Compliance Officer… A Strategic Partner?

By Mary R. Daulong, PT, CHC, CHP*
We often look at compliance endeavors and our compliance officers as necessary evils, but what if we regard our compliance program and compliance officer as a strategic partner?
I believe it would be accurate to define this type of arrangement as one that enables two parties to work together sharing resources so that they can achieve common objectives for success. Some common objectives could be:
- Establish and maintain a legal and ethical corporate culture.
- Bolster goodwill and foster a positive reputation within the community or industry.
- Identify risk areas that could compromise the business.
- Establish programs to address areas in need of improvement and risk reduction.
- Mitigate the chance of costly fines and penalties due to adverse or criminal conduct through communication, education, and enforcement.
Having a compliance program can give you the competitive edge when it comes to recruiting top talent, attaining coveted payer network levels, and winning a favorable market share of business in your community. People are attracted to businesses that do what is right because it is the right thing to do.
Let’s put some numbers on the table so you can weigh the risks and rewards of having a compliance program that is specific to your clinic and customized to fit the services you offer as well as the setting in which you work. According to IntelliCentrics, “While the cost of a compliance program is significant, the cost of noncompliance is now estimated to be five times as great.”1
Assuming that most clinics cannot support a full-time compliance officer, I will use a .50 full-time equivalent (FTE) for calculation purposes and an average of all salaries on a per hour basis (9 employees: 4 licensees averaging $45/hour and 5 support and billing personnel averaging $25/hour).
Compliance officer (.50 FTE) $40,000Compliance program (attorney or consultant) development $5,000
Compliance program implementation (est. 30 hours) $1,200
Employee education 4 hours each/year (9 employees) $1,400
Total $47,400
Now that you have a general estimate of what it should cost to get a compliance program up and working, let’s look at what it might cost if you inadvertently committed some of the most common violations that occur in the field.
HIPAA Violations and Penalties
Penalties can include millions of dollars in fines, loss of patients, credit-monitoring costs, lost productivity, civil and criminal investigations, and damage to institutional and professional reputations. In many cases the repercussions from patient data breaches are difficult, if not impossible, to recover from. Please note the various categories and penalty levels per the Office for Civil Rights (OCR).

A physical therapy clinic posted photos of and testimonials from patients on their website without authorization. A complaint made to the OCR in 2012 resulted in a fine of $25,000 in 2016. As part of the settlement the provider was required to develop and implement a corrective action plan and report its compliance status to the OCR.
According to OCR Director Jocelyn Samuels, “The HIPAA Privacy Rule gives individuals important controls over whether and how their protected health information is used and disclosed for marketing purposes. With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing. All covered entities, including physical therapy providers, must ensure that they have adequate policies and procedures to obtain an individual’s authorization for such purposes, including for posting on a website and/or social media pages, and make certain that it is a valid authorization form.”2
Now let’s jump to yet another frequently violated statute.
False Claims Act (FCA) Violations and Penalties
The civil penalties for an FCA violation are:
- Triple the damages (value of the claims)
- Per claim penalty of $11,191 to $22,363 (adjusted annually)
- Potential criminal penalties—federal criminal laws
- Potential administrative penalty—federal program exclusion
Examples:
- Billing with deficient documentation per Centers for Medicare and Medicaid Services (CMS) Benefits Policy Manual, Chapter 15, Sections 220–232
- Billing with disregard of code definition compared to actual intervention
- Billing for services by unlicensed personnel and/or students
- Billing for services provided by non-enrolled therapist(s): Part B Private Practice
- Billing for PTA/OTA services without direct supervision: Part B Private Practice
- Billing with coding deficiencies: 1:1 vs. Group, 8 Minute Rule, Modifiers, etc.
- Billing for services provided without a certified/recertified Plan of Care
- Billing under another provider’s # (Metropolitan Statistical Area/Rural Exception)
- Billing when Conditions of Coverage/Participation are deficient
- Failing to return and report overpayments to the federal government within 60 days
So let’s set the scene…
Medicare requests a copy of 40 charts from a physical therapy clinic. The auditor discovers that the therapist bills Medicare, consistently, for three therapeutic exercises and one therapeutic activity for each date of service audited. The auditor also discovers that documentation only supports two therapeutic exercises and that the billed therapeutic activity should have actually been billed as gait training.
The best possible outcome would be that the clinic only has to refund Medicare one unit of exercise and one unit of therapeutic activities for all dates of service audited (the provider could resubmit claims for gait training if the dates of service fall within the billing time frame limits).
The numbers:
- Using an estimate of 12 dates of service per chart times 40 charts = 480 dates of service
- Calculating two units per 480 dates of service yields 960 units to be refunded
- Using $30 as the average rate per unit times 960 units equals $28,800
The average amount of administrative time to respond to a request for records (e.g., pulling charts, copying charts, tracking Plan of Care certifications, signature attestations, packaging of charts, shipping), conservatively, takes about 40 minutes per chart, which at $25/hour = $1,000. This does not include the time to establish a corrective action plan which will, minimally, require staff education; this also has a price tag of about $1,400 nor does it include attorney or consultant fees.
Another harsh fact to take into consideration is that the FCA requires providers to refund all monies paid by Medicare in error within 60 days of discovery. So this would mean that the clinic must promptly do its due diligence to ascertain if the erroneous billing practice occurred on other claims and make a concerted effort to determine the extent of the problem and refund accordingly. Would you like to calculate those refunds?
So the best scenario results in a cost of about $30,000 for this single episode of improper documentation.
The best of the worst scenarios (i.e., using the minimum fee penalty versus the maximum fee penalty) would be the activation of the False Claims Act penalty:
- Billed $100/visit (CMS allowable $80/visit)
- 1 visit (date of service) per claim
- Billed $38,400 of claims at Medicare’s allowable 80 percent portion
- Billed 480 claims to Medicare
Triple the damages: 3 times $38,400 equals $115,200
Apply the minimum penalty fine of $11,191: $11,191 times 480 claims equals $5,371,680. Yes, that is seven digits.
Add up the totals for damages and minimum penalty fine.
So, the best of the worst scenarios results in a cost of $5,486,880 for improperly billing $38,400 worth of claims. Just imagine if we used the $22,363 penalty for our calculations. My final example of what a good compliance program could avoid is OSHA violations and penalties.
OSHA Violations and Penalties
- The most common violations per OSHA are:
- Failure to train on the Bloodborne Pathogens Standard
- Failure to implement and maintain the Bloodborne Pathogens Standard and the Hazard Communication Plan
- Failure to keep training records
- Failure to keep a Sharps Injury Log
- Failure to provide Safety Data Sheets
- Failure to train on the Hazard Communication Standard
OSHA uses four classifications for penalty administration. The de minimus classification is for technical violations that result in the agency being required to document a minor infraction of the business or entity. However, the following three categories carry significant penalties per violation:
Willful. A willful violation exists under the OSHA Act where an employer has demonstrated either an intentional disregard for the requirements of the Act or a plain indifference to employee safety and health. Penalties range from $5,000 to $70,000 per willful violation. If an employer is convicted of a willful violation of a standard that has resulted in the death of an employee, the offense is punishable by a court-imposed fine or by imprisonment for up to 6 months, or both. A fine of up to $250,000 for an individual, or $500,000 for a corporation, may be imposed for a criminal conviction.
Serious. Section 17(k) of the OSHA Act provides that “a serious violation shall be deemed to exist in a place of employment if there is a substantial probability that death or serious physical harm could result from a condition which exists, or from one or more practices, means, methods, operations, or processes which have been adopted or are in use, in such place of employment unless the employer did not, and could not with the exercise of reasonable diligence, know of the presence of the violation.” OSHA may propose a penalty of up to $7,000 for each violation.
Other-Than-Serious. This type of violation is cited in situations where the accident/incident or illness that would be most likely to result from a hazardous condition would probably not cause death or serious physical harm but would have a direct and immediate relationship to the safety and health of employees. OSHA may impose a penalty of up to $7,000 for each violation. OSHA will also create press releases to “shame” businesses that have violations, letting the public know about their wrongdoing.
How many of the violations described occur in your facility? If you start calculating the penalties as if you were cited, you will probably arrive at the conclusion that investing in a compliance officer and a healthy compliance program is one of the best options for a strategic partner.
References:
1.IntelliCentrics. intellicentrics.com/wp-content/uploads/2018/02/Cost-of-Not-Credentialing.pdf. Accessed February 2019.
2.Office for Civil Rights. Physical therapy provider settles violations that it impermissibly disclosed patient information. 2016. www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/complete-pt/index.html. Accessed February 2019.
Additional References:
United States Department of Health & Human Services, the Office of Attorney General-Compliance Resource Portal: • Fraud Statutes • Exclusion Program
United States Department of Labor: Occupational Safety & Health Administration: • Regulations • Enforcements
United States Department of Health & Human Services: HIPAA for Professionals: • HIPAA Security Rule
Healthcare Compliance Pros. Types of OSHA citations and fines. January 17, 2012.
ProPractice. Most common OSHA violations in healthcare. 2017.
HCCA Clinical Practice Compliance Conference. Security risk assessment for small practices: Tools & Case Studies. Joette Derricks. September 7, 2015.
Brown M. What is the penalty for a HIPAA violation? TrueVault. January 9, 2014.

Mary R. Daulong, PT, CHC, CHP, is a PPS member and is the CEO/President of Business & Clinical Management Services, Inc., a compliance consulting firm. She may be reached at daulongm@bcmscomp.com.
*The author has a vested interest in this subject