Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Basic Compliance Policies and Procedures


(January 5, 2016): Now that you have appointed an individual to be responsible for the compliance program and created a compliance committee to help the compliance officer, the focus should turn to basic compliance policies and procedures. If an effective compliance program is like a house with a solid roof to protect the inhabitants from bad weather, policies and procedures function as the studs and support structure. Like walls, policies and procedures establish the outlines of a program, delineating areas of focus. Another way of looking at this is that the basic policies and procedures serve as the constitution of your compliance program. Accordingly, every compliance program should have certain policies at a minimum. The most important ones are (in no particular order):

  1. Code of Conduct. This is the basic commitment to comply with the federal, state and local rules and regulations applicable to healthcare and your practice. The importance of this policy cannot be overstated. To put it very simply, this policy must say you will not lie, cheat or steal.

  2. Appointment of a compliance officer and description of duties and powers. If the compliance officer is like the president, then this policy describes what executive powers that individual has.

  3. Ineligible persons and sanctions screening. This policy states that you will not employ, contract with, accept referrals or prescriptions from, or make referrals to individuals or entities that are sanctioned, excluded or debarred from federal and state health care programs.

  4. Licensure status. Like the ineligible persons policy, this policy should address which individuals must maintain licensure and state that the practice will not employ, contract with, accept referrals or prescriptions from, or make referrals to individuals and entities that are not properly licensed. The policy should also indicate how you will verify licensure status and what actions will be taken if you cannot validate proper licensure status.

  5. Hotlines and reporting methods for employees, patients and others. This policy should clearly establish how individuals can report concerns and ask questions or request guidance. A key component must be a statement that the reporter may remain anonymous and will not face retaliation for good faith reports.

  6. Document internal corrective actions taken. This policy should outline the general steps that will be taken to investigate a report of possible problems. The policy should include direction for how to document the results of the investigation and what, if any, corrective actions were required and implemented.

  7. Training.  We all know how much the rules and regulations in health care are changing. This policy should indicate how you will be training staff, general topics, frequency of training, and how you will document completion of the training. This policy should also include the repercussions for failure to complete the training as required.

  8. Internal auditing and monitoring. This policy should outline your process for conducting audits. If you are billing any insurer, whether federal OR private, you should be conducting audits routinely. Identify what the risk areas are for your practice. The risk areas could be related to particular services, CPT codes, or a particular insurer. As with the Investigations policy, this policy should also detail what actions you will take in response to results that reveal a possible issue.

  9. Conflicts of interest. It is not possible to eliminate potential conflicts of interest unless you live on a desert island, isolated from contact with the rest of the world. Accordingly, the first step is to identify possible conflicts of interest (for example, family or business relationships, outside employment, ownership interests, etc.). The policy should require that all potential conflicts of interest be disclosed. Once disclosed, the policy should provide a method for addressing the potential conflict of interest. Some conflicts of interest are so significant or impact the practice in such a way that the underlying situation must be unwound. For example, a contract might have to be terminated or a relationship ended. Other conflicts of interest can be managed. Again, the policy should provide for documentation of the disclosure and what actions are taken to end or manage the conflict of interest.

  10. Waivers of copayments and deductibles, discounts, charity care, and beneficiary inducement. One of the fastest ways to get in trouble is to inconsistently apply and collect copayments and deductibles or offer discounts, as insurers will take the position that this is an improper beneficiary inducement in violation of the federal and state anti-kickback laws. There are ways to provide free or discounted care, but it must be done thoughtfully and following established procedures. In addition, this is a key area to develop documentation demonstrating adherence to the requirements.

  11. Returning overpayments. Since audits are likely to result in overpayments, you must commit to promptly returning any identified overpayments. A good place to start is the Medicare policy manuals, particularly those of the Medicare Administrative Contractor (MAC). Likewise, private insurers often have policies on refunding overpayments. Don’t forget that the Affordable Care Act requires that Medicare and Medicaid overpayments be returned within 60 days from the identification of the overpayment.

  12. HIPAA requirements must be met. Actually, the HIPAA policies are more an entire set of policies that address compliance with the Privacy Rule, the Security Rule, and the Breach Notification Rule. I will address HIPAA policies in more detail in a future article.

  13. Document retention. This policy should outline what your document retention and destruction policy and procedures are. Not every document needs to be kept forever, and you should create retention time periods for different kinds of documents (including patient medical records). Don’t forget to include electronically maintained documents. One provision the policy absolutely must contain is a requirement that, if the practice is under audit, investigation or any other form of scrutiny, no documents relating to that matter be destroyed, including deletion of emails.

This baker’s dozen of basic compliance policies is only a starting point. A practice’s book of policies should include additional policies that address its particular needs or risks. In fact, I would be extremely worried if I walked into a practice and did not find at least half a dozen more policies specific to the practice. Also, the policies book need not be limited to compliance policies. The practice should also have HR policies, finance policies, patient care policies and OSHA policies.

All policies should be reviewed on an annual basis and updated as necessary. This includes eliminating policies that are no longer appropriate or relevant and writing new ones. All policies should be written in a template that permits you to document when a policy was last reviewed and when it was last changed.

And finally, policies should not be like the recipe for Coca Cola, kept in a vault and only known to a few. All staff members should have access to and understand the policies, so a best practice is to place the policies in a binder in a common area, easily accessible by all staff members. If you have an intranet, post them on the intranet. Post them on a bulletin board in the staff break room. Make them widely available. Train on them, repeatedly. Never be in a situation where a staff member can say, “Oh, I didn’t know that was our policy!”

Next month we’ll examine exclusions and why they are so important in more depth.

Heidi Kocher, Esq. is a health law attorney with the firm, Liles Parker, Attorneys & Counselors at Law. Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA. Our attorneys represent dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects. Need assistance? For a free consultation, please call: 1 (800) 475-1906.

Does Your Practice Have a Compliance Officer or Compliance Committee?


(October 29, 2015): Last month we discussed why having a functioning, effective compliance program is important. If done correctly, a compliance program that is functional, effective, and well-documented is as important as your medical malpractice liability insurance. Indeed, the Affordable Care Act now requires compliance programs and many private payers now explicitly require compliance programs in their physician contracts.

But compliance programs don’t just materialize out of thin air. I have yet to be able to wave a wand or say an incantation that will bring a compliance program into being. In order to implement a functioning, effective compliance program, somebody has to perform specific tasks. In many practices, a physician (or the physician in a solo practice) is named the compliance officer. In other practices, it is a senior staff member, often the office manager. And sometimes the compliance officer does not have any other duties in the organization, particularly in large practices. All of these models can work. However, where the compliance officer or manager also has other duties, it is critical that those duties do not cause a conflict of interest with the compliance duties. If the compliance officer or manager has other duties in the practice, care must be taken that the individual is permitted enough time to carry out his or her compliance duties. I have seen numerous practices where being the compliance officer takes a back seat to being the office manager or the head of accounting. Those are practices that often run into compliance problems on down the line.

Even more important than having the appropriate amount of time, the compliance officer or manager must be given the authority to implement required policies, procedures and practices. All too often, the compliance manager or officer is given the responsibility for implementing a compliance program, but not the needed authority. Particularly in solo and small practices, it is not uncommon for the physician to name him or herself as chief compliance officer and then delegate the day-to-day compliance duties to another individual, while the physician remains chief compliance officer on paper. Regardless of whether the individual conducting the day-to-day compliance activities is the actual chief compliance officer or a subordinate performing delegated duties, the most important aspect here is that the compliance staffer not find himself or herself constantly overruled or second-guessed by the physician(s). Unfortunately, I have seen too many cases where a compliance officer is not given the required authority to do what needs to be done or where a physician or group of physicians discounts the sound advice given by the compliance officer.

A physician practice should also implement a compliance committee. A compliance committee has two main functions. First, the compliance committee serves as an oversight body. Second, the compliance committee can be a tremendous help in carrying out compliance duties. In a small practice, the compliance committee might end up consisting of most of the staff members. Conversely, in a large practice, the compliance committee often consists of senior physicians and staff members, such as the head of human resources, the chief financial officer and representatives of other key departments. The composition of the committee and the number of members is not as important as the committee members’ ability to provide oversight and additional resources and manpower in implementing a compliance program.

In terms of oversight, the compliance committee should meet periodically and receive reports from the compliance officer about the steps he or she has taken to implement the compliance program. Quarterly meetings are typical. The compliance officer or manager should chair the meetings. The compliance officer can and should report on implementation of policies and procedures, status of training, any incidents, payer audits and other related matters. The quarterly meetings should be documented and maintained among the practice’s key documents.

In terms of providing additional resources for implementing the compliance program, the compliance officer may have to depend on the representatives of other functions to actually perform or carry out specific duties. For example, the human resources department may be tasked with actually conducting background and sanctions screening or employee training, while the finance or accounting department may help with responding to payer audits or performing internal audits. In addition, other departments and functions can often smooth the way for the compliance officer to implement specific tasks, often by providing input into an initiative or suggesting more cost-effective means of achieving a goal. Finally, these other individuals can help a compliance officer by spreading the compliance message throughout an organization.

In summary, empowering a compliance officer and creating a functioning compliance committee are key to implementing an effective compliance program.

Next month: Basic policies and procedures

Heidi Kocher, Esq. is a health law attorney with the firm, Liles Parker, Attorneys & Counselors at Law. Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA. Our attorneys represent dentists, orthodontists and other health care professionals around the country in connection with government audits of Medicaid and Medicare claims, licensure matters and transactional projects. Need assistance? For a free consultation, please call: 1 (800) 475-1906.

How to Implement a Compliance Plan in Your Practice


(September 17, 2015): Despite the fact that Medicare and Medicaid require that participating providers implement a compliance plan, most small providers have yet to complete the necessary steps to accomplish this requirement. “My office manager went to a continuing education program, and she’s come back telling me we need a compliance program. I don’t know about that. I know I need to be in compliance with all those rules and regulations, but it seems to be complex and confusing. Do I really need one? How do I put a program into place without spending enormous sums? We’re a small practice and we don’t have a lot of extra time and money to spend on compliance activities.”

This is how my clients often approach me with questions about compliance programs. Or, they have been the recipient of an audit letter from either Medicare or a private insurer. Let’s face it, the requirements for compliance programs are here to stay. Not only are compliance programs now required by the federal government for any provider who receives Medicare or Medicaid reimbursement (see section 6401 of the Affordable Care Act), they are also required by many private insurance companies. Within the last year, I have seen increasing numbers of network provider contracts from private insurance companies include a requirement that the provider have a compliance program. So, having a functional compliance program is no longer an option but a requirement.

To that end, over the next year, we will be exploring the basic elements of an effective compliance program, as well as topics related to a solid compliance program. Let’s start with what a compliance program is and is not. A compliance program is not a document that is placed in a binder on a high shelf in your office, to be dusted off only annually or when faced with scrutiny by insurance companies or, God forbid, state or federal regulators. Instead, a compliance program should become part of the fabric of doing business in your practice. When implemented correctly, a compliance program can help identify potential trouble spots in your practice and give you a framework for addressing those trouble spots. Of course, a functioning and effective compliance program can also help minimize fines and, if things go south, could keep a civil matter from turning into a criminal matter.

A compliance program is also not a muumuu – one size does NOT fit all. Just as there are differences between patients, there are differences between practices, the risks they face and the best methods of addressing those risks. An effective compliance program recognizes that while the structure of most compliance programs is similar, it takes into account the practice’s size and sophistication, the medical specialty, and the patient population. For this reason, compliance programs in a box or purchased off the Internet really are not desirable and often cost a practice more money in customization and sometimes tears down the road. A perfect example is the recent settlement by Anchorage Community Mental Health Services in relation to a HIPAA breach, where the government noted the ineffectiveness of the “sample” compliance policies and documents the provider put forward as its compliance program.

The basic elements of an effective compliance program are not complicated. They are:

  1. Designating an individual to serve as compliance officer and creating a compliance committee, particularly for larger organizations.
  2. Implementing a standard of conduct and policies and procedures relevant to the practice’s operations.
  3. Conducting effective training and education.
  4. Instituting effective methods of communication.
  5. Conducting internal monitoring and auditing.
  6. Enforcing the policies and standards through well-publicized disciplinary guidelines
  7. Responding promptly to violations and taking appropriate corrective action.

Each month we will explore each of these topics, discussing how to implement a compliance plan, and how to do so in a cost-effective fashion. Along the way, we will also discuss various forms of guidance available to practices when you implement a compliance plan that is tailored for the specific needs and risks of your individual practice. Let’s start with one right away – the federal government itself. The Office of Inspector General of the U.S. Department of Health and Human Services (“OIG”) has published a number of “Compliance Program Guidances”, intended to help different provider types understand and implement compliance practices specific to and appropriate for their particular branch. One of the guidances is specifically written for individual and small group physician practices and published in October 2000. It’s available here: In fact, this document is so basic to a physician practice’s compliance program that I strongly recommend that every compliance program have this document printed off, included among the compliance program documents, and readily available for staff member review. Although this document was published in 2000 (and therefore refers to CMS as HCFA and doesn’t make reference to the Affordable Care Act), it can be considered a bit like the U.S. Constitution – a document that creates the foundation for what comes after and points to a better future.

Heidi Kocher, Esq. is a health law attorney with the firm, Liles Parker, Attorneys & Counselors at Law. Liles Parker has offices in Washington DC, Houston TX, McAllen TX and Baton Rouge LA. Do you need to implement a compliance plan? Call one of our experienced health care attorneys for assistance. For a free consultation, please call: 1 (800) 475-1906.

There are Seven Compliance Plan Elements – Is Your Healthcare Company Compliant?


(August 2, 2012): Under the Affordable Care Act (ACA), which was recently upheld by the Supreme Court, the Secretary of the Department of Health and Human Services (currently Kathleen Sebelius) may require that all providers participating in federal health care programs implement an effective compliance plan. While regulations covering this issue have not yet been released, compliance will more than likely be mandatory in the near future. As a result, it is important that your organization begin to implement a compliance plan that will protect your business and comply with the requirements of the law. What, then, are the elements of a compliance plan?


I.  Seven Compliance Plan Elements — A Refresher:

The elements of a compliance plan include:

  1. Conducting internal monitoring and auditing;
  2. Implementing compliance and organizational standards;
  3. Designating a Compliance Officer or contact;
  4. Conducting appropriate training and education;
  5. Responding appropriately to detected offenses and developing corrective action;
  6. Developing open lines of communication; and
  7. Enforcing disciplinary standards through well-publicized guidelines.

II.  Internal Monitoring and Auditing:

Before engaging in any of the other steps, except perhaps designating an officer to do all of this work, it is important to conduct a baseline audit of your practice’s current operations so that you can ascertain areas that need improvement, or “risk areas.” The first element of a compliance plan – at least, this initial audit – is known as a “gap analysis” and should be conducted by a qualified individual (either an attorney, experienced compliance professional, or a Certified Medical Compliance Officer). Nevertheless, a single initial audit should not be all you do. Instead, audits should be conducted on an ongoing basis, either at a set date (e.g., annually, bi-annually) or in the event of an identified problem, and preferably both.

III. Implementing Standards:

The second element of a compliance plan is to implement standards that effectively convey to your staff and third-parties your goals and expectations with regard to the business. More specifically, you should have written policies and procedures which inform your staff on their own duties and responsibilities, and how your office will conduct its business operations, and coding and billing functions. Standards may vary from practice to practice, but they should all include a code of conduct, mission statement, and policies that demonstrate your effort and commitment to following the law.

IV.  Designating a Compliance Officer:

As discussed above, one of the first things to do is designate an appropriately-qualified individual to be your compliance officer. While smaller organizations may require the compliance officer to wear multiple hats (such as also being the office manager), larger organizations should dedicate an individual, or even multiple individuals, solely to compliance-related tasks. We recommend the use of either a Certified Medical Compliance Officer or even an outside Compliance Officer (for example, friend of the firm D.K. Everett).

V.  Training your Staff:

You can be as thorough as possible in attempting to remain compliant with applicable laws and rules, but if your staff doesn’t have that same vision and makes a mistake, the entire organization will still likely be held liable. That is why it is so important to provide ongoing, comprehensive training and education to your staff – the third element of a compliance plan. They, ultimately, are the eyes, ears, and hands of your organization, and they need to know their responsibilities not only to your practice, but to the requirements of laws like HIPAA, OSHA, and Stark, and other billing requirements. The method of training may vary, but all training sessions should be documented and signed off on by your employees.

VI. Responding to Detected Offenses:

When something occurs at an office, a natural response may be to cover it up or “fix it and forget it.” The healthcare industry is different. In most cases, covering up a detected problem can lead to severe penalties, up to and including criminal prosecution (i.e. jail time). As a result, the fifth element of a compliance plan – responding to detected offenses – is in many ways what the compliance program is all about. The other elements are there to make sure nothing happens, but if it does, this element guides you in making it right, so that you and/or your practice can limit the future liability of such acts.

VII.  Developing Open Lines of Communication:

This element of a compliance plan is all about making sure everyone not only knows the rules, but can report any problems to you so that they can be properly addressed (either by management or corporate counsel). You need to establish effective lines of communication, such as anonymous reporting mechanisms, exit interviews, and an open-door policy, so that you actually find out about any problems and attempt to resolve them. While there are a number of ways to implement these mechanisms, be sure that they will reasonably allow an employee, patient, or family member of a patient to make a complaint or report without the consequences of retribution.

VIII.  Enforcing Disciplinary Standards:

No one likes this, but the final element of a compliance plan is enforcing discipline in your office. Correcting the actions of your staff and colleagues can be difficult and uncomfortable, but it has the potential to save your practice. You need to have written guidelines which set out both prohibited conduct and the penalties for engaging in such conduct. Moreover, you should use a sliding scale of discipline – start with a verbal warning, but become progressively more strict as the number or severity of incidents goes up. This needs to include termination of employment.

IX. Conclusion:

The seven compliance plan elements serve as a framework and a model. They themselves will not form a complete and effective compliance plan, but they will give you sufficient guidance to begin working on a plan yourself. In addition, consider using qualified health law attorneys to conduct a gap analysis, implement an effective compliance plan, and/or provide compliance training to your staff. While a compliance plan, and compliance in general, can seem like a burdensome exercise, it is the ultimate insurance policy considering the myriad statutory and regulatory problems a healthcare provider can run into. As the government and private enforcers increase their funding, skills, and sophistication, you need to keep pace to ensure your business will continue to thrive.

Robert Liles, healthcare lawyer, represents providers in Medicare post-payment audits and appeals, and similar appeals under Medicaid. In addition, Robert counsels clients on regulatory compliance issues, performs gap analyses and internal reviews, and trains healthcare professionals on various legal issues. For a free consultation, call Robert today at 1 (800) 475-1906.

Medicare Fraud Strike Force Operation Leads to Charges against 94 Defendants, including 4 in South Texas


(July 17, 2010): Yesterday, the Department of Justice (DOJ) announced charges against 94 physicians, medical assistants, and health care company owners and executives in connection with alleged false Medicare claims amounting to more than $251 million. 24 defendants from Miami account for approximately $103 million of that amount. Four defendants were charged in Houston for their alleged roles in a $3 million scheme to submit fraudulent claims for durable medical equipment (DME). Other arrests were made in Baton Rouge, Brooklyn, and Detroit.

The offenses charged include conspiracy to defraud the Medicare program, criminal false claims, violations of the anti-kickback statutes, and money laundering.  The charges are based on a variety of fraud schemes, including physical therapy and occupational therapy schemes, home health care schemes, HIV infusion fraud schemes and durable medical equipment (DME) schemes.

Announcing the arrests, Attorney General Eric Holder said, “With today’s arrests, we’re putting would-be criminals on notice: Health care fraud is no longer a safe bet.  It’s no longer easy money.  If you choose to engage in health care fraud, you will be found; you will be stopped; and you will be brought to justice.”

The operation was conducted by the joint DOJ-HHS Medicare Fraud Strike Force, multi-agency teams of federal, state, and local investigators designed to combat Medicare fraud through the use of Medicare data analysis techniques and an increased focus on community policing.  Strike Force teams are operating in seven cities in the United States: the five aforementioned cities, Los Angeles, and Tampa.  AG Holder noted that the ongoing Strike Force initiative in South Florida has resulted in the indictments of 810 organizations and individuals since March 2007 and uncovered $1.85 billion in improperly billed claims.

The Strike Forces are part of the Health Care Fraud Prevention and Enforcement Action Team (HEAT), which is made up of top-level law enforcement and professional staff from the DOJ and HHS and their operating divisions. HEAT is dedicated to joint efforts across government to both prevent fraud and enforce current anti-fraud laws around the country.

Should you have any questions regarding these issues, don’t hesitate to contact us. For a complimentary consultation, you may call Robert W. Liles or one of our other attorneys at: 1 (800) 475-1906.