[Federal Register Volume 63, Number 243 (Friday, December 18, 1998)]
[Notices]
[Pages 70138-70152]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-33565]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General


Publication of the OIG Compliance Program Guidance for Third-
Party Medical Billing Companies

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This Federal Register notice sets forth the recently issued 
Compliance Program Guidance for Third-Party Medical Billing Companies 
developed by the Office of Inspector General (OIG) in cooperation with, 
and with input from, the Health Care Financing Administration, the 
Department of Justice and representatives of various trade associations 
and health care practice groups. The OIG has previously developed and 
published compliance program guidance focused on the clinical 
laboratory and hospital industries and on home health agencies. We 
believe that the development and issuance of this compliance program 
guidance for third-party medical billing companies will serve as a 
positive step towards promoting a higher level of ethical and lawful 
conduct throughout the entire health care industry.

FOR FURTHER INFORMATION CONTACT: Susan Lemanski, Office of Counsel to 
the Inspector General, (202) 619-2078

SUPPLEMENTARY INFORMATION:

Background

    The creation of compliance program guidance remains a major effort 
by the OIG in its effort to engage the health care community in 
combating fraud and abuse. In formulating compliance guidance, the OIG 
has worked closely with the Health Care Financing Administration 
(HCFA), the Department of Justice (DOJ) and various sectors of the 
health care industry to provide clear guidance to those segments of the 
industry that are interested in reducing fraud and abuse within their 
organizations. The 3 previously-issued compliance program guidances 
were focused on the hospital industry, home health agencies clinical 
laboratories, and were published in the Federal Register on February 
23, 1998 (63 FR 8987), August 7, 1998 (63 FR 42410) and August 24, 1998 
(63 FR 45076) , respectively. The development of these types of 
compliance program guidance is based on our belief that a health care 
provider can use internal controls to more efficiently monitor 
adherence to applicable statutes, regulations and program requirements.

Elements for an Effective Compliance Program

    Through experience, the OIG has identified 7 fundamental elements 
to an effective compliance program. They are:
     Implementing written policies, procedures and standards of 
conduct;
     Designating a compliance officer and compliance committee;
     Conducting effective training and education;
     Developing effective lines of communication;
     Enforcing standards through well-publicized disciplinary 
guidelines;
     Conducting internal monitoring and auditing; and
     Responding promptly to detected offenses and developing 
corrective action.

Third-Party Medical Billing Companies

    Increasingly, third-party medical billing companies are providing 
crucial services that could greatly impact the solvency and stability 
of the Medicare Trust Fund. Health care providers are relying on these 
billing companies to a greater degree in assisting them in processing 
claims in accordance with applicable statutes and regulations. 
Additionally, health care professionals are consulting with billing 
companies to provide timely and accurate advice with regard to 
reimbursement matters, as well as overall business decision-making. As 
a result, the OIG considers compliance program guidance to third-party 
medical billing companies particularly important in efforts to combat 
health care fraud and abuse. Further, because individual billing 
companies may support a variety of providers with different 
specialties, we recommend that billing companies coordinate with their 
provider-clients in establishing compliance responsibilities. Using 
these 7 basic elements outlined above, the OIG has identified specific 
areas of third-party medical billing company operations that may prove 
to be vulnerable to fraud and abuse.
    Like previously-issued OIG compliance guidances, adoption of the 
Compliance Program Guidance for Third-Party Medical Billing Companies 
set forth below will be strictly voluntary. A reprint of this 
compliance program guidance follows:

Office of Inspector General's Compliance Program Guidance for 
Third-Party Medical Billing Companies

I. Introduction

    The Office of Inspector General (OIG) of the Department of Health 
and Human Services (HHS) continues in its efforts to promote 
voluntarily developed and implemented compliance programs for the 
health care industry. The following compliance program guidance is 
intended to assist third-party medical billing companies (hereinafter 
referred to as ``billing companies'') 1 and their agents and 
subcontractors in developing effective internal controls that promote 
adherence to applicable Federal and State law, and the program 
requirements of Federal, State and private health plans.
---------------------------------------------------------------------------

    \1\ For the purposes of this compliance program guidance, 
``third-party medical billing companies'' include clearinghouses and 
value-added networks.
---------------------------------------------------------------------------

    Billing companies are becoming a vital segment of the national 
health care industry.2 Increasingly, health care

[[Page 70139]]

providers 3 are relying on billing companies to assist them 
in processing claims in accordance with applicable statutes and 
regulations. Additionally, health care providers are consulting with 
billing companies to provide timely and accurate advice regarding 
reimbursement matters, as well as overall business decision-making. As 
a result, the OIG considers the compliance guidance for third-party 
medical billing companies particularly important in the partnership to 
defeat health care fraud.
---------------------------------------------------------------------------

    \2\ Recent survey results from the Healthcare Billing and 
Management Association (HBMA) show that its membership processes 
more than 17.6 million claims per month totaling $18 billion a year.
    \3\ For the purposes of this compliance program guidance, 
``provider'' shall include any individual, company, corporation or 
organization that submits claims for reimbursement to a Federal 
health care program. The term ``Federal health care programs'' is 
applied in this document as defined in 42 U.S.C. 1320a-7b(f), which 
includes any plan or program that provides health benefits, whether 
directly, through insurance, or otherwise, which is funded directly, 
in whole or in part by the United States Federal Government (i.e., 
via programs such as Medicare, Federal Employees' Compensation Act, 
Black Lung, or Longshore and Harbor Worker's Compensation Act) or 
any State health plan (e.g., Medicaid, or program receiving funds 
from block grants for social services or child health services). 
Also, for purposes of this document, the term ``Federal health care 
program requirements'' refers to the statutes, regulations, rules, 
requirements, directives and instructions governing Medicare, 
Medicaid and all other Federal health care programs.
---------------------------------------------------------------------------

    At this juncture, it is important to note the tremendous variation 
among billing companies in terms of the type of services 4 
and the manner in which these services are provided to their respective 
clients. For example, some billing companies code the bills for their 
provider clients, while others only process bills that have already 
been coded by the provider. Some billing companies offer a spectrum of 
management services, including accounts receivable management and bad 
debt collections, while others offer only one or none of these 
services. Clearly, variations in services give rise to different 
policies to ensure effective compliance. This guidance does not purport 
to provide instruction on all aspects of regulatory compliance. Rather, 
we have concentrated our attention on general Federal health care 
reimbursement principles. For those billing companies that focus their 
services in a particular sector of the health care industry, the 
billing company should also consult any compliance program guidance 
previously issued by the OIG for that particular sector.5
---------------------------------------------------------------------------

    \4\ Billing companies provide services for virtually every 
aspect of the health care industry. Among the areas of greatest 
concentration for billing companies are: physicians, ambulatory 
surgery centers (ASCs), durable medical equipment, prosthetics, 
orthotics and supplies (DMEPOS) industry, home health agencies 
(HHAs) and hospitals.
    \5\ See 63 FR 45076 (8/24/98) for Compliance Program Guidance 
for Clinical Laboratories; 63 FR 42410 (8/7/98) for Compliance 
Program Guidance for Home Health Agencies; 63 FR 8987 (2/23/98) for 
Compliance Program Guidance for Hospitals. These documents are also 
located on the Internet at http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

    This guidance is pertinent for all billing companies, large or 
small, regardless of the type of services provided. The applicability 
of the recommendations and guidelines provided in this document depend 
on the circumstances of each particular billing company. However, 
regardless of the billing company's size and structure, the OIG 
believes every billing company can and should strive to accomplish the 
objectives and principles underlying all of the compliance policies and 
procedures recommended within this guidance.
    Within this document, the OIG first provides its general views on 
the value and fundamental principles of billing company compliance 
programs, and then provides specific elements that each billing company 
should consider when developing and implementing an effective 
compliance program. Although this document presents basic procedural 
and structural guidance for designing a compliance program, it is not 
in itself a compliance program. Rather, it is a set of guidelines for 
consideration by a billing company interested in implementing a 
compliance program.
    Fundamentally, compliance efforts are designed to establish a 
culture within a billing company that promotes prevention, detection 
and resolution of instances of conduct that do not conform to Federal 
and State law, and Federal, State and private payor health care program 
requirements, as well as the billing company's ethical and business 
policies. In practice, the compliance program should effectively 
articulate and demonstrate the organization's commitment to legal and 
ethical conduct. Eventually, a compliance program should become part of 
the fabric of routine billing company operations.
    Specifically, compliance programs guide a billing company's 
governing body (e.g., boards of directors or trustees), chief executive 
officer (CEO), managers, billing and coding personnel and other 
employees in the efficient management and operation of the company. 
They are especially critical as an internal quality assurance control 
in reimbursement and payment areas, where claims and billing operations 
are often the source of fraud and abuse and, therefore, historically 
have been the focus of Government regulation, scrutiny and sanctions.
    It is incumbent upon a billing company's corporate officers and 
managers to provide ethical leadership to the organization and to 
assure adequate systems are in place to facilitate and promote ethical 
and legal conduct. Employees, managers and the Government will focus on 
the words and actions of a billing company's leadership as a measure of 
the organization's commitment to compliance. Indeed, many billing 
companies have adopted mission statements articulating their commitment 
to high ethical standards. Compliance programs also provide a central 
coordinating mechanism for furnishing and disseminating information and 
guidance on applicable Federal and State statutes, regulations and 
other payor requirements.
    The OIG believes that open and frequent communication 6 
between the billing company and the health care provider is fundamental 
to the success of any compliance endeavor. Billing companies are in a 
unique position with regard to establishing compliance programs. An 
individual billing company may support a variety of providers with 
different specialities and, consequently, different risk areas. It is 
with this in mind that the OIG strongly recommends the billing company 
coordinate with its provider clients to establish compliance 
responsibilities.7 Once the responsibilities have been 
clearly delineated, they should be formalized in the written contract 
between the provider and the billing company. The OIG recommends the 
contract enumerate those functions that are shared responsibilities and 
those that are the sole responsibility of either the billing company or 
the provider. Implementing an effective compliance program requires a 
substantial commitment of time, energy and resources by senior 
management and the billing company's governing body. Superficial 
programs that simply purport to comply with the elements discussed and 
described in this guidance or programs hastily constructed and 
implemented without appropriate ongoing monitoring will

[[Page 70140]]

likely be ineffective and could expose the billing company to greater 
liability than no program at all. Additionally, an ineffective 
compliance program may expose the billing company's provider clients to 
liability where those providers rely on the billing company's expertise 
and its assurances of an effective compliance program. Although it may 
require significant additional resources or reallocation of existing 
resources to implement an effective compliance program, the long term 
benefits of implementing the program significantly outweigh the costs. 
Undertaking a voluntary compliance program is a beneficial investment 
that advances both the billing company's organization and the stability 
and solvency of the Medicare program.
---------------------------------------------------------------------------

    \6\ E.g., the billing company should communicate the results of 
audits, determinations of inappropriate claim submissions and 
notifications of overpayments.
    \7\ At a minimum, the billing company should send a copy of its 
compliance program to all of its provider clients. The billing 
company should also coordinate with its provider clients in the 
development of a training program, an audit plan and policies for 
investigating misconduct.
---------------------------------------------------------------------------

A. Benefits of a Compliance Program

    The OIG believes an effective compliance program provides a 
mechanism that brings the public and private sectors together to reach 
mutual goals of reducing fraud and abuse, improving operational 
quality, improving the quality of health care and reducing the costs of 
health care. Attaining these goals provides positive results to 
business, Government and individual citizens alike. In addition to 
fulfilling its legal duty to ensure that it is not submitting false or 
inaccurate claims to Government and private payors, a billing company 
may gain numerous additional benefits by implementing an effective 
compliance program. These benefits may include:
     The formulation of effective internal controls to assure 
compliance with Federal regulations, private payor policies and 
internal guidelines;
     Improved medical record documentation; 8
---------------------------------------------------------------------------

    \8\ Billing and coding personnel can provide critical advice to 
physicians and other health care providers that may greatly improve 
the quality of medical record documentation.
---------------------------------------------------------------------------

     Improved collaboration, communication and cooperation 
among health care providers and those processing and using health 
information;
     The ability to more quickly and accurately react to 
employees' operational compliance concerns and the capability to 
effectively target resources to address those concerns;
     A more efficient communications system that establishes a 
clear process and structure for addressing compliance concerns quickly 
and effectively;
     A concrete demonstration to employees and the community at 
large of the billing company's strong commitment to honest and 
responsible corporate conduct;
     The ability to obtain an accurate assessment of employee 
and contractor behavior relating to fraud and abuse;
     Increased likelihood of identification and prevention of 
criminal and unethical conduct;
     A centralized source for distributing information on 
health care statutes, regulations and other program directives related 
to fraud and abuse and related issues;
     A methodology that encourages employees to report 
potential problems;
     Procedures that allow the prompt, thorough investigation 
of possible misconduct by corporate officers, managers, employees and 
independent contractors, who can impact billing decisions;
     An improved relationship with the applicable Medicare 
contractor;
     Early detection and reporting, minimizing the loss to the 
Government from false claims, and thereby reducing the billing 
company's exposure to civil damages and penalties, criminal sanctions, 
and administrative remedies, such as program exclusion; 9 
and
---------------------------------------------------------------------------

    \9\ The OIG, for example, will consider the existence of an 
effective compliance program that pre-dated any governmental 
investigation when addressing the appropriateness of administrative 
sanctions. However, the burden is on the billing company to 
demonstrate the operational effectiveness of a compliance program. 
Further, the False Claims Act, 31 U.S.C. 3729-3733, provides that a 
person who has violated the Act, but who voluntarily discloses the 
violation to the Government within thirty days of detection, in 
certain circumstances will be subject to not less than double, as 
opposed to treble, damages. See 31 U.S.C. 3729(a). Thus, the ability 
to react quickly when violations of the law are discovered may 
materially help reduce the billing company's liability.
---------------------------------------------------------------------------

     Enhancement of the structure of the billing company's 
operations and the consistency between separate business units.
    Overall, the OIG believes that an effective compliance program is a 
sound business investment on the part of a billing company.
    The OIG recognizes the implementation of an effective compliance 
program may not entirely eliminate fraud, abuse and waste from an 
organization. However, a sincere effort by billing companies to comply 
with applicable Federal and State standards, as well as the 
requirements of private health care programs, through the establishment 
of an effective compliance program, significantly reduces the risk of 
unlawful or improper conduct.

B. Application of Compliance Program Guidance

    Given the diversity in size and services offered by billing 
companies within the industry, there is no single ``best'' compliance 
program. The OIG understands the variances and complexities within the 
industry and is sensitive to the differences between large and small 
billing companies. Similarly, the OIG understands the availability of 
resources for any one billing company can differ vastly, given that 
billing companies vary greatly in the type of services offered and the 
manner that they are provided. Nonetheless, elements of this guidance 
can be used by all billing companies, regardless of size, location or 
corporate structure, to establish an effective compliance program. The 
OIG recognizes some billing companies may not be able to adopt certain 
elements to the same comprehensive degree that others with more 
extensive resources may achieve. This guidance represents the OIG's 
suggestions on how a billing company can best establish internal 
controls and monitor company conduct to correct and prevent fraudulent 
activities. By no means should the contents of this guidance be viewed 
as an exclusive discussion of the advisable elements of a compliance 
program. On the contrary, the OIG strongly encourages billing companies 
to develop and implement compliance elements that uniquely address the 
individual billing company's risk areas.
    The OIG appreciates that the success of the compliance program 
guidance hinges on thoughtful and practical comments from those 
individuals and organizations that will utilize the tools set forth in 
this document. In a continuing effort to collaborate closely with the 
private sector, the OIG solicited input and support from 
representatives of the major trade associations in the development of 
this compliance program guidance. Further, we took into consideration 
previous OIG publications, such as Special Fraud Alerts,10 
the recent findings and recommendations in reports issued by OIG's 
Office of Audit Services, comments from the HCFA, as well as the 
experience of past and recent fraud investigations related to billing 
companies conducted by OIG's Office of Investigations and the DOJ.
---------------------------------------------------------------------------

    \10\ Special Fraud Alerts are available on the OIG website at 
http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

    As appropriate, this guidance may be modified and expanded as more 
information and knowledge is obtained by the OIG, and as changes in the 
law, and in the rules, policies and procedures of the Federal, State 
and private health plans occur. The OIG understands billing companies 
will need adequate time to react to these

[[Page 70141]]

modifications and expansions and to make any necessary changes to their 
voluntary compliance programs. New compliance practices may eventually 
be incorporated into this guidance if the OIG discovers significant 
enhancements to better ensure an effective compliance program. We 
recognize the development and implementation of compliance programs in 
billing companies often raise sensitive and complex legal and 
managerial issues.11 However, the OIG wishes to offer what 
it believes is critical guidance for those who are sincerely attempting 
to comply with the relevant health care statutes and regulations.
---------------------------------------------------------------------------

    \11\ Nothing stated herein should be substituted for, or used in 
lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------

II. Compliance Program Elements

    The elements proposed by these guidelines are similar to those of 
the clinical laboratory model compliance program guidance published by 
the OIG in February 1997 (updated in August 1998), the hospital 
compliance program guidance published in February 1998, the home health 
compliance program guidance published in August 1998 12 and 
our corporate integrity agreements.13 The elements represent 
a guide that can be tailored to fit the needs and financial realities 
of a particular billing company, large or small, regardless of the type 
of services offered. The OIG is cognizant that with regard to 
compliance programs, one model is not suitable to every organization. 
Nonetheless, the OIG believes every billing company, regardless of 
size, structure or services offered can benefit from the principles 
espoused in this guidance.
---------------------------------------------------------------------------

    \12\ See note 5.
    \13\ Corporate integrity agreements are executed as part of a 
civil settlement agreement between the health care provider or 
entity responsible for billing for the provider and the Government 
to resolve a case based on allegations of health care fraud or 
abuse. These OIG-imposed programs are in effect for a period of 
three to five years and require many of the elements included in 
this compliance guidance.
---------------------------------------------------------------------------

    The OIG believes every effective compliance program must begin with 
a formal commitment 14 by the billing company's governing 
body to include all of the applicable elements listed below. These 
elements are based on the seven steps of the Federal Sentencing 
Guidelines.15 We believe every billing company can implement 
all of the recommended elements, expanding upon the seven steps of the 
Federal Sentencing Guidelines. The OIG recognizes full implementation 
of all elements may not be immediately feasible for all billing 
companies. However, as a first step, a good faith and meaningful 
commitment on the part of the billing company administration, 
especially the governing body and the CEO, will substantially 
contribute to the program's successful implementation. As the 
compliance program is implemented, that commitment should cascade down 
through the management to every employee in the organization. At a 
minimum, comprehensive compliance programs should include the following 
seven elements:
---------------------------------------------------------------------------

    \14\ Formal commitment may include a resolution by the board of 
directors, where applicable. A formal commitment does include the 
allocation of adequate resources to ensure that each of the elements 
is addressed.
    \15\ See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, comment. (n.3(k)). The Federal Sentencing 
Guidelines are detailed policies and practices for the Federal 
criminal justice system that prescribe appropriate sanctions for 
offenders convicted of Federal crimes.
---------------------------------------------------------------------------

    (1) The development and distribution of written standards of 
conduct, as well as written policies and procedures that promote the 
billing company's commitment to compliance (e.g., by including 
adherence to the compliance program as an element in evaluating 
managers and employees) and that address specific areas of potential 
fraud, such as the claims submission process, code gaming and financial 
relationships with its providers;
    (2) The designation of a chief compliance officer and other 
appropriate bodies, e.g., a corporate compliance committee, charged 
with the responsibility of operating and monitoring the compliance 
program and who report directly to the CEO and the governing body; 
16
---------------------------------------------------------------------------

    \16\ The integral functions of a compliance officer and a 
corporate compliance committee in implementing an effective 
compliance program are discussed throughout this compliance 
guidance. However, the OIG recognizes that the differences in the 
sizes and structures of billing companies will result in differences 
in the ways in which compliance programs are set up. The important 
thing is that the billing company structures its compliance program 
in such a way that the program is able to accomplish the key 
functions of a corporate compliance officer and a corporate 
compliance committee discussed within this document.
---------------------------------------------------------------------------

    (3) The development and implementation of regular, effective 
education and training programs for all affected employees; 
17
---------------------------------------------------------------------------

    \17\ Training and education programs for billing companies 
should be detailed and comprehensive. They should cover specific 
billing and coding procedures, as well as the general areas of 
compliance.
---------------------------------------------------------------------------

    (4) The creation and maintenance of a process, such as a hotline, 
to receive complaints and the adoption of procedures to protect the 
anonymity of complainants and to protect callers from retaliation;
    (5) The development of a system to respond to allegations of 
improper/illegal activities and the enforcement of appropriate 
disciplinary action against employees who have violated internal 
compliance policies, applicable statutes, regulations or Federal, State 
or private payor health care program requirements;
    (6) The use of audits and/or other risk evaluation techniques to 
monitor compliance and assist in the reduction of identified problem 
areas;18 and
---------------------------------------------------------------------------

    \18\ For example, spot-checking the work of coding and billing 
personnel periodically should be an element of an effective 
compliance program. Identification of risk areas, discussed in 
further detail in section II.A.2, is the first step in correcting 
aberrant billing patterns.
---------------------------------------------------------------------------

    (7) The investigation and correction of identified systemic 
problems and the development of policies addressing the non-employment 
of sanctioned individuals.

A. Written Policies and Procedures

    Every compliance program should require the development and 
distribution of written compliance policies, standards and practices 
that identify specific areas of risk and vulnerability to the billing 
company. These policies should be developed under the direction and 
supervision of the chief compliance officer and the compliance 
committee (if such a committee is practicable for the billing company) 
and, at a minimum, should be provided to all individuals who are 
affected by the particular policy at issue, including the billing 
company's agents and independent contractors 19 who may 
affect billing decisions.
---------------------------------------------------------------------------

    \19\ According to the Federal Sentencing Guidelines, an 
organization must have established compliance standards and 
procedures to be followed by its employees and other agents in order 
to receive sentencing credit for an ``effective'' compliance 
program. The Federal Sentencing Guidelines define ``agent'' as ``any 
individual, including a director, an officer, an employee, or an 
independent contractor, authorized to act on behalf of the 
organization.'' See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(d).
---------------------------------------------------------------------------

1. Standards of Conduct
    Billing companies should develop standards of conduct for all 
affected employees that include a clearly delineated commitment to 
compliance by the billing company's senior management 20 and 
its divisions. The standards should function in the same fashion as a 
constitution, i.e., as a foundational document that details the

[[Page 70142]]

fundamental principles, values and framework for action within an 
organization. Standards should articulate the billing company's 
commitment to comply with all Federal and State standards, with an 
emphasis on preventing fraud and abuse. They should state the 
organization's mission, goals and ethical principles relating to 
compliance and clearly define the organization's commitment to 
compliance and its expectations for all billing company governing body 
members, officers, managers, employees, and, where appropriate, 
contractors and other agents. The standards should promote integrity, 
support objectivity and foster trust. Standards should not only address 
compliance with statutes and regulations, but should also set forth 
broad principles that guide employees in conducting business 
professionally and properly. Furthermore, a billing company's standards 
of conduct should reflect a commitment to the highest quality health 
data submission, as evidenced by its accuracy, reliability, timeliness 
and validity.
---------------------------------------------------------------------------

    \20\ The OIG strongly encourages high-level involvement by the 
billing company's governing body, chief executive officer, chief 
operating officer, general counsel and chief financial officer, in 
the development of standards of conduct. Such involvement should 
help communicate a strong and explicit organizational commitment to 
compliance goals and standards.
---------------------------------------------------------------------------

2. Written Policies for Risk Areas
    As part of its commitment to compliance, billing companies should 
establish a comprehensive set of policies that delineate billing and 
coding procedures for the company. In contrast to the standards of 
conduct, which are designed to be a clear and concise collection of 
fundamental standards, the written policies should articulate specific 
procedures personnel should follow when submitting initial or follow-up 
claims to Federal health care programs.
    Among the issues to be addressed in the polices are the education 
and training requirements for billing and coding personnel; the risk 
areas for fraud, waste and abuse; the integrity of the billing 
company's information system; the methodology for resolving ambiguities 
in the provider's paperwork;21 the procedure for identifying 
and reporting credit balances; and the procedure to ensure duplicate 
bills are not submitted in an attempt to gain duplicate payment.
---------------------------------------------------------------------------

    \21\ Billing company personnel should maintain an open dialogue 
with their providers regarding documentation issues. If the 
documentation received from a provider is ambiguous or conflicting, 
the billing company should contact the provider for clarification or 
resolution.
---------------------------------------------------------------------------

    Billing companies that provide coding services should provide 
additional policies for risk areas that apply specifically to 
coding.22 The policies and procedures should describe the 
necessary steps to take in reviewing a billing document. Specific 
attention should be placed on the proper steps the coder should take if 
unable to locate a code for a documented diagnosis or procedure or if 
the medical record documentation is not sufficient to determine a 
diagnosis or procedure.23 Billing companies that provide 
additional services should consider consulting an attorney for guidance 
on other regulatory issues.24
---------------------------------------------------------------------------

    \22\ See section II.A.2.b.
    \23\ If the coding staff finds the physician's documentation to 
be unclear or conflicting, then they should ask the physician for 
clarification. This will frequently allow the coder to choose a more 
appropriate code. If the coder does not know how to code a 
particular type of bill for Medicare payment, he or she should first 
consult with a supervisor. If the question persists, the supervisor 
should contact the provider's carrier/intermediary. The billing 
company could also contact an authoritative coding organization. For 
example, the American Hospital Association maintains a central 
office on ICD-9-CM. All such correspondence should be maintained in 
a log. In the rare instance that the documentation appears to be for 
a new type of disease or syndrome, the supervisor can send an 
inquiry to the National Center for Health Statistics, 6525 Belcrest 
Road, Room 1100, Hyattsville, MD 20782.
    \24\ For example, billing companies that provide marketing 
services should develop policies to ensure compliance with the anti-
kickback statute. 42 U.S.C. 1320a-7b(b). In addition, such policies 
should provide that the billing company shall not submit or cause to 
be submitted to health care programs claims for patients by virtue 
of a compensation agreement that was designed to induce such 
referrals in violation of the anti-kickback statute, or similar 
Federal or State statute or regulation. Further, the policies and 
procedures should reference the OIG's safe harbor regulations, 
clarifying those payment practices that would be immune from 
prosecution under the anti-kickback statute. See 42 CFR 1001.952.
---------------------------------------------------------------------------

a. Risk Assessment--All Billing Companies
    The OIG believes a billing company's written policies and 
procedures, its educational program and its audit and investigation 
plans should take into consideration the particular statutes, rules and 
program instructions that apply to each function or department of the 
billing company. Consequently, we recommend coordination between these 
functions with an emphasis on areas of special concern that have been 
identified by the OIG through its investigative and audit 
functions.25 Furthermore, the OIG recommends that billing 
companies conduct a comprehensive self-administered risk analysis or 
contract for an independent risk analysis by experienced health care 
consulting professionals. This risk analysis should identify and rank 
the various compliance and business risks the company may experience in 
its daily operations.
---------------------------------------------------------------------------

    \25\ The OIG periodically issues Special Fraud Alerts setting 
forth activities believed to raise legal and enforcement issues. 
Billing company compliance programs should require the legal staff, 
chief compliance officer or other appropriate personnel to carefully 
consider any and all Special Fraud Alerts issued by the OIG that 
relate to health care providers to which they offer services. 
Moreover, the compliance programs should address the ramifications 
of failing to cease and correct any conduct criticized in such a 
Special Fraud Alert, if applicable to billing companies, or to take 
reasonable action to prevent such conduct from reoccurring in the 
future. If appropriate, billing companies should take the steps 
described in Section G regarding investigations, reporting and 
correction of identified problems.
---------------------------------------------------------------------------

    Once completed, the risk analysis should serve as the basis for the 
written policies the billing company should develop. The OIG has 
provided the following specific list of particular risk areas that 
should be addressed by billing companies. It should be noted that this 
list is not all-encompassing and the risk analysis completed as a 
result of the company's audit may provide a more individualized road 
map. Nonetheless, this list is a compilation of several years of OIG 
audits, investigations and evaluations and should provide a solid 
starting point for a company's initial effort.
    Among the risk areas the OIG has identified as particularly 
problematic are:26
---------------------------------------------------------------------------

    \26\ The OIG's work plan is currently available on the Internet 
at http://www.dhhs.gov/progorg/oig. The OIG Work Plan details the 
various projects the OIG intends to address in the fiscal year. The 
Work Plan contains the projects of the Office of Audit Services, 
Office of Evaluation and Inspections, Office of Investigations and 
the Office of Counsel to the Inspector General.
---------------------------------------------------------------------------

     Billing for items or services not actually 
documented;27
---------------------------------------------------------------------------

    \27\ Billing for items or services not actually documented 
involves submitting a claim that cannot be substantiated in the 
documentation.
---------------------------------------------------------------------------

     Unbundling;28
---------------------------------------------------------------------------

    \28\ Unbundling occurs when a billing entity uses separate 
billing codes for services that have an aggregate billing code.
---------------------------------------------------------------------------

     Upcoding,29 such as, for example, DRG 
creep;30
---------------------------------------------------------------------------

    \29\ Upcoding reflects the practice of using a billing code that 
provides a higher reimbursement rate than the billing code that 
actually reflects the service furnished to the patient. Upcoding has 
been a major focus of the OIG's law enforcement efforts. In fact, 
the Health Insurance Portability and Accountability Act of 1996 
added another civil monetary penalty to the OIG's sanction 
authorities for upcoding violations. See 42 U.S.C. 1320a-
7a(a)(1)(A).
    \30\ DRG creep is a variety of upcoding that involves the 
practice of billing using a Diagnosis Related Group (DRG) code that 
provides a higher reimbursement rate than the DRG code that 
accurately reflects patient's diagnosis.
---------------------------------------------------------------------------

     Inappropriate balance billing;31
---------------------------------------------------------------------------

    \31\ Inappropriate balance billing refers to the practice of 
billing Medicare beneficiaries for the difference between the total 
provider charges and the Medicare Part B allowable payment.
---------------------------------------------------------------------------

     Inadequate resolution of overpayments;32
---------------------------------------------------------------------------

    \32\ An overpayment is an improper or excessive payment made to 
a health care provider as a result of patient billing or claims 
processing errors for which a refund is owed by the provider. 
Examples of Medicare overpayments include instances where a provider 
is: (1) Paid twice for the same service either by Medicare or by 
Medicare and another insurer or beneficiary; or (2) paid for 
services planned but not performed or for non-covered services. 
Billing companies should institute procedures to provide for timely 
and accurate reporting to both the provider and the health care 
program of overpayments.

---------------------------------------------------------------------------

[[Page 70143]]

     Lack of integrity in computer systems;33
---------------------------------------------------------------------------

    \33\ Because billing companies are in the business of processing 
health care information, it is essential they develop policies and 
procedures to ensure the integrity of the information they process 
and to ensure that records can be easily located and accessed within 
a well-organized filing or alternative retrieval system. All billing 
companies should have a back-up system (whether by disk, tape or 
system) to ensure the integrity of data. Policies should provide for 
a regular system back-up to ensure that no information is lost.
---------------------------------------------------------------------------

     Computer software programs that encourage billing 
personnel to enter data in fields indicating services were rendered 
though not actually performed or documented;
     Failure to maintain the confidentiality of information/
records;34
---------------------------------------------------------------------------

    \34\ All billing companies should develop, implement, audit and 
enforce policies and procedures to ensure the confidentiality and 
privacy of financial, medical, personnel and other sensitive 
information in their possession. These policies should address both 
electronic and hard copy documents.
---------------------------------------------------------------------------

     Knowing misuse of provider identification numbers, which 
results in improper billing;35
---------------------------------------------------------------------------

    \35\ Of particular concern, billing companies should be aware of 
the provisions of reassignment of benefits. These provisions govern 
who may receive payment due to a provider or supplier of services or 
a beneficiary. See 42 CFR Secs. 424.70-424.80. See also Medicare 
Carrier Manual Sec. 3060.10.
---------------------------------------------------------------------------

     Outpatient services rendered in connection with inpatient 
stays; 36
---------------------------------------------------------------------------

    \36\ Billing companies that submit claims for non-physician 
outpatient services that were already included in the hospital's 
inpatient payment under the Prospective Payment System (PPS) are in 
effect submitting duplicate claims.
---------------------------------------------------------------------------

     Duplicate billing in an attempt to gain duplicate payment; 
37
---------------------------------------------------------------------------

    \37\ Duplicate billing occurs when the billing company submits 
more than one claim for the same service or the bill is submitted to 
more than one primary payor at the same time. Although duplicate 
billing can occur due to simple error, knowing duplicate billing--
which is sometimes evidenced by systematic or repeated double 
billing--can create liability under criminal, civil or 
administrative law, particularly if any overpayment is not promptly 
refunded.
---------------------------------------------------------------------------

     Billing for discharge in lieu of transfer; 38
---------------------------------------------------------------------------

    \38\ Under the Medicare regulations, when a PPS hospital 
transfers a patient to another PPS hospital, only the hospital to 
which the patient was transferred may charge the full DRG; the 
transferring hospital should charge Medicare only a per diem amount. 
See 42 CFR 412.4.
---------------------------------------------------------------------------

     Failure to properly use modifiers; 39
---------------------------------------------------------------------------

    \39\ A modifier, as defined by the CPT-4 manual, provides the 
means by which the reporting position (or provider) can indicate a 
service or procedure that has been performed has been altered by 
some specific circumstance, but not changed in its definition or 
code. Assuming the modifier is used correctly and appropriately, 
this specificity provides the justification for payment for these 
services. For correct use of modifiers, the billing company should 
reference the appropriate sections of the Medicare carrier manual. 
For general information on the correct use of modifiers, the billing 
personnel should also reference the Correct Coding Initiative. See 
Medicare Carrier Manual Sec. 4630.
---------------------------------------------------------------------------

     Billing company incentives that violate the anti-kickback 
statute or other similar Federal or State statute or regulation; 
40
---------------------------------------------------------------------------

    \40\ For billing companies that provide marketing services, 
percentage arrangements may implicate the anti-kickback statute. See 
42 U.S.C. 1320a-7b(b) and 59 FR 65372 (12/19/94). Cf. OIG Ad. Op. 
98-10 (1998). The OIG has a longstanding concern that percentage 
billing arrangements may increase the risk of upcoding and similar 
abusive billing practices. See, e.g., OIG Ad. Op. 98-1 (1998) and 
OIG Ad. Op. 98-4 (1998).
---------------------------------------------------------------------------

     Joint ventures; 41
---------------------------------------------------------------------------

    \41\ The OIG is troubled by the proliferation of business 
arrangements that may violate the anti-kickback statute. Such 
arrangements are generally established between those in a position 
to refer business, such as physicians, and those providing items or 
services for which a Federal health care program pays. Sometimes 
established as ``joint ventures,'' these arrangements may take a 
variety of forms. The OIG currently has a number of investigations 
and audits underway that focus on such areas of concern. Similarly, 
the billing company should not confer gifts/entertainment upon the 
client-provider as this could also implicate the anti-kickback 
statute.
---------------------------------------------------------------------------

     Routine waiver of copayments and billing third-party 
insurance only; 42 and
---------------------------------------------------------------------------

    \42\ Billing companies should encourage providers to make a good 
faith effort to collect copayments, deductibles and non-covered 
services from federally and privately-insured patients. Billing 
``insurance only'' may violate the False Claims Act, the anti-
kickback statute, the Civil Monetary Penalties Law, 42 U.S.C. 1320a-
7a(a)5, as amended by Pub. L. 104-91 section 231(h), and State laws. 
For additional information on this problem, the OIG has published a 
Special Fraud Alert on the routine waiver of copayments or 
deductibles under Medicare Part B. See 59 FR 65,373 (12/19/94).
---------------------------------------------------------------------------

     Discounts and professional courtesy.43
---------------------------------------------------------------------------

    \43\ Discounts and professional courtesy may not be appropriate 
unless the total fee is discounted or reduced. In such situations, 
the payor (e.g., Medicare, Medicaid or any other private payor) 
should receive its proportional share of the discount or reduction.
---------------------------------------------------------------------------

    A billing company's prior history of noncompliance with applicable 
statutes, regulations and Federal health care program requirements may 
indicate additional types of risk areas where the billing company may 
be vulnerable and may require necessary policy measures to prevent 
avoidable recurrence.44 Additional risk areas should be 
assessed by billing companies as well as incorporated into the written 
policies and procedures and training elements developed as part of 
their compliance programs.
---------------------------------------------------------------------------

    \44\ ``Recurrence of misconduct similar to that which an 
organization has previously committed casts doubt on whether it took 
all reasonable steps to prevent such misconduct'' and is a 
significant factor in the assessment of whether a compliance program 
is effective. See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(7)(ii).
---------------------------------------------------------------------------

    Billing companies that do not code bills should implement policies 
that require notification to the provider who is coding to implement 
and follow compliance safeguards with respect to documentation of 
services rendered. Moreover, the OIG recommends that billing companies 
who do not code for their provider clients incorporate in their 
contractual agreements the provider's acknowledgment and agreement to 
address the following coding compliance safeguards.45
---------------------------------------------------------------------------

    \45\ The following risk areas are in no way a comprehensive list 
of risk areas for health care providers. They are merely a suggested 
list of documentation risks. They do not address the additional risk 
areas that apply to health care providers (e.g., medical necessity 
issues).
---------------------------------------------------------------------------

b. Risk Assessment--Billing Companies That Provide Coding Services
    The written policies and procedures concerning proper coding should 
reflect the current reimbursement principles set forth in applicable 
statutes, regulations 46 and Federal, State or private payor 
health care program requirements and should be developed in tandem with 
organizational standards. Furthermore, written policies and procedures 
should ensure that coding and billing are based on medical record 
documentation. Particular attention should be paid to issues of 
appropriate diagnosis codes, DRG coding, individual Medicare Part B 
claims (including documentation guidelines for evaluation and 
management services) and the use of patient discharge 
codes.47 The billing company should also institute a policy 
that all rejected claims pertaining to diagnosis and procedure codes be 
reviewed by the coder or the coding department. This should facilitate 
a

[[Page 70144]]

reduction in similar errors. Among the risk areas that billing 
companies who provide coding services should address are:
---------------------------------------------------------------------------

    \46\ The official coding guidelines are promulgated by the HCFA, 
the National Center for Health Statistics, the American Medical 
Association and the American Health Information Management 
Association. See International Classification of Diseases, 9th 
Revision, Clinical Modification (ICD-9 CM) (and its successors); 
1998 HCFA Common Procedure Coding System (HCPCS) (and its 
successors); and Physicians' Current Procedural Terminology 
(CPT)TM. In addition, there are specialized coding 
systems for specific segments of the health care industry. Among 
these are ADA (for dental procedures), DSM IV (psychiatric health 
benefits) and DMERCs (for durable medical equipment, prosthetics, 
orthotics and supplies).
    \47\ The failure of a provider to: (i) Document items and 
services rendered; and (ii) properly submit them for reimbursement 
is a major area of potential fraud and abuse in Federal health care 
programs. The OIG has undertaken numerous audits, investigations, 
inspections and national enforcement initiatives aimed at reducing 
potential and actual fraud, abuse and waste in these areas.
---------------------------------------------------------------------------

     Internal coding practices; 48
---------------------------------------------------------------------------

    \48\ Internal coding practices, including software edits, should 
be reviewed periodically to determine consistency with all 
applicable Federal, State and private payor health care program 
requirements.
---------------------------------------------------------------------------

     ``Assumption'' coding; 49
---------------------------------------------------------------------------

    \49\ This refers to the coding of a diagnosis or procedure 
without supporting clinical documentation. Coding personnel must be 
aware of the need for documented verification of services from the 
attending physician.
---------------------------------------------------------------------------

     Alteration of the documentation;
     Coding without proper documentation 50 of all 
physician and other professional services;
---------------------------------------------------------------------------

    \50\ While proper documentation is the responsibility of the 
health care provider, the coder should be aware of proper 
documentation requirements and should encourage providers to 
document their services appropriately. Depending on the 
circumstances, proper documentation can include:
    (1) The reason for the patient encounter;
    (2) An appropriate history and evaluation;
    (3) Documentation of all services;
    (4) Documentation of reasons for the services;
    (5) An ongoing assessment of the patient's condition;
    (6) Information on the patient's progress and treatment outcome;
    (7) A documented treatment plan;
    (8) A plan of care, including treatments, medications (including 
dosage and frequency), referrals and consultations, patient and 
family education, and follow-up care;
    (9) Changes in treatment plan;
    (10) Documentation of medical rationale for the services 
rendered;
    (11) Documentation that supports the standards of medical 
necessity, e.g., certificates of medical necessity for DMEPOS and 
home health services;
    (12) Abnormal test results addressed in the physician's 
documentation;
    (13) Identification of relevant health risk factors;
    (14) Documentation that meets the E & M codes billed;
    (15) Medical records that are dated and authenticated; and/or
    (16) Prescriptions.
    Billing companies should also reference the Documentation 
Guidelines for Evaluation and Management (E/M) Services, published 
by the HCFA. These guidelines are available on the Internet at 
http://www.hcfa.gov/medicare/mcarpti.htm.
---------------------------------------------------------------------------

     Billing for services provided by unqualified or unlicensed 
clinical personnel;
     Availability of all necessary documentation at the time of 
coding; and
     Employment of sanctioned individuals.51
---------------------------------------------------------------------------

    \51\ Billing companies should ensure that they do not employ or 
contract with individuals that have been sanctioned by the OIG or 
barred from Federal procurement programs. The Cumulative Sanction 
Report is available on the Internet at http://www.dhhs.gov/progorg/
oig. In addition, the General Services Administration maintains a 
monthly listing of debarred contractors on the Internet at http://
www.arnet.gov/epls.
---------------------------------------------------------------------------

    Billing companies that provide coding services should maintain an 
up-to-date, user-friendly index for coding policies and procedures to 
ensure that specific information can be readily located. Similarly, for 
billing companies that provide coding services, the billing company 
should assure that essential coding materials are readily accessible to 
all coding staff.52
---------------------------------------------------------------------------

    \52\ Examples of reference resources necessary for proper coding 
include: a medical dictionary; an anatomy/physiology textbook; up-
to-date ICD, HCPCS and CPTTM code books; Physician's Desk 
Reference; Merck Manual; the applicable contractor's provider 
manual; and subscriptions to the American Hospital Association's 
Coding Clinic for ICD-9-CM (and its successors) and the American 
Medical Association's CPT Assistant.
---------------------------------------------------------------------------

    Finally, billing companies should emphasize in their standards the 
importance of safeguarding the confidentiality of medical, financial 
and other personal information in their possession.
3. Claim Submission Process
    A number of the risk areas identified above, pertaining to the 
claim development and submission process, have been the subject of 
administrative proceedings, as well as investigations and prosecutions 
under the civil False Claims Act and criminal statutes. Settlement of 
these cases often has required the defendants to execute corporate 
integrity agreements, in addition to paying significant civil damages 
and/or criminal fines and penalties. These corporate integrity 
agreements have provided the OIG with a mechanism to advise billing 
companies concerning acceptable practices to ensure compliance with 
applicable Federal and State statutes, regulations and program 
requirements. The following recommendations include a number of 
provisions from various corporate integrity agreements. Although these 
recommendations include examples of effective policies, each billing 
company should develop its own specific policies tailored to fit its 
individual needs.
    With respect to claims, a billing company's written policies and 
procedures should reflect and reinforce current Federal and State 
statutes. The policies must create a mechanism for the billing or 
reimbursement staff to communicate effectively and accurately with the 
health care provider. Policies and procedures should:
     Ensure that proper and timely documentation of all 
physician and other professional services is obtained prior to billing 
to ensure that only accurate and properly documented services are 
billed;
     Emphasize that claims should be submitted only when 
appropriate documentation supports the claims and only when such 
documentation is maintained, appropriately organized in legible form 
and available for audit and review. The documentation, which may 
include patient records, should record the time spent in conducting the 
activity leading to the record entry and the identity of the individual 
providing the service;
     Indicate that the diagnosis and procedures reported on the 
reimbursement claim should be based on the medical record and other 
documentation, and that the documentation necessary for accurate code 
assignment should be available to coding staff at the time of coding. 
The HCFA Common Procedure Coding System (HCPCS), International 
Classification of Disease (ICD), Current Procedural Terminology 
(CPTTM), any other applicable code or revenue code (or 
successor code(s) ) used by the coding staff should accurately describe 
the service that was ordered by the physician;
     Provide that the compensation for billing department 
coders and billing consultants should not provide any financial 
incentive to improperly upcode claims; 53
---------------------------------------------------------------------------

    \53\ See OIG Ad. Op. 98-1 (1998) and OIG Ad. Op. 98-4 (1998). 
See also 42 CFR 424.73.
---------------------------------------------------------------------------

     Establish and maintain a process for pre- and post-
submission review of claims 54 to ensure claims submitted 
for reimbursement accurately represent services provided, are supported 
by sufficient documentation and are in conformity with any applicable 
coverage criteria for reimbursement; and
---------------------------------------------------------------------------

    \54\ The OIG recommends that, at a minimum, a valid statistical 
sample of claims be reviewed annually both before and after billing 
is submitted. This review should be done by a qualified expert in 
the applicable coding process.
---------------------------------------------------------------------------

     Obtain clarification from the provider when documentation 
is confusing or lacking adequate justification.
    Because coding for providers often involves the interpretation of 
medical diagnosis and other clinical data and documentation, a billing 
company may wish to contract with/assign a qualified physician to 
provide guidance to the coding staff regarding clinical issues. 
Procedures should be in place to access medical experts when necessary. 
Such procedures should allow for medical personnel to be available for 
guidance without interrupting or interfering with the quality of 
patient care.
4. Credit Balances
    Credit balances occur when payments, allowances or charge reversals 
posted to an account exceed

[[Page 70145]]

the charges to the account. Providers and their billers should 
establish policies and procedures, as well as responsibility, for 
timely and appropriate identification and resolution of these 
overpayments.55 For example, a billing company may 
redesignate segments of its information system to allow for the 
segregation of patient accounts reflecting credit balances. The billing 
company could remove these accounts from the active accounts and place 
them in a holding account pending the processing of a reimbursement 
claim to the appropriate payor. A billing company's information system 
should have the ability to print out the individual patient accounts 
that reflect a credit balance in order to permit simplified tracking of 
credit balances. The billing company should maintain a complete audit 
trail of all credit balances.
---------------------------------------------------------------------------

    \55\ The billing company should also refer to State escheat laws 
for the specific requirements relating to notifications, time 
periods and payment of any unclaimed funds.
---------------------------------------------------------------------------

    In addition, a billing company should designate at least one person 
(e.g., in the patient accounts department or reasonable equivalent 
thereof) as having the responsibility for the tracking, recording and 
reporting of credit balances. Further, a comptroller or an accountant 
in the billing company's accounting department (or reasonable 
equivalent thereof) may review reports of credit balances and 
adjustments on a monthly basis as an additional safeguard.
5. Integrity of Data Systems
    Increasingly, the health care industry is using electronic data 
interchange (EDI) to conduct business more quickly and efficiently. As 
a result, the industry is relying on the capabilities of computers. 
Billing companies should establish procedures for maintaining the 
integrity of its data collection systems. This should include 
procedures for regularly backing-up data (either by diskette, 
restricted system or tape) to ensure the accuracy of all data collected 
in connection with submission of claims and reporting of credit 
balances. At all times, the billing company should have a complete and 
accurate audit trail. Additionally, billing companies should develop a 
system to prevent the contamination of data by outside parties. This 
system should include regularly scheduled virus checks. Finally, 
billing companies should ensure that electronic data are protected 
against unauthorized access or disclosure.
6. Retention of Records
    Billing company compliance programs should provide for the 
implementation of a records system. This system should establish 
policies and procedures regarding the creation, distribution, 
retention, storage, retrieval and destruction of documents. The three 
types of documents developed under this system should include: (1) All 
records and documentation required by either Federal or State law and 
the program requirements of Federal, State and private health plans 
(for billing companies, this should include all documents related to 
the billing and coding process); (2) records listing the persons 
responsible for implementing each part of the compliance plan; and (3) 
all records necessary to protect the integrity of the billing company's 
compliance process and confirm the effectiveness of the program. The 
documentation necessary to satisfy the third requirement includes: 
evidence of adequate employee training; reports from the billing 
company's hotline; results of any investigation conducted as a 
consequence of a hotline call; modifications to the compliance program; 
self-disclosure; all written notifications to providers; 56 
and the results of the billing company's auditing and monitoring 
efforts.
---------------------------------------------------------------------------

    \56\ This should include notifications regarding: inappropriate 
claims; overpayments; and termination of the contract.
---------------------------------------------------------------------------

7. Compliance as an Element of a Performance Plan
    Compliance programs should require that the promotion of, and 
adherence to, the elements of the compliance program be a factor in 
evaluating the performance of all employees. Employees should be 
periodically trained in new compliance policies and procedures. In 
addition, all managers and supervisors involved in the coding and 
claims submission processes should:
     Discuss with all supervised employees and relevant 
contractors the compliance policies and legal requirements applicable 
to their function;
     Inform all supervised personnel that strict compliance 
with these policies and requirements is a condition of employment; and
     Disclose to all supervised personnel that the billing 
company will take disciplinary action up to and including termination 
for violation of these policies or requirements.
    In addition to making performance of these duties an element in 
evaluations, the compliance officer or company management should 
include a policy that managers and supervisors will be sanctioned for 
failure to instruct adequately their subordinates or for failure to 
detect noncompliance with applicable policies and legal requirements, 
where reasonable diligence on the part of the manager or supervisor 
should have led to the discovery of any problems or violations.

B. Designation of a Compliance Officer and a Compliance Committee

1. Compliance Officer
    Every billing company should designate a compliance officer to 
serve as the focal point for compliance activities. This responsibility 
may be the individual's sole duty or added to other management 
responsibilities, depending upon the size and resources of the billing 
company and the complexity of the task. For those billing companies 
that have limited resources, the compliance function could be 
outsourced to an expert in compliance.57
---------------------------------------------------------------------------

    \57\ If the billing company chooses to outsource the compliance 
function, the OIG recommends the billing company engage an 
individual with significant experience in the billing and coding 
industries. Multiple small billing and coding facilities may 
contract with an individual to job-share the individual's time and 
expertise in the area of compliance.
---------------------------------------------------------------------------

    Designating a compliance officer with the appropriate authority is 
critical to the success of the program, necessitating the appointment 
of a high-level official in the billing company with direct access to 
the company's governing body, the CEO, all other senior management and 
legal counsel.58 The officer should have sufficient funding 
and staff to perform his or her responsibilities fully. Coordination 
and communication are the key functions of the compliance officer with 
regard to planning, implementing and monitoring the compliance program. 
With this in mind, the OIG recommends the billing company's compliance 
officer closely coordinate compliance functions with the provider's 
compliance officer.
---------------------------------------------------------------------------

    \58\ The OIG believes that it is not advisable for the 
compliance function to be subordinate to the billing company's 
general counsel, or comptroller or similar billing company financial 
officer. Free standing compliance functions help to ensure 
independent and objective legal reviews and financial analyses of 
the institution's compliance efforts and activities. By separating 
the compliance function from the key management positions of general 
counsel or chief financial officer (where the size and structure of 
the billing company make this a feasible option), a system of checks 
and balances is established to more effectively achieve the goals of 
the compliance program.
---------------------------------------------------------------------------

    The compliance officer's primary responsibilities should include:

[[Page 70146]]

     Overseeing and monitoring the implementation of the 
compliance program; 59
---------------------------------------------------------------------------

    \59\ For multi-site billing companies, the OIG encourages 
coordination with each billing facility owned by the billing company 
through the use of a corporate compliance officer.
---------------------------------------------------------------------------

     Reporting on a regular basis to the billing company's 
governing body, CEO and compliance committee (if applicable) on the 
progress of implementation and assisting these components in 
establishing methods to improve the billing company's efficiency and 
quality of services and to reduce the billing company's vulnerability 
to fraud, abuse and waste;
     Periodically revising the program in light of changes in 
the organization's needs and in the law and policies and procedures of 
Government and private payor health plans;
     Reviewing employees' certifications that they have 
received, read and understood the standards of conduct;
     Developing, coordinating and participating in a 
multifaceted educational and training program that focuses on the 
elements of the compliance program and seeks to ensure that all 
appropriate employees and management are knowledgeable of, and comply 
with, pertinent Federal and State standards;
     Coordinating personnel issues with the billing company's 
human resources/personnel office (or its equivalent) to ensure that 
providers and employees do not appear in the Cumulative Sanction 
Report; 60
---------------------------------------------------------------------------

    \60\ See note 51.
---------------------------------------------------------------------------

     Assisting the billing company's financial management in 
coordinating internal compliance review and monitoring activities, 
including annual or periodic reviews of departments;
     Independently investigating and acting on matters related 
to compliance, including the flexibility to design and coordinate 
internal investigations (e.g., responding to reports of problems or 
suspected violations) and any resulting corrective action with all 
billing departments, providers and sub-providers, agents and, if 
appropriate, independent contractors;
     Developing policies and programs that encourage managers 
and employees to report suspected fraud and other improprieties without 
fear of retaliation; and
     Continuing the momentum of the compliance program and the 
accomplishment of its objectives long after the initial years of 
implementation.61
---------------------------------------------------------------------------

    \61\ Periodic on-site visits of the billing company's 
operations, bulletins with compliance updates and reminders, 
distribution of audiotapes or videotapes on different risk areas, 
lectures at management and employee meetings, circulation of recent 
health care articles covering fraud and abuse and innovative changes 
to compliance training are various examples of approaches and 
techniques the compliance officer can employ for the purpose of 
ensuring continued interest in the compliance program and the 
billing company's commitment to its principles and policies.
---------------------------------------------------------------------------

    The compliance officer must have the authority to review all 
documents and other information that are relevant to compliance 
activities, including, but not limited to, patient records (where 
appropriate), billing records and records concerning the marketing 
efforts of the facility and the billing company's arrangements with 
other parties, including employees, professionals on staff, relevant 
independent contractors, suppliers, agents, supplemental staffing 
entities and physicians. This policy enables the compliance officer to 
review contracts and obligations (seeking the advice of legal counsel, 
where appropriate) that may contain referral and payment provisions 
that could violate statutory or regulatory requirements.
    In addition, the compliance officer should be copied on the results 
of all internal audit reports and work closely with key managers to 
identify aberrant trends in the coding and billing areas. The 
compliance officer should ascertain patterns that require a change in 
policy and forward these issues to the compliance committee to remedy 
the problem. A compliance officer should have full authority to stop 
the processing of claims that he or she believes are problematic until 
such time as the issue in question has been resolved.
2. Compliance Committee
    The OIG recommends, where feasible,62 that a compliance 
committee be established to advise the compliance officer and assist in 
the implementation of the compliance program.63 When 
assembling a team of people to serve as the billing company's 
compliance committee, the company should include individuals with a 
variety of skills.64 Appropriate members of the compliance 
committee include the director of billing and the director of coding. 
The OIG strongly recommends that the compliance officer manage the 
compliance committee. Once a billing company chooses the people that 
will accept the responsibilities vested in members of the compliance 
committee, the billing company must train these individuals on the 
policies and procedures of the compliance program.
---------------------------------------------------------------------------

    \62\ The OIG recognizes that smaller billing companies may not 
be able to establish a compliance committee. In those situations, 
the compliance officer should fulfill the responsibilities of the 
compliance committee.
    \63\ The compliance committee benefits from having the 
perspectives of individuals with varying responsibilities in the 
organization, such as operations, finance, audit, human resources, 
utilization review, medicine, coding and legal, as well as employees 
and managers of key operating units. These individuals should have 
the requisite seniority and comprehensive experience within their 
respective departments to implement any necessary changes in the 
company's policies and procedures.
    \64\ A billing company should expect its compliance committee 
members and compliance officer to demonstrate high integrity, good 
judgment, assertiveness and an approachable demeanor, while 
eliciting the respect and trust of employees of the billing company. 
The compliance committee members should also have significant 
professional experience in working with billing, coding, clinical 
records and auditing principles.
---------------------------------------------------------------------------

    The committee's responsibilities should include:
     Analyzing the organization's regulatory environment, the 
legal requirements with which it must comply 65 and specific 
risk areas;
---------------------------------------------------------------------------

    \65\ This includes, but is not limited to, the civil False 
Claims Act, 31 U.S.C. 3729-3733, the criminal false claims statutes, 
18 U.S.C. 287, 1001, the fraud and abuse provisions of the Balanced 
Budget Act of 1997, Pub. L. 105-33 and the Health Insurance 
Portability and Accountability Act of 1996, Pub. L. 104-191.
---------------------------------------------------------------------------

     Assessing existing policies and procedures that address 
these areas for possible incorporation into the compliance program;
     Working with appropriate departments to develop standards 
of conduct and policies and procedures that promote allegiance to the 
company's compliance program; 66
---------------------------------------------------------------------------

    \66\ For billing companies, this includes developing and 
fostering excellent coordination and communication with its provider 
clients.
---------------------------------------------------------------------------

     Recommending and monitoring, in conjunction with the 
relevant departments, the development of internal systems and controls 
to carry out the organization's standards, policies and procedures as 
part of its daily operations;
     Determining the appropriate strategy/approach to promote 
compliance with the program and detection of any potential violations, 
such as through hotlines and other fraud reporting mechanisms;
     Developing a system to solicit, evaluate and respond to 
complaints and problems; and
     Monitoring internal and external audits and investigations 
for the purpose of identifying troublesome issues and deficient areas 
experienced by the billing company and implementing corrective and 
preventive action.
    The committee may also address other functions as the compliance 
concept becomes part of the overall operating structure and daily 
routine.

[[Page 70147]]

C. Conducting Effective Training and Education

1. Initial Training in Compliance
    The proper education and training of corporate officers, managers, 
employees and the continual retraining of current personnel at all 
levels are significant elements of an effective compliance program. In 
order to ensure the appropriate information is being disseminated to 
the correct individuals, the training should be separated into two 
sessions, depending on the employees' involvement in the submission of 
claims for reimbursement. All employees should attend the general 
session on compliance, while employees whose job primarily focuses on 
submission of claims for reimbursement should be the participants in 
the detailed sessions.
    In the development of a training program, the billing company 
should consult with its provider clients to ensure that a consistent 
message is being delivered and avoid any potential conflicts in the 
implementation of policies and procedures.
a. General Sessions
    As part of their compliance programs, billing companies should 
require all affected personnel to attend training on an annual basis, 
including appropriate training in Federal and State statutes, 
regulations and guidelines, the policies of private payors and training 
in corporate ethics. The general training sessions should emphasize the 
organization's commitment to compliance with these legal requirements 
and policies.
    These training programs should include sessions highlighting the 
organization's compliance program, summarizing fraud and abuse statutes 
and regulations, Federal, State and private payor health care program 
requirements, coding requirements, the claim submission process and 
marketing practices that reflect current legal and program standards. 
The organization must take steps to communicate effectively its 
standards and procedures to all affected employees, physicians, 
independent contractors and other significant agents, e.g., by 
requiring participation in training programs and disseminating 
publications that explain specific requirements in a practical 
manner.67 Managers of specific departments or groups can 
assist in identifying areas that require training and in carrying out 
such training.68 Training instructors may come from outside 
or inside the organization. New employees should be targeted for 
training early in their employment.69
---------------------------------------------------------------------------

    \67\ Some publications, such as Special Fraud Alerts, audit and 
inspection reports, and advisory opinions, as well as the annual OIG 
work plan, are readily available from the OIG and could be the basis 
for standards, educational courses and programs for appropriate 
billing employees.
    \68\ Significant variations in functions and responsibilities of 
different departments or groups may create the need for training 
materials that are tailored to the compliance concerns associated 
with particular operations and duties.
    \69\ Certain positions, such as those involving the coding of 
medical services, create a greater organizational legal exposure, 
and therefore require specialized training. Billing companies should 
fill such positions with individuals who have the appropriate 
educational background, training and credentials.
---------------------------------------------------------------------------

    As part of the initial training, the standards of conduct should be 
distributed to all employees.70 At the end of this training 
session, every employee, as well as contracted consultants, should be 
required to sign and date a statement that reflects the employee's 
knowledge of and commitment to the standards of conduct.
---------------------------------------------------------------------------

    \70\ Where the billing company has a culturally diverse employee 
base, the standards of conduct should be translated into other 
languages and written at appropriate reading levels.
---------------------------------------------------------------------------

    This attestation should be retained in the employee's personnel 
file. For contracted consultants, the attestation should become part of 
the contract and remain in the file that contains such documentation. 
Further, to assist in ensuring employees continuously meet the expected 
high standards set forth in the code of conduct, any employee handbook 
delineating or expanding upon these standards of conduct should be 
regularly updated as applicable statutes, regulations and Federal 
health care program requirements are modified.71 Billing 
companies should provide an additional attestation in the modified 
standards that stipulates the employee's knowledge of and commitment to 
the modifications.
---------------------------------------------------------------------------

    \71\ The OIG recognizes that not all standards, policies and 
procedures need to be communicated to all employees. However, the 
OIG believes that the bulk of the standards that relate to complying 
with fraud and abuse laws and other ethical areas should be 
addressed and made part of all employees' training. The billing 
company should determine what additional training to provide 
categories of employees based upon their job responsibilities.
---------------------------------------------------------------------------

b. Coding and Billing Training
    In addition to specific training in the risk areas identified in 
section II.A.2, above, primary training to appropriate corporate 
officers, managers and other billing company staff should include such 
topics as:
     Specific Government and private payor reimbursement 
principles; 72
---------------------------------------------------------------------------

    \72\ Government, in this context, includes the appropriate 
Medicare carrier or intermediary.
---------------------------------------------------------------------------

     General prohibitions on paying or receiving remuneration 
to induce referrals;
     Proper selection and sequencing of diagnoses;
     Improper alterations to documentation;
     Submitting a claim for physician services when rendered by 
a non-physician (i.e., the ``incident to'' rule and the physician 
physical presence requirement);
     Proper documentation of services rendered, including the 
correct application of official coding rules and guidelines;
     Signing a form for a physician without the physician's 
authorization; and
     Duty to report misconduct.
    Clarifying and emphasizing these areas of concern through training 
and educational programs are particularly relevant to a billing 
company's marketing and financial personnel, in that the pressure to 
meet business goals may render these employees particularly vulnerable 
to engaging in prohibited practices.
2. Format of the Training Program
    The OIG suggests all relevant levels of personnel be made part of 
various educational and training programs of the billing 
company.73 Employees should be required to have a minimum 
number of educational hours per year, as appropriate, as part of their 
employment responsibilities.74 For example, as discussed 
above, certain employees involved in billing functions should be 
required to attend periodic training in applicable reimbursement 
coverage and documentation of records.75 A variety of 
teaching methods, such as interactive training and training in several 
different

[[Page 70148]]

languages, particularly where a billing company has a culturally 
diverse staff, should be implemented so that all affected employees are 
knowledgeable about the institution's standards of conduct and 
procedures for alerting senior management to problems and 
concerns.76 Targeted training should be provided to 
corporate officers, managers and other employees whose actions affect 
the accuracy of the claims submitted to the Government, such as 
employees involved in the coding, billing and marketing processes. All 
training materials should be designed to take into account the skills, 
knowledge and experience of the individual trainees. Given the 
complexity and interdependent relationships of many departments, it is 
important for the compliance officer to supervise and coordinate the 
training program.
---------------------------------------------------------------------------

    \73\ In addition, where feasible, the OIG recommends that a 
billing company afford outside contractors and its provider clients 
the opportunity to participate in the billing company's compliance 
training and educational programs or develop their own programs that 
complement the billing company's standards of conduct, compliance 
requirements and other rules and practices.
    \74\ Currently, the OIG is monitoring a significant number of 
corporate integrity agreements that require many of these training 
elements. The OIG usually requires a minimum of one to three hours 
annually for basic training in compliance areas. Additional training 
is required for specialty fields such as billing, coding and 
marketing.
    \75\ Appropriate coding and billing depends upon the quality and 
completeness of documentation. Therefore, the OIG believes that the 
billing company must foster an environment where interactive 
communication is encouraged. Health care providers should be 
reminded that thorough, precise and timely documentation of services 
provided serves the interests of the patient, the interest of the 
provider, as well as the interests of the billing company.
    \76\ Post-training tests can be used to assess the success of 
training provided and employee comprehension of the billing 
company's policies and procedures.
---------------------------------------------------------------------------

    The OIG recommends attendance and participation at training 
programs be made a condition of continued employment and that failure 
to comply with training requirements should result in disciplinary 
action, including possible termination, when such failure is serious. 
Adherence to the provisions of the compliance program, such as training 
requirements, should be a factor in the annual evaluation of each 
employee. The billing company should retain adequate records of its 
training of employees, including attendance logs and material 
distributed at training sessions.
3. Continuing Education on Compliance Issues
    It is essential that compliance issues remain at the forefront of 
the billing company's priorities. The OIG recommends billing company 
compliance programs address the need for periodic professional 
education courses for billing company personnel. In particular, the 
billing company should ensure that coding personnel receive annual 
professional training on the updated codes for the current year.
    In order to maintain a sense of seriousness about compliance in the 
billing company's operations, the billing company must continue to 
disseminate the compliance message. One effective mechanism for 
maintaining a consistent presence of the compliance message is to 
publish a monthly newsletter to address compliance concerns. This would 
allow the billing company to address specific examples of problems the 
company encountered during its ongoing audits and risk analysis, while 
reinforcing the company's firm commitment to the general principles of 
compliance and ethical conduct. The newsletter could also include the 
risk areas published by the OIG in its Special Fraud Alerts. Finally, 
the billing company could use the newsletter as a mechanism to address 
areas of ambiguity in the coding and billing process. The billing 
company should maintain its newsletters in a central location to 
document the guidance offered and provide new employees with access to 
guidance previously provided.

D. Developing Effective Lines of Communication

1. Access to the Compliance Officer
    An open line of communication between the compliance officer and 
the billing company personnel is equally important to the successful 
implementation of a compliance program and the reduction of any 
potential for fraud, abuse and waste. Written confidentiality and non-
retaliation policies should be developed and distributed to all 
employees to encourage communication and the reporting of incidents of 
potential fraud.77 The compliance committee should also 
develop several independent reporting paths for an employee to report 
fraud, waste or abuse so that such reports cannot be diverted by 
supervisors or other personnel.
---------------------------------------------------------------------------

    \77\ The OIG believes that whistle blowers should be protected 
against retaliation, a concept embodied in the provisions of the 
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees 
sue their employers under the False Claims Act's qui tam provisions 
out of frustration because of the company's failure to take action 
when a questionable, fraudulent or abusive situation was brought to 
the attention of senior corporate officials.
---------------------------------------------------------------------------

    The OIG encourages the establishment of procedures for personnel to 
seek clarification from the compliance officer or members of the 
compliance committee in the event of any confusion or question 
regarding a company policy, practice or procedure. Questions and 
responses should be documented and dated and, if appropriate, shared 
with other staff so that standards, policies, practices and procedures 
can be updated and improved to reflect any necessary changes or 
clarifications. The compliance officer may want to solicit employee 
input in developing these communication and reporting systems.
2. Hotlines and Other Forms of Communication
    The OIG encourages the use of hotlines 78 (including 
anonymous hotlines), e-mails, written memoranda, newsletters and other 
forms of information exchange to maintain these open lines of 
communication.79 If the billing company establishes a 
hotline, the telephone number should be made readily available to all 
employees and independent contractors, by circulating the number on 
wallet cards or conspicuously posting the telephone number in common 
work areas.80 Employees should be permitted to report 
matters on an anonymous basis. Matters reported through the hotline or 
other communication sources that suggest substantial violations of 
compliance policies, Federal, State or private payor health care 
program requirements, regulations or statutes should be documented and 
investigated promptly to determine their veracity. A log should be 
maintained by the compliance officer that records such calls, including 
the nature of any investigation and its results.81 Such 
information should be included in reports to the governing body, the 
CEO and compliance committee.82 Further, while the billing 
company should always strive to maintain the confidentiality of an 
employee's identity, it should also explicitly communicate that there 
may be a point where the individual's identity may

[[Page 70149]]

become known or may have to be revealed.
---------------------------------------------------------------------------

    \78\ The OIG recognizes that it may not be financially feasible 
for a small billing company to maintain a telephone hotline 
dedicated to receiving calls solely on compliance issues. These 
companies may explore alternative methods, e.g., contracting with an 
independent source to provide hotline services or establishing a 
written method of confidential disclosure.
    \79\ In addition to methods of communication used by current 
employees, an effective employee exit interview program could be 
designed to solicit information from departing employees regarding 
potential misconduct and suspected violations of the billing 
company's policy and procedures.
    \80\ Billing companies should also post in a prominent, 
available area the HHS-OIG Hotline telephone number, 1-800-447-8477 
(HHS-TIPS), in addition to any company hotline number that may be 
posted.
    \81\ To efficiently and accurately fulfill such an obligation, 
the billing company should create an intake form for all compliance 
issues identified through reporting mechanisms. The form could 
include information concerning the date the potential problem was 
reported, the internal investigative methods utilized, the results 
of any investigation, any corrective action implemented, any 
disciplinary measures imposed and any overpayments and monies 
returned.
    \82\ Information obtained over the hotline may provide valuable 
insight into management practices and operations, whether reported 
problems are actual or perceived.
---------------------------------------------------------------------------

    The OIG recognizes that assertions of fraud and abuse by employees 
who may have participated in illegal conduct or committed other 
malfeasance raise numerous complex legal and management issues that 
should be examined on a case-by-case basis. The compliance officer 
should work closely with legal counsel, who can provide guidance 
regarding such issues.

E. Enforcing Standards Through Well-p ublicized Disciplinary Guidelines

1. Discipline Policy and Actions
    An effective compliance program should include guidance regarding 
disciplinary action for corporate officers, managers and employees who 
have failed to comply with the billing company's standards of conduct, 
policies and procedures, Federal, State or private payor health care 
program requirements, or Federal and State laws, or those who have 
otherwise engaged in wrongdoing, which has the potential to impair the 
billing company's status as a reliable, honest and trustworthy 
organization.
    The OIG believes the compliance program should include a written 
policy statement setting forth the degrees of disciplinary actions that 
may be imposed upon corporate officers, managers and employees for 
failing to comply with the billing company's standards and policies and 
applicable statutes and regulations. Intentional or reckless 
noncompliance should subject transgressors to significant sanctions. 
Such sanctions could range from oral warnings to suspension, 
termination or financial penalties, as appropriate. Each situation must 
be considered on a case-by-case basis to determine the appropriate 
sanction. The written standards of conduct should elaborate on the 
procedures for handling disciplinary problems and identify who will be 
responsible for taking appropriate action. Some disciplinary actions 
can be handled by department managers, while others may have to be 
resolved by a senior manager. Disciplinary action may be appropriate 
where a responsible employee's failure to detect a violation is 
attributable to his or her negligence or reckless conduct. Personnel 
should be advised by the billing company that disciplinary action will 
be taken on a fair and equitable basis. Managers and supervisors should 
be made aware that they have a responsibility to discipline employees 
in an appropriate and consistent manner.
    It is vital to publish and disseminate the range of possible 
disciplinary actions for improper conduct and to educate officers and 
other staff regarding these standards. The consequences of 
noncompliance should be consistently applied and enforced for the 
disciplinary policy to have the required deterrent effect. All levels 
of employees should be subject to the same disciplinary action for the 
commission of similar offenses. The commitment to compliance applies to 
all personnel levels within a billing company. The OIG believes that 
corporate officers, managers and supervisors should be held accountable 
for failing to comply with, or for the foreseeable failure of their 
subordinates to adhere to, the applicable standards, laws, rules, 
program instructions and procedures.
2. New Employee Policy
    For all new employees who have discretionary authority to make 
decisions that may involve compliance with the law or compliance 
oversight, billing companies should conduct a reasonable and prudent 
background investigation, including a reference check, as part of every 
such employment application. The application should specifically 
require the applicant to disclose any criminal conviction, as defined 
by 42 U.S.C. 1320a-7(i), or exclusion action. Pursuant to the 
compliance program, billing company policies should prohibit the 
employment of individuals who have been recently convicted of a 
criminal offense related to health care or who are listed as debarred, 
excluded or otherwise ineligible for participation in Federal health 
care programs.83 In addition, pending the resolution of any 
criminal charges or proposed debarment or exclusion, the OIG recommends 
that such individuals should be removed from direct responsibility for, 
or involvement, in any Federal health care program.84 
Similarly, with regard to current employees or independent contractors, 
if resolution of the matter results in conviction, debarment or 
exclusion, then the billing company should remove the individual from 
direct responsibility for or involvement with all Federal health care 
programs.
---------------------------------------------------------------------------

    \83\ See note 51. Likewise, billing company compliance programs 
should establish standards prohibiting the execution of contracts 
with companies that have been recently convicted of a criminal 
offense related to health care or that are listed by a Federal 
agency as debarred, excluded or otherwise ineligible for 
participation in Federal health care programs.
    \84\ Prospective employees who have been officially reinstated 
into the Medicare and Medicaid programs by the OIG may be considered 
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------

F. Auditing and Monitoring

    An ongoing evaluation process is critical to a successful 
compliance program. The OIG believes an effective program should 
incorporate thorough monitoring of its implementation and regular 
reporting to senior company officers.85 Compliance reports 
created by this ongoing monitoring, including reports of suspected 
noncompliance, should be maintained by the compliance officer and 
reviewed with the billing company's senior management and the 
compliance committee. The extent and frequency of the audit function 
may vary depending on factors such as the size of the company, the 
resources available to the company, the company's prior history of 
noncompliance and the risk factors that are prevalent in a particular 
billing company.
---------------------------------------------------------------------------

    \85\ Even when a facility is owned by a larger corporate entity, 
the regular auditing and monitoring of the compliance activities of 
an individual facility must be a key feature in any annual review. 
Appropriate reports on audit findings should be periodically 
provided and explained to a parent-organization's senior staff and 
officers.
---------------------------------------------------------------------------

    Although many monitoring techniques are available, one effective 
tool to promote and ensure compliance is the performance of regular, 
periodic compliance audits by internal or external auditors who have 
expertise in Federal and State health care statutes, regulations, and 
Federal, State and private payor health care program requirements. The 
audits should focus on the billing company's programs or divisions, 
including external relationships with third-party contractors, 
specifically those with substantive exposure to Government enforcement 
actions. At a minimum, these audits should be designed to address the 
billing company's compliance with laws governing kickback arrangements, 
coding practices, claim submission, reimbursement and marketing. In 
addition, the audits and reviews should examine the billing company's 
compliance with specific rules and policies that have been the focus of 
particular attention on the part of the Medicare fiscal intermediaries 
or carriers, and law enforcement, as evidenced by OIG Special Fraud 
Alerts, OIG audits and evaluations and law enforcement's 
initiatives.86 In addition, the billing company should focus 
on any areas of specific concern identified within that billing company 
and those

[[Page 70150]]

that may have been identified by any outside agency, whether Federal or 
State.
---------------------------------------------------------------------------

    \86\ See section II.A.2.
---------------------------------------------------------------------------

    Monitoring techniques may include sampling protocols that permit 
the compliance officer to identify and review variations from an 
established baseline.87 Significant variations from the 
baseline should trigger a reasonable inquiry to determine the cause of 
the deviation. If the inquiry determines that the deviation occurred 
for legitimate, explainable reasons, the compliance officer or manager 
may want to limit any corrective action or take no action. If it is 
determined that the deviation was caused by improper procedures, 
misunderstanding of rules, including fraud and systemic problems, the 
billing company should take prompt steps to correct the 
problem.88 Any overpayments discovered as a result of such 
deviations should be reported promptly to the appropriate provider, 
with appropriate documentation and a thorough explanation of the reason 
for the overpayment.89
---------------------------------------------------------------------------

    \87\ The OIG recommends that when a compliance program is 
established in a billing company, the compliance officer, with the 
assistance of department managers, take a ``snapshot'' of the 
company's operations from a compliance perspective. This assessment 
can be undertaken by outside consultants, law or accounting firms, 
or internal staff, with authoritative knowledge of health care 
compliance requirements. This ``snapshot,'' often used as part of 
bench marking analysis, becomes a baseline for the compliance 
officer and other managers to judge the billing company's progress 
in reducing or eliminating potential areas of vulnerability. For 
example, it has been suggested that a baseline level include the 
frequency and percentile levels of CPTTM and HCPCS codes. 
Similarly, billing companies should track statistical data on claim 
rejection by code. This will facilitate identification of problem 
areas and elimination of potential areas of abusive or fraudulent 
conduct.
    \88\ Prompt steps to correct the problem include contacting the 
appropriate provider in situations where the provider's actions 
contributed to the problem.
    \89\ In addition, when appropriate, as referenced in section 
G.2, below, reports of fraud or systemic problems should also be 
made to the appropriate governmental authority.
---------------------------------------------------------------------------

    An effective compliance program should also incorporate periodic 
(at a minimum, annual) reviews of whether the program's compliance 
elements have been satisfied, e.g., whether there has been appropriate 
dissemination of the program's standards, training, ongoing educational 
programs and disciplinary actions, among others.90 This 
process will verify actual conformance by all departments with the 
compliance program. Such reviews could support a determination that 
appropriate records have been created and maintained to document the 
implementation of an effective program. However, when monitoring 
discloses deviations were not detected in a timely manner due to 
program deficiencies, appropriate modifications must be implemented. 
Such evaluations, when developed with the support of management, can 
help ensure compliance with the billing company's policies and 
procedures.
---------------------------------------------------------------------------

    \90\ One way to assess the knowledge, awareness and perceptions 
of the billing company staff is through the use of a validated 
survey instrument (e.g., employee questionnaires, interviews or 
focus groups).
---------------------------------------------------------------------------

    As part of the review process, the compliance officer or reviewers 
should consider techniques such as:
     On-site visits;
     Testing billing and coding staff on their knowledge of 
reimbursement and coverage criteria (e.g., presenting hypothetical 
scenarios of situations experienced in daily practice and assess 
responses);
     Unannounced mock surveys, audits and investigations;
     Examination of the billing company's complaint logs;
     Checking personnel records to determine whether any 
individuals who have been reprimanded for compliance issues in the past 
are among those currently engaged in improper conduct;
     Interviews with personnel involved in management, 
operations, coding, claim development and submission and other related 
activities;
     Questionnaires developed to solicit impressions of a broad 
cross-section of the billing company's employees and staff;
     Reviews of written materials and documentation prepared by 
the different divisions of a billing company; and
     Trend analyses, or longitudinal studies, that seek 
deviations, positive or negative, in specific areas over a given 
period.
    The reviewers should:
     Possess the qualifications and experience necessary to 
adequately identify potential issues with the subject matter to be 
reviewed;
     Be objective and independent of line management; 
91
---------------------------------------------------------------------------

    \91\ The OIG recognizes that billing companies that are small in 
size and have limited resources may not be able to use internal 
reviewers who are not part of line management or hire outside 
reviewers.
---------------------------------------------------------------------------

     Have access to existing audit and health care resources, 
relevant personnel and all relevant areas of operation;
     Present written evaluative reports on compliance 
activities to the CEO, governing body members of the compliance 
committee and its provider clients on a regular basis, but not less 
than annually; 92 and
---------------------------------------------------------------------------

    \92\ These evaluative reports should include a valid statistical 
sample of claims submitted to Federal health care programs.
---------------------------------------------------------------------------

     Specifically identify areas where corrective actions are 
needed.
    With these reports, management can take whatever steps are 
necessary to correct past problems and prevent them from recurring. In 
certain cases, subsequent reviews or studies would be advisable to 
ensure that the recommended corrective actions have been implemented 
successfully.
    The billing company should document its efforts to comply with 
applicable statutes, regulations and Federal health care program 
requirements. For example, where a billing company, in its efforts to 
comply with a particular statute, regulation or program requirement, 
requests advice from a Government agency (including a Medicare fiscal 
intermediary or carrier) charged with administering a Federal health 
care program, the billing company should document and retain a record 
of the request and any written or oral response. This step is extremely 
important if the billing company intends to rely on that response to 
guide it in future decisions, actions or claim reimbursement requests 
or appeals. A log of oral inquiries between the billing company and 
third parties will help the organization document its attempts at 
compliance. In addition, the billing company should maintain records 
relevant to the issue of whether its reliance was ``reasonable,'' and 
whether it exercised due diligence in developing procedures to 
implement the advice.

G. Responding to Detected Offenses and Developing Corrective Action 
Initiatives

1. Violations and Investigations
    Violations of the billing company's compliance program, failures to 
comply with applicable Federal or State law, rules and program 
instructions and other types of misconduct threaten a billing company's 
status as a reliable, honest and trustworthy company. Detected but 
uncorrected misconduct can seriously endanger the mission, reputation 
and legal status of the billing company. Consequently, upon reports or 
reasonable indications of suspected noncompliance, it is important that 
the chief compliance officer or other management officials promptly 
investigate the conduct in question to determine whether a material 
violation of applicable law, rule or program instruction or the 
requirements of the compliance program has occurred, and if so, take 
steps to correct the problem.93

[[Page 70151]]

As appropriate, such steps may include an immediate referral to 
criminal and/or civil law enforcement authorities, a corrective action 
plan,94 a report to the Government,95 and the 
notification to the provider of any discrepancies or overpayments, if 
applicable.
---------------------------------------------------------------------------

    \93\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a 
health care program is not solely determinative of whether or not 
the conduct should be investigated and reported to governmental 
authorities. In fact, there may be instances where there is no 
readily identifiable monetary loss at all, but corrective action and 
reporting are still necessary to protect the integrity of the 
applicable program and its beneficiaries.
    \94\ Advice from the billing company's in-house counsel or an 
outside law firm may be sought to determine the extent of the 
billing company's liability and to plan the appropriate course of 
action.
    \95\ The OIG currently maintains a provider self-disclosure 
protocol that encourages providers to report suspected fraud. The 
concept of self-disclosure is premised on a recognition that the 
Government alone cannot protect the integrity of the Medicare and 
other Federal health care programs. Health care providers must be 
willing to police themselves, correct underlying problems and work 
with the Government to resolve these matters. The self-disclosure 
protocol can be located on the OIG's website at http://www.dhhs.gov/
progorg/oig.
---------------------------------------------------------------------------

    Even if the overpayment detection and return process is working and 
is being monitored by the billing company's audit or coding divisions, 
the OIG still believes that the compliance officer needs to be made 
aware of these significant overpayments, violations or deviations that 
may reveal trends or patterns indicative of a systemic problem.
    Depending upon the nature of the alleged violations, an internal 
investigation will probably include interviews and a review of relevant 
documents. Some billing companies should consider engaging outside 
counsel, auditors or health care experts to assist in an investigation. 
Records of the investigation should contain documentation of the 
alleged violation, a description of the investigative process 
(including the objectivity of the investigators and methodologies 
utilized), copies of interview notes and key documents, a log of the 
witnesses interviewed and the documents reviewed, the results of the 
investigation, e.g., any disciplinary action taken and any corrective 
action implemented. Although any action taken as the result of an 
investigation will necessarily vary depending upon the billing company 
and the situation, billing companies should strive for some consistency 
by utilizing sound practices and disciplinary protocols.96 
Further, after a reasonable period, the compliance officer should 
review the circumstances that formed the basis for the investigation to 
determine whether similar problems have been uncovered or modifications 
of the compliance program are necessary to prevent and detect other 
inappropriate conduct or violations.
---------------------------------------------------------------------------

    \96\  The parameters of a claim review subject to an internal 
investigation will depend on the circumstances surrounding the 
issue(s) identified. By limiting the scope of the internal audit to 
current billing, a billing company may fail to identify major 
problems and deficiencies in operations, as well as be subject to 
certain liability.
---------------------------------------------------------------------------

    If an investigation of an alleged violation is undertaken and the 
compliance officer believes the integrity of the investigation may be 
at stake because of the presence of employees under investigation, 
those subjects should be removed from their current work activity until 
the investigation is completed (unless an internal or Government-led 
undercover operation known to the billing company is in effect). In 
addition, the compliance officer should take appropriate steps to 
secure or prevent the destruction of documents or other evidence 
relevant to the investigation. If the billing company determines 
disciplinary action is warranted, it should be prompt and imposed in 
accordance with the billing company's written standards of disciplinary 
action.
2. Reporting
a. Obligations Based on Billing Company Misconduct
    If the compliance officer, compliance committee or a management 
official discovers credible evidence of misconduct by the billing 
company from any source and, after reasonable inquiry, has reason to 
believe that the misconduct may violate criminal, civil or 
administrative law,97 then the billing company should report 
the existence of misconduct promptly to the appropriate Government 
authority 98 within a reasonable period, but not more than 
sixty (60) days after determining that there is credible evidence of a 
violation. Prompt reporting will demonstrate the billing company's good 
faith and willingness to work with governmental authorities to correct 
and remedy the problem. In addition, reporting such conduct will be 
considered a mitigating factor by the OIG in determining administrative 
sanctions (e.g., penalties, assessments and exclusion), if the 
reporting company becomes the target of an OIG 
investigation.99
---------------------------------------------------------------------------

    \97\ When making the determination of credible misconduct, the 
billing company should consider 18 U.S.C. 669 [holding an 
individual(s) criminally liable for knowingly and willfully 
embezzling, stealing or otherwise converting to the use of any 
person other than the rightful owner or intentionally misapplying 
any of the monies, funds . . . premiums, credits, property or assets 
of a health care benefit program] and 18 U.S.C. 2 (establishing 
criminal liability for an individual(s) who commits an offense 
against the United States or aids, abets, counsels, commands, 
induces or procures its commission as punishable as the principle).
    \98\ Appropriate Federal and/or State authorities include the 
Office of Inspector General of the Department of Health and Human 
Services, the Criminal and Civil Divisions of the Department of 
Justice, the U.S. Attorneys in the relevant districts, and the other 
investigative arms for agencies administering the affected Federal 
or State health care programs, such as the State Medicaid Fraud 
Control Unit, the Defense Criminal Investigative Service, the 
Department of Veterans Affairs, the Office of Inspector General, 
U.S. Department of Labor (which has primary criminal jurisdiction 
over FECA, Black Lung and Longshore programs) and the Office of 
Inspector General, U.S. Office of Personnel Management (which has 
primary jurisdiction over the Federal Employees Health Benefit 
Program).
    \99\ The OIG has published criteria setting forth those factors 
that the OIG takes into consideration in determining whether it is 
appropriate to exclude a health care provider from program 
participation pursuant to 42 U.S.C. 1320a-7(b)(7) for violations of 
various fraud and abuse laws. See 62 FR 67,392 (12/24/97).
---------------------------------------------------------------------------

b. Obligations Based on Provider Misconduct
    Billing companies are in a unique position to discover various 
types of fraud, waste, abuse and mistakes on the part of the provider 
for which they furnish services. This unique access to information may 
place the billing company in a precarious position. On the one hand, 
the billing company's allegiance is to the provider client. On the 
other, the billing company maintains a commitment to compliance with 
the applicable Federal and State laws, and the program requirements of 
Federal, State and private health plans. The OIG recognizes the 
importance of maintaining a positive and interactive communication 
between billing companies and the providers they service. It is with 
this understanding that the OIG has addressed the issue of obligations 
on the part of third-party medical billing companies with regard to 
provider misconduct.
    If the billing company finds evidence of misconduct 100 
(e.g., inaccurate claim submission) on the part of the provider that 
they service, the billing company should refrain from the submission of 
questionable claims and notify the provider in writing within thirty 
(30) days of such a determination. This notification should include all 
claim specific information and the rationale for such a determination.
---------------------------------------------------------------------------

    \100\ Misconduct does not include inadvertent errors or 
mistakes. Such errors should be reported through the normal channels 
with the applicable carrier, intermediary or other HCFA-designated 
payor.
---------------------------------------------------------------------------

    If the billing company discovers credible evidence of the 
provider's continued misconduct or flagrant fraudulent or abusive 
conduct,101 the

[[Page 70152]]

billing company should: (1) Refrain from submitting any false or 
inappropriate claims; (2) terminate the contract; and/or (3) report the 
misconduct to the appropriate Federal and State authorities within a 
reasonable time, but not more than sixty (60) days after determining 
that there is credible evidence of a violation.
---------------------------------------------------------------------------

    \101\ Such conduct may include patterns of misconduct, 
particularly with regard to conduct that had previously been 
identified by the billing company or carrier as suspect.
---------------------------------------------------------------------------

c. Reporting Procedure
    When reporting misconduct to the Government, a billing company 
should provide all evidence relevant to the alleged violation of 
applicable Federal or State law(s) and the potential cost impact. The 
compliance officer, with guidance from the governmental authorities, 
could be requested to continue to investigate the reported violation. 
Once the investigation is completed, the compliance officer should be 
required to notify the appropriate governmental authority of the 
outcome of the investigation, including a description of the impact of 
the alleged violation on the operation of the applicable health care 
programs or their beneficiaries. If the investigation ultimately 
reveals criminal, civil or administrative violations have occurred, the 
appropriate Federal and State officials 102 should be 
notified immediately.
---------------------------------------------------------------------------

    \102\ See note 98.
---------------------------------------------------------------------------

3. Corrective Actions
    Billing companies play a critical role in the restitution of 
overpayments to appropriate payors.103 As previously stated, 
billing companies should take appropriate corrective action, including 
prompt identification of any overpayment to the provider and the 
affected payor and the imposition of proper disciplinary action, if 
applicable. Failure to notify authorities of an overpayment within a 
reasonable period of time could be interpreted as an intentional 
attempt to conceal the overpayment from the Government, thereby 
establishing an independent basis for a criminal violation with respect 
to the billing company, as well as any individuals who may have been 
involved.104 For this reason, billing company compliance 
programs should ensure that overpayments are identified quickly and 
encourage their providers to promptly return overpayments obtained from 
Medicare or other Federal health care programs.105
---------------------------------------------------------------------------

    \103\ As a result of the limitations on reassignment, billing 
companies rarely engage in receiving payment on behalf of their 
provider clients or negotiating checks on behalf of their provider 
clients. Because of these provisions, the OIG recognizes that 
billing companies are rarely in the position to make restitution on 
behalf of their clients and it is generally viewed as the provider's 
responsibility to make restitution to the appropriate payor. See 42 
CFR 424.73.
    \104\ See 42 U.S.C. 1320a-7b(a)(3).
    \105\ If a billing company needs further guidance to inform its 
provider clients of normal repayment channels, the company should 
consult with the applicable Medicare intermediary/carrier. The 
applicable Medicare intermediary/carrier may require certain 
information (e.g., alleged violation or issue causing overpayment, 
description of overpayment, description of the internal 
investigative process with methodologies used to determine any 
overpayments, disciplinary actions taken and corrective actions 
taken) to be submitted with return of any overpayments, and that 
such repayment information be submitted to a specific department or 
individual in the carrier or intermediary's organization. Interest 
will be assessed, when appropriate. See 42 CFR 405.376.
---------------------------------------------------------------------------

III. Conclusion

    Through this document, the OIG has attempted to provide a 
foundation to the process necessary to develop an effective and cost-
efficient third-party medical billing compliance program. As previously 
stated, however, each program must be tailored to fit the needs and 
resources of an individual billing company, depending upon its 
particular corporate structure, mission and employee composition. The 
statutes, regulations and guidelines of the Federal and State health 
insurance programs, as well as the policies and procedures of the 
private health plans, should be integrated into every billing company's 
compliance program.
    The OIG recognizes that the health care industry in this country, 
which reaches millions of beneficiaries and expends about a trillion 
dollars annually, is constantly evolving. In particular, the billing 
process has changed dramatically in recent years. As a result, the time 
is right for billing companies to implement strong, voluntary 
compliance programs. As stated throughout this guidance, compliance is 
a dynamic process that helps to ensure billing companies are better 
able to fulfill their commitment to ethical behavior and to meet the 
changes and challenges being imposed upon them by Congress and private 
insurers. Ultimately, it is OIG's hope that voluntarily created 
compliance programs will enable billing companies to meet their goals 
and substantially reduce fraud, waste and abuse, as well as the cost of 
health care to Federal, State and private health insurers.

    Dated: December 14, 1998.
June Gibbs Brown,
Inspector General.
[FR Doc. 98-33565 Filed 12-17-98; 8:45 am]
BILLING CODE 4150-04-P