Compliance Program Development and Implementation

Medicare and Medicaid are required by law to have an effective Compliance Program in place. An effective Compliance Program is a living, breathing document.  In order to be effective, it must become an integral part of your organization.  It cannot simply lay dormant until an auditor shows up or a violation occurs. Rather, through the active application of the plan’s policies and procedures on a daily basis, active compliance can be achieved. This will streamline your organization’s business operations, reduce the likelihood of statutory violations, help to mitigate any damages resulting from a breach, and serve as evidence that your organization is doing its best to fully comply with applicable rules and regulations. When compliance begins to be a part of the daily culture of your organization, you will achieve the maximum results and rewards.  Should you choose to retain Liles Parker to assist with your compliance needs, we will likely proceed in the fashion outlined below.

I.   Overview of the Compliance Program Development Process:

Liles Parker attorneys have the necessary background and experience to assist health care providers with the development and implementation of an effective Compliance Plan and their overall Compliance Program.

Although many of our attorneys have extensive experience assisting large provider organizations with their regulatory compliance needs, our primary focus includes individual physicians (both MDs and DOs), dentists, small to mid-sized physician group practices, home health agencies, skilled nursing facilities, durable medical equipment suppliers, ambulance providers, physical therapists, pain management clinics and behavioral health groups.  Our attorneys have worked on a wide variety of internal audits, investigations, compliance and regulatory matters and cases. Additionally, we have represented providers in connection with outside reviews and investigations conducted by law enforcement, government contractors and private payors.  Several examples of the specific projects we have completed include:

  • (a) Handling the initial development, monitoring and subsequent revision of an effective, practice-specific Compliance Plan.
  • (b) Conducting a “Gap Analysis” of an organization’s business and operational activities, operational practices, documentation practices, coding and billing functions. 
  • (c) Performing internal audits and assessments of business practices to better ensure statutory and regulatory compliance.
  • (d) Serving as outside Compliance Counsel, providing regular compliance guidance to Compliance Officers and Compliance Contacts working in a practice, clinic or organization.
  • (e) Providing guidance to entities regarding human resource issues, employee privacy, protection of company information, conflicts of interests and self-dealing.
  • (f) Providing guidance to entities regarding the self-disclosure of certain conduct to governmental agencies.

Over the last decade, Compliance Plans have become an essential part of the way health care providers conduct business. Compliance programs aimed at reducing, preventing and deterring fraudulent and improper conduct are at the forefront of the health care industry’s goals. These programs can also benefit small to mid-sized provider organizations by helping them avoid costly litigation and by streamlining their business operations. While the Federal government presents basic procedural and structural guidance for Compliance Programs, the Department of Health and Human Services, Office of Inspector General’s (OIG’s) guidelines do not represent an all-inclusive set of steps which can be readily adopted by all providers. Providers are expected to know and adhere to There is no ‘‘one size fits all’’ compliance program, especially when it comes to small and mid-sized provider entities.

II.   Components / Elements of an Effective Compliance Program:

Regardless of the nature of the organization, it is generally recognized that there are seven main components which must be addressed when assembling an effective Compliance Plan.  Once an organization’s seven components have been properly assessed, a tailored version of these issues can be assembled into a draft Compliance Plan.  An organization’s “Mission Statement” and “Honor Code” are often folded into the draft Compliance Plan.  Any previously drafted written policies and procedures utilized by an office will likely need to be reviewed to ensure that the directives outlined are fully consistent with the newly assembled Compliance Plan.  An office’s safety manual, including materials mandated by the Occupational Safety and Health Administration (OSHA), will also be reviewed to help ensure that the information contained therein is both complete and accurate.  Collectively, these documents, reference manuals and other materials (including the organization’s Compliance Plan), along with a provider’s in-house training program, constitute an office’s overall "Compliance Program."

III.   Benefits of an Effective Compliance Program:

Virtually all health care providers can realize tangible, lasting benefits by implementing an effective Compliance Program.  These benefits include, but are not limited to:

(1) Proactive approach.  Your organization’s adherence to the provisions of an effective Compliance Plan is a proactive way to make sure that your company is meeting all of its statutory and regulatory obligations.

(2) Evidence of a good faith effort to follow the rules.  The existence of, and adherence to, an effective Compliance Plan serves as evidence of a good faith effort to comply with applicable laws and regulations.

(3) Sentencing guidelines.  Should the government ultimately choose to pursue criminal charges against you or your organization, your use of an effective Compliance Plan will be favorably credited under the points system set out under the Federal Sentencing Guidelines.

When evaluating a practice and developing an appropriate Compliance Program, we are sometimes asked -- "Is there a downside to having a Compliance Plan in place?"  To be clear, the establishment of a Compliance Plan invariably puts a provider on “notice” of what the rules actually entail. As a result, a provider’s failure to adhere to the plan’s provisions and / or a provider’s lack of follow-through on an issue can subject a provider to liability.  As we regularly advise providers, the only thing worse than not having an effective Compliance Plan in place is having a Plan and not following its provisions. In such a situation, the risk areas identified in your Plan will essentially serve as a “roadmap” of possible statutory breaches to be examined by OIG investigators, FBI agents, Federal and State prosecutors.   Therefore, it is imperative that your organization comply with and diligently follow through on all aspects of your Compliance Plan.   As OIG has noted, an effective Compliance Program can:

  • (a) Speed and optimize the proper payment of claims.
  • (b) Minimize billing mistakes.
  • (c) Reduce the chances that an audit will be conducted by CMS, its contractors or the OIG.
  • (d) Avoid conflicts with the Stark laws (which prohibit improper self-referrals) and the Federal Anti-Kickback statute.

IV.   The Anticipated Impact on Patient Care:

The incorporation of compliance measures into a health care organization’s everyday business practices will likely augment, rather than adversely impact, patient care. Regardless of the nature of your provider organization, “quality patient care” likely remains at the top of your list of goals to be achieved.  Overall, our clients have generally found that their organization’s focus on patient care has been enhanced by the development, implementation and adherence to the provisions set out in an organization’s Compliance Program. For example, the quality and completeness of documentation included in your patients’ medical records often significantly improves as clinicians refamiliarize themselves with the rules required by Medicare and its contractors.  Additionally, an effective Compliance Program may also reduce the likelihood that erroneous or fraudulent claims are being submitted to the government for payment. Finally, your commitment to the rules and your diligence in following-through on any changes needed will serve to highlight the fact that your organization is making good faith efforts to comply with the law.  Your documentation of these remedial efforts will likely prove beneficial if the organization is subjected to a government audit or investigation.

Just how "effective" will a Compliance Plan be in terms of its ability to prevent regulatory / statutory lapses by a provider?  No one is perfect, despite their best efforts at complying with applicable rules and regulations.  Unfortunately, not even the best Compliance Plans are 100% effective in keeping a provider on track.  Rather than think of a Compliance Program as a panacea, it would be more accurate to think of an effective Compliance Program as analogous with a “flu shot.”  As such, it is preventative in nature. When you take a flu shot, there is still a possibility that you will come down with the flu.  Nevertheless, even if you do contract the flu, it will hopefully be less serious than it might otherwise have been.  Compliance Plans can help in preventing possible future problems from ever occurring, if they are developed, implemented and actively embraced by the organization and its staff.  The adoption of such a program also lets employees know that the organization does not tolerate fraud, waste or abuse, and requires every employee to take steps to ensure their business conduct is proper.

V.    The Performance of a GAP Analysis:

"GAP analyses" are routinely used in practically every industry to assist Compliance Officers and others in identifying corrective actions that need to be taken in order to bring an entity to an acceptable baseline of compliant operations.  While there are various ways to conduct a gap analysis of a provider’s business practices, documentation, coding and billing activities, we recommend that the analysis be conducted by qualified health lawyers and claims analysts.  While many portions of a gap analysis may be conducted by the affected provider, it has been our experience that many small and mid-sized providers do not have the time and / or trained staff to properly complete such a review.   Once a baseline assessment of an organization’s operations and business activities is completed, the next step would be for our claims review staff to work through each area and determine whether the activities fully comply with applicable regulatory, legal and ethical requirements.  As you will find, the process of performing a gap analysis can serve as an excellent measurement tool for determining the extent to which a provider’s actions fully track applicable documentation requirements, medical necessity guidelines, and coding and billing mandates identified by the Centers for Medicare and Medicaid Services (CMS) and its contractors (typically in the form of Local Coverage Determination (LCD) provisions).  Once the various legal, statutory and regulatory “measuring sticks” applicable to the services provided are examined, your current practices may be appropriately assessed. It is essential that any deficiencies identified are remedied and any overpayments noted are promptly returned within 60 days of identification and reconciliation.

VI.   Seven Elements to Include in any Compliance Program, Regardless of the Size of the Provider Organization:

Since 1998, HHS-OIG has diligently worked to analyze the different, and often unique, business models of various health care provider practices, groups and organizations, ranging from third-party billing companies to ambulance suppliers.  Since initiating these reviews, HHS-OIG has published “Compliance Program Guidance” covering the following provider types:

  • (a) “OIG Compliance Program Guidance for Clinical Laboratories”  (Published in the Federal Register, 1998)
  • (b) “OIG Compliance Program Guidance for Home Health Agencies”  (Published in the Federal Register, 1998)
  • (c) “OIG Compliance Program Guidance for Hospitals”  (Published in the Federal Register, 1998)
  • (d) “OIG Compliance Program Guidance for Third-Party Medical Billing Companies”  (Published in the Federal Register, 1998)
  • (e) “OIG Compliance Program Guidance for Hospices”  (Published in the Federal Register, 1999)
  • (f) “OIG Compliance Program Guidance for Durable Medical Equipment, Prosthetics, Orthotics” (Published in the Federal Register, 1999)
  • (g) “OIG Compliance Program Guidance for Small Group Physician Practices”  (Published in the Federal Register, 2000)
  • (h) “OIG Compliance Program Guidance for Nursing Facilities”  (Published in the Federal Register, 2000)
  • (i) “OIG Compliance Program Guidance for Ambulance Suppliers” (Published in the Federal Register, 2003)
  • (j) “OIG Compliance Program Guidance for Pharmaceutical Manufacturers”  (Published in the Federal Register, 2003)
  • (k) “OIG Supplemental Compliance Program Guidance for Hospitals”  (Published in the Federal Register, 2005)
  • (l) “OIG Compliance Program Guidance for Nursing Facilities”  (Published in the Federal Register, 2008)

Copies of these guides can be found on OIG's website. These guides serve as an invaluable resource for providers when assembling an effective Compliance Program and identifying general operational, coverage, coding and billing “risks” which must be assessed.  Nevertheless, OIG expects providers to supplement these provisions with provider-specific risks identified during the gap analysis initially conducted.  To be clear, “one size does not fit all.” Working closely with our clients, we will work to identify and address each of the general and provider-specific risks currently faced by a provider.

In January of 2017, a roundtable discussion that included Department of Health and Human Services, Office of Inspector General personnel and focused specifically on evaluating compliance programs resulted in the publication of “Measuring Compliance Program Utilization – A Resource Guide.”  The guide, which is 52 pages in length, provides a checklist of questions broken down into seven standards based on the standard seven elements of an effective compliance program and further broken down into various subcategories under each element.

The principal goals of the January 2017 round table discussion were to identify markers or characteristics of effective compliance programs and to try and create ways of measuring their effectiveness. Among other things, this resulted in changes to the original “7 Elements” of compliance.  For example, “Screening and the Evaluation of Employees and Physicians” became an element unto itself. The updated list of elements is set out below:

  • 1. Standards, Policies, and Procedures.
  • 2. Compliance Program Administration.
  • 3. Screening and Evaluation of Employees, Physicians, Vendors and other Agents.
  • 4. Communication, Education, and Training on Compliance Issues.
  • 5. Monitoring, Auditing, and Internal Reporting Systems.
  • 6. Discipline for Non-Compliance.
  • 7. Investigations and Remedial Measures.

Importantly, as we assess your organization and work to develop and implement an effective Compliance Program, we will diligently work to address each and every aspect of these seven components.  Over the years, we have found that a tailored version of each of these seven elements can be crafted and individualized to address the unique risks presented.  When crafting an individualized Compliance Program for your practice or organization, we will adjust the plan, taking into consideration the size (both in terms of the number of staff, the number of locations and the breadth of health care related services provided).  An organization’s resources, the nature of care provided, the general risks, and an organization’s provider-specific “risks” must be carefully considered when drafting a provider’s Compliance Program.  These steps must also be taken when updating an existing Compliance Program.  The OIG has readily recognized the concept of “scalability” when creating, modifying and / or applying a plan.  While the government does not expect smaller providers to develop and adhere to highly complex, resource-heavy plans, they are expected to incorporate basic versions of each of the seven components in a way which effectively applies a scaled-down version of these concepts, reflective of the fact that staffing, space and financial resources are likely limited.  In a small to mid-sized group practice, the Compliance Officer is typically required to assume a number of other duties and responsibilities.  In contrast, larger organizations may be significantly more complex, thereby requiring that the organization develop and adopt a more comprehensive set of compliance provisions and safeguards.

VII.   Steps for Implementing an Effective Compliance Program:

Step One: Implementing Written Policies, Procedures and Standards of Conduct.

The development of written policies, procedures and standards that are tailored to your organization is arguably the most important element of an effective compliance plan.  Implementation and enforcement of a standardized set of policies and procedures will establish firm internal control on risk areas that may otherwise result in fraud or billing errors if left unaddressed.

A compliance plan with written policies and procedures is helpful for the operation of any organization, regardless of size, type or capability.  The notion of scalability comes into play again, offering larger providers a more comprehensive set of policies and procedures and small providers just those policies needed to address likely problem areas. There are several standard steps to developing policies and procedures, including:

  • (a) Developing a written policies and procedures manual;
  • (b) Updating all medical and clinical forms used by the organization to ensure that they facilitate clear and appropriate documentation of services provided by the provider;
  • (c) Identifying relevant clinical protocols, pathways and treatment guidelines used by the provider.

Health care providers and suppliers can create a resource manual from “open-source” or public and governmental information regarding relevant statutes, regulations and medical guidance (much of this information is contained in the exhibits to this manual).  This is a cost-effective approach to developing your facility’s policies.  For example, a provider can assemble a manual that contains written policies and procedures, important statutory information (such as Stark laws), CMS directives and guidance, Medicare contractor coverage guidance (LCDs) and relevant OIG information (e.g., Special Fraud Alerts, Advisory Opinions).  Any manuals created should be consistently updated and available to all employees in an easily accessible location.

During their training and orientation, new employees should be educated on the provider’s policies and procedures and made aware of their duties, obligations and responsibilities to comply with them.  Employees should be informed of changes, modifications or additions to the provider’s policies and procedures as soon as possible after implementation, in order to keep them apprised of changes and to keep office operations running smoothly.

Your organization’s policies and procedures should include guidance covering the proper storage and retention of medical, business and compliance records.  Medical record retention is especially important due to both actual health care needs and possible audits and investigations for which this documentation will support the provider’s billing.  For business and compliance purposes, such as financial statements or employee training dates, you may want to keep a binder of the relevant information for easy access.  The compliance documents you may want to retain include records related to educational activities, internal investigations and internal audit results.  However, you need to weigh risk versus reward.  On the one hand, OIG recommends keeping all of these documents to demonstrate proper compliance activities and efforts should your entity ever be questioned on compliance.  On the other hand, should there be negative findings from your internal investigations without prompt and appropriate corrective action (e.g., terminations or major changes in vendor relations), these records may serve as a roadmap for government investigations.  These possibilities must be weighed based on your facility’s compliance needs and results.

Your policies and procedures should provide for a records retention system and associated protocols.  This includes establishing guidelines on creation, distribution, storage and destruction of records (particularly medical records).  It is important that you pay particular attention to HIPAA’s privacy and security requirements when establishing these protocols.

You should also document your entity’s efforts to comply with applicable federal health care program requirements.  For instance, if your office requests guidance from your Medicare Administrative Contractor (MAC) on the issue of records retention, you should keep all records related to your request and any written or verbal responses from the MAC, or a record that no response was given. Should the MAC respond with additional guidance or clarification, you should document how your office is modifying its approach to the provision of services and when those changes go into effect.  This is important if your organization intends to rely on these responses for future decision-making or billing purposes.

CMS has issued guidance regarding the retention of medical records stating that providers are required to retain documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.  However, there have been instances in which CMS has requested medical records dating back ten years from the date of creation or when it was last in effect.  Providers should make sure that medical records are accurately written, promptly completed, readily accessible, properly filed and retained.

In short, it is in the provider’s best interest to have procedures in place related to document retention.  The following record retention guidelines may be helpful:

  • (a) Policies should outline the amount of time each type of record should be retained (federal and state statutes should be consulted for specific time frames, if applicable – they generally provide for six years or six years from the date of majority for minors);
  • (b) Medical records (if in the possession of the provider) should be secured against loss, destruction, unauthorized access or reproduction, corruption or damage;
  • (c) Policies and procedures should indicate the proper disposition of records should the entity be closed or sold; and
  • (d) Using a system of author identification and record maintenance that ensures integrity of the authentication is a good practice as it protects the security of all record entries.

Step Two:  Compliance Program Administration.

Before completing any audits or identifying risk areas, one member of the staff should be responsible for compliance-related activities, including developing a corrective action plan and enforcing adherence as necessary. This person is known as the Compliance Officer, regardless of other clinical or ministerial duties they may also have.  In a typical institutional provider’s compliance program, there is a full-time Compliance Officer responsible for overseeing the implementation, establishment and enforcement of the compliance program.  However, in a smaller organization, resources may be constrained so that an Office Manager or other employee may also be in charge of compliance functions.  In smaller organizations, compliance responsibilities are often coupled with those of Privacy Officer and/or Security Officer.  Regardless of how you choose to apportion these duties, you should ensure that the following duties are assigned:

  • (a) Overseeing and monitoring the implementation of the compliance program;
  • (b) Establishing methods, such as audits, to improve the practice’s efficiency and quality and to reduce the practice’s vulnerability and exposure to fraud, waste and abuse;
  • (c) Periodically revising the compliance program after reviewing changes or additions to law, needs of the practice and requirements of federal and private payors;
  • (d) Developing, coordinating and leading a training program focused on the mission and objectives of the practice and ensuring that training materials are appropriate and readily available;
  • (e) Screening new and existing employees and independent contractors against federal exclusion databases to ensure they are authorized to participate in activities involving federal health care programs;
  • (f) Investigating reports and allegations regarding possible unethical or inappropriate business practices; and
  • (g) Monitoring subsequent corrective action and/or compliance.

As Compliance Officer, you will be responsible for monitoring your organization’s ongoing business practices to determine whether preventative measures must be implemented to address risks that have been identified.

Step Three:  Screening and Evaluation of Employees, Physicians, Vendors and other Agents

Your employees and the entities you work with are your organization’s most important resource. However, they also represent your organization’s greatest costs and are the direct source of your organization’s greatest risks. Thus, the proper screening and evaluation of the people who work for, or with, your organization and of the entities that your organization works with is a critical building block of any compliance plan.

The chart below demonstrates this point.  It identifies the major risk areas a compliance officer must contend with and, as can be seen, virtually every risk is directly connected to an employee, physician, agent or vendor.[1]

| Major Risk Areas | Principal Risks Within the Risk Area |
| --- | --- |
|  | OIG, Corporate Integrity Programs, Stark, AKS, NPDB, Compliance mandates, EMTALA, Hazardous Waste Disposal, Fraud and Abuse |
| Patient Safety | Infection control, Clinical competency, Safety events, Medication errors, Culture, Elopement, Failure to follow physician orders |
|  | Credentialing, Staffing, Failure to follow chain of command, failure to implement policies and procedures, Adverse event management |
| Human Capital (Human Relations) | Selection, Retention, Turnover, Absenteeism, Productivity, Compensation, Sexual Harassment, Disruptive behavior, Diversity, Staffing, Ergonomics, Hiring practices |
|  | EHR/EMR, Security, HIPAA Privacy, Bar Coding, Robotics, Simulation, Tele-health, Patient portals |
|  | Facility management, plant age, security of access, patient valuables, emergency management failures (flood, fire, earthquakes, etc.) |
|  | Billing and collections, AR; MSP Statutes; Fraud and Abuse, Credit and Interest rate fluctuations, Cash on Hand, Bundled Payments, Risk Financing, Partner relationships, Conflicts of Interest |

The obligation to evaluate and screen starts with the hiring process. While that process will vary depending upon the position, it is recommended that a formal checklist be established to avoid concerns about consistency and fairness.  The list may include public and private information such as reference checks, criminal background checks, credit reports, financial records and verification of work history.  The availability of information (such as criminal information) will vary from State to State, and it should be remembered that third party background checks must comply with the Fair Credit Reporting Act.

While there are often pressures to fill positions quickly, the evaluation process is most productively approached as an opportunity to further build and retain a committed and talented work force.  In addition to determining whether an applicant meets the minimum qualifications for a position, the evaluation process should seek to consider whether the applicant might be a long-term asset and add value to the organization. In other words, the evaluation process should be structured to determine not only whether an applicant can be hired, but also whether the organization wants to hire the applicant.

However, evaluating prospective employees can often be tricky.  The hiring process should consider that employment applications are often “fudged” and often contain outright falsehoods.  Indeed, it has been estimated that 50% of all applications contain false information and there are several companies that provide fictitious resumes complete with fake references who will answer your call and respond appropriately. 

Screening for Exclusions, Licensing Issues and Other Misadventures

While the evaluation process is susceptible to interpretation and some trickery, screening is not.  A person is either on the Office of Inspector General’s List of Excluded Individuals and Entities (LEIE) or he isn’t; a doctor either has a license or he doesn’t; and it is the responsibility of the compliance officer to:

  • (a) Monitor government sanction lists for excluded individuals/entities;
  • (b) Verify background/sanction checks are conducted in accordance with applicable rules and laws (e.g., employment, promotions, credentialing);
  • (c) Verify due diligence is conducted on third parties (e.g., consultants, vendors, acquisitions);
  • (d) Assure compliance with position specific qualifications;
  • (e) Assure compliance-sensitive exit interviews occur and that corrective action is based on background/sanction check findings.

The Resource Guide emphasizes the importance of monitoring government exclusion lists for excluded individuals/entities for good reason.  Indeed, except for the permanent revocation of one’s professional license, there is perhaps no administrative sanction that may be taken against a health care provider that is more serious than an exclusion action. Almost all exclusions are imposed as a result of convictions or licensing disciplinary actions connected to fraud, patient abuse or neglect, or the sale or abuse of drugs – or a combination of these factors. Further, regardless of “why” an OIG Exclusion is imposed, persons or entities excluded from Federal Health Care Programs are deemed as a matter of administrative law to “pose unacceptable risks to patient safety and/or to the financial integrity of government programs.”  As a result, the OIG requires that exclusion screening be performed upon hire and monthly thereafter.

Federal health care programs will not pay for any items or services furnished or provided, directly or indirectly, by an excluded individual or entity. This broad “payment prohibition,” which can extend even to volunteers, renders anyone who is excluded “radioactive” when it comes to health care. Any claim connected to an excluded person is a potential overpayment; employing or contracting with an excluded person can result in the imposition of civil money penalties; and there have even been False Claims Act cases brought against providers that have used excluded persons. The OIG signaled that enforcement of exclusion violations was going to be an agency priority in 2013 when it issued its “Updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs” and revised the “Self-Disclosure Protocol.” Since that time, it has created a special unit tasked with exclusion enforcement as a priority and sought to expand its exclusion authority on several occasions.

Exclusion issues also extend to State health care programs. Medicaid Programs also have exclusion authority and do not pay for services furnished by excluded individuals and entities.  In addition, all States impose some form of exclusion screening requirements, which often are more onerous than those of the Federal OIG.

Screening also extends to ensuring compliance with professional licensing requirements (for physicians, other direct billers, nurses and so on) and position or service specific licenses or certifications.  While physician and direct biller licensure is checked as part of the credentialing process, it is insufficient to only check these licenses as required by re-credentialing, and some process for regular screening should be put in place. In addition, attention should be paid to licensing or certification requirements that are position or service specific – for example, an ultrasound or sonogram performed by an individual whose certification is not up to date may not be payable. Similarly, the person performing CT or magnetic resonance imaging must have certain credentials that are up to date for those services to be payable.

Step Four:  Communication, Education and Training on Compliance.

Education and training are critical to the success of a compliance program.  Without the provider’s employees understanding how and why to comply with the established program, many compliance goals will go unrealized.  Your training program should be tailored to the size, needs and specialty of the organization.  There are three basic steps for setting up a training regimen:

  • (a) Determining who needs training and in what areas (e.g., coding and billing or documentation requirements);
  • (b) Determining the best types of training for the organization’s needs (e.g., seminars, in-service training or other programs); and
  • (c) Determining when and how often training is needed and how much training each employee should receive.

Training may be accomplished through several methods, including training sessions (such as on-site training, compliance meetings or outside seminars), distribution of guidance and newsletters or a centrally placed bulletin board.  Regardless of the training method used, a provider should make sure that appropriate education is effectively communicated and that employees understand their role in health care compliance.

1.  Compliance Training.

Compliance training should be administered both upon an employee’s initial association with an organization and periodically for employees already employed.  This training should involve the provider’s compliance plan, its policies and procedures and the underlying statutory and regulatory requirements.  You may want to include:

  • (a) The importance of the compliance program and how it operates;
  • (b) The consequences, both for the organization and employee, of violating the policies and procedures set forth in the program; and
  • (c) The role of each employee in the proper functioning of the compliance program.

Compliance training will let each employee know that compliance is a condition of their continued employment.  It will also train each employee on how to perform their designated jobs and duties in accordance with program requirements and the underlying law.  The training should emphasize that violating the compliance program may subject the employee to disciplinary measures, up to and including termination.  New employees should be trained as soon as possible after their starting date.  All employees should receive training at least on an annual basis (and more often if necessary).

2.   Coding and Billing Training.

Coding and billing training may also be necessary if your staff includes medical coders and billers.  In many instances, a billing provider may conduct his or her coding independently and as such, should be trained on proper coding levels and other guidance.  If the provider employs coders or billers, they too should be trained on proper procedure.  Additionally, if your organization uses a third-party billing company, be sure to ask whether they conduct training on billing and coding issues.  It is in the provider’s best interest to ensure that employees or business associates who are directly involved with billing receive extensive training specific to the organization’s specialty and risk areas.  Examples of items that could be covered in coding and billing training include:

  • (a) Coding requirements;
  • (b) Claim development and submission processes;
  • (c) Signing a form for a billing provider without the provider’s authorization;
  • (d) Proper documentation of services rendered;
  • (e) Proper billing policies and procedures and submission of accurate bills for all services or items rendered; and
  • (f) The legal sanctions for submitting deliberately false claims or recklessly billing.

3.   Format of the Training Program.

Training may be conducted either in-house or by a third party, such as a consultant or attorney.  Instead of utilizing internal programs and in-service sessions, outside seminars may be useful for training purposes.  Consider asking your MAC for training (they may provide specialty-wide training programs through local associations).

If the provider uses a third-party billing company, you should ensure that documentation is complete so that claims submitted on the organization’s behalf accurately reflect the services provided.  If not, these areas should be covered in training.  In addition to training, you should purchase and maintain current reference sources for your coders and billers, including CPT, ICD-10 and Healthcare Procedure Coding System (HCPCS) code books (in addition to MAC interpretations of those manuals) and make them available to all employees involved in billing.  Moreover, you may put billing/coding and compliance training together.  All seminars or in-service training sessions may integrate core provider values, such as mission statements, compliance protocols and goals, into their curriculum.

4.   Continuing Education on Compliance Issues.

At a minimum, employees should be trained annually on billing/coding compliance guidance.  However, there is no formula for determining how often to conduct training.  This should be based on the provider’s practical experience and overall employee compliance with policies and procedures.  Should you find that violations are occurring, more frequent training should be conducted.

Step Five: Monitoring, Auditing and Internal Reporting Systems.

A successful compliance initiative must include an ongoing evaluation process.  A Compliance Officer must critically examine an organization’s practices on an ongoing basis.  The evaluation process should be two-pronged: not only should the provider’s policies and procedures be evaluated to ensure accuracy and relevance, but the actual practices derived from those policies and procedures must also be considered.  Are employees properly carrying out their compliance duties and responsibilities?  Through an internal audit, a provider may ascertain what problem areas exist and focus its compliance efforts on those areas.

As an initial step, you will need to conduct a review of the various statutes, regulations, guidelines and contractual provisions associated with the care and treatment services being provided.  With an overview of these applicable statutory and regulatory provisions completed, you will be better equipped to conduct a baseline assessment of a practice’s or company’s coding, billing, operations and business practices.  Next, you will assess the care and treatment services being provided and determine whether the activities fully comply with applicable legal and ethical requirements.  To the extent that your practices do not fully comply with applicable legal, regulatory or contractual requirements, steps will need to be taken to bring an organization’s practices into compliance.  This procedure is known as a “gap” analysis.  The gap analysis process is described in greater detail later in this course.

Once a gap analysis is completed and a baseline is established, an organization will still need to perform periodic follow-up audits, at least annually, to assist the organization in remaining compliant.  Optimally, the organization should select and review a randomly selected number of medical records to ensure compliance without imposing an overwhelming administrative burden.[1]  Although there is no set formula dictating how many medical records should be reviewed, a basic guide is five or more medical records per federal payor (i.e., Medicare, Medicaid) or five to ten medical records per physician or other billing provider.  Most provider organizations receive reimbursement from a number of different payors, so a provider must ensure that its auditing and monitoring processes review claims from each applicable federal payor.  Of course, the larger the sample size, the more confident the provider can be in the accuracy of the results.

Importantly, if significant problems are identified either through an organization’s initial gap analysis or during a subsequent follow-up audit, a Compliance Officer will need to determine whether a more focused review of the problem areas will be needed.  The specific actions taken would depend on the circumstances presented.  In the case of most deficiencies, the only response necessary would be to return any identified overpayments back to their proper payor.  When faced with a complex coding or billing problem, an organization may need to bring in an expert for guidance on the appropriate steps to take.  While it is a good idea to develop a system for responding to identified deficiencies, you should keep in mind that no single solution will be applicable to every problem that may arise.  As Compliance Officer, you will need to rely on your training, skills, common sense and good judgment to determine the proper steps to take.

Through the auditing and monitoring process, providers can more readily identify vulnerable risk areas that need to be addressed.  “General” risks are those faced by all health care organizations.  An example of this type of risk would include HIPAA privacy concerns.  General risks also include problem areas typically encountered by other providers and suppliers working within a specific specialty area.  We will discuss general risks in more detail later in the course.  Four common general risk areas faced by health care providers include:

  • (a) Coding, billing and claims submission;
  • (b) Reasonable and medically necessary services;
  • (c) Documentation; and
  • (d) Improper inducements, kickbacks and self-referrals.

In contrast, “specific” risks are those unique areas of regulatory or operational concern that your particular organization faces.  It is imperative that every health care provider carefully review their practices to identify organization-specific risks so that preventative measures can be put into place to avoid potential regulatory violations.  As with general risks, we will be discussing organization-specific risks in more detail later in the course.

All health care providers must diligently work to maintain open lines of communication with members of their staff, their patients and other parties with whom they interact.  This will help prevent communication mix-ups and may help explain how mistakes occurred in the first place.  Because each employee is involved, at least to some degree, in a successful compliance program, communication about the goals, requirements and expectations of a plan is necessary.  Communication may be maintained through several mediums, including e-mail messages, bulletin board postings, daily or weekly staff meetings and educational sessions.  Moreover, an “open door” policy for the Compliance Officer and an anonymous tip line may foster greater communication, even regarding negative occurrences.

The open-door policy should be enacted among billing providers, compliance personnel and employees.  This policy can be implemented together with informal techniques, including notices, notes and informal verbal guidance.  A system for meaningful and open communication requires:

  • (a) Employees to report conduct that a reasonable person would, in good faith, believe is erroneous or fraudulent;
  • (b) The development of procedures to promptly process reports of erroneous or fraudulent conduct;
  • (c) If a third-party billing company is used, communication between your organization and the Compliance Officer or contact at the billing company. Communication may include any possible concerns, teamwork on internal audits, training needs or modifications, changes to applicable law and other operational or compliance matters;
  • (d) The utilization of anonymous reporting methods, such as hotlines or suggestion boxes, which allow employees to report on suspected improper activity; and
  • (e) Provisions in your policies and procedures that the organization will not utilize any retribution against employees who in good faith report suspected erroneous or fraudulent activities.

Hotlines with anonymous reporting mechanisms make an important contribution to this element. When their use is openly encouraged, hotlines can assist in the early detection of problems – and it has been demonstrated that the earlier an issue is detected, the less costly fixing the problem will be.  However, all employees should know who to contact in compliance matters and should be able to report compliance issues without fear of retribution.  While your organization should strive to protect the anonymity of a reporting employee, you also need to stress that there may be a point where it is impossible to protect the employee’s identity any further.

Step Six: Enforcing Standards Through Well-Publicized Disciplinary Guidelines.

Finally, employees must understand the consequences of failing to adhere to their organization’s policies and procedures.  An effective compliance plan includes procedures for enforcing and disciplining employees who violate the provider’s policies.  Provisions for enforcement and discipline are necessary to add credibility and reliability to the compliance program.

Disciplinary mechanisms must be consistently and appropriately enforced.  At the same time, the organization’s disciplinary procedures should be flexible enough to allow for mitigating or aggravating circumstances.  The procedures might also require that individuals who fail to report violations or actively cover up violations of the compliance plan be subject to discipline.  Disciplinary actions may include:

  • (a) Warnings (oral/written);
  • (b) Reprimands (oral/written);
  • (c) Probation;
  • (d) Demotion;
  • (e) Temporary suspension;
  • (f) Termination;
  • (g) Restitution of damages; and
  • (h) Referral for criminal prosecution.

These disciplinary actions should be promulgated to employees and included in training sessions both for new employees and at annual training sessions intended to update all employees.  As Compliance Officer, you should document any findings of non-compliance by including:

  • (a) The date of incident;
  • (b) The name of the reporting party;
  • (c) The name of the person responsible for taking action; and
  • (d) Any follow-up or remedial action taken.

Step Seven: Responding Promptly to Detected Offenses and Undertaking Corrective Action.

When a problem is detected, the next step is to develop and implement a corrective action plan.  Violations of the compliance plan or underlying federal or state law threaten the provider’s reputation and expose it to potential audits, investigations and penalties.  Consequently, when receiving reports or indications of likely non-compliance, it is the duty of the Compliance Officer to investigate the allegation and determine what, if any, violations have occurred.  The Compliance Officer must then work to resolve the problem and take other action as appropriate.  If a serious violation is identified, possible steps may include a corrective action plan, the return of any overpayments, disclosure to federal payors and/or a referral to law enforcement authorities.  However, before taking any of these steps, consult your legal counsel for advice and guidance on the appropriate action to take.  Regardless, you should ensure that the rights of your organization and the employees are protected.

Your organization may develop its own set of warning signs, including changes to the number or type of claims denials or patient complaints about billing.  However, policy non-compliance should be determined on a case-by-case basis.  An organization should seek advice from its legal counsel to determine the extent of the entity’s liability and to plan an appropriate course of action.

For potential criminal violations, an entity may want to include procedures for referral or disclosure to the appropriate authorities.  For mere overpayments, the organization should have procedures for identification and remittance of improper payments.

The compliance plan should include procedures for an investigation of all reports of detected violations.  A provider cannot ignore possible fraudulent activity.  In fact, this undermines the very purpose of the compliance program.  Moreover, your policies and procedures should have protocols to ensure that repeat or compounded violations do not occur.  This may include employee retraining or termination or other appropriate responses to detected risk areas.  If a violation that occurs is not promptly detected through the policies and procedures of the compliance plan, the compliance plan should be modified accordingly.  You should consider what flaws in the plan missed the violation or why the violation occurred in the first place.  Regardless of rationale, it is important to review and update your compliance plan regularly.

The steps above set out a typical approach used when setting up a small to mid-sized provider's Compliance Program.  As the outline reflects, each of the seven elements repeatedly cited by OIG as necessary for a program to be effective has been addressed.  Ultimately, it is up to each specific provider to decide both the manner and the extent to which they will choose to implement these compliance measures.  Liles Parker attorneys and staff have extensive experience developing specific, provider-tailored, effective Compliance Programs.  Should you have questions regarding your practice's compliance needs, please feel free to call us for a complimentary initial consultation.  We can be reached at: 1 (800) 475-1906.

[1] While compliance programs were “voluntary” in the past, legislative changes now mandate that Medicare and Medicaid providers and suppliers develop and implement an effective compliance program.  The writing is on the wall – compliance is no longer voluntary – it is the first place a prosecutor will look if your health care organization is accused of fraud.

[2] RAT-STATS, a simple computer program, is used by Federal agencies and Medicare/Medicaid contractors to develop statistically relevant random samples. You should utilize the same software for internal audits. It is available free at:
