Keep an Eye on Exclusion Monitoring
By Donna Thiel
For The Record
Vol. 29 No. 7 P. 10
Smart health care organizations stay on top of risk management processes to ensure compliance with OIG standards.
Building an exclusion monitoring process—whether it be in a hospital or another health care setting—seems like it should be straightforward, right? Unfortunately, that's not the case. Those who have already implemented a monitoring process know it isn't as easy as it seems.
Some may think a monthly check of the Office of Inspector General's (OIG) List of Excluded Individuals and Entities (LEIE) and the System for Award Management (SAM) list is all it takes. However, it isn't that simple anymore. Now, there are 40 state exclusion lists to consider, plus license sanctions need to be monitored. And what about vendors and other contractors? Should they be monitored for possible exclusions? The answer is yes, yes, and yes.
This article offers an in-depth look at the basics of exclusion and sanction monitoring, some of the challenges associated with implementing a monitoring program, and helpful hints on how to overcome potential hurdles.
What Is an Exclusion?
There is quite a bit of confusion around the actual definition of an exclusion, in particular the difference between an exclusion and a sanction.
By definition, an exclusion is an administrative action taken against an individual or an entity (aka a vendor) by the OIG.
On the other hand, a sanction may be an early indicator of a potential exclusion, but it actually refers to a license issue. There is confusion in the marketplace because the OIG and SAM federal data sets refer to an exclusion as a sanction. For the purpose of this article, a sanction means a disciplinary action taken against a person's license by a state professional license board, and an exclusion is an administrative action taken by the OIG.
Who Must Be Monitored?
The easy answer is, everyone—all employees, vendors, and contractors. According to the OIG Special Advisory Bulletin of May 8, 2013, "OIG recommends that to determine which persons should be screened against the LEIE, the provider review each job category or contractual relationship to determine whether the item or service being provided is directly or indirectly, in whole or in part, payable by a federal health care program. If the answer is yes, then the best mechanism for limiting CMP [civil monetary penalty] liability is to screen all persons that perform under that contract or that are in that job category. Providers should determine whether or not to screen contractors, subcontractors, and the employees of contractors using the same analysis that they would for their own employees."
Based on that information, it is now agreed upon that health care organizations are required to monitor all employees, contractors, and subcontractors. It's important to screen referring physicians and providers as well, even if there isn't a contractual relationship, because these groups fit into the definition of providing a service that is payable by a federal health care program. Keep in mind that the OIG has stated that this ruling applies not only to those licensed and working with patients but also to those involved indirectly with patients, including everyone from cooks and janitors to employees in human resources and financial positions.
What Lists Should Be Monitored?
The LEIE is the industry's most familiar monitoring database, which, along with the other federal datasets, informs health care professionals of currently excluded individuals who likely have earned this distinction because of an offense related to fraud or abuse.
Excluded individuals and entities can be found on federal and state exclusion lists. The current exclusion lists include the following:
• SAM and the Excluded Parties List System, both of which fall under the General Services Administration; and
• 40 state Medicaid lists.
A person or entity that becomes excluded or sanctioned is placed on the LEIE. This list, which has been in existence since the early 1990s, is a compilation of those persons and entities that have been excluded from participation in federal health care programs.
The LEIE was designed to include exclusions from across the country. However, the list contains the exclusion actions taken by the OIG only. Currently, the LEIE lists approximately 67,000 excluded individuals and entities.
According to Performance Standard 8, all state Medicaid Fraud Control Units are required to report any action involving terminations and/or exclusions to the OIG within 30 days. Unfortunately, audits of the LEIE indicate this is often not the case. For example, the OIG 2014 audit found that 22% of Texas' reporting occurred after 90 days while California reported 65% of its convictions after 90 days.
The 40 state Medicaid exclusion sources add approximately another 60,000 state exclusions. In total, between all federal and state exclusion sources, there are more than 200,000 excluded individuals and entities. Monitoring of these state-specific exclusion lists is critical for 100% compliance.
How to Monitor
There are many different ways a health care provider can address monitoring activities. The OIG created a website where health care organizations can search individual providers and vendors one at a time or as many as five at once. If there is a possible match, health care organizations can add additional information to try to determine or confirm the findings. The OIG also has a downloadable file that organizations with IT support can use to create a tool to compare in-house databases with the LEIE list. The file is updated monthly.
As chief compliance officer at Extendicare, I chose to hire a third-party vendor to manage the exclusion monitoring process. At the time, Extendicare, which operated in 12 states, had more than 25,000 employees, approximately 200 skilled nursing facilities, and a therapy company. While coordinating the risk management program, the concern was that the number of lists to be reviewed would raise the risk of staff missing an exclusion or a sanction. Automating this process proved to be much more efficient and effective for my department.
When establishing a monitoring process, it's important that health care organizations monitor all available lists, not just those in the state in which they operate. Don't forget to consider the significant lag time for states reporting their information to the OIG and other states. Because so many employees may have previously worked in a different state, make sure the most up-to-date information is on hand. Failing to do so could result in a missed exclusion and a heavy fine.
Dealing With Exclusions
The government forbids federal reimbursement, whether direct or indirect, for goods provided or services rendered by an excluded individual or entity. This includes reimbursement for salaries, benefits, and items claimed or billed by licensed health care providers and administrative personnel. Also, health care organizations can't purchase goods or services from an excluded entity or vendor.
Health care organizations that submit a claim for or receive federal health care reimbursements either directly or indirectly from an excluded individual or entity are subject to civil fines and monetary penalties.
Civil fines and monetary penalties assessed by the OIG include the following:
• $10,000 for each item claimed or service provided;
• treble (three times the amounts claimed to the Centers for Medicare & Medicaid Services [CMS] for reimbursement) damages;
• possible program exclusion of the company;
• possible loss of right to bill CMS for services rendered;
• possible additional fines for filing false claims under the False Claims Act (penalties up to $11,000 per claim, and possible placement in a Corporate Integrity Agreement with the OIG); and
• possible criminal fines and/or jail time.
The silver lining lies in the recommended self-disclosure process, which, in most cases, reduces the multiplier to 1.5 times the amount of all damages. Health care organizations that elect to use the OIG's Self-Disclosure Protocol will have their penalties reduced and the matter resolved much more quickly. The OIG has stated several times recently that one of the ways it measures an effective compliance program is whether or not the provider has used the Self-Disclosure Protocol.
As of May, there have been five cases published on the OIG's self-disclosure settlement page involving seven excluded or unlicensed staff. The net result is $751,398 in penalties and an average fine of $107,342 per excluded/unlicensed individual. This demonstrates how quickly penalties can add up.
Sanction monitoring is another essential component of an effective compliance program. Sanction refers to a disciplinary action taken against a professional license by the licensing board.
One of the most critical areas that may be overlooked when putting together a monitoring program is tracking licenses. Most health care organizations do a good job in the prehire process of confirming a prospective candidate owns a valid license in the state in which the organization operates. However, it would be wise to conduct ongoing monitoring and to monitor other states as well, particularly when considering license sanctions.
Take the case of a nurse working at a Wisconsin hospital who recently moved from Minnesota. How does her new organization confirm whether there was a sanction against her license that precipitated her move to Wisconsin? State licensing boards do not operate in real time and may not post or communicate their findings to the OIG for several months.
Given these circumstances, how are health care organizations protecting themselves against the nurse who is "running" from an inevitable sanction or exclusion? The answer is to monitor applicable licensing boards throughout the country on a monthly basis. This can be difficult for organizations handling the monitoring process themselves, but nevertheless it must be a consideration.
Health care organizations are liable not only for the inherent risk associated with their employees and services but also for monitoring their third-party vendors—who supply everything from medical equipment to kitchen supplies—to ensure none are excluded from federal or state health care programs.
Make It a Team Effort
A collaborative, vigilant approach to compliance risk management is essential for an organization's overall success. With health care regulations seemingly in a constant state of flux, compliance now takes more effort than ever. To avoid the potentially crippling fines associated with paying Medicaid or Medicare money to an excluded vendor, organizations must stay up to date with the latest rules and regulations.
As the OIG continues to broaden and expand its exclusion authority, an organization not actively seeking updates to regulatory requirements and exclusion lists can go from compliant to at risk overnight. Check all employees and entities against available exclusion lists on a monthly basis and self-disclose any exclusions to the OIG to reduce penalties.
There's no time like the present to review your current risk management program to ascertain whether it's up to speed or in need of enhancements.
— Donna Thiel is director of the compliance integrity division at ProviderTrust. Prior to joining ProviderTrust, Thiel worked in the postacute industry for more than 30 years and was chief compliance officer at Extendicare Health Services and Fortis Management Group.