I. INTRODUCTION

In June 2000, the Office of Inspector General ("OIG") of the U. S. Department of Health and Human Services ("HHS") released a draft of its Compliance Program Guidance for Individual and Small Group Physician Practices. The final compliance program guidance was published in the Federal Register on October 5, 2000. (65 Fed. Reg. 59434). Comprehensive in scope, the final document (the "Guidance") summarizes the OIG’s current view as to what physicians should know and can do to prevent fraud and abuse in government health programs. Changes from the draft to the final Guidance result from physicians’ concerns about the possible sanctions resulting from a formal compliance process. Generally, the overall tone of the final document has been refocused to note the voluntary nature of the Guidance. Rather than suggest the development of an "effective" compliance program, the Guidance recommends the "active application of compliance principles" in a physician practice.

Physicians expressed fears about the potential regulatory burdens found in the draft guidance. In response, the OIG states explicitly that the compliance guidelines are not mandatory. Nor do they, according to the OIG, represent an all-inclusive document containing all components of a compliance program. Other OIG outreach efforts, as well as other federal agency efforts to promote compliance, can also be used in developing a compliance program. However, the Guidance does indicate that a physician practice’s adoption of a voluntary and active compliance program may be quite beneficial.

Responding to "significant misunderstandings among physicians" who feel "maligned" by federal law enforcement agencies because of a "perceived focus on innocent ‘erroneous’ claims," the Guidance makes assurances that the OIG does "not disparage physicians," and that physicians are not subject to civil or criminal penalties for innocent errors or negligence. The OIG emphasizes, however, that all health care providers have a duty reasonably to ensure that claims submitted to the federal health care programs are accurate.

The Guidance is part of the OIG’s continuing effort to encourage self-policing within the health care industry. It is the ninth compliance program guidance document issued by the OIG to date. Again, we emphasize that the guidelines are not mandatory.

Intended to assist individual and small group physician practices in developing and implementing internal controls that will promote adherence to rules governing the federal health care programs and to private insurance requirements, the Guidance identifies the basic elements of a physician practice compliance program. As with other guidance already issued by the OIG, the elements of such a compliance program are based on the seven elements set forth in the Federal Sentencing Guidelines.

The Guidance is a virtual compendium of the risk areas where physician practices may be vulnerable. The main risk areas for all physicians include coding and billing, billing only for services that are "reasonable and necessary," medical record documentation, improper inducements and self-referrals, and retention of records.

An appendix to the Guidance identifies still other risk areas that physicians should evaluate when constructing a compliance program suitable for their practice. Included in the additional risk areas are physician relationships with hospitals, various physician billing practices, physician certifications for medical equipment, and supplies and home health services.

A second appendix contains a summary of frequently-cited criminal statutes related to fraud and abuse in the context of health care. The summary identifies the penalties for unlawful conduct and gives examples of the kinds of conduct prohibited by the various statutes.

A third appendix summarizes civil and administrative statutes related to health care fraud and abuse. In this section the OIG describes its "primary enforcement tool," the civil False Claims Act. This appendix also discusses the civil monetary penalties law, the federal anti-referral law ("Stark II law"), and the laws governing exclusion of individuals and entities from participation in the federal health care programs.

A fourth appendix provides OIG/HHS "contact information," including numbers for the OIG telephone hotline and a description of the OIG’s recommended method for a physician to self-report fraud and abuse issues that may exist in his or her own practice. This section also explains the kinds of questions to which the OIG will respond when a health care professional requests an advisory opinion from OIG and where to find the procedures for requesting an advisory opinion.

A fifth appendix provides carrier contact information. Finally, a sixth appendix lists internet resources relating to federal health care programs.

According to the OIG, an effective compliance program can help physicians identify both erroneous and fraudulent claims, ensure that submitted claims are true and accurate, and improve quality of care. The OIG acknowledges that patient care is, and should be, the first priority of a physician practice. However, the finalized document suggests that focus on patient care can be enhanced by the adoption of a voluntary compliance program. For example, the increased accuracy of documentation that may result from a compliance program will actually assist in enhancing patient care. The OIG believes that physician practices can realize numerous other benefits by implementing a compliance program. A well-designed compliance program can:

• Speed and optimize proper payment of claims;
• Minimize billing mistakes;
• Reduce the chances that an audit will be conducted by the Health Care Financing Administration ("HCFA") or the OIG; and
• Avoid conflicts with the self-referral and anti-kickback statutes.

The OIG believes that incorporation of compliance measures into a physician practice should not be at the expense of patient care, but instead should augment the ability of the physician practice to provide quality patient care.

Voluntary compliance programs provide other benefits, according to the Guidance, by not only helping to prevent erroneous or fraudulent claims, but also by showing that the physician practice is making additional good faith efforts to submit claims appropriately. Physicians should view compliance programs as analogous to practicing preventive medicine for their practice. Practices that embrace the active application of compliance principles in their practice culture and make efforts towards compliance on a continued basis can help to prevent problems from occurring in the future.

The OIG states that compliance programs send important messages to a physician practice’s employees that while the practice recognizes that mistakes will occur, employees have an affirmative, ethical duty to come forward and report erroneous or fraudulent conduct, so that it may be corrected.

III. APPLICATION OF VOLUNTARY COMPLIANCE PROGRAM GUIDANCE

To further underscore the voluntary nature of the Guidance, the document states that the applicability of these recommendations will depend on the circumstances and resources of the particular physician practice. Each physician practice can undertake reasonable steps to implement compliance measures, depending on the size and resources of that practice. Physician practices can rely, at least in part, upon standard protocols and current practice procedures to develop an appropriate compliance program for that practice. In fact, notes the OIG, many physician practices already have established the framework of a compliance program without referring to it as such.

IV. DEVELOPING A VOLUNTARY COMPLIANCE PROGRAM

A. The Seven Basic Components Of A Voluntary Compliance Program

As a slight deviation from the previous eight compliance guidances, the Guidance identifies seven basic "components" of an effective compliance program. Although the OIG acknowledges that full implementation of all components may not be feasible for all physician practices, the OIG encourages physicians to address each of the elements in a manner that best suits the physician’s practice. As a first step, physician practices can begin by adopting only those components which, based on a practice’s specific history with billing problems and other compliance issues, are most likely to provide an identifiable benefit.

The extent of implementation will depend on the size and resources of the practice. Smaller physician practices may incorporate each of the components in a manner that best suits the practice. By contrast, larger physician practices often have the means to incorporate the components in a more systematic manner. For example, larger physician practices can use both this Guidance and the Third-Party Medical Billing Compliance Program Guidance, which provides a more detailed compliance program structure, to create a compliance program unique to the practice.

The OIG recognizes that physician practices need to find the best way to achieve compliance in light of their particular circumstances. Specifically, the OIG encourages physician practices to participate in other providers’ compliance programs, such as the compliance programs of the hospitals or other settings in which the physicians practice. Physician practice management companies also may serve as a source of compliance program guidance.

The Guidance suggests that the following components can form the basis of a voluntary compliance program for a physician practice:

• Conducting internal monitoring and auditing through the performance of periodic audits;
• Implementing compliance and practice standards through the development of written standards and procedures;
• Designating a compliance officer or contact(s) to monitor compliance efforts and enforce practice standards;
• Conducting appropriate training and education on practice standards and procedures;
• Responding appropriately to detected violations through the investigation of allegations and the disclosure of incidents to appropriate government entities;
• Developing open lines of communication, such as (1) discussions at staff meetings regarding how to avoid erroneous or fraudulent conduct and (2) community bulletin boards, to keep practice employees updated regarding compliance activities; and
• Enforcing disciplinary standards through well-publicized guidelines.

B. Steps For Implementing A Voluntary Compliance Program

A major new section in the final Guidance includes recommendations for implementing a voluntary compliance program under a multi-tiered process. As noted above, the OIG suggests that initial development of the compliance program can be focused on practice risk areas that have been problematic for the practice, such as coding and billing. Physicians are encouraged to examine their claims denial history or claims that have resulted in repeated overpayments in an effort to identify and correct the most frequent sources of those denials or overpayments. A review of claim denials will help the practice scrutinize a significant risk area and improve its cash flow by submitting correct claims that will be paid the first time they are submitted. Appealing to the reason of physicians, the Guidance contends that a compliance program for a physician practice makes "sound business sense."

The Guidance describes a series of steps a practice may take to begin the development of a compliance program. Physician practices are reassured that it is up to each "practice to determine the manner in which and the extent to which the practice chooses to implement these voluntary measures." As described below, the steps incorporate all seven components of a compliance program and offer suggestions for implementation within each component.

1. Step One: Auditing And Monitoring

An ongoing evaluation process includes not only whether the physician practice’s standards and procedures are in fact current and accurate, but also whether the compliance program is working, i.e., if individuals are properly performing their responsibilities and if claims are submitted appropriately. Therefore, an audit is recommended to help the physician practice ascertain what, if any, problem areas exist and focus on the risk areas that are associated with those problems. There are two types of reviews: (a) a standards and procedures review; and (b) a claims submission audit.

Individual(s) in the physician practice could have the responsibility of periodically reviewing the practice’s standards and procedures to determine if they are current and complete. If the standards and procedures are found to be ineffective or outdated, they should be updated to reflect changes in government regulations or compendiums generally relied upon by physicians and insurers (i.e., changes in Current Procedural Terminology (CPT) and ICD-9-CM codes).

(b) Claims Submission Audit

The individuals from the physician practice involved in self-audits might ideally include the person in charge of billing (if the practice has such a person) and a medically trained person (e.g., registered nurse or preferably a physician). As with the previous OIG compliance guidance documents, the OIG recommends that a baseline, or "snapshot," be used to enable a practice to judge over time its progress in reducing or eliminating potential areas of vulnerability. This practice, known as "benchmarking," allows a practice to chart its compliance efforts by showing a reduction or increase in the number of claims paid and denied.

The Guidance suggests that the practice’s self-audits can be used to determine whether:

• Bills are accurately coded and accurately reflect the services provided (as documented in the medical records);
• Documentation is being completed correctly;
• Services or items provided are reasonable and necessary; and
• Any incentives for unnecessary services exist.

Following the baseline audit, a general recommendation is that periodic audits be conducted at least once each year to ensure that the compliance program is being followed. The OIG realizes that physician practices receive reimbursement from a number of different payors, and it encourages a physician practice’s auditing/monitoring process to consist of a review of claims from all payors from which the practice receives reimbursement. Once again addressing concerns regarding the Guidance’s regulatory burden, the OIG states that it is aware that these audits may be burdensome for some physician practices and, as an alternative, encourages the review of claims that have been reimbursed by federal health care programs.

If problems are identified, the physician practice will need to determine whether a focused review should be conducted on a more frequent basis or whether education of employees is required.

The Guidance makes the point that one of the most important components of a successful compliance audit protocol is an appropriate response when the physician practice identifies a problem. This action should be taken as soon as possible after the date the problem is identified. The specific action a physician practice takes should depend on the circumstances of the situation.

After the internal audit identifies the practice’s risk areas, the next step, according to the Guidance, is to develop a method for dealing with those risk areas through the practice’s standards and procedures. The OIG believes that written standards and procedures can be helpful to all physician practices, regardless of size and capability. If a lack of resources to develop such standards and procedures is genuinely an issue, the OIG recommends that a physician practice focus first on those risk areas most likely to arise in its particular practice. Additionally, if the physician practice works with a physician practice management company ("PPMC"), independent practice association ("IPA"), physician-hospital organization ("PHO"), management services organization ("MSO"), or third-party billing company, the practice can incorporate the compliance standards and procedures of those entities, if appropriate, into its own standards and procedures. According to the OIG, many physician practices have found that the adoption of a third party’s compliance standards and procedures, as appropriate, has many benefits and the result is a consistent set of standards and procedures for a community of physicians as well as having just one entity that can then monitor and refine the process as needed.

The OIG suggests that a resource manual from publicly available information may be a cost-effective approach for developing additional standards and procedures. Examples of such documents offered are relevant HCFA directives and carrier bulletins and summaries of informative OIG documents (e.g., Special Fraud Alerts, Advisory Opinions, and inspection and audit reports). If the practice chooses to adopt this idea, their collection of such resource material should be updated as appropriate and located in a readily-accessible location.

New employees can be made aware of the standards and procedures when hired and can be trained on their contents as part of their orientation to the practice. The OIG recommends that the communication of updates and training of new employees occur as soon as possible after either the issuance of a new update or the hiring of a new employee.

The OIG presents a list of potential risk areas that it describes as a "starting point" for evaluating potential vulnerabilities within a physician practice.

According to the OIG, coding and billing should be a major part of any physician compliance program. The OIG lists the problems that most frequently result in OIG audits and investigations:

• Billing for items or services not rendered or not provided as claimed;
• Submitting claims for equipment, medical supplies, and services that are not reasonable and necessary (seeking reimbursement for a service that is not warranted by a patient’s documented medical condition);
• Double billing;
• Billing for non-covered services as if covered;
• Knowing misuse of provider identification numbers, which results in improper billings (the OIG specifically notes that physician practices should be aware of the provisions of the reassignment rules);
• Billing for unbundled services (the practice of a physician billing for multiple components of a service that must be included in a single fee);
• Failure properly to use coding modifiers (inadequate justification that a service or procedure that has been performed has been altered by some specific circumstance, but not changed in its definition or code);
• "Clustering," or the practice of merging one or two middle level codes (i.e., overcharging some patients while undercharging other), and
• Upcoding the level of services provided (billing for a more expensive service than the one actually performed, which is a major focus of the OIG’s law enforcement efforts).

Appendix A provides additional guidance regarding the practice of submitting a claim for services in order to receive a denial from the Medicare carrier, thereby enabling the patient to submit the denied claim for payment to a secondary payer. The OIG states that it would not consider such submissions to be fraudulent. However, in these instances the physician should indicate on the claim submission that the claim is being submitted for the purpose of receiving a denial.

(2) Reasonable And Necessary Services

The OIG acknowledges that a physician should be able to order any test, including screening tests, that the physician believes is appropriate for the treatment of his or her patient, but cautions that there may be a difference between what the physician believes is clinically appropriate and the payor’s definition of reasonable and necessary. According to the OIG, the physician practice should only bill for those services the physician believes and can document are reasonable and necessary for the diagnosis and treatment of a patient.

Appendix A lists additional risks associated with the determination of reasonable and necessary services. For example, the OIG advises physicians to be familiar with local medical review policies which indicate whether an item or service will be covered by Medicare. The OIG also reminds physicians that they are required to provide advanced beneficiary notices ("ABN") before providing a patient with services that the physicians knows or believes Medicare will not consider reasonable and necessary. The Guidance explains the requirements for a properly executed ABN.

Appendix A also cautions physicians regarding their liability for inappropriate certifications for the provision of medical equipment and supplies and home health services. The OIG warns against signing blank certificates of medical necessity ("CMN"), and signing CMNs without seeing the patient to verify that the item or service is reasonable and necessary.

(3) Documentation

The Guidance articulates the OIG’s view of the minimum standards for medical record documentation. Explaining that the medical record is used to validate the appropriateness of the service and the accuracy of the billing, the OIG asserts that medical records should comply with the following principles:

• The medical record should be complete and legible;
• The documentation of each patient encounter should include the reason for the encounter, any relevant history, physical examination findings, prior diagnostic test results, assessment, clinical impression or diagnosis, plan of care, and date and legible identify of the observer (emphasis added);
• If not documented, a reviewer should be able "easily" to infer the rationale for ordering diagnostic and other ancillary services. Past and present diagnoses should be accessible to the treating and/or consulting physician;
• CPT and ICD-9-CM codes used for claims submission should be supported by documentation and the medical record; and
• Appropriate health risk factors should be identified. The patient’s progress, response to and any changes in treatment, and any revision in diagnosis should be documented.

The OIG also encourages physicians to monitor whether the HCFA 1500 form is properly completed.

The OIG advises physicians to develop procedures that address arrangements with other health care providers and suppliers. On a practical level, the OIG makes two recommendations: (1) business arrangements involving a physician referral of business to an outside entity should be made on a fair market value basis; and (2) business arrangements that involve a physician making referrals should be reviewed by counsel familiar with the anti-kickback statute and the physician self-referral laws.

The OIG urges physicians to exercise particular care with respect to:

• Financial arrangements with outside entities to whom the practice may refer federal health care program business;
• Joint ventures with entities supplying goods or services to the physician practice or its patients;
• Consulting contracts or medical directorships;
• Office and equipment leases with entities to which the physician refers; and
• Soliciting, accepting, or offering any gift or gratuity of more than nominal value to or from those who may benefit from a physician practice’s referral of federal health care program business.

The OIG notes that its definition of "fair market value" in the context of anti-kickback scrutiny excludes any value attributable to referrals of federal program beneficiaries or the ability to influence the flow of such business.

(5) Retention Of Records

The OIG states that all physician practices, regardless of size, should have procedures to create and retain appropriate documentation. The OIG suggests that physicians consider:

• The length of time that a physician’s medical record documentation is to be retained, taking into account federal and state requirements;
• The need to secure medical records against loss, destruction, unauthorized access, unauthorized reproduction, corruption, or damage; and
• The disposition of medical records in the event the practice is sold or closed.

After the audits have been completed and the risk areas identified, ideally one member of the physician practice staff needs to accept responsibility for the plan. This person can either be in charge of all compliance activities for the practice or play a limited role merely to resolve current issues. The Guidance acknowledges that resource constraints of physician practices may prevent the designation of one person to be in charge of compliance functions. Accordingly, it is acceptable for a physician practice to designate more than one employee with compliance monitoring responsibility.

Another possibility suggested by the Guidance is that one individual could serve as compliance officer for more than one entity. In situations where staffing limitations mandate that the practice cannot afford to designate a person(s) to oversee compliance activities, the practice could outsource all or part of the functions of a compliance officer to a third party, such as a consultant, PPMC, MSO, IPA, or third-party billing company. However, if this role is outsourced, it is beneficial for the compliance officer to have sufficient interaction with the physician practice to be able to effectively understand the inner workings of the practice. For example, consultants that are not in close geographic proximity to a practice may not be effective compliance officers for the practice.

If the physician practice decides to designate a particular person(s) to oversee all compliance activities, not just those in conjunction with the audit-related issue, suggested duties for that individual are as follows:

• Overseeing and monitoring the implementation of the compliance program;
• Establishing methods, such as periodic audits, to improve the practice’s efficiency and quality of services, and to reduce the practice’s vulnerability to fraud and abuse;
• Periodically revising the compliance program in light of changes in the needs of the practice or changes in the law and in the standards and procedures of government and private payor health plans;
• Developing, coordinating and participating in a training program that focuses on the components of the compliance program, and seeks to ensure that training materials are appropriate;
• Ensuring that the HHS-OIG’s List of Excluded Individuals and Entities, and the General Services Administration’s ("GSA’s") List of Parties Debarred from Federal Programs have been checked with respect to all employees, medical staff, and independent contractors; and
• Investigating any report or allegation concerning possible unethical or improper business practices, and monitoring subsequent corrective action and/or compliance.

Each physician practice is advised to assess its own practice situation and determine what best suits that practice in terms of compliance oversight.

There are three basic steps for setting up educational objectives:

• Determining who needs training (both in coding and billing and in compliance);
• Determining the type of training that best suits the practice’s needs (e.g., seminars, in-service training, self-study or other programs); and
• Determining when and how often education is needed and how much each person should receive.

Training may be accomplished through a variety of means, including in-person training sessions (i.e., either on site or at outside seminars), distribution of newsletters, or even a readily-accessible office bulletin board. Regardless of the training modality used, a physician practice should ensure that the necessary education is communicated effectively and that employees come away from the training with a better understanding of the issues covered.

Compliance training focuses on explaining why the practice is developing and establishing a compliance program. The OIG suggests that compliance training address: the operation and importance of the compliance program; the consequences of violating the standards and procedures set forth in the program; and the role of each employee in the operation of the compliance program.

There are two goals a practice should strive for when conducting compliance training: (1) all employees will receive training on how to perform their jobs in compliance with the standards of the practice and any applicable regulations; a