Creating an effective process to identify and address regulatory risk in dental and orthodontic practices

John Fisher, JD, CHC, CCEP, discusses the elements needed to implement an effective compliance program

Systematic compliance programs have become a necessary mechanism to reduce the risk of potential regulatory penalties. Providers are putting more and more resources into formal programs and processes aimed at proactively identifying areas of regulatory risk and using self-audits to self-police for overpayments, potential abuse, and even health care fraud. This article identifies the importance of creating and operating effective internal compliance programs in dental and orthodontic practices and identifies the basic elements that should be present to assure that a compliance program is effective.

Reimbursement risks and compliance focus

The primary force necessitating pro-active compliance efforts are the potentially serious penalties for health care reimbursement fraud and abuse.¹ Providers are subject to potential program exclusion, civil monetary penalties, False Claims Act penalties, and even criminal exposure for failure to follow complicated reimbursement rules.² Dental and orthodontic practices receive significant governmental reimbursement, especially through the Medicaid program. In fact, the Affordable Care Act resulted in an expansion in orthodontic coverage for children whose medical necessity criteria are met in situations involving medical issues such as malocclusions that are caused by trauma. As reimbursement opportunities have expanded, we have seen an upswing in fraud enforcement actions in the dental area. Claims audits, overpayment demands, governmental investigations, and even fraud prosecutions are becoming more common in the dental industry.

Recent dental fraud cases

You can open virtually any dental industry trade publication and find current examples of fraud prosecutions involving providers in the dental industry. A few recent fraud cases illustrate that dentistry is not immune from fraud and abuse scrutiny.

• In 2014, a large national pediatric dental chain was excluded from participation in the Medicare and Medicaid programs following allegations of overbilling resulting from the provision of medically unnecessary services.³
• In 2019, North Carolina prosecutors reached a $728,450 settlement with a dentist following allegations that the provider performed and billed for medically unnecessary services.⁴
• A New York dentist, office manager, and dental assistant were accused of paying Medicaid recipients $25.00 to undergo minimal dental procedures and billing Medicaid for additional dental services that were not provided. According to the DOJ press release, the dentist was sentenced to a prison term of up to 10 years.⁵
• A West Virginian dentist was sentenced to 5 years in jail and agreed to repay $2.2 million for falsely billing Medicaid more than $700,000 for services that were improperly upcoded from simple extractions to extractions of impacted teeth.⁶

More typical compliance issues

While the reported cases are illustrative, the typical dentist does not normally engage in systematic health care fraud. Yet even the most honest provider can fail to adequately document a service in a manner that supports the code under which the service is billed. The more common situation occurs, for example, when a provider knows that he/she actually provided a medically necessary service, but the documentation does not sufficiently support the medical necessity of the service or a more complex service. For example, a dentist might extract a wisdom tooth, but not properly document that a more complex extraction was necessary because the tooth was impacted. Documentation deficiencies tend to be repeated if they are not monitored or audited. The end result can be a significant overpayment obligation over time. Although these cases might not amount to intentional fraud, they can still result in significant penalties if not handled appropriately.

In the worst circumstance, the resulting overpayment is not discovered by the provider but is investigated by the government when it is identified by a government audit, by whistleblower complaint, or through statistical analysis of the provider’s claims data. The more favorable set of circumstances occurs when the provider discovers the pattern of mistaken documentation and resulting incorrect billing through self-auditing performed as part of an effective compliance program. Discovering the problem internally permits the provider to correct the situation going forward and repay the overpayment that occurred through past incorrect billing. Self-disclosure never permits the provider to avoid the obligation to repay the overpaid amount. In fact, failing to promptly repay a discovered overpayment can result in very serious penalties or even criminal charges for deliberate fraud.⁷  However, providers will normally not incur serious penalties if they bring the error to the attention of regulators and promptly repay any resulting overpayment. This is where a systematic compliance program comes into play. The compliance program operates to identify the most critical areas of risk to the provider and focuses resources on identifying and preventing regulatory violations in the identified risk areas. Where past infractions are discovered, the compliance program requires prompt identification, repayment, and possible use of the self-disclosure protocols when necessary to mitigate further regulatory exposure.

Compliance program structure

Consistently operated compliance programs are the single best way to minimize potential regulatory risk. A compliance program creates a living and breathing process to continually assess the risks that are present in a specific organization. Large organizations will have broad compliance program coverage to reflect the risk profile of a large and diversified organization. A smaller and more operationally focused organization will have a smaller risk profile, and the scope and depth of compliance coverage will necessarily be more modest. What is important is that each organization focuses on the specific risk that applies to the nature and scope of its operations. Each organization should have a process to identify and rank the most significant areas of risk. Based on a prioritized list of compliance risks, the organization can make decisions about allocation of resources in furtherance of proactive auditing, monitoring, or other processes to determine compliance and to take corrective action where necessary. That is a compliance program in a nutshell.

The seven elements of a compliance program

There are numerous details that should be present to assure compliance effectiveness, many of which should be reflected in policy and in practice. The compliance industry has developed standard compliance program elements and the detailed requirements within each of these requirements.⁸ For the most part, these compliance program elements emanated from the Federal Sentencing Guidelines, which give cooperation credit based on the existence of an effectively operated compliance program.⁹ Seven core elements of compliance can be distilled from the sentencing guidelines. These basic elements have been brought forward into more recent regulations that mandate compliance program operation in certain areas of health care, as well as compliance program guidance documents that have been issued by the Office of Inspector General and the United States Department of Justice over the years.¹⁰ Every compliance program, large or small, should contain each of the following core seven elements of compliance.

1. Compliance officer

A high-ranking member of management must be appointed to act as compliance officer. In a smaller practice, a compliance-responsible individual can be used rather than a full-blown compliance officer. Compliance program structure can be scalable to the size and resources of the provider and the nature and complexity of the business. Larger organizations will require a dedicated compliance officer and even a developed compliance department with a range of compliance support staff. Smaller organizations can get by with a compliance individual who holds other roles within the organization. Be careful about relying too much on concepts of scalability. The central requirement is that the individual who is responsible for compliance has sufficient time and resources to properly conduct the necessary compliance activities at a level that is appropriate for the size and nature of the provider organization.

2. Compliance policies

Compliance policies should be put in place that describe the process to be used to conduct ongoing compliance activities.  Compliance policies will define compliance operations and will also outline requirements in risk areas that are specific to the nature of the practice. Every program should have certain core areas of policy coverage such as establishment of a continually functioning process, definition of the seven key elements, and other areas that are central to the core requirements of compliance. Each organization should also develop specific policies covering areas of identified risk within the organization. For example, an organization that takes government reimbursement will want to have reimbursement policies. There can be general reimbursement policies, but there should also be policies covering the requirements for common areas of billing that take place within the organization. For example, an orthodontic practice that provides medically necessary services to children and receives Medicaid reimbursement should have a specific policy addressing the requirements for receiving reimbursement, including appropriate documentation of medical necessity.

3. Compliance training

Employees, contractors, and others must be trained on basic compliance program elements and risk areas that are applicable to their job functions. Compliance training requirements should be described in training policies. All staff should be required by policy to take core compliance training and periodic refresher training. Staff should also be required to take more detailed or specialized training in areas required by the nature of their position. For example, billing staff will need to undergo more detailed and specific training on the billing process and rules that they are likely to encounter. Health information staff may require more detailed training on HIPAA and patient privacy issues. The bottom line is that each employee should receive the training that they need to assure that they perform their job tasks without running afoul of regulatory requirements.  All training must be adequately documented with employee rosters, coverage material, employee training acknowledgment, and other details. Assume that you will be in the position in the future to have to prove that your employees received the training that they need. You should also be certain to follow up to assure that employees comply with training requirements. Discipline should be issued if necessary to assure compliance.

4. Compliance reporting and nonretaliation

A compliance reporting system and protection of individuals reporting potential compliance issues is a critical element of any compliance program. It is much better to learn about potential problems internally before they ripen into situations that are difficult or expensive to solve. Your compliance program must continually emphasize the importance of reporting potential issues.  Systems should be set up to encourage reporting, protect confidentiality, and assure that those reporting potential issues are protected from retribution. Every employee must know that they are encouraged to report concerns without fear of retaliation. Protection against retaliation must be enforced even if the report turns out to be incorrect, as long as the report is made in good faith.

5. Disciplinary standards

Policies mean very little if employees think that nothing will happen to them if they do not follow them. There needs to be policy coverage that ties compliance requirements to the employee discipline process. The discipline process should be used where appropriate to enforce standards. There cannot be selective enforcement. It should be clear that everyone in the organization — from the newest, lowest level support worker through the most productive licensed provider, owner, and most senior executive — is subject to discipline if they fail to abide by the compliance program.

6. Compliance risk identification

A compliance program must include a system to continually identify areas of potential compliance risk. The areas of most significant risk should be ranked by priority.  Prioritized risk should be integrated into regular compliance work plans. Even if a risk area is not scheduled for auditing, a record should be created to indicate that it was considered, and a reasonable judgment was made that other issues were higher priorities. Although resources must be allocated to compliance in order to make an effective program, the level of available resources will not be infinite. Reasonable choices about relative importance of compliance risk areas are appropriate. Even if a compliance infraction occurs in an area of less critical risk, the documentation of a reasonable risk identification and prioritization process will help reduce the risk of penalties.

7. Systematic investigation and response to detected violations

A compliance program must include a system of appropriately responding to identified compliance problems through creation of appropriate corrective action. Policies should include requirements for investigating and addressing reported compliance issues. Where appropriate, repayment, self-disclosure, and other appropriate corrective action should be mandated by compliance policies. These policies define the standards and requirements to audit against to assure that standard processes are followed when issues are reported. Based on your assessment of adherence to investigation and corrective action standards, enhancements can be identified and implemented through additional policies or revision of current policy.

The “living and breathing” ongoing process of compliance

Perhaps most importantly, a compliance program should create a “living and breathing” process of continual operation of improvement. It is not adequate to adopt a set of compliance policies, put them on the shelf, and watch them collect dust over the years.  In order to mean anything, a compliance program must be effectively operated to detect and address compliance issues.  In order to meet effectiveness requirements, a compliance program must continually operate to identify new risk areas, address these areas in policy, continually assess compliance and operational requirements, identify enhancements, and integrate those enhancements by adopting new or revised standards. The compliance system is cyclical in nature, always assessing itself, always improving, always detecting new risks, and always measuring ongoing performance. If you are able to create this type of “living and breathing” compliance organism, you can be rest assured that you have an effective compliance program.or-patient-relationship.