Skip to main content
Find a Lawyer

OIG Publishes Draft Compliance Guidance for Individual and Small Group Physician Practices

This article was edited and reviewed by FindLaw Attorney Writers | Last reviewed May 17, 2016

This article has been written and reviewed for legal accuracy, clarity, and style by FindLaw’s team of legal writers and attorneys and in accordance with our editorial standards.

The last updated date refers to the last time this article was reviewed by FindLaw or one of our contributing authors. We make every effort to keep our articles updated. For information regarding a specific legal issue affecting you, please contact an attorney in your area.

On June 7, 2000, the HHS Office of Inspector General ("OIG") published a draft compliance program guidance for individual and small group physician practices. The draft guidance appeared in the Federal Register in Volume 65 at page 36,818. The OIG's stated objective was to provide meaningful, practical, and manageable guidance for small physician practices. While the document is imposing in content, in our view, the OIG generally succeeds in providing reasonable guidance for physician compliance programs. While some fine tuning may be in order, the draft compliance guidance should be of great assistance to the physician community.

The draft guidance describes the OIG's position on a wide range of compliance issues and is intended to promote voluntary implementation of compliance programs. A compliance program is designed to demonstrate to government authorities that a physician practice has made a commitment to follow all relevant laws in the course of its everyday activities. The OIG notes that the Guidelines are not intended to be a substitute for each practice developing and implementing a compliance program that is tailored to its individual circumstances.

The draft guidelines are directed toward individual and small group physician practices. While the OIG does not provide a definition of what constitutes a small group physician practice, and, therefore, there is no clear-cut method of determining whether the guidelines apply to a particular practice, the OIG recommends that larger group practices consult this guidance in conjunction with the previous guidance it issued for third-party medical billing entities in a effort to develop a compliance plan tailored to the needs of larger group practices. This might suggest that "large practices" are limited to major multi-specialty practices, which have internal resources such as medical billing facilities. More guidance on the point would be helpful.

Although implementation of a compliance program is voluntary, the lack of a compliance program can be costly. Each year we see an increase in government enforcement activity which carries the threat of criminal prosecution and exposure under the False Claims Act to treble damages and penalties of up to $10,000 per claim. A compliance program that conforms to an OIG model establishes a strong basis for minimizing criminal and civil penalties should a violation occur, despite the organization's best efforts to comply with the law.

I. Elements of an Effective Compliance Program

Consistent with the requirements of the Federal Sentence Guidelines, which is the source for the Compliance Plan concept, the government has said in the past that every compliance program
must address the seven elements outlined below. In a welcome demonstration of flexibility, the OIG acknowledges that physician practices are not equivalent to large institutional providers of care and that imposition of the seven elements may result in an unreasonable administrative burden. As a result, the OIG notes that each physician practice must determine the level at which it will be able to implement each element. The specific level of implementation will depend on the size and resources of the practice, but it is essential that all practices show a "good faith meaningful commitment to compliance" in each of these areas.

The OIG also notes that by participating in the compliance programs of other organizations with which the practice works (for example, hospitals), physicians may partly satisfy the recommended elements of a compliance plan. The OIG guidelines consider this type of collaborative effort helpful in meeting the recommended elements of the compliance program. The guidelines make clear, however, that participation in other compliance programs is not sufficient on its own.

A. Written Policies and Procedures

An effective compliance program requires the development of standards of conduct for the practice. The OIG recommends that physician practices look to the standards of conduct implemented by other practices or recommended by professional associations for ideas. Nevertheless, standards of conduct should be tailored to the individual practice, addressing its specific structure, needs, and risk areas; standards of conduct should not simply be copied from another source. An overarching mission statement for the physician practice should summarize the practice's expectations regarding billing and coding, patient care, documentation, and payer relationships.

Written policies and procedures are considered essential, regardless of the size of the practice. For smaller practices with a genuine lack of resources, the OIG suggests that the practice focus first on the risks most likely to arise in that particular practice. If the practice relies on a physician practice management company ("PPMC") or management services organization ("MSO"), the compliance policies of those entities can be integrated into the policies of the practice.

Fundamental to the development of standards of conduct is identification of those areas in which the particular practice is most at risk. This is typically done by performing a baseline audit of key potential risk areas. An overview of the most common risk areas is discussed in Section III. The OIG also notes that the standards of conduct should be reinforced by a practice's policies and procedures, which are fundamental to all practices, no matter how small.

The requirement for written policies and procedures can be met by developing a written compliance manual and updating clinical forms. The OIG has suggested that the compliance manual be as simple as a binder - a practical suggestion for which the OIG should be commended. The binder would contain all procedures specific to that practice; HCFA directives and carrier bulletins relative to the practice; summaries of relevant OIG documents (including Special Fraud Alerts, Advisory Opinions, inspection and audit reports); and a summary of the relevant reimbursement requirements of payer plans (including those relating to reasonable and necessary services, coding, and documentation). The binder or any other written manual should be reviewed at least annually, and any appropriate updates should be made regularly.

The OIG recommends that the compliance manual or binder be accessible to all employees, contractors, and agents. If each employee is not provided with a copy of the manual, a reference copy should be available in an area easily accessible by all employees. If summaries of materials are used in the binder, the full documents should be available to employees upon request. Any updates to the policies and procedures should be provided to employees.

Within its discussion of Standards of Conduct, the OIG addresses the need for a record retention system for all medical practices, regardless of size. The policies on records retention should cover the creation, distribution, retention, and destruction of documents. Specifically, the system should specify the length of time that medical records are to be retained based on applicable Federal and State guidelines. The safety and privacy of medical records should also be addressed, including a provision to address how medical records will be disposed of in the event of a sale or closure of the practice.

As a matter of practical advice, the OIG also suggests that efforts to conform with any applicable Federal health care program requirements be documented and retained. For example, if a practice requests advice from a government agency regarding a Federal health care program, a copy of both the request and the reply should both be retained and the entire process documented. While this holds true whether the response is oral or written, written advise is always preferred. If oral advice is obtained, however, the practice is encouraged to maintain a log of oral inquiries between the practice and third parties in order to document attempts at compliance. These records can be extremely important in any subsequent investigation.

B. Designation of a Compliance Officer or Contact

The practice should designate a compliance officer to administer the program. The compliance officer is responsible for overseeing all aspects of the compliance program, including the investigation of any allegations of possible unethical or improper business practices and the monitoring of any appropriate corrective action taken.

Recognizing the limitations on small practices, the OIG has provided for some flexibility in the designation of a compliance officer. The OIG notes that the compliance officer could have other duties within the practice, or, in the alternative, the duties of administering the program could be split and performed by more than one person acting as "compliance contacts." Still another option would allow one person to serve as the compliance officer for more than one practice, enabling small practices to share resources. Practices could also outsource the functions of the compliance officer. We note that while the OIG's flexibility is helpful, there will be practical confidentiality concerns that must be addressed under any system where one individual serves as a Compliance Officer for multiple practices.

The OIG warns that if the duties are outsourced, the compliance officer must still have sufficient interaction with the physician practice to effectively fulfill the required duties. For example, there are limitations to having a compliance officer who spends most of his or her time off-site. On the other hand, the OIG warns that the compliance officer must be sufficiently independent to avoid potential conflicts of interest raised by the performance of the compliance officer's regular duties. The OIG, however, provides no specific guidelines on how to determine if a person is sufficiently "independent" or adequately "interactive" with the practice.

C. Conducting Effective Training and Education

The OIG guidance states that new employees should be trained "immediately," while another states that training of new employees should take place within 60 days of their start date. The guidance's introduction refers to the requirement of "comprehensive" training for all employees on the practice's policies and procedures, which suggests that all employees must be trained on all details of the compliance program, regardless of their duties. At the same time, the guidance states that educational objectives for employees must be defined by each practice to identify who needs training, what form of training should be used, when training is needed, and how much training each employee should receive.

The OIG clearly has provided for flexibility in training methods, stating that training can be in-person or through means such as newsletters or a community bulletin board. Training may be conducted in-house or by an outside source. It is important to note, however, that the OIG specifically states that simply providing documents for an individual to read on his or her own will seldom be sufficient.

It is clear from the guidance that training should be conducted at the outset of the compliance program. Recurring training should also be provided, as appropriate; the OIG generally states that there is no set formula for determining the appropriate frequency of training. The OIG does stipulate, however, that training for employees involved in coding and billing be conducted at least annually.

The goal of training should be to ensure that all employees understand how to perform their jobs in compliance with the standards of the practice and applicable regulations. Employees should also understand that the practice views compliance as a condition of continued employment. The OIG states that all employees should be made familiar with at least the key risk areas in the guidance and areas of particular OIG interest, as identified in the OIG's Work Plan published each year.

Training on coding and billing should be provided to members of the staff who are directly involved with billing, coding, or other aspects of the Federal health care programs. Items to be covered may include:

  • coding requirements;
  • claim development and submission processes;
  • marketing practices that reflect current legal and program standards;
  • the ramifications of submitting a claim for physician services when actually rendered by a non-physician;
  • signing a form for a physician without the physician's authorization;
  • the ramifications of altering medical records;
  • proper documentation of services rendered;
  • how to report misconduct;
  • proper billing standards and procedures and the submission of accurate bills for services or items rendered to Federal health care program beneficiaries;
  • the personal obligation of each person involved in the billing process to ensure claims are properly and accurately submitted;
  • the legal sanctions for submitting deliberately false or reckless billings; and
  • an understanding that a practice cannot receive payment or any type of incentive to induce referrals.

Physician practices should make updated ICD-9 and CPT manuals available to all employees involved in the billing process and should have a method for making continuous updates on billing policies readily available to their billing staff. Furthermore, physician practices should work with third-party billing companies, when contracted, to identify potential problems and incorporate these areas into compliance training.

D. Developing Effective Lines of Communication

In compliance guidelines issued previously by the OIG for application to other entities, the OIG has encouraged the use of multiple, and somewhat formal, means of communication between the compliance officer and personnel, such as telephone "hotlines" to allow for anonymous communications. The OIG recognizes that this approach may not be practical in smaller practices. Instead, the guidance allows for informal lines of communications, such as maintaining an "open door" policy on compliance issues, developing a compliance bulletin board in a common area, and providing an anonymous drop box for reporting fraudulent or erroneous conduct. The OIG recognition that anonymity may be infeasible in small practices, and that employees must understand that anonymity may not always be covered. The OIG emphasizes the importance, however, of employees being aware of whom to ask for assistance in compliance matters and feel comfortable with approaching that person without fear of retribution.

Overall, the compliance program's communication systems should include:

  • a requirement that employees report conduct which a reasonable person would believe to be fraudulent or erroneous;
  • user-friendly processes for reporting fraudulent or erroneous conduct;
  • provisions in the policies and procedures that state that failure to report fraudulent or erroneous conduct is a violation of the compliance program;
  • simple and readily accessible procedures to process reports of fraudulent or erroneous conduct;
  • protection of confidentiality to the maximum degree possible, both of the person making the allegation and the alleged fraudulent or erroneous conduct; and
  • procedures to ensure that there will be no retribution for reporting fraudulent or erroneous conduct.

E. Auditing and Monitoring

The auditing component of the compliance program is designed to ensure that the practice's procedures and standards are current and accurate and that the overall compliance program is effective. The OIG states that the practice should conduct audits to review bills and medical records for compliance with billing, coding, and documentation requirements.

According to the OIG, the auditing process may be conducted by the compliance officer in conjunction with a medically trained person, preferably a physician. Claims may be reviewed retrospectively or at the time they are submitted. Audits should examine whether bills are coded accurately and reflect the services actually provided, as well as whether the services provided were reasonable and necessary. The audit also should seek to identify any potential incentives for providing unnecessary services. Finally, the audit should determine if medical records contain the documentation required to support the charges billed.

The OIG recommends that the practice conduct a baseline audit at the start of the compliance program to evaluate areas of vulnerability and set benchmarks. The baseline audit should review the claim development and submission process from start to finish, seeking to identify specific risk areas for the practice. The baseline audit also can be used to develop procedures for future audits, including the process for selection and examination of records. The OIG recommends that a baseline audit review claims for three months following the initial training of employees under the compliance program.

Following the completion of a baseline audit, periodic audits should be conducted at least once a year. The OIG has provided workable recommendations for determining the number of records that should be reviewed. Specifically, the OIG recommends that each practice review either five to ten medical records per physician or, alternatively, two to five medical records per payer on at least an annual basis. If problems are identified in the audit process, a more focused review should be conducted on a more frequent basis to assess whether the problem is being properly addressed. Future training should incorporate information about the problem areas identified in the audits.

The OIG suggests that periodic audits could include:

  • a valid sample of the practice's top ten denials, or the top ten services provided;
  • confirmation that the practice is using specific codes to identify reasonable and necessary services;
  • a check for data entry errors;
  • confirmation that all orders are written and signed by a physician;
  • a check for reasonable and necessary services;
  • confirmation that all tests ordered were actually performed and documented and that the bills accurately reflect the tests completed; and
  • a review of assignment codes and modifiers to the claims.

If the audit process identifies problems, the OIG states that the practice should take appropriate action as soon as possible, but preferably within 60 days. Meanwhile, a separate section of the guidance states that self-reporting to the applicable authorities, if appropriate, should be done within 90 days. The action taken will depend upon the problem identified, but may be as basic as generating a repayment. The OIG suggests that in more complicated cases, the practice may want to seek legal advice or consult a billing and coding expert to determine the best action to take.

The practice should develop a system of guiding its response to potential problems, including the reporting of problems. Finally, information related to the potential problem should be carefully preserved, and any response to the issue should be documented.

F. Enforcing Standards through Well-Publicized Disciplinary Guidelines

The OIG states that enforcement of the practice's compliance procedures and standards is considered essential to the effectiveness of the program. Sanctions should be well-publicized and applied in a consistent and appropriate manner. Potential sanctions include oral warnings, written reprimands, probation, demotion, temporary suspension, discharge of employment, restitution of damages, and referral for criminal prosecution. Termination of employment must be a potential sanction. The OIG reaffirms that failure to report a violation of the compliance program should subject an individual to discipline. The OIG stipulates that the inclusion of disciplinary guidelines in an in-house training program and procedure manual is sufficient to meet the requirement that the sanctions be "well-publicized." The OIG also recognizes that the enforcement procedures should be flexible enough to account for mitigating or aggravating circumstances. According to the OIG, practices should document any communication regarding non-compliant conduct, including the date of the incident, the name of the reporting party, the name of the person responsible for taking action, and the follow-up action taken.

G. Responding to Detected Offenses and Developing Corrective Action Initiatives

The OIG stresses the importance of investigating all potential violations and taking decisive steps to correct any violations. Corrective measures may include an action plan, the return of overpayments, a report to the government, and/or a referral to law enforcement agencies. If an offense is found, the practice should take all reasonable steps to respond and prevent similar offenses in the future. This includes an internal investigation of every reported violation. Individuals involved in a violation should be retrained or, in some cases, terminated.

The OIG guidance requires that practices self-report any violations to the applicable authority within 90 days of the identification of the violation. Previously released guidelines for other entities have required self-reporting within 60 days, and the OIG should be commended for recognizing that small physician practices may require a longer period of time to investigate potential violations. As a practical matter, however, small practices may require an even longer time frame in order to determine the proper authorities to ask for guidance and to establish whether or not a violation has occurred.

II. Specific Risk Areas

Perhaps the most helpful section of the Draft Compliance Guidance are the definitions of risk areas identified by the OIG. The Guideline includes four broad areas of risk within the body of the Guidelines as well as several specific concerns in the Appendix to the Guidelines. Both groups are discussed here.

The four broad areas of risk for individual and small group physician practices are considered by the OIG to be a starting point for a compliance plan. The primary areas of risk identified in the guidelines are:

  1. coding and billing,
  2. reasonable and necessary services,
  3. documentation, and
  4. kickbacks, inducements, and self-referrals.

A. Coding and Billing

The OIG has identified the following areas as among the most frequent subjects of its investigations and audits of billing and coding practices:

  • billing for items or services not rendered or not provided as claimed;
  • submitting claims for equipment, medical supplies, and services that are not considered reasonable and necessary;
  • double billing;
  • billing for non-covered services as if they were covered;
  • knowing misuses of provider identification numbers;
  • billing for unbundled services;
  • not properly using coding modifiers; and
  • upcoding the level of service provided.

B. Reasonable and Necessary Services

Medicare will pay only for services that are deemed reasonable and necessary for a particular patient. A physician practice, therefore, should only bill Medicare for services that are believed to be reasonable and necessary. There may be occasions when a physician believes a particular service is appropriate, but the service will not be considered reasonable and necessary under Medicare guidelines. The physician should be able to provide documentation, including the patient's medical history, to demonstrate the medical necessity of the service provided. Appropriate use of advanced beneficiary notice forms should be instituted.

C. Documentation

The OIG guidance ranks documentation as one of the most important issues in a compliance program. Medical records should be complete and legible. According to the model plan, each record should contain, at a minimum, the following information for each encounter with a patient:

  • the reason for the encounter;
  • any relevant history;
  • findings from any physical examination;
  • prior diagnostic test results;
  • an assessment or diagnosis;
  • a description of the plan of care;
  • the date of the encounter; and
  • the identity of the observer.

Any appropriate health risk factors for the patient should be identified in the medical record. Finally, the patient's progress, response to treatment, or any changes in treatment or diagnosis should be fully documented. The guidance also directs that the CPT and ICD-9-CM codes used for health insurance claims should be clearly supported by the documentation in the medical record, and the provider of the specific services should be easily identified. The OIG states that the rationale for ordering any diagnostic or other ancillary services should be clearly identified if it will not be "easily inferred" by a third-party reviewer.

D. Kickbacks, Inducements, and Self-Referrals

A compliance plan must address kickback and self-referral issues. The guidance states that it is illegal to receive remuneration for a referral because it may distort medical decision-making, cause over-utilization of services and supplies, increase costs of Federal health care programs, and result in unfair competition by shutting out competitors who are unwilling to pay for referrals.

Arrangements which may raise concerns about kickbacks and referrals include those with hospitals, hospices, nursing facilities, home health agencies, durable medical equipment suppliers, and vendors. In general, the OIG recommends that all business arrangements in which a physician refers business to an outside entity be conducted on a fair market value basis. The OIG specifically recommends that any business arrangement which involves the making of referrals be reviewed by counsel familiar with the anti-kickback and physician self-referral statute before the physician enters into the arrangement.

The OIG identifies potential areas of risk to be addressed in the practices compliance plan as follows:

  • financial arrangements with outside entities to whom the practice may refer Federal health care program business;
  • joint ventures with entities supplying goods or services to the physician practice or its patients;
  • consulting contracts or medical directorship;
  • office and equipment leases with entities to which the physician refers; and
  • soliciting, accepting, or offering any gift or gratuity of more than nominal value to or from those who may benefit from a physician practice's referral of Federal health care program business.

The OIG has included an Appendix which provide more information about specific risk areas to which physician practices should be sensitive. These areas are divided into a number of major categories, as follows:

1) Reasonable and Necessary Services

  • Local Medical Review Policy - The OIG notes that a determination of reasonable and necessary services may vary in local medical review policies (LMRPs) among carriers, and that physicians are responsible for following the guidelines of their respective carrier.
  • Advanced Beneficiary Notices - Physicians must recognize their responsibility to provide Advanced Beneficiary Notices to patients whenever the physician believes that Medicare will not pay for services reasonable and necessary. The notice must be specific and provide the patient with the reason for the physician's belief. The OIG notes its concern that ABNs are being used routinely for classes of patients who may be asked to sign blank forms.
  • Physician Certifications for the Provision of Durable Medical Equipment and Supplies and Home Health Services - The OIG cautions that whenever a physician signs a certificate of medical necessity with the provision of home health services and durable medical equipment, the physician is responsible for the accuracy of the information with respect to whether the item or service is reasonable and necessary. The OIG cautions that signing a blank CMN, signing a CMN without seeing the patient to verify the need for the service, or signing when the physician knows that the service is not reasonable and necessary, can lead to criminal, civil, or administrative penalties.
  • Billing for Non-Covered Services as if Covered - The OIG recognizes that there are situations where physicians submit claims for services in order to receive a denial from Medicare, thereby enabling the patient to obtain coverage from a secondary payer. The OIG notes that appropriate modifiers should be placed on the claims submission to assure denial, and that if the carrier pays the claim in error, the physician is responsible for refunding the amount paid.

2) Physician Relationships with Hospitals

  • Physician Role in the Patient Anti-Dumping Statute - The OIG notes that while the anti-dumping requirements fall mostly on hospitals, physicians with on-call responsibilities must be aware of a hospital's policies, and must fulfill their responsibility when they are on call.
  • Teaching Physicians - The OIG notes that services provided by teaching physicians in teaching settings are reimbursable only if the services are personally furnished by a physician who is present during the key portion of any service or procedure.
  • Gain-Sharing Arrangements - The OIG restates its position that the civil money penalty law prohibits gain-sharing arrangements that involve payments by a hospital to a physician that have the effect of reducing the provision of hospital services to patients under the direct care of the physician.

3) Physician Billing Practices

  • Third-Party Billing Services - While acknowledging that such arrangements are not prohibited, the OIG cautions against arrangements with billing services which provide for payment on a percentage basis. The OIG also notes the limitations under the reassignment rules in connection with percentage billing arrangements.
  • Billing Practices by Non-Participating Physicians - The OIG reminds non-participating physicians not to bill or collect amounts in excess of the limiting charges and of their responsibility to refund any amount collected above the limiting charges within 30 days notice of such violation.
  • Professional Courtesy - The OIG provides fairly clear guidance relating to the provision of professional courtesy. The OIG notes that professional courtesy does not likely implicate fraud and abuse concerns as long as the practice extends professional courtesy by waiving the entire patient services rendered to a group or persons, and the members of the group receiving the courtesy is determined in a manner that does not take into account the ability to refer. The OIG also notes that the practice of waiving applicable co-payments for services rendered to individuals is permissible if the patient is financially needy.

4) Miscellaneous

  • Rental of Space from Referral Sources - The OIG notes the risk of the kickback law being implicated if space is rented from referral sources under terms which do not meet the space rental safe harbor to the anti-kickback statute.
  • Unlawful Advertising - The OIG notes that it is unlawful to advertise using the name, abbreviation, symbol, or emblem of any federal health care agency in a manner that could convey the false impression that the advertised item is endorsed by the agency.

Physicians should keep abreast of any changes in this area of the law, which can be accomplished by obtaining copies of OIG Special Fraud Alerts and Advisory Opinions posted on the OIG website. Policies and procedures should also be updated as needed to reflect any changes in the law or its interpretation.

Summary

The draft compliance guidance for individual and small group physician practices underscores the OIG's commitment to encourage all health care providers to develop compliance programs. Although not mandatory, physician practices would be well served to follow the guidance and develop compliance programs. While the draft is subject to change, it is likely that most of the critical provisions will remain in place. Therefore, it is not too early for practices to begin serious consideration of implementing their own programs.

Was this helpful?

Copied to clipboard