Several government agencies have issued guidance to aid healthcare organizations in building their compliance programs. The Department of Health & Human Services (HHS) Office of Inspector General (OIG) began issuing voluntary compliance program guidance for a variety of healthcare organizations in 1998. The first compliance program guidance was issued in February 1998 for hospitals. The various compliance program guidance documents are outlined in accordance with the elements the OIG has deemed essential for running an effective program. The OIG guidance has come to be considered the cornerstone of government guidance.
Recently, the Department of Justice (DOJ) revised its Evaluation of Corporate Compliance Programs guidance, first issued in 2017. The guidance is used by federal prosecutors as potential mitigation when evaluating corporate compliance programs and deciding whether to prosecute an organization and what potential penalties and compliance obligations to impose. The revised guidance focuses particularly on whether the organization’s compliance program is well designed in relation to the organization, is being applied in good faith, and works effectively in application and practice by the organization. The guidance offers helpful insight into how the government measures the effectiveness of an organization’s compliance program.
In addition, the guidance documents and resources listed below can help organizations build their compliance programs and identify and address risks that affect them.
The US Federal Sentencing Guidelines
The United States Sentencing Commission (USSC) guidelines, first effective on November 1, 1991, set out a uniform policy for sentencing individuals and organizations that have been convicted of a federal crime. The guidelines set forth factors for prosecutors to consider when determining the appropriate form of resolution or prosecution, monetary penalty, and potential compliance obligations under a corporate criminal resolution. Chapter 8 describes sentencing guidelines applicable to organizations. Introductory comments to the chapter explain that the government looks at whether the organization attempted to remedy any harm caused by the offense, the culpability of the organization, and the seriousness of the offense as factors in determining the appropriate punishment.
Through Amendment 673 to Chapter 8 of the guidelines, issued on November 1, 2004, the USSC specified two factors serving as mitigation to the ultimate punishment of an organization: “(i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility.” Further, under United States Sentencing Guidelines Manual (USSG) § 8C2.5(g), an effective compliance and ethics program is one of the mitigating factors that can reduce an organization’s penalty under the “Culpability Score.” Conversely, under USSG § 8D1.4(c), the absence of an effective program may be a reason for the court to place an organization on probation, and implementation of an effective compliance program may be a condition of probation for organizations. To be effective, the guidelines further elaborate that a compliance program “shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.” The guidelines further articulate seven elements for establishing an effective compliance program, which have since been further parsed out in great detail in the OIG’s various compliance program guidance documents.
Amendment 744 to the guidelines, issued on November 1, 2010, further provides commentary related to forms of remediation after criminal conduct has been detected. The commentary notes that necessary assessment and modifications to the organization’s compliance program may need to be made to correct and prevent further misconduct, which may include the use of an outside professional adviser to ensure adequate assessment and implementation of any modifications. This amendment is also articulated in the OIG compliance program guidance documents as a recommendation that organizations periodically evaluate their compliance program for effectiveness, urging the assistance of an outside reviewer to ensure objectivity.
HHS OIG Guidance
The OIG, in conjunction with the DOJ, is responsible for enforcing the rules and regulations under the Medicare and Medicaid laws outlined as part of the Social Security Act and administered by the Centers for Medicare & Medicaid Services (CMS). One of the primary goals of the HHS OIG is to fight fraud, waste, and abuse. Specifically, the office works to:
“Prevent, detect, and deter fraud, waste, and abuse
“Foster sound financial stewardship and reduction of improper payments
“Hold wrongdoers accountable and recover misspent public funds”
The OIG comprises six components, three of which are responsible for investigating, evaluating, and auditing HHS programs, grantees, and contractors for fraud, waste, and abuse. Two of those components have investigative and audit responsibilities. The Office of Audit Services is responsible for conducting audits of HHS programs and/or grantees and contractors. The audits are designed to assess the performance of HHS programs and/or grantees in carrying out their responsibilities. The Office of Evaluation and Inspections (OEI) conducts broad, issue-based evaluations of HHS programs to prevent fraud, waste, and abuse and encourage efficiency and effectiveness in HHS programs. The OEI also oversees the state Medicaid Fraud Control Units (MFCUs), which investigate and prosecute Medicaid providers for fraud, patient abuse, and neglect. The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct tied to HHS programs, operations, and beneficiaries.
Over more than two decades, the HHS OIG has also issued a series of voluntary guidance documents setting forth guidelines for the development and implementation of effective compliance programs. Guidance materials are offered for several sectors of the healthcare industry, including specifically:
Hospitals (guidance and supplemental guidance)
Home Health Agencies
Third-Party Medical Billing Companies
Durable Medical Equipment, Prosthetics, Orthotics, and Supply Industry
Nursing Facilities (guidance and supplemental guidance)
Individual and Small Group Physician Practices
Recipients of PHS Research Awards
The guidance documents are structured in accordance with the seven elements designated by the OIG as fundamental for developing an effective compliance program, as first set forth in the USSC guidelines.
While the mechanisms for applying the elements vary based on the type of healthcare organization applying them, the overall purposes are the same. While no two compliance programs are the same, the elements are designed to serve as a backbone to establishing an effective program. The elements, if implemented appropriately, are designed to enable an organization to prevent, detect, and correct violations of law, policies, and guidance.
Reports and Publications
The HHS OIG office regularly issues various reports and publications important to compliance programs, which are published on the OIG website. Some of the more important reports and publications compliance professionals need to closely monitor include the OIG Work Plan, the Health Care Fraud and Abuse Control Program Report, and the OIG semiannual reports to Congress.
The OIG Work Plan is updated on a monthly basis on the OIG’s website, and “sets forth various projects including OIG audits and evaluations that are underway or planned to be addressed during the fiscal year and beyond by OIG’s Office of Audit Services and Office of Evaluation and Inspections.” The office lists both active and archived Work Plan items. The active items describe audits, evaluations, and inspections that are currently in process or planned to begin soon. Items are added when they are found to present “relative risks in HHS programs and operations” and include, but are not limited to, projects that the OIG is required to review in accordance with law or regulation based on requests from Congress, HHS management, or the Office of Management and Budget, or that represent top management and performance challenges facing HHS. These items are searchable on the website or can be downloaded as a spreadsheet, which can be used for compliance activity planning at a healthcare organization. For more information on the work plan, see Chapter 4, “Evaluation Processes, Investigations, and Noncompliance Response.”
The Health Care Fraud and Abuse Control Program was established through the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and was created to coordinate federal, state, and local law enforcement activities concerning healthcare fraud and abuse. The program produces an annual report detailing the monetary results of the federal government’s healthcare fraud judgments and settlements, in addition to other healthcare administrative impositions that are deposited to the Medicare Trust Funds. These amounts include:
Gifts and bequests made unconditionally to the Trust Funds, for the benefit of the Account or any activity financed through the Account;
Criminal fines recovered in cases involving a federal health care offense, including collections under section 24(a) of Title 18, United States Code (relating to health care fraud);
Civil monetary penalties in cases involving a federal health care offense;
Amounts resulting from the forfeiture of property by reason of a federal health care offense, including collections under section 982(a)(7) of Title 18, United States Code; and
Penalties and damages obtained and otherwise creditable to miscellaneous receipts of the general fund of the Treasury obtained under sections 3729 through 3733 of Title 31, United States Code (known as the False Claims Act, or FCA), in cases involving claims related to the provision of health care items and services (other than funds awarded to a relator, for restitution, or otherwise authorized by law).
The OIG also produces a semiannual report to Congress, which highlights the OIG’s work over the semiannual period. The report is focused on risk areas audited by the OIG, with a summary of significant findings and recommendations. The report also includes statistics on recoveries, exclusions, and investigative outcomes related to fraud.
Organizations can review these OIG reports to understand the topics the OIG is focused on auditing and to understand areas of risk where the agency may focus its efforts in the future. An understanding of the OIG’s focus areas will aid organizations when assessing their own operational risks, prioritizing their monitoring and auditing efforts, and evaluating the internal controls they have in place to address such risks.
One of the key functions of the OIG is to detect, investigate, and punish fraudulent misconduct by healthcare providers. The OIG publishes updates to its website on its efforts to curb fraud, including its investigative efforts in relation to criminal, civil, and administrative violations; the imposition of program exclusions and civil monetary penalties on healthcare providers to punish fraud or other wrongdoing; and announcement of settlement agreements and corporate integrity agreements imposed from misconduct arising under the civil False Claims Act.
The OIG posts figures related to its False Claims Act settlements on its Risk Spectrum. At the highest end of the spectrum are the parties that have been excluded by the OIG from participating in federal healthcare programs. The second-highest category of settlements on the spectrum reflects individuals or entities that are subject to “heightened scrutiny.” Individuals and entities under this category refused to enter into a corporate integrity agreement (CIA), “although OIG determined that these parties needed additional oversight.” Parties deemed medium risk are those that entered into a CIA with the OIG. The lower-risk category consists of parties against whom the OIG took no further action. Finally, the lowest-risk category consists of parties that voluntarily disclosed violations to the OIG. The OIG updates its Risk Spectrum on a quarterly basis.
The OIG also describes on its fraud website recent actions by the Medicaid Fraud Strike Force teams. The Strike Force teams are interagency teams focused on investigating and combating fraud. The teams are made up of government officials from the OIG, DOJ, the United States attorneys’ offices, the Federal Bureau of Investigation (FBI), and local law enforcement. The Strike Force teams focus on widespread fraud schemes that often involve providers and entities in several geographic areas. These teams are strategically located in geographic areas where fraudulent activity is prevalent, including Tampa; Orlando; Miami; Los Angeles; Detroit; Dallas; Houston; Brooklyn; Baton Rouge; New Orleans; Chicago; Washington, DC; Newark; Philadelphia; and the Appalachian Region. Strike Force teams have focused on rampant fraud schemes, including substance abuse treatment fraud, diversion schemes, and kickback schemes.
Compliance Resource Portal
The HHS OIG offers a variety of compliance tools on its website, including special alerts, podcasts, advisory opinions, and guidance documents. They can all be found through the Compliance Resource Portal. Its toolkits provide resources to improve organizations’ compliance programs, from toolkits for measuring a compliance program’s effectiveness to specialized toolkits to aid healthcare board members in understanding their compliance oversight obligations. Videos and webcasts can be used for training on general compliance, exclusions screening, fraud and abuse laws, and more.
The Compliance Resource Portal also contains OIG advisory opinions, which are legal opinions the OIG issues to one or more requesting parties that address the application of the OIG’s fraud and abuse authorities on an existing or proposed business arrangement. A favorable advisory opinion protects the requesting party from OIG administrative sanctions, provided that the arrangement at issue is conducted in accordance with the particular facts submitted with the request to the OIG. However, an issued advisory opinion can be relied on only by the party that requested it. While advisory opinions are only valid for the requesting party, providers can use advisory opinions as a reference to understand the OIG’s viewpoint in relation to particular business arrangements. Advisory opinions may offer guidance as to types of business arrangements the OIG views as high risk versus those that would not trigger the OIG’s radar.
The HHS OIG can exclude organizations found to have committed healthcare fraud and abuse from participating in federally funded healthcare programs. Excluded entities are not entitled to government reimbursement from federal healthcare programs. Organizations that hire an individual or entity that has been excluded can face civil monetary penalties.
The OIG maintains a list of excluded individuals and entities called the List of Excluded Individuals/Entities (LEIE). Organizations can search this list online or download the database from the website. It is up to organizations to ensure that the individuals and entities they work with are not on this list in order to avoid paying significant penalties. All compliance officers should be familiar with the list and with screening against it to maintain an effective compliance program. For more information on using the LEIE, see Chapter 4, “Evaluation Processes, Investigations, and Noncompliance Response.”
The OIG’s newsroom publishes news releases, speeches, podcasts, videos, and more to keep the public updated on the office’s latest initiatives and actions. Its “What’s New” section provides a snapshot of what’s been updated on the site, from the latest CIAs to completed audits to new OIG Work Plan items. Compliance professionals can use these resources to monitor the issues that the OIG is concerned with and looking for when investigating claims of healthcare fraud and abuse.
The “What’s New” section also includes the OIG’s most recent audit reports as well as compliance reviews of healthcare organizations. Audit reports focus on areas identified by the OIG as high risk. The reports include detailed findings and recommendations for correcting identified issues. For example, in an audit report evaluating an identified billing issue, the OIG might recommend that the CMS contractors make efforts to identify overpayments made to providers within the reopening period for identified billing issues and that CMS implement processes to correct the underlying issues. In the compliance reviews, the OIG focuses on a particular healthcare provider or organization, and pulls claims submitted by the provider that are at risk for noncompliance with Medicare billing requirements through computer matching, data mining, and data analysis techniques. In its reviews, the OIG selects risk areas to audit based on prior OIG audits at other organizations, and evaluates compliance with selected billing requirements. In the compliance review reports, the OIG lists detailed findings in relation to identified billing errors and makes recommendations to the targeted providers to implement controls to correct the identified errors; to refund identified and extrapolated overpayments to CMS contractors for errors identified from the audit period; and to further expand the results of the audit by exercising reasonable diligence to identify, report, and return overpayments outside of the audit period in accordance with the 60-day rule.
Monitoring these audit and compliance review reports can help healthcare providers identify areas of high risk identified by the OIG for comparison against their own billing and documentation practices. The detailed findings also provide an in-depth analysis of how the OIG interprets various billing rules, allowing providers to modify their policies and processes in accordance with the OIG’s interpretation.