Compliance Program Guidance for Healthcare Providers – Implement Now or Pay Later!

July, 2024 Healthcare Law

Our law firm assists healthcare practices, no matter their size, in creating and implementing effective compliance programs. We create individualized programs for each client to help prevent potential violations of the law and limit the potential criminal and civil liability of the company, its owners, and management. Failure to have a compliance program in place at your practice could potentially result in substantial criminal and civil penalties if a violation of the law occurs. Therefore, we recommend acting now!

Our firm has decades of experience in healthcare law. We have helped numerous providers achieve greater compliance by creating and implementing robust and effective compliance programs at their respective practices. If you need any assistance or further information concerning how to implement, maintain, or update a compliance program at your practice, please do not hesitate to contact Barney Cohen at barney@conciergehealthcareattorneysllc.com or (312) 804-1739 today.

To learn more about this vital subject matter, below is an in-depth summary of compliance programs, the elements of an effective program, and how it can benefit you and your practice.

Definition of a Compliance Program

 

At its most basic level, a compliance program is a set of internal policies and procedures that your organization implements to help it comply with the law.[1] An effective compliance program can enhance your organization’s operations, improve the quality of care, and reduce overall costs.

It can help an organization identify problems upfront and do something about them before they become systemic and costly.[1]

To further elaborate, the effective creation and implementation of a compliance program involves the following: (1) establishing the company’s commitment to comply with the law; (2) establishing standards of conduct; (3) creating an ongoing program of training and educating employees (including owners and management) on the requirements of adhering to the law; and (4) establishing an ongoing oversight process that is designed to help the company detect and report wrongdoing. A well-structured compliance program has a written document, termed a compliance plan, that details how an organization will conform to specific regulations to achieve and maintain compliance.[2] The compliance plan defines standards, describes the methods for monitoring standards, and identifies corrective action processes.[3]

Implementing an effective compliance program can help prevent violations of the law and protect the practice, its owners, and its management from potential criminal and/or civil penalties, including those arising from allegations that they were participants in civil or criminal wrongdoing.

 

The Requirement to have a Compliance Program

The US Department of Health and Human Services, Office of Inspector General (“HHS-OIG”) has recommended since the 1990s that healthcare providers of all types establish voluntary compliance programs to prevent and mitigate violations of federal healthcare program rules and regulations.[4] During this period, the HHS-OIG released compliance program guidelines for various practice types, including for Individual and Small Group Physician Practices, for use as a resource in designing and implementing compliance programs.[5] However, such guidance was voluntary until 2010.[6]

In 2010, the U.S. Patient Protection and Affordable Care Act (“PPACA” or the “Act”) amended the US Social Security Act to give the Secretary of Health and Human Services (“Secretary”) the authority to require Medicare and Medicaid providers, as a condition for enrollment, to establish compliance programs. Specifically, section 6401(a) of PPACA requires enrolled providers and suppliers, Medicare Advantage Organizations, and Medicare Prescription Drug Plans to adopt and implement an effective compliance program that includes seven core elements, as discussed below.[7]

Thus, if your practice accepts Medicare, Medicaid, or the Children’s Health Insurance Program (CHIP), your practice is mandated by law to have a compliance program in place! Many commercial payers and some states also require healthcare providers to have a compliance program, so organizations need to know their state and individual payer guidelines.

Benefits of a Compliance Program for Individual or Small Group Practices

The HHS-OIG acknowledges that patient care is, and should be, the priority of a physician’s practice.[8] However, adopting a compliance program can enhance a practice’s focus on patient care. For example, the increased accuracy of documentation that may result from a compliance program will assist in enhancing patient care.[9] The HHS-OIG believes that physician practices can realize numerous other benefits by implementing a compliance program. A well-designed compliance program can:

  • Speed and optimize proper payment of claims;
  • Minimize billing mistakes;
  • Reduce the chances that HCFA or the OIG will conduct an audit; and
  • Avoid conflicts with the self-referral and anti-kickback statutes.[10]

Incorporating compliance measures into a physician’s practice should not be at the expense of patient care. Instead, it should augment the ability of the physician practice to provide quality patient care.[11]

Compliance programs also provide benefits by helping prevent erroneous or fraudulent claims and showing that the physician practice is making additional good faith efforts to submit claims appropriately.[12] Physicians should view compliance programs as analogous to practicing preventive medicine for their practice. Practices that embrace the active application of compliance principles in their practice culture and put efforts towards compliance on a continued basis can help to prevent problems from occurring in the future. A compliance program also sends an important message to a physician practice’s employees that while the practice recognizes that mistakes will happen, employees have an affirmative, ethical duty to come forward and report erroneous or fraudulent conduct so that it may be corrected.[13]

Numerous other benefits exist to having a compliance program in place, which our firm would be more than happy to discuss during an initial consultation.

Adopting a Compliance Program

Even if your practice is not required by law to have a compliance program in place, we strongly recommend adopting one at your healthcare practice. At a minimum, a compliance program creates an ethical environment promoting adherence to state and federal law and payor requirements, and such a program can help protect against fraud, waste, abuse, and other potential liabilities.

To reinforce the importance of adopting compliance programs, the Criminal Division of the U.S. Department of Justice (“DOJ”) released a guide to effective compliance programs in 2017 entitled “Evaluation of Effective Compliance Programs” (“EECP”). This document, which was last updated in March 2023, is meant to assist prosecutors in making informed decisions as to whether and to what extent the corporation’s compliance program was effective at the time of the offense and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).[14]

What does this mean? If there is any potential fraud, waste, abuse, or violation of the law that occurs at your practice, one of the first questions that a federal prosecutor may ask in a criminal case is whether your practice has a compliance program in place and if it does, whether that compliance program is effective. Whether you do or not will significantly affect the resolution, prosecution, or monetary penalties!

The EECP further states:

“Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. There are, however, common questions that we may ask when making an individualized determination. As the Justice Manual notes, there are three “fundamental questions” a prosecutor should ask:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?[15]

In answering these three “fundamental questions,” prosecutors may evaluate the company’s performance on various topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program both at the time of the offense and at the time of the charging decision and resolution.”[16]

As stated above, you and your practice risk exposing yourself to potential penalties, reputational harm, and criminal exposure if you choose not to implement an effective compliance program. Based on our experience, we have found that through the successful implementation of compliance programs, we have protected our clients and their practices when an employee violates the law. A correctly implemented and enforced compliance program can provide a strong defense for the owners and management of the practice because the compliance program standards provide clear instructions that every employee is expected to adhere to the law and the standards of conduct that must be followed.

Recent Comments from the Federal Government Concerning Compliance Programs

Over the past few years, the U.S. Department of Justice (DOJ) has repeatedly touted the benefits of compliance programs in terms of preventing violations of the law and shielding companies from substantial financial risks and penalties. Importantly, however, it is also the expectation that companies have compliance programs in place that are effective, adequately resourced, and in place before any misconduct occurs.

The following quotes from U.S. DOJ officials help summarize their stance on compliance programs in recent years:

  • “Corporate accountability is the other side of our white-collar work because companies are the first line of defense against misconduct. A strong compliance program is key to preventing corporate crime before it occurs and addressing misconduct when it occurs. Our corporate enforcement policies are designed to encourage companies to invest in strong compliance functions and to step up and own up when misconduct occurs. [O]ur corporate enforcement actions show our policies’ industry-wide impact. We have brought cases against some of their sectors’ largest and most significant companies. Cases that send a clear message to industry about the importance of — and the benefits from — strong compliance programs, and in so doing, will transform those industries.”[17]
  • “If your company has had a recent brush with the law, now is the time to invest — and reinvest — in your compliance programs. So, we’ve implemented policies to incentivize investing in a culture of compliance — before misconduct happens.”[18]
  • “It bears repeating that we not only prosecute crimes after they occur. We strive to prevent crime. That is why, for years, the Criminal Division has had public, transparent policies to encourage companies to invest in effective compliance programs and provide incentives for companies that voluntarily self-disclose misconduct. [I]t’s never too late to do the right thing. Help guide your clients. Be a force for good inside your organization. Empower your compliance team. The department and the sentencing guidelines have long recognized that no compliance program can prevent all criminal activity; determining whether a compliance program is effective is all about what systems are in place that enable a company to respond successfully when misconduct occurs. An ounce of prevention is worth a pound of cure. An ethical culture drives an effective compliance program, and a compliance program cannot be effective without the full support and buy-in from the business. Companies that prioritize embedding ethical values throughout their operations are more successful at implementing and sustaining effective compliance programs. Whether or not a company self-discloses, the key point is that companies fare far better when they show that they’re serious about compliance, cooperation, and remediation.”[19]
  • “Companies cannot wait to enact compliance-promoting policies until they are in the government’s crosshairs. Compliance should no longer be viewed as just a cost center for companies. Good corporate governance and effective compliance programs can shield companies from enormous financial risks and penalties. DOJ’s recent corporate enforcement actions […] illustrate the enormous gulf between outcomes for companies that do the right thing – that step up and own up – and companies that do the opposite.”[20]
  • “As our Evaluation of Corporate Compliance Programs guidance clarifies, we expect an effective corporate compliance program to be much more than a company’s policies, procedures, and internal controls. We expect companies to implement compliance programs that (1) are well designed, (2) are adequately resourced and empowered to function effectively, and (3) work in practice. When asked about your compliance program and whether it’s adequately creating, maintaining, and supporting an ethical culture, the question again goes to individual accountability. We want to know about your investment in compliance, not simply because we want you to hire more consultants or buy more sophisticated training software. No, as a former Chief Compliance Officer who now serves as the head of the Criminal Division, I want to know whether you are doing everything you can to ensure that when that individual employee is facing a singular ethical challenge, he has been informed, trained, and empowered to choose right over wrong. Or if he makes the wrong choice, you have a system that immediately detects, remediates, disciplines, and then adapts to ensure that others do not follow suit. That is how powerful a role you have in improving our world. Embracing that calling, today and every day.”[21]
  • “When we see criminality, we will not just ask what happened. We want to understand the root causes — why and whether it will happen again. That distinguishes a community problem-solver from someone who files criminal charges. That is why the presence (or absence) of a functioning compliance program during the misconduct and resolution is crucial to our decision-making in corporate matters. Our prosecutors apply the publicly available criteria outlined in the Evaluation of Corporate Compliance Programs, or ECCP, to make expectations clear to the public and companies. Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, we do not use any one formula to assess the effectiveness of corporate compliance programs. We disclaim any “box-checking” exercise. We recognize that each company’s risk profile and solutions to reduce risks warrant particularized evaluation.”[22]

As you can see from the above U.S. DOJ speeches, the federal government expects companies to implement and maintain effective compliance programs. Simply put, it is best practice to put one in place at your healthcare practice. If you have any questions concerning how you and your practice can create, implement, or update your company’s compliance program, please get in touch with us today at Concierge Healthcare Attorneys, LLC, (312) 804-1739.

Seven Elements of an Effective Compliance Program

Seven core elements should be included in every healthcare compliance program. They are derived, in part, from the seven elements of an effective compliance and ethics program as described in Chapter 8 of the U.S. Federal Sentencing Guidelines Manual.[23] The seven elements are as follows:

  1. Written Policies and Procedures
  2. Compliance Leadership and Oversight
  3. Training and Education
  4. Effective Lines of Communication with the Compliance Officer and Disclosure Program
  5. Enforcing Standards: Consequences and Incentives
  6. Risk Assessment, Auditing, and Monitoring
  7. Responding to Detected Offenses and Developing Corrective Action Initiatives[24]

Before moving on to a more detailed breakdown of these elements, it is essential to remember that there is no one-size-fits-all compliance program for healthcare organizations and that each organization should tailor its compliance program to fit its unique needs. Compliance programs may be structured differently depending on the entity’s size. Small entities and large organizations should think about how to right-size their compliance program to meet their entity’s needs.[25]

Notably, the federal government will evaluate whether the entity has a “paper program” in place (e.g., one that gathers dust on a shelf) or one that is effective and aligns with the organization’s available resources.[26] The US Centers for Medicare and Medicaid Services (“CMS”) has defined adequate resources as those that are sufficient to (i) promote and enforce the organization’s standards of conduct and compliance program; (ii) effectively train and educate the organization’s governing body members and staff; (iii) effectively establish lines of communication; (iv) establish and implement an effective system for routine auditing and monitoring; and (v) identify and promptly respond to risks and findings.[27] Thus, no matter the entity’s size, it must ensure that appropriate and adequate resources are utilized to implement its compliance program.

Below is a further breakdown of these elements:

  1. Written Policies and Procedures

Compliance policies and procedures should encompass at least two areas: (1) the implementation and operation of the entity’s compliance program and (2) processes to reduce risks caused by noncompliance with Federal and State laws.[28] Entities should assess how their operations may present risk areas specific to them and design policies and procedures that address these risks.

Some common compliance risk areas are:

  • Billing and coding;
  • Documentation;
  • Sales and marketing;
  • Reasonable and necessary services (i.e., quality of care);
  • Patient incentives; and
  • Arrangements with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business.[29]

This list of risk areas is not exhaustive or all-encompassing. Instead, it should be viewed as a starting point for an internal review of potential vulnerabilities within the physician practice.[30]

Important Note: Compliance policies and procedures should be reviewed at least annually and need to be kept up to date!

Additionally, the practice should have a code of conduct. A code of conduct is vital to communicate an organization’s mission, goals, and ethical requirements central to its operations.[31] The code articulates the entity’s commitment to comply with all Federal and State laws and regulations. It defines the entity’s ethical standards necessary to fulfill its mission and govern the conduct of its officers, employees, contractors, medical staff, and others who work with or on behalf of the organization.[32] We recommend that the code be written at a 6th-grade reading level to ensure that all staff can easily understand it.

If you or your practice needs assistance drafting or developing a compliance plan or code of conduct, please get in touch with us immediately.

  2. Compliance Leadership and Oversight

Larger entities: Designating a compliance officer with appropriate authority is essential to the success of the compliance program.[33] Every entity should designate a leader as the entity’s compliance officer. A vital indicator of the board and senior leadership’s commitment to compliance is the appointment and support of a compliance officer with the authority, stature, access, and resources necessary to lead an effective and successful compliance program.[34] To fulfill their duties, the compliance officer should be empowered, and independent of other duties to the entity that might impair their ability, to identify and raise compliance risks and advise on how to mitigate risks, achieve and maintain compliance with Federal health care program requirements, and succeed as a compliant entity. Thus, the compliance officer should not lead or report to the entity’s legal or financial functions and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board. Usually, leaders of these functions are the general counsel and the chief financial officer, but some entities give them different titles.[35]

Smaller Entities: For smaller or individually owned practices, the HHS-OIG provides the following guidance:

“It is acceptable for a physician practice to designate more than one employee with compliance monitoring responsibility. In lieu of having a designated compliance officer, the physician practice could instead describe in its standards and procedures the compliance functions for which designated employees, known as ‘‘compliance contacts,’’ would be responsible. For example, one employee could prepare written standards and procedures. At the same time, another could be responsible for conducting or arranging periodic audits and ensuring that billing questions are answered. Therefore, the designated person’s compliance-related responsibilities may be only a portion of their duties. Another possibility is that one individual could serve as compliance officer for more than one entity. In situations where staffing limitations mandate that the practice cannot afford to designate a person(s) to oversee compliance activities, the practice could outsource all or part of the functions of a compliance officer to a third party, such as a consultant, PPMC, MSO, IPA or third-party billing company. However, if this role is outsourced, it is beneficial for the compliance officer to interact sufficiently with the physician practice to understand its inner workings effectively. For example, consultants not close to a practice may not be effective compliance officers.”[36]

  3. Training and Education

Appropriate education and training are vital to an effective compliance program. With the support and aid of the Compliance Committee (or an appropriately designated individual for smaller practices), the compliance officer should develop and coordinate a multifaceted education and training program specific to the entity’s needs and risks.[37] Specific training topics should include and describe, for example:

  • The entity’s commitment to complying with Federal and State standards;
  • A review of the applicable fraud and abuse laws (e.g., the Federal False Claims Act, the Federal anti-kickback statute, PSL, and any applicable State fraud and abuse laws);
  • An explanation of the elements of the entity’s compliance program;
  • Compliance risks for the practice;[38]
  • The identity and role of the compliance officer;
  • The role of the Compliance Committee, if applicable;
  • The importance of open communication with the compliance officer;
  • The various ways individuals can raise compliance questions and concerns with the compliance officer;
  • Nonretaliation for disclosing or raising compliance concerns; and
  • The means through which the entity enforces its written policies and procedures equitably and impartially.[39]

Training materials should be accessible to all members of the designated audience.[40] Participation in required compliance training programs should also be made a condition of continued employment or engagement by the entity. Failure to comply with training requirements should result in consequences, including possible termination of employment or engagement when warranted. Completing mandatory training should be essential for each employee’s annual performance evaluation.[41]

Note: If you require any assistance with compliance training and education, please do not hesitate to contact our firm. We have decades of experience providing this training, whether in-person or remotely!

  4. Effective Lines of Communication with the Compliance Officer and Disclosure Program

An open line of communication between the compliance officer and entity personnel (including contractors and agents) is critical to successfully implementing a compliance program and reducing any potential for fraud, waste, and abuse.[42] Entity personnel should be informed about how to reach the compliance officer directly (e.g., via email, telephone, or messaging). This information also should be posted in commonly frequented physical and virtual spaces. The compliance officer may occasionally poll entity personnel on how they prefer to reach the compliance officer, to ensure that diverse personnel (including personnel of different generations and communication preferences) have familiar means of communicating with the compliance officer.[43]

For this element, we recommend the following:

  • Written confidentiality and nonretaliation policies should be developed and distributed to all employees to encourage communication with the compliance officer and the reporting of incidents of potential fraud and other compliance concerns.
  • Allow employees to report concerns anonymously. This could be through a hotline, a website, an email address, or a mailbox. Options for anonymous reporting should be publicly posted and communicated to employees during training sessions.
  • Keep an inventory/log of all disclosures of compliance concerns, including potential violations of entity policies or Federal or State requirements. This list should be kept by the compliance officer or other appropriate personnel in a smaller entity.[44]

Note: Numerous third-party hotline services can be utilized online for anonymity purposes. If you have any questions concerning effective lines of communication, please let us know.

  5. Enforcing Standards: Consequences and Incentives

The organization should establish and publicize its procedures for identifying, investigating, and remediating (including re-training or discipline for the involved individuals) actions that do not comply with the entity’s standards of conduct, policies, and procedures, or Federal and State laws.[45] Simply put, if an employee violates the compliance program, he/she should be disciplined accordingly. To deter noncompliant conduct, discipline should also be enforced consistently across all levels of the organization (e.g., fair and equitable discipline for similar offenses, no matter the individual’s position at the organization).

The compliance policies and procedures should identify the consequences that may be imposed under specific circumstances involving noncompliance and who will make decisions regarding appropriate consequences. The compliance officer or relevant personnel should monitor investigations and resulting discipline to ensure consistency. Further, the HHS-OIG believes that corporate officers, managers, supervisors, health care professionals, and medical staff should be held accountable for failing to comply with, or for the foreseeable failure of their subordinates to adhere to, the applicable standards, laws, policies, and procedures.[46]

In terms of incentives, the HHS-OIG offers the following examples of conduct that a healthcare entity may want to incentivize:

  • the achievement of compliance goals that are specific to a department or a specific position description;
  • achievements that reduce compliance risk (e.g., a team that develops a process that reduces compliance risk or enhances compliant outcomes, or an individual who suggests a method of attaining a strategic goal with less risk); or
  • performance of compliance activities outside of the individual’s job description (e.g., mentoring of colleagues in compliant performance or performing as a compliance representative within their department or team).[47]

The HHS-OIG encourages the compliance officer and the Compliance Committee to devote time, thought, and creativity to the compliance activities and contributions that the entity would like to incentivize.

Discipline and incentive policies should be written and articulate expectations and consequences for noncompliant and compliant conduct. As with all other policies, they should be widely publicized, readily available, and reviewed at least annually with staff.

  6. Risk Assessment, Auditing, and Monitoring

Risk assessment is a process for identifying, analyzing, and responding to risk. A compliance risk assessment is a process that looks at risks to the organization, such as violations of law, regulations, or other legal requirements.[48]

For healthcare practices, a formal compliance risk assessment process should pull information about risks from various external and internal sources, evaluate and prioritize them, and then decide which risks to address and how to address them.[49] The Compliance Officer/Committee, or other appropriate personnel at a smaller entity, should be responsible for creating a risk assessment tailored to cover the risk areas of the specific practice and conduct appropriate auditing and monitoring of these risk areas. These risk assessments should be conducted annually, at a minimum.

With regards to auditing and monitoring, the Compliance Officer or other appropriate personnel should also continuously scan for unidentified or new risks by, for example, monitoring for legal and regulatory changes, enforcement actions and OIG work plan developments, and new entity acquisitions, strategies, or initiatives, and evaluating audits and investigation results.[50] There should be a schedule of audits based on risks identified by the annual risk assessment, which may be conducted by internal or external auditors who have expertise in Federal and State health care statutes, regulations, and Federal health care program requirements. Routine monitoring of known risks should include (i) monthly screening of the LEIE and State Medicaid exclusion lists, (ii) regular screening of State licensure and certification databases, and (iii) annual review of the entity’s policies and procedures.[51]

Entities also should periodically assess the compliance program’s effectiveness by reviewing the effectiveness of each element of the compliance program. OIG has published a toolkit, Measuring Compliance Program Effectiveness, which may assist with this assessment.[52] It is intended to be a set of tools that any health care organization, regardless of size or health care industry segment, can use. If you have any questions concerning how to utilize this tool or conduct an initial compliance program assessment of your practice, please get in touch with our firm, and we can walk you through the document with step-by-step instructions.

  7. Responding to Detected Offenses and Developing Corrective Action Initiatives[53]

Compliance programs should include processes and resources to investigate compliance concerns thoroughly, take the steps necessary to remediate any legal or policy violations that are found, including reporting to any Government program agencies or law enforcement where appropriate, and analyze the root cause(s) of any identified impropriety to prevent a recurrence.[54]

What sets an entity with a robust compliance program apart from one with a paper program is how it responds when it finds a violation resulting in a substantial overpayment or severe misconduct. Breaches of an entity’s compliance program, failures to comply with applicable Federal or State law, and other types of misconduct threaten an entity’s status as a trustworthy organization capable of participating in Federal healthcare programs and the healthcare industry.[55] Detected but uncorrected misconduct can seriously endanger the mission, reputation, and legal status of the entity.[56] Consequently, it is essential to promptly notify appropriate personnel/leaders at the entity and coordinate with entity counsel as needed upon receipt of reports or reasonable indications of suspected noncompliance to determine whether a material violation of applicable law has occurred.[57]

Once a potential incident of non-compliance has been identified, the entity must conduct an immediate investigation into the matter. Depending on the size or severity of the non-compliance, we may recommend engaging the entity’s counsel, whether in-house or outside, to conduct the investigation. Most internal investigations will require interviews and a review of relevant documents.[58] Regardless of the size or severity of the violation being investigated, a contemporaneous record of the investigation should be maintained. The record should include, at a minimum:

  • documentation of the alleged violation;
  • a description of the investigative process;
  • copies of interview notes and key documents;
  • a log of the witnesses interviewed and the documents reviewed;
  • the results of the investigation; and
  • any disciplinary action taken or corrective action implemented.[59]

Generally, if credible evidence of misconduct from any source is discovered and, after a reasonable inquiry, there is reason to believe that the misconduct may violate criminal, civil, or administrative law, the entity should promptly (not more than 60 days after the determination that credible evidence of a violation exists) notify the appropriate Government authority[60] of the misconduct. Prompt reporting will demonstrate the entity’s good faith and willingness to work with governmental authorities to correct and remedy the problem.[61]

Once the entity has gathered sufficient credible information to determine the nature of the misconduct, it should take prompt corrective action, including (i) refunding overpayments;[62] (ii) enforcing disciplinary policies and procedures; and (iii) making any policy or procedure changes necessary to prevent a recurrence of the misconduct.[63] The entity should follow and enforce its policies and procedures against responsible individuals, including those in leadership or supervisory roles whose neglect or reckless disregard of their duties allowed the misconduct to go unchecked or prevented the entity from identifying the misconduct earlier.[64]

Whether you need to conduct an investigation or potentially report or disclose a violation of the law to a government agency, it is essential to seek legal counsel to determine the appropriate action. We have conducted compliance investigations for years involving various types of misconduct and improper violations of the law. Please do not hesitate to contact our firm if you need legal assistance in this area.

Conclusion

Our firm can help create and implement a compliance program tailored to your practice’s needs. For any legal assistance regarding compliance programs, policies, procedures, or any other compliance issue, you can contact our firm today at the following:

Email: Barney@conciergehealthcareattorneysllc.com

Phone: (312) 804-1739

Don’t wait until there has been a potential compliance violation at your practice. As they say, an ounce of prevention is worth a pound of cure!

[1] Id.

[2] https://www.cms.gov/Medicare-Medicaid-Coordination/Fraud-Prevention/FraudAbuseforProfs/Downloads/mccomplan.pdf

[3] Id.

[4] HHS-OIG’s recommendation regarding such programs can be found at https://oig.hhs.gov/compliance/.

[5] https://oig.hhs.gov/documents/compliance-guidance/801/physician.pdf. These guidances concerning compliance programs are for use as a resource by the health care community. They are not intended to be one-size-fits-all, completely comprehensive, or all-inclusive of compliance considerations and fraud and abuse risks for every organization. Rather, the goal of these documents has been, and will continue to be, to set forth voluntary compliance guidelines and tips and to identify some risk areas that OIG believes individuals and entities engaged in the health care industry should consider when developing and implementing a new compliance program or evaluating and updating an existing one. https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf

[6] HHS-OIG’s recommendation regarding such programs can be found at https://oig.hhs.gov/compliance/.

[7] Section 6401 of Public Law 111-148 (PPACA). The Affordable Care Act further required the Secretary of Health and Human Services (HHS), in consultation with the HHS Office of Inspector General (OIG), to establish “core elements” for provider and supplier compliance programs within a particular industry or sector. In doing so, HHS has the discretion to determine both the timeline for implementation of the core elements and the requirement to have a compliance program. An enforcement date for provider compliance plans as mandated in the Affordable Care Act is yet to be issued. See also, https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNEdWebGuide/Downloads/MLN-Compliance-Webinar.pdf.

[8] https://oig.hhs.gov/documents/compliance-guidance/801/physician.pdf

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] https://oig.hhs.gov/documents/compliance-guidance/801/physician.pdf

[14] https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl.

[15] See JM 9-28.800.

[16] https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl.

[17] Speech by U.S. DOJ Acting Assistant Attorney General, Nicole M. Argentieri (March 8, 2024), available at https://www.justice.gov/opa/speech/acting-assistant-attorney-general-nicole-m-argentieri-delivers-keynote-speech-american.

[18] Speech by U.S. DOJ Deputy Attorney General, Lisa O. Monaco (March 7, 2024), available at https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-keynote-remarks-american-bar-associations.

[19] Speech by Deputy Assistant Attorney General, Lisa H. Miller (May 4, 2023), available at https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-lisa-h-miller-delivers-remarks-american-bar-association.

[20] Speech by U.S. Deputy Attorney General, Lisa O. Monaco (October 4, 2023), available at https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-announces-new-safe-harbor-policy-voluntary-self.

[21] Speech by U.S. DOJ Assistant Attorney General, Kenneth A. Polite Jr (March 25, 2022), available at https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-nyu-law-s-program-corporate

[22] Speech by U.S. DOJ Assistant Attorney General, Kenneth A. Polite Jr. (March 3, 2023), available at https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-keynote-aba-s-38th-annual-national.

[23] https://www.ussc.gov/guidelines/2018-guidelines-manual/2018-chapter-8.

[24] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[25] Id.

[26] See generally, JM 9-28.800 and https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[27] See Chapter 21 of the Medicare Managed Care Manual, available at https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/mc86c21.pdf

[28] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[29] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[30] https://oig.hhs.gov/documents/compliance-guidance/801/physician.pdf.

[31] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[32] Id.

[33] Id.

[34] Id.

[35] Id.

[36] https://oig.hhs.gov/documents/compliance-guidance/801/physician.pdf.

[37] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[38] The training sessions should cover any compliance risks specific to the learners’ roles and responsibilities. Depending on the learners’ roles, these may include, for example, billing, coding, documentation, medical necessity, beneficiary inducements, gifts, interactions with physicians and other sources or recipients of referrals of Federal health care program business, and sales and marketing practices. The education and training program also should include a requirement that licensed personnel must complete all education and training mandated by the licensing board that governs their license. Id.

[39] Id.

[40] For example, if an entity has a culturally diverse staff, training materials may need to be available in several languages. Id.

[41] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[42] Id.

[43] Id.

[44] Id.

[45] Id.

[46] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[47] Id.

[48] Id.

[49] Id.

[50] Id.

[51] Id.

[52] https://oig.hhs.gov/documents/toolkits/928/HCCA-OIG-Resource-Guide.pdf.

[53] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[54] Id.

[55] Id.

[56] Id.

[57] Id.

[58] Id.

[59] Id.

[60] Depending on the nature of the violation and the Government program involved, appropriate Government authorities may include: (i) the Criminal or Civil Divisions of DOJ; (ii) the United States Attorney’s Office for the entity’s district; (iii) OIG; (iv) CMS; (v) the State Medicaid Fraud Control Units; (vi) the Defense Criminal Investigative Service; (vii) the Office of Inspector General for the Department of Veterans Affairs; and (viii) the Office of Personnel Management (which administers the Federal Employees Health Benefits Program).

[61] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[62] If the entity determines that the misconduct resulted in an overpayment, it should promptly repay the overpayment to affected government agencies. Federal law requires entities to repay any overpayments received from Medicare or a State Medicaid program within 60 days after identification. Section 1128J of the Act, 42 U.S.C. § 1320a-7k(d).

[63] https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.

[64] Id.