Health Care Compliance Program Development, Review & Implementation

Compliance Program Development is Mandatory for all Medicare / Medicaid Providers and Suppliers (July 18, 2014): Over the last decade, Compliance Programs have become an essential part of the way large and mid-sized health care providers conduct business.  In recent years, small health care providers have followed suit, and Compliance Program development, review and implementation has become a priority for any provider that intends to stay within the four corners of the law.  Compliance Programs aimed at reducing, preventing, and deterring fraudulent and improper conduct are at the forefront of the health care industry’s goals.  These programs can also help providers avoid costly litigation and streamline their business operations.  While the federal government presents basic procedural and structural guidance for compliance programs, the guidelines issued by the Department of Health and Human Services, Office of Inspector General (HHS-OIG) do not represent a “one size fits all” compliance program that can be readily adopted by every provider, especially when it comes to small and mid-sized provider entities.

II.   Benefits of a Compliance Program:

Regardless of the nature of your health care organization, “quality patient care” likely remains at the top of the list of goals you are trying to achieve.  An organization’s focus on patient care can be enhanced by the adoption of an effective compliance program.[1] For example, the increased accuracy of your medical documentation that may result from your efforts to remain compliant, can actually assist in enhancing the quality of patient care your organization is providing.  Virtually all health care providers can realize a variety of benefits by implementing a compliance program.  These benefits include:

  • Proactive approach. A compliance program is a proactive way to make sure that your company is meeting all of its statutory and regulatory obligations.
  • Evidence of good faith. A compliance program can serve as evidence of a good faith effort to comply with the law should your practice become the subject of an investigation.
  • Sentencing guidelines. In the event of criminal prosecution, the existence of a Compliance Plan is favorably considered under the Federal Sentencing Guidelines.

III.  The Compliance Program Development Process:

The following seven steps are typically followed when a health care provider or supplier initiates compliance program development.  It is important to keep in mind that the extent to which an organization implements these compliance measures will vary from provider to provider.  HHS-OIG does not expect every organization to implement each aspect of these seven components to the same extent.  Rather, compliance programs and their associated plans are "scalable."  HHS-OIG's “Compliance Program Guidance for Third-Party Medical Billing Companies” covers a number of important program integrity concerns that are applicable to virtually all health care providers and suppliers, not merely the third-party billing companies with whom they work.

If your organization is small to mid-sized, you may find it difficult to fully cover every aspect of the seven components discussed below.  However, in most instances, both providers and suppliers can effectively implement each component in one fashion or another.  The seven basic components are:

Step One: Conducting internal monitoring and auditing through the performance of periodic audits:

An effective compliance program can also speed and optimize the payment of a practice's claims and reduce the likelihood of an Anti-Kickback or Stark violation.  A successful compliance initiative begins with a critical evaluation of an organization's current and past practices.  The evaluation process is normally two-pronged: a provider’s policies and procedures are evaluated for accuracy and relevance, and the actual practices derived from those policies and procedures are evaluated as well.  Are employees properly carrying out their compliance duties and responsibilities?  Through an internal audit, a provider can ascertain what problem areas exist and focus its compliance efforts on those areas.  There are two general types of reviews that can be performed as part of this evaluation:

Standards and Procedures Review -- Each organization should designate an individual, usually the Compliance Officer (see below), to periodically review the policies and procedures of the organization and revise them if necessary. This review should consider both the current state of the law (taking into account any new regulations or changes to regulations) and the completeness of the policies and procedures. If the individual determines that the policies and procedures are ineffective or outdated, these policies and procedures should be updated to reflect any necessary changes in statutes and/or regulations.

Claims Submission Audit -- The appointed individual should also evaluate a sample of bills and medical records for compliance with applicable coding, billing, and documentation requirements.  Other employees may be helpful in this process as well, including billing personnel (or third-party billers) and medical personnel, such as registered nurses or physicians (especially if they actually performed the services being evaluated).  The provider also needs to decide whether to review claims retrospectively or concurrently with claims submission.  A provider’s self-audits can be used to determine whether claims have been accurately coded and properly reflect the services provided (as documented in the medical records).  A self-audit can also assist a provider in verifying whether the care and treatment services administered were reasonable, necessary and qualified for coverage and payment.

When conducting a self-audit, it is often a challenge to determine whether your documentation practices fully meet a payor's expectations in terms of completeness and scope of content.  It is often quite helpful to review whether a specific payor has issued any guidance in this regard.  For example, when documenting Evaluation and Management (E/M) claims, a physician or physician extender should review and apply the 1995 or 1997 Health Care Financing Administration (HCFA) E/M Guidelines in the same way that an outside reviewer (such as a Medicare contractor or an Administrative Law Judge (ALJ)) would apply them.  This approach can be quite helpful in identifying weaknesses and potential problems in a provider's documentation, coding and/or billing practices.

A "GAP analysis" (sometimes referred to as a "baseline audit") examines the claims documentation, coding, billing and submission process, from patient intake through claim payment or denial.  A careful examination of a provider's practices can be invaluable in identifying any actions that can contribute to an organization's failure to fully comply with the law.  This process can also assist a provider in identifying employee training and education needs.

In auditing your facility’s records, establish a consistent methodology for selecting and examining records.  This method will then serve to expedite and improve future audits.

There are many ways to conduct a baseline audit. One way involves assessing claims for services submitted in the three months following the implementation of new education and training programs. This will provide a benchmark to evaluate the efficacy of future programs.

Following the baseline audit, a periodic audit should be conducted at least annually to ensure compliance with the organization’s policies and procedures.  Optimally, the organization should review a randomly selected set of medical records, which provides assurance without an overwhelming administrative burden.[5]  Although there is no set formula for how many medical records should be reviewed, a basic guide is five or more medical records per federal payor (i.e., Medicare, Medicaid), or five to ten medical records per physician or other billing provider.  Most provider organizations receive reimbursement from a number of different payors, so a provider must ensure that its auditing and monitoring processes review claims from each applicable federal payor.  Of course, the larger the sample size, the more confident the provider can be in the accuracy of the results.

Should significant problems be identified through the audit process, a provider should determine whether a focused review of the problem areas should be conducted on a more frequent basis.  When the results of the audit reveal problems that require additional employee or provider education or training, the provider will need to analyze if and how these areas can be incorporated into the provider’s training program.  An organization may also assess potential risk areas by reviewing its own billing vulnerabilities.  The codes associated with these risk areas may become the universal pool of claims from which a sample is selected.  The employees conducting the audit should then evaluate this sample to determine whether the billed services were accurately ordered, actually performed, and reasonable and necessary for the treatment of the patient.
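The sampling approach described above (a consistent, repeatable selection method; at least five records per federal payor and five to ten per billing provider; an optional restriction of the universal pool to the codes tied to identified risk areas) can be implemented so that the selection is documented and reproducible. The following is an added example written for this page, not the article's or any contractor's own tooling: the claim record fields (claim_id, provider, payor, code), the minimum sample sizes, the fixed seed and the claim data itself are all assumptions constructed for the illustration. Strata that hold fewer claims than the minimum are audited in full and reported as shortfalls rather than silently under-sampled.

```python
"""Stratified, reproducible claim sampling for a periodic compliance audit.

Added illustration, not code from the original article: the field names
(claim_id, provider, payor, code), the sample minimums and the seed are
assumptions chosen for the example.
"""
import random
from collections import defaultdict


def build_constructed_claims():
    """Constructed sample data (not real claims): three billing providers
    with claims spread across Medicare, Medicaid and a commercial payor."""
    claims = []
    n = 1
    for provider, count in (("Dr. A", 12), ("Dr. B", 12), ("NP C", 3)):
        for i in range(count):
            claims.append({
                "claim_id": f"CLM{n:04d}",
                "provider": provider,
                "payor": ("Medicare", "Medicaid", "Commercial")[i % 3],
                "code": ("99213", "99214", "99215", "G0439")[i % 4],
            })
            n += 1
    return claims


def select_audit_sample(claims, min_per_payor=5, min_per_provider=5,
                        federal_payors=("Medicare", "Medicaid"),
                        risk_codes=None, seed=2014):
    """Draw a random sample that covers every federal payor and every billing
    provider at the requested minimum, and record how it was drawn.

    risk_codes: optional set of billing codes; when given, the universal pool
      is restricted to claims carrying those codes (assumed field "code").
    seed: fixed so the same methodology reproduces the same sample later.
    Returns (sorted claim ids, methodology record for the audit file).
    """
    rng = random.Random(seed)
    pool = [c for c in claims if risk_codes is None or c["code"] in risk_codes]

    by_payor = defaultdict(list)
    by_provider = defaultdict(list)
    for c in pool:
        by_payor[c["payor"]].append(c)
        by_provider[c["provider"]].append(c)

    selected = {}      # claim_id -> claim record
    shortfalls = []    # (stratum label, claims available, minimum wanted)

    def draw(label, stratum, minimum):
        """Top the stratum up to `minimum` selected claims, counting claims
        already chosen through another stratum so overlap is not wasted."""
        have = sum(1 for c in stratum if c["claim_id"] in selected)
        candidates = [c for c in stratum if c["claim_id"] not in selected]
        short = minimum - have
        if short > 0:
            for c in rng.sample(candidates, min(short, len(candidates))):
                selected[c["claim_id"]] = c
        if len(stratum) < minimum:
            shortfalls.append((label, len(stratum), minimum))

    # Federal payors first, then every billing provider (sorted for a
    # deterministic draw order under a fixed seed).
    for payor in federal_payors:
        draw(f"payor:{payor}", by_payor.get(payor, []), min_per_payor)
    for provider in sorted(by_provider):
        draw(f"provider:{provider}", by_provider[provider], min_per_provider)

    methodology = {
        "seed": seed,
        "pool_size": len(pool),
        "risk_codes": sorted(risk_codes) if risk_codes else None,
        "per_payor": {p: sum(1 for c in selected.values() if c["payor"] == p)
                      for p in sorted(by_payor)},
        "per_provider": {p: sum(1 for c in selected.values() if c["provider"] == p)
                         for p in sorted(by_provider)},
        "shortfalls": shortfalls,
    }
    return sorted(selected), methodology


if __name__ == "__main__":
    ids, how = select_audit_sample(build_constructed_claims())
    print(len(ids), "claims selected for review")
    print(how)
```

The returned methodology record (seed, pool size, code restriction, counts per stratum and any shortfalls) is what should be filed with the audit results, so that a later audit, or an outside reviewer, can reproduce exactly how the sample was drawn.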

An especially important component of an effective compliance program is an appropriate response to any problems identified through the audit. The specific action a provider takes should depend on the circumstances presented by each situation. In some cases, the only necessary response may be to return identified overpayments back to the proper payor. In other situations, the provider may need to bring in a coding/billing expert for consultation regarding the appropriate steps to take. It is a good idea to develop a system for responding to problems identified. Keep in mind, however, that no single solution will be applicable in every instance for every problem. The Compliance Officer should use his or her training, skills, common sense and judgment in determining what needs to be done to best protect the interests of the organization.

Step Two: Implementing compliance and organizational standards through the development of written standards and procedures:

Upon completion of an initial audit and identification of entity-specific risk areas, you should begin to develop policies, standards, and procedures to address the identified areas.  The actual written policies are arguably the most important element of an effective Compliance Plan.  Implementation and enforcement of a standardized set of policies and procedures will establish firm internal control on risk areas which may otherwise result in fraud or billing errors.

A Compliance Plan with written policies and procedures is helpful for the operation of any organization, regardless of size, type or capability.  The notion of scalability again comes into play: a larger health care provider or supplier will be expected to have a more comprehensive set of policies and procedures in place, while a smaller provider may have only those policies that are mandated under various statutes, along with any specific guidance drafted to address identified problem areas.

There are several standard steps to developing policies and procedures, including:

(1) Developing a written policies and procedures manual;

(2) Updating all medical and clinical forms used by the organization to ensure that they facilitate clear and appropriate documentation of the services provided; and

(3) Identifying relevant clinical protocols, pathways, and treatment guidelines used by the provider.

When implementing this step, health care providers and suppliers should develop a resource manual from “open-source” or public and governmental databases.  Relevant statutes, regulations, and medical guidance covering the services your organization provides should first be assembled.  A binder containing an organization's policies, procedures, important statutory information (such as the Stark law), CMS directives and guidance, Medicare contractor coverage guidance (LCDs), and important program integrity information published by HHS-OIG (such as Special Fraud Alerts, Advisory Opinions, etc.) must be consistently updated and available to all employees in an easily accessible location.

During their initial training and orientation, new employees should be educated on the provider’s policies and procedures and made aware of their duties, obligations and responsibilities to comply with all applicable statutory and regulatory requirements.  Current employees should be informed of any changes, modifications, or additions to an organization's policies and procedures as soon as possible after implementation.

  • General Risk Areas Impacting all Health Care Providers and Suppliers.

In order to develop an effective, relevant set of policies and procedures, a provider should review the errors and problem areas that have previously been identified in provider organizations similar to yours.  Four general risk areas affect most health care providers:

  • Coding, billing, and claims submission;
  • Reasonable and medically necessary services;
  • Documentation; and
  • Improper inducements, kickbacks, and self-referrals.

General risk areas should be taken into account by most health care providers and suppliers when developing and implementing an effective compliance plan that is reflective of that organization's needs.  As statutes are amended and regulatory requirements are revised, these areas of concern should be updated to take any new mandates into account.

  • Specific Risk Areas Faced by Health Care Providers of Your Specialty, and Your Organization in Particular.

In contrast to the general risk areas discussed above, there are a number of risks that may be somewhat unique to your organization.  These entity-specific risks may be driven by the fact that your organization performs specialized care and treatment services, engages in business practices that are highly regulated or has a prior history of program integrity violations that now places the organization under the proverbial microscope by federal or state law enforcement or regulatory officials.

  • Retention of Records.

Your organization’s policies and procedures should include guidance covering the proper storage and retention of medical, business, and compliance records.  Medical record retention is especially important, both for actual health care needs and for possible audits and investigations in which this documentation will support the provider’s billing.  For business and compliance purposes, such as financial statements or employee training dates, you may want to keep a binder of the relevant information for easy access.  The compliance documents you may want to retain include records related to educational activities, internal investigations and internal audit results.  However, you need to weigh risk versus reward.  On the one hand, HHS-OIG recommends keeping all of these documents to demonstrate proper compliance activities and efforts should your entity ever be questioned on compliance.  On the other hand, should there be negative findings from your internal investigations without prompt and appropriate corrective action (e.g., terminations or major changes in vendor relations), these records may serve as a roadmap in a future government investigation.

Your policies and procedures should provide for a records retention system and associated protocols.  This includes establishing guidelines covering the creation, distribution, storage, and destruction of records (particularly medical records).  Providers should pay particular attention to the privacy requirements under both federal and state law when establishing these protocols.

Organizations should also document their efforts to comply with applicable federal health care program requirements.  For instance, if you seek guidance from your Medicare Administrative Contractor (MAC) on the issue of records retention, you should keep all records related to your request and any written or verbal responses from the MAC (or a note that no response was ever received).  Should the MAC respond with additional guidance or clarification, you should document how your office is modifying its approach to the provision of services and when those changes go into effect.  This is important if your organization intends to rely on these responses for future decision-making or billing purposes.

CMS has issued guidance on the retention of medical records stating that providers are required to retain documentation for six years from the date of its creation or the date when it was last in effect, whichever is later.  However, there have been instances in which CMS has requested medical records dating back ten years from the date of creation or the date when the record was last in effect.  Providers should make sure that medical records are accurately written, promptly completed, readily accessible, properly filed, and retained.

In short, it is in the provider’s best interest, regardless of size, to have procedures in place related to document retention.  The following record retention guidelines may be helpful:

  • Policies should outline how long each type of record should be retained (federal and state statutes generally set six years, or six years from the date of majority for minors, and should be consulted for specific time frames);
  • Medical records (if in the possession of the provider) should be secured against loss, destruction, unauthorized access or reproduction, corruption, or damage;
  • Policies and procedures should indicate the proper disposition of records should the entity be closed or sold; and
  • Using a system of author identification and record maintenance that ensures integrity of the authentication is a good practice as it protects the security of all record entries.

Step Three: Designation of a Compliance Officer

Before completing any audits or identifying risk areas, one member of the staff should be made responsible for compliance-related activities, including developing a corrective action plan and enforcing adherence as necessary.  This person is known as the Compliance Officer, regardless of other clinical or ministerial duties they may also have.  In a typical institutional provider’s compliance program, there is a full-time Compliance Officer responsible for overseeing the implementation, establishment, and enforcement of the compliance program.  However, in a smaller organization, resources may be constrained, so that an Office Manager or other employee may also be in charge of compliance functions.  In smaller organizations, compliance responsibilities are often coupled with those of the Privacy Officer and/or Security Officer.  However you choose to apportion these duties, you should ensure that the following duties are assigned:

  • Overseeing and monitoring the implementation of the compliance program;
  • Establishing methods, such as audits, to improve the practice’s efficiency and quality and to reduce the practice’s vulnerability and exposure to fraud, waste, and abuse;
  • Periodically revising the compliance program after reviewing changes or additions to law, needs of the practice, and requirements of federal and private payors;
  • Developing, coordinating, and leading a training program focused on the mission and objectives of the practice, and ensuring that training materials are appropriate and readily available;
  • Screening new and existing employees and independent contractors against federal exclusion databases to ensure they are authorized to participate in activities involving federal health care programs;
  • Investigating reports and allegations regarding possible unethical or inappropriate business practices; and
  • Monitoring subsequent corrective action and/or compliance.

Your organization needs to assess its own circumstances and determine what best suits its compliance needs and risks.

Step Four: Conducting Appropriate Training and Education:

Education and training are critical to the success of a compliance program.  Without the provider’s employees understanding how and why to comply with the established program, many compliance goals will go unrealized.  Your training program should be tailored to the size, needs and specialty of the organization.  There are three basic steps for setting up a training regimen:

  • Determining who needs training and in what areas (e.g., coding and billing or documentation requirements);
  • Determining the best types of training for the organization’s needs (e.g., seminars, in-service training, or other programs); and
  • Determining when and how often training is needed and how much training each employee should receive.

Training may be accomplished through several methods, including training sessions (such as on-site training, compliance meetings, or outside seminars), distribution of guidance and newsletters, or a centrally placed bulletin board.  Regardless of the training method used, a provider should make sure that appropriate education is effectively communicated and that employees understand their role in health care compliance.

  • Compliance Training.

Compliance training should be administered both upon an employee’s initial association with an organization and periodically for employees already employed.  This training should involve the provider’s Compliance Plan, its policies and procedures, and the underlying statutory and regulatory requirements.  You may want to include:

  • The importance of the compliance program and how it operates;
  • The consequences, both for the organization and employee, of violating the policies and procedures set forth in the program; and
  • The role of each employee in the proper functioning of the compliance program.

Compliance training should have two main purposes: to let each employee know that compliance is a condition of their continued employment and to train each employee on how to perform their designated jobs and duties in accordance with the program and the underlying law.  The training should emphasize that violating the compliance program may subject the employee to disciplinary measures, up to and including termination.  New employees should be trained as soon as possible after their starting date; all employees should receive training at least on an annual basis (and more often if necessary).

  • Coding and Billing Training.

Coding and billing training may also be necessary if your staff includes medical coders and billers.  In many instances, a billing provider may do his or her own coding and, as such, should be trained on proper coding levels and other guidance.  If the provider employs coders or billers, they too should be trained on proper procedure.  Additionally, if your organization uses a third-party billing company, be sure to ask whether it conducts training on billing and coding issues.  It is in the provider’s best interest to ensure that employees or business associates who are directly involved with billing receive extensive training specific to the organization’s specialty and risk areas.  Examples of items that could be covered in coding and billing training include:

  • Coding requirements;
  • Claim development and submission processes;
  • Signing a form for a billing provider without the provider’s authorization;
  • Proper documentation of services rendered;
  • Proper billing policies and procedures and submission of accurate bills for all services or items rendered; and
  • The legal sanctions for submitting deliberately false claims or recklessly billing.

  • Format of the Training Program.

Training may be conducted either in-house or by a third party, such as a consultant or attorney.  As an alternative to internal programs and in-service sessions, outside seminars may be useful for training purposes.  Consider asking your MAC for training (MACs may provide specialty-wide training programs through local associations).

If the provider uses a third-party billing company, you should ensure that documentation is complete so that claims submitted on the organization’s behalf accurately reflect the services provided; if it is not, these areas should be covered in training.  In addition to training, you should purchase and maintain current reference sources for your coders and billers, including CPT, ICD-9 or ICD-10 and Healthcare Common Procedure Coding System (HCPCS) code books (along with MAC interpretations of those manuals), and make them available to all employees involved in billing.  You may also combine billing/coding and compliance training.  All seminars or in-service training sessions may integrate core provider values, such as mission statements, compliance protocols and goals, into their curriculum.

  • Continuing Education on Compliance Issues.

At a minimum, employees should be trained annually on billing/coding compliance guidance.  However, there is no formula for determining how often to conduct training.  This should be based on the provider’s practical experience and overall employee compliance with policies and procedures.  Should you find that violations are occurring, more frequent training should be conducted.

Step Five: Responding To Detected Offenses and Developing Corrective Action Initiatives:

When a problem is detected, the next step is to develop and implement a corrective action plan.  Violations of the Compliance Plan or underlying federal or state law threaten the provider’s reputation and expose it to potential audits, investigations and penalties.  Consequently, when receiving reports or indications of likely noncompliance, it is the duty of the Compliance Officer to investigate the allegation and determine what, if any, violations have occurred.  The Compliance Officer must then work to resolve the problem and take other action as appropriate.  If a serious violation is identified, possible steps may include a corrective action plan, the return of any overpayments, disclosure to federal payors, and/or a referral to law enforcement authorities.  However, before taking any of these steps, consult your legal counsel for advice and guidance on the appropriate action to take.  Regardless, you should ensure that the rights of your organization and its employees are protected.

Your organization may develop its own set of warning signs, including changes to the number or type of claims denials, or patient complaints about billing.  However, policy non-compliance should be determined on a case-by-case basis.  An organization should seek advice from its legal counsel to determine the extent of the entity’s liability and to plan an appropriate course of action.

For potential criminal violations, an entity may want to include procedures for referral or disclosure to the appropriate authorities (often discussing the circumstances with legal counsel).  For mere overpayments, the organization should have procedures for identification and remittance of improper payments.

The Compliance Plan should include procedures for an investigation of all reports of detected violations.  A provider cannot ignore possible fraudulent activity.  In fact, this undermines the very purpose of the compliance program.  Moreover, your policies and procedures should have protocols to ensure that repeat or compounded violations do not occur.  This may include employee retraining or termination, or other appropriate responses to detected risk areas.  Should a violation occur and it is not detected promptly through the policies and procedures of the Compliance Plan, you should modify the plan accordingly.  You should consider what flaws in the plan missed the violation or why the violation occurred in the first place.  Regardless of rationale, it is important to review and update your Compliance Plan periodically.

Step Six: Developing Open Lines of Communication

Providers must maintain open lines of communication.  This will help prevent communication mix-ups and may help explain how mistakes occurred in the first place.  Because each employee is involved, at least to some degree, in a successful compliance program, communication about the goals, requirements, and expectations of a plan is necessary.  Communication may be maintained through several mediums, including e-mail messages, bulletin board postings, daily or weekly staff meetings, and educational sessions.  Moreover, an “open door” policy for the Compliance Officer and an anonymous tip line may foster greater communication, even regarding negative occurrences.

The “open door” policy should be enacted among billing providers, compliance personnel, and employees.  This policy can be implemented together with informal techniques, including notices, notes, and informal verbal guidance.  A system for meaningful and open communication requires:

  • A requirement that employees report conduct that a reasonable person would, in good faith, believe is erroneous or fraudulent;
  • Procedures to promptly process reports of erroneous or fraudulent conduct;
  • If a third-party billing company is used, communication between your organization and the Compliance Officer or contact at the billing company, covering any possible concerns, teamwork on internal audits, training needs or modifications, changes to applicable law and other operational or compliance matters;
  • Anonymous reporting methods, such as hotlines or suggestion boxes, through which employees can report suspected improper activity; and
  • Provisions in your policies and procedures that the organization will not retaliate against employees who in good faith report suspected erroneous or fraudulent activities.

Protecting anonymity may not always be feasible.  However, all employees should know who to contact in compliance matters and should be able to report compliance issues without fear of retribution.  While your organization should strive to protect the anonymity of a reporting employee, you also need to stress that there may be a point where it is impossible to protect the employee’s identity any further.

Step Seven: Enforcing Disciplinary Standards through Well-Publicized Guidelines:

Finally, employees must understand the consequences of failing to adhere to their organization’s policies and procedures.  An effective Compliance Program includes procedures for enforcing and disciplining employees who violate the provider’s policies.  Provisions for enforcement and discipline are necessary to add credibility and reliability to the compliance program.

Disciplinary mechanisms must be consistently and appropriately enforced.  At the same time, the organization’s disciplinary procedures should be flexible enough to allow for mitigating or aggravating circumstances.  The procedures might also require that individuals who fail to report violations or actively cover up violations of the Compliance Program be subject to discipline. Disciplinary actions should be promulgated to employees and included in training sessions both for new employees and at annual training sessions intended to update all employees. As Compliance Officer, you should document any findings of non-compliance by including:

  • The date of incident;
  • The name of the reporting party;
  • The name of the person responsible for taking action; and
  • Any follow-up or remedial action taken.

IV.  Assessing an Effective Compliance Program:

A Compliance Program is not meant to sit idle until an auditor shows up or a violation occurs.  Rather, the goal is active compliance, which can be achieved by following the policies and procedures defined in your Compliance Program on a daily basis.  This will streamline your organization’s business operations, reduce the likelihood of statutory violations, help to mitigate any damages resulting from a breach, and serve as evidence that your organization is doing its best to fully comply with applicable rules and regulations.  When compliance becomes a part of the daily culture of your organization, you will achieve the maximum results and rewards.

Robert W. Liles, JD, MS, MBA serves as Managing Partner at Liles Parker, Attorneys and Counselors at Law.  Robert represents health care professionals of all sizes around the country in connection with a full range of Medicare, Medicaid and private payor audits, investigations and fraud cases.  He also represents licensed professionals, including dentists, in the defense of state board disciplinary actions.  For a complimentary consultation, please call Robert at: 1 (800) 475-1906.

[1] While Compliance Programs were initially “voluntary,” they are now required by law if a provider or supplier participates in the Medicare and / or Medicaid program.

[2] Ethics Resource Center, Federal Sentencing Guidelines: Federal Policy, available at http://www.ethics.org/resource/federal-sentencing-guidelines (December 31, 2005) (last accessed August 15, 2012).

[3] This is because they may result in a sentence based on facts not proven beyond a reasonable doubt to a jury, which would violate the Sixth Amendment.  See United States v. Booker, 543 U.S. 220 (2005); 125 S. Ct. 738; 160 L. Ed. 2d 621.

[4] Rita v. United States, 551 U.S. 338 (2007); 127 S. Ct. 2456.

[5] RAT-STATS, a statistical sampling program, is used by federal agencies and Medicare/Medicaid contractors to develop statistically valid random samples.  You should use the same software for internal audits.  It is available free at:


