Program Elements

The DWT Compliance Library Presents: OIG's Compliance Program Guidance for Hospitals

Compliance Program Elements

- Written Policies and Procedures
- Designation of a Compliance Officer and a Compliance Committee
- Conducting Effective Training and Education
- Developing Effective Lines of Communication
- Enforcing Standards Through Well-Publicized Disciplinary Guidelines
- Auditing and Monitoring
- Responding To Detected Offenses And Developing Corrective Action Initiatives

The elements proposed by these guidelines are similar to those of the clinical laboratory model compliance program published by the OIG in February 1997⁽⁴⁾ and our corporate integrity agreements.⁽⁵⁾ The elements represent a guide -- a process that can be used by hospitals, large or small, urban or rural, for-profit or not for-profit. Moreover, the elements can be incorporated into the managerial structure of multi-hospital and integrated delivery systems. As we stated in our clinical laboratory plan, these suggested guidelines can be tailored to fit the needs and financial realities of a particular hospital. The OIG is cognizant that with regard to compliance programs, one model is not suitable to every hospital. Nonetheless, the OIG believes that every hospital, regardless of size or structure, can benefit from the principles espoused in this guidance.

The OIG believes that every effective compliance program must begin with a formal commitment by the hospital’s governing body to include all of the applicable elements listed below. These elements are based on the seven steps of the Federal Sentencing Guidelines.⁽⁶⁾ Further, we believe that every hospital can implement most of our recommended elements that expand upon the seven steps of the Federal Sentencing Guidelines.⁽⁷⁾ We recognize that full implementation of all elements may not be immediately feasible for all hospitals. However, as a first step, a good faith and meaningful commitment on the part of the hospital administration, especially the governing body and the CEO, will substantially contribute to a program’s successful implementation.

At a minimum, comprehensive compliance programs should include the following seven elements:

(1) the development and distribution of written standards of conduct, as well as written policies and procedures that promote the hospital’s commitment to compliance (e.g., by including adherence to compliance as an element in evaluating managers and employees) and that address specific areas of potential fraud, such as claims development and submission processes, code gaming, and financial relationships with physicians and other health care professionals;

(2) the designation of a chief compliance officer and other appropriate bodies, e.g., a corporate compliance committee, charged with the responsibility of operating and monitoring the compliance program, and who report directly to the CEO and the governing body;

(3) the development and implementation of regular, effective education and training programs for all affected employees;

(4) the maintenance of a process, such as a hotline, to receive complaints, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation;

(5) the development of a system to respond to allegations of improper/illegal activities and the enforcement of appropriate disciplinary action against employees who have violated internal compliance policies, applicable statutes, regulations or federal health care program requirements;

(6) the use of audits and/or other evaluation techniques to monitor compliance and assist in the reduction of identified problem areas; and

(7) the investigation and remediation of identified systemic problems and the development of policies addressing the non-employment or retention of sanctioned individuals.

A. Written Policies and Procedures

Every compliance program should require the development and distribution of written compliance policies that identify specific areas of risk to the hospital. These policies should be developed under the direction and supervision of the chief compliance officer and compliance committee, and, at a minimum, should be provided to all individuals who are affected by the particular policy at issue, including the hospital’s agents and independent contractors.

1. Standards of Conduct

Hospitals should develop standards of conduct for all affected employees that include a clearly delineated commitment to compliance by the hospital’s senior management⁽⁸⁾ and its divisions, including affiliated providers operating under the hospital’s control,⁽⁹⁾ hospital-based physicians and other health care professionals (e.g., utilization review managers, nurse anesthetists, physician assistants and physical therapists). Standards should articulate the hospital’s commitment to comply with all federal and state standards, with an emphasis on preventing fraud and abuse. They should state the organization’s mission, goals, and ethical requirements of compliance and reflect a carefully crafted, clear expression of expectations for all hospital governing body members, officers, managers, employees, physicians, and, where appropriate, contractors and other agents. Standards should be distributed to, and comprehensible by, all employees (e.g., translated into other languages and written at appropriate reading levels, where appropriate). Further, to assist in ensuring that employees continuously meet the expected high standards set forth in the code of conduct, any employee handbook delineating or expanding upon these standards of conduct should be regularly updated as applicable statutes, regulations and federal health care program requirements are modified.⁽¹⁰⁾

2. Risk Areas

The OIG believes that a hospital’s written policies and procedures should take into consideration the regulatory exposure for each function or department of the hospital. Consequently, we recommend that the individual policies and procedures be coordinated with the appropriate training and educational programs with an emphasis on areas of special concern that have been identified by the OIG through its investigative and audit functions.⁽¹¹⁾ Some of the special areas of OIG concern include:⁽¹²⁾

	Billing for items or services not actually rendered;⁽¹³⁾
	Providing medically unnecessary services;⁽¹⁴⁾
	Upcoding;⁽¹⁵⁾
	"DRG creep;"⁽¹⁶⁾
	Outpatient services rendered in connection with inpatient stays;⁽¹⁷⁾
	Teaching physician and resident requirements for teaching hospitals;
	Duplicate billing;⁽¹⁸⁾
	False cost reports;⁽¹⁹⁾
	Unbundling;⁽²⁰⁾
	Billing for discharge in lieu of transfer;⁽²¹⁾
	Patients’ freedom of choice;⁽²²⁾
	Credit balances - failure to refund;
	Hospital incentives that violate the anti-kickback statute or other similar federal or state statute or regulation;⁽²³⁾
	Joint ventures;⁽²⁴⁾
	Financial arrangements between hospitals and hospital-based physicians;⁽²⁵⁾
	Stark physician self-referral law;
	Knowing failure to provide covered services or necessary care to members of a health maintenance organization; and
	Patient dumping.⁽²⁶⁾

Additional risk areas should be assessed as well by hospitals and incorporated into the written policies and procedures and training elements developed as part of their compliance programs.

3. Claim Development and Submission Process

A number of the risk areas identified above, pertaining to the claim development and submission process, have been the subject of administrative proceedings, as well as investigations and prosecutions under the civil False Claims Act and criminal statutes. Settlement of these cases often has required the defendants to execute corporate integrity agreements, in addition to paying significant civil damages and/or criminal fines and penalties. These corporate integrity agreements have provided the OIG with a mechanism to advise hospitals concerning what it feels are acceptable practices to ensure compliance with applicable federal and state statutes, regulations, and program requirements. The following recommendations include a number of provisions from various corporate integrity agreements. While these recommendations include examples of effective policies, each hospital should develop its own specific policies tailored to fit its individual needs.

With respect to reimbursement claims, a hospital’s written policies and procedures should reflect and reinforce current federal and state statutes and regulations regarding the submission of claims and Medicare cost reports. The policies must create a mechanism for the billing or reimbursement staff to communicate effectively and accurately with the clinical staff. Policies and procedures should:

	provide for proper and timely documentation of all physician and other professional services prior to billing to ensure that only accurate and properly documented services are billed;
	emphasize that claims should be submitted only when appropriate documentation supports the claims and only when such documentation is maintained and available for audit and review. The documentation, which may include patient records, should record the length of time spent in conducting the activity leading to the record entry, and the identity of the individual providing the service. The hospital should consult with its medical staff to establish other appropriate documentation guidelines;
	state that, consistent with appropriate guidance from medical staff, physician and hospital records and medical notes used as a basis for a claim submission should be appropriately organized in a legible form so they can be audited and reviewed;
	indicate that the diagnosis and procedures reported on the reimbursement claim should be based on the medical record and other documentation, and that the documentation necessary for accurate code assignment should be available to coding staff; and
	provide that the compensation for billing department coders and billing consultants should not provide any financial incentive to improperly upcode claims.

The written policies and procedures concerning proper coding should reflect the current reimbursement principles set forth in applicable regulations⁽²⁷⁾ and should be developed in tandem with private payor and organizational standards. Particular attention should be paid to issues of medical necessity, appropriate diagnosis codes, DRG coding, individual Medicare Part B claims (including evaluation and management coding) and the use of patient discharge codes.⁽²⁸⁾

a. Outpatient services rendered in connection with an inpatient stay

Hospitals should implement measures designed to demonstrate their good faith efforts to comply with the Medicare billing rules for outpatient services rendered in connection with an inpatient stay. Although not a guard against intentional wrongdoing, the adoption of the following measures are advisable:

	installing and maintaining computer software that will identify those outpatient services that may not be billed separately from an inpatient stay; or
	implementing a periodic manual review to determine the appropriateness of billing each outpatient service claim, to be conducted by one or more appropriately trained individuals familiar with applicable billing rules; or
	with regard to each inpatient stay, scrutinizing the propriety of any potential bills for outpatient services rendered to that patient at the hospital, within the applicable time period.

In addition to the pre-submission undertakings described above, the hospital may implement a post-submission testing process, as follows:

	implement and maintain a periodic post-submission random testing process that examines or re-examines previously submitted claims for accuracy;
	inform the fiscal intermediary and any other appropriate government fiscal agents of the hospital’s testing process; and
	advise the fiscal intermediary and any other appropriate government fiscal agents in accordance with current regulations or program instructions with respect to return of overpayments of any incorrectly submitted or paid claims and, if the claim has already been paid, promptly reimburse the fiscal intermediary and the beneficiary for the amount of the claim paid by the government payor and any applicable deductibles or copayments, as appropriate.

b. Submission of claims for laboratory services

A hospital’s policies should take reasonable steps to ensure that all claims for clinical and diagnostic laboratory testing services are accurate and correctly identify the services ordered by the physician (or other authorized requestor) and performed by the laboratory. The hospital’s written policies and procedures should require, at a minimum,⁽²⁹⁾ that:

	the hospital bills for laboratory services only after they are performed;
	the hospital bills only for medically necessary services;
	the hospital bills only for those tests actually ordered by a physician and provided by the hospital laboratory;
	the CPT or HCPCS code used by the billing staff accurately describes the service that was ordered by the physician and performed by the hospital laboratory;
	the coding staff: 1) only submit diagnostic information obtained from qualified personnel; and 2) contact the appropriate personnel to obtain diagnostic information in the event that the individual who ordered the test has failed to provide such information; and
	where diagnostic information is obtained from a physician or the physician’s staff after receipt of the specimen and request for services, the receipt of such information is documented and maintained.

c. Physicians at teaching hospitals

Hospitals should ensure the following with respect to all claims submitted on behalf of teaching physicians:

	only services actually provided may be billed;
	every physician who provides or supervises the provision of services to a patient should be responsible for the correct documentation of the services that were rendered;
	the appropriate documentation must be placed in the patient record and signed by the physician who provided or supervised the provision of services to the patient;
	every physician is responsible for assuring that in cases where that physician provides evaluation and management (E&M) services, a patient’s medical record includes appropriate documentation of the applicable key components of the E&M service provided or supervised by the physician (e.g., patient history, physician examination, and medical decision making), as well as documentation to adequately reflect the procedure or portion of the service performed by the physician; and
	every physician should document his or her presence during the key portion of any service or procedure for which payment is sought.

d. Cost reports

With regard to cost report issues, the written policies should include procedures that seek to ensure full compliance with applicable statutes, regulations and program requirements and private payor plans. Among other things, the hospital’s procedures should ensure that:

	costs are not claimed unless based on appropriate and accurate documentation;
	allocations of costs to various cost centers are accurately made and supportable by verifiable and auditable data;
	unallowable costs are not claimed for reimbursement;
	accounts containing both allowable and unallowable costs are analyzed to determine the unallowable amount that should not be claimed for reimbursement;
	costs are properly classified;
	fiscal intermediary prior year audit adjustments are implemented and are either not claimed for reimbursement or claimed for reimbursement and clearly identified as protested amounts on the cost report;
	all related parties are identified on Form 339 submitted with the cost report and all related party charges are reduced to cost;
	requests for exceptions to TEFRA (Tax Equity and Fiscal Responsibility Act of 1982) limits and the Routine Cost Limits are properly documented and supported by verifiable and auditable data;
	the hospital’s procedures for reporting of bad debts on the cost report are in accordance with federal statutes, regulations, guidelines and policies;
	allocations from a hospital chain’s home office cost statement to individual hospital cost reports are accurately made and supportable by verifiable and auditable data; and
	procedures are in place and documented for notifying promptly the Medicare fiscal intermediary (or any other applicable payor, e.g., TRICARE (formerly CHAMPUS) and Medicaid) of errors discovered after the submission of the hospital cost report, and where applicable, after the submission of a hospital chain’s home office cost statement.

With regard to bad debts claimed on the Medicare cost report, see also section six, below, on Bad Debts.

4. Medical Necessity - - Reasonable and Necessary Services

A hospital’s compliance program should provide that claims should only be submitted for services that the hospital has reason to believe are medically necessary and that were ordered by a physician⁽³⁰⁾ or other appropriately licensed individual.

As a preliminary matter, the OIG recognizes that licensed health care professionals must be able to order any services that are appropriate for the treatment of their patients. However, Medicare and other government and private health care plans will only pay for those services that meet appropriate medical necessity standards (in the case of Medicare, i.e., "reasonable and necessary" services). Providers may not bill for services that do not meet the applicable standards. The hospital is in a unique position to deliver this information to the health care professionals on its staff. Upon request, a hospital should be able to provide documentation, such as patients’ medical records and physicians’ orders, to support the medical necessity of a service that the hospital has provided. The compliance officer should ensure that a clear, comprehensive summary of the "medical necessity" definitions and rules of the various government and private plans is prepared and disseminated appropriately.

5. Anti-Kickback and Self-Referral Concerns

The hospital should have policies and procedures in place with respect to compliance with federal and state anti-kickback statutes, as well as the Stark physician self-referral law.⁽³¹⁾ Such policies should provide that:

	all of the hospital's contracts and arrangements with referral sources comply with all applicable statutes and regulations;
	the hospital does not submit or cause to be submitted to the federal health care programs claims for patients who were referred to the hospital pursuant to contracts and financial arrangements that were designed to induce such referrals in violation of the anti-kickback statute, Stark physician self-referral law or similar federal or state statute or regulation; and
	the hospital does not enter into financial arrangements with hospital-based physicians that are designed to provide inappropriate remuneration to the hospital in return for the physician’s ability to provide services to federal health care program beneficiaries at that hospital.⁽³²⁾

Further, the policies and procedures should reference the OIG’s safe harbor regulations, clarifying those payment practices that would be immune from prosecution under the anti-kickback statute. See 42 C.F.R. § 1001.952.

6. Bad Debts

A hospital should develop a mechanism⁽³³⁾ to review, at least annually: 1) whether it is properly reporting bad debts to Medicare; and 2) all Medicare bad debt expenses claimed, to ensure that the hospital’s procedures are in accordance with applicable federal and state statutes, regulations, guidelines and policies. In addition, such a review should ensure that the hospital has appropriate and reasonable mechanisms in place regarding beneficiary deductible or co-payment collection efforts and has not claimed as bad debts any routinely waived Medicare copayments and deductibles, which waiver also constitutes a violation of the anti-kickback statute. Further, the hospital may consult with the appropriate fiscal intermediary as to bad debt reporting requirements, if questions arise.

7. Credit Balances

The Hospital should institute procedures to provide for the timely and accurate reporting of Medicare and other federal health care program credit balances. For example, a hospital may redesignate segments of its information system to allow for the segregation of patient accounts reflecting credit balances. The hospital could remove these accounts from the active accounts and place them in a holding account pending the processing of a reimbursement claim to the appropriate program. A hospital’s information system should have the ability to print out the individual patient accounts that reflect a credit balance in order to permit simplified tracking of credit balances.

In addition, a hospital should designate at least one person (e.g., in the Patient Accounts Department or reasonable equivalent thereof) as having the responsibility for the tracking, recording and reporting of credit balances. Further, a comptroller or an accountant in the hospital’s Accounting Department (or reasonable equivalent thereof) may review reports of credit balances and reimbursements or adjustments on a monthly basis as an additional safeguard.

8. Retention of Records

Hospital compliance programs should provide for the implementation of a records system. This system should establish policies and procedures regarding the creation, distribution, retention, storage, retrieval and destruction of documents. The two types of documents developed under this system should include: 1) all records and documentation, e.g., clinical and medical records and claims documentation, required either by federal or state law for participation in federal health care programs (e.g., Medicare’s conditions of participation requirement that hospital records regarding Medicare claims be retained for a minimum of five years, see 42 C.F.R. § 482.24(b)(1) and HCFA Hospital Manual § 413(C)(12-91); and 2) all records necessary to protect the integrity of the hospital’s compliance process and confirm the effectiveness of the program, e.g., documentation that employees were adequately trained; reports from the hospital’s hotline, including the nature and results of any investigation that was conducted; modifications to the compliance program; self-disclosures; and the results of the hospital’s auditing and monitoring efforts.⁽³⁴⁾

9. Compliance as an Element of a Performance Plan

Compliance programs should require that the promotion of, and adherence to, the elements of the compliance program be a factor in evaluating the performance of managers and supervisors. They, along with other employees, should be periodically trained in new compliance policies and procedures. In addition, all managers and supervisors involved in the coding, claims and cost report development and submission processes should:

	discuss with all supervised employees the compliance policies and legal requirements applicable to their function;
	inform all supervised personnel that strict compliance with these policies and requirements is a condition of employment; and
	disclose to all supervised personnel that the hospital will take disciplinary action up to and including termination or revocation of privileges for violation of these policies or requirements.

In addition to making performance of these duties an element in evaluations, the compliance officer or hospital management should include in the hospital’s compliance program a policy that managers and supervisors will be sanctioned for failure to instruct adequately their subordinates or for failing to detect noncompliance with applicable policies and legal requirements, where reasonable diligence on the part of the manager or supervisor would have led to the discovery of any problems or violations and given the hospital the opportunity to correct them earlier.

B. Designation of a Compliance Officer and a Compliance Committee

1. Compliance Officer

Every hospital should designate a compliance officer to serve as the focal point for compliance activities. This responsibility may be the individual’s sole duty or added to other management responsibilities, depending upon the size and resources of the hospital and the complexity of the task. Designating a compliance officer with the appropriate authority is critical to the success of the program, necessitating the appointment of a high-level official in the hospital with direct access to the hospital’s governing body and the CEO.⁽³⁵⁾ The officer should have sufficient funding and staff to perform his or her responsibilities fully. Coordination and communication are the key functions of the compliance officer with regard to planning, implementing, and monitoring the compliance program.

The compliance officer’s primary responsibilities should include:

	overseeing and monitoring the implementation of the compliance program;⁽³⁶⁾
	reporting on a regular basis to the hospital’s governing body, CEO and compliance committee on the progress of implementation, and assisting these components in establishing methods to improve the hospital’s efficiency and quality of services, and to reduce the hospital’s vulnerability to fraud, abuse and waste;
	periodically revising the program in light of changes in the needs of the organization, and in the law and policies and procedures of government and private payor health plans;
	developing, coordinating, and participating in a multifaceted educational and training program that focuses on the elements of the compliance program, and seeks to ensure that all appropriate employees and management are knowledgeable of, and comply with, pertinent federal and state standards;
	ensuring that independent contractors and agents who furnish medical services to the hospital are aware of the requirements of the hospital’s compliance program with respect to coding, billing, and marketing, among other things;
	coordinating personnel issues with the hospital’s Human Resources office (or its equivalent) to ensure that the National Practitioner Data Bank and Cumulative Sanction Report⁽³⁷⁾ have been checked with respect to all employees, medical staff and independent contractors;
	assisting the hospital’s financial management in coordinating internal compliance review and monitoring activities, including annual or periodic reviews of departments;
	independently investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations (e.g., responding to reports of problems or suspected violations) and any resulting corrective action with all hospital departments, providers and sub-providers,⁽³⁸⁾ agents and, if appropriate, independent contractors; and
	developing policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation.

The compliance officer must have the authority to review all documents and other information that are relevant to compliance activities, including, but not limited to, patient records, billing records, and records concerning the marketing efforts of the facility and the hospital’s arrangements with other parties, including employees, professionals on staff, independent contractors, suppliers, agents, and hospital-based physicians, etc. This policy enables the compliance officer to review contracts and obligations (seeking the advice of legal counsel, where appropriate) that may contain referral and payment issues that could violate the anti-kickback statute, as well as the physician self-referral prohibition and other legal or regulatory requirements.

2. Compliance Committee

The OIG recommends that a compliance committee be established to advise the compliance officer and assist in the implementation of the compliance program.⁽³⁹⁾ The committee’s functions should include:

	analyzing the organization’s industry environment, the legal requirements with which it must comply, and specific risk areas;
	assessing existing policies and procedures that address these areas for possible incorporation into the compliance program;
	working with appropriate hospital departments to develop standards of conduct and policies and procedures to promote compliance with the institution’s program;
	recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization’s standards, policies and procedures as part of its daily operations;
	determining the appropriate strategy/approach to promote compliance with the program and detection of any potential violations, such as through hotlines and other fraud reporting mechanisms; and
	developing a system to solicit, evaluate and respond to complaints and problems.

The committee may also address other functions as the compliance concept becomes part of the overall hospital operating structure and daily routine.

C. Conducting Effective Training and Education

The proper education and training of corporate officers, managers, employees, physicians and other health care professionals, and the continual retraining of current personnel at all levels, are significant elements of an effective compliance program. As part of their compliance programs, hospitals should require personnel to attend specific training on a periodic basis, including appropriate training in federal and state statutes, regulations and guidelines, and the policies of private payors, and training in corporate ethics, which emphasizes the organization’s commitment to compliance with these legal requirements and policies.

These training programs should include sessions highlighting the organization’s compliance program, summarizing fraud and abuse laws, coding requirements, claim development and submission processes and marketing practices that reflect current legal and program standards. The organization must take steps to communicate effectively its standards and procedures to all affected employees, physicians, independent contractors and other significant agents, e.g., by requiring participation in training programs and disseminating publications that explain in a practical manner specific requirements.⁽⁴⁰⁾ Managers of specific departments or groups can assist in identifying areas that require training and in carrying out such training. Training instructors may come from outside or inside the organization. New employees should be targeted for training early in their employment.⁽⁴¹⁾ Any formal training undertaken by the hospital as part of the compliance program should be documented by the compliance officer.

A variety of teaching methods, such as interactive training, and training in several different languages, particularly where a hospital has a culturally diverse staff, should be implemented so that all affected employees are knowledgeable of the institution’s standards of conduct and procedures for alerting senior management to problems and concerns. Targeted training should be provided to corporate officers, managers and other employees whose actions affect the accuracy of the claims submitted to the Government, such as employees involved in the coding, billing, cost reporting and marketing processes. Given the complexity and interdependent relationships of many departments, proper coordination and supervision of this process by the compliance officer is important. In addition to specific training in the risk areas identified in section II.A.2, above, primary training to appropriate corporate officers, managers and other hospital staff should include such topics as:

	Government and private payor reimbursement principles;
	general prohibitions on paying or receiving remuneration to induce referrals;
	proper confirmation of diagnoses;
	submitting a claim for physician services when rendered by a non-physician (i.e., the "incident to" rule and the physician physical presence requirement);
	signing a form for a physician without the physician’s authorization;
	alterations to medical records;
	prescribing medications and procedures without proper authorization;
	proper documentation of services rendered; and
	duty to report misconduct.

Clarifying and emphasizing these areas of concern through training and educational programs are particularly relevant to a hospital’s marketing and financial personnel, in that the pressure to meet business goals may render these employees vulnerable to engaging in prohibited practices.

The OIG suggests that all relevant levels of personnel be made part of various educational and training programs of the hospital. Employees should be required to have a minimum number of educational hours per year, as appropriate, as part of their employment responsibilities.⁽⁴²⁾ For example, for certain employees involved in the billing and coding functions, periodic training in proper DRG coding and documentation of medical records should be required.⁽⁴³⁾ In hospitals with high employee turnover, periodic training updates are critical.

The OIG recommends that attendance and participation in training programs be made a condition of continued employment and that failure to comply with training requirements should result in disciplinary action, including possible termination, when such failure is serious. Adherence to the provisions of the compliance program, such as training requirements, should be a factor in the annual evaluation of each employee.⁽⁴⁴⁾ The hospital should retain adequate records of its training of employees, including attendance logs and material distributed at training sessions.

Finally, the OIG recommends that hospital compliance programs address the need for periodic professional education courses that may be required by statute and regulation for certain hospital personnel.

D. Developing Effective Lines of Commuication

1. Access to the Compliance Officer

An open line of communication between the compliance officer and hospital personnel is equally important to the successful implementation of a compliance program and the reduction of any potential for fraud, abuse and waste. Written confidentiality and non-retaliation policies should be developed and distributed to all employees to encourage communication and the reporting of incidents of potential fraud.⁽⁴⁵⁾ The compliance committee should also develop several independent reporting paths for an employee to report fraud, waste or abuse so that such reports cannot be diverted by supervisors or other personnel.

The OIG encourages the establishment of a procedure so that hospital personnel may seek clarification from the compliance officer or members of the compliance committee in the event of any confusion or question with regard to a hospital policy or procedure. Questions and responses should be documented and dated and, if appropriate, shared with other staff so that standards, policies and procedures can be updated and improved to reflect any necessary changes or clarifications. The compliance officer may want to solicit employee input in developing these communication and reporting systems.

2. Hotlines and Other Forms of Communication

The OIG encourages the use of hotlines (including anonymous hotlines), e-mails, written memoranda, newsletters, and other forms of information exchange to maintain these open lines of communication. If the hospital establishes a hotline, the telephone number should be made readily available to all employees and independent contractors, possibly by conspicuously posting the telephone number in common work areas.⁽⁴⁶⁾ Employees should be permitted to report matters on an anonymous basis. Matters reported through the hotline or other communication sources that suggest substantial violations of compliance policies, regulations or statutes should be documented and investigated promptly to determine their veracity. A log should be maintained by the compliance officer that records such calls, including the nature of any investigation and its results. Such information should be included in reports to the governing body, the CEO and compliance committee. Further, while the hospital should always strive to maintain the confidentiality of an employee’s identity, it should also explicitly communicate that there may be a point where the individual’s identity may become known or may have to be revealed in certain instances when governmental authorities become involved.

The OIG recognizes that assertions of fraud and abuse by employees who may have participated in illegal conduct or committed other malfeasance raise numerous complex legal and management issues that should be examined on a case-by-case basis. The compliance officer should work closely with legal counsel, who can provide guidance regarding such issues.

E. Enforcing Standards Through Well-Publicized Disciplinary Guideline

1. Discipline Policy and Actions

An effective compliance program should include guidance regarding disciplinary action for corporate officers, managers, employees, physicians and other health care professionals who have failed to comply with the hospital’s standards of conduct, policies and procedures, or federal and state laws, or those who have otherwise engaged in wrongdoing, which have the potential to impair the hospital’s status as a reliable, honest and trustworthy health care provider.

The OIG believes that the compliance program should include a written policy statement setting forth the degrees of disciplinary actions that may be imposed upon corporate officers, managers, employees, physicians and other health care professionals for failing to comply with the hospital’s standards and policies and applicable statutes and regulations. Intentional or reckless noncompliance should subject transgressors to significant sanctions. Such sanctions could range from oral warnings to suspension, privilege revocation (subject to any applicable peer review procedures), termination or financial penalties, as appropriate. The written standards of conduct should elaborate on the procedures for handling disciplinary problems and those who will be responsible for taking appropriate action. Some disciplinary actions can be handled by department managers, while others may have to be resolved by a senior hospital administrator. Disciplinary action may be appropriate where a responsible employee’s failure to detect a violation is attributable to his or her negligence or reckless conduct. Personnel should be advised by the hospital that disciplinary action will be taken on a fair and equitable basis. Managers and supervisors should be made aware that they have a responsibility to discipline employees in an appropriate and consistent manner.

It is vital to publish and disseminate the range of disciplinary standards for improper conduct and to educate officers and other hospital staff regarding these standards. The consequences of noncompliance should be consistently applied and enforced, in order for the disciplinary policy to have the required deterrent effect. All levels of employees should be subject to the same disciplinary action for the commission of similar offenses. The commitment to compliance applies to all personnel levels within a hospital. The OIG believes that corporate officers, managers, supervisors, medical staff and other health care professionals should be held accountable for failing to comply with, or for the foreseeable failure of their subordinates to adhere to, the applicable standards, laws, and procedures.

2. New Employee Policy

For all new employees who have discretionary authority to make decisions that may involve compliance with the law or compliance oversight, hospitals should conduct a reasonable and prudent background investigation, including a reference check, as part of every such employment application.⁽⁴⁷⁾ The application should specifically require the applicant to disclose any criminal conviction, as defined by 42 U.S.C. § 1320a-7(i), or exclusion action. Pursuant to the compliance program, hospital policies should prohibit the employment of individuals who have been recently convicted of a criminal offense related to health care or who are listed as debarred, excluded or otherwise ineligible for participation in federal health care programs (as defined in 42 U.S.C. § 1320a-7b(f).) ⁽⁴⁸⁾ In addition, pending the resolution of any criminal charges or proposed debarment or exclusion, the OIG recommends that such individuals should be removed from direct responsibility for or involvement in any federal health care program.⁽⁴⁹⁾ With regard to current employees or independent contractors, if resolution of the matter results in conviction, debarment or exclusion, the hospital should terminate its employment or other contract arrangement with the individual or contractor.

F. Auditing and Monitoring

An ongoing evaluation process is critical to a successful compliance program. The OIG believes that an effective program should incorporate thorough monitoring of its implementation and regular reporting to senior hospital or corporate officers.⁽⁵⁰⁾ Compliance reports created by this ongoing monitoring, including reports of suspected noncompliance, should be maintained by the compliance officer and shared with the hospital’s senior management and the compliance committee.

Although many monitoring techniques are available, one effective tool to promote and ensure compliance is the performance of regular, periodic compliance audits by internal or external auditors who have expertise in federal and state health care statutes, regulations and federal health care program requirements. The audits should focus on the hospital’s programs or divisions, including external relationships with third-party contractors, specifically those with substantive exposure to government enforcement actions. At a minimum, these audits should be designed to address the hospital’s compliance with laws governing kickback arrangements, the physician self-referral prohibition, CPT/HCPCS ICD-9 coding, claim development and submission, reimbursement, cost reporting and marketing. In addition, the audits and reviews should inquire into the hospital’s compliance with specific rules and polices that have been the focus of particular attention on the part of the Medicare fiscal intermediaries or carriers, and law enforcement, as evidenced by OIG Special Fraud Alerts, OIG audits and evaluations, and law enforcement’s initiatives. See section II.A.2, supra. In addition, the hospital should focus on any areas of concern that have been identified by any entity, i.e., federal, state, or internally, specific to the individual hospital.

Monitoring techniques may include sampling protocols that permit the compliance officer to identify and review variations from an established baseline.⁽⁵¹⁾ Significant variations from the baseline should trigger a reasonable inquiry to determine the cause of the deviation. If the inquiry determines that the deviation occurred for legitimate, explainable reasons, the compliance officer, hospital administrator or manager may want to limit any corrective action or take no action. If it is determined that the deviation was caused by improper procedures, misunderstanding of rules, including fraud and systemic problems, the hospital should take prompt steps to correct the problem. Any overpayments discovered as a result of such deviations should be returned promptly to the affected payor, with appropriate documentation and a thorough explanation of the reason for the refund.⁽⁵²⁾

Monitoring techniques may also include a review of any reserves the hospital has established for payments that it may owe to Medicare, Medicaid, TRICARE or other federal health care programs. Any reserves discovered that include funds that should have been paid to Medicare or another government program should be paid promptly, regardless of whether demand has been made for such payment.

An effective compliance program should also incorporate periodic (at least annual) reviews of whether the program’s compliance elements have been satisfied, e.g., whether there has been appropriate dissemination of the program’s standards, training, ongoing educational programs and disciplinary actions, among others. This process will verify actual conformance by all departments with the compliance program. Such reviews could support a determination that appropriate records have been created and maintained to document the implementation of an effective program. However, when monitoring discloses that deviations were not detected in a timely manner due to program deficiencies, appropriate modifications must be implemented. Such evaluations, when developed with the support of management, can help ensure compliance with the hospital’s policies and procedures.

As part of the review process, the compliance officer or reviewers should consider techniques such as:

	on-site visits;
	interviews with personnel involved in management, operations, coding, claim development and submission, patient care, and other related activities;
	questionnaires developed to solicit impressions of a broad cross-section of the hospital’s employees and staff;
	reviews of medical and financial records and other source documents that support claims for reimbursement and Medicare cost reports;
	reviews of written materials and documentation prepared by the different divisions of a hospital; and
	trend analyses, or longitudinal studies, that seek deviations, positive or negative, in specific areas over a given period.

The reviewers should:

	be independent of physicians and line management;
	have access to existing audit and health care resources, relevant personnel and all relevant areas of operation;
	present written evaluative reports on compliance activities to the CEO, governing body and members of the compliance committee on a regular basis, but no less than annually; and
	specifically identify areas where corrective actions are needed.

With these reports, hospital management can take whatever steps are necessary to correct past problems and prevent them from reoccurring. In certain cases, subsequent reviews or studies would be advisable to ensure that the recommended corrective actions have been implemented successfully.

The hospital should document its efforts to comply with applicable statutes, regulations and federal health care program requirements. For example, where a hospital, in its efforts to comply with a particular statute, regulation or program requirement, requests advice from a government agency (including a Medicare fiscal intermediary or carrier) charged with administering a federal health care program, the hospital should document and retain a record of the request and any written or oral response. This step is extremely important if the hospital intends to rely on that response to guide it in future decisions, actions or claim reimbursement requests or appeals. Maintaining a log of oral inquiries between the hospital and third parties represents an additional basis for establishing documentation on which the organization may rely to demonstrate attempts at compliance. Records should be maintained demonstrating reasonable reliance and due diligence in developing procedures that implement such advice.

G. Responding to Detected Offenses and Developing Corrective Action Initiatives

1. Violations and Investigations

Violations of a hospital’s compliance program, failures to comply with applicable federal or state law, and other types of misconduct threaten a hospital’s status as a reliable, honest and trustworthy provider capable of participating in federal health care programs. Detected but uncorrected misconduct can seriously endanger the mission, reputation, and legal status of the hospital. Consequently, upon reports or reasonable indications of suspected noncompliance, it is important that the chief compliance officer or other management officials initiate prompt steps to investigate the conduct in question to determine whether a material violation of applicable law or the requirements of the compliance program has occurred, and if so, take steps to correct the problem.⁽⁵³⁾ As appropriate, such steps may include an immediate referral to criminal and/or civil law enforcement authorities, a corrective action plan,⁽⁵⁴⁾ a report to the Government,⁽⁵⁵⁾ and the submission of any overpayments, if applicable.

Where potential fraud or False Claims Act liability is not involved, the OIG recognizes that HCFA regulations and contractor guidelines already include procedures for returning overpayments to the Government as they are discovered. However, even if the overpayment detection and return process is working and is being monitored by the hospital’s audit or coding divisions, the OIG still believes that the compliance officer needs to be made aware of these overpayments, violations or deviations and look for trends or patterns that may demonstrate a systemic problem.

Depending upon the nature of the alleged violations, an internal investigation will probably include interviews and a review of relevant documents. Some hospitals should consider engaging outside counsel, auditors, or health care experts to assist in an investigation. Records of the investigation should contain documentation of the alleged violation, a description of the investigative process, copies of interview notes and key documents, a log of the witnesses interviewed and the documents reviewed, the results of the investigation, e.g., any disciplinary action taken, and the corrective action implemented. While any action taken as the result of an investigation will necessarily vary depending upon the hospital and the situation, hospitals should strive for some consistency by utilizing sound practices and disciplinary protocols. Further, after a reasonable period, the compliance officer should review the circumstances that formed the basis for the investigation to determine whether similar problems have been uncovered.

If an investigation of an alleged violation is undertaken and the compliance officer believes the integrity of the investigation may be at stake because of the presence of employees under investigation, those subjects should be removed from their current work activity until the investigation is completed (unless an internal or Government-led undercover operation is in effect). In addition, the compliance officer should take appropriate steps to secure or prevent the destruction of documents or other evidence relevant to the investigation. If the hospital determines that disciplinary action is warranted, it should be prompt and imposed in accordance with the hospital’s written standards of disciplinary action.

2. Reporting

If the compliance officer, compliance committee or management official discovers credible evidence of misconduct from any source and, after a reasonable inquiry, has reason to believe that the misconduct may violate criminal, civil or administrative law, then the hospital promptly should report the existence of misconduct to the appropriate governmental authority⁽⁵⁶⁾ within a reasonable period, but not more than sixty (60) days⁽⁵⁷⁾ after determining that there is credible evidence of a violation.⁽⁵⁸⁾ Prompt reporting will demonstrate the hospital’s good faith and willingness to work with governmental authorities to correct and remedy the problem. In addition, reporting such conduct will be considered a mitigating factor by the OIG in determining administrative sanctions (e.g., penalties, assessments, and exclusion), if the reporting provider becomes the target of an OIG investigation.⁽⁵⁹⁾

When reporting misconduct to the Government, a hospital should provide all evidence relevant to the alleged violation of applicable federal or state law(s) and potential cost impact. The compliance officer, under advice of counsel, and with guidance from the governmental authorities, could be requested to continue to investigate the reported violation. Once the investigation is completed, the compliance officer should be required to notify the appropriate governmental authority of the outcome of the investigation, including a description of the impact of the alleged violation on the operation of the applicable health care programs or their beneficiaries. If the investigation ultimately reveals that criminal or civil violations have occurred, the appropriate federal and state officials⁽⁶⁰⁾ should be notified immediately.

As previously stated, the hospital should take appropriate corrective action, including prompt identification and restitution of any overpayment to the affected payor and the imposition of proper disciplinary action. Failure to repay overpayments within a reasonable period of time could be interpreted as an intentional attempt to conceal the overpayment from the Government, thereby establishing an independent basis for a criminal violation with respect to the hospital, as well as any individuals who may have been involved.⁽⁶¹⁾ For this reason, hospital compliance programs should emphasize that overpayments obtained from Medicare or other federal health care programs should be promptly returned to the payor that made the erroneous payment.⁽⁶²⁾

You can download the FREE Acrobat reader by clicking the 'Get Acrobat' button: