
The OIG’s voluntary compliance guidance can help your solo or small group practice prevent fraud and abuse.

Fam Pract Manag. 2001;8(1):41-44

In 1999, the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) estimated that erroneous and fraudulent claims cost Medicare $13.5 billion (7.97 percent of total Medicare fee-for-service benefit payments). Although this was significantly less than the OIG’s 1996 estimate of $23.2 billion, it showed that improper payments are still a major problem for Medicare and provided the government with ample reason to continue its well-publicized fight against fraud.1 Recently the OIG has adopted a new strategy, deputizing you, the physician, to stop the erroneous and fraudulent claims in your practice before they occur.

The OIG has issued final voluntary compliance program guidance that advises solo and small group physician practices how to prevent inaccurate claims. The final guidance came after the OIG sought recommendations and comments from outside sources by publishing a solicitation notice and draft guidance and consulting with the Health Care Financing Administration (HCFA) and the Department of Justice. According to the guidelines, it’s the physician’s duty to reasonably ensure that claims submitted to government health care programs are true and accurate. The government is no longer concentrating solely on detecting wrongdoing after it occurs. These and other compliance guidelines aim to change behavior before any criminal conduct or violation of the law occurs. [A copy of the report, Compliance Program Guidance for Individual and Small Group Physician Practices, is available on the OIG’s Web site at]


  • Erroneous and fraudulent claims cost Medicare $13.5 billion in 1999.

  • The OIG has issued voluntary compliance guidance for solo and small group practices to help prevent inaccurate claims.

  • Solo and small group practices can follow the OIG’s seven-step program to implement a customized compliance program.

Why should you comply?

Physicians are not prosecuted under the False Claims Act for innocent billing errors when submitting claims for payment in government health care programs. In fact, the OIG guidance acknowledges the difference between innocent, “erroneous” claims and reckless or intentional, “fraudulent” claims. Unfortunately, the determination of “erroneous” or “fraudulent” is made by the government, and despite your best efforts to follow the rules, you may still run afoul of the laws governing Medicare, Medicaid or other government health care programs. A compliance program helps demonstrate your practice’s good-faith effort to comply with the laws and is designed to help you identify and prevent erroneous and fraudulent claims, eliminate billing mistakes, reduce the chance of audit and avoid arrangements that might be scrutinized by the government as self-referral or anti-kickback violations.

The penalties for submitting fraudulent claims are significant: criminal prosecution and civil and administrative enforcement that can result in huge monetary penalties and sanctions that exclude the physician from Medicare and Medicaid. However, penalties for violating the law may not be as severe for those with a compliance program in place. Of course, establishing compliance duties and failing to live up to them may serve as evidence of intentional disregard of the law and may therefore enhance penalties.

While the desire to avoid criminal prosecution, civil monetary penalties and administrative sanctions may motivate compliance, it should not be the principal goal. Doing things right, which ultimately results in better patient care, should be the driving force behind a compliance program.

How can you comply?

Although a cottage industry of experts who sell “packaged” compliance plans at exorbitant prices has emerged, there’s no “one-size-fits-all” formula for thwarting criminal wrongdoing or cultivating a culture of compliance within a practice. An off-the-shelf compliance plan that does not adequately address the risk areas for which your particular practice may be vulnerable is of little value. With this in mind, the OIG published a set of guidelines to consider when creating your own compliance program rather than a model compliance plan.

The OIG acknowledges that solo and small group practices may not have sufficient resources to fully implement all of the guidelines and advises physicians in such situations to address each element in the manner that best suits their practices. A compliance program doesn’t have to be perfect, but it must be effective — and each practice has the burden of demonstrating its effectiveness to obtain the benefit of reduced culpability.

Seven steps to compliance

Here are the seven steps the OIG suggests solo and small group practices use to create an effective compliance program as well as practical tips for incorporating each of them.

Develop standards of conduct. The first step to building your compliance program is to determine the types of fraud-and-abuse issues that might arise in your practice. The OIG guidance identifies risk areas that can serve as a starting point for an internal review of potential vulnerabilities. (See “Identifying risk areas” on page 43.) The OIG also suggests reviewing its current work plan and semiannual reports to identify additional risk areas. This information is available on the OIG’s Web site at

Identifying risk areas

You should tailor your compliance program to address your practice’s primary risks and vulnerabilities. As a starting point, the Office of Inspector General (OIG) has developed the following list of potential risk areas — the first four of which most commonly cause problems for practices:

  • Coding and billing,

  • “Reasonable” and “necessary” services,

  • Documentation,

  • Improper inducements, kickbacks and self-referrals,

  • Coverage variations among carriers in local medical review policies,

  • Coverage uncertainties in advanced beneficiary notices,

  • Certification of medical equipment supplies or home care services,

  • Billing for noncovered services to obtain denial determination,

  • Appropriate emergency department care,

  • Proper billing for teaching physicians,

  • “Gainsharing” arrangements,

  • Physician third-party billing,

  • Nonparticipating physician billing limitations,

  • “Professional courtesy” billing,

  • Rental of physician office space to suppliers,

  • Illegal use of Medicare symbols in advertising.

Once you’ve pinpointed your risk areas, identify employee responsibilities and expectations for each area and clearly state them in a code of conduct. The code should set forth your practice’s commitment to compliance, and it should be supported by written policies and procedures that clearly explain how the compliance measures will be incorporated into your practice.

Establish a method of oversight. An elaborate set of rules is impractical if there’s no mechanism for making sure the rules are followed. Since solo and small group practices may not have sufficient resources to appoint a full-time “compliance officer,” the OIG guidance identifies some less expensive alternatives considered to be equally effective.

One alternative is to distribute the oversight responsibilities among several employees designated as “compliance contacts.” For example, this responsibility could be shared between the office manager, who might be responsible for the written standards and procedures, and the primary biller, who might handle the arrangement of audits. Another alternative is to have a third party, such as a consultant or billing company, act as the compliance officer.

If a practice chooses to have one person or one group handle the oversight of the compliance program, the OIG suggests assigning the following duties to that person(s):

  • Monitoring the compliance program implementation,

  • Improving the efficiency and quality of services through auditing and other methods,

  • Periodically revising the compliance program,

  • Coordinating a compliance training program,

  • Checking to see if any of the practice staff are excluded from participation in federal health care programs,

  • Investigating allegations of improper conduct and monitoring corrective action.

No matter which method you choose, it’s critical that all those involved in performing the compliance-officer function be sufficiently independent, free from conflicts of interest and not swayed by their other operational duties.

Conduct staff training. The written compliance standards should be effectively communicated to your staff. This can’t be accomplished through the mere distribution of instructional literature. At a minimum, all employees must be made aware of the basic risk areas. All employees should understand how to properly do their jobs and realize that their compliance is a condition of employment. They must also understand how the compliance program works, their role in ensuring compliance and the consequences for violating the standards of conduct.

Specifically, those employees involved in coding and billing should receive extensive instructions on their responsibilities. The OIG suggests that coding and billing training cover the following: coding requirements, claim development and submission processes, the signing of physician forms without the physician’s authorization, proper billing and documentation of services, and the legal sanctions for fraudulent billing.

The OIG guidance is flexible as to how training of other employees should be conducted. It encourages the use of the most effective educational tools to communicate what is required of employees in the performance of their jobs. All training should be current, continuous, personalized to the needs of each employee and documented in each employee’s personnel file.

Create lines of communication. A compliance program relies on enabling employees to report fraud and other improper conduct without fear of retribution. Because formal, high-tech communication procedures, such as hotlines, may not be practical for solo or small group practices, the OIG guidance suggests using simple and readily available procedures, such as an anonymous “drop box,” to report instances of questionable conduct. In some cases, establishing an “open-door” policy between physicians, compliance personnel and employees may be adequate.

Although confidentiality should be protected as much as possible to encourage the reporting of questionable conduct, employees must understand that their identity and the information they report may need to be disclosed to law enforcement authorities in certain instances.

Perform auditing and monitoring functions. A compliance program should continuously evaluate the standards to which it holds employees accountable. It should also assess whether employees carry out their responsibilities and whether claims for payment are proper and accurate. This should be done at least once a year by reviewing your practice’s policies and procedures to ensure accuracy, timeliness and completeness, and conducting self-audits to determine if claims are accurately coded and services billed are reasonable, necessary and adequately documented. As a guide, the OIG suggests reviewing five or more medical records per federal payer or five to 10 records per physician. [For more information about self-audits, see “Using Peer Review for Self-Audits of Medical Record Documentation,” FPM, April 2000, page 28.]

Enforce standards and apply discipline. Enforcement of standards and disciplinary actions are the “teeth” of a compliance program. Your practice should use consistent and appropriate sanctions and, at the same time, be sufficiently flexible to account for mitigating or aggravating circumstances. Employees who fail to detect or report violations should also be subject to disciplinary action. The range of disciplinary actions taken may include warnings, reprimands, probation, demotion, temporary suspension, discharge, restitution and referral for criminal or civil prosecution. All disciplinary actions should be well documented.

Respond appropriately to detected offenses. According to the Healthcare Disclosure Statute, a provider can be prosecuted for his or her failure to disclose a known overpayment to the Medicare carrier even if the payment was not fraudulently obtained. Overpayments or errors that are not believed to be fraudulent should be reported directly to the entity responsible for handling those claims. However, fraudulent claims that have occurred in a provider’s own organization can be disclosed to the OIG through its Provider Self-Disclosure Protocol. Instructions on how to submit a voluntary disclosure under this protocol can be downloaded from the OIG’s Web site at The OIG points out that providers may want to consult an attorney prior to disclosing information.

Although voluntarily disclosing fraud and abuse does not preclude prosecution, the OIG considers the act of doing so a “mitigating factor in [its] recommendations to prosecuting agencies.” Expect closer scrutiny by the government if you refund a large overpayment. A May 2000 program memorandum from HHS to intermediaries and carriers indicated that any repayment equal to or greater than 20 percent of a practice’s total annual Medicare payments would prompt further inquiry.

Your compliance program should require that detected misconduct be corrected promptly. Although the final OIG guidance didn’t specify a timeframe, the draft guidance suggested that misconduct be corrected within 90 days of detection, so you may want to think of that as a guideline. And your program should also provide for an internal investigation of all reported violations. When problems are detected, determine whether a flaw in the compliance program failed to anticipate the problem or whether the program’s self-policing procedures failed to prevent the violation. In addition to the repaying of money wrongfully received, the range of corrective action may also include entering into a corrective-action plan, voluntarily disclosing an incident to the OIG or referring employee wrongdoing to law enforcement authorities.

The benefits of compliance

Although the compliance guidance is not mandatory, any physician would be well advised to consider the OIG’s suggestions. A well-designed compliance program will not only help you carry out your duty to submit proper claims and prevent fraud, it will also result in a better-run practice and higher quality care for your patients.

© 2001 Mark S. Kennedy. Adapted with permission.


Copyright © 2001 by the American Academy of Family Physicians.
