The federal Department of Justice, the Office of Inspector General (OIG) at the Department of Health and Human Service, state Medicaid fraud control units, and other enforcement agencies have brought multiple enforcement actions against various healthcare practices - even small practices - over the course of the past twenty years.

The institutional risks of noncompliance have grown since 1995 from relatively non-adversarial audits and occasional return of payments to formal investigations, prosecution under the False Claims Act, and whistleblower action.

The personal risks of noncompliance have changed too from money return to exclusion from government programs to loss of practice license and imprisonment. Administrators can be barred from working in the healthcare industry and clinicians, managers, corporate directors, even outside consultants can be jailed for healthcare fraud and abuse.

The federal government strongly encourages health compliance programs and promotes voluntary compliance and self-policing in a variety of ways. For instance, in the case of Medicare and the OIG, the existence of a corporate compliance program influences the approach to a violation of a federal requirement in terms of an innocent mistake or a fraudulent act. The existence of a compliance program may determine whether the matter can be routinely handled as an overpayment by the payer or it must be investigated by the OIG, or even referred to the Department of Justice to be pursued as a civil infraction or as a criminal matter.

The Seven Core Elements of a Compliance Program

Generally, compliance programs programs are not required by law. Unless a practice has been ordered to implement such a plan by a court of law or has agreed to a compliance plan as part of a settlement agreement, each group is free to decide about development of such a program and its extent.

The Federal Sentencing Guidelines are designed to ensure consistency in criminal sentencing by federal judges for federal crimes. These guidelines describe seven elements that must be included in the program for it to be counted as an effective compliance program. If a compliance program was in place, and deemed to be effective, the sentence will be less harsh. Both the existence and the efficacy of a compliance program are necessary to receive a less harsh sentencing.

The Sentencing Guidelines define an “effective program to prevent and detect violations of law” as a program that has been reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct and will include at least the following seven elements:

1. Establishment of compliance rules and procedures that are reasonably capable of reducing the prospect of wrongdoing;
2. The assignment of high-level personnel to oversee the compliance effort;
3. The use of due care to prevent delegation of substantial discretionary authority to individuals whom the company knows or should know have a propensity to engage in illegal activities;
4. The effective communication of the standards and procedures of the program to all employees by either training programs or dissemination of information;
5. Taking reasonable steps to achieve compliance with the standards, e.g., by using monitoring and auditing systems reasonably calculated to detect criminal conduct and the establishment and publicizing of a reporting system that employees and other agents can use to report criminal conduct without fear of retribution;
6. Consistent enforcement of the standards through disciplinary mechanisms, including discipline of individuals responsible for the failure to detect and offense; and
7. Appropriate response to offences detected including the implementation of any modifications to the program necessary to prevent future offences of the same kind.

Coding and Billing Regulatory Risks

OIG lists the following items as specific regulatory risks most frequently subject to investigation and audit:

1. Billing for items or services not rendered as claims
2. Submitting claims for supplies and services that are not reasonable and necessary
3. Double billing
4. Billing for non-covered services
5. Failure to properly use coding modifiers
6. “Clustering” (using only a few codes on the theory that it will average out)
7. “Upcoding” (using a higher reimbursement code than the code reflecting the service rendered)
8. Inappropriate balance billing (billing Medicare beneficiaries for the difference between the total provider charges and the Medicare Part B allowable amount)
9. Routine waiver of co-payments and billing third-party insurance only
10. Discounts and professional courtesy
11. Improper billing for incident-to services
12. Improper reassignment of physician billing numbers
13. Failure to refund credit balances due to patients and payers
14. Billing for services provided by unqualified or unlicensed clinical personnel

Audits are most commonly used to review the accuracy and completeness of documentation, coding, and billing records to

1. Protect the practice against the submission of claims that could be construed as false and fraudulent,
2. To identify overpayments received from payers or patients that should be refunded, and
3. To identify under coded claims for fear of insufficient documentation and payer audit.

Such audits typically take two forms:

1. Standards and procedure review
2. Claims submission process review

Alternatively, you may draw 5-10 samples of claims per payer per physician from a high-risk universe in comparison to E and M coding. OIG recommends a typical audit to be performed on an annual basis or upon identifying at least one of the following warning signs

1. Significant change in the number/type of claim rejections
2. Payers challenging the medical necessity or validity of claims
3. High volumes of unusual charge or payment adjustments