II. Developing a Voluntary Compliance Program

A. The Seven Basic Components of a Voluntary Compliance Program

The OIG believes that a basic framework for any voluntary compliance program begins with a review of the seven basic components of an effective compliance program. A review of these components provides physician practices with an overview of the scope of a fully developed and implemented compliance program. The following list of components, as set forth in previous OIG compliance program guidances, can form the basis of a voluntary compliance program for a physician practice:

Conducting internal monitoring and auditing through the performance of periodic audits;

Implementing compliance and practice standards through the development of written standards and procedures;

Designating a compliance officer or contact(s) to monitor compliance efforts and enforce practice standards;

Conducting appropriate training and education on practice standards and procedures;

Responding appropriately to detected violations through the investigation of allegations and the disclosure of incidents to appropriate Government entities;

Developing open lines of communication, such as (1) discussions at staff meetings regarding how to avoid erroneous or fraudulent conduct and (2) community bulletin boards, to keep practice employees updated regarding compliance activities; and

Enforcing disciplinary standards through well-publicized guidelines.

These seven components provide a solid basis upon which a physician practice can create a compliance program. The OIG acknowledges that full implementation of all components may not be feasible for all physician practices. Some physician practices may never fully implement all of the components. However, as a first step, physician practices can begin by adopting only those components which, based on a practice's specific history with billing problems and other compliance issues, are most likely to provide an identifiable benefit.

The extent of implementation will depend on the size and resources of the practice. Smaller physician practices may incorporate each of the components in a manner that best suits the practice. By contrast, larger physician practices often have the means to incorporate the components in a more systematic manner. For example, larger physician practices can use both this guidance and the Third-Party Medical Billing Compliance Program Guidance, which provides a more detailed compliance program structure, to create a compliance program unique to the practice.

The OIG recognizes that physician practices need to find the best way to achieve compliance for their given circumstances. Specifically, the OIG encourages physician practices to participate in other provider's compliance programs, such as the compliance programs of the hospitals or other settings in which the physicians practice. Physician Practice Management companies also may serve as a source of compliance program guidance. A physician practice's participation in such compliance programs could be a way, at least partly, to augment the practice's own compliance efforts.

The opportunities for collaborative compliance efforts could include participating in training and education programs or using another entity's policies and procedures as a template from which the physician practice creates its own version. The OIG encourages this type of collaborative effort, where the content is appropriate to the setting involved (i.e., the training is relevant to physician practices as well as the sponsoring provider), because it provides a means to promote the desired objective without imposing excessive burdens on the practice or requiring physicians to undertake duplicative action. However, to prevent possible anti-kickback or self-referral issues, the OIG recommends that physicians consider limiting their participation in a sponsoring provider's compliance program to the areas of training and education or policies and procedures.

The key to avoiding possible conflicts is to ensure that the entity providing compliance services to a physician practice (its referral source) is not perceived as nor is it operating the practice compliance program at no charge. For example, if the sponsoring entity conducted claims review for the physician practice as part of a compliance program or provided compliance oversight without charging the practice fair market value for those services, the anti-kickback and Stark self-referral laws would be implicated. The payment of fair market value by referral sources for compliance services will generally address these concerns.

B. Steps for Implementing a Voluntary Compliance Program

As previously discussed, implementing a voluntary compliance program can be a multi-tiered process. Initial development of the compliance program can be focused on practice risk areas that have been problematic for the practice such as coding and billing. Within this area, the practice should examine its claims denial history or claims that have resulted in repeated overpayments, and identify and correct the most frequent sources of those denials or overpayments. A review of claim denials will help the practice scrutinize a significant risk area and improve its cash flow by submitting correct claims that will be paid the first time they are submitted. As this example illustrates, a compliance program for a physician practice often makes sound business sense.

The following is a suggested order of the steps a practice could take to begin the development of a compliance program. The steps outlined below articulate all seven components of a compliance program and there are numerous suggestions for implementation within each component. Physician practices should keep in mind, as stated earlier, that it is up to the practice to determine the manner in which and the extent to which the practice chooses to implement these voluntary measures.

Step One: Auditing and Monitoring

An ongoing evaluation process is important to a successful compliance program. This ongoing evaluation includes not only whether the physician practice's standards and procedures are in fact current and accurate, but also whether the compliance program is working, i.e., whether individuals are properly carrying out their responsibilities and claims are submitted appropriately. Therefore, an audit is an excellent way for a physician practice to ascertain what, if any, problem areas exist and focus on the risk areas that are associated with those problems. There are two types of reviews that can be performed as part of this evaluation: (1) A standards and procedures review; and (2) a claims submission audit.

1. Standards and Procedures

It is recommended that an individual(s) in the physician practice be charged with the responsibility of periodically reviewing the practice's standards and procedures to determine if they are current and complete. If the standards and procedures are found to be ineffective or outdated, they should be updated to reflect changes in Government regulations or compendiums generally relied upon by physicians and insurers (i.e., changes in Current Procedural Terminology (CPT) and ICD-9-CM codes).

2. Claims Submission Audit

In addition to the standards and procedures themselves, it is advisable that bills and medical records be reviewed for compliance with applicable coding, billing and documentation requirements. The individuals from the physician practice involved in these self-audits would ideally include the person in charge of billing (if the practice has such a person) and a medically trained person (e.g., registered nurse or preferably a physician (physicians can rotate in this position)). Each physician practice needs to decide for itself whether to review claims retrospectively or concurrently with the claims submission. In the Third-Party Medical Billing Compliance Program Guidance, the OIG recommended that a baseline, or "snapshot," be used to enable a practice to judge over time its progress in reducing or eliminating potential areas of vulnerability. This practice, known as "benchmarking," allows a practice to chart its compliance efforts by showing a reduction or increase in the number of claims paid and denied.

The practice's self-audits can be used to determine whether:

Bills are accurately coded and accurately reflect the services provided (as documented in the medical records);

Documentation is being completed correctly;

Services or items provided are reasonable and necessary; and

Any incentives for unnecessary services exist.

A baseline audit examines the claim development and submission process, from patient intake through claim submission and payment, and identifies elements within this process that may contribute to non-compliance or that may need to be the focus for improving execution.(7) This audit will establish a consistent methodology for selecting and examining records, and this methodology will then serve as a basis for future audits.

There are many ways to conduct a baseline audit. The OIG recommends that claims/services that were submitted and paid during the initial three months after implementation of the education and training program be examined, so as to give the physician practice a benchmark against which to measure future compliance effectiveness.

Following the baseline audit, a general recommendation is that periodic audits be conducted at least once each year to ensure that the compliance program is being followed. Optimally, a randomly selected number of medical records could be reviewed to ensure that the coding was performed accurately. Although there is no set formula to how many medical records should be reviewed, a basic guide is five or more medical records per Federal payor (i.e., Medicare, Medicaid), or five to ten medical records per physician. The OIG realizes that physician practices receive reimbursement from a number of different payors, and we would encourage a physician practice's auditing/monitoring process to consist of a review of claims from all Federal payors from which the practice receives reimbursement. Of course, the larger the sample size, the larger the comfort level the physician practice will have about the results. However, the OIG is aware that this may be burdensome for some physician practices, so, at a minimum, we would encourage the physician practice to conduct a review of claims that have been reimbursed by Federal health care programs.

If problems are identified, the physician practice will need to determine whether a focused review should be conducted on a more frequent basis. When audit results reveal areas needing additional information or education of employees and physicians, the physician practice will need to analyze whether these areas should be incorporated into the training and educational system.

There are many ways to identify the claims/services from which to draw the random sample of claims to be audited. One methodology is to choose a random sample of claims/services from either all of the claims/services a physician has received reimbursement for or all claims/services from a particular payor. Another method is to identify risk areas or potential billing vulnerabilities. The codes associated with these risk areas may become the universe of claims/services from which to select the sample. The OIG recommends that the physician practice evaluate claims/services selected to determine if the codes billed and reimbursed were accurately ordered, performed, and reasonable and necessary for the treatment of the patient.

One of the most important components of a successful compliance audit protocol is an appropriate response when the physician practice identifies a problem. This action should be taken as soon as possible after the date the problem is identified. The specific action a physician practice takes should depend on the circumstances of the situation. In some cases, the response can be as straight forward as generating a repayment with appropriate explanation to Medicare or the appropriate payor from which the overpayment was received. In others, the physician practice may want to consult with a coding/billing expert to determine the next best course of action. There is no boilerplate solution to how to handle problems that are identified.

It is a good business practice to create a system to address how physician practices will respond to and report potential problems. In addition, preserving information relating to identification of the problem is as important as preserving information that tracks the physician practice's reaction to, and solution for, the issue.

Step Two: Establish Practice Standards and Procedures

After the internal audit identifies the practice's risk areas, the next step is to develop a method for dealing with those risk areas through the practice's standards and procedures. Written standards and procedures are a central component of any compliance program. Those standards and procedures help to reduce the prospect of erroneous claims and fraudulent activity by identifying risk areas for the practice and establishing tighter internal controls to counter those risks, while also helping to identify any aberrant billing practices. Many physician practices already have something similar to this called "practice standards" that include practice policy statements regarding patient care, personnel matters and practice standards and procedures on complying with Federal and State law.

The OIG believes that written standards and procedures can be helpful to all physician practices, regardless of size and capability. If a lack of resources to develop such standards and procedures is genuinely an issue, the OIG recommends that a physician practice focus first on those risk areas most likely to arise in its particular practice.(8) Additionally, if the physician practice works with a physician practice management company (PPMC), independent practice association (IPA), physician-hospital organization, management services organization (MSO) or third-party billing company, the practice can incorporate the compliance standards and procedures of those entities, if appropriate, into its own standards and procedures. Many physician practices have found that the adoption of a third party's compliance standards and procedures, as appropriate, has many benefits and the result is a consistent set of standards and procedures for a community of physicians as well as having just one entity that can then monitor and refine the process as needed. This sharing of compliance responsibilities assists physician practices in rural areas that do not have the staff to perform these functions, but do belong to a group that does have the resources. Physician practices using another entity's compliance materials will need to tailor those materials to the physician practice where they will be applied.
Physician practices that do not have standards or procedures in place can develop them by: (1) Developing a written standards and procedures manual; and (2) updating clinical forms periodically to make sure they facilitate and encourage clear and complete documentation of patient care. A practice's standards could also identify the clinical protocol(s), pathway(s), and other treatment guidelines followed by the practice.

Creating a resource manual from publicly available information may be a cost-effective approach for developing additional standards and procedures. For example, the practice can develop a "binder" that contains the practice's written standards and procedures, relevant HCFA directives and carrier bulletins, and summaries of informative OIG documents (e.g., Special Fraud Alerts, Advisory Opinions, inspection and audit reports)(9) If the practice chooses to adopt this idea, the binder should be updated as appropriate and located in a readily accessible location.

If updates to the standards and procedures are necessary, those updates should be communicated to employees to keep them informed regarding the practice's operations. New employees can be made aware of the standards and procedures when hired and can be trained on their contents as part of their orientation to the practice. The OIG recommends that the communication of updates and training of new employees occur as soon as possible after either the issuance of a new update or the hiring of a new employee.

1. Specific Risk Areas

The OIG recognizes that many physician practices may not have in place standards and procedures to prevent erroneous or fraudulent conduct in their practices. In order to develop standards and procedures, the physician practice may consider what types of fraud and abuse related topics need to be addressed based on its specific needs. One of the most important things in making that determination is a listing of risk areas where the practice may be vulnerable.

To assist physician practices in performing this initial assessment, the OIG has developed a list of four potential risk areas affecting physician practices. These risk areas include: (a) Coding and billing; (b) reasonable and necessary services; (c) documentation; and (d) improper inducements, kickbacks and self-referrals. This list of risk areas is not exhaustive, or all-encompassing. Rather, it should be viewed as a starting point for an internal review of potential vulnerabilities within the physician practice.(10) The objective of such an assessment is to ensure that key personnel in the physician practice are aware of these major risk areas and that steps are taken to minimize, to the extent possible, the types of problems identified. While there are many ways to accomplish this objective, clear written standards and procedures that are communicated to all employees are important to ensure the effectiveness of a compliance program. Specifically, the following are discussions of risk areas for physician practices:(11)

a. Coding and Billing. A major part of any physician practice's compliance program is the identification of risk areas associated with coding and billing. The following risk areas associated with billing have been among the most frequent subjects of investigations and audits by the OIG:

Billing for items or services not rendered or not provided as claimed;(12)

Submitting claims for equipment, medical supplies and services that are not reasonable and necessary;(13)

Double billing resulting in duplicate payment;(14)

Billing for non-covered services as if covered;(15)

Knowing misuse of provider identification numbers, which results in improper billing;(16)

Unbundling (billing for each component of the service instead of billing or using an all inclusive code);(17)

Failure to properly use coding modifiers;(18)

Clustering;(19) and

Upcoding the level of service provided.(20)

The physician practice written standards and procedures concerning proper coding reflect the current reimbursement principles set forth in applicable statutes, regulations(21) and Federal, State or private payor health care program requirements and should be developed in tandem with coding and billing standards used in the physician practice. Furthermore, written standards and procedures should ensure that coding and billing are based on medical record documentation. Particular attention should be paid to issues of appropriate diagnosis codes and individual Medicare Part B claims (including documentation guidelines for evaluation and management services).(22) A physician practice can also institute a policy that the coder and/or physician review all rejected claims pertaining to diagnosis and procedure codes. This step can facilitate a reduction in similar errors.

b. Reasonable and Necessary Services. A practice's compliance program may provide guidance that claims are to be submitted only for services that the physician practice finds to be reasonable and necessary in the particular case. The OIG recognizes that physicians should be able to order any tests, including screening tests, they believe are appropriate for the treatment of their patients. However, a physician practice should be aware that Medicare will only pay for services that meet the Medicare definition of reasonable and necessary.(23)

Medicare (and many insurance plans) may deny payment for a service that is not reasonable and necessary according to the Medicare reimbursement rules. Thus, when a physician provides services to a Medicare beneficiary, he or she should only bill those services that meet the Medicare standard of being reasonable and necessary for the diagnosis and treatment of a patient. A physician practice can bill in order to receive a denial for services, but only if the denial is needed for reimbursement from the secondary payor. Upon request, the physician practice should be able to provide documentation, such as a patient's medical records and physician's orders, to support the appropriateness of a service that the physician has provided.

c. Documentation. Timely, accurate and complete documentation is important to clinical patient care. This same documentation serves as a second function when a bill is submitted for payment, namely, as verification that the bill is accurate as submitted. Therefore, one of the most important physician practice compliance issues is the appropriate documentation of diagnosis and treatment. Physician documentation is necessary to determine the appropriate medical treatment for the patient and is the basis for coding and billing determinations. Thorough and accurate documentation also helps to ensure accurate recording and timely transmission of information.

i. Medical Record Documentation. In addition to facilitating high quality patient care, a properly documented medical record verifies and documents precisely what services were actually provided. The medical record may be used to validate: (a) The site of the service; (b) the appropriateness of the services provided; (c) the accuracy of the billing; and (d) the identity of the care giver (service provider). Examples of internal documentation guidelines a practice might use to ensure accurate medical record documentation include the following:(24)

The medical record is complete and legible;

The documentation of each patient encounter includes the reason for the encounter; any relevant history; physical examination findings; prior diagnostic test results; assessment, clinical impression, or diagnosis; plan of care; and date and legible identity of the observer;

If not documented, the rationale for ordering diagnostic and other ancillary services can be easily inferred by an independent reviewer or third party who has appropriate medical training;

CPT and ICD-9-CM codes used for claims submission are supported by documentation and the medical record; and

Appropriate health risk factors are identified. The patient's progress, his or her response to, and any changes in, treatment, and any revision in diagnosis is documented.

The CPT and ICD-9-CM codes reported on the health insurance claims form should be supported by documentation in the medical record and the medical chart should contain all necessary information. Additionally, HCFA and the local carriers should be able to determine the person who provided the services. These issues can be the root of investigations of inappropriate or erroneous conduct, and have been identified by HCFA and the OIG as a leading cause of improper payments.

One method for improving quality in documentation is for a physician practice to compare the practice's claim denial rate to the rates of other practices in the same specialty to the extent that the practice can obtain that information from the carrier. Physician coding and diagnosis distribution can be compared for each physician within the same specialty to identify variances.

ii. HCFA 1500 Form. Another documentation area for physician practices to monitor closely is the proper completion of the HCFA 1500 form. The following practices will help ensure that the form has been properly completed:

Link the diagnosis code with the reason for the visit or service;
Use modifiers appropriately;

Provide Medicare with all information about a beneficiary's other insurance coverage under the Medicare Secondary Payor (MSP) policy, if the practice is aware of a beneficiary's additional coverage.

d. Improper Inducements, Kickbacks and Self-Referrals. A physician practice would be well advised to have standards and procedures that encourage compliance with the anti-kickback statute(25) and the physician self-referral law.(26) Remuneration for referrals is illegal because it can distort medical decision-making, cause overutilization of services or supplies, increase costs to Federal health care programs, and result in unfair competition by shutting out competitors who are unwilling to pay for referrals. Remuneration for referrals can also affect the quality of patient care by encouraging physicians to order services or supplies based on profit rather than the patients' best medical interests.(27)

In particular, arrangements with hospitals, hospices, nursing facilities, home health agencies, durable medical equipment suppliers, pharmaceutical manufacturers and vendors are areas of potential concern. In general the anti-kickback statute prohibits knowingly and willfully giving or receiving anything of value to induce referrals of Federal health care program business. It is generally recommended that all business arrangements wherein physician practices refer business to, or order services or items from, an outside entity should be on a fair market value basis.(28) Whenever a physician practice intends to enter into a business arrangement that involves making referrals, the arrangement should be reviewed by legal counsel familiar with the anti-kickback statute and physician self-referral statute.

In addition to developing standards and procedures to address arrangements with other health care providers and suppliers, physician practices should also consider implementing measures to avoid offering inappropriate inducements to patients.(29) Examples of such inducements include routinely waiving coinsurance or deductible amounts without a good faith determination that the patient is in financial need or failing to make reasonable efforts to collect the cost-sharing amount.(30)

Possible risk factors relating to this risk area that could be addressed in the practice's standards and procedures include:

Financial arrangements with outside entities to whom the practice may refer Federal health care program business;(31)

Joint ventures with entities supplying goods or services to the physician practice or its patients;(32)

Consulting contracts or medical directorships;

Office and equipment leases with entities to which the physician refers; and

Soliciting, accepting or offering any gift or gratuity of more than nominal value to or from those who may benefit from a physician practice's referral of Federal health care program business.(33)

In order to keep current with this area of the law, a physician practice may obtain copies, available on the OIG web site or in hard copy from the OIG, of all relevant OIG Special Fraud Alerts and Advisory Opinions that address the application of the anti-kickback and physician self-referral laws to ensure that the standards and procedures reflect current positions and opinions.

2. Retention of Records

In light of the documentation requirements faced by physician practices, it would be to the practice's benefit if its standards and procedures contained a section on the retention of compliance, business and medical records. These records primarily include documents relating to patient care and the practice's business activities. A physician practice's designated compliance contact could keep an updated binder or record of these documents, including information relating to compliance activities. The primary compliance documents that a practice would want to retain are those that relate to educational activities, internal investigations and internal audit results. We suggest that particular attention should be paid to documenting investigations of potential violations uncovered by the compliance program and the resulting remedial action. Although there is no requirement that the practice retain its compliance records, having all the relevant documentation relating to the practice's compliance efforts or handling of a particular problem can benefit the practice should it ever be questioned regarding those activities.

Physician practices that implement a compliance program might also want to provide for the development and implementation of a records retention system. This system would establish standards and procedures regarding the creation, distribution, retention, and destruction of documents. If the practice decides to design a record system, privacy concerns and Federal or State regulatory requirements should be taken into consideration.(34)

While conducting its compliance activities, as well as its daily operations, a physician practice would be well advised, to the extent it is possible, to document its efforts to comply with applicable Federal health care program requirements. For example, if a physician practice requests advice from a Government agency (including a Medicare carrier) charged with administering a Federal health care program, it is to the benefit of the practice to document and retain a record of the request and any written or oral response (or nonresponse). This step is extremely important if the practice intends to rely on that response to guide it in future decisions, actions, or claim reimbursement requests or appeals.

In short, it is in the best interest of all physician practices, regardless of size, to have procedures to create and retain appropriate documentation. The following record retention guidelines are suggested:

The length of time that a practice's records are to be retained can be specified in the physician practice's standards and procedures (Federal and State statutes should be consulted for specific time frames, if applicable);

Medical records (if in the possession of the physician practice) need to be secured against loss, destruction, unauthorized access, unauthorized reproduction, corruption, or damage; and

Standards and procedures can stipulate the disposition of medical records in the event the practice is sold or closed.

Step Three: Designation of a Compliance Officer/Contact(s)

After the audits have been completed and the risk areas identified, ideally one member of the physician practice staff needs to accept the responsibility of developing a corrective action plan, if necessary, and oversee the practice's adherence to that plan. This person can either be in charge of all compliance activities for the practice or play a limited role merely to resolve the current issue. In a formalized institutional compliance program there is a compliance officer who is responsible for overseeing the implementation and day-to-day operations of the compliance program. However, the resource constraints of physician practices make it so that it is often impossible to designate one person to be in charge of compliance functions.

It is acceptable for a physician practice to designate more than one employee with compliance monitoring responsibility. In lieu of having a designated compliance officer, the physician practice could instead describe in its standards and procedures the compliance functions for which designated employees, known as "compliance contacts," would be responsible. For example, one employee could be responsible for preparing written standards and procedures, while another could be responsible for conducting or arranging for periodic audits and ensuring that billing questions are answered. Therefore, the compliance-related responsibilities of the designated person or persons may be only a portion of his or her duties.

Another possibility is that one individual could serve as compliance officer for more than one entity. In situations where staffing limitations mandate that the practice cannot afford to designate a person(s) to oversee compliance activities, the practice could outsource all or part of the functions of a compliance officer to a third party, such as a consultant, PPMC, MSO, IPA or third-party billing company. However, if this role is outsourced, it is beneficial for the compliance officer to have sufficient interaction with the physician practice to be able to effectively understand the inner workings of the practice. For example, consultants that are not in close geographic proximity to a practice may not be effective compliance officers for the practice.
One suggestion for how to maintain continual interaction is for the practice to designate someone to serve as a liaison with the outsourced compliance officer. This would help ensure a strong tie between the compliance officer and the practice's daily operations. Outsourced compliance officers, who spend most of their time offsite, have certain limitations that a physician practice should consider before making such a critical decision. These limitations can include lack of understanding as to the inner workings of the practice, accessibility and possible conflicts of interest when one compliance officer is serving several practices.

If the physician practice decides to designate a particular person(s) to oversee all compliance activities, not just those in conjunction with the audit-related issue, the following is a list of suggested duties that the practice may want to assign to that person(s):

Overseeing and monitoring the implementation of the compliance program;

Establishing methods, such as periodic audits, to improve the practice's efficiency and quality of services, and to reduce the practice's vulnerability to fraud and abuse;

Periodically revising the compliance program in light of changes in the needs of the practice or changes in the law and in the standards and procedures of Government and private payor health plans;

Developing, coordinating and participating in a training program that focuses on the components of the compliance program, and seeks to ensure that training materials are appropriate;

Ensuring that the HHS-OIG's List of Excluded Individuals and Entities, and the General Services Administration's (GSA's) List of Parties Debarred from Federal Programs have been checked with respect to all employees, medical staff and independent contractors;(35) and

Investigating any report or allegation concerning possible unethical or improper business practices, and monitoring subsequent corrective action and/or compliance.
Each physician practice needs to assess its own practice situation and determine what best suits that practice in terms of compliance oversight.

Step Four: Conducting Appropriate Training and Education

Education is an important part of any compliance program and is the logical next step after problems have been identified and the practice has designated a person to oversee educational training. Ideally, education programs will be tailored to the physician practice's needs, specialty and size and will include both compliance and specific training.

There are three basic steps for setting up educational objectives:

Determining who needs training (both in coding and billing and in compliance);

Determining the type of training that best suits the practice's needs (e.g., seminars, in-service training, self-study or other programs); and

Determining when and how often education is needed and how much each person should receive.

Training may be accomplished through a variety of means, including in-person training sessions (i.e., either on site or at outside seminars), distribution of newsletters,(36) or even a readily accessible office bulletin board. Regardless of the training modality used, a physician practice should ensure that the necessary education is communicated effectively and that the practice's employees come away from the training with a better understanding of the issues covered.

1. Compliance Training

Under the direction of the designated compliance officer/contact, both initial and recurrent training in compliance is advisable, both with respect to the compliance program itself and applicable statutes and regulations. Suggestions for items to include in compliance training are: The operation and importance of the compliance program; the consequences of violating the standards and procedures set forth in the program; and the role of each employee in the operation of the compliance program.
There are two goals a practice should strive for when conducting compliance training: (1) All employees will receive training on how to perform their jobs in compliance with the standards of the practice and any applicable regulations; and (2) each employee will understand that compliance is a condition of continued employment. Compliance training focuses on explaining why the practice is developing and establishing a compliance program. The training should emphasize that following the standards and procedures will not get a practice employee in trouble, but violating the standards and procedures may subject the employee to disciplinary measures. It is advisable that new employees be trained on the compliance program as soon as possible after their start date and employees should receive refresher training on an annual basis or as appropriate.

2. Coding and Billing Training

Coding and billing training on the Federal health care program requirements may be necessary for certain members of the physician practice staff depending on their respective responsibilities. The OIG understands that most physician practices do not employ a professional coder and that the physician is often primarily responsible for all coding and billing. However, it is in the practice's best interest to ensure that individuals who are directly involved with billing, coding or other aspects of the Federal health care programs receive extensive education specific to that individual's responsibilities. Some examples of items that could be covered in coding and billing training include:

Coding requirements;

Claim development and submission processes;

Signing a form for a physician without the physician's authorization;
Proper documentation of services rendered;

Proper billing standards and procedures and submission of accurate bills for services or items rendered to Federal health care program beneficiaries; and

The legal sanctions for submitting deliberately false or reckless billings.

3. Format of the Training Program

Training may be conducted either in-house or by an outside source.(37) Training at outside seminars, instead of internal programs and in-service sessions, may be an effective way to achieve the practice's training goals. In fact, many community colleges offer certificate or associate degree programs in billing and coding, and professional associations provide various kinds of continuing education and certification programs. Many carriers also offer billing training.

The physician practice may work with its third-party billing company, if one is used, to ensure that documentation is of a level that is adequate for the billing company to submit accurate claims on behalf of the physician practice. If it is not, these problem areas should also be covered in the training. In addition to the billing training, it is advisable for physician practices to maintain updated ICD-9, HCPCS and CPT manuals (in addition to the carrier bulletins construing those sources) and make them available to all employees involved in the billing process. Physician practices can also provide a source of continuous updates on current billing standards and procedures by making publications or Government documents that describe current billing policies available to its employees.(38)

Physician practices do not have to provide separate education and training programs for the compliance and coding and billing training. All in-service training and continuing education can integrate compliance issues, as well as other core values adopted by the practice, such as quality improvement and improved patient service, into their curriculum.

4. Continuing Education on Compliance Issues

There is no set formula for determining how often training sessions should occur. The OIG recommends that there be at least an annual training program for all individuals involved in the coding and billing aspects of the practice.(39) Ideally, new billing and coding employees will be trained as soon as possible after assuming their duties and will work under an experienced employee until their training has been completed.

Step Five: Responding To Detected Offenses and Developing Corrective Action Initiatives

When a practice determines it has detected a possible violation, the next step is to develop a corrective action plan and determine how to respond to the problem. Violations of a physician practice's compliance program, significant failures to comply with applicable Federal or State law, and other types of misconduct threaten a practice's status as a reliable, honest, and trustworthy provider of health care. Consequently, upon receipt of reports or reasonable indications of suspected noncompliance, it is important that the compliance contact or other practice employee look into the allegations to determine whether a significant violation of applicable law or the requirements of the compliance program has indeed occurred, and, if so, take decisive steps to correct the problem.(40) As appropriate, such steps may involve a corrective action plan,(41) the return of any overpayments, a report to the Government,(42) and/or a referral to law enforcement authorities.

One suggestion is that the practice, in developing its compliance program, develop its own set of monitors and warning indicators. These might include: Significant changes in the number and/or types of claim rejections and/or reductions; correspondence from the carriers and insurers challenging the medical necessity or validity of claims; illogical patterns or unusual changes in the pattern of CPT-4, HCPCS or ICD-9 code utilization; and high volumes of unusual charge or payment adjustment transactions. If any of these warning indicators become apparent, then it is recommended that the practice follow up on the issues. Subsequently, as appropriate, the compliance procedures of the practice may need to be changed to prevent the problem from recurring.

For potential criminal violations, a physician practice would be well advised in its compliance program procedures to include steps for prompt referral or disclosure to an appropriate Government authority or law enforcement agency. In regard to overpayment issues, it is advised that the physician practice take appropriate corrective action, including prompt identification and repayment of any overpayment to the affected payor.

It is also recommended that the compliance program provide for a full internal assessment of all reports of detected violations. If the physician practice ignores reports of possible fraudulent activity, it is undermining the very purpose it hoped to achieve by implementing a compliance program.

It is advised that the compliance program standards and procedures include provisions to ensure that a violation is not compounded once discovered. In instances involving individual misconduct, the standards and procedures might also advise as to whether the individuals involved in the violation either be retrained, disciplined, or, if appropriate, terminated. The physician practice may also prevent the compounding of the violation by conducting a review of all confirmed violations, and, if appropriate, self-reporting the violations to the applicable authority.

The physician practice may consider the fact that if a violation occurred and was not detected, its compliance program may require modification. Physician practices that detect violations could analyze the situation to determine whether a flaw in their compliance program failed to anticipate the detected problem, or whether the compliance program's procedures failed to prevent the violation. In any event, it is prudent, even absent the detection of any violations, for physician practices to periodically review and modify their compliance programs.

Step Six: Developing Open Lines of Communication

In order to prevent problems from occurring and to have a frank discussion of why the problem happened in the first place, physician practices need to have open lines of communication. Especially in a smaller practice, an open line of communication is an integral part of implementing a compliance program. Guidance previously issued by the OIG has encouraged the use of several forms of communication between the compliance officer/committee and provider personnel, many of which focus on formal processes and are more costly to implement (e.g., hotlines and e-mail). However, the OIG recognizes that the nature of some physician practices is not as conducive to implementing these types of measures. The nature of a small physician practice dictates that such communication and information exchanges need to be conducted through a less formalized process than that which has been envisioned by prior OIG guidance.

In the small physician practice setting, the communication element may be met by implementing a clear "open door" policy between the physicians and compliance personnel and practice employees. This policy can be implemented in conjunction with less formal communication techniques, such as conspicuous notices posted in common areas and/or the development and placement of a compliance bulletin board where everyone in the practice can receive up-to-date compliance information.(43)
A compliance program's system for meaningful and open communication can include the following:

The requirement that employees report conduct that a reasonable person would, in good faith, believe to be erroneous or fraudulent;

The creation of a user-friendly process (such as an anonymous drop box for larger practices) for effectively reporting erroneous or fraudulent conduct;
Provisions in the standards and procedures that state that a failure to report erroneous or fraudulent conduct is a violation of the compliance program;
The development of a simple and readily accessible procedure to process reports of erroneous or fraudulent conduct;

If a billing company is used, communication to and from the billing company's compliance officer/contact and other responsible staff to coordinate billing and compliance activities of the practice and the billing company, respectively. Communication can include, as appropriate, lists of reported or identified concerns, initiation and the results of internal assessments, training needs, regulatory changes, and other operational and compliance matters;

The utilization of a process that maintains the anonymity of the persons involved in the reported possible erroneous or fraudulent conduct and the person reporting the concern; and

Provisions in the standards and procedures that there will be no retribution for reporting conduct that a reasonable person acting in good faith would have believed to be erroneous or fraudulent.

The OIG recognizes that protecting anonymity may not be feasible for small physician practices. However, the OIG believes all practice employees, when seeking answers to questions or reporting potential instances of erroneous or fraudulent conduct, should know to whom to turn for assistance in these matters and should be able to do so without fear of retribution. While the physician practice may strive to maintain the anonymity of an employee's identity, it also needs to make clear that there may be a point at which the individual's identity may become known or may have to be revealed in certain instances.

Step Seven: Enforcing Disciplinary Standards Through Well-Publicized Guidelines
Finally, the last step that a physician practice may wish to take is to incorporate measures into its practice to ensure that practice employees understand the consequences if they behave in a non-compliant manner. An effective physician practice compliance program includes procedures for enforcing and disciplining individuals who violate the practice's compliance or other practice standards. Enforcement and disciplinary provisions are necessary to add credibility and integrity to a compliance program.

The OIG recommends that a physician practice's enforcement and disciplinary mechanisms ensure that violations of the practice's compliance policies will result in consistent and appropriate sanctions, including the possibility of termination, against the offending individual. At the same time, it is advisable that the practice's enforcement and disciplinary procedures be flexible enough to account for mitigating or aggravating circumstances. The procedures might also stipulate that individuals who fail to detect or report violations of the compliance program may also be subject to discipline. Disciplinary actions could include: Warnings (oral); reprimands (written); probation; demotion; temporary suspension; termination; restitution of damages; and referral for criminal prosecution. Inclusion of disciplinary guidelines in in-house training and procedure manuals is sufficient to meet the "well publicized" standard of this element.

It is suggested that any communication resulting in the finding of non-compliant conduct be documented in the compliance files by including the date of incident, name of the reporting party, name of the person responsible for taking action, and the follow-up action taken. Another suggestion is for physician practices to conduct checks to make sure all current and potential practice employees are not listed on the OIG or GSA lists of individuals excluded from participation in Federal health care or Government procurement programs.(44)

C. Assessing A Voluntary Compliance Program

A practice's commitment to compliance can best be assessed by the active application of compliance principles in the day-to-day operations of the practice. Compliance programs are not just written standards and procedures that sit on a shelf in the main office of a practice, but are an everyday part of the practice operations. It is by integrating the compliance program into the practice culture that the practice can best achieve maximum benefit from its compliance program.