[Federal Register Volume 64, Number 18 (Thursday, January 28, 1999)]
[Notices]
[Pages 4435-4454]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-2055]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of Inspector General
Draft Compliance Guidance for the Durable Medical Equipment,
Prosthetics, Orthotics and Supply Industry
AGENCY: Office of Inspector General (OIG), HHS.
ACTION: Notice and comment period.
-----------------------------------------------------------------------
SUMMARY: This Federal Register notice seeks the comments of interested
parties
[[Page 4436]]
on draft compliance program guidance developed by the Office of
Inspector General for the durable medical equipment, prosthetics,
orthotics and supplier (DMEPOS) industry. Through this notice, the OIG
is setting forth (1) its general views on the value and fundamental
principles of DMEPOS suppliers' compliance programs, and (2) the
specific elements that each DMEPOS supplier should consider when
developing and implementing an effective compliance program. This
document presents basic procedural and structural guidance for
designing a compliance program, that is, a set of guidelines to be
considered by a DMEPOS supplier interested in implementing a compliance
program.
DATES: To assure consideration, comments must be delivered to the
address provided below by no later than 5 p.m. on March 1, 1999.
ADDRESSES: Please mail or deliver written comments to the following
address: Office of Inspector General, Department of Health and Human
Services, Attention: OIG-3N-CPG, Room 5246, Cohen Building, 330
Independence Avenue, S.W., Washington, D.C. 20201.
We do not accept comments by facsimile (FAX) transmission. In
commenting, please refer to the file code OIG-3N-CPG. Comments received
timely will be available for public inspection as they are received,
generally beginning approximately 3 weeks after publication of a
document, in Room 5541 of the Office of Inspector General at 330
Independence Avenue, S.W., Washington, D.C. 20201 on Monday through
Friday of each week from 8 a.m. to 4:30 p.m.
FOR FURTHER INFORMATION CONTACT: Christine Saxonis, Office of Counsel
to the Inspector General, (202) 619-2078.
SUPPLEMENTARY INFORMATION:
A. Background
The creation of compliance program guidance has become a major
initiative of the OIG in its efforts to engage the private health care
community in addressing and fighting fraud and abuse. Recently, the OIG
has developed and issued compliance program guidance directed at
various segments of the health care industry in the following areas:
Clinical laboratories (62 FR 9435; March 3, 1997, as
amended in 63 FR 45076; August 24, 1998),
Hospitals (63 FR 8987; February 23, 1998),
Home health agencies (63 FR 42410; August 7, 1998), and
Third party medical billing companies (63 FR 70138;
December 18, 1998).
The guidance can also be found on the OIG web site at http://
www.dhhs.gov/progorg/oig. The guidance is designed to provide clear
direction and assistance to specific sections of the health care
industry that are interested in reducing and eliminating fraud and
abuse within their organizations.
In an effort to formalize the process by which the OIG obtains
public input on the guidances, on August 7, 1998, the OIG published a
solicitation notice seeking information and recommendations for
developing guidance for the DMEPOS industry (63 FR 42409). In response
to that solicitation notice, the OIG received a number of comments from
various parts of the industry and their representatives. We have
carefully considered previous OIG publications, such as the Special
Fraud Alerts and the recent findings and recommendations in reports
issued by the OIG's Office of Audit Services and Office of Evaluation
and Inspections, as well as the experience of past and recent fraud
investigations conducted by the OIG's Office of Investigations and the
Department of Justice. We have also consulted with the Health Care
Financing Administration and the durable medical equipment regional
carriers.
B. Elements Addressed in This Guidance
This draft of DMEPOS guidance contains the following 7 elements
that the OIG has determined are fundamental to an effective compliance
program:
Implementing written policies, procedures and standards of
conduct;
Designating a compliance officer and compliance committee;
Conducting effective training and education;
Developing effective lines of communication;
Enforcing standards through well-publicized disciplinary
guidelines;
Conducting internal monitoring and auditing; and
Responding promptly to detected offenses and developing
corrective action.
These elements are contained in the other guidances issued by the
OIG. As is the case with the other guidances, the contents of the
guidance should not be viewed as mandatory for providers or as an
exclusive discussion of the advisable elements of a compliance program.
In an effort to ensure that all parties have an opportunity to
provide input into the OIG's guidance, we are publishing this latest
guidance in draft form, and welcome any comments from interested
parties regarding this guidance, particularly with respect to the
section concerning written policies and procedures. We will consider
all comments received in a timely manner, incorporate any
recommendations as appropriate, and prepare and publish a final version
of the DMEPOS guidance later this year.
C. Draft Compliance Program Guidance for the DMEPO Industry
I. Introduction
The Office of Inspector General (OIG) of the Department of Health
and Human Services (HHS) continues in its efforts to promote
voluntarily developed and implemented compliance programs for the
health care industry. The following compliance program guidance is
intended to assist suppliers 1 of durable medical
equipment,2 prosthetics,3 orthotics,4
and supplies 5 (DMEPOS) and their agents and subcontractors
(referred to collectively in this document as ``DMEPOS suppliers'')
develop effective internal controls that promote adherence to
applicable Federal and State law, and the program requirements of
Federal, State and private health plans. The adoption and
implementation of voluntary compliance programs significantly advance
the prevention of fraud, abuse, and waste in these health care plans
while at the same time further the fundamental mission of all DMEPOS
suppliers, which is to provide quality items, service, and care to
patients.
---------------------------------------------------------------------------
\1\ The term ``supplier'' is defined in this document as an
entity or individual, including a physician or Part A provider,
which sells or rents Part B covered items. See 42 CFR 424.57(a).
\2\ The term ``durable medical equipment'' is applied in this
document as defined in 42 U.S.C. 1395x(n).
\3\ The term ``prosthetics'' and ``prosthetic devices'' are
applied in this document as defined in 42 U.S.C. 1395 x (s)(9) and
(s)(8), respectively.
\4\ The term ``orthotics'' is applied in this document as
defined in 42 U.S.C. 1395x(s)(9).
\5\ The term ``supplies'' includes home dialysis supplies and
equipment as described in 42 U.S.C. 1395x(s)(2)(f); surgical
dressings and other devices as described in 42 U.S.C. 1395x(s)(5);
immunosuppressive drugs as described in 42 U.S.C. 1395x(s)(2)(J);
and any other items or services designated by the Health Care
Financing Administration (HCFA).
---------------------------------------------------------------------------
Within this document, the OIG first provides its general views on
the value and fundamental principles of DMEPOS suppliers' compliance
programs, and then provides the specific elements that each DMEPOS
supplier should consider when developing and implementing an
[[Page 4437]]
effective compliance program. While this document presents basic
procedural and structural guidance for designing a compliance program,
it is not in itself a compliance program. Rather, it is a set of
guidelines to be considered by a DMEPOS supplier interested in
implementing a compliance program.
The OIG recognizes the size-differential that exists between
operations of the different DMEPOS suppliers and organizations that
compose the DMEPOS supplier industry. Appropriately, this guidance is
pertinent for all DMEPOS suppliers, regardless of size (in terms of
employees and gross revenue); number of locations; type of equipment
provided; or corporate structure. The applicability of the
recommendations and guidelines provided in this document depends on the
circumstances of each individual DMEPOS supplier. However, regardless
of a DMEPOS supplier's size or structure, the OIG believes that every
DMEPOS supplier can and should strive to accomplish the objectives and
principles underlying all of the compliance policies and procedures
recommended within this guidance.
Fundamentally, compliance efforts are designed to establish a
culture within a DMEPOS supplier that promotes prevention, detection,
and resolution of instances of conduct that do not conform to Federal
and State law, and Federal, State and private payor health care program
requirements, as well as the DMEPOS supplier's ethical and business
policies. In practice, the compliance program should effectively
articulate and demonstrate the DMEPOS supplier's commitment to ethical
conduct. Benchmarks that demonstrate implementation and achievements
are essential to any effective compliance program. Eventually, a
compliance program should become part of the fabric of routine DMEPOS
supplier operations.
Specifically, compliance programs guide a DMEPOS supplier's
owner(s), governing body (e.g., board of directors or trustees), chief
executive officer (CEO), president, vice presidents, managers, sales
representatives, billing personnel, and other employees in the
efficient management and operation of a DMEPOS supplier. They are
especially critical as an internal quality assurance control in the
reimbursement and payment areas, where claims and billing operations
are often the source of fraud and abuse, and therefore, historically
have been the focus of Government regulation, scrutiny, and sanctions.
It is incumbent upon a DMEPOS supplier's owner(s), corporate
officers, and managers to provide ethical leadership to the
organization and to assure that adequate systems are in place to
facilitate ethical and legal conduct. Employees, managers, and the
Government will focus on the words and actions of a DMEPOS supplier's
leadership as a measure of the organization's commitment to compliance.
Indeed, many DMEPOS suppliers have adopted mission statements
articulating their commitment to high ethical standards. A formal
compliance program, as an additional element in this process, offers a
DMEPOS supplier a further concrete method that may improve quality of
service and reduce waste. Compliance programs also provide a central
coordinating mechanism for furnishing and disseminating information and
guidance on applicable Federal and State statutes, regulations, and
Federal, State and private health care program requirements.
Implementing an effective compliance program requires a substantial
commitment of time, energy, and resources by senior management and the
DMEPOS supplier's governing body.6 Superficial programs that
simply have the appearance of compliance without being wholeheartedly
adopted and implemented by the DMEPOS supplier or programs that are
hastily constructed and implemented without appropriate ongoing
monitoring will likely be ineffective and could expose the DMEPOS
supplier to greater liability than no program at all. Although it may
require significant additional resources or reallocation of existing
resources to implement an effective compliance program, the long term
benefits of implementing the program significantly outweigh the costs.
Undertaking a voluntary compliance program is a beneficial investment
that advances both the DMEPOS supplier's organization and the stability
and solvency of the Medicare program.
---------------------------------------------------------------------------
\6\ Recent case law suggests that the failure of a corporate
Director to attempt in good faith to institute a compliance program
in certain situations may be a breach of a Director's fiduciary
obligation. See, e.g., In re Caremark International Inc. Derivative
Litigation, 698 A.2d 959 (Ct. Chanc. Del. 1996).
---------------------------------------------------------------------------
A. Benefits of a Compliance Program
The OIG believes an effective compliance program provides a
mechanism that brings the public and private sectors together to reach
mutual goals of reducing fraud and abuse, improving operational
quality, improving the quality of health care services and reducing the
cost of health care. Attaining these goals provides positive results to
the DMEPOS supplier, the Government and individual citizens alike. In
addition to fulfilling its legal duty to ensure that it is not
submitting false or inaccurate claims to Government and private payors,
a DMEPOS supplier may gain numerous additional benefits by voluntarily
implementing an effective compliance program. These benefits may
include:
The formulation of effective internal controls to assure
compliance with Federal and State statutes, rules, and regulations, and
Federal, State and private payor health care program requirements, and
internal guidelines;
A concrete demonstration to employees and the community at
large of the DMEPOS supplier's strong commitment to honest and
responsible corporate conduct;
The ability to obtain an accurate assessment of employee
and contractor behavior relating to fraud and abuse;
An increased likelihood of identification and prevention
of criminal and unethical conduct;
The ability to more quickly and accurately react to
employees' operational compliance concerns and the capability to
effectively target resources to address those concerns;
Improvement of the quality, efficiency, and consistency of
providing services;
Increased efficiency on the part of employees;
A centralized source for distributing information on
health care statutes, regulations, policies, and other program
directives regarding fraud and abuse and related issues;
Improved internal communication;
A methodology that encourages employees to report
potential problems;
Procedures that allow the prompt, thorough investigation
of alleged misconduct by corporate officers, managers, sales
representatives, employees, independent contractors, consultants,
clinicians, and other health care professionals;
Initiation of immediate, appropriate, and decisive
corrective action;
Early detection and reporting, minimizing the loss to the
Government from false claims, and thereby reducing the DMEPOS
supplier's exposure to civil damages and penalties, criminal sanctions,
and administrative remedies, such as program exclusion; 7
and
---------------------------------------------------------------------------
\7\ The OIG, for example, will consider the existence of an
effective compliance program that pre-dated any governmental
investigation when addressing the appropriateness of administrative
sanctions. However, the burden is on the DMEPOS supplier to
demonstrate the operational effectiveness of a compliance program.
Further, the False Claims Act, 31 U.S.C. 3729-3733, provides that a
person who has violated the Act, but who voluntarily discloses the
violation to the Government within 30 days of detection, in certain
circumstances will be subject to not less than double, as opposed to
treble, damages. See 31 U.S.C. 3729(a). Thus, the ability to react
quickly when violations of the law are discovered may materially
help reduce the DMEPOS supplier's liability.
---------------------------------------------------------------------------
[[Page 4438]]
Enhancement of the structure of the DMEPOS supplier's
operations and the consistency between: any related entities of the
DMEPOS supplier; different departments within the DMEPOS supplier; the
DMEPOS supplier's different locations; and the DMEPOS supplier's
separate business units (e.g., franchises, subsidiaries).
Overall, the OIG believes that an effective compliance program is a
sound investment on the part of a DMEPOS supplier.
The OIG recognizes that the implementation of a compliance program
may not entirely eliminate fraud, abuse, and waste from the DMEPOS
supplier system. However, a sincere effort by DMEPOS suppliers to
comply with applicable Federal and State statutes, rules, and
regulations and Federal, State and private payor health care program
requirements, through the establishment of an effective compliance
program, significantly reduces the risk of unlawful or improper
conduct.
B. Application of Compliance Program Guidance
Given the diversity within the industry, there is no single
``best'' DMEPOS supplier compliance program. 8 The OIG
understands the variances and complexities within the DMEPOS supplier
industry and is sensitive to the differences among large national and
regional DMEPOS supplier organizations, and small independent DMEPOS
suppliers. However, elements of this guidance can be used by all DMEPOS
suppliers, regardless of size (in terms of employees and gross
revenue); number of locations; type of equipment provided; or corporate
structure, to establish an effective compliance program. Similarly, a
DMEPOS supplier or corporation that owns a DMEPOS supplier or provides
DMEPOS supplies may incorporate these elements into its system-wide
compliance or managerial structure. 9 We recognize that some
DMEPOS suppliers may not be able to adopt certain elements to the same
comprehensive degree that others with more extensive resources may
achieve. This guidance represents the OIG's suggestions on how a DMEPOS
supplier can best establish internal controls and monitor its conduct
to correct and prevent fraudulent activities. By no means should the
contents of this guidance be viewed as an exclusive discussion of the
advisable elements of a compliance program. On the contrary, the OIG
strongly encourages DMEPOS suppliers to develop and implement
compliance elements that uniquely address the individual DMEPOS
supplier's risk areas.
---------------------------------------------------------------------------
\8\ This is particularly true in the context of DMEPOS
suppliers, which include many small independent DMEPOS suppliers
with limited financial resources and staff, as well as large DMEPOS
supplier chains with extensive financial resources and staff.
\9\ For Medicare, this would include any individual or entity
that meets the supplier standards as described in 42 CFR 424.57 and
has a National Supplier Clearinghouse Number.
---------------------------------------------------------------------------
The OIG believes that input and support by individuals and
organizations that will utilize the tools set forth in this document is
critical to the development and success of this compliance program
guidance. In a continuing effort to collaborate closely with the
private sector, the OIG placed a notice in the Federal Register
soliciting recommendations and suggestions on what should be included
in this compliance program guidance. 10 Further, we
considered previous OIG publications, such as Special Fraud Alerts,
advisory opinions, 11 the findings and recommendations in
reports issued by OIG's Office of Audit Services and Office of
Evaluation and Inspections, as well as the experience of past and
recent fraud investigations related to DMEPOS suppliers conducted by
OIG's Office of Investigations and the Department of Justice.
---------------------------------------------------------------------------
\10\ See 63 FR 42409 (August 7, 1998), Notice for Solicitation
of Information and Recommendations for Developing OIG Compliance
Program Guidance for the Durable Medical Equipment Industry.
\11\ The OIG periodically issues advisory opinions responding to
specific inquiries from members of the public and Special Fraud
Alerts setting forth activities that raise legal and enforcement
issues. Special Fraud Alerts and Advisory Opinions, as well as the
regulations governing issuance of advisory opinions can be obtained
on the Internet at: http://www.dhhs.gov/progorg/oig, in the Federal
Register, or by contacting the OIG's Public Information Desk at
(202) 619-1142.
---------------------------------------------------------------------------
As appropriate, this guidance may be modified and expanded as more
information and knowledge is obtained by the OIG, and as changes in the
statutes, rules, regulations, policies, and procedures of the Federal,
State and private health plans occur. The OIG understands DMEPOS
suppliers will need adequate time to react to these modifications and
expansions and to make any necessary changes to their voluntary
compliance programs. New compliance practices may eventually be
incorporated into this guidance if the OIG discovers significant
enhancements to better ensure an effective compliance program.
The OIG recognizes that the development and implementation of
compliance programs in DMEPOS suppliers often raise sensitive and
complex legal and managerial issues. 12 However, the OIG
wishes to offer what it believes is critical guidance for providers who
are sincerely attempting to comply with the relevant health care
statutes and regulations.
---------------------------------------------------------------------------
\12\ Nothing stated within this document should be substituted
for, or used in lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------
II. Compliance Program Elements
The elements proposed by these guidelines are similar to those of
the other OIG compliance program guidances 13 and the OIG's
corporate integrity agreements. 14 The OIG believes that
every DMEPOS supplier can benefit from the principles espoused in this
guidance, which can be tailored to fit the needs and financial
realities of a particular DMEPOS supplier.
---------------------------------------------------------------------------
\13\ See 63 FR 70138 (December 18, 1998) for the Compliance
Program Guidance for Third Party Medical Billing Companies; 63 FR
42410 (August 7, 1998) for the Compliance Program Guidance for Home
Health Agencies; 63 FR 45076 (August 24, 1998) for the Compliance
Program Guidance for Clinical Laboratories, as revised; 63 FR 8987
(February 23, 1998) for the Compliance Program Guidance for
Hospitals. These documents are also located on the Internet at
http://www.dhhs.gov/progorg/oig.
\14\ Corporate integrity agreements are executed as part of a
civil settlement between a health care provider or entity
responsible for billing on behalf of the provider and the Government
to resolve a case based on allegations of health care fraud or
abuse. These OIG-imposed programs are in effect for a period of
three to five years and require many of the elements included in
this compliance program guidance.
---------------------------------------------------------------------------
The OIG believes that every effective compliance program must begin
with a formal commitment 15 by the DMEPOS supplier's
governing body to include all of the applicable elements listed below,
which are based on the seven steps of the Federal Sentencing
Guidelines. 16 The OIG recognizes full implementation of all
elements may not be immediately feasible for all DMEPOS suppliers.
However, as a first step, a good faith and meaningful commitment on the
part of
[[Page 4439]]
the DMEPOS supplier, especially the owner(s), governing body,
president, vice presidents, CEO, and managing employees, will
substantially contribute to the program's successful implementation. As
the compliance program is implemented, that commitment should cascade
down through the management to every employee of the DMEPOS supplier.
---------------------------------------------------------------------------
\15\ A formal commitment may include a resolution by the board
of directors, owner(s) or president, where applicable. A formal
commitment should include the allocation of adequate resources to
ensure that each of the elements is addressed.
\16\ See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(k). The Federal
Sentencing Guidelines are detailed policies and practices for the
Federal criminal justice system that prescribe the appropriate
sanctions for offenders convicted of Federal crimes.
---------------------------------------------------------------------------
At a minimum, comprehensive compliance programs should include the
following seven elements:
(1) The development and distribution of written standards of
conduct, as well as written policies and procedures that promote the
DMEPOS supplier's commitment to compliance (e.g., by including
adherence to the compliance program as an element in evaluating
managers and employees) and address specific areas of potential fraud,
such as claims development and submission processes, completing
certificates of medical necessity (CMNs), and financial relationships
with physicians and/or other persons authorized to order DMEPOS;
(2) The designation of a compliance officer and other appropriate
bodies, (e.g., a corporate compliance committee), charged with the
responsibility for operating and monitoring the compliance program, and
who report directly to the CEO and the governing body; 17
---------------------------------------------------------------------------
\17\ The integral functions of the compliance officer and the
corporate compliance committee in implementing an effective
compliance program are discussed throughout this compliance program
guidance. However, the OIG recognizes that the differences in the
sizes and structures of DMEPOS suppliers will result in differences
in the ways in which compliance programs are set up. The important
thing is that the DMEPOS supplier structures its compliance program
in such a way that the program is able to accomplish the key
functions of the corporate compliance officer and the corporate
compliance committee discussed within this document.
---------------------------------------------------------------------------
(3) The development and implementation of regular, effective
education and training programs for all affected employees;
18
---------------------------------------------------------------------------
\18\ Training and education programs for DMEPOS suppliers should
be detailed and comprehensive. They should cover specific billing
procedures, sales and marketing practices, as well as the general
areas of compliance. See section II.C and accompanying notes.
---------------------------------------------------------------------------
(4) The creation and maintenance of a process, such as a hotline or
other reporting system, to receive complaints, and the adoption of
procedures to protect the anonymity of complainants and to protect
callers from retaliation;
(5) The development of a system to respond to allegations of
improper/illegal activities and the enforcement of appropriate
disciplinary action against employees who have violated internal
compliance policies, applicable statutes, regulations, or Federal,
State or private payor health care program requirements; 19
---------------------------------------------------------------------------
\19\ The term ``Federal health care programs'' is applied in
this document as defined in 42 U.S.C. 1320a-7b(f), which includes
any plan or program that provides health benefits, whether directly,
through insurance, or otherwise, which is funded directly, in whole
or in part, by the United States Government (i.e., via programs such
as Medicare, Federal Employees' Compensation Act, Black Lung, or the
Longshore and Harbor Worker's Compensation Act) or any State health
plan (e.g., Medicaid, or a program receiving funds from block grants
for social services or child health services). Also, for the
purposes of this document, the term ``Federal health care program
requirements'' refers to the statutes, regulations, rules,
requirements, directives, and instructions governing Medicare,
Medicaid, and all other Federal health care programs.
---------------------------------------------------------------------------
(6) The use of audits and/or other risk evaluation techniques to
monitor compliance, identify problem areas, and assist in the reduction
of identified problem areas; 20 and
---------------------------------------------------------------------------
\20\ For example, spot-checking the work of coding and billing
personnel periodically should be an element of an effective
compliance program.
---------------------------------------------------------------------------
(7) The investigation and remediation of identified systemic
problems and the development of policies addressing the non-employment
or retention of sanctioned individuals.
A. Written Policies and Procedures
Every compliance program should require the development and
distribution of written compliance policies, standards, and practices
that identify specific areas of risk and vulnerability to the
individual DMEPOS supplier. These policies, standards, and practices
should be developed under the direction and supervision of the
compliance officer and the compliance committee (if such a committee is
practicable for the DMEPOS supplier) and, at a minimum, should be
provided to all individuals who are affected by the particular policy
at issue, including the DMEPOS supplier's agents and independent
contractors who may affect billing decisions.21 In addition
to these general corporate policies, it may be necessary to implement
individual policies for the different components of the DMEPOS
supplier.
---------------------------------------------------------------------------
\21\ According to the Federal Sentencing Guidelines, an
organization must have established compliance standards and
procedures to be followed by its employees and other agents in order
to receive sentencing credit for an ``effective'' compliance
program. The Federal Sentencing Guidelines define ``agent'' as ``any
individual, including a director, an officer, an employee, or an
independent contractor, authorized to act on behalf of the
organization.'' See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(d).
---------------------------------------------------------------------------
1. Standards of Conduct. DMEPOS suppliers should develop standards
of conduct for all affected employees that include a clearly delineated
commitment to compliance by the DMEPOS supplier's senior
management,22 including any related entities or affiliated
providers operating under the DMEPOS supplier's control,23
and other health care professionals (e.g., nurses, licensed
pharmacists, physicians, and respiratory therapists). The standards of
conduct should function in the same fashion as a constitution, i.e., as
a foundational document that details the fundamental principles,
values, and framework for action within the DMEPOS supplier. The
standards should articulate the DMEPOS supplier's commitment to comply
with all Federal and State statutes, rules, regulations and Federal,
State and private payor health care program requirements, with an
emphasis on preventing fraud and abuse. They should explicitly state
the organization's mission, goals, and ethical principles relative to
compliance and clearly define the DMEPOS supplier's commitment to
compliance and its expectations for all DMEPOS supplier owners,
governing body members, president, vice presidents, corporate officers,
managers, sales representatives, employees, and, where appropriate,
independent contractors and other agents. These standards should
promote integrity, support objectivity, and foster trust. Standards
should not only address compliance with statutes and regulations, but
should also set forth broad principles that guide employees in
conducting business professionally and properly.
---------------------------------------------------------------------------
\22\ The OIG strongly encourages high-level involvement by the
DMEPOS supplier's owner(s), governing body, chief executive officer,
president, vice presidents, as well as other personnel, as
appropriate, in the development of standards of conduct. Such
involvement should help communicate a strong and explicit
organizational commitment to compliance goals and standards.
\23\ E.g., pharmacies, billing services, and manufacturers.
---------------------------------------------------------------------------
The standards should be distributed to, and comprehensible by, all
affected employees (e.g., translated into other languages when
necessary and written at appropriate reading levels). Further, to
assist in ensuring that employees continuously meet the expected high
standards set forth in the standards of conduct, any employee handbook
delineating or expanding upon these standards should be regularly
updated as applicable statutes, regulations, and Federal, State and
private payor health care program requirements are modified and/or
clarified.24
---------------------------------------------------------------------------
\24\ The OIG recognizes that not all statutes, rules,
regulations, standards, policies, and procedures need to be
communicated to all employees. However, the OIG believes that the
bulk of the standards that relate to complying with fraud and abuse
laws and other ethical areas should be addressed and made part of
all affected employees' training. The DMEPOS supplier must decide
whether additional educational programs should be targeted to
specific categories of employees based on job functions and areas of
responsibility.
---------------------------------------------------------------------------
[[Page 4440]]
When employees first begin working for the DMEPOS supplier, and
each time new standards of conduct are issued, the OIG suggests
employees be asked to sign a statement certifying that they have
received, read, and understood the standards of conduct. The employee's
certification should be retained by the DMEPOS supplier in the
employee's personnel file, and available for review by the compliance
officer.
2. Written Policies for Risk Areas. As part of its commitment to
compliance, DMEPOS suppliers should establish a comprehensive set of
written policies and procedures that take into consideration the
particular statutes, rules, regulations and program instructions
applicable to each function of the DMEPOS supplier.25 In
contrast to the standards of conduct, which are designed to be a clear
and concise collection of fundamental standards, the written policies
should articulate specific procedures personnel should follow.
---------------------------------------------------------------------------
\25\ A DMEPOS supplier can conduct focus groups composed of
managers from various departments to solicit their concerns and
ideas about compliance risks that may be incorporated into the
DMEPOS supplier's policies and procedures. Such employee
participation in the development of the DMEPOS supplier's compliance
program can enhance its credibility and foster employee acceptance
of the program.
---------------------------------------------------------------------------
Consequently, we recommend that the individual policies and
procedures be coordinated with the appropriate training and educational
programs with an emphasis on areas of special concern that have been
identified by the OIG.26 Some of the special areas of OIG
concern include: 27
---------------------------------------------------------------------------
\26\ DMEPOS supplier compliance programs should require that the
legal staff, compliance officer, or other appropriate personnel
carefully consider any and all Special Fraud Alerts and advisory
opinions issued by the OIG that relate to DMEPOS suppliers. See note
11. Moreover, the compliance programs should address the
ramifications of failing to cease and correct any conduct criticized
in such a Special Fraud Alert or advisory opinion, if applicable to
DMEPOS suppliers, or to take reasonable action to prevent such
conduct from reoccurring in the future. If appropriate, a DMEPOS
supplier should take the steps described in section G regarding
investigations, reporting, and correction of identified problems.
\27\ The OIG's work plan is currently available on the Internet
at: http://www.dhhs.gov/progorg/oig. The OIG Work Plan details the
various projects of the Office of Audit Services, Office of
Evaluation and Inspections, Office of Investigations, and Office of
Counsel to the Inspector General that are planned to be addressed
during each Fiscal Year.
---------------------------------------------------------------------------
Billing for items or services not provided; 28
---------------------------------------------------------------------------
\28\ Billing for items or services not provided involves
submitting a claim representing the DMEPOS supplier provided an item
or service or part of an item or service that the patient did not
receive.
---------------------------------------------------------------------------
Billing for medically unnecessary services; 29
---------------------------------------------------------------------------
\29\ Billing for medically unnecessary services involves seeking
reimbursement for a service that is not warranted by the patient's
current and documented medical condition. See 42 U.S.C.
1395y(a)(1)(A) (``no payment may be made under part A or part B [of
Medicare] for any expenses incurred for items or services which . .
. are not reasonable and necessary for the diagnosis or treatment of
illness or injury or to improve the functioning of the malformed
body member''). Upon submission of a HCFA claim form (whether paper
or electronic), a DMEPOS supplier certifies that the services
provided and billed were medically necessary for the health of the
beneficiary, and were provided in accordance with orders by the
beneficiary's treating physician or other authorized person. In
limited instances, HCFA does allow DMEPOS suppliers to submit claims
when the DMEPOS supplier believes the item or service may be denied.
Such instances include, but are not limited to: when a beneficiary
has signed a written notice (see Medicare Carriers Manual, section
7300.5) (See also section II.A.3.i for further discussion on written
notices); and when the beneficiary requests the DMEPOS supplier to
submit the claim (see Medicare Carriers Manual, section 3043). In
the first instance, the DMEPOS supplier should include modifier
``GA'' on the claim, which indicates the beneficiary has signed a
written notice. In the latter instance, the DMEPOS supplier should
use modifier ``ZY.'' Civil monetary penalties and administrative
sanctions may be imposed against any person who submits a claim for
services ``that [the] person knows or should know are not medically
necessary.'' See 42 U.S.C. 1320a-7a(a). Remedies may also be
available under criminal and civil law, including the False Claims
Act. See discussion in section II.A.3.a and accompanying notes.
---------------------------------------------------------------------------
Duplicate billing; 30
---------------------------------------------------------------------------
\30\ Duplicate billing occurs when more than one claim for
payment is submitted for the same patient, for the same service, for
the same date of service (by the same or different DMEPOS
suppliers), or the same claim is submitted to more than one primary
payor. Although duplicate billing can occur due to simple error,
fraudulent duplicate billing is evidenced by systematic or repeated
double billing, and creates liability under criminal, civil, or
administrative law, particularly if any overpayment is not promptly
refunded.
---------------------------------------------------------------------------
Billing for items or services not ordered; 31
---------------------------------------------------------------------------
\31\ Billing for items or services not ordered involves seeking
reimbursement for services provided but not ordered by the treating
physician or other authorized person.
---------------------------------------------------------------------------
Using a billing agent whose compensation is based on the
dollar amounts billed or based on the actual collection of payment;
32
---------------------------------------------------------------------------
\32\ DMEPOS supplier billing agents may only receive payment
based on a fixed fee, and not based upon a percentage of revenue.
See 42 U.S.C. 1395u(b)(6); 42 CFR 424.73; Medicare Carriers Manual,
section 3060; 3060.10.
---------------------------------------------------------------------------
Upcoding; 33
---------------------------------------------------------------------------
\33\ Upcoding involves selecting a code to maximize
reimbursement when such a code is not the most appropriate
descriptor of the service (e.g., billing for a more expensive piece
of equipment when a less expensive piece of equipment is provided).
---------------------------------------------------------------------------
Billing patients for denied charges without a signed
written notice; 34
---------------------------------------------------------------------------
\34\ This includes, but is not limited to, billing the patient
for items or services denied by the payor on assigned claims, where
there has been no written notice signed by the patient, the written
notice has been inappropriately obtained or the written notice was
drafted inappropriately. See Medicare Carrier Manual, section
7300.5A, regarding the requirements for written notice.
---------------------------------------------------------------------------
Unbundling items or supplies; 35
---------------------------------------------------------------------------
\35\ Unbundling items or supplies involves billing for
individual components when a specific HCPCs code provides for the
components to be billed as a unit (e.g., providing a wheelchair and
billing the individual parts of the wheelchair, rather than the
wheelchair as a whole).
---------------------------------------------------------------------------
Billing for new equipment and providing used equipment;
36
---------------------------------------------------------------------------
\36\ The DMEPOS supplier must indicate on the Medicare claim
form, through the use of modifiers, whether the item provided is new
or used. The modifier for providing new equipment is ``NU.'' The
modifier for providing used equipment is ``UE.'' A knowing failure
to correctly document the item provided would constitute falsifying
information on the claim form and would constitute a violation of
the False Claims Act. See 31 U.S.C. 3729.
---------------------------------------------------------------------------
Continuing to bill for rental items after they are no
longer medically necessary; 37
---------------------------------------------------------------------------
\37\ Once a rental item is no longer medically necessary, the
DMEPOS supplier is required to discontinue billing the payor for it.
In addition, the OIG recommends the DMEPOS supplier pick up such
equipment from the patient in a timely manner.
---------------------------------------------------------------------------
Resubmission of denied claims with different and incorrect
information in an attempt to be reimbursed; 38
---------------------------------------------------------------------------
\38\ This practice involves the DMEPOS supplier improperly
changing information on a previously denied claim and continuing to
resubmit the claim in an attempt to receive payment.
---------------------------------------------------------------------------
Refusing to submit a claim to Medicare; 39
---------------------------------------------------------------------------
\39\ This practice involves a DMEPOS supplier not submitting a
claim to the Medicare program on behalf of the beneficiary.
Irrespective of whether or not a DMEPOS supplier accepts assignment,
it is obligated to submit the claim on behalf of the beneficiary.
See 42 U.S.C 1395w-4(g)(4).
---------------------------------------------------------------------------
Inadequate management and oversight of contracted
services, which results in improper billing; 40
---------------------------------------------------------------------------
\40\ DMEPOS suppliers should create internal mechanisms to
ensure that the use of contractors does not lead to improper billing
practices.
---------------------------------------------------------------------------
Charge limitations; 41
---------------------------------------------------------------------------
\41\ DMEPOS suppliers should ensure their billing personnel are
informed of the different payment rules of all Federal, State, and
private health care programs they bill. DMEPOS suppliers should be
aware that billing for items or services furnished substantially in
excess of the DMEPOS supplier's usual charges may result in
exclusion. See 42 U.S.C. 320a-7(b)(6)(A). See also OIG Ad. Op. 98-8
(1998) regarding this issue.
---------------------------------------------------------------------------
Providing and/or billing substantially excessive amounts
of DMEPOS items or supplies; 42
---------------------------------------------------------------------------
\42\ This practice, which constitutes overutilization, involves
providing and/or billing for substantially more items or supplies
than are reasonable and necesssary for the needs of each individual
patient. Such practices may lead to exclusion from Federal health
care programs. See 42 U.S.C. 1320a-7(b)(6)(B).
---------------------------------------------------------------------------
[[Page 4441]]
Providing and/or billing for an item or service that does
not meet the quality and standard of the DMEPOS item claimed (e.g.,
item provided is in violation of Food and Drug Administration (FDA)
regulations and standards); 43
---------------------------------------------------------------------------
\43\ This practice involves providing and/or billing for an item
or service that does not meet the definition and/or requirement of
the item or service ordered by the treating physician or other
authorized person. Generally, such items are inferior in quality,
and therefore, do not meet the definition of what was ordered and/or
billed. Sometimes this may mean that products were never determined
to be safe and effective by the FDA, as required by law. This
practice may lead to billing for items that are not reasonable and
necessary. DMEPOS suppliers should ensure that the items or services
they furnish meet professionally recognized minimum standards of
health care.
---------------------------------------------------------------------------
Capped rentals; 44
---------------------------------------------------------------------------
\44\ See discussion in section II.A.3.k and accompanying notes.
---------------------------------------------------------------------------
Failure to monitor medical necessity on an on-going basis;
45
---------------------------------------------------------------------------
\45\ In order for a patient to continue to receive items or
supplies (e.g., rental equipments, supplies for an on-going
condition), the patient must meet the medical necessity criteria for
that specific item or supply on an on-going basis. The items or
supplies furnished by the DMEPOS supplier should be replaced or
adjusted, in a timely manner, to reflect changes in the patient's
condition.
---------------------------------------------------------------------------
Dispensing certain items or supplies prior to receiving a
physician's order and/or appropriate CMN; 46
---------------------------------------------------------------------------
\46\ This practice involves the DMEPOS supplier dispensing to
the patient, and/or billing the payor for, items or supplies that
have not yet been ordered by the treating physician or other
authorized person. Medicare requires written physician orders for
certain items before dispensing. See 42 CFR 410.38.
---------------------------------------------------------------------------
Falsifying information on the claim form, CMN, and/or
accompanying documentation; 47
---------------------------------------------------------------------------
\47\ This practice involves supplying false information to be
included on the claim form, the CMN, or other accompanying
documentation. The information reported on these documents should
accurately reflect the patient's information, including medical
information, and the items or services ordered by the treating
physician or other authorized person and provided by the DMEPOS
supplier.
---------------------------------------------------------------------------
Completing portions of CMNs reserved for completion only
by treating physician or other authorized person; 48
---------------------------------------------------------------------------
\48\ This practice involves not completing the CMN in compliance
with Medicare regulations (i.e., sections B and D should never be
completed by the supplier). Instructions for completing the CMN can
be found on the back of the form. See section 3312 of the Medicare
Carriers Manual, which provides instructions on how to complete the
CMN and the civil monetary penalties (CMPs) that may be assessed for
improper completion of the CMN. See also 42 U.S.C. 1395m(j)(2);
section II.A.3.c and accompanying notes for further discussion on
CMNs.
---------------------------------------------------------------------------
Altering medical records; 49
---------------------------------------------------------------------------
\49\ This practice involves the DMEPOS supplier falsifying
information on the medical records to justify reimbursement for an
item or service.
---------------------------------------------------------------------------
Manipulating the patient's diagnosis in order to receive
payment; 50
---------------------------------------------------------------------------
\50\ This practice involves the DMEPOS supplier incorrectly
altering the diagnosis in order to receive reimbursement for the
particular item or service. A DMEPOS supplier should not claim the
patient has a particular medical condition in order to qualify for
an item for which he or she would not otherwise qualify.
---------------------------------------------------------------------------
Failing to maintain medical necessity documentation;
51
---------------------------------------------------------------------------
\51\ This practice involves failing to ensure that the medical
necessity documentation requirements for the item or service billed
are properly met (e.g., failing to maintain the original physician
orders or CMNs or failing to ensure that CMNs contain adequate and
correct information). See section 4105.2 of the Medicare Carriers
Manual for evidence of medical necessity. See also sections II.A.3.b
and II.A.3.c regarding physician orders and CMNs, respectively.
---------------------------------------------------------------------------
Inappropriate use of place of service codes; 52
---------------------------------------------------------------------------
\52\ This practice involves indicating on the claim form that
the place of service is a location other than where the service was
provided. For example, the patient resides in a skilled nursing
facility (SNF) and the DMEPOS supplier submits a claim with the
place of service being the patient's home. Provided that the DMEPOS
items or services are ordered, provided, reasonable and necessary
given the clinical condition of the patient, the items or services
may be covered if the beneficiary resides at home. However, such
items may not be covered if the beneficiary resides in a SNF. See
Medicare Carriers Manual, section 2100.3 for the definition of a
beneficiary's home.
---------------------------------------------------------------------------
Inappropriate use of cover letters; 53
---------------------------------------------------------------------------
\53\ This practice involves sending the treating physician or
other authorized person a cover letter attached to the CMN that
contains information that the physician is supposed to include on
the CMN or otherwise may lead the physician to order medically
unnecessary equipment or supplies for the specified patient. Cover
letters should only be used to describe what is being ordered and
how it is to be administered. See discussion in section II.A.3.m.
---------------------------------------------------------------------------
Improper use of ZX modifier; 54
---------------------------------------------------------------------------
\54\ This practice involves the improper use of the ZX modifier,
relating to maintaining medical necessity documentation. See
discussion in section II.A.3.l.
---------------------------------------------------------------------------
Providing incentives to actual or potential referral
sources (e.g., physicians, hospitals, patients, etc.) that may violate
the anti-kickback statute or other similar Federal or State statute or
regulation; 55
---------------------------------------------------------------------------
\55\ Examples of arrangements that may run afoul of the anti-
kickback statute include practices in which a DMEPOS supplier pays a
fee to a physician for each CMN the physician signs, provides free
gifts to physicians for signing CMNs, and/or provides items or
services for free or below fair market value to providers or
beneficiaries of Federal health care programs. See 42 U.S.C. 1320a-
7b(b); 60 FR 40847 (August 10, 1995). See also discussion in section
II.A.4. and accompanying notes.
---------------------------------------------------------------------------
Compensation programs that offer incentives for items or
services ordered and revenue generated; 56
---------------------------------------------------------------------------
\56\ Compensation programs that offer incentives for items or
services ordered or the revenue they generate may lead to the
ordering of medically unnecessary items or supplies and/or the
``dumping'' of such items or supplies in a facility or in a
beneficiary's home (e.g., mail order supply companies that continue
to send the patient supplies when the supplies are no longer
medically necessary).
---------------------------------------------------------------------------
Routine waiver of deductibles and coinsurance;
57
---------------------------------------------------------------------------
\57\ See discussion in section II.A.3.j and accompanying notes.
---------------------------------------------------------------------------
Joint ventures between parties, one of whom can refer
Medicare or Medicaid business to the other; 58
---------------------------------------------------------------------------
\58\ Equally troubling to the OIG is the proliferation of
business arrangements that may violate the anti-kickback statute.
Such arrangements are generally established between those in a
position to refer business, such as physicians, and those providing
items or services, such as a DMEPOS supplier, for which a Federal
health care program pays. Sometimes established as ``joint
ventures,'' these arrangements may take a variety of forms. The OIG
currently has a number of investigations and audits underway that
focus on such areas of concern. The OIG has also issued a Special
Fraud Alert on Joint Venture Arrangements. This Special Fraud Alert
can be found at 59 FR 65372 (December 19, 1994) or on the Internet
at: http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------
Situations where conflict of interest may result due to
referrals by physicians that own or have compensation arrangements with
DMEPOS supply companies; 59
---------------------------------------------------------------------------
\59\ See 42 U.S.C. 1395nn.
---------------------------------------------------------------------------
Billing for items or services furnished pursuant to a
prohibited referral under the Stark physician self-referral law;
60
---------------------------------------------------------------------------
\60\ Under the Stark physician self-referral law, if a physician
(or an immediate family member of such physician) has a financial
relationship with a DMEPOS supplier, the physician may not make a
referral to the DMEPOS supplier and the DMEPOS supplier may not bill
for furnishing DMEPOS items or supplies for which payment may be
made under the Federal health care programs. See 42 U.S.C. 1395nn.
---------------------------------------------------------------------------
Improper telemarketing practices; 61
---------------------------------------------------------------------------
\61\ See 42 U.S.C. 1395m(a)(17) or Pub.L. 103-432, section
132(a) for the prohibition on telemarketing. See also discussion in
section II.A.5 and accompanying notes.
---------------------------------------------------------------------------
Improper patient solicitation activities and high-pressure
marketing of non-covered or unnecessary services; 62
---------------------------------------------------------------------------
\62\ DMEPOS suppliers should not utilize prohibited or
inappropriate conduct to carry out their initiatives and activities
designed to maximize business growth and patient retention. Many
cases against DMEPOS suppliers have involved the DMEPOS supplier
giving the beneficiary free gifts such as angora underwear,
microwaves and air conditioners in exchange for providing and
billing for unnecessary items. Any marketing information offered by
DMEPOS suppliers should be clear, correct, non-deceptive, and fully
informative. See discussion in section II.A.5 and accompanying
notes.
---------------------------------------------------------------------------
Co-location of DMEPOS items and supplies with the referral
source; 63
---------------------------------------------------------------------------
\63\ In this situation, a physician allows a DMEPOS supplier to
stock space (space may or may not be rented by the DMEPOS supplier)
in a physician's office with DMEPOS items and supplies. When such
items and supplies are dispensed to the patient, Medicare is then
billed. DEMPOS suppliers should check the policy of the individual
durable medical equipment regional carrier(s) (DMERC) they bill with
regard to this arrangement. Although such arrangements are not
prohibited by a national policy, the OIG believes that such
arrangements may potentially raise anti-kickback and self-referral
issues.
---------------------------------------------------------------------------
[[Page 4442]]
Non-compliance with the Federal, State and private payor
supplier standards; 64
---------------------------------------------------------------------------
\64\ See 42 CFR 424.57 for the Medicare supplier standards.
DMEPOS suppliers may have the appropriate personnel acknowledge they
have reviewed and will abide by these standards. In addition, DMEPOS
suppliers should ensure they are meeting individual state and
private payor supplier standards.
---------------------------------------------------------------------------
Providing false information on the Medicare DMEPOS
supplier enrollment form; 65
---------------------------------------------------------------------------
\65\ Criminal penalties may be imposed against an individual who
knowingly and willfully makes or causes to be made any false
statements or representations of a material fact in any application
for any benefit or payment under a Federal health care program. See
42 U.S.C. 1320a-7b(a)(1).
---------------------------------------------------------------------------
Not providing corrected information on the DMEPOS supplier
enrollment form in a timely manner; 66
---------------------------------------------------------------------------
\66\ By signing the DMEPOS supplier enrollment application, the
DMEPOS supplier certifies it will notify the Medicare contractor of
any changes in its enrollment information within 30 days of the
effective date of the change.
---------------------------------------------------------------------------
Misrepresentation of a person's status as an agent or
representative of Medicare; 67
---------------------------------------------------------------------------
\67\ It is unlawful for a DMEPOS supplier to represent itself as
a Medicare representative. See 42 U.S.C. 1320b-10.
---------------------------------------------------------------------------
Knowing misuse of supplier number, which results in
improper billing; 68
---------------------------------------------------------------------------
\68\ This practice may involve, but is not limited to, using
another DMEPOS supplier's billing number.
---------------------------------------------------------------------------
Failing to meet individual payor requirements;
69
---------------------------------------------------------------------------
\69\ DMEPOS suppliers should be aware of the requirements of any
payor they bill, especially in those situations where there is a
primary and secondary payor.
---------------------------------------------------------------------------
Performing tests on a beneficiary that a DMEPOS supplier
is not authorized to perform; 70
---------------------------------------------------------------------------
\70\ E.g., Medicare does not permit DMEPOS suppliers to perform
oxygen tests (e.g., oximetry tests and arterial blood gas tests) to
qualify patients for oxygen and oxygen supplies. See section 60-4 of
the Medicare Coverage Issues Manual. See also discussion in section
II.A.3.o.
---------------------------------------------------------------------------
Failing to refund overpayments to a health care program;
71
---------------------------------------------------------------------------
\71\ An overpayment is the amount of money the DMEPOS supplier
has received in excess of the amount due and payable under a health
care program. Examples of overpayments include, but are not limited
to, instances where a DMEPOS supplier is: (1) paid twice for the
same service, for the same beneficiary; or (2) paid for services
that were provided but not ordered by the treating physician or
other authorized person. DMEPOS suppliers should institute
procedures to detect overpayments and to promptly remit such
overpayments to the affected payor. See 42 U.S.C. 1320a-7b(a)(3),
which provides criminal penalties for failure to disclose an
overpayment.
---------------------------------------------------------------------------
Failing to refund overpayments to patients; 72
---------------------------------------------------------------------------
\72\ If the patient is also due money when a DMEPOS supplier
identifies an overpayment to a health care program, the DMEPOS
supplier should make a prompt refund to the patient. See 42 U.S.C.
1395m(j)(4) on limitation of patient liability for non-assigned
claims that are denied due to medical necessity. See also 42 U.S.C.
1395pp(h) on limitation of patient liability for assigned claims
that are denied due to medical necessity.
---------------------------------------------------------------------------
Lack of communication between the DMEPOS supplier, the
physician, and the patient; 73
---------------------------------------------------------------------------
\73\ A lack of communication between the DMEPOS supplier,
physician, and patient may result in the DMEPOS supplier
inappropriately billing for items or supplies (e.g., supplies for an
on-going condition or rental equipment that are no longer medically
necessary).
---------------------------------------------------------------------------
Lack of communication between different departments within
the DMEPOS supplier; 74 and
---------------------------------------------------------------------------
\74\ A lack of communication between the different departments
of the DMEPOS supplier may result in the DMEPOS supplier filing
incorrect claims and/or equipment delivery problems.
---------------------------------------------------------------------------
Employing persons excluded from participation in Federal
health care programs. 75
---------------------------------------------------------------------------
\75\ This involves hiring or contracting with individuals or
entities who have been excluded from participation in Federal health
care programs or any other Federal prucurement or non-prucurement
program. See section II.E.2.
---------------------------------------------------------------------------
A DMEPOS supplier's prior history of noncompliance with applicable
statutes, regulations, and Federal, State or private health care
program requirements may indicate additional types of risk areas where
the DMEPOS supplier may be vulnerable and that may require necessary
policy measures to be taken to prevent avoidable
recurrence.76 Additional risk areas should be assessed by
DMEPOS suppliers and incorporated into the written policies and
procedures and training elements developed as part of their compliance
program.
---------------------------------------------------------------------------
\76\ ``Recurrence of misconduct similar to that which an
organization has previously committed casts doubt on whether it took
all reasonable steps to prevent such misconduct'' and is a
significant factor in the assessment of whether a compliance program
is effective. See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(k)(iii).
---------------------------------------------------------------------------
3. Claims Development and Submission. a. Medical Necessity. A
DMEPOS supplier's compliance program should ensure that services are
billed only if they were ordered by the treating physician or other
authorized person, have been provided, are covered, and are reasonable
and necessary given the clinical condition of the patient.77
DMEPOS suppliers must keep the treating physician's or other authorized
person's original signed and dated order or CMN on file for all DMEPOS
items and services.78 Because the DMEPOS supplier is in a
unique position to inform its clients who write orders and refer
patients, the DMEPOS supplier may want to send a written notice to such
clients concerning the necessary paperwork requirements.
---------------------------------------------------------------------------
\77\ See note 29.
\78\ See Medicare Carriers Manual, section 3312. See also
Medicare Carrier Manual, section 4105.2 regarding what information
must be included on the physician's order.
---------------------------------------------------------------------------
As a preliminary matter, the OIG recognizes that physicians and
other authorized persons must be able to order any items or services
for the treatment of their patients. However, Medicare and other
Government and private health care plans will only pay for those
services otherwise covered that meet the appropriate medical necessity
standards (e.g., ordered, provided, covered, reasonable, necessary, and
criteria established by medical review policies). DMEPOS suppliers
should not knowingly bill for services that do not meet the applicable
medical necessity standards.79 Upon a payor's request, the
DMEPOS supplier must be able to provide documentation, such as original
orders, proof of delivery, completed original certificates of medical
necessity, written confirmation of verbal orders and any other
documentation, to support the medical necessity of an item or service
that the DMEPOS supplier has provided. 80
---------------------------------------------------------------------------
\79\ See note 29.
\80\ In order to ensure correct reimbursement, the payor may
conduct a post-payment audit of the DMEPOS supplier's claims. Such
audits may require that the DMEPOS supplier submit documentation
that substantiates that the items or services were ordered by the
treating physician or other authorized person, provided, covered,
reasonable and necessary. See 42 CFR 424.5(a)(6).
---------------------------------------------------------------------------
Although DMEPOS suppliers do not and cannot treat patients or make
medical necessity determinations, there are steps that a DMEPOS
supplier can take to help maximize the likelihood that they only bill
for services that are ordered, provided, covered, reasonable and
necessary for each individual patient. The OIG recommends that DMEPOS
supplier personnel understand the coverage and payment criteria of each
payor they bill. To help aid supplier personnel, the DMEPOS supplier's
compliance officer may want to create a clear, comprehensive summary of
the ``medical necessity'' or coverage criteria and applicable rules of
the various Government and private plans. This summary should be
disseminated and explained to the appropriate DMEPOS supplier
personnel.
We also recommend that DMEPOS suppliers formulate internal control
mechanisms through their written policies and procedures. Such policies
and procedures should include periodic claim reviews, both prior and
subsequent to billing for items and services. Such a procedure will
verify that patients are receiving and the DMEPOS supplier is billing
for items and/or services that are ordered,
[[Page 4443]]
provided, covered, reasonable and necessary. DMEPOS suppliers may
choose to incorporate this claims review function into pre-existing
quality assurance mechanisms.
b. Physician Orders. The DMEPOS supplier's written policies and
procedures should state that the DMEPOS supplier will not bill for an
item or service unless and until it has been ordered by the treating
physician or any other authorized person. For all Medicare reimbursed
DMEPOS items or services, the DMEPOS supplier must receive a written
order from the patient's physician. When the DMEPOS supplier receives a
verbal order, the supplier should document the verbal order and must
have the treating physician confirm it in writing prior to billing.
The written policies and procedures should also state for items
requiring a written order prior to delivery, that the order must be
received by the DMEPOS supplier before it delivers the equipment to the
patient and before it bills the payor.81
---------------------------------------------------------------------------
\81\ See 42 CFR 410.38.
---------------------------------------------------------------------------
c. Certificate of Medical Necessity.82 For some DMEPOS
items and services, the DMEPOS supplier must receive a signed CMN from
the treating physician or other authorized person. Currently, CMNs are
required for Medicare reimbursement for fourteen items.83
The original CMN must be retained in the DMEPOS supplier's file and be
available to the DMERCs upon request.84
---------------------------------------------------------------------------
\82\ As defined in 42 U.S.C. 1395m(j)(2)(B). See also OIG
Special Fraud Alert regarding Physician Liability for Certifications
in the Provision of Medical Equipment and Supplies and Home Health
Services, 64 FR 1813 (January 12, 1999). Special Fraud Alerts are
also available on the Internet.
\83\ Items or services requiring CMNs are as follows: Home
oxygen therapy (HCFA form 484); Hospital beds (HCFA form 841);
Support surfaces (HCFA form 842); Motorized wheelchairs (HCFA form
843) (Section C continuation, HCFA form 854); Manual wheelchairs
(HCFA form 844) (Section C continuation, HCFA form 854); Continuous
positive airway pressure (CPAP) devices (HCFA form 845); Lymphedema
pumps (pneumatic compression devices) (HCFA form 846); Osteogenesis
stimulators (HCFA form 847); Transcutaneous electrical nerve
stimulators (TENS) (HCFA form 848); Seat lift mechanisms (HCFA form
849); Power operated vehicles (HCFA form 850); Infusion pumps (HCFA
form 851); Parenteral nutrition (HCFA form 852); and Enteral
nutrition (HCFA form 853).
\84\ See Medicare Carrier Manual, section 3312.
---------------------------------------------------------------------------
Each CMN has four sections: A, B, C, and D. Section A may be
completed by the DMEPOS supplier. Section B may not be completed by the
DMEPOS supplier.85 Section B may only be completed by the
treating physician, a non-physician clinician involved in the care of
the patient or a physician employee who is knowledgeable about the
patient's treatment. If section B was completed by a physician
employee, the section must be reviewed by the treating physician or
other person authorized to order such equipment for the patient to
ensure accuracy. Section C must be completed by the DMEPOS supplier
prior to the CMN being furnished to the treating physician or other
authorized person for signature.86 Section D is the
attestation statement and may only be signed by the treating physician
or other person authorized to order equipment for the
patient.87 The written policies and procedures on completing
CMNs should reflect these standards.
---------------------------------------------------------------------------
\85\ A supplier who knowingly and willfully completes section B
of the form is, at a minimum, subject to a civil money penalty up to
$1,000 for each form or document completed in such manner. See 42
U.S.C. 1395m(j)(2). That supplier may also face civil or criminal
liability.
\86\ A supplier who knowingly and willfully fails to include, in
section C, the fee schedule amount and the supplier's charge for the
equipment or supplies being furnished may be subject to a civil
money penalty up to $1,000 for each form or document so distributed.
See 42 U.S.C. 1395m(j)(2).
\87\ Physicians or other authorized persons should only sign
CMNs in which sections A-C are completed and correct. Signature and
date stamps are not acceptable. See Medicare Carriers Manual,
section 3312.
---------------------------------------------------------------------------
DMEPOS suppliers should take all reasonable steps to ensure that
each section of the CMN is completed in accordance with the above
guidelines. The DMEPOS suppliers' written policies and procedures
should require, at a minimum, that they:
Do not forward blank CMNs to the treating physician or
other authorized person for signature;
Do not complete section B (Medical Necessity) of the CMN;
Do not include diagnostic information on a cover letter
(to the treating physician or other authorized person) attached to the
CMN; 88
---------------------------------------------------------------------------
\88\ See discussion in section A.II.3.m.
---------------------------------------------------------------------------
Do not alter or add any information on the CMN after
receiving the completed and signed CMN from the physician or other
authorized person; 89
---------------------------------------------------------------------------
\89\ There have been many investigations centering on DMEPOS
suppliers who alter information in order to affect their
reimbursement (e.g., altering diagnosis code, altering HCPCs code of
service provided).
---------------------------------------------------------------------------
Do not sign the CMN for the treating physician or other
authorized person;
Do not urge physicians or other authorized person to order
equipment or supplies that exceed what is reasonable and necessary for
the patient;
Do not deliver an item that needs pre-authorization prior
to receiving the physician order and CMN; 90
---------------------------------------------------------------------------
\90\ See 42 U.S.C. 1395m(a)(11)(B). See also 42 CFR 410.38.
---------------------------------------------------------------------------
Do not submit a claim for items or services until the CMN
is properly and correctly completed by the treating physician or other
authorized person;
Do maintain the original CMNs in their files;
Do consult with the treating physician or other authorized
person who signed the CMN when there is a question on the order;
Do properly complete sections A and C of the CMN and
forward the remainder of the CMN to the treating physician or other
authorized person for his/her review, information, and signature; and
Only bill for services that the treating physician or
other authorized person attests in section D are ordered, covered,
reasonable, and necessary for the patient.
d. Billing. DMEPOS suppliers should include in their written
policies and procedures that they will only submit to Medicare or other
Federal, State or private payor health care plans claims for equipment
and supplies that are properly completed, accurate, and correctly
identify the equipment or supplies ordered by the treating physician or
other authorized person and furnished to the patient. Also, before
submitting a claim, the DMEPOS supplier should ensure the item or
service being claimed was provided, covered, reasonable and necessary.
The written policies and procedures should also clarify that a
DMEPOS supplier cannot submit bills or receive payment for drugs used
in conjunction with DMEPOS, unless the DMEPOS supplier is licensed to
dispense the drug.91
---------------------------------------------------------------------------
\91\ See Medicare program memoranda B-98-6 and B-98-18.
---------------------------------------------------------------------------
e. Selection of HCPCs Codes. DMEPOS suppliers' written policies and
procedures should state that only the HCPCs code that most accurately
describes the item or service ordered and provided should be billed.
The OIG views intentional ``upcoding'' (i.e., the selection of a code
to maximize reimbursement when such a code is not the most appropriate
descriptor of the service) as raising, among other things, false claims
issues under the Federal False Claims Act.92 To ensure code
accuracy, the OIG recommends the DMEPOS supplier include a requirement
in its policies and procedures that the codes be reviewed (random
sample or certain codes) by individuals with technical expertise in
coding before claims containing such codes are submitted to the
affected payor. If a DMEPOS supplier has questions regarding the
appropriate
[[Page 4444]]
code to be used, it should contact the Statistical Analysis Durable
Medical Equipment Carrier's (SADMERC) HCPCS coding help
line.93
---------------------------------------------------------------------------
\92\ See 31 U.S.C. 3729, which provides for the imposition of
penalties of $5,000 to $10,000 per false claim, plus up to three
times the amount of damages suffered by the Federal Government
because of the false claim.
\93\ The phone number for the SADMERC's HCPCS coding help line
is: (803) 736-6809. The hours of operation are Monday through Friday
from 9:00 am to 4:00 pm, EST. The SADMERC will aid the DMEPOS
supplier in choosing the most accurate code for the item or service
ordered and supplied. However, DMEPOS suppliers should be aware that
assigning a HCPCs code to an item or service does not necessarily
guarantee reimbursement.
---------------------------------------------------------------------------
f. Valid Supplier Numbers. The DMEPOS supplier should ensure that
appropriate personnel are knowledgeable in (1) completing the HCFA 855S
supplier application; 94 and (2) complying with the Federal
requirements of 42 CFR 424.57(e) for updating supplier number
applications.
---------------------------------------------------------------------------
\94\ By signing the certification statement of the enrollment
application, the applicant agrees that he/she has read, understood,
meets and will continue to meet the supplier standards and will be
disenrolled from the program if any standards are not met or
violated.
---------------------------------------------------------------------------
The written policies and procedures should state that the DMEPOS
supplier should not bill any other Federal, State or private payor
health care plan without obtaining the necessary billing numbers and
that the billing numbers will be used correctly.95
---------------------------------------------------------------------------
\95\ E.g., if a DMEPOS supplier has more than one location, the
supplier number of the location that filled the physician's order
will be used on the claim form.
---------------------------------------------------------------------------
Prior to applying for a valid supplier number, DMEPOS suppliers
providing services to Medicare beneficiaries must meet the supplier
standards.96 DMEPOS suppliers should take all affirmative
steps to ensure that no claims for Medicare reimbursement are submitted
prior to the DMEPOS supplier being issued a valid supplier number by
the National Supplier Clearinghouse. A DMEPOS supplier should not have
more than one supplier number unless it is appropriate to identify
subsidiary or regional entities under the supplier's ownership or
control.97
---------------------------------------------------------------------------
\96\ See 42 CFR 424.57.
\97\ See 42 U.S.C. 1395m(j)(1)(D).
---------------------------------------------------------------------------
g. Mail Order Suppliers. We recommend that any DMEPOS supplier who
engages in the mail order supply business clearly articulate its
protocol for this segment of its business in the company's written
policies and procedures.
Mail order supplies should only be delivered in accordance with the
treating physician's or other authorized person's order. Regularly
shipping supplies without such orders may lead to providing supplies
substantially in excess of the patient's needs.98 We also
recommend that the supplier utilize a tracking system so it will be
able to determine whether or not the patient received the supplies and
will be able to track the location of an item or supply at any given
time. In addition, the mail order DMEPOS supplier should maintain an
accurate inventory list and should not bill for or commit to sending
items that are not part of its inventory.
---------------------------------------------------------------------------
\98\ Providing a substantially excessive amount of supplies may,
for example, constitute grounds for a supplier's exclusion under 42
U.S.C. 1320a-7(b)(6)(B).
---------------------------------------------------------------------------
h. Assignment. If a DMEPOS supplier accepts Medicare assignment,
its written policies and procedures should state that it will not
charge Medicare beneficiaries more than the amounts allowed under the
Medicare fee schedule, including coinsurance and deductibles. If the
beneficiary pays the DMEPOS supplier prior to the DMEPOS supplier
submitting the claim, the DMEPOS supplier should ensure it is not
charging the beneficiary more than the coinsurance on the allowed
amount under the fee schedule. In the event that the DMEPOS supplier
collects excess payments from a Medicare beneficiary, it should have
mechanisms in place to promptly refund the overpayment to the
beneficiary. DMEPOS suppliers should be knowledgeable about the
Medicare rules and instructions for accepting assignment and receiving
direct payment from beneficiaries for items or services.
If a DMEPOS supplier chooses not to accept Medicare assignment, it
is still responsible for submitting the claim to Medicare on behalf of
the beneficiary.99
---------------------------------------------------------------------------
\99\ See 42 U.S.C. 1395w-4(g)(4).
---------------------------------------------------------------------------
If the DMEPOS supplier chooses to utilize a billing agent, the
DMEPOS supplier should ensure it is complying with all of the relevant
statutes and requirements governing such an arrangement.100
The OIG strongly recommends that the supplier coordinate closely with
the billing company to establish compliance responsibilities. Once the
responsibilities have been clearly delineated, they should be
formalized in the written contract between the DMEPOS supplier and the
billing agent. The OIG recommends that the contract enumerate those
functions that are shared responsibilities and those that are the sole
responsibility of either the billing agent or the DMEPOS supplier.
---------------------------------------------------------------------------
\100\ See 42 U.S.C. 1395u(b)(6); 42 CFR 424.73; Medicare Carrier
Manual, section 3060. See also OIG Ad. Op. 98-1 (1998) and OIG Ad.
Op. 98-4 (1998).
---------------------------------------------------------------------------
i. Liability Issues. A DMEPOS supplier or Medicare beneficiary is
not liable for payment on assigned claims where the beneficiary did not
know, and could not reasonably have been expected to know, that the
payment for such services would not be made.101 However,
when the DMEPOS supplier knew, or could have been expected to know, the
items or services would be denied, the liability for the charges for
the denied items or services rest with the DMEPOS
supplier.102
---------------------------------------------------------------------------
\101\ See 42 U.S.C. 1395pp.
\102\ Id.
---------------------------------------------------------------------------
When a DMEPOS supplier knows or has reason to believe that the
equipment or supplies ordered by the treating physician or other
authorized person will be denied, the DMEPOS supplier should inform the
patient prior to furnishing the item or service and ask the patient to
sign a written notice.103 If the DMEPOS supplier has not
received a signed written notice from the beneficiary and the claim is
denied, the DMEPOS supplier should not bill the beneficiary. The
written notice must be in writing, must clearly identify the particular
item or service, must state that the payment for the particular service
likely will be denied, and must give the reason(s) for the belief that
payment is likely to be denied. It is the beneficiary's decision
whether or not to sign the written notice. If the beneficiary does sign
the notice, the supplier should: (1) include the appropriate modifier
on the claim form; (2) maintain the written notice in its files; and
(3) be able to produce the written notice to the DMERC, upon request.
---------------------------------------------------------------------------
\103\ See Medicare Carriers Manual, section 7300.5.
---------------------------------------------------------------------------
Routine notices to beneficiaries that do no more than state that
denial of payment is possible or that they never know whether payment
will be denied are not considered acceptable evidence of written
notice. Notices should not be given to beneficiaries unless there is
some genuine doubt regarding the likelihood of payment as evidenced by
the reasons stated on the written notice. Giving notice for all claims,
items or services is not an acceptable practice.
The DMEPOS supplier should include liability issues (e.g.,
circumstances where the DMEPOS supplier knows or could be expected to
know of a denial, use of advance beneficiary notice, etc.) in their
written policies and procedures.
j. Routine Waiver of Deductibles and Coinsurance. Routine waivers
of deductibles and coinsurance may result in false claims, violations
of the anti-kickback statute and overutilization of items or
services.104 DMEPOS suppliers are permitted to waive the
Medicare coinsurance amounts for cases of
[[Page 4445]]
indigency.105 However, we recommend the supplier develop and
maintain written criteria documenting its policy for determining
indigency, and consistently apply these criteria to all cases. This
indigency exception must not be used routinely and a good faith effort
must be made to collect deductibles and coinsurance.
---------------------------------------------------------------------------
\104\ See 59 FR 31157 (December 19, 1994) or the OIG web site at
http://www.dhhs.gov/progorg/oig for the OIG Special Fraud Alert on
Medicare Deductibles and Copayments.
\105\ See section 5520 of the Medicare Carriers Manual.
---------------------------------------------------------------------------
DMEPOS suppliers' written policies and procedures should state that
they will not routinely waive deductibles and coinsurance for Medicare
beneficiaries. Such policies and procedures should include, but not be
limited to, statements that DMEPOS supplier personnel are prohibited
from: advertising an intent to waive deductibles or coinsurance;
advertising an intent to discount services for Medicare beneficiaries;
giving unsolicited advice to patients that they need not pay; charging
Medicare beneficiaries more than other patients for similar services
and items; or collecting deductibles and coinsurance only when a
patient has a certain insurance. Routine waivers of deductibles and
coinsurance may result in civil monetary penalties, False Claims Act
liability, and/or a violation of the anti-kickback
statute.106
---------------------------------------------------------------------------
\106\ See 42 U.S.C. 1320a-7a(a)(5); 31 U.S.C. 3729-3733; 42
U.S.C. 1320a-7b.
---------------------------------------------------------------------------
K. Capped Rentals. DMEPOS suppliers' written policies and
procedures should address Government and private payor requirements
when providing rental equipment to beneficiaries (e.g., the purchase
option 107 and servicing and maintenance 108).
DMEPOS suppliers must offer a purchase option to beneficiaries during
the 10th continuous rental month.109 The DMEPOS supplier
should clearly, accurately, and non-deceptively discuss the pros and
cons of the different options with the beneficiary. If the beneficiary
does not accept the purchase option, the DMEPOS supplier must continue
to provide the item without charge to the beneficiary or Medicare after
the 15th continuous month of receiving rental payments from Medicare,
providing the item or service continues to be medically necessary.
---------------------------------------------------------------------------
\107\ See 42 CFR 414.229(d).
\108\ See 42 CFR 414.229(e).
\109\ DMEPOS suppliers must offer beneficiaries the option of
purchasing power-driven wheelchairs at the time the DMEOS supplier
first furnishes the item. See 42 CFR 414.229(d)(1).
---------------------------------------------------------------------------
However, the DMEPOS supplier may submit additional claims for the
maintenance and servicing fees associated with the rental
item.110 The DMEPOS supplier should ensure it is performing
basic safety and operational function checks after use by each patient,
and is performing routine and preventative maintenance on equipment.
The DMEPOS supplier must ensure it has qualified staff or contractors
to service, set up, and instruct the patient on the proper use of the
equipment. The DMEPOS supplier should ensure it maintains current
service manuals for all equipment they supply. In addition, the
policies and procedures should also establish an internal control
system which allowed the DMEPOS suppler to track the location of each
piece of equipment at any given time.
---------------------------------------------------------------------------
\110\ See 42 CFR 414.229(e).
---------------------------------------------------------------------------
The policies and procedures should also address the guidelines for
determining continuous use and criteria for a new rental
period.111 If a beneficiary dies during a rental period, the
DMEPOS supplier may receive the entire monthly rental
payment.112 However, if the DMEPOS supplier continues to
bill for the item because it did not receive notice of the
beneficiary's death until the following month, any payments received
for rental items the month after the beneficiary dies are considered an
overpayment and must promptly be refunded. The DMEPOS supplier should
create internal mechanisms to ensure the correct rental month appears
on the claim and the correct modifier is used.
---------------------------------------------------------------------------
\111\ See 42 CFR 414.230.
\112\ See Medicare Carriers Manual, section 4105.3.
---------------------------------------------------------------------------
In addition, the DMEPOS supplier should ensure it is not submitting
claims for rental equipment when the beneficiary is residing in an
institution. The OIG is aware that some DMEPOS suppliers deliver
equipment to beneficiaries residing in institutions just prior to the
beneficiary being discharged. However, if the beneficiary is residing
in an institution when the DMEPOS supplier delivers the equipment, the
HCFA claim form should indicate the date of delivery as being the date
the beneficiary is discharged from the institution. The DMEPOS supplier
may not submit the claim prior to the beneficiary's date of discharge.
l. ZX Modifier. The ZX modifier is used to indicate that the DMEPOS
supplier is maintaining medical necessity documentation in its files.
Such documentation only needs to be submitted to the DMERC upon
request.
DMEPOS suppliers should create internal mechanisms to ensure the
proper use of the ZX modifier. Improper use of the modifier may result
in the submission of false claims. The written policies and procedures
should address the DMEPOS supplier's protocol for using the ZX
modifier.113
---------------------------------------------------------------------------
\113\ See relevant DMERC supplier manual(s) for guidelines on
proper use.
---------------------------------------------------------------------------
m. Cover Letters. The DMEPOS supplier should address the use of
cover letters in its written policies and procedures, if
applicable.114
---------------------------------------------------------------------------
\114\ Id.
---------------------------------------------------------------------------
In many instances, the DMEPOS supplier will send a cover letter
along with the CMN to the physician. The information contained in the
cover letter should address issues relating to HCFA or DMERC
regulation/policy changes, brief descriptions of the item(s) being
provided and changes in the patient's regimen. The cover letter must
not (i) lead physicians to order medically unnecessary items or
supplies or (ii) include diagnostic information. In addition, the
DMEPOS supplier should not distribute completed ``sample'' CMNs to
physicians. DMEPOS suppliers should maintain on file a copy of the
cover letter sent to physicians. The DMERCs may request to review the
information provided in cover letters to ensure the DMEPOS supplier is
in compliance with the law.
n. Communication. The OIG suggests DMEPOS suppliers create
mechanisms that increase the communication between treating physicians
or other authorized persons who refer business to the DMEPOS supplier,
the patients, and the DMEPOS supplier. Such mechanisms should be
included in the DMEPOS supplier's written policies and procedures and
may include the DMEPOS supplier periodically calling the patient to
ensure the equipment is still being used and operating properly or an
arrangement between the DMEPOS supplier and the physician whereby the
physician immediately informs the DMEPOS supplier when equipment is no
longer medically necessary. The DMEPOS supplier should create
mechanisms to ensure communications between different departments
(e.g., sales and billing) in order to prevent the filing of incorrect
claims.
o. Oxygen and Oxygen Equipment. The OIG recommends the written
policies and procedures for DMEPOS suppliers furnishing oxygen state
that the DMEPOS supplier will ensure that initial claims for oxygen
therapy include the written results of an arterial blood gas study or
oximetry test (on the CMN) that has been ordered and evaluated by the
patient's treating physician. Further, the written policies
[[Page 4446]]
and procedures should provide for the DMEPOS supplier to maintain such
test results and any other independent physiological laboratory (IPL)
documents supporting the patient's medical necessity for the oxygen.
The DMEPOS supplier should have the IPLs from which they receive tests
results submit all raw test results to the ordering physician for the
physician's benefit, and not just a summary of the results. The written
policies and procedures should provide that a DMEPOS supplier is not
qualified to conduct the blood gas study or to prescribe the oxygen
therapy.115 When submitting an oxygen or oxygen equipment
claim for reimbursement, the DMEPOS supplier must ensure it is
complying with the payment rules.116
---------------------------------------------------------------------------
\115\ See Coverage Issues Manual, section 60-4.
\116\ See 42 CFR 414.226.
---------------------------------------------------------------------------
4. Anti-Kickback and Self-Referral Concerns. The DMEPOS supplier
should have policies and procedures in place with respect to compliance
with Federal and State laws, including the anti-kickback statute, as
well as the Stark physician self-referral law.117 Such
policies should provide that:
---------------------------------------------------------------------------
\117\ Towards this end, the DMEPOS supplier should, among other
things, obtain copies of all relevant OIG regulations, Special Fraud
Alerts, and advisory opinions (these documents are located on the
Internet at http://www.dhhs.gov/progorg/oig), and ensure that the
DMEPOS supplier's policies reflect the guidance provided by the OIG.
See 42 U.S.C. 1395nn(a) for the Stark physician referral laws. See
also 42 U.S.C. 1320a-7b for prohibited activities under the anti-
kickback statute.
---------------------------------------------------------------------------
All of the DMEPOS supplier's contracts and arrangements
with actual or potential referral sources (e.g., physicians) are
reviewed by counsel and comply with all applicable statutes and
regulations, including the anti-kickback statute and the Stark
physician self-referral law provisions; 118
---------------------------------------------------------------------------
\118\ If the DMEPOS supplier questions an arrangement it may
enter into, it should consider asking the OIG for an advisory
opinion regarding the anti-kickback statute or HCFA for an advisory
opinion regarding Stark. See 62 FR 7350 (February 19, 1997) and 63
FR 38311 (July 16, 1998) for instructions on how to submit an
Advisory Opinion to the OIG. These instructions are also located on
the Internet at: http://www.dhhs.gov/progorg/oig. See 63 FR 1645
(January 9, 1998) on how to submit an advisory opinion to HCFA.
---------------------------------------------------------------------------
The DMEPOS supplier not submit or cause to be submitted to
the Federal health care programs claims for patients who were referred
to the DMEPOS supplier in accordance with contracts or financial
arrangements that were designed to induce such referrals in violation
of the anti-kickback statute or similar Federal or State statute or
regulation or that otherwise violates the Stark physician self-referral
law; and
The DMEPOS supplier does not offer or provide gifts, free
services, or other incentives or things of value to patients, relatives
of patients, physicians, home health agencies, nursing homes,
hospitals, contractors, assisted living facilities, or other potential
referral sources for the purpose of inducing referrals in violation of
the anti-kickback statute or similar Federal or State statute or
regulation.119
---------------------------------------------------------------------------
\119\ See 42 U.S.C. 1320a-7(a)(5), which provides for civil
money penalties for improper inducements to beneficiaries. See also
42 U.S.C. 1320a-7b(b).
---------------------------------------------------------------------------
Further, the written policies and procedures should specifically
reference and take into account the OIG's safe harbor regulations,
which describe those payment practices that are immune from criminal
and administrative prosecution under the anti-kickback
statute.120
---------------------------------------------------------------------------
\120\ See 42 CFR 1001.952.
---------------------------------------------------------------------------
5. Marketing. DMEPOS supplier compliance programs should require
honest, straightforward, fully informative and non-deceptive marketing,
where marketing is permitted. It is in the best interest of patients,
DMEPOS suppliers, physicians and health care programs that physicians
or other persons authorized to order DMEPOS fully understand the
services offered by the DMEPOS supplier, the items or services that
will be provided when ordered and the financial consequences for
Medicare as well as other payors for items or services ordered. If the
DMEPOS supplier services a large number of non-English speaking
patients, it should ensure its marketing materials are available in
that other language. The DMEPOS supplier's written policies and
procedures should ensure that its marketing information is clear,
correct, and fully informative. Salespeople must not offer physicians,
patients or other potential referral sources incentives, in cash or in
kind, for their business.121 Similarly, they must not engage
in any marketing activity that either explicitly or implicitly implies
that Medicare beneficiaries are not obligated to pay their coinsurance
or can receive ``free'' services.122 In addition, DMEPOS
suppliers must not promote items or services to patients or physicians
that are not reasonable or necessary for the treatment of the
individual patient. The OIG suggests the DMEPOS supplier's written
policies and procedures create internal mechanisms to avoid these
situations.
---------------------------------------------------------------------------
\121\ See anti-kickback statute discussion in section II.A.4.
\122\ See discussion in section II.A.3.j.
---------------------------------------------------------------------------
With respect to marketing and sales, the OIG has a longstanding
concern that percentage compensation arrangements for sales and
marketing personnel may increase the risk of such persons violating the
anti-kickback statute.123 The OIG recommends the DMEPOS
supplier monitor its sales representatives on a regular basis (e.g.,
rotate sales staff or send sales manager on some sales calls).
---------------------------------------------------------------------------
\123\ See, e.g., 42 U.S.C. 1320a-7b(b); OIG Ad. Op. 98-10
(1998); section II.A.4.
---------------------------------------------------------------------------
DMEPOS suppliers are prohibited from making unsolicited telephone
contacts to Medicare beneficiaries.124 In addition, a DMEPOS
supplier cannot accomplish through an agent that which it cannot do
itself. Since a DMEPOS supplier has no control over the means by which
a non-employee sales or other representative might contact a Medicare
beneficiary regarding the furnishing of such items, DMEPOS suppliers
may not accept any referral from a sales or other representative who is
not an employee of the DMEPOS supplier, regardless of the means
allegedly used to contact the beneficiary. We suggest the DMEPOS
supplier's written policies and procedures reflect this prohibition.
---------------------------------------------------------------------------
\124\ See 42 U.S.C. 1395m(a)(17), Pub. L. 103-432, section
132(a).
---------------------------------------------------------------------------
DMEPOS suppliers are prohibited from using symbols, emblems, or
names in reference to Social Security or Medicare in a manner that such
person knows or should know would convey the false impression that such
item is approved, endorsed, or authorized by the Social Security
Administration, the Health Care Financing Administration, or the
Department of Health and Human Services or that such person has some
connection with, or authorization from, any of these
agencies.125
---------------------------------------------------------------------------
\125\ See 42 U.S.C. 1320b-10.
---------------------------------------------------------------------------
6. Retention of Records. DMEPOS supplier compliance programs should
provide for the implementation of a records system. DMEPOS suppliers
should ensure that records are maintained for the length of time
required by Federal and State law and private payors, or by the
supplier's record retention policies, whichever is longer. This system
should establish policies and procedures regarding the creation,
distribution, retention, storage, retrieval, and destruction of
documents.126 The three types of documents developed under
this system should include: (1) all records and documentation (e.g.,
billing and claims documentation) required either by Federal or State
law and the program requirements of Federal, State and private health
plans; (2) records listing the persons responsible for implementing
each part of the
[[Page 4447]]
compliance program; and (3) all records necessary to protect the
integrity of the DMEPOS supplier's compliance process and confirm the
effectiveness of the program. The documentation necessary to satisfy
the third requirement includes, but is not limited to: evidence of
adequate employee training; reports from the DMEPOS supplier's hotline;
results of any investigation conducted as a consequence of a hotline
call; modifications to the compliance program; self-disclosure; all
written notifications to providers;127 and the results of
the DMEPOS supplier's auditing and monitoring efforts.128
---------------------------------------------------------------------------
\126\ This records system should be tailored to fit the
individual needs and financial resources of the DMEPOS supplier.
\127\ This should include notifications regarding inappropriate
claims and overpayments.
\128\ The creation and retention of such documents and reports
may raise a variety of legal issues, such as patient privacy and
confidentiality. These issues are best discussed with legal counsel.
---------------------------------------------------------------------------
7. Compliance as an Element of a Performance Plan. Compliance
programs should require that the promotion of, and adherence to, the
elements of the compliance program be a factor in evaluating the
performance of all employees. Employees should be periodically trained
in new compliance policies and procedures. In addition, all managers
and supervisors involved in the claims development and submission
processes should:
Discuss with all supervised employees and relevant
contractors the compliance policies and legal requirements applicable
to their function;
Inform all supervised personnel that strict compliance
with these policies and requirements is a condition of employment; and
Disclose to all supervised personnel that the DMEPOS
supplier will take disciplinary action up to and including termination
for violation of these policies or requirements.
In addition to making performance of these duties an element in
evaluations, the compliance officer or DMEPOS supplier management
should include a policy that managers and supervisors will be
sanctioned for failing to adequately instruct their subordinates or for
failing to detect noncompliance with applicable policies and legal
requirements, where reasonable diligence on the part of the manager or
supervisor would have led to the discovery of any problems or
violations.
B. Designation of a Compliance Officer and a Compliance Committee
1. Compliance Officer. Every DMEPOS supplier should designate a
compliance officer to serve as the focal point for compliance
activities. The compliance officer should be a person of high
integrity. This responsibility may be the individual's sole duty or
added to other management responsibilities, depending upon the size and
resources of the DMEPOS supplier and the complexity of the task. When a
compliance officer has other duties, the other duties should not be in
conflict with the compliance goals.129
---------------------------------------------------------------------------
\129\ E.g., companies should not choose a sales manager who may
be pressured to achieve high sales, which might result in a conflict
with compliance goals.
---------------------------------------------------------------------------
Designating a compliance officer with the appropriate authority is
critical to the success of the program, necessitating the appointment
of a high-level official in the DMEPOS supplier with direct access to
the DMEPOS supplier's owner(s), president or CEO, governing body, all
other senior management, and legal counsel.130 The
compliance officer should be highly enough placed in the company so
that he or she can exercise independent judgment without fear of
reprisal, and so that employees will know that bringing a problem to
that person's attention is not a wasted exercise. The compliance
officer should have sufficient funding and staff to fully perform his
or her responsibilities. Coordination and communication are the key
functions of the compliance officer with regard to planning,
implementing, and monitoring the compliance program.
---------------------------------------------------------------------------
\130\ The OIG believes that it is not advisable for the
compliance function to be subordinate to the DMEPOS supplier's
general counsel, comptroller or similar DMEPOS supplier financial
officer. Free standing compliance functions help to ensure
independent and objective legal reviews and financial analyses of
the institution's compliance efforts and activities. By separating
the compliance function from the key management positions of general
counsel or chief financial officer (where the size and structure of
the DMEPOS supplier make this a feasible option), a system of checks
and balances is established to more effectively achieve the goals of
the compliance program.
---------------------------------------------------------------------------
The compliance officer's primary responsibilities should include:
Overseeing and monitoring the implementation of the
compliance program;131
---------------------------------------------------------------------------
\131\ For DMEPOS supplier chains, the OIG encourages
coordination with each DMEPOS supplier location through the use of a
headquarter's compliance officer, communicating with parallel
positions in each facility or regional office, as appropriate.
---------------------------------------------------------------------------
Reporting on a regular basis to the DMEPOS supplier's
owner(s), governing body, CEO, president, and compliance committee (if
applicable) on the progress of implementation, and assisting these
components in establishing methods to improve the DMEPOS supplier's
efficiency and quality of services, and to reduce the DMEPOS supplier's
vulnerability to fraud, abuse and waste;
Periodically revising the program in light of changes in
the organization's needs, and in the statutes, rules, regulations, and
requirements of Federal, State and private payor health care plans;
Reviewing employees' certifications that they have
received, read, and understood the standards of conduct;
Developing, coordinating, and participating in a
multifaceted educational and training program that focuses on the
elements of the compliance program, and seeks to ensure that all
appropriate employees and management are knowledgeable of, and comply
with, pertinent Federal, State and private payor health care program
requirements;
Ensuring independent contractors and agents who provide
services (e.g., billing companies, delivery services and sources of
referrals) to the DMEPOS supplier are aware of the requirements of the
DMEPOS supplier's compliance program with respect to coverage, billing,
and marketing, among other things;
Coordinating personnel issues with the DMEPOS supplier's
Human Resources/Personnel office (or its equivalent) to ensure that the
National Practitioner Data Bank,132 Cumulative Sanction
Report,133 and the General Services Administration's List of
Parties Excluded from Federal Procurement and Nonprocurement Programs
134 have been checked with respect to all employees,
referring physicians or other authorized persons, and independent
contractors (as appropriate);135
---------------------------------------------------------------------------
\132\ The National Practitioner Data Bank, maintained by the
Public Health Service, is a data base that contains information
about medical malpractice payments, sanctions by boards of medical
examiners or state licensing boards, adverse clinical privilege
actions, and adverse professional society membership actions. Health
care entities can have access to this data base to seek information
about their own medical or clinical staff, as well as prospective
employees.
\133\ The Cumulative Sanction Report is an OIG-produced report
available on the Internet at http://www.dhhs.gov/progorg/oig. It is
updated on a regular basis to reflect the status of individuals and
entities who have been excluded from participation in the Medicare
and Medicaid programs.
\134\ The List of Parties from Federal Procurement and
Nonprocurement programs is a GSA-produced report available on the
Internet at: http://www.arnet.gov/epls.
\135\ Depending upon State requirements or DMEPOS supplier
policy, the Compliance Officer may also conduct a criminal
background check of employees.
---------------------------------------------------------------------------
Assisting the DMEPOS supplier's financial management in
coordinating internal compliance review and monitoring activities,
including annual or periodic reviews of departments;
Independently investigating and acting on matters related
to compliance,
[[Page 4448]]
including the flexibility to design and coordinate internal
investigations (e.g., responding to reports of problems or suspected
violations) and any resulting corrective action (e.g., making necessary
improvements to DMEPOS supplier policies and practices, taking
appropriate disciplinary action, etc.) with all DMEPOS supplier
departments, independent contractors, and health care professionals;
Developing policies and programs that encourage managers
and employees to report suspected fraud and other improprieties without
fear of retaliation; and
Continuing the momentum of the compliance program and the
accomplishment of its objectives long after the initial years of
implementation.136
---------------------------------------------------------------------------
\136\ Periodic on-site visits of DMEPOS supplier operations,
bulletins with compliance updates and reminders, distribution of
audiotapes or videotapes on different risk areas, lectures at
management and employee meetings, circulation of recent health care
articles covering fraud and abuse, and innovative changes to
compliance training are various examples of approaches and
techniques the compliance officer can employ for the purpose of
ensuring continued interest in the compliance program and the DMEPOS
supplier's commitment to its policies and principles.
---------------------------------------------------------------------------
The compliance officer must have the authority to review all
documents and other information that are relevant to compliance
activities, including, but not limited to, patient records (where
appropriate), billing records, and DMEPOS supplier records concerning
the marketing efforts of the DMEPOS supplier and the DMEPOS supplier's
arrangements with other parties, including employees, home health
agencies, skilled nursing facilities, and ordering physicians or other
authorized persons. This policy enables the compliance officer to
review contracts and obligations (seeking the advice of legal counsel,
where appropriate) that may contain referral and payment provisions
that could violate the anti-kickback statute, as well as the Stark
physician self-referral prohibition or other statutory or regulatory
requirements.
In addition, the compliance officer should be copied on the results
of all internal audit reports and work closely with key managers to
identify aberrant trends in the coding and billing areas. The
compliance officer should ascertain patterns that require a change in
policy and forward these issues to the compliance committee to remedy
the problem. The compliance officer should have full authority to stop
the processing of claims that he or she believes are problematic until
such time as the issue in question has been resolved.
2. Compliance Committee. The OIG recommends, where feasible,\137\
that a compliance committee be established to advise the compliance
officer and assist in the implementation of the compliance
program.\138\ When assembling a team of people to serve as the DMEPOS
supplier's compliance committee, the DMEPOS supplier should include
individuals with a variety of skills.\139\ The OIG strongly recommends
that the compliance officer manage the compliance committee. Once a
DMEPOS supplier chooses the people that will accept the
responsibilities vested in members of the compliance committee, the
DMEPOS supplier must train these individuals on the policies and
procedures of the compliance program, as well as how to discharge their
duties.
---------------------------------------------------------------------------
\137\ The OIG recognizes that smaller DMEPOS suppliers may not
be able to establish a compliance committee. In those situations,
the compliance officer should fulfill the responsibility of the
compliance committee.
\138\ The compliance committee benefits from having the
perspectives of individuals with varying responsibilities in the
organization, such as operations, billing, coding, marketing, and
human resources, as well as employees and managers of key operating
units. These individuals should have the requisite seniority and
comprehensive experience within their respective departments to
implement any necessary changes to the DMEPOS supplier's policies
and procedures as recommended by the committee. A compliance
committee for a DMEPOS supplier that is part of another organization
(e.g., home health agency) might benefit from the participation of
officials from other departments in the organization, such as the
accounting and billing departments.
\139\ A DMEPOS supplier should expect its compliance committee
members and compliance officer to demonstrate high integrity, good
judgment, assertiveness, and an approachable demeanor, while
eliciting the respect and trust of employees of the DMEPOS supplier.
The DMEPOS supplier's compliance committee members should also have
significant professional experience working with billing,
documentation, and auditing principles.
---------------------------------------------------------------------------
The committee's responsibilities should include:
Analyzing the organization's regulatory environment, the
legal requirements with which it must comply,\140\ and specific risk
areas;
---------------------------------------------------------------------------
\140\ This includes, but is not limited to, the civil False
Claims Act, 31 U.S.C. 3729-3733; the criminal false claims statutes,
18 U.S.C. 287, 1001; the fraud and abuse provisions of the Balanced
Budget Act of 1997, Pub. L. 105-33; the Health Insurance Portability
and Accountability Act of 1996, Pub. L. 104-191; and compliance with
the Medicare supplier standards, 42 CFR 424.57.
---------------------------------------------------------------------------
Assessing existing policies and procedures that address
these risk areas for possible incorporation into the compliance
program;
Working with appropriate DMEPOS supplier departments to
develop standards of conduct and policies and procedures that promote
allegiance to the DMEPOS supplier's compliance program;
Recommending and monitoring, in conjunction with the
relevant departments, the development of internal systems and controls
to carry out the organization's standards, policies, and procedures as
part of its daily operations; \141\
---------------------------------------------------------------------------
\141\ With respect to national DMEPOS supplier chains, this may
include fostering coordination and communication between those
employees responsible for compliance at headquarters and those
responsible for compliance at the individual supplier branches.
---------------------------------------------------------------------------
Determining the appropriate strategy/approach to promote
compliance with the program and detection of any potential violations,
such as through hotlines and other fraud reporting mechanisms;
Developing a system to solicit, evaluate, and respond to
complaints and problems; and
Monitoring internal and external audits and investigations
for the purpose of identifying troublesome issues and deficient areas
experienced by the DMEPOS supplier, and implementing corrective and
preventive action.
The committee may also address other functions as the compliance
concept becomes part of the overall DMEPOS supplier's operating
structure and daily routine.
C. Conducting Effective Training and Education
1. Initial Training in Compliance. The proper education and
training of corporate officers, managers, employees and the continual
retraining of current personnel at all levels, are significant elements
of an effective compliance program. In order to ensure the appropriate
information is being disseminated to the correct individuals, the
training should be separated into sessions. All employees should attend
the general session on compliance, employees whose job primarily
focuses on submission of claims for reimbursement should receive
additional training on this subject, and employees who are involved in
sales and marketing should receive additional training on this subject.
a. General Sessions. As part of their compliance programs, DMEPOS
suppliers should require all affected personnel to attend training on
an annual basis, including appropriate training in Federal and State
statutes, regulations and guidelines, the policies of private payors,
and training in corporate ethics. The general training sessions should
emphasize the DMEPOS
[[Page 4449]]
supplier's commitment to compliance with these legal requirements and
policies.
These training programs should include sessions highlighting the
DMEPOS supplier's compliance program, summarizing fraud and abuse laws
and regulations, Federal, State and private payor health care program
requirements, claim submission procedures and marketing practices that
reflect current legal and program standards. The DMEPOS supplier must
take steps to communicate effectively its standards and procedures to
all affected employees, physicians, independent contractors and other
significant agents, e.g., by requiring participation in training
programs and disseminating publications that explain specific
requirements in a practical manner.\142\ Managers of specific
departments can assist in identifying areas that require training and
in carrying out such training.\143\ Training instructors may come from
outside or inside the organization. New employees should be targeted
for training early in their employment.\144\
---------------------------------------------------------------------------
\142\ Publications such as Special Fraud Alerts, audit and
inspection reports, and advisory opinions, as well as the annual OIG
work plan, are readily available from the OIG and could be the basis
for standards, educational courses and programs.
\143\ Significant variations in functions and responsibilities
of different departments may create the need for training materials
that are tailored to the compliance concerns associated with
particular operations and duties.
\144\ Certain positions, such as those involving developing and
submitting claims, as well as sales and marketing, create a greater
organizational legal exposure, and therefore require specialized
training. DMEPOS suppliers should fill such positions with
individuals who have the appropriate educational background,
training, experience, and credentials.
---------------------------------------------------------------------------
As part of the initial training, the standards of conduct should be
distributed to all employees.\145\ At the end of this training session,
every employee, as well as physicians, independent contractors, and
other significant agents, should be required to sign and date a
statement that reflects their knowledge of and commitment to the
standards of conduct. This attestation should be retained in the
employee's personnel file. For physicians, independent contractors, and
other significant agents, the attestation should become part of the
contract and remain in the file that contains such documentation.
---------------------------------------------------------------------------
\145\ Where the DMEPOS supplier has a culturally diverse
employee base, the standards of conduct should be translated into
other languages and written at appropriate reading levels.
---------------------------------------------------------------------------
Further, to assist in ensuring that employees continuously meet the
expected high standards of conduct, any employee handbook delineating
or expanding upon these standards should be regularly updated as
applicable statutes, regulations and Federal health care program
requirements are modified.\146\ DMEPOS suppliers should provide an
additional attestation in the modified standards that stipulates the
employee's knowledge of and commitment to the modifications.
---------------------------------------------------------------------------
\146\ The OIG recognizes that not all standards, policies and
procedures need to be communicated to all employees. However, the
OIG believes that the bulk of the standards that relate to complying
with fraud and abuse laws and other ethical areas should be
addressed and made part of all employees' training. The DMEPOS
supplier should determine what additional training to provide
categories of employees based upon their job responsibilities.
---------------------------------------------------------------------------
b. Claim Development and Billing Training. In addition to specific
training in the risk areas identified in section II.A.2, above, primary
training to appropriate corporate officers, managers and other claim
development and billing staff should include such topics as:
Specific Government and private payor reimbursement
principles; \147\
---------------------------------------------------------------------------
\147\ Government, in this context, includes the appropriate
Medicare DMERC(s).
---------------------------------------------------------------------------
Providing DMEPOS items or services without proper
authorization;
Proper documentation of services rendered, including the
correct application of official ICD-9 and HCPCs coding rules and
guidelines;
Improper alterations to documentation (e.g., patient
records, CMNs);
Compliance with the Federal, State and privator payor
supplier standards;
Signing a form for a physician without the physician's
authorization; and
Duty to report misconduct.
Clarifying and emphasizing these areas of concern through
training and educational programs are particularly relevant to a DMEPOS
supplier's billing and coding personnel, in that the pressure to meet
business goals may render employees vulnerable to engaging in
prohibited practices.
c. Sales and Marketing Training. In addition to specific training
in the risk areas identified in section II.A.2, above, primary training
to sales and marketing personnel should include such topics as:
General prohibition on paying or receiving renumeration to
induce referrals;
Routine waiver of deductibles and/or coinsurance;
Disguising referral fees as salaries;
Offering free items or services to induce referrals;
High pressure marketing of non-covered or unnecessary
services;
Improper patient solicitation; and
Duty to report misconduct.
Clarifying and emphasizing these areas of concern through training
and educational programs are particularly relevant to a DMEPOS
supplier's sales and marketing personnel, in that the pressure to meet
business goals may render employees vulnerable to engaging in
prohibited practices.
2. Format of the Training Program. The OIG suggests that all
relevant levels of personnel be made part of various educational and
training programs of the DMEPOS supplier. 148 Employees
should be required to have a minimum number of educational hours per
year, as appropriate, as part of their employment responsibilities.
149 For example, as discussed above, employees involved in
billing functions should be required to attend periodic training in
applicable reimbursement coverage and documentation of records.
150
---------------------------------------------------------------------------
\148\ In addition, where feasible, the OIG recommends that a
DMEPOS supplier afford outside contractors and its physician clients
that opportunity to participate in the DMEPOS supplier's compliance
training and educational programs, or develop their own programs
that complement the DMEPOS supplier's standards of conduct,
compliance requirements and other rules and practices.
\149\Currently, the OIG is monitoring a significant number of
corporate integrity agreements that require many of these training
elements. The OIG usually requires a minimum of one to three hours
annually for basic training in compliance areas. Additional training
is required for specialty fields such as billing, coding, sales and
marketing.
\150\ Appropriate coding and billing depends upon the quality
and completeness of documentation. Therefore, the OIG believes that
the DMEPOS supplier must foster an environment where interactive
communication is encouraged.
---------------------------------------------------------------------------
A variety of teaching methods, such as interactive training and
training in several different languages, particularly where a DMEPOS
supplier has a culturally diverse staff, should be implemented so that
all affected employees are knowledgeable about the DMEPOS supplier's
standards of conduct and procedures for alerting senior management to
problems and concerns. 151 Targeted training should be
provided to corporate officers, managers and other employees whose
actions affect the accuracy of the claims submitted to the Government,
such as employees involved in the coding, billing, sales, and marketing
processes. All training materials should be designed to take into
account the skills, knowledge and experience of the individual
trainees. Given the complexity and interdependent relationships of many
departments, it is
[[Page 4450]]
important for the compliance officer to supervise and coordinate the
training program.
---------------------------------------------------------------------------
\151\ Post training tests can be used to assess the success of
training provided and employee comprehension of the DMEPOS
supplier's policies and procedures.
---------------------------------------------------------------------------
The OIG recommends that attendance and participation in training
programs be made a condition of continued employment and that failure
to comply with training requirements should result in disciplinary
action, including possible termination, when such failure is serious.
Adherence to the provisions of the compliance program, such as training
requirements, should be a factor in the annual evaluation of each
employee. The DMEPOS supplier should retain adequate records of its
training of employees, including attendance logs and material
distributed at training sessions.
3. Continuing Education on Compliance Issues. It is essential that
compliance issues remain at the forefront of the DMEPOS supplier's
priorities. The OIG recommends that DMEPOS supplier compliance programs
address the need for periodic professional education courses for DMEPOS
supplier personnel. In particular, the DMEPOS supplier should ensure
that coding personnel receive annual professional training on the
updated codes for the current year and have knowledge of the SADMERC's
HCPCs coding helpline. 152
---------------------------------------------------------------------------
\152\ See note 93.
---------------------------------------------------------------------------
In order to maintain a sense of seriousness about compliance in a
DMEPOS supplier's operations, the DMEPOS supplier must continue to
disseminate the compliance message. One effective mechanism for
maintaining a consistent presence of the compliance message is to
publish a monthly newsletter to address compliance concerns. This would
allow the DMEPOS supplier to address specific examples of problems the
company encountered during its ongoing audits and risk analyses, while
reinforcing the DMEPOS supplier's firm commitment to the general
principles of compliance and ethical conduct. The newsletter could also
include the risk areas published by the OIG in its Special Fraud
Alerts. Finally, the DMEPOS supplier could use the newsletter as a
mechanism to address areas of ambiguity in the coding and billing
process and/or its sales and marketing practices. The DMEPOS supplier
should maintain its newsletters in a central location to document the
guidance offered, and provide new employees with access to guidance
previously provided.
D. Developing Effective Lines of Communication
1. Access to the Compliance Officer. An open line of communication
between the compliance officer and DMEPOS supplier employees is equally
important to the successful implementation of a compliance program and
the reduction of any potential for fraud, abuse and waste. Written
confidentiality and non-retaliation policies should be developed and
distributed to all employees to encourage communication and the
reporting of incidents of potential fraud. 153 The
compliance committee should also develop several independent reporting
paths for an employee to report fraud, waste or abuse so that such
reports cannot be diverted by supervisors or other personnel.
---------------------------------------------------------------------------
\153\ The OIG believes that whistleblowers should be protected
against retaliation, a concept embodied in the provisions of the
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees
sue their employers under the False Claims Act's qui tam provisions
out of frustration because of the company's failure to take action
when a questionable, fraudulent, or abusive situation was brought to
the attention of senior corporate officials.
---------------------------------------------------------------------------
The OIG encourages the establishment of a procedure for personnel
to seek clarification from the compliance officer or members of the
compliance committee in the event of any confusion or question
regarding a DMEPOS supplier policy, practice, or procedure. Questions
and responses should be documented and dated and, if appropriate,
shared with other staff so that standards, policies, practices, and
procedures can be updated and improved to reflect any necessary changes
or clarifications. The compliance officer may want to solicit employee
input in developing these communication and reporting systems.
2. Hotlines and Other Forms of Communication. The OIG encourages
the use of hotlines, 154 e-mails, written memoranda,
newsletters, suggestion boxes and other forms of information exchange
to maintain these open lines of communication. 155 If the
DMEPOS supplier establishes a hotline, the telephone number should be
made readily available to all employees and independent contractors,
possibly by circulating the number on wallet cards or conspicuously
posting the telephone number in common work areas. 156
Employees should be permitted to report matters on an anonymous basis.
157 Matters reported through the hotline or other
communication sources that suggest substantial violations of compliance
policies, Federal, State or private payor health care program
requirements, regulations, or statutes should be documented and
investigated promptly to determine their veracity. A log should be
maintained by the compliance officer that records such calls, including
the nature of any investigation and its results. 158 Such
information should be included in reports to the owner(s), governing
body, the CEO, president, and compliance committee. 159
Further, while the DMEPOS supplier should always strive to maintain the
confidentiality of an employee's identity, it should also explicitly
communicate that there may be a point where the individual's identity
may become known or may have to be revealed.
---------------------------------------------------------------------------
\154\ The OIG recognizes that it may not be financially feasible
for a smaller DMEPOS supplier to maintain a telephone hotline
dedicated to receiving calls solely on compliance issues. These
companies may want to explore alternative methods, e.g., outsourcing
the hotline or establishing a written method of confidential
disclosure.
\155\ In addition to methods of communication used by current
employees, an effective employee exit interview program could be
designed to solicit information from departing employees regarding
potential misconduct and suspected violations of DMEPOS supplier
policies and procedures.
\156\ DMEPOS suppliers should also post in a prominent,
available area the HHS-OIG Hotline telephone number, 1-800-447-8477
(1-800-HHS-TIPS), in addition to any company hotline number that may
be posted.
\157\ The OIG recognizes that guaranteeing anonymity may be
infeasible for small DMEPOS suppliers. In such instances, we
recommend DMEPOS employees need not fear retribution when reporting
a portential violation.
\158\ To efficiently and accurately fulfill such an obligation,
the DMEPOS supplier should create an intake form for all compliance
issues identified through reporting mechanisms. The form could
include information concerning the date that the potential problem
was reported, the internal investigative methods utilized, the
results of the investigation, any corrective action implemented, any
disciplinary measures imposed, and any overpayments returned.
\159\ Information obtained over the hotline may provide valuable
insight into management practices and operations, whether reported
problems are actual or perceived.
---------------------------------------------------------------------------
The OIG recognizes that assertions of fraud and abuse by employees
who may have participated in illegal conduct or committed other
malfeasance raise numerous complex legal and management issues that
should be examined on a case-by-case basis. The compliance officer
should work closely with legal counsel, who can provide guidance
regarding such issues.
E. Enforcing Standards Through Well-Publicized Disciplinary Guidelines
1. Discipline Policy and Actions. An effective compliance program
should include guidance regarding disciplinary action for corporate
officers, managers, employees, and other health care professionals who
have failed to comply with the DMEPOS supplier's standards
[[Page 4451]]
of conduct, policies and procedures, Federal and State statutes, rules,
and regulations or Federal, State or private payor health care program
requirements. It should also address disciplinary actions for those who
have engaged in wrongdoing, which has the potential to impair the
DMEPOS supplier's status as a reliable, honest, and trustworthy health
care provider.
The OIG believes that the compliance program should include a
written policy statement setting forth the degrees of disciplinary
actions that may be imposed upon corporate officers, managers,
employees, and other health care professionals for failing to comply
with the DMEPOS supplier's standards, policies, and applicable statutes
and regulations. Intentional or reckless noncompliance should subject
transgressors to significant sanctions. Such sanctions could range from
oral warnings to suspension, termination, or financial penalties, as
appropriate. Each situation must be considered on a case-by-case basis
to determine the appropriate sanction. The written standards of conduct
should elaborate on the procedures for handling disciplinary problems
and those who will be responsible for taking appropriate action. Some
disciplinary actions can be handled by managers, while others may have
to be resolved by the owner(s), president or CEO. Disciplinary action
may be appropriate where a responsible employee's failure to detect a
violation is attributable to his or her negligence or reckless conduct.
Personnel should be advised by the DMEPOS supplier that disciplinary
action will be taken on a fair and equitable basis. Managers and
supervisors should be made aware that they have a responsibility to
discipline employees in an appropriate and consistent manner.
It is vital to publish and disseminate the range of disciplinary
standards for improper conduct and to educate corporate officers,
managers, and other DMEPOS supplier employees regarding these
standards. The consequences of noncompliance should be consistently
applied and enforced, in order for the disciplinary policy to have the
required deterrent effect. All levels of employees should be subject to
the same types of disciplinary action for the commission of similar
offenses. The commitment to compliance applies to all personnel levels
within a DMEPOS supplier. The OIG believes that corporate officers,
managers, supervisors, and health care professionals should be held
accountable for failing to comply with, or for the foreseeable failure
of their subordinates to adhere to, the applicable standards, statutes,
rules, regulations and procedures.
2. New Employee Policy. For all new employees who have
discretionary authority to make decisions that may involve compliance
with the law or compliance oversight, DMEPOS suppliers should conduct a
reasonable and prudent background investigation, including a reference
check,160 as part of every such employment application. The
application should specifically require the applicant to disclose any
criminal conviction, as defined by 42 U.S.C. 1320a-7(i), or exclusion
action. In accordance with the compliance program, DMEPOS supplier
policies should prohibit the employment of individuals who have been
recently convicted of a criminal offense related to health care or who
are listed as debarred, excluded, or otherwise ineligible for
participation in Federal health care programs (as defined in 42 U.S.C.
1320a-7b(f)).161 In addition, pending the resolution of any
criminal charges or proposed debarment or exclusion, the OIG recommends
that such individuals should be removed from direct responsibility for,
or involvement with, the DMEPOS supplier's business operations related
to any Federal health care program. In addition, we recommend the
DMEPOS supplier remove such individual from any position(s) for which
the individual's salary or the items or services rendered, ordered, or
prescribed by the individual are paid in whole or part, directly or
indirectly, by Federal health care programs or otherwise with Federal
funds.162 Similarly, with regard to current employees or
independent contractors, if resolution of the matter results in
conviction, debarment, or exclusion, then the DMEPOS supplier should
remove the individual from direct responsibility for or involvement
with all Federal health care programs.
---------------------------------------------------------------------------
\160\ See notes 132-135. Since the employees of DMEPOS suppliers
have access to potentially vulnerable people and their property,
DMEPOS suppliers should also strictly scrutinize whether it should
employ individuals who have been convicted of crimes of neglect,
violence or financial misconduct.
\161\ Likewise, DMEPOS supplier compliance programs should
establish standards prohibiting the execution of contracts with
companies that have been recently convicted of a criminal offense
related to health care or that are listed by a federal agency as
debarred, excluded, or otherwise ineligible for participation in
Federal health care programs. See notes 133 and 134.
\162\ Prospective employees who have been officially reinstated
into the Medicare and Medicaid programs by the OIG may be considered
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------
F. Auditing and Monitoring
An ongoing evaluation process is critical to a successful
compliance program. The OIG believes that an effective program should
incorporate thorough monitoring of its implementation and regular
reporting to the DMEPOS supplier's corporate officers.163
Compliance reports created by this ongoing monitoring, including
reports of suspected noncompliance, should be maintained by the
compliance officer and shared with the DMEPOS supplier's corporate
officers and the compliance committee. The extent and frequency of the
audit function may vary depending on factors such as the size of the
DMEPOS supplier, the resources available to the DMEPOS supplier, the
DMEPOS supplier's prior history of noncompliance, and the risk factors
that are prevalent in a particular DMEPOS supplier.
---------------------------------------------------------------------------
\163\ Even when a DMEPOS supplier is owned by a larger corporate
entity, the regular auditing and monitoring of the compliance
activities of an individual DMEPOS supplier must be a key feature in
any annual review. Appropriate reports on audit findings should be
periodically provided and explained to a parent organization's
senior staff and officers.
---------------------------------------------------------------------------
Although many monitoring techniques are available, one effective
tool to promote and ensure compliance is the performance of regular,
periodic compliance audits by internal or external auditors who have
expertise in Federal and State health care statutes, rules,
regulations, and Federal, State and private payor health care program
requirements. The audits should focus on the different DMEPOS
supplier's departments, including external relationships with third-
party contractors, specifically those with substantive exposure to
Government enforcement actions. At a minimum, these audits should be
designed to address the DMEPOS supplier's compliance with laws
governing kickback arrangements, the physician self-referral
prohibition, pricing, contracts, claim development and submission,
reimbursement, sales and marketing. In addition, the audits and reviews
should examine the DMEPOS supplier's compliance with the Federal, State
and private payor supplier standards and the specific rules and
policies that have been the focus of particular attention on the part
of the Medicare DMERCs, and law enforcement, as evidenced by
educational and other communications from OIG Special Fraud Alerts,
advisory opinions, OIG audits and evaluations,
[[Page 4452]]
and law enforcement's initiatives.164 In addition, the
DMEPOS supplier should focus on any areas of specific concern
identified within that DMEPOS supplier and those that may have been
identified by any entity, whether Federal, State, private or internal.
---------------------------------------------------------------------------
\164\ See also section II.A.2.
---------------------------------------------------------------------------
Monitoring techniques may include sampling protocols that permit
the compliance officer to identify and review variations from an
established baseline.165 Significant variations from the
baseline should trigger a reasonable inquiry to determine the cause of
the deviation. If the inquiry determines that the deviation occurred
for legitimate, explainable reasons, the compliance officer and DMEPOS
supplier management may want to limit any corrective action or take no
action. If it is determined that the deviation was caused by improper
procedures, misunderstanding of rules, including fraud and systemic
problems, the DMEPOS supplier should take prompt steps to correct the
problem.166 Any overpayments discovered as a result of such
deviations should be returned promptly to the affected payor, with the
following information: (1) That the refund is being made pursuant to a
voluntary compliance program; (2) a description of the complete causes
and circumstances surrounding the overpayment; (3) the methodology by
which the overpayment was determined; (4) the amount of the
overpayment; and (5) any claim-specific information, reviewed as part
of the self-audit, used to determine the overpayment (e.g., beneficiary
health insurance claims number, claim number, date of service, and
payment date).
---------------------------------------------------------------------------
\165\ The OIG recommends that when a compliance program is
established in a DMEPOS supplier, the compliance officer, with the
assistance of department managers, should take a ``snapshot'' of
operations from a compliance perspective. This assessment can be
undertaken by outside consultants, law or accounting firms, or
internal staff, with authoritative knowledge of health care
compliance requirements. This ``snapshot,'' often used as part of
benchmarking analyses, becomes a baseline for the compliance officer
and other managers to judge the DMEPOS supplier's progress in
reducing or eliminating potential areas of vulnerability.
\166\ In addition, when appropriate, as referenced in section
G.2, below, reports of fraud or systemic problems should also be
made to the appropriate governmental authority.
---------------------------------------------------------------------------
An effective compliance program should also incorporate periodic
(at least annual) reviews of whether the program's compliance elements
have been satisfied, e.g., whether there has been appropriate
dissemination of the program's standards, training, ongoing educational
programs, and disciplinary actions, among other elements.167
This process will verify actual conformance by all departments with the
compliance program and may identify the necessity for improvements to
be made to the compliance program, as well as the DMEPOS supplier's
operations. Such reviews could support a determination that appropriate
records have been created and maintained to document the implementation
of an effective program.168 However, when monitoring
discloses that deviations were not detected in a timely manner due to
program deficiencies, appropriate modifications must be implemented.
Such evaluations, when developed with the support of management, can
help ensure compliance with the DMEPOS supplier's policies and
procedures.
---------------------------------------------------------------------------
\167\ One way to assess the knowledge, awareness, and
perceptions of the DMEPOS supplier's employees is through the use of
a validated survey instrument (e.g., employee questionnaires,
interviews, or focus groups).
\168\ Such records should include, but not be limited to, logs
of hotline calls, logs of training attendees, training agenda and
materials, and summaries of corrective action and improvements with
respect to DMEPOS supplier policies as a result of compliance
activities.
---------------------------------------------------------------------------
As part of the review process, the compliance officer or reviewers
should consider techniques such as:
Testing billing staff on their knowledge of reimbursement
coverage criteria and official coding guidelines (e.g., present
hypothetical scenarios of situations experienced in daily practice and
assess responses);
On-site visits to all facilities and locations;
Ongoing risk analysis and vulnerability assessments of the
DMEPOS supplier's operations;
Assessment of existing relationships with physicians, and
other potential referral sources;
Unannounced audits, mock surveys, and investigations;
Examination of DMEPOS supplier complaint logs;
Checking personnel records to determine whether any
individuals who have been reprimanded for compliance issues in the past
are among those currently engaged in improper conduct;
Interviews with personnel involved in management,
operations, sales and marketing, claim development and submission, and
other related activities;
Questionnaires developed to solicit impressions of the
DMEPOS supplier's employees;
Interviews with physicians or other authorized persons who
order services provided by the DMEPOS supplier;
Interviews with independent contractors who provide
services to the DMEPOS supplier;
Reviews of medical necessity documentation (e.g.,
physicians orders, CMNs), and other documents that support claims for
reimbursement;
Validation of qualifications of physicians or other
authorized persons who order services provided by the DMEPOS supplier;
Evaluation of written materials and documentation
outlining the DMEPOS supplier's policies and procedures; and
Utilization/trend analyses that uncover deviations,
positive or negative, for specific HCPCs codes or types of items over a
given period.
The reviewers should:
Possess the qualifications and experience necessary to
adequately identify potential issues with the subject matter to be
reviewed;
Be objective and independent of line management;
169
---------------------------------------------------------------------------
\169\ The OIG recognizes that DMEPOS suppliers that are small in
size and have limited resources may not be able to use internal
reviewers who are not part of line management or hire outside
reviewers.
---------------------------------------------------------------------------
Have access to existing audit and health care resources,
relevant personnel, and all relevant areas of operation;
Present written evaluative reports on compliance
activities to the owner(s), president, CEO, governing body, and members
of the compliance committee on a regular basis, but not less than
annually; and
Specifically identify areas where corrective actions are
needed.
We recommend these audit reports be prepared and submitted to the
compliance officer and senior management to ensure they are aware of
the results. We suggest the reports specifically identify areas where
corrective actions are needed. With these reports, DMEPOS supplier
management can take whatever steps are necessary to correct past
problems and prevent them from recurring. In certain cases, subsequent
reviews or studies would be advisable to ensure that the recommended
corrective actions have been implemented successfully.
The DMEPOS supplier should document its efforts to comply with
applicable Federal and State statutes, rules, and regulations, and
Federal, State and private payor health care program requirements. For
example, where a DMEPOS supplier, in its efforts to comply with a
particular statute, regulation or program requirement, requests advice
from a Government agency (including a Medicare DMERC) charged with
administering a Federal health care program, the DMEPOS supplier should
document and retain a record of the request and any written or
[[Page 4453]]
oral response, including the identity and position of the individual
providing the response. DMEPOS suppliers should take the same steps
when requesting advice from private payors. This step is extremely
important if the DMEPOS supplier intends to rely on that response to
guide it in future decisions, actions, or claim reimbursement requests
or appeals. A log of oral inquiries between the DMEPOS supplier and
third parties will help the organization document its attempts at
compliance. In addition, the DMEPOS supplier should maintain records
relevant to the issue of whether its reliance was ``reasonable'' and
whether it exercised due diligence in developing procedures and
practices to implement the advice.
G. Responding to Detected Offenses and Developing Corrective Action
Initiatives
1. Violations and Investigations. Violations of a DMEPOS supplier's
compliance program, failures to comply with applicable Federal or State
statutes, rules, regulations or Federal, State or private payor health
care program requirements, and other types of misconduct threaten a
DMEPOS supplier's status as a reliable, honest and trustworthy health
care provider. Detected but uncorrected misconduct can seriously
endanger the mission, reputation, and legal status of the DMEPOS
supplier. Consequently, upon reports or reasonable indications of
suspected noncompliance, it is important that the compliance officer or
other management officials immediately investigate the conduct in
question to determine whether a material violation of applicable law,
rules or program instructions or the requirements of the compliance
program has occurred, and if so, take decisive steps to correct the
problem.170 As appropriate, such steps may include an
immediate referral to criminal and/or civil law enforcement
authorities, a corrective action plan,171 a report to the
Government,172 and the return of any overpayments, if
applicable.
---------------------------------------------------------------------------
\170\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a
health care program is not solely determinative of whether or not
the conduct should be investigated and reported to governmental
authorities. In fact, there may be instances where there is no
readily identifiable monetary loss at all, but corrective action and
reporting are still necessary to protect the integrity of the
applicable program and its beneficiaries.
\171\ Advice from the DMEPOS supplier's in-house counsel or an
outside law firm may be sought to determine the extent of the DMEPOS
supplier's liability and to plan the appropriate course of action.
\172\ The OIG currently maintains a provider self-disclosure
protocol that encourages providers to report suspected fraud. The
concept of voluntary self-disclosure is premised on a recognition
that the Government alone cannot protect the integrity of the
Medicare and other Federal health care programs. Health care
providers must be willing to police themselves, correct underlying
problems, and work with the Government to resolve these matters. The
self-disclosure protocol can be located on the OIG's web site at:
http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------
Where potential fraud or False Claims Act liability is not
involved, the OIG recommends that the DMEPOS supplier promptly return
overpayments to the affected payor as they are discovered. However,
even if the overpayment detection and return process is working and is
being monitored by the DMEPOS supplier, the OIG still believes that the
compliance officer needs to be made aware of these overpayments,
violations, or deviations that may reveal trends or patterns indicative
of a systemic problem.
Depending upon the nature of the alleged violations, an internal
investigation will probably include interviews and a review of relevant
documents, such as submitted claims and CMNs. Some DMEPOS suppliers
should consider engaging outside auditors or health care experts to
assist in an investigation. Records of the investigation should contain
documentation of the alleged violation, a description of the
investigative process (including the objectivity of the investigators
and methodologies utilized), copies of interview notes and key
documents, a log of the witnesses interviewed and the documents
reviewed, the results of the investigation, e.g., any disciplinary
action taken, and any corrective action implemented. Although any
action taken as the result of an investigation will necessarily vary
depending upon the DMEPOS supplier and the situation, DMEPOS suppliers
should strive for some consistency by utilizing sound practices and
disciplinary protocols.173 Further, after a reasonable
period, the compliance officer should review the circumstances that
formed the basis for the investigation to determine whether similar
problems have been uncovered or modifications of the compliance program
are necessary to prevent and detect other inappropriate conduct or
violations.
---------------------------------------------------------------------------
\173\ The parameters of a claim review subject to an internal
investigation will depend on the circumstances surrounding the
issue(s) identified. By limiting the scope of an internal audit to
current billing, a DMEPOS supplier may fail to identify major
problems and deficiencies in operations, as well as be subject to
certain liability.
---------------------------------------------------------------------------
If an investigation of an alleged violation is undertaken and the
compliance officer believes the integrity of the investigation may be
at stake because of the presence of employees under investigation,
those subjects should be removed from their current work activity until
the investigation is completed (unless an internal or Government-led
undercover operation known to the DMEPOS supplier is in effect). In
addition, the compliance officer should take appropriate steps to
secure or prevent the destruction of documents or other evidence
relevant to the investigation. If the DMEPOS supplier determines
disciplinary action is warranted, it should be prompt and imposed in
accordance with the DMEPOS supplier's written standards of disciplinary
action.
2. Reporting. If the compliance officer, compliance committee or
other management official discovers credible evidence of misconduct
from any source and, after a reasonable inquiry, has reason to believe
that the misconduct may violate criminal, civil, or administrative law,
then the DMEPOS supplier should promptly report the existence of
misconduct to the appropriate Federal and State authorities
174 within a reasonable period, but not more than sixty (60)
days 175 after determining that there is credible evidence
of a violation.176 Prompt reporting will demonstrate the
DMEPOS supplier's good faith and willingness to work with governmental
authorities to correct and remedy the problem. In addition, reporting
such conduct will be considered a mitigating
[[Page 4454]]
factor by the OIG in determining administrative sanctions (e.g.,
penalties, assessments and exclusion), if the reporting provider
becomes the target of an OIG investigation.177
---------------------------------------------------------------------------
\174\ Appropriate Federal and State authorities include the
Office of Inspector General, Department of Health and Human
Services; the Criminal and Civil Divisions of the Department of
Justice; the U.S. Attorney in the relevant district(s); and the
other investigative arms for the agencies administering the affected
Federal or State health care programs, such as: the State Medicaid
Fraud Control Unit; the Defense Criminal Investigative Service; the
Department of Veterans Affairs; the Office of Inspector General,
U.S. Department of Labor (which has primary criminal jurisdiction
over FECA, Black Lung and Longshore programs); and the Office of
Inspector General, U.S. Office of Personnel Management (which has
primary jurisdiction over the Federal Employee Health Benefits
Program).
\175\ In contrast, to qualify for the ``not less than double
damages'' provision of the False Claims Act, the report must be
provided to the Government within thirty (30) days after the date
when the DMEPOS supplier first obtained the information. See 31
U.S.C. 3729(a).
\176\ The OIG believes that some violations may be so serious
that they warrant immediate notification to governmental
authorities, prior to, or simultaneous with, commencing an internal
investigation, e.g., if the conduct: (1) is a clear violation of
criminal law; (2) has a significant adverse effect on the quality of
care provided to program beneficiaries (in addition to any other
legal obligations regarding quality of care); or (3) indicates
evidence of a systemic failure to comply with applicable laws, rules
or program instructions or an existing corporate integrity
agreement, regardless of the financial impact on Federal health care
programs.
\177\ The OIG has published criteria setting forth those factors
that the OIG takes into consideration in determining whether it is
appropriate to exclude a health care provider from program
participation pursuant to 42 U.S.C. 1320a-7(b)(7) for violations of
various fraud and abuse laws. See 62 FR 67392 (December 24, 1997).
---------------------------------------------------------------------------
When reporting misconduct to the Government, a DMEPOS supplier
should provide all evidence relevant to the alleged violation of
applicable Federal or State law(s) and potential cost impact. The
compliance officer, if applicable, with advice of counsel, and with
guidance from the governmental authorities, could be requested to
continue to investigate the reported violation. Once the investigation
is completed, the compliance officer should be required to notify the
appropriate governmental authority of the outcome of the investigation,
including a description of the impact of the alleged violation on the
operation of the applicable health care programs or their
beneficiaries. If the investigation ultimately reveals that criminal,
civil, or administrative violations have occurred, the appropriate
Federal and State authorities 178 should be notified
immediately.
---------------------------------------------------------------------------
\178\ See note 174.
---------------------------------------------------------------------------
3. Corrective Actions. As previously stated, the DMEPOS supplier
should take appropriate corrective action, including prompt
identification of any overpayment to the affected payor and the
imposition of proper disciplinary action. If potential fraud or
violations of the False Claims Act are involved, any repayment of the
overpayment should be made as part of the discussion with the
Government following a report of the matter to law enforcement
authorities. Otherwise, the overpayment should be promptly refunded to
the affected payor. The refund should also include the information as
outlined in section II.F. Failure to disclose overpayments within a
reasonable period of time could be interpreted as an intentional
attempt to conceal the overpayment from the Government, thereby
establishing an independent basis for a criminal violation with respect
to the DMEPOS supplier, as well as any individuals who may have been
involved. For this reason, DMEPOS supplier compliance programs should
emphasize that overpayments obtained from Medicare or other Federal
health care programs should be promptly disclosed and returned to the
payor that made the erroneous payment.
III. Conclusion
Through this document, the OIG has attempted to provide a
foundation to the process necessary to develop an effective and cost-
efficient DMEPOS supplier compliance program. As previously stated,
however, each program must be tailored to fit the needs and resources
of an individual DMEPOS supplier, depending upon its size; number of
locations; type of equipment provided; or corporate structure. The
Federal and State health care statutes, rules, and regulations and
Federal, State and private payor health care program requirements,
should be integrated into every DMEPOS supplier's compliance program.
The OIG recognizes that the health care industry in this country,
which reaches millions of beneficiaries and expends about a trillion
dollars annually, is constantly evolving. In particular, legislation
has been passed that creates additional Medicare program participation
requirements, such as requiring DMEPOS suppliers to purchase surety
bonds and expanding the Medicare supplier standards.179 As
stated throughout this guidance, compliance is a dynamic process that
helps to ensure DMEPOS suppliers and other health care providers are
better able to fulfill their commitment to ethical behavior, as well as
meet the changes and challenges being imposed upon them by Congress and
private insurers. Ultimately, it is OIG's hope that a voluntarily
created compliance program will enable DMEPOS suppliers to meet their
goals, improve the quality of service to patients, and substantially
reduce fraud, waste, and abuse, as well as the cost of health care, to
Federal, State and private health insurers.
---------------------------------------------------------------------------
\179\ See 63 FR 2926 (January 20, 1998).
Dated: January 22, 1999.
Michael Mangano,
Principal Deputy Inspector General.
[FR Doc. 99-2055 Filed 1-27-99; 8:45 am]
BILLING CODE: 4150-04-P