective compliance program would typically involve all these individuals in compliance conversations. That also includes buy-in and well-defined oversight from boards and/or owners. A strong culture of compliance usually starts from the top and has enough buy-in to implement important compliance changes.
Compliance officer/liaisons
The wisdom of the proposed removal of the requirement that each facility designate a compliance officer and a designated compliance liaison for five or more facilities is questionable. Although it is not unrealistic to assume that a corporate entity with five SNF facilities may have a full-time corporate compliance officer who is responsible for all facilities, there would still have to be a local liaison, that is, boots on the ground. The liaisons would work with the corporate or enterprise compliance officer, especially when the SNF facilities are geographically dispersed. Removing both compliance officer and liaison requirements does not seem to promote an effective compliance program infrastructure, especially one with decentralized operations. It shifts too much burden on a corporate compliance officer, who will need help from someone being their eyes and ears so they can stay abreast of what is going on locally.
When a compliance officer is responsible for all locations without that support, it may result in issues being missed or the compliance officer getting caught up in doing administrative activities (e.g., logging complaints, following up on training) and not having enough time to conduct the in-depth investigations and analyses necessary to really address serious compliance issues. Most compliance programs often fail because of two reasons: (1) weakness in assignment of responsibility for the program, and (2) ineffective auditing and monitoring. Instead, the 2019 proposed rule allows for more flexibility and expects that each facility will assign high-level personnel with the overall responsibility to oversee compliance; but it removes a critical aspect of compliance oversight—independence of operations. In organizations with more than five facilities, it is highly advisable to at least have designated liaisons who directly work with the corporate compliance officer on certain compliance matters and are part of the compliance team.
Even though SNFs and NFs often face staffing challenges with having a liaison in charge at each facility to work closely with the enterprise compliance officer, that can still make the compliance program much more effective. CMS made it clear in the 2016 final rule that a liaison does not have to be solely dedicated to compliance duties. Additionally, the liaison is not meant to be a compliance officer but, at minimum, should be responsible for assisting the compliance officer with their duties.[13] Facilities will have flexibility when it comes to the liaison role, but will have the important aspect of keeping the compliance officer informed of issues at all facility locations. Therefore, a system with five or more facilities and no designated compliance officer (or at least facility-specific help) is not a road map to an effective program.
Annual review
Although the 2019 proposed rule suggested that a SNF/NF with five or more facilities conduct a periodic review of the program, the 2016 final rule requirement for an annual review is still technically in place. CMS however, in the absence of an annual review requirement, still expects that the administrator and director of nursing would each annually spend five hours reviewing the program to ensure its compliance. Although the proposal would reduce burden on the entity (including the compliance officer), in light of the fast-paced changes in the regulatory and enforcement environment, conducting an annual review can still be considered a best practice for any compliance program. Additionally, NFs have become an enforcement focus of the OIG, so it is important to quickly identify risks or issues and mitigate them. Rather than having an off-and-on year cycle, a reduced scope in one year may be considered a useful alternative and be based on prior year results, current identified risks, and/or vulnerabilities. Also, one should not forget that OIG’s CPG recommends annual reviews for effective compliance programs. It is best practice to conduct annual reviews.[14]
If the seven well-known elements of an effective compliance program are discussed or receive status updates during quarterly compliance committee meetings, it may help make the annual reviews more efficient. There will be fewer surprises and review work when an annual review summary must be produced. Keeping the seven elements as standard agenda items for the committee meetings fosters that approach.
Annual training
CMS proposed to remove the mandatory annual compliance and ethics training requirements for the operating entities with more than five facilities.[15] However, mandatory compliance training for all employees who have patient interaction or access to protected health information (PHI) is well advised. Additionally, although volunteers or independent contractors are technically not workforce members and cannot be held accountable or sanctioned the same way as employees, it still makes sense to include them in some form of compliance and ethics training or orientation, or at least subject them to a compliance and ethics orientation and periodic refresher, including HIPAA training or orientation. Given the many technological advances in communicating and collaborating with workforce/staff and the teaching modes available to carry on a dialogue on compliance, the basic expectations about the program should be shared widely. Committing to annual training or orientation and refreshers remains a best practice. Waiting two or three years between trainings may just be too long for some individuals with high-risk duties in the fast-paced regulatory and enforcement environment.
Tips
Regardless of the specifics of any forthcoming final rule, here are a few tips to consider.
Get everyone involved
Compliance is not a spectator sport. Even though CMS proposed to make the high-level personnel definition less prescriptive, a compliance program should involve the oversight and input of the CEO, board of directors, and a compliance committee, as well as supervised staff. In the NF setting, the involvement and input from operational and quality of care personnel on a compliance committee and in compliance program discussions is something to strive for. Quality and patient care are an area of great focus for SNFs and NFs; therefore, it is important to have those individuals contribute to the conversations on compliance, report concerns, and share their ideas. The weakest link is the important message we did not get or bother to listen to. A periodic compliance questionnaire that asks what the workforce wants from the compliance office or program, or what could be done better, may be an eye-opener and facilitate program improvement.
Training should be applicable to everyone and ongoing
Empowering the workforce through training and education supports internal controls that guide operations. It is worthwhile to get feedback from staff on its helpfulness. Especially in the NF sector, where higher-than-average turnover is a challenge, effective training is critical. Two categories of individuals are probably the most difficult to capture in mandatory compliance training: volunteers and contractors. For volunteers, compliance training can be included in their volunteer on-boarding. If volunteers stay for more than a year, the facility could make it a condition of continued volunteering that they take the training again. For contractors, facilities can make it a contract condition to participate in the facility’s compliance training, or that the contractor provides reasonable assurance that its workforce members have taken compliance training. This may be more difficult if the contractor is not another healthcare provider or payer.
Consider compliance liaisons an opportunity and not a burden
Although not all SNFs or NFs would have to adopt a compliance liaison position for each facility, it is one of the most debated requirements. Many compliance officers who are responsible for a multi-location NF have their office at one location and may not be able to easily visit and observe issues at the remote facilities often enough. Therefore, compliance liaisons could be a great help for detecting issues at a faraway facility. A compliance liaison can also help with the “communication element” that is critical to an effective compliance program. The liaison may be able to better communicate compliance training and issues at the facility level, because they can do it in person or know the facility environment better.
Don’t try to address all risk areas every year
The risk assessment and the creation of audit and compliance plans following a risk assessment is another time- and resource-consuming aspect of a compliance program. However, it is one of the most critical elements of having an effective compliance program. A small or even medium-sized compliance program may not be able to include a majority of risk areas in the annual assessment or even address all risks identified every year. It is better to effectively and thoroughly address the high-risk areas, develop priorities, and manage a shorter-but-doable task list. Such a list can be agreed upon by the compliance officer, compliance committee, and the board, rather than trying to address too many topics and risk issues on a cursory level, or not getting any corrective action going and let outcomes of risk analyses remain unresolved.
Document, document, document
It is extremely important to document the compliance program policies, procedures, investigations, training completion, audit and monitoring efforts, and risk assessment efforts. These documents are critical to evidencing an effective compliance program to federal agencies, auditors, state surveyors, and even patients and industry. Documentation that shows not only what was done, but why, can also facilitate a defense if a mishap or violation still occurs, as long as proactive activities are part of reasonable risk management approach and can be evidenced. Document retention policies are important as well, although some compliance offices still don’t seem to have such a policy.
Conclusion
The proposed rule of 2019 created uncertainty as to what the final regulatory expectations would be for SNFs and NFs, but many best practices already include what is required in the 2016 final rule. With that in mind, compliance officers may simply want to stay aware of the future rule development and, in the meantime, use issued rules as part of their road map to self-assess and refresh their programs. Having at least compliance liaisons, and conducting annual compliance reviews and training, are clearly a strategy to consider.
Takeaways
-
The proposed rule is not likely to be finalized before 2020, and SNFs and NFs should implement all requirements from the 2016 final rule.
-
OIG compliance program guidance considers annual reviews part of an effective compliance program for SNFs and NFs.
-
Designating a compliance officer or liaison for the facility is worth implementing, because communication and collaboration are key aspects of an effective program.
-
Volunteers and contractors should be included in compliance training plans, even if they cannot be subject to the same enforcement as employees.
-
Compliance should communicate across facilities, up to management and the board, and with other operational areas and business units, including quality of care.