[Federal Register Volume 64, Number 18 (Thursday, January 28, 1999)]
[Notices]
[Pages 4435-4454]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-2055]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General


Draft Compliance Guidance for the Durable Medical Equipment, 
Prosthetics, Orthotics and Supply Industry

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice and comment period.

-----------------------------------------------------------------------

SUMMARY: This Federal Register notice seeks the comments of interested 
parties

[[Page 4436]]

on draft compliance program guidance developed by the Office of 
Inspector General for the durable medical equipment, prosthetics, 
orthotics and supplier (DMEPOS) industry. Through this notice, the OIG 
is setting forth (1) its general views on the value and fundamental 
principles of DMEPOS suppliers' compliance programs, and (2) the 
specific elements that each DMEPOS supplier should consider when 
developing and implementing an effective compliance program. This 
document presents basic procedural and structural guidance for 
designing a compliance program, that is, a set of guidelines to be 
considered by a DMEPOS supplier interested in implementing a compliance 
program.

DATES: To assure consideration, comments must be delivered to the 
address provided below by no later than 5 p.m. on March 1, 1999.

ADDRESSES: Please mail or deliver written comments to the following 
address: Office of Inspector General, Department of Health and Human 
Services, Attention: OIG-3N-CPG, Room 5246, Cohen Building, 330 
Independence Avenue, S.W., Washington, D.C. 20201.
    We do not accept comments by facsimile (FAX) transmission. In 
commenting, please refer to the file code OIG-3N-CPG. Comments received 
timely will be available for public inspection as they are received, 
generally beginning approximately 3 weeks after publication of a 
document, in Room 5541 of the Office of Inspector General at 330 
Independence Avenue, S.W., Washington, D.C. 20201 on Monday through 
Friday of each week from 8 a.m. to 4:30 p.m.

FOR FURTHER INFORMATION CONTACT: Christine Saxonis, Office of Counsel 
to the Inspector General, (202) 619-2078.

SUPPLEMENTARY INFORMATION:

A. Background

    The creation of compliance program guidance has become a major 
initiative of the OIG in its efforts to engage the private health care 
community in addressing and fighting fraud and abuse. Recently, the OIG 
has developed and issued compliance program guidance directed at 
various segments of the health care industry in the following areas:
     Clinical laboratories (62 FR 9435; March 3, 1997, as 
amended in 63 FR 45076; August 24, 1998),
     Hospitals (63 FR 8987; February 23, 1998),
     Home health agencies (63 FR 42410; August 7, 1998), and
     Third party medical billing companies (63 FR 70138; 
December 18, 1998).
    The guidance can also be found on the OIG web site at http://
www.dhhs.gov/progorg/oig. The guidance is designed to provide clear 
direction and assistance to specific sections of the health care 
industry that are interested in reducing and eliminating fraud and 
abuse within their organizations.
    In an effort to formalize the process by which the OIG obtains 
public input on the guidances, on August 7, 1998, the OIG published a 
solicitation notice seeking information and recommendations for 
developing guidance for the DMEPOS industry (63 FR 42409). In response 
to that solicitation notice, the OIG received a number of comments from 
various parts of the industry and their representatives. We have 
carefully considered previous OIG publications, such as the Special 
Fraud Alerts and the recent findings and recommendations in reports 
issued by the OIG's Office of Audit Services and Office of Evaluation 
and Inspections, as well as the experience of past and recent fraud 
investigations conducted by the OIG's Office of Investigations and the 
Department of Justice. We have also consulted with the Health Care 
Financing Administration and the durable medical equipment regional 
carriers.

B. Elements Addressed in This Guidance

    This draft of DMEPOS guidance contains the following 7 elements 
that the OIG has determined are fundamental to an effective compliance 
program:
     Implementing written policies, procedures and standards of 
conduct;
     Designating a compliance officer and compliance committee;
     Conducting effective training and education;
     Developing effective lines of communication;
     Enforcing standards through well-publicized disciplinary 
guidelines;
     Conducting internal monitoring and auditing; and
     Responding promptly to detected offenses and developing 
corrective action.
    These elements are contained in the other guidances issued by the 
OIG. As is the case with the other guidances, the contents of the 
guidance should not be viewed as mandatory for providers or as an 
exclusive discussion of the advisable elements of a compliance program.
    In an effort to ensure that all parties have an opportunity to 
provide input into the OIG's guidance, we are publishing this latest 
guidance in draft form, and welcome any comments from interested 
parties regarding this guidance, particularly with respect to the 
section concerning written policies and procedures. We will consider 
all comments received in a timely manner, incorporate any 
recommendations as appropriate, and prepare and publish a final version 
of the DMEPOS guidance later this year.

C. Draft Compliance Program Guidance for the DMEPO Industry

I. Introduction

    The Office of Inspector General (OIG) of the Department of Health 
and Human Services (HHS) continues in its efforts to promote 
voluntarily developed and implemented compliance programs for the 
health care industry. The following compliance program guidance is 
intended to assist suppliers 1 of durable medical 
equipment,2 prosthetics,3 orthotics,4 
and supplies 5 (DMEPOS) and their agents and subcontractors 
(referred to collectively in this document as ``DMEPOS suppliers'') 
develop effective internal controls that promote adherence to 
applicable Federal and State law, and the program requirements of 
Federal, State and private health plans. The adoption and 
implementation of voluntary compliance programs significantly advance 
the prevention of fraud, abuse, and waste in these health care plans 
while at the same time further the fundamental mission of all DMEPOS 
suppliers, which is to provide quality items, service, and care to 
patients.
---------------------------------------------------------------------------

    \1\ The term ``supplier'' is defined in this document as an 
entity or individual, including a physician or Part A provider, 
which sells or rents Part B covered items. See 42 CFR 424.57(a).
    \2\ The term ``durable medical equipment'' is applied in this 
document as defined in 42 U.S.C. 1395x(n).
    \3\ The term ``prosthetics'' and ``prosthetic devices'' are 
applied in this document as defined in 42 U.S.C. 1395 x (s)(9) and 
(s)(8), respectively.
    \4\ The term ``orthotics'' is applied in this document as 
defined in 42 U.S.C. 1395x(s)(9).
    \5\ The term ``supplies'' includes home dialysis supplies and 
equipment as described in 42 U.S.C. 1395x(s)(2)(f); surgical 
dressings and other devices as described in 42 U.S.C. 1395x(s)(5); 
immunosuppressive drugs as described in 42 U.S.C. 1395x(s)(2)(J); 
and any other items or services designated by the Health Care 
Financing Administration (HCFA).
---------------------------------------------------------------------------

    Within this document, the OIG first provides its general views on 
the value and fundamental principles of DMEPOS suppliers' compliance 
programs, and then provides the specific elements that each DMEPOS 
supplier should consider when developing and implementing an

[[Page 4437]]

effective compliance program. While this document presents basic 
procedural and structural guidance for designing a compliance program, 
it is not in itself a compliance program. Rather, it is a set of 
guidelines to be considered by a DMEPOS supplier interested in 
implementing a compliance program.
    The OIG recognizes the size-differential that exists between 
operations of the different DMEPOS suppliers and organizations that 
compose the DMEPOS supplier industry. Appropriately, this guidance is 
pertinent for all DMEPOS suppliers, regardless of size (in terms of 
employees and gross revenue); number of locations; type of equipment 
provided; or corporate structure. The applicability of the 
recommendations and guidelines provided in this document depends on the 
circumstances of each individual DMEPOS supplier. However, regardless 
of a DMEPOS supplier's size or structure, the OIG believes that every 
DMEPOS supplier can and should strive to accomplish the objectives and 
principles underlying all of the compliance policies and procedures 
recommended within this guidance.
    Fundamentally, compliance efforts are designed to establish a 
culture within a DMEPOS supplier that promotes prevention, detection, 
and resolution of instances of conduct that do not conform to Federal 
and State law, and Federal, State and private payor health care program 
requirements, as well as the DMEPOS supplier's ethical and business 
policies. In practice, the compliance program should effectively 
articulate and demonstrate the DMEPOS supplier's commitment to ethical 
conduct. Benchmarks that demonstrate implementation and achievements 
are essential to any effective compliance program. Eventually, a 
compliance program should become part of the fabric of routine DMEPOS 
supplier operations.
    Specifically, compliance programs guide a DMEPOS supplier's 
owner(s), governing body (e.g., board of directors or trustees), chief 
executive officer (CEO), president, vice presidents, managers, sales 
representatives, billing personnel, and other employees in the 
efficient management and operation of a DMEPOS supplier. They are 
especially critical as an internal quality assurance control in the 
reimbursement and payment areas, where claims and billing operations 
are often the source of fraud and abuse, and therefore, historically 
have been the focus of Government regulation, scrutiny, and sanctions.
    It is incumbent upon a DMEPOS supplier's owner(s), corporate 
officers, and managers to provide ethical leadership to the 
organization and to assure that adequate systems are in place to 
facilitate ethical and legal conduct. Employees, managers, and the 
Government will focus on the words and actions of a DMEPOS supplier's 
leadership as a measure of the organization's commitment to compliance. 
Indeed, many DMEPOS suppliers have adopted mission statements 
articulating their commitment to high ethical standards. A formal 
compliance program, as an additional element in this process, offers a 
DMEPOS supplier a further concrete method that may improve quality of 
service and reduce waste. Compliance programs also provide a central 
coordinating mechanism for furnishing and disseminating information and 
guidance on applicable Federal and State statutes, regulations, and 
Federal, State and private health care program requirements.
    Implementing an effective compliance program requires a substantial 
commitment of time, energy, and resources by senior management and the 
DMEPOS supplier's governing body.6 Superficial programs that 
simply have the appearance of compliance without being wholeheartedly 
adopted and implemented by the DMEPOS supplier or programs that are 
hastily constructed and implemented without appropriate ongoing 
monitoring will likely be ineffective and could expose the DMEPOS 
supplier to greater liability than no program at all. Although it may 
require significant additional resources or reallocation of existing 
resources to implement an effective compliance program, the long term 
benefits of implementing the program significantly outweigh the costs. 
Undertaking a voluntary compliance program is a beneficial investment 
that advances both the DMEPOS supplier's organization and the stability 
and solvency of the Medicare program.
---------------------------------------------------------------------------

    \6\ Recent case law suggests that the failure of a corporate 
Director to attempt in good faith to institute a compliance program 
in certain situations may be a breach of a Director's fiduciary 
obligation. See, e.g., In re Caremark International Inc. Derivative 
Litigation, 698 A.2d 959 (Ct. Chanc. Del. 1996).
---------------------------------------------------------------------------

A. Benefits of a Compliance Program
    The OIG believes an effective compliance program provides a 
mechanism that brings the public and private sectors together to reach 
mutual goals of reducing fraud and abuse, improving operational 
quality, improving the quality of health care services and reducing the 
cost of health care. Attaining these goals provides positive results to 
the DMEPOS supplier, the Government and individual citizens alike. In 
addition to fulfilling its legal duty to ensure that it is not 
submitting false or inaccurate claims to Government and private payors, 
a DMEPOS supplier may gain numerous additional benefits by voluntarily 
implementing an effective compliance program. These benefits may 
include:
     The formulation of effective internal controls to assure 
compliance with Federal and State statutes, rules, and regulations, and 
Federal, State and private payor health care program requirements, and 
internal guidelines;
     A concrete demonstration to employees and the community at 
large of the DMEPOS supplier's strong commitment to honest and 
responsible corporate conduct;
     The ability to obtain an accurate assessment of employee 
and contractor behavior relating to fraud and abuse;
     An increased likelihood of identification and prevention 
of criminal and unethical conduct;
     The ability to more quickly and accurately react to 
employees' operational compliance concerns and the capability to 
effectively target resources to address those concerns;
     Improvement of the quality, efficiency, and consistency of 
providing services;
     Increased efficiency on the part of employees;
     A centralized source for distributing information on 
health care statutes, regulations, policies, and other program 
directives regarding fraud and abuse and related issues;
     Improved internal communication;
     A methodology that encourages employees to report 
potential problems;
     Procedures that allow the prompt, thorough investigation 
of alleged misconduct by corporate officers, managers, sales 
representatives, employees, independent contractors, consultants, 
clinicians, and other health care professionals;
     Initiation of immediate, appropriate, and decisive 
corrective action;
     Early detection and reporting, minimizing the loss to the 
Government from false claims, and thereby reducing the DMEPOS 
supplier's exposure to civil damages and penalties, criminal sanctions, 
and administrative remedies, such as program exclusion; 7 
and
---------------------------------------------------------------------------

    \7\ The OIG, for example, will consider the existence of an 
effective compliance program that pre-dated any governmental 
investigation when addressing the appropriateness of administrative 
sanctions. However, the burden is on the DMEPOS supplier to 
demonstrate the operational effectiveness of a compliance program. 
Further, the False Claims Act, 31 U.S.C. 3729-3733, provides that a 
person who has violated the Act, but who voluntarily discloses the 
violation to the Government within 30 days of detection, in certain 
circumstances will be subject to not less than double, as opposed to 
treble, damages. See 31 U.S.C. 3729(a). Thus, the ability to react 
quickly when violations of the law are discovered may materially 
help reduce the DMEPOS supplier's liability.

---------------------------------------------------------------------------

[[Page 4438]]

     Enhancement of the structure of the DMEPOS supplier's 
operations and the consistency between: any related entities of the 
DMEPOS supplier; different departments within the DMEPOS supplier; the 
DMEPOS supplier's different locations; and the DMEPOS supplier's 
separate business units (e.g., franchises, subsidiaries).
    Overall, the OIG believes that an effective compliance program is a 
sound investment on the part of a DMEPOS supplier.
    The OIG recognizes that the implementation of a compliance program 
may not entirely eliminate fraud, abuse, and waste from the DMEPOS 
supplier system. However, a sincere effort by DMEPOS suppliers to 
comply with applicable Federal and State statutes, rules, and 
regulations and Federal, State and private payor health care program 
requirements, through the establishment of an effective compliance 
program, significantly reduces the risk of unlawful or improper 
conduct.
B. Application of Compliance Program Guidance
    Given the diversity within the industry, there is no single 
``best'' DMEPOS supplier compliance program. 8 The OIG 
understands the variances and complexities within the DMEPOS supplier 
industry and is sensitive to the differences among large national and 
regional DMEPOS supplier organizations, and small independent DMEPOS 
suppliers. However, elements of this guidance can be used by all DMEPOS 
suppliers, regardless of size (in terms of employees and gross 
revenue); number of locations; type of equipment provided; or corporate 
structure, to establish an effective compliance program. Similarly, a 
DMEPOS supplier or corporation that owns a DMEPOS supplier or provides 
DMEPOS supplies may incorporate these elements into its system-wide 
compliance or managerial structure. 9 We recognize that some 
DMEPOS suppliers may not be able to adopt certain elements to the same 
comprehensive degree that others with more extensive resources may 
achieve. This guidance represents the OIG's suggestions on how a DMEPOS 
supplier can best establish internal controls and monitor its conduct 
to correct and prevent fraudulent activities. By no means should the 
contents of this guidance be viewed as an exclusive discussion of the 
advisable elements of a compliance program. On the contrary, the OIG 
strongly encourages DMEPOS suppliers to develop and implement 
compliance elements that uniquely address the individual DMEPOS 
supplier's risk areas.
---------------------------------------------------------------------------

    \8\ This is particularly true in the context of DMEPOS 
suppliers, which include many small independent DMEPOS suppliers 
with limited financial resources and staff, as well as large DMEPOS 
supplier chains with extensive financial resources and staff.
    \9\ For Medicare, this would include any individual or entity 
that meets the supplier standards as described in 42 CFR 424.57 and 
has a National Supplier Clearinghouse Number.
---------------------------------------------------------------------------

    The OIG believes that input and support by individuals and 
organizations that will utilize the tools set forth in this document is 
critical to the development and success of this compliance program 
guidance. In a continuing effort to collaborate closely with the 
private sector, the OIG placed a notice in the Federal Register 
soliciting recommendations and suggestions on what should be included 
in this compliance program guidance. 10 Further, we 
considered previous OIG publications, such as Special Fraud Alerts, 
advisory opinions, 11 the findings and recommendations in 
reports issued by OIG's Office of Audit Services and Office of 
Evaluation and Inspections, as well as the experience of past and 
recent fraud investigations related to DMEPOS suppliers conducted by 
OIG's Office of Investigations and the Department of Justice.
---------------------------------------------------------------------------

    \10\ See 63 FR 42409 (August 7, 1998), Notice for Solicitation 
of Information and Recommendations for Developing OIG Compliance 
Program Guidance for the Durable Medical Equipment Industry.
    \11\ The OIG periodically issues advisory opinions responding to 
specific inquiries from members of the public and Special Fraud 
Alerts setting forth activities that raise legal and enforcement 
issues. Special Fraud Alerts and Advisory Opinions, as well as the 
regulations governing issuance of advisory opinions can be obtained 
on the Internet at: http://www.dhhs.gov/progorg/oig, in the Federal 
Register, or by contacting the OIG's Public Information Desk at 
(202) 619-1142.
---------------------------------------------------------------------------

    As appropriate, this guidance may be modified and expanded as more 
information and knowledge is obtained by the OIG, and as changes in the 
statutes, rules, regulations, policies, and procedures of the Federal, 
State and private health plans occur. The OIG understands DMEPOS 
suppliers will need adequate time to react to these modifications and 
expansions and to make any necessary changes to their voluntary 
compliance programs. New compliance practices may eventually be 
incorporated into this guidance if the OIG discovers significant 
enhancements to better ensure an effective compliance program.
    The OIG recognizes that the development and implementation of 
compliance programs in DMEPOS suppliers often raise sensitive and 
complex legal and managerial issues. 12 However, the OIG 
wishes to offer what it believes is critical guidance for providers who 
are sincerely attempting to comply with the relevant health care 
statutes and regulations.
---------------------------------------------------------------------------

    \12\ Nothing stated within this document should be substituted 
for, or used in lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------

II. Compliance Program Elements

    The elements proposed by these guidelines are similar to those of 
the other OIG compliance program guidances 13 and the OIG's 
corporate integrity agreements. 14 The OIG believes that 
every DMEPOS supplier can benefit from the principles espoused in this 
guidance, which can be tailored to fit the needs and financial 
realities of a particular DMEPOS supplier.
---------------------------------------------------------------------------

    \13\ See 63 FR 70138 (December 18, 1998) for the Compliance 
Program Guidance for Third Party Medical Billing Companies; 63 FR 
42410 (August 7, 1998) for the Compliance Program Guidance for Home 
Health Agencies; 63 FR 45076 (August 24, 1998) for the Compliance 
Program Guidance for Clinical Laboratories, as revised; 63 FR 8987 
(February 23, 1998) for the Compliance Program Guidance for 
Hospitals. These documents are also located on the Internet at 
http://www.dhhs.gov/progorg/oig.
    \14\ Corporate integrity agreements are executed as part of a 
civil settlement between a health care provider or entity 
responsible for billing on behalf of the provider and the Government 
to resolve a case based on allegations of health care fraud or 
abuse. These OIG-imposed programs are in effect for a period of 
three to five years and require many of the elements included in 
this compliance program guidance.
---------------------------------------------------------------------------

    The OIG believes that every effective compliance program must begin 
with a formal commitment 15 by the DMEPOS supplier's 
governing body to include all of the applicable elements listed below, 
which are based on the seven steps of the Federal Sentencing 
Guidelines. 16 The OIG recognizes full implementation of all 
elements may not be immediately feasible for all DMEPOS suppliers. 
However, as a first step, a good faith and meaningful commitment on the 
part of

[[Page 4439]]

the DMEPOS supplier, especially the owner(s), governing body, 
president, vice presidents, CEO, and managing employees, will 
substantially contribute to the program's successful implementation. As 
the compliance program is implemented, that commitment should cascade 
down through the management to every employee of the DMEPOS supplier.
---------------------------------------------------------------------------

    \15\ A formal commitment may include a resolution by the board 
of directors, owner(s) or president, where applicable. A formal 
commitment should include the allocation of adequate resources to 
ensure that each of the elements is addressed.
    \16\ See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(k). The Federal 
Sentencing Guidelines are detailed policies and practices for the 
Federal criminal justice system that prescribe the appropriate 
sanctions for offenders convicted of Federal crimes.
---------------------------------------------------------------------------

    At a minimum, comprehensive compliance programs should include the 
following seven elements:
    (1) The development and distribution of written standards of 
conduct, as well as written policies and procedures that promote the 
DMEPOS supplier's commitment to compliance (e.g., by including 
adherence to the compliance program as an element in evaluating 
managers and employees) and address specific areas of potential fraud, 
such as claims development and submission processes, completing 
certificates of medical necessity (CMNs), and financial relationships 
with physicians and/or other persons authorized to order DMEPOS;
    (2) The designation of a compliance officer and other appropriate 
bodies, (e.g., a corporate compliance committee), charged with the 
responsibility for operating and monitoring the compliance program, and 
who report directly to the CEO and the governing body; 17
---------------------------------------------------------------------------

    \17\ The integral functions of the compliance officer and the 
corporate compliance committee in implementing an effective 
compliance program are discussed throughout this compliance program 
guidance. However, the OIG recognizes that the differences in the 
sizes and structures of DMEPOS suppliers will result in differences 
in the ways in which compliance programs are set up. The important 
thing is that the DMEPOS supplier structures its compliance program 
in such a way that the program is able to accomplish the key 
functions of the corporate compliance officer and the corporate 
compliance committee discussed within this document.
---------------------------------------------------------------------------

    (3) The development and implementation of regular, effective 
education and training programs for all affected employees; 
18
---------------------------------------------------------------------------

    \18\ Training and education programs for DMEPOS suppliers should 
be detailed and comprehensive. They should cover specific billing 
procedures, sales and marketing practices, as well as the general 
areas of compliance. See section II.C and accompanying notes.
---------------------------------------------------------------------------

    (4) The creation and maintenance of a process, such as a hotline or 
other reporting system, to receive complaints, and the adoption of 
procedures to protect the anonymity of complainants and to protect 
callers from retaliation;
    (5) The development of a system to respond to allegations of 
improper/illegal activities and the enforcement of appropriate 
disciplinary action against employees who have violated internal 
compliance policies, applicable statutes, regulations, or Federal, 
State or private payor health care program requirements; 19
---------------------------------------------------------------------------

    \19\ The term ``Federal health care programs'' is applied in 
this document as defined in 42 U.S.C. 1320a-7b(f), which includes 
any plan or program that provides health benefits, whether directly, 
through insurance, or otherwise, which is funded directly, in whole 
or in part, by the United States Government (i.e., via programs such 
as Medicare, Federal Employees' Compensation Act, Black Lung, or the 
Longshore and Harbor Worker's Compensation Act) or any State health 
plan (e.g., Medicaid, or a program receiving funds from block grants 
for social services or child health services). Also, for the 
purposes of this document, the term ``Federal health care program 
requirements'' refers to the statutes, regulations, rules, 
requirements, directives, and instructions governing Medicare, 
Medicaid, and all other Federal health care programs.
---------------------------------------------------------------------------

    (6) The use of audits and/or other risk evaluation techniques to 
monitor compliance, identify problem areas, and assist in the reduction 
of identified problem areas; 20 and
---------------------------------------------------------------------------

    \20\ For example, spot-checking the work of coding and billing 
personnel periodically should be an element of an effective 
compliance program.
---------------------------------------------------------------------------

    (7) The investigation and remediation of identified systemic 
problems and the development of policies addressing the non-employment 
or retention of sanctioned individuals.
A. Written Policies and Procedures
    Every compliance program should require the development and 
distribution of written compliance policies, standards, and practices 
that identify specific areas of risk and vulnerability to the 
individual DMEPOS supplier. These policies, standards, and practices 
should be developed under the direction and supervision of the 
compliance officer and the compliance committee (if such a committee is 
practicable for the DMEPOS supplier) and, at a minimum, should be 
provided to all individuals who are affected by the particular policy 
at issue, including the DMEPOS supplier's agents and independent 
contractors who may affect billing decisions.21 In addition 
to these general corporate policies, it may be necessary to implement 
individual policies for the different components of the DMEPOS 
supplier.
---------------------------------------------------------------------------

    \21\ According to the Federal Sentencing Guidelines, an 
organization must have established compliance standards and 
procedures to be followed by its employees and other agents in order 
to receive sentencing credit for an ``effective'' compliance 
program. The Federal Sentencing Guidelines define ``agent'' as ``any 
individual, including a director, an officer, an employee, or an 
independent contractor, authorized to act on behalf of the 
organization.'' See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(d).
---------------------------------------------------------------------------

    1. Standards of Conduct. DMEPOS suppliers should develop standards 
of conduct for all affected employees that include a clearly delineated 
commitment to compliance by the DMEPOS supplier's senior 
management,22 including any related entities or affiliated 
providers operating under the DMEPOS supplier's control,23 
and other health care professionals (e.g., nurses, licensed 
pharmacists, physicians, and respiratory therapists). The standards of 
conduct should function in the same fashion as a constitution, i.e., as 
a foundational document that details the fundamental principles, 
values, and framework for action within the DMEPOS supplier. The 
standards should articulate the DMEPOS supplier's commitment to comply 
with all Federal and State statutes, rules, regulations and Federal, 
State and private payor health care program requirements, with an 
emphasis on preventing fraud and abuse. They should explicitly state 
the organization's mission, goals, and ethical principles relative to 
compliance and clearly define the DMEPOS supplier's commitment to 
compliance and its expectations for all DMEPOS supplier owners, 
governing body members, president, vice presidents, corporate officers, 
managers, sales representatives, employees, and, where appropriate, 
independent contractors and other agents. These standards should 
promote integrity, support objectivity, and foster trust. Standards 
should not only address compliance with statutes and regulations, but 
should also set forth broad principles that guide employees in 
conducting business professionally and properly.
---------------------------------------------------------------------------

    \22\ The OIG strongly encourages high-level involvement by the 
DMEPOS supplier's owner(s), governing body, chief executive officer, 
president, vice presidents, as well as other personnel, as 
appropriate, in the development of standards of conduct. Such 
involvement should help communicate a strong and explicit 
organizational commitment to compliance goals and standards.
    \23\ E.g., pharmacies, billing services, and manufacturers.
---------------------------------------------------------------------------

    The standards should be distributed to, and comprehensible by, all 
affected employees (e.g., translated into other languages when 
necessary and written at appropriate reading levels). Further, to 
assist in ensuring that employees continuously meet the expected high 
standards set forth in the standards of conduct, any employee handbook 
delineating or expanding upon these standards should be regularly 
updated as applicable statutes, regulations, and Federal, State and 
private payor health care program requirements are modified and/or 
clarified.24
---------------------------------------------------------------------------

    \24\ The OIG recognizes that not all statutes, rules, 
regulations, standards, policies, and procedures need to be 
communicated to all employees. However, the OIG believes that the 
bulk of the standards that relate to complying with fraud and abuse 
laws and other ethical areas should be addressed and made part of 
all affected employees' training. The DMEPOS supplier must decide 
whether additional educational programs should be targeted to 
specific categories of employees based on job functions and areas of 
responsibility.

---------------------------------------------------------------------------

[[Page 4440]]

    When employees first begin working for the DMEPOS supplier, and 
each time new standards of conduct are issued, the OIG suggests 
employees be asked to sign a statement certifying that they have 
received, read, and understood the standards of conduct. The employee's 
certification should be retained by the DMEPOS supplier in the 
employee's personnel file, and available for review by the compliance 
officer.
    2. Written Policies for Risk Areas. As part of its commitment to 
compliance, DMEPOS suppliers should establish a comprehensive set of 
written policies and procedures that take into consideration the 
particular statutes, rules, regulations and program instructions 
applicable to each function of the DMEPOS supplier.25 In 
contrast to the standards of conduct, which are designed to be a clear 
and concise collection of fundamental standards, the written policies 
should articulate specific procedures personnel should follow.
---------------------------------------------------------------------------

    \25\ A DMEPOS supplier can conduct focus groups composed of 
managers from various departments to solicit their concerns and 
ideas about compliance risks that may be incorporated into the 
DMEPOS supplier's policies and procedures. Such employee 
participation in the development of the DMEPOS supplier's compliance 
program can enhance its credibility and foster employee acceptance 
of the program.
---------------------------------------------------------------------------

    Consequently, we recommend that the individual policies and 
procedures be coordinated with the appropriate training and educational 
programs with an emphasis on areas of special concern that have been 
identified by the OIG.26 Some of the special areas of OIG 
concern include: 27
---------------------------------------------------------------------------

    \26\ DMEPOS supplier compliance programs should require that the 
legal staff, compliance officer, or other appropriate personnel 
carefully consider any and all Special Fraud Alerts and advisory 
opinions issued by the OIG that relate to DMEPOS suppliers. See note 
11. Moreover, the compliance programs should address the 
ramifications of failing to cease and correct any conduct criticized 
in such a Special Fraud Alert or advisory opinion, if applicable to 
DMEPOS suppliers, or to take reasonable action to prevent such 
conduct from reoccurring in the future. If appropriate, a DMEPOS 
supplier should take the steps described in section G regarding 
investigations, reporting, and correction of identified problems.
    \27\ The OIG's work plan is currently available on the Internet 
at: http://www.dhhs.gov/progorg/oig. The OIG Work Plan details the 
various projects of the Office of Audit Services, Office of 
Evaluation and Inspections, Office of Investigations, and Office of 
Counsel to the Inspector General that are planned to be addressed 
during each Fiscal Year.
---------------------------------------------------------------------------

     Billing for items or services not provided; 28
---------------------------------------------------------------------------

    \28\ Billing for items or services not provided involves 
submitting a claim representing the DMEPOS supplier provided an item 
or service or part of an item or service that the patient did not 
receive.
---------------------------------------------------------------------------

     Billing for medically unnecessary services; 29
---------------------------------------------------------------------------

    \29\ Billing for medically unnecessary services involves seeking 
reimbursement for a service that is not warranted by the patient's 
current and documented medical condition. See 42 U.S.C. 
1395y(a)(1)(A) (``no payment may be made under part A or part B [of 
Medicare] for any expenses incurred for items or services which . . 
. are not reasonable and necessary for the diagnosis or treatment of 
illness or injury or to improve the functioning of the malformed 
body member''). Upon submission of a HCFA claim form (whether paper 
or electronic), a DMEPOS supplier certifies that the services 
provided and billed were medically necessary for the health of the 
beneficiary, and were provided in accordance with orders by the 
beneficiary's treating physician or other authorized person. In 
limited instances, HCFA does allow DMEPOS suppliers to submit claims 
when the DMEPOS supplier believes the item or service may be denied. 
Such instances include, but are not limited to: when a beneficiary 
has signed a written notice (see Medicare Carriers Manual, section 
7300.5) (See also section II.A.3.i for further discussion on written 
notices); and when the beneficiary requests the DMEPOS supplier to 
submit the claim (see Medicare Carriers Manual, section 3043). In 
the first instance, the DMEPOS supplier should include modifier 
``GA'' on the claim, which indicates the beneficiary has signed a 
written notice. In the latter instance, the DMEPOS supplier should 
use modifier ``ZY.'' Civil monetary penalties and administrative 
sanctions may be imposed against any person who submits a claim for 
services ``that [the] person knows or should know are not medically 
necessary.'' See 42 U.S.C. 1320a-7a(a). Remedies may also be 
available under criminal and civil law, including the False Claims 
Act. See discussion in section II.A.3.a and accompanying notes.
---------------------------------------------------------------------------

     Duplicate billing; 30
---------------------------------------------------------------------------

    \30\ Duplicate billing occurs when more than one claim for 
payment is submitted for the same patient, for the same service, for 
the same date of service (by the same or different DMEPOS 
suppliers), or the same claim is submitted to more than one primary 
payor. Although duplicate billing can occur due to simple error, 
fraudulent duplicate billing is evidenced by systematic or repeated 
double billing, and creates liability under criminal, civil, or 
administrative law, particularly if any overpayment is not promptly 
refunded.
---------------------------------------------------------------------------

     Billing for items or services not ordered; 31
---------------------------------------------------------------------------

    \31\ Billing for items or services not ordered involves seeking 
reimbursement for services provided but not ordered by the treating 
physician or other authorized person.
---------------------------------------------------------------------------

     Using a billing agent whose compensation is based on the 
dollar amounts billed or based on the actual collection of payment; 
32
---------------------------------------------------------------------------

    \32\ DMEPOS supplier billing agents may only receive payment 
based on a fixed fee, and not based upon a percentage of revenue. 
See 42 U.S.C. 1395u(b)(6); 42 CFR 424.73; Medicare Carriers Manual, 
section 3060; 3060.10.
---------------------------------------------------------------------------

     Upcoding; 33
---------------------------------------------------------------------------

    \33\ Upcoding involves selecting a code to maximize 
reimbursement when such a code is not the most appropriate 
descriptor of the service (e.g., billing for a more expensive piece 
of equipment when a less expensive piece of equipment is provided).
---------------------------------------------------------------------------

     Billing patients for denied charges without a signed 
written notice; 34
---------------------------------------------------------------------------

    \34\ This includes, but is not limited to, billing the patient 
for items or services denied by the payor on assigned claims, where 
there has been no written notice signed by the patient, the written 
notice has been inappropriately obtained or the written notice was 
drafted inappropriately. See Medicare Carrier Manual, section 
7300.5A, regarding the requirements for written notice.
---------------------------------------------------------------------------

     Unbundling items or supplies; 35
---------------------------------------------------------------------------

    \35\ Unbundling items or supplies involves billing for 
individual components when a specific HCPCs code provides for the 
components to be billed as a unit (e.g., providing a wheelchair and 
billing the individual parts of the wheelchair, rather than the 
wheelchair as a whole).
---------------------------------------------------------------------------

     Billing for new equipment and providing used equipment; 
36
---------------------------------------------------------------------------

    \36\ The DMEPOS supplier must indicate on the Medicare claim 
form, through the use of modifiers, whether the item provided is new 
or used. The modifier for providing new equipment is ``NU.'' The 
modifier for providing used equipment is ``UE.'' A knowing failure 
to correctly document the item provided would constitute falsifying 
information on the claim form and would constitute a violation of 
the False Claims Act. See 31 U.S.C. 3729.
---------------------------------------------------------------------------

     Continuing to bill for rental items after they are no 
longer medically necessary; 37
---------------------------------------------------------------------------

    \37\ Once a rental item is no longer medically necessary, the 
DMEPOS supplier is required to discontinue billing the payor for it. 
In addition, the OIG recommends the DMEPOS supplier pick up such 
equipment from the patient in a timely manner.
---------------------------------------------------------------------------

     Resubmission of denied claims with different and incorrect 
information in an attempt to be reimbursed; 38
---------------------------------------------------------------------------

    \38\ This practice involves the DMEPOS supplier improperly 
changing information on a previously denied claim and continuing to 
resubmit the claim in an attempt to receive payment.
---------------------------------------------------------------------------

     Refusing to submit a claim to Medicare; 39
---------------------------------------------------------------------------

    \39\ This practice involves a DMEPOS supplier not submitting a 
claim to the Medicare program on behalf of the beneficiary. 
Irrespective of whether or not a DMEPOS supplier accepts assignment, 
it is obligated to submit the claim on behalf of the beneficiary. 
See 42 U.S.C 1395w-4(g)(4).
---------------------------------------------------------------------------

     Inadequate management and oversight of contracted 
services, which results in improper billing; 40
---------------------------------------------------------------------------

    \40\ DMEPOS suppliers should create internal mechanisms to 
ensure that the use of contractors does not lead to improper billing 
practices.
---------------------------------------------------------------------------

    Charge limitations; 41
---------------------------------------------------------------------------

    \41\ DMEPOS suppliers should ensure their billing personnel are 
informed of the different payment rules of all Federal, State, and 
private health care programs they bill. DMEPOS suppliers should be 
aware that billing for items or services furnished substantially in 
excess of the DMEPOS supplier's usual charges may result in 
exclusion. See 42 U.S.C. 320a-7(b)(6)(A). See also OIG Ad. Op. 98-8 
(1998) regarding this issue.
---------------------------------------------------------------------------

     Providing and/or billing substantially excessive amounts 
of DMEPOS items or supplies; 42
---------------------------------------------------------------------------

    \42\ This practice, which constitutes overutilization, involves 
providing and/or billing for substantially more items or supplies 
than are reasonable and necesssary for the needs of each individual 
patient. Such practices may lead to exclusion from Federal health 
care programs. See 42 U.S.C. 1320a-7(b)(6)(B).

---------------------------------------------------------------------------

[[Page 4441]]

     Providing and/or billing for an item or service that does 
not meet the quality and standard of the DMEPOS item claimed (e.g., 
item provided is in violation of Food and Drug Administration (FDA) 
regulations and standards); 43
---------------------------------------------------------------------------

    \43\ This practice involves providing and/or billing for an item 
or service that does not meet the definition and/or requirement of 
the item or service ordered by the treating physician or other 
authorized person. Generally, such items are inferior in quality, 
and therefore, do not meet the definition of what was ordered and/or 
billed. Sometimes this may mean that products were never determined 
to be safe and effective by the FDA, as required by law. This 
practice may lead to billing for items that are not reasonable and 
necessary. DMEPOS suppliers should ensure that the items or services 
they furnish meet professionally recognized minimum standards of 
health care.
---------------------------------------------------------------------------

     Capped rentals; 44
---------------------------------------------------------------------------

    \44\ See discussion in section II.A.3.k and accompanying notes.
---------------------------------------------------------------------------

     Failure to monitor medical necessity on an on-going basis; 
45
---------------------------------------------------------------------------

    \45\ In order for a patient to continue to receive items or 
supplies (e.g., rental equipments, supplies for an on-going 
condition), the patient must meet the medical necessity criteria for 
that specific item or supply on an on-going basis. The items or 
supplies furnished by the DMEPOS supplier should be replaced or 
adjusted, in a timely manner, to reflect changes in the patient's 
condition.
---------------------------------------------------------------------------

     Dispensing certain items or supplies prior to receiving a 
physician's order and/or appropriate CMN; 46
---------------------------------------------------------------------------

    \46\ This practice involves the DMEPOS supplier dispensing to 
the patient, and/or billing the payor for, items or supplies that 
have not yet been ordered by the treating physician or other 
authorized person. Medicare requires written physician orders for 
certain items before dispensing. See 42 CFR 410.38.
---------------------------------------------------------------------------

     Falsifying information on the claim form, CMN, and/or 
accompanying documentation; 47
---------------------------------------------------------------------------

    \47\ This practice involves supplying false information to be 
included on the claim form, the CMN, or other accompanying 
documentation. The information reported on these documents should 
accurately reflect the patient's information, including medical 
information, and the items or services ordered by the treating 
physician or other authorized person and provided by the DMEPOS 
supplier.
---------------------------------------------------------------------------

     Completing portions of CMNs reserved for completion only 
by treating physician or other authorized person; 48
---------------------------------------------------------------------------

    \48\ This practice involves not completing the CMN in compliance 
with Medicare regulations (i.e., sections B and D should never be 
completed by the supplier). Instructions for completing the CMN can 
be found on the back of the form. See section 3312 of the Medicare 
Carriers Manual, which provides instructions on how to complete the 
CMN and the civil monetary penalties (CMPs) that may be assessed for 
improper completion of the CMN. See also 42 U.S.C. 1395m(j)(2); 
section II.A.3.c and accompanying notes for further discussion on 
CMNs.
---------------------------------------------------------------------------

     Altering medical records; 49
---------------------------------------------------------------------------

    \49\ This practice involves the DMEPOS supplier falsifying 
information on the medical records to justify reimbursement for an 
item or service.
---------------------------------------------------------------------------

     Manipulating the patient's diagnosis in order to receive 
payment; 50
---------------------------------------------------------------------------

    \50\ This practice involves the DMEPOS supplier incorrectly 
altering the diagnosis in order to receive reimbursement for the 
particular item or service. A DMEPOS supplier should not claim the 
patient has a particular medical condition in order to qualify for 
an item for which he or she would not otherwise qualify.
---------------------------------------------------------------------------

     Failing to maintain medical necessity documentation; 
51
---------------------------------------------------------------------------

    \51\ This practice involves failing to ensure that the medical 
necessity documentation requirements for the item or service billed 
are properly met (e.g., failing to maintain the original physician 
orders or CMNs or failing to ensure that CMNs contain adequate and 
correct information). See section 4105.2 of the Medicare Carriers 
Manual for evidence of medical necessity. See also sections II.A.3.b 
and II.A.3.c regarding physician orders and CMNs, respectively.
---------------------------------------------------------------------------

     Inappropriate use of place of service codes; 52
---------------------------------------------------------------------------

    \52\ This practice involves indicating on the claim form that 
the place of service is a location other than where the service was 
provided. For example, the patient resides in a skilled nursing 
facility (SNF) and the DMEPOS supplier submits a claim with the 
place of service being the patient's home. Provided that the DMEPOS 
items or services are ordered, provided, reasonable and necessary 
given the clinical condition of the patient, the items or services 
may be covered if the beneficiary resides at home. However, such 
items may not be covered if the beneficiary resides in a SNF. See 
Medicare Carriers Manual, section 2100.3 for the definition of a 
beneficiary's home.
---------------------------------------------------------------------------

     Inappropriate use of cover letters; 53
---------------------------------------------------------------------------

    \53\ This practice involves sending the treating physician or 
other authorized person a cover letter attached to the CMN that 
contains information that the physician is supposed to include on 
the CMN or otherwise may lead the physician to order medically 
unnecessary equipment or supplies for the specified patient. Cover 
letters should only be used to describe what is being ordered and 
how it is to be administered. See discussion in section II.A.3.m.
---------------------------------------------------------------------------

     Improper use of ZX modifier; 54
---------------------------------------------------------------------------

    \54\ This practice involves the improper use of the ZX modifier, 
relating to maintaining medical necessity documentation. See 
discussion in section II.A.3.l.
---------------------------------------------------------------------------

     Providing incentives to actual or potential referral 
sources (e.g., physicians, hospitals, patients, etc.) that may violate 
the anti-kickback statute or other similar Federal or State statute or 
regulation; 55
---------------------------------------------------------------------------

    \55\ Examples of arrangements that may run afoul of the anti-
kickback statute include practices in which a DMEPOS supplier pays a 
fee to a physician for each CMN the physician signs, provides free 
gifts to physicians for signing CMNs, and/or provides items or 
services for free or below fair market value to providers or 
beneficiaries of Federal health care programs. See 42 U.S.C. 1320a-
7b(b); 60 FR 40847 (August 10, 1995). See also discussion in section 
II.A.4. and accompanying notes.
---------------------------------------------------------------------------

     Compensation programs that offer incentives for items or 
services ordered and revenue generated; 56
---------------------------------------------------------------------------

    \56\ Compensation programs that offer incentives for items or 
services ordered or the revenue they generate may lead to the 
ordering of medically unnecessary items or supplies and/or the 
``dumping'' of such items or supplies in a facility or in a 
beneficiary's home (e.g., mail order supply companies that continue 
to send the patient supplies when the supplies are no longer 
medically necessary).
---------------------------------------------------------------------------

     Routine waiver of deductibles and coinsurance; 
57
---------------------------------------------------------------------------

    \57\ See discussion in section II.A.3.j and accompanying notes.
---------------------------------------------------------------------------

     Joint ventures between parties, one of whom can refer 
Medicare or Medicaid business to the other; 58
---------------------------------------------------------------------------

    \58\ Equally troubling to the OIG is the proliferation of 
business arrangements that may violate the anti-kickback statute. 
Such arrangements are generally established between those in a 
position to refer business, such as physicians, and those providing 
items or services, such as a DMEPOS supplier, for which a Federal 
health care program pays. Sometimes established as ``joint 
ventures,'' these arrangements may take a variety of forms. The OIG 
currently has a number of investigations and audits underway that 
focus on such areas of concern. The OIG has also issued a Special 
Fraud Alert on Joint Venture Arrangements. This Special Fraud Alert 
can be found at 59 FR 65372 (December 19, 1994) or on the Internet 
at: http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

     Situations where conflict of interest may result due to 
referrals by physicians that own or have compensation arrangements with 
DMEPOS supply companies; 59
---------------------------------------------------------------------------

    \59\ See 42 U.S.C. 1395nn.
---------------------------------------------------------------------------

     Billing for items or services furnished pursuant to a 
prohibited referral under the Stark physician self-referral law; 
60
---------------------------------------------------------------------------

    \60\ Under the Stark physician self-referral law, if a physician 
(or an immediate family member of such physician) has a financial 
relationship with a DMEPOS supplier, the physician may not make a 
referral to the DMEPOS supplier and the DMEPOS supplier may not bill 
for furnishing DMEPOS items or supplies for which payment may be 
made under the Federal health care programs. See 42 U.S.C. 1395nn.
---------------------------------------------------------------------------

     Improper telemarketing practices; 61
---------------------------------------------------------------------------

    \61\ See 42 U.S.C. 1395m(a)(17) or Pub.L. 103-432, section 
132(a) for the prohibition on telemarketing. See also discussion in 
section II.A.5 and accompanying notes.
---------------------------------------------------------------------------

     Improper patient solicitation activities and high-pressure 
marketing of non-covered or unnecessary services; 62
---------------------------------------------------------------------------

    \62\ DMEPOS suppliers should not utilize prohibited or 
inappropriate conduct to carry out their initiatives and activities 
designed to maximize business growth and patient retention. Many 
cases against DMEPOS suppliers have involved the DMEPOS supplier 
giving the beneficiary free gifts such as angora underwear, 
microwaves and air conditioners in exchange for providing and 
billing for unnecessary items. Any marketing information offered by 
DMEPOS suppliers should be clear, correct, non-deceptive, and fully 
informative. See discussion in section II.A.5 and accompanying 
notes.
---------------------------------------------------------------------------

     Co-location of DMEPOS items and supplies with the referral 
source; 63
---------------------------------------------------------------------------

    \63\ In this situation, a physician allows a DMEPOS supplier to 
stock space (space may or may not be rented by the DMEPOS supplier) 
in a physician's office with DMEPOS items and supplies. When such 
items and supplies are dispensed to the patient, Medicare is then 
billed. DEMPOS suppliers should check the policy of the individual 
durable medical equipment regional carrier(s) (DMERC) they bill with 
regard to this arrangement. Although such arrangements are not 
prohibited by a national policy, the OIG believes that such 
arrangements may potentially raise anti-kickback and self-referral 
issues.

---------------------------------------------------------------------------

[[Page 4442]]

     Non-compliance with the Federal, State and private payor 
supplier standards; 64
---------------------------------------------------------------------------

    \64\ See 42 CFR 424.57 for the Medicare supplier standards. 
DMEPOS suppliers may have the appropriate personnel acknowledge they 
have reviewed and will abide by these standards. In addition, DMEPOS 
suppliers should ensure they are meeting individual state and 
private payor supplier standards.
---------------------------------------------------------------------------

     Providing false information on the Medicare DMEPOS 
supplier enrollment form; 65
---------------------------------------------------------------------------

    \65\ Criminal penalties may be imposed against an individual who 
knowingly and willfully makes or causes to be made any false 
statements or representations of a material fact in any application 
for any benefit or payment under a Federal health care program. See 
42 U.S.C. 1320a-7b(a)(1).
---------------------------------------------------------------------------

     Not providing corrected information on the DMEPOS supplier 
enrollment form in a timely manner; 66
---------------------------------------------------------------------------

    \66\ By signing the DMEPOS supplier enrollment application, the 
DMEPOS supplier certifies it will notify the Medicare contractor of 
any changes in its enrollment information within 30 days of the 
effective date of the change.
---------------------------------------------------------------------------

     Misrepresentation of a person's status as an agent or 
representative of Medicare; 67
---------------------------------------------------------------------------

    \67\ It is unlawful for a DMEPOS supplier to represent itself as 
a Medicare representative. See 42 U.S.C. 1320b-10.
---------------------------------------------------------------------------

     Knowing misuse of supplier number, which results in 
improper billing; 68
---------------------------------------------------------------------------

    \68\ This practice may involve, but is not limited to, using 
another DMEPOS supplier's billing number.
---------------------------------------------------------------------------

     Failing to meet individual payor requirements; 
69
---------------------------------------------------------------------------

    \69\ DMEPOS suppliers should be aware of the requirements of any 
payor they bill, especially in those situations where there is a 
primary and secondary payor.
---------------------------------------------------------------------------

     Performing tests on a beneficiary that a DMEPOS supplier 
is not authorized to perform; 70
---------------------------------------------------------------------------

    \70\ E.g., Medicare does not permit DMEPOS suppliers to perform 
oxygen tests (e.g., oximetry tests and arterial blood gas tests) to 
qualify patients for oxygen and oxygen supplies. See section 60-4 of 
the Medicare Coverage Issues Manual. See also discussion in section 
II.A.3.o.
---------------------------------------------------------------------------

     Failing to refund overpayments to a health care program; 
71
---------------------------------------------------------------------------

    \71\ An overpayment is the amount of money the DMEPOS supplier 
has received in excess of the amount due and payable under a health 
care program. Examples of overpayments include, but are not limited 
to, instances where a DMEPOS supplier is: (1) paid twice for the 
same service, for the same beneficiary; or (2) paid for services 
that were provided but not ordered by the treating physician or 
other authorized person. DMEPOS suppliers should institute 
procedures to detect overpayments and to promptly remit such 
overpayments to the affected payor. See 42 U.S.C. 1320a-7b(a)(3), 
which provides criminal penalties for failure to disclose an 
overpayment.
---------------------------------------------------------------------------

     Failing to refund overpayments to patients; 72
---------------------------------------------------------------------------

    \72\ If the patient is also due money when a DMEPOS supplier 
identifies an overpayment to a health care program, the DMEPOS 
supplier should make a prompt refund to the patient. See 42 U.S.C. 
1395m(j)(4) on limitation of patient liability for non-assigned 
claims that are denied due to medical necessity. See also 42 U.S.C. 
1395pp(h) on limitation of patient liability for assigned claims 
that are denied due to medical necessity.
---------------------------------------------------------------------------

     Lack of communication between the DMEPOS supplier, the 
physician, and the patient; 73
---------------------------------------------------------------------------

    \73\ A lack of communication between the DMEPOS supplier, 
physician, and patient may result in the DMEPOS supplier 
inappropriately billing for items or supplies (e.g., supplies for an 
on-going condition or rental equipment that are no longer medically 
necessary).
---------------------------------------------------------------------------

     Lack of communication between different departments within 
the DMEPOS supplier; 74 and
---------------------------------------------------------------------------

    \74\ A lack of communication between the different departments 
of the DMEPOS supplier may result in the DMEPOS supplier filing 
incorrect claims and/or equipment delivery problems.
---------------------------------------------------------------------------

     Employing persons excluded from participation in Federal 
health care programs. 75
---------------------------------------------------------------------------

    \75\ This involves hiring or contracting with individuals or 
entities who have been excluded from participation in Federal health 
care programs or any other Federal prucurement or non-prucurement 
program. See section II.E.2.
---------------------------------------------------------------------------

    A DMEPOS supplier's prior history of noncompliance with applicable 
statutes, regulations, and Federal, State or private health care 
program requirements may indicate additional types of risk areas where 
the DMEPOS supplier may be vulnerable and that may require necessary 
policy measures to be taken to prevent avoidable 
recurrence.76 Additional risk areas should be assessed by 
DMEPOS suppliers and incorporated into the written policies and 
procedures and training elements developed as part of their compliance 
program.
---------------------------------------------------------------------------

    \76\ ``Recurrence of misconduct similar to that which an 
organization has previously committed casts doubt on whether it took 
all reasonable steps to prevent such misconduct'' and is a 
significant factor in the assessment of whether a compliance program 
is effective. See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(k)(iii).
---------------------------------------------------------------------------

    3. Claims Development and Submission. a. Medical Necessity. A 
DMEPOS supplier's compliance program should ensure that services are 
billed only if they were ordered by the treating physician or other 
authorized person, have been provided, are covered, and are reasonable 
and necessary given the clinical condition of the patient.77 
DMEPOS suppliers must keep the treating physician's or other authorized 
person's original signed and dated order or CMN on file for all DMEPOS 
items and services.78 Because the DMEPOS supplier is in a 
unique position to inform its clients who write orders and refer 
patients, the DMEPOS supplier may want to send a written notice to such 
clients concerning the necessary paperwork requirements.
---------------------------------------------------------------------------

    \77\ See note 29.
    \78\ See Medicare Carriers Manual, section 3312. See also 
Medicare Carrier Manual, section 4105.2 regarding what information 
must be included on the physician's order.
---------------------------------------------------------------------------

    As a preliminary matter, the OIG recognizes that physicians and 
other authorized persons must be able to order any items or services 
for the treatment of their patients. However, Medicare and other 
Government and private health care plans will only pay for those 
services otherwise covered that meet the appropriate medical necessity 
standards (e.g., ordered, provided, covered, reasonable, necessary, and 
criteria established by medical review policies). DMEPOS suppliers 
should not knowingly bill for services that do not meet the applicable 
medical necessity standards.79 Upon a payor's request, the 
DMEPOS supplier must be able to provide documentation, such as original 
orders, proof of delivery, completed original certificates of medical 
necessity, written confirmation of verbal orders and any other 
documentation, to support the medical necessity of an item or service 
that the DMEPOS supplier has provided. 80
---------------------------------------------------------------------------

    \79\ See note 29.
    \80\ In order to ensure correct reimbursement, the payor may 
conduct a post-payment audit of the DMEPOS supplier's claims. Such 
audits may require that the DMEPOS supplier submit documentation 
that substantiates that the items or services were ordered by the 
treating physician or other authorized person, provided, covered, 
reasonable and necessary. See 42 CFR 424.5(a)(6).
---------------------------------------------------------------------------

    Although DMEPOS suppliers do not and cannot treat patients or make 
medical necessity determinations, there are steps that a DMEPOS 
supplier can take to help maximize the likelihood that they only bill 
for services that are ordered, provided, covered, reasonable and 
necessary for each individual patient. The OIG recommends that DMEPOS 
supplier personnel understand the coverage and payment criteria of each 
payor they bill. To help aid supplier personnel, the DMEPOS supplier's 
compliance officer may want to create a clear, comprehensive summary of 
the ``medical necessity'' or coverage criteria and applicable rules of 
the various Government and private plans. This summary should be 
disseminated and explained to the appropriate DMEPOS supplier 
personnel.
    We also recommend that DMEPOS suppliers formulate internal control 
mechanisms through their written policies and procedures. Such policies 
and procedures should include periodic claim reviews, both prior and 
subsequent to billing for items and services. Such a procedure will 
verify that patients are receiving and the DMEPOS supplier is billing 
for items and/or services that are ordered,

[[Page 4443]]

provided, covered, reasonable and necessary. DMEPOS suppliers may 
choose to incorporate this claims review function into pre-existing 
quality assurance mechanisms.
    b. Physician Orders. The DMEPOS supplier's written policies and 
procedures should state that the DMEPOS supplier will not bill for an 
item or service unless and until it has been ordered by the treating 
physician or any other authorized person. For all Medicare reimbursed 
DMEPOS items or services, the DMEPOS supplier must receive a written 
order from the patient's physician. When the DMEPOS supplier receives a 
verbal order, the supplier should document the verbal order and must 
have the treating physician confirm it in writing prior to billing.
    The written policies and procedures should also state for items 
requiring a written order prior to delivery, that the order must be 
received by the DMEPOS supplier before it delivers the equipment to the 
patient and before it bills the payor.81
---------------------------------------------------------------------------

    \81\ See 42 CFR 410.38.
---------------------------------------------------------------------------

    c. Certificate of Medical Necessity.82 For some DMEPOS 
items and services, the DMEPOS supplier must receive a signed CMN from 
the treating physician or other authorized person. Currently, CMNs are 
required for Medicare reimbursement for fourteen items.83 
The original CMN must be retained in the DMEPOS supplier's file and be 
available to the DMERCs upon request.84
---------------------------------------------------------------------------

    \82\ As defined in 42 U.S.C. 1395m(j)(2)(B). See also OIG 
Special Fraud Alert regarding Physician Liability for Certifications 
in the Provision of Medical Equipment and Supplies and Home Health 
Services, 64 FR 1813 (January 12, 1999). Special Fraud Alerts are 
also available on the Internet.
    \83\ Items or services requiring CMNs are as follows: Home 
oxygen therapy (HCFA form 484); Hospital beds (HCFA form 841); 
Support surfaces (HCFA form 842); Motorized wheelchairs (HCFA form 
843) (Section C continuation, HCFA form 854); Manual wheelchairs 
(HCFA form 844) (Section C continuation, HCFA form 854); Continuous 
positive airway pressure (CPAP) devices (HCFA form 845); Lymphedema 
pumps (pneumatic compression devices) (HCFA form 846); Osteogenesis 
stimulators (HCFA form 847); Transcutaneous electrical nerve 
stimulators (TENS) (HCFA form 848); Seat lift mechanisms (HCFA form 
849); Power operated vehicles (HCFA form 850); Infusion pumps (HCFA 
form 851); Parenteral nutrition (HCFA form 852); and Enteral 
nutrition (HCFA form 853).
    \84\ See Medicare Carrier Manual, section 3312.
---------------------------------------------------------------------------

    Each CMN has four sections: A, B, C, and D. Section A may be 
completed by the DMEPOS supplier. Section B may not be completed by the 
DMEPOS supplier.85 Section B may only be completed by the 
treating physician, a non-physician clinician involved in the care of 
the patient or a physician employee who is knowledgeable about the 
patient's treatment. If section B was completed by a physician 
employee, the section must be reviewed by the treating physician or 
other person authorized to order such equipment for the patient to 
ensure accuracy. Section C must be completed by the DMEPOS supplier 
prior to the CMN being furnished to the treating physician or other 
authorized person for signature.86 Section D is the 
attestation statement and may only be signed by the treating physician 
or other person authorized to order equipment for the 
patient.87 The written policies and procedures on completing 
CMNs should reflect these standards.
---------------------------------------------------------------------------

    \85\ A supplier who knowingly and willfully completes section B 
of the form is, at a minimum, subject to a civil money penalty up to 
$1,000 for each form or document completed in such manner. See 42 
U.S.C. 1395m(j)(2). That supplier may also face civil or criminal 
liability.
    \86\ A supplier who knowingly and willfully fails to include, in 
section C, the fee schedule amount and the supplier's charge for the 
equipment or supplies being furnished may be subject to a civil 
money penalty up to $1,000 for each form or document so distributed. 
See 42 U.S.C. 1395m(j)(2).
    \87\ Physicians or other authorized persons should only sign 
CMNs in which sections A-C are completed and correct. Signature and 
date stamps are not acceptable. See Medicare Carriers Manual, 
section 3312.
---------------------------------------------------------------------------

    DMEPOS suppliers should take all reasonable steps to ensure that 
each section of the CMN is completed in accordance with the above 
guidelines. The DMEPOS suppliers' written policies and procedures 
should require, at a minimum, that they:
     Do not forward blank CMNs to the treating physician or 
other authorized person for signature;
     Do not complete section B (Medical Necessity) of the CMN;
     Do not include diagnostic information on a cover letter 
(to the treating physician or other authorized person) attached to the 
CMN; 88
---------------------------------------------------------------------------

    \88\ See discussion in section A.II.3.m.
---------------------------------------------------------------------------

     Do not alter or add any information on the CMN after 
receiving the completed and signed CMN from the physician or other 
authorized person; 89
---------------------------------------------------------------------------

    \89\ There have been many investigations centering on DMEPOS 
suppliers who alter information in order to affect their 
reimbursement (e.g., altering diagnosis code, altering HCPCs code of 
service provided).
---------------------------------------------------------------------------

     Do not sign the CMN for the treating physician or other 
authorized person;
     Do not urge physicians or other authorized person to order 
equipment or supplies that exceed what is reasonable and necessary for 
the patient;
     Do not deliver an item that needs pre-authorization prior 
to receiving the physician order and CMN; 90
---------------------------------------------------------------------------

    \90\ See 42 U.S.C. 1395m(a)(11)(B). See also 42 CFR 410.38.
---------------------------------------------------------------------------

     Do not submit a claim for items or services until the CMN 
is properly and correctly completed by the treating physician or other 
authorized person;
     Do maintain the original CMNs in their files;
     Do consult with the treating physician or other authorized 
person who signed the CMN when there is a question on the order;
     Do properly complete sections A and C of the CMN and 
forward the remainder of the CMN to the treating physician or other 
authorized person for his/her review, information, and signature; and
     Only bill for services that the treating physician or 
other authorized person attests in section D are ordered, covered, 
reasonable, and necessary for the patient.
    d. Billing. DMEPOS suppliers should include in their written 
policies and procedures that they will only submit to Medicare or other 
Federal, State or private payor health care plans claims for equipment 
and supplies that are properly completed, accurate, and correctly 
identify the equipment or supplies ordered by the treating physician or 
other authorized person and furnished to the patient. Also, before 
submitting a claim, the DMEPOS supplier should ensure the item or 
service being claimed was provided, covered, reasonable and necessary.
    The written policies and procedures should also clarify that a 
DMEPOS supplier cannot submit bills or receive payment for drugs used 
in conjunction with DMEPOS, unless the DMEPOS supplier is licensed to 
dispense the drug.91
---------------------------------------------------------------------------

    \91\ See Medicare program memoranda B-98-6 and B-98-18.
---------------------------------------------------------------------------

    e. Selection of HCPCs Codes. DMEPOS suppliers' written policies and 
procedures should state that only the HCPCs code that most accurately 
describes the item or service ordered and provided should be billed. 
The OIG views intentional ``upcoding'' (i.e., the selection of a code 
to maximize reimbursement when such a code is not the most appropriate 
descriptor of the service) as raising, among other things, false claims 
issues under the Federal False Claims Act.92 To ensure code 
accuracy, the OIG recommends the DMEPOS supplier include a requirement 
in its policies and procedures that the codes be reviewed (random 
sample or certain codes) by individuals with technical expertise in 
coding before claims containing such codes are submitted to the 
affected payor. If a DMEPOS supplier has questions regarding the 
appropriate

[[Page 4444]]

code to be used, it should contact the Statistical Analysis Durable 
Medical Equipment Carrier's (SADMERC) HCPCS coding help 
line.93
---------------------------------------------------------------------------

    \92\ See 31 U.S.C. 3729, which provides for the imposition of 
penalties of $5,000 to $10,000 per false claim, plus up to three 
times the amount of damages suffered by the Federal Government 
because of the false claim.
    \93\ The phone number for the SADMERC's HCPCS coding help line 
is: (803) 736-6809. The hours of operation are Monday through Friday 
from 9:00 am to 4:00 pm, EST. The SADMERC will aid the DMEPOS 
supplier in choosing the most accurate code for the item or service 
ordered and supplied. However, DMEPOS suppliers should be aware that 
assigning a HCPCs code to an item or service does not necessarily 
guarantee reimbursement.
---------------------------------------------------------------------------

    f. Valid Supplier Numbers. The DMEPOS supplier should ensure that 
appropriate personnel are knowledgeable in (1) completing the HCFA 855S 
supplier application; 94 and (2) complying with the Federal 
requirements of 42 CFR 424.57(e) for updating supplier number 
applications.
---------------------------------------------------------------------------

    \94\ By signing the certification statement of the enrollment 
application, the applicant agrees that he/she has read, understood, 
meets and will continue to meet the supplier standards and will be 
disenrolled from the program if any standards are not met or 
violated.
---------------------------------------------------------------------------

    The written policies and procedures should state that the DMEPOS 
supplier should not bill any other Federal, State or private payor 
health care plan without obtaining the necessary billing numbers and 
that the billing numbers will be used correctly.95
---------------------------------------------------------------------------

    \95\ E.g., if a DMEPOS supplier has more than one location, the 
supplier number of the location that filled the physician's order 
will be used on the claim form.
---------------------------------------------------------------------------

    Prior to applying for a valid supplier number, DMEPOS suppliers 
providing services to Medicare beneficiaries must meet the supplier 
standards.96 DMEPOS suppliers should take all affirmative 
steps to ensure that no claims for Medicare reimbursement are submitted 
prior to the DMEPOS supplier being issued a valid supplier number by 
the National Supplier Clearinghouse. A DMEPOS supplier should not have 
more than one supplier number unless it is appropriate to identify 
subsidiary or regional entities under the supplier's ownership or 
control.97
---------------------------------------------------------------------------

    \96\ See 42 CFR 424.57.
    \97\ See 42 U.S.C. 1395m(j)(1)(D).
---------------------------------------------------------------------------

    g. Mail Order Suppliers. We recommend that any DMEPOS supplier who 
engages in the mail order supply business clearly articulate its 
protocol for this segment of its business in the company's written 
policies and procedures.
    Mail order supplies should only be delivered in accordance with the 
treating physician's or other authorized person's order. Regularly 
shipping supplies without such orders may lead to providing supplies 
substantially in excess of the patient's needs.98 We also 
recommend that the supplier utilize a tracking system so it will be 
able to determine whether or not the patient received the supplies and 
will be able to track the location of an item or supply at any given 
time. In addition, the mail order DMEPOS supplier should maintain an 
accurate inventory list and should not bill for or commit to sending 
items that are not part of its inventory.
---------------------------------------------------------------------------

    \98\ Providing a substantially excessive amount of supplies may, 
for example, constitute grounds for a supplier's exclusion under 42 
U.S.C. 1320a-7(b)(6)(B).
---------------------------------------------------------------------------

    h. Assignment. If a DMEPOS supplier accepts Medicare assignment, 
its written policies and procedures should state that it will not 
charge Medicare beneficiaries more than the amounts allowed under the 
Medicare fee schedule, including coinsurance and deductibles. If the 
beneficiary pays the DMEPOS supplier prior to the DMEPOS supplier 
submitting the claim, the DMEPOS supplier should ensure it is not 
charging the beneficiary more than the coinsurance on the allowed 
amount under the fee schedule. In the event that the DMEPOS supplier 
collects excess payments from a Medicare beneficiary, it should have 
mechanisms in place to promptly refund the overpayment to the 
beneficiary. DMEPOS suppliers should be knowledgeable about the 
Medicare rules and instructions for accepting assignment and receiving 
direct payment from beneficiaries for items or services.
    If a DMEPOS supplier chooses not to accept Medicare assignment, it 
is still responsible for submitting the claim to Medicare on behalf of 
the beneficiary.99
---------------------------------------------------------------------------

    \99\ See 42 U.S.C. 1395w-4(g)(4).
---------------------------------------------------------------------------

    If the DMEPOS supplier chooses to utilize a billing agent, the 
DMEPOS supplier should ensure it is complying with all of the relevant 
statutes and requirements governing such an arrangement.100 
The OIG strongly recommends that the supplier coordinate closely with 
the billing company to establish compliance responsibilities. Once the 
responsibilities have been clearly delineated, they should be 
formalized in the written contract between the DMEPOS supplier and the 
billing agent. The OIG recommends that the contract enumerate those 
functions that are shared responsibilities and those that are the sole 
responsibility of either the billing agent or the DMEPOS supplier.
---------------------------------------------------------------------------

    \100\ See 42 U.S.C. 1395u(b)(6); 42 CFR 424.73; Medicare Carrier 
Manual, section 3060. See also OIG Ad. Op. 98-1 (1998) and OIG Ad. 
Op. 98-4 (1998).
---------------------------------------------------------------------------

    i. Liability Issues. A DMEPOS supplier or Medicare beneficiary is 
not liable for payment on assigned claims where the beneficiary did not 
know, and could not reasonably have been expected to know, that the 
payment for such services would not be made.101 However, 
when the DMEPOS supplier knew, or could have been expected to know, the 
items or services would be denied, the liability for the charges for 
the denied items or services rest with the DMEPOS 
supplier.102
---------------------------------------------------------------------------

    \101\ See 42 U.S.C. 1395pp.
    \102\ Id.
---------------------------------------------------------------------------

    When a DMEPOS supplier knows or has reason to believe that the 
equipment or supplies ordered by the treating physician or other 
authorized person will be denied, the DMEPOS supplier should inform the 
patient prior to furnishing the item or service and ask the patient to 
sign a written notice.103 If the DMEPOS supplier has not 
received a signed written notice from the beneficiary and the claim is 
denied, the DMEPOS supplier should not bill the beneficiary. The 
written notice must be in writing, must clearly identify the particular 
item or service, must state that the payment for the particular service 
likely will be denied, and must give the reason(s) for the belief that 
payment is likely to be denied. It is the beneficiary's decision 
whether or not to sign the written notice. If the beneficiary does sign 
the notice, the supplier should: (1) include the appropriate modifier 
on the claim form; (2) maintain the written notice in its files; and 
(3) be able to produce the written notice to the DMERC, upon request.
---------------------------------------------------------------------------

    \103\ See Medicare Carriers Manual, section 7300.5.
---------------------------------------------------------------------------

    Routine notices to beneficiaries that do no more than state that 
denial of payment is possible or that they never know whether payment 
will be denied are not considered acceptable evidence of written 
notice. Notices should not be given to beneficiaries unless there is 
some genuine doubt regarding the likelihood of payment as evidenced by 
the reasons stated on the written notice. Giving notice for all claims, 
items or services is not an acceptable practice.
    The DMEPOS supplier should include liability issues (e.g., 
circumstances where the DMEPOS supplier knows or could be expected to 
know of a denial, use of advance beneficiary notice, etc.) in their 
written policies and procedures.
    j. Routine Waiver of Deductibles and Coinsurance. Routine waivers 
of deductibles and coinsurance may result in false claims, violations 
of the anti-kickback statute and overutilization of items or 
services.104 DMEPOS suppliers are permitted to waive the 
Medicare coinsurance amounts for cases of

[[Page 4445]]

indigency.105 However, we recommend the supplier develop and 
maintain written criteria documenting its policy for determining 
indigency, and consistently apply these criteria to all cases. This 
indigency exception must not be used routinely and a good faith effort 
must be made to collect deductibles and coinsurance.
---------------------------------------------------------------------------

    \104\ See 59 FR 31157 (December 19, 1994) or the OIG web site at 
http://www.dhhs.gov/progorg/oig for the OIG Special Fraud Alert on 
Medicare Deductibles and Copayments.
    \105\ See section 5520 of the Medicare Carriers Manual.
---------------------------------------------------------------------------

    DMEPOS suppliers' written policies and procedures should state that 
they will not routinely waive deductibles and coinsurance for Medicare 
beneficiaries. Such policies and procedures should include, but not be 
limited to, statements that DMEPOS supplier personnel are prohibited 
from: advertising an intent to waive deductibles or coinsurance; 
advertising an intent to discount services for Medicare beneficiaries; 
giving unsolicited advice to patients that they need not pay; charging 
Medicare beneficiaries more than other patients for similar services 
and items; or collecting deductibles and coinsurance only when a 
patient has a certain insurance. Routine waivers of deductibles and 
coinsurance may result in civil monetary penalties, False Claims Act 
liability, and/or a violation of the anti-kickback 
statute.106
---------------------------------------------------------------------------

    \106\ See 42 U.S.C. 1320a-7a(a)(5); 31 U.S.C. 3729-3733; 42 
U.S.C. 1320a-7b.
---------------------------------------------------------------------------

    K. Capped Rentals. DMEPOS suppliers' written policies and 
procedures should address Government and private payor requirements 
when providing rental equipment to beneficiaries (e.g., the purchase 
option 107 and servicing and maintenance 108). 
DMEPOS suppliers must offer a purchase option to beneficiaries during 
the 10th continuous rental month.109 The DMEPOS supplier 
should clearly, accurately, and non-deceptively discuss the pros and 
cons of the different options with the beneficiary. If the beneficiary 
does not accept the purchase option, the DMEPOS supplier must continue 
to provide the item without charge to the beneficiary or Medicare after 
the 15th continuous month of receiving rental payments from Medicare, 
providing the item or service continues to be medically necessary.
---------------------------------------------------------------------------

    \107\ See 42 CFR 414.229(d).
    \108\ See 42 CFR 414.229(e).
    \109\ DMEPOS suppliers must offer beneficiaries the option of 
purchasing power-driven wheelchairs at the time the DMEOS supplier 
first furnishes the item. See 42 CFR 414.229(d)(1).
---------------------------------------------------------------------------

    However, the DMEPOS supplier may submit additional claims for the 
maintenance and servicing fees associated with the rental 
item.110 The DMEPOS supplier should ensure it is performing 
basic safety and operational function checks after use by each patient, 
and is performing routine and preventative maintenance on equipment. 
The DMEPOS supplier must ensure it has qualified staff or contractors 
to service, set up, and instruct the patient on the proper use of the 
equipment. The DMEPOS supplier should ensure it maintains current 
service manuals for all equipment they supply. In addition, the 
policies and procedures should also establish an internal control 
system which allowed the DMEPOS suppler to track the location of each 
piece of equipment at any given time.
---------------------------------------------------------------------------

    \110\ See 42 CFR 414.229(e).
---------------------------------------------------------------------------

    The policies and procedures should also address the guidelines for 
determining continuous use and criteria for a new rental 
period.111 If a beneficiary dies during a rental period, the 
DMEPOS supplier may receive the entire monthly rental 
payment.112 However, if the DMEPOS supplier continues to 
bill for the item because it did not receive notice of the 
beneficiary's death until the following month, any payments received 
for rental items the month after the beneficiary dies are considered an 
overpayment and must promptly be refunded. The DMEPOS supplier should 
create internal mechanisms to ensure the correct rental month appears 
on the claim and the correct modifier is used.
---------------------------------------------------------------------------

    \111\ See 42 CFR 414.230.
    \112\ See Medicare Carriers Manual, section 4105.3.
---------------------------------------------------------------------------

    In addition, the DMEPOS supplier should ensure it is not submitting 
claims for rental equipment when the beneficiary is residing in an 
institution. The OIG is aware that some DMEPOS suppliers deliver 
equipment to beneficiaries residing in institutions just prior to the 
beneficiary being discharged. However, if the beneficiary is residing 
in an institution when the DMEPOS supplier delivers the equipment, the 
HCFA claim form should indicate the date of delivery as being the date 
the beneficiary is discharged from the institution. The DMEPOS supplier 
may not submit the claim prior to the beneficiary's date of discharge.
    l. ZX Modifier. The ZX modifier is used to indicate that the DMEPOS 
supplier is maintaining medical necessity documentation in its files. 
Such documentation only needs to be submitted to the DMERC upon 
request.
    DMEPOS suppliers should create internal mechanisms to ensure the 
proper use of the ZX modifier. Improper use of the modifier may result 
in the submission of false claims. The written policies and procedures 
should address the DMEPOS supplier's protocol for using the ZX 
modifier.113
---------------------------------------------------------------------------

    \113\ See relevant DMERC supplier manual(s) for guidelines on 
proper use.
---------------------------------------------------------------------------

    m. Cover Letters. The DMEPOS supplier should address the use of 
cover letters in its written policies and procedures, if 
applicable.114
---------------------------------------------------------------------------

    \114\ Id.
---------------------------------------------------------------------------

    In many instances, the DMEPOS supplier will send a cover letter 
along with the CMN to the physician. The information contained in the 
cover letter should address issues relating to HCFA or DMERC 
regulation/policy changes, brief descriptions of the item(s) being 
provided and changes in the patient's regimen. The cover letter must 
not (i) lead physicians to order medically unnecessary items or 
supplies or (ii) include diagnostic information. In addition, the 
DMEPOS supplier should not distribute completed ``sample'' CMNs to 
physicians. DMEPOS suppliers should maintain on file a copy of the 
cover letter sent to physicians. The DMERCs may request to review the 
information provided in cover letters to ensure the DMEPOS supplier is 
in compliance with the law.
    n. Communication. The OIG suggests DMEPOS suppliers create 
mechanisms that increase the communication between treating physicians 
or other authorized persons who refer business to the DMEPOS supplier, 
the patients, and the DMEPOS supplier. Such mechanisms should be 
included in the DMEPOS supplier's written policies and procedures and 
may include the DMEPOS supplier periodically calling the patient to 
ensure the equipment is still being used and operating properly or an 
arrangement between the DMEPOS supplier and the physician whereby the 
physician immediately informs the DMEPOS supplier when equipment is no 
longer medically necessary. The DMEPOS supplier should create 
mechanisms to ensure communications between different departments 
(e.g., sales and billing) in order to prevent the filing of incorrect 
claims.
    o. Oxygen and Oxygen Equipment. The OIG recommends the written 
policies and procedures for DMEPOS suppliers furnishing oxygen state 
that the DMEPOS supplier will ensure that initial claims for oxygen 
therapy include the written results of an arterial blood gas study or 
oximetry test (on the CMN) that has been ordered and evaluated by the 
patient's treating physician. Further, the written policies

[[Page 4446]]

and procedures should provide for the DMEPOS supplier to maintain such 
test results and any other independent physiological laboratory (IPL) 
documents supporting the patient's medical necessity for the oxygen. 
The DMEPOS supplier should have the IPLs from which they receive tests 
results submit all raw test results to the ordering physician for the 
physician's benefit, and not just a summary of the results. The written 
policies and procedures should provide that a DMEPOS supplier is not 
qualified to conduct the blood gas study or to prescribe the oxygen 
therapy.115 When submitting an oxygen or oxygen equipment 
claim for reimbursement, the DMEPOS supplier must ensure it is 
complying with the payment rules.116
---------------------------------------------------------------------------

    \115\ See Coverage Issues Manual, section 60-4.
    \116\ See 42 CFR 414.226.
---------------------------------------------------------------------------

    4. Anti-Kickback and Self-Referral Concerns. The DMEPOS supplier 
should have policies and procedures in place with respect to compliance 
with Federal and State laws, including the anti-kickback statute, as 
well as the Stark physician self-referral law.117 Such 
policies should provide that:
---------------------------------------------------------------------------

    \117\ Towards this end, the DMEPOS supplier should, among other 
things, obtain copies of all relevant OIG regulations, Special Fraud 
Alerts, and advisory opinions (these documents are located on the 
Internet at http://www.dhhs.gov/progorg/oig), and ensure that the 
DMEPOS supplier's policies reflect the guidance provided by the OIG. 
See 42 U.S.C. 1395nn(a) for the Stark physician referral laws. See 
also 42 U.S.C. 1320a-7b for prohibited activities under the anti-
kickback statute.
---------------------------------------------------------------------------

     All of the DMEPOS supplier's contracts and arrangements 
with actual or potential referral sources (e.g., physicians) are 
reviewed by counsel and comply with all applicable statutes and 
regulations, including the anti-kickback statute and the Stark 
physician self-referral law provisions; 118
---------------------------------------------------------------------------

    \118\ If the DMEPOS supplier questions an arrangement it may 
enter into, it should consider asking the OIG for an advisory 
opinion regarding the anti-kickback statute or HCFA for an advisory 
opinion regarding Stark. See 62 FR 7350 (February 19, 1997) and 63 
FR 38311 (July 16, 1998) for instructions on how to submit an 
Advisory Opinion to the OIG. These instructions are also located on 
the Internet at: http://www.dhhs.gov/progorg/oig. See 63 FR 1645 
(January 9, 1998) on how to submit an advisory opinion to HCFA.
---------------------------------------------------------------------------

     The DMEPOS supplier not submit or cause to be submitted to 
the Federal health care programs claims for patients who were referred 
to the DMEPOS supplier in accordance with contracts or financial 
arrangements that were designed to induce such referrals in violation 
of the anti-kickback statute or similar Federal or State statute or 
regulation or that otherwise violates the Stark physician self-referral 
law; and
     The DMEPOS supplier does not offer or provide gifts, free 
services, or other incentives or things of value to patients, relatives 
of patients, physicians, home health agencies, nursing homes, 
hospitals, contractors, assisted living facilities, or other potential 
referral sources for the purpose of inducing referrals in violation of 
the anti-kickback statute or similar Federal or State statute or 
regulation.119
---------------------------------------------------------------------------

    \119\ See 42 U.S.C. 1320a-7(a)(5), which provides for civil 
money penalties for improper inducements to beneficiaries. See also 
42 U.S.C. 1320a-7b(b).
---------------------------------------------------------------------------

    Further, the written policies and procedures should specifically 
reference and take into account the OIG's safe harbor regulations, 
which describe those payment practices that are immune from criminal 
and administrative prosecution under the anti-kickback 
statute.120
---------------------------------------------------------------------------

    \120\ See 42 CFR 1001.952.
---------------------------------------------------------------------------

    5. Marketing. DMEPOS supplier compliance programs should require 
honest, straightforward, fully informative and non-deceptive marketing, 
where marketing is permitted. It is in the best interest of patients, 
DMEPOS suppliers, physicians and health care programs that physicians 
or other persons authorized to order DMEPOS fully understand the 
services offered by the DMEPOS supplier, the items or services that 
will be provided when ordered and the financial consequences for 
Medicare as well as other payors for items or services ordered. If the 
DMEPOS supplier services a large number of non-English speaking 
patients, it should ensure its marketing materials are available in 
that other language. The DMEPOS supplier's written policies and 
procedures should ensure that its marketing information is clear, 
correct, and fully informative. Salespeople must not offer physicians, 
patients or other potential referral sources incentives, in cash or in 
kind, for their business.121 Similarly, they must not engage 
in any marketing activity that either explicitly or implicitly implies 
that Medicare beneficiaries are not obligated to pay their coinsurance 
or can receive ``free'' services.122 In addition, DMEPOS 
suppliers must not promote items or services to patients or physicians 
that are not reasonable or necessary for the treatment of the 
individual patient. The OIG suggests the DMEPOS supplier's written 
policies and procedures create internal mechanisms to avoid these 
situations.
---------------------------------------------------------------------------

    \121\ See anti-kickback statute discussion in section II.A.4.
    \122\ See discussion in section II.A.3.j.
---------------------------------------------------------------------------

    With respect to marketing and sales, the OIG has a longstanding 
concern that percentage compensation arrangements for sales and 
marketing personnel may increase the risk of such persons violating the 
anti-kickback statute.123 The OIG recommends the DMEPOS 
supplier monitor its sales representatives on a regular basis (e.g., 
rotate sales staff or send sales manager on some sales calls).
---------------------------------------------------------------------------

    \123\ See, e.g., 42 U.S.C. 1320a-7b(b); OIG Ad. Op. 98-10 
(1998); section II.A.4.
---------------------------------------------------------------------------

    DMEPOS suppliers are prohibited from making unsolicited telephone 
contacts to Medicare beneficiaries.124 In addition, a DMEPOS 
supplier cannot accomplish through an agent that which it cannot do 
itself. Since a DMEPOS supplier has no control over the means by which 
a non-employee sales or other representative might contact a Medicare 
beneficiary regarding the furnishing of such items, DMEPOS suppliers 
may not accept any referral from a sales or other representative who is 
not an employee of the DMEPOS supplier, regardless of the means 
allegedly used to contact the beneficiary. We suggest the DMEPOS 
supplier's written policies and procedures reflect this prohibition.
---------------------------------------------------------------------------

    \124\ See 42 U.S.C. 1395m(a)(17), Pub. L. 103-432, section 
132(a).
---------------------------------------------------------------------------

    DMEPOS suppliers are prohibited from using symbols, emblems, or 
names in reference to Social Security or Medicare in a manner that such 
person knows or should know would convey the false impression that such 
item is approved, endorsed, or authorized by the Social Security 
Administration, the Health Care Financing Administration, or the 
Department of Health and Human Services or that such person has some 
connection with, or authorization from, any of these 
agencies.125
---------------------------------------------------------------------------

    \125\ See 42 U.S.C. 1320b-10.
---------------------------------------------------------------------------

    6. Retention of Records. DMEPOS supplier compliance programs should 
provide for the implementation of a records system. DMEPOS suppliers 
should ensure that records are maintained for the length of time 
required by Federal and State law and private payors, or by the 
supplier's record retention policies, whichever is longer. This system 
should establish policies and procedures regarding the creation, 
distribution, retention, storage, retrieval, and destruction of 
documents.126 The three types of documents developed under 
this system should include: (1) all records and documentation (e.g., 
billing and claims documentation) required either by Federal or State 
law and the program requirements of Federal, State and private health 
plans; (2) records listing the persons responsible for implementing 
each part of the

[[Page 4447]]

compliance program; and (3) all records necessary to protect the 
integrity of the DMEPOS supplier's compliance process and confirm the 
effectiveness of the program. The documentation necessary to satisfy 
the third requirement includes, but is not limited to: evidence of 
adequate employee training; reports from the DMEPOS supplier's hotline; 
results of any investigation conducted as a consequence of a hotline 
call; modifications to the compliance program; self-disclosure; all 
written notifications to providers;127 and the results of 
the DMEPOS supplier's auditing and monitoring efforts.128
---------------------------------------------------------------------------

    \126\ This records system should be tailored to fit the 
individual needs and financial resources of the DMEPOS supplier.
    \127\ This should include notifications regarding inappropriate 
claims and overpayments.
    \128\ The creation and retention of such documents and reports 
may raise a variety of legal issues, such as patient privacy and 
confidentiality. These issues are best discussed with legal counsel.
---------------------------------------------------------------------------

    7. Compliance as an Element of a Performance Plan. Compliance 
programs should require that the promotion of, and adherence to, the 
elements of the compliance program be a factor in evaluating the 
performance of all employees. Employees should be periodically trained 
in new compliance policies and procedures. In addition, all managers 
and supervisors involved in the claims development and submission 
processes should:
     Discuss with all supervised employees and relevant 
contractors the compliance policies and legal requirements applicable 
to their function;
     Inform all supervised personnel that strict compliance 
with these policies and requirements is a condition of employment; and
     Disclose to all supervised personnel that the DMEPOS 
supplier will take disciplinary action up to and including termination 
for violation of these policies or requirements.
    In addition to making performance of these duties an element in 
evaluations, the compliance officer or DMEPOS supplier management 
should include a policy that managers and supervisors will be 
sanctioned for failing to adequately instruct their subordinates or for 
failing to detect noncompliance with applicable policies and legal 
requirements, where reasonable diligence on the part of the manager or 
supervisor would have led to the discovery of any problems or 
violations.
B. Designation of a Compliance Officer and a Compliance Committee
    1. Compliance Officer. Every DMEPOS supplier should designate a 
compliance officer to serve as the focal point for compliance 
activities. The compliance officer should be a person of high 
integrity. This responsibility may be the individual's sole duty or 
added to other management responsibilities, depending upon the size and 
resources of the DMEPOS supplier and the complexity of the task. When a 
compliance officer has other duties, the other duties should not be in 
conflict with the compliance goals.129
---------------------------------------------------------------------------

    \129\ E.g., companies should not choose a sales manager who may 
be pressured to achieve high sales, which might result in a conflict 
with compliance goals.
---------------------------------------------------------------------------

    Designating a compliance officer with the appropriate authority is 
critical to the success of the program, necessitating the appointment 
of a high-level official in the DMEPOS supplier with direct access to 
the DMEPOS supplier's owner(s), president or CEO, governing body, all 
other senior management, and legal counsel.130 The 
compliance officer should be highly enough placed in the company so 
that he or she can exercise independent judgment without fear of 
reprisal, and so that employees will know that bringing a problem to 
that person's attention is not a wasted exercise. The compliance 
officer should have sufficient funding and staff to fully perform his 
or her responsibilities. Coordination and communication are the key 
functions of the compliance officer with regard to planning, 
implementing, and monitoring the compliance program.
---------------------------------------------------------------------------

    \130\ The OIG believes that it is not advisable for the 
compliance function to be subordinate to the DMEPOS supplier's 
general counsel, comptroller or similar DMEPOS supplier financial 
officer. Free standing compliance functions help to ensure 
independent and objective legal reviews and financial analyses of 
the institution's compliance efforts and activities. By separating 
the compliance function from the key management positions of general 
counsel or chief financial officer (where the size and structure of 
the DMEPOS supplier make this a feasible option), a system of checks 
and balances is established to more effectively achieve the goals of 
the compliance program.
---------------------------------------------------------------------------

    The compliance officer's primary responsibilities should include:
     Overseeing and monitoring the implementation of the 
compliance program;131
---------------------------------------------------------------------------

    \131\ For DMEPOS supplier chains, the OIG encourages 
coordination with each DMEPOS supplier location through the use of a 
headquarter's compliance officer, communicating with parallel 
positions in each facility or regional office, as appropriate.
---------------------------------------------------------------------------

     Reporting on a regular basis to the DMEPOS supplier's 
owner(s), governing body, CEO, president, and compliance committee (if 
applicable) on the progress of implementation, and assisting these 
components in establishing methods to improve the DMEPOS supplier's 
efficiency and quality of services, and to reduce the DMEPOS supplier's 
vulnerability to fraud, abuse and waste;
     Periodically revising the program in light of changes in 
the organization's needs, and in the statutes, rules, regulations, and 
requirements of Federal, State and private payor health care plans;
     Reviewing employees' certifications that they have 
received, read, and understood the standards of conduct;
     Developing, coordinating, and participating in a 
multifaceted educational and training program that focuses on the 
elements of the compliance program, and seeks to ensure that all 
appropriate employees and management are knowledgeable of, and comply 
with, pertinent Federal, State and private payor health care program 
requirements;
     Ensuring independent contractors and agents who provide 
services (e.g., billing companies, delivery services and sources of 
referrals) to the DMEPOS supplier are aware of the requirements of the 
DMEPOS supplier's compliance program with respect to coverage, billing, 
and marketing, among other things;
     Coordinating personnel issues with the DMEPOS supplier's 
Human Resources/Personnel office (or its equivalent) to ensure that the 
National Practitioner Data Bank,132 Cumulative Sanction 
Report,133 and the General Services Administration's List of 
Parties Excluded from Federal Procurement and Nonprocurement Programs 
134 have been checked with respect to all employees, 
referring physicians or other authorized persons, and independent 
contractors (as appropriate);135
---------------------------------------------------------------------------

    \132\ The National Practitioner Data Bank, maintained by the 
Public Health Service, is a data base that contains information 
about medical malpractice payments, sanctions by boards of medical 
examiners or state licensing boards, adverse clinical privilege 
actions, and adverse professional society membership actions. Health 
care entities can have access to this data base to seek information 
about their own medical or clinical staff, as well as prospective 
employees.
    \133\ The Cumulative Sanction Report is an OIG-produced report 
available on the Internet at http://www.dhhs.gov/progorg/oig. It is 
updated on a regular basis to reflect the status of individuals and 
entities who have been excluded from participation in the Medicare 
and Medicaid programs.
    \134\ The List of Parties from Federal Procurement and 
Nonprocurement programs is a GSA-produced report available on the 
Internet at: http://www.arnet.gov/epls.
    \135\ Depending upon State requirements or DMEPOS supplier 
policy, the Compliance Officer may also conduct a criminal 
background check of employees.
---------------------------------------------------------------------------

     Assisting the DMEPOS supplier's financial management in 
coordinating internal compliance review and monitoring activities, 
including annual or periodic reviews of departments;
     Independently investigating and acting on matters related 
to compliance,

[[Page 4448]]

including the flexibility to design and coordinate internal 
investigations (e.g., responding to reports of problems or suspected 
violations) and any resulting corrective action (e.g., making necessary 
improvements to DMEPOS supplier policies and practices, taking 
appropriate disciplinary action, etc.) with all DMEPOS supplier 
departments, independent contractors, and health care professionals;
     Developing policies and programs that encourage managers 
and employees to report suspected fraud and other improprieties without 
fear of retaliation; and
     Continuing the momentum of the compliance program and the 
accomplishment of its objectives long after the initial years of 
implementation.136
---------------------------------------------------------------------------

    \136\ Periodic on-site visits of DMEPOS supplier operations, 
bulletins with compliance updates and reminders, distribution of 
audiotapes or videotapes on different risk areas, lectures at 
management and employee meetings, circulation of recent health care 
articles covering fraud and abuse, and innovative changes to 
compliance training are various examples of approaches and 
techniques the compliance officer can employ for the purpose of 
ensuring continued interest in the compliance program and the DMEPOS 
supplier's commitment to its policies and principles.
---------------------------------------------------------------------------

    The compliance officer must have the authority to review all 
documents and other information that are relevant to compliance 
activities, including, but not limited to, patient records (where 
appropriate), billing records, and DMEPOS supplier records concerning 
the marketing efforts of the DMEPOS supplier and the DMEPOS supplier's 
arrangements with other parties, including employees, home health 
agencies, skilled nursing facilities, and ordering physicians or other 
authorized persons. This policy enables the compliance officer to 
review contracts and obligations (seeking the advice of legal counsel, 
where appropriate) that may contain referral and payment provisions 
that could violate the anti-kickback statute, as well as the Stark 
physician self-referral prohibition or other statutory or regulatory 
requirements.
    In addition, the compliance officer should be copied on the results 
of all internal audit reports and work closely with key managers to 
identify aberrant trends in the coding and billing areas. The 
compliance officer should ascertain patterns that require a change in 
policy and forward these issues to the compliance committee to remedy 
the problem. The compliance officer should have full authority to stop 
the processing of claims that he or she believes are problematic until 
such time as the issue in question has been resolved.
    2. Compliance Committee. The OIG recommends, where feasible,\137\ 
that a compliance committee be established to advise the compliance 
officer and assist in the implementation of the compliance 
program.\138\ When assembling a team of people to serve as the DMEPOS 
supplier's compliance committee, the DMEPOS supplier should include 
individuals with a variety of skills.\139\ The OIG strongly recommends 
that the compliance officer manage the compliance committee. Once a 
DMEPOS supplier chooses the people that will accept the 
responsibilities vested in members of the compliance committee, the 
DMEPOS supplier must train these individuals on the policies and 
procedures of the compliance program, as well as how to discharge their 
duties.
---------------------------------------------------------------------------

    \137\ The OIG recognizes that smaller DMEPOS suppliers may not 
be able to establish a compliance committee. In those situations, 
the compliance officer should fulfill the responsibility of the 
compliance committee.
    \138\ The compliance committee benefits from having the 
perspectives of individuals with varying responsibilities in the 
organization, such as operations, billing, coding, marketing, and 
human resources, as well as employees and managers of key operating 
units. These individuals should have the requisite seniority and 
comprehensive experience within their respective departments to 
implement any necessary changes to the DMEPOS supplier's policies 
and procedures as recommended by the committee. A compliance 
committee for a DMEPOS supplier that is part of another organization 
(e.g., home health agency) might benefit from the participation of 
officials from other departments in the organization, such as the 
accounting and billing departments.
    \139\ A DMEPOS supplier should expect its compliance committee 
members and compliance officer to demonstrate high integrity, good 
judgment, assertiveness, and an approachable demeanor, while 
eliciting the respect and trust of employees of the DMEPOS supplier. 
The DMEPOS supplier's compliance committee members should also have 
significant professional experience working with billing, 
documentation, and auditing principles.
---------------------------------------------------------------------------

    The committee's responsibilities should include:
     Analyzing the organization's regulatory environment, the 
legal requirements with which it must comply,\140\ and specific risk 
areas;
---------------------------------------------------------------------------

    \140\ This includes, but is not limited to, the civil False 
Claims Act, 31 U.S.C. 3729-3733; the criminal false claims statutes, 
18 U.S.C. 287, 1001; the fraud and abuse provisions of the Balanced 
Budget Act of 1997, Pub. L. 105-33; the Health Insurance Portability 
and Accountability Act of 1996, Pub. L. 104-191; and compliance with 
the Medicare supplier standards, 42 CFR 424.57.
---------------------------------------------------------------------------

     Assessing existing policies and procedures that address 
these risk areas for possible incorporation into the compliance 
program;
     Working with appropriate DMEPOS supplier departments to 
develop standards of conduct and policies and procedures that promote 
allegiance to the DMEPOS supplier's compliance program;
     Recommending and monitoring, in conjunction with the 
relevant departments, the development of internal systems and controls 
to carry out the organization's standards, policies, and procedures as 
part of its daily operations; \141\
---------------------------------------------------------------------------

    \141\ With respect to national DMEPOS supplier chains, this may 
include fostering coordination and communication between those 
employees responsible for compliance at headquarters and those 
responsible for compliance at the individual supplier branches.
---------------------------------------------------------------------------

     Determining the appropriate strategy/approach to promote 
compliance with the program and detection of any potential violations, 
such as through hotlines and other fraud reporting mechanisms;
     Developing a system to solicit, evaluate, and respond to 
complaints and problems; and
     Monitoring internal and external audits and investigations 
for the purpose of identifying troublesome issues and deficient areas 
experienced by the DMEPOS supplier, and implementing corrective and 
preventive action.
    The committee may also address other functions as the compliance 
concept becomes part of the overall DMEPOS supplier's operating 
structure and daily routine.
C. Conducting Effective Training and Education
    1. Initial Training in Compliance. The proper education and 
training of corporate officers, managers, employees and the continual 
retraining of current personnel at all levels, are significant elements 
of an effective compliance program. In order to ensure the appropriate 
information is being disseminated to the correct individuals, the 
training should be separated into sessions. All employees should attend 
the general session on compliance, employees whose job primarily 
focuses on submission of claims for reimbursement should receive 
additional training on this subject, and employees who are involved in 
sales and marketing should receive additional training on this subject.
    a. General Sessions. As part of their compliance programs, DMEPOS 
suppliers should require all affected personnel to attend training on 
an annual basis, including appropriate training in Federal and State 
statutes, regulations and guidelines, the policies of private payors, 
and training in corporate ethics. The general training sessions should 
emphasize the DMEPOS

[[Page 4449]]

supplier's commitment to compliance with these legal requirements and 
policies.
    These training programs should include sessions highlighting the 
DMEPOS supplier's compliance program, summarizing fraud and abuse laws 
and regulations, Federal, State and private payor health care program 
requirements, claim submission procedures and marketing practices that 
reflect current legal and program standards. The DMEPOS supplier must 
take steps to communicate effectively its standards and procedures to 
all affected employees, physicians, independent contractors and other 
significant agents, e.g., by requiring participation in training 
programs and disseminating publications that explain specific 
requirements in a practical manner.\142\ Managers of specific 
departments can assist in identifying areas that require training and 
in carrying out such training.\143\ Training instructors may come from 
outside or inside the organization. New employees should be targeted 
for training early in their employment.\144\
---------------------------------------------------------------------------

    \142\ Publications such as Special Fraud Alerts, audit and 
inspection reports, and advisory opinions, as well as the annual OIG 
work plan, are readily available from the OIG and could be the basis 
for standards, educational courses and programs.
    \143\ Significant variations in functions and responsibilities 
of different departments may create the need for training materials 
that are tailored to the compliance concerns associated with 
particular operations and duties.
    \144\ Certain positions, such as those involving developing and 
submitting claims, as well as sales and marketing, create a greater 
organizational legal exposure, and therefore require specialized 
training. DMEPOS suppliers should fill such positions with 
individuals who have the appropriate educational background, 
training, experience, and credentials.
---------------------------------------------------------------------------

    As part of the initial training, the standards of conduct should be 
distributed to all employees.\145\ At the end of this training session, 
every employee, as well as physicians, independent contractors, and 
other significant agents, should be required to sign and date a 
statement that reflects their knowledge of and commitment to the 
standards of conduct. This attestation should be retained in the 
employee's personnel file. For physicians, independent contractors, and 
other significant agents, the attestation should become part of the 
contract and remain in the file that contains such documentation.
---------------------------------------------------------------------------

    \145\ Where the DMEPOS supplier has a culturally diverse 
employee base, the standards of conduct should be translated into 
other languages and written at appropriate reading levels.
---------------------------------------------------------------------------

    Further, to assist in ensuring that employees continuously meet the 
expected high standards of conduct, any employee handbook delineating 
or expanding upon these standards should be regularly updated as 
applicable statutes, regulations and Federal health care program 
requirements are modified.\146\ DMEPOS suppliers should provide an 
additional attestation in the modified standards that stipulates the 
employee's knowledge of and commitment to the modifications.
---------------------------------------------------------------------------

    \146\ The OIG recognizes that not all standards, policies and 
procedures need to be communicated to all employees. However, the 
OIG believes that the bulk of the standards that relate to complying 
with fraud and abuse laws and other ethical areas should be 
addressed and made part of all employees' training. The DMEPOS 
supplier should determine what additional training to provide 
categories of employees based upon their job responsibilities.
---------------------------------------------------------------------------

    b. Claim Development and Billing Training. In addition to specific 
training in the risk areas identified in section II.A.2, above, primary 
training to appropriate corporate officers, managers and other claim 
development and billing staff should include such topics as:
     Specific Government and private payor reimbursement 
principles; \147\
---------------------------------------------------------------------------

    \147\ Government, in this context, includes the appropriate 
Medicare DMERC(s).
---------------------------------------------------------------------------

     Providing DMEPOS items or services without proper 
authorization;
     Proper documentation of services rendered, including the 
correct application of official ICD-9 and HCPCs coding rules and 
guidelines;
     Improper alterations to documentation (e.g., patient 
records, CMNs);
     Compliance with the Federal, State and privator payor 
supplier standards;
     Signing a form for a physician without the physician's 
authorization; and
     Duty to report misconduct.
     Clarifying and emphasizing these areas of concern through 
training and educational programs are particularly relevant to a DMEPOS 
supplier's billing and coding personnel, in that the pressure to meet 
business goals may render employees vulnerable to engaging in 
prohibited practices.
    c. Sales and Marketing Training. In addition to specific training 
in the risk areas identified in section II.A.2, above, primary training 
to sales and marketing personnel should include such topics as:
     General prohibition on paying or receiving renumeration to 
induce referrals;
     Routine waiver of deductibles and/or coinsurance;
     Disguising referral fees as salaries;
     Offering free items or services to induce referrals;
     High pressure marketing of non-covered or unnecessary 
services;
     Improper patient solicitation; and
     Duty to report misconduct.
    Clarifying and emphasizing these areas of concern through training 
and educational programs are particularly relevant to a DMEPOS 
supplier's sales and marketing personnel, in that the pressure to meet 
business goals may render employees vulnerable to engaging in 
prohibited practices.
    2. Format of the Training Program. The OIG suggests that all 
relevant levels of personnel be made part of various educational and 
training programs of the DMEPOS supplier. 148 Employees 
should be required to have a minimum number of educational hours per 
year, as appropriate, as part of their employment responsibilities. 
149 For example, as discussed above, employees involved in 
billing functions should be required to attend periodic training in 
applicable reimbursement coverage and documentation of records. 
150
---------------------------------------------------------------------------

    \148\ In addition, where feasible, the OIG recommends that a 
DMEPOS supplier afford outside contractors and its physician clients 
that opportunity to participate in the DMEPOS supplier's compliance 
training and educational programs, or develop their own programs 
that complement the DMEPOS supplier's standards of conduct, 
compliance requirements and other rules and practices.
    \149\Currently, the OIG is monitoring a significant number of 
corporate integrity agreements that require many of these training 
elements. The OIG usually requires a minimum of one to three hours 
annually for basic training in compliance areas. Additional training 
is required for specialty fields such as billing, coding, sales and 
marketing.
    \150\ Appropriate coding and billing depends upon the quality 
and completeness of documentation. Therefore, the OIG believes that 
the DMEPOS supplier must foster an environment where interactive 
communication is encouraged.
---------------------------------------------------------------------------

    A variety of teaching methods, such as interactive training and 
training in several different languages, particularly where a DMEPOS 
supplier has a culturally diverse staff, should be implemented so that 
all affected employees are knowledgeable about the DMEPOS supplier's 
standards of conduct and procedures for alerting senior management to 
problems and concerns. 151 Targeted training should be 
provided to corporate officers, managers and other employees whose 
actions affect the accuracy of the claims submitted to the Government, 
such as employees involved in the coding, billing, sales, and marketing 
processes. All training materials should be designed to take into 
account the skills, knowledge and experience of the individual 
trainees. Given the complexity and interdependent relationships of many 
departments, it is

[[Page 4450]]

important for the compliance officer to supervise and coordinate the 
training program.
---------------------------------------------------------------------------

    \151\ Post training tests can be used to assess the success of 
training provided and employee comprehension of the DMEPOS 
supplier's policies and procedures.
---------------------------------------------------------------------------

    The OIG recommends that attendance and participation in training 
programs be made a condition of continued employment and that failure 
to comply with training requirements should result in disciplinary 
action, including possible termination, when such failure is serious. 
Adherence to the provisions of the compliance program, such as training 
requirements, should be a factor in the annual evaluation of each 
employee. The DMEPOS supplier should retain adequate records of its 
training of employees, including attendance logs and material 
distributed at training sessions.
    3. Continuing Education on Compliance Issues. It is essential that 
compliance issues remain at the forefront of the DMEPOS supplier's 
priorities. The OIG recommends that DMEPOS supplier compliance programs 
address the need for periodic professional education courses for DMEPOS 
supplier personnel. In particular, the DMEPOS supplier should ensure 
that coding personnel receive annual professional training on the 
updated codes for the current year and have knowledge of the SADMERC's 
HCPCs coding helpline. 152
---------------------------------------------------------------------------

    \152\ See note 93.
---------------------------------------------------------------------------

    In order to maintain a sense of seriousness about compliance in a 
DMEPOS supplier's operations, the DMEPOS supplier must continue to 
disseminate the compliance message. One effective mechanism for 
maintaining a consistent presence of the compliance message is to 
publish a monthly newsletter to address compliance concerns. This would 
allow the DMEPOS supplier to address specific examples of problems the 
company encountered during its ongoing audits and risk analyses, while 
reinforcing the DMEPOS supplier's firm commitment to the general 
principles of compliance and ethical conduct. The newsletter could also 
include the risk areas published by the OIG in its Special Fraud 
Alerts. Finally, the DMEPOS supplier could use the newsletter as a 
mechanism to address areas of ambiguity in the coding and billing 
process and/or its sales and marketing practices. The DMEPOS supplier 
should maintain its newsletters in a central location to document the 
guidance offered, and provide new employees with access to guidance 
previously provided.
D. Developing Effective Lines of Communication
    1. Access to the Compliance Officer. An open line of communication 
between the compliance officer and DMEPOS supplier employees is equally 
important to the successful implementation of a compliance program and 
the reduction of any potential for fraud, abuse and waste. Written 
confidentiality and non-retaliation policies should be developed and 
distributed to all employees to encourage communication and the 
reporting of incidents of potential fraud. 153 The 
compliance committee should also develop several independent reporting 
paths for an employee to report fraud, waste or abuse so that such 
reports cannot be diverted by supervisors or other personnel.
---------------------------------------------------------------------------

    \153\ The OIG believes that whistleblowers should be protected 
against retaliation, a concept embodied in the provisions of the 
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees 
sue their employers under the False Claims Act's qui tam provisions 
out of frustration because of the company's failure to take action 
when a questionable, fraudulent, or abusive situation was brought to 
the attention of senior corporate officials.
---------------------------------------------------------------------------

    The OIG encourages the establishment of a procedure for personnel 
to seek clarification from the compliance officer or members of the 
compliance committee in the event of any confusion or question 
regarding a DMEPOS supplier policy, practice, or procedure. Questions 
and responses should be documented and dated and, if appropriate, 
shared with other staff so that standards, policies, practices, and 
procedures can be updated and improved to reflect any necessary changes 
or clarifications. The compliance officer may want to solicit employee 
input in developing these communication and reporting systems.
    2. Hotlines and Other Forms of Communication. The OIG encourages 
the use of hotlines, 154 e-mails, written memoranda, 
newsletters, suggestion boxes and other forms of information exchange 
to maintain these open lines of communication. 155 If the 
DMEPOS supplier establishes a hotline, the telephone number should be 
made readily available to all employees and independent contractors, 
possibly by circulating the number on wallet cards or conspicuously 
posting the telephone number in common work areas. 156 
Employees should be permitted to report matters on an anonymous basis. 
157 Matters reported through the hotline or other 
communication sources that suggest substantial violations of compliance 
policies, Federal, State or private payor health care program 
requirements, regulations, or statutes should be documented and 
investigated promptly to determine their veracity. A log should be 
maintained by the compliance officer that records such calls, including 
the nature of any investigation and its results. 158 Such 
information should be included in reports to the owner(s), governing 
body, the CEO, president, and compliance committee. 159 
Further, while the DMEPOS supplier should always strive to maintain the 
confidentiality of an employee's identity, it should also explicitly 
communicate that there may be a point where the individual's identity 
may become known or may have to be revealed.
---------------------------------------------------------------------------

    \154\ The OIG recognizes that it may not be financially feasible 
for a smaller DMEPOS supplier to maintain a telephone hotline 
dedicated to receiving calls solely on compliance issues. These 
companies may want to explore alternative methods, e.g., outsourcing 
the hotline or establishing a written method of confidential 
disclosure.
    \155\ In addition to methods of communication used by current 
employees, an effective employee exit interview program could be 
designed to solicit information from departing employees regarding 
potential misconduct and suspected violations of DMEPOS supplier 
policies and procedures.
    \156\ DMEPOS suppliers should also post in a prominent, 
available area the HHS-OIG Hotline telephone number, 1-800-447-8477 
(1-800-HHS-TIPS), in addition to any company hotline number that may 
be posted.
    \157\ The OIG recognizes that guaranteeing anonymity may be 
infeasible for small DMEPOS suppliers. In such instances, we 
recommend DMEPOS employees need not fear retribution when reporting 
a portential violation.
    \158\ To efficiently and accurately fulfill such an obligation, 
the DMEPOS supplier should create an intake form for all compliance 
issues identified through reporting mechanisms. The form could 
include information concerning the date that the potential problem 
was reported, the internal investigative methods utilized, the 
results of the investigation, any corrective action implemented, any 
disciplinary measures imposed, and any overpayments returned.
    \159\ Information obtained over the hotline may provide valuable 
insight into management practices and operations, whether reported 
problems are actual or perceived.
---------------------------------------------------------------------------

    The OIG recognizes that assertions of fraud and abuse by employees 
who may have participated in illegal conduct or committed other 
malfeasance raise numerous complex legal and management issues that 
should be examined on a case-by-case basis. The compliance officer 
should work closely with legal counsel, who can provide guidance 
regarding such issues.
E. Enforcing Standards Through Well-Publicized Disciplinary Guidelines
    1. Discipline Policy and Actions. An effective compliance program 
should include guidance regarding disciplinary action for corporate 
officers, managers, employees, and other health care professionals who 
have failed to comply with the DMEPOS supplier's standards

[[Page 4451]]

of conduct, policies and procedures, Federal and State statutes, rules, 
and regulations or Federal, State or private payor health care program 
requirements. It should also address disciplinary actions for those who 
have engaged in wrongdoing, which has the potential to impair the 
DMEPOS supplier's status as a reliable, honest, and trustworthy health 
care provider.
    The OIG believes that the compliance program should include a 
written policy statement setting forth the degrees of disciplinary 
actions that may be imposed upon corporate officers, managers, 
employees, and other health care professionals for failing to comply 
with the DMEPOS supplier's standards, policies, and applicable statutes 
and regulations. Intentional or reckless noncompliance should subject 
transgressors to significant sanctions. Such sanctions could range from 
oral warnings to suspension, termination, or financial penalties, as 
appropriate. Each situation must be considered on a case-by-case basis 
to determine the appropriate sanction. The written standards of conduct 
should elaborate on the procedures for handling disciplinary problems 
and those who will be responsible for taking appropriate action. Some 
disciplinary actions can be handled by managers, while others may have 
to be resolved by the owner(s), president or CEO. Disciplinary action 
may be appropriate where a responsible employee's failure to detect a 
violation is attributable to his or her negligence or reckless conduct. 
Personnel should be advised by the DMEPOS supplier that disciplinary 
action will be taken on a fair and equitable basis. Managers and 
supervisors should be made aware that they have a responsibility to 
discipline employees in an appropriate and consistent manner.
    It is vital to publish and disseminate the range of disciplinary 
standards for improper conduct and to educate corporate officers, 
managers, and other DMEPOS supplier employees regarding these 
standards. The consequences of noncompliance should be consistently 
applied and enforced, in order for the disciplinary policy to have the 
required deterrent effect. All levels of employees should be subject to 
the same types of disciplinary action for the commission of similar 
offenses. The commitment to compliance applies to all personnel levels 
within a DMEPOS supplier. The OIG believes that corporate officers, 
managers, supervisors, and health care professionals should be held 
accountable for failing to comply with, or for the foreseeable failure 
of their subordinates to adhere to, the applicable standards, statutes, 
rules, regulations and procedures.
    2. New Employee Policy. For all new employees who have 
discretionary authority to make decisions that may involve compliance 
with the law or compliance oversight, DMEPOS suppliers should conduct a 
reasonable and prudent background investigation, including a reference 
check,160 as part of every such employment application. The 
application should specifically require the applicant to disclose any 
criminal conviction, as defined by 42 U.S.C. 1320a-7(i), or exclusion 
action. In accordance with the compliance program, DMEPOS supplier 
policies should prohibit the employment of individuals who have been 
recently convicted of a criminal offense related to health care or who 
are listed as debarred, excluded, or otherwise ineligible for 
participation in Federal health care programs (as defined in 42 U.S.C. 
1320a-7b(f)).161 In addition, pending the resolution of any 
criminal charges or proposed debarment or exclusion, the OIG recommends 
that such individuals should be removed from direct responsibility for, 
or involvement with, the DMEPOS supplier's business operations related 
to any Federal health care program. In addition, we recommend the 
DMEPOS supplier remove such individual from any position(s) for which 
the individual's salary or the items or services rendered, ordered, or 
prescribed by the individual are paid in whole or part, directly or 
indirectly, by Federal health care programs or otherwise with Federal 
funds.162 Similarly, with regard to current employees or 
independent contractors, if resolution of the matter results in 
conviction, debarment, or exclusion, then the DMEPOS supplier should 
remove the individual from direct responsibility for or involvement 
with all Federal health care programs.
---------------------------------------------------------------------------

    \160\ See notes 132-135. Since the employees of DMEPOS suppliers 
have access to potentially vulnerable people and their property, 
DMEPOS suppliers should also strictly scrutinize whether it should 
employ individuals who have been convicted of crimes of neglect, 
violence or financial misconduct.
    \161\ Likewise, DMEPOS supplier compliance programs should 
establish standards prohibiting the execution of contracts with 
companies that have been recently convicted of a criminal offense 
related to health care or that are listed by a federal agency as 
debarred, excluded, or otherwise ineligible for participation in 
Federal health care programs. See notes 133 and 134.
    \162\ Prospective employees who have been officially reinstated 
into the Medicare and Medicaid programs by the OIG may be considered 
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------

F. Auditing and Monitoring

    An ongoing evaluation process is critical to a successful 
compliance program. The OIG believes that an effective program should 
incorporate thorough monitoring of its implementation and regular 
reporting to the DMEPOS supplier's corporate officers.163 
Compliance reports created by this ongoing monitoring, including 
reports of suspected noncompliance, should be maintained by the 
compliance officer and shared with the DMEPOS supplier's corporate 
officers and the compliance committee. The extent and frequency of the 
audit function may vary depending on factors such as the size of the 
DMEPOS supplier, the resources available to the DMEPOS supplier, the 
DMEPOS supplier's prior history of noncompliance, and the risk factors 
that are prevalent in a particular DMEPOS supplier.
---------------------------------------------------------------------------

    \163\ Even when a DMEPOS supplier is owned by a larger corporate 
entity, the regular auditing and monitoring of the compliance 
activities of an individual DMEPOS supplier must be a key feature in 
any annual review. Appropriate reports on audit findings should be 
periodically provided and explained to a parent organization's 
senior staff and officers.
---------------------------------------------------------------------------

    Although many monitoring techniques are available, one effective 
tool to promote and ensure compliance is the performance of regular, 
periodic compliance audits by internal or external auditors who have 
expertise in Federal and State health care statutes, rules, 
regulations, and Federal, State and private payor health care program 
requirements. The audits should focus on the different DMEPOS 
supplier's departments, including external relationships with third-
party contractors, specifically those with substantive exposure to 
Government enforcement actions. At a minimum, these audits should be 
designed to address the DMEPOS supplier's compliance with laws 
governing kickback arrangements, the physician self-referral 
prohibition, pricing, contracts, claim development and submission, 
reimbursement, sales and marketing. In addition, the audits and reviews 
should examine the DMEPOS supplier's compliance with the Federal, State 
and private payor supplier standards and the specific rules and 
policies that have been the focus of particular attention on the part 
of the Medicare DMERCs, and law enforcement, as evidenced by 
educational and other communications from OIG Special Fraud Alerts, 
advisory opinions, OIG audits and evaluations,

[[Page 4452]]

and law enforcement's initiatives.164 In addition, the 
DMEPOS supplier should focus on any areas of specific concern 
identified within that DMEPOS supplier and those that may have been 
identified by any entity, whether Federal, State, private or internal.
---------------------------------------------------------------------------

    \164\ See also section II.A.2.
---------------------------------------------------------------------------

    Monitoring techniques may include sampling protocols that permit 
the compliance officer to identify and review variations from an 
established baseline.165 Significant variations from the 
baseline should trigger a reasonable inquiry to determine the cause of 
the deviation. If the inquiry determines that the deviation occurred 
for legitimate, explainable reasons, the compliance officer and DMEPOS 
supplier management may want to limit any corrective action or take no 
action. If it is determined that the deviation was caused by improper 
procedures, misunderstanding of rules, including fraud and systemic 
problems, the DMEPOS supplier should take prompt steps to correct the 
problem.166 Any overpayments discovered as a result of such 
deviations should be returned promptly to the affected payor, with the 
following information: (1) That the refund is being made pursuant to a 
voluntary compliance program; (2) a description of the complete causes 
and circumstances surrounding the overpayment; (3) the methodology by 
which the overpayment was determined; (4) the amount of the 
overpayment; and (5) any claim-specific information, reviewed as part 
of the self-audit, used to determine the overpayment (e.g., beneficiary 
health insurance claims number, claim number, date of service, and 
payment date).
---------------------------------------------------------------------------

    \165\ The OIG recommends that when a compliance program is 
established in a DMEPOS supplier, the compliance officer, with the 
assistance of department managers, should take a ``snapshot'' of 
operations from a compliance perspective. This assessment can be 
undertaken by outside consultants, law or accounting firms, or 
internal staff, with authoritative knowledge of health care 
compliance requirements. This ``snapshot,'' often used as part of 
benchmarking analyses, becomes a baseline for the compliance officer 
and other managers to judge the DMEPOS supplier's progress in 
reducing or eliminating potential areas of vulnerability.
    \166\ In addition, when appropriate, as referenced in section 
G.2, below, reports of fraud or systemic problems should also be 
made to the appropriate governmental authority.
---------------------------------------------------------------------------

    An effective compliance program should also incorporate periodic 
(at least annual) reviews of whether the program's compliance elements 
have been satisfied, e.g., whether there has been appropriate 
dissemination of the program's standards, training, ongoing educational 
programs, and disciplinary actions, among other elements.167 
This process will verify actual conformance by all departments with the 
compliance program and may identify the necessity for improvements to 
be made to the compliance program, as well as the DMEPOS supplier's 
operations. Such reviews could support a determination that appropriate 
records have been created and maintained to document the implementation 
of an effective program.168 However, when monitoring 
discloses that deviations were not detected in a timely manner due to 
program deficiencies, appropriate modifications must be implemented. 
Such evaluations, when developed with the support of management, can 
help ensure compliance with the DMEPOS supplier's policies and 
procedures.
---------------------------------------------------------------------------

    \167\ One way to assess the knowledge, awareness, and 
perceptions of the DMEPOS supplier's employees is through the use of 
a validated survey instrument (e.g., employee questionnaires, 
interviews, or focus groups).
    \168\ Such records should include, but not be limited to, logs 
of hotline calls, logs of training attendees, training agenda and 
materials, and summaries of corrective action and improvements with 
respect to DMEPOS supplier policies as a result of compliance 
activities.
---------------------------------------------------------------------------

    As part of the review process, the compliance officer or reviewers 
should consider techniques such as:
     Testing billing staff on their knowledge of reimbursement 
coverage criteria and official coding guidelines (e.g., present 
hypothetical scenarios of situations experienced in daily practice and 
assess responses);
     On-site visits to all facilities and locations;
     Ongoing risk analysis and vulnerability assessments of the 
DMEPOS supplier's operations;
     Assessment of existing relationships with physicians, and 
other potential referral sources;
     Unannounced audits, mock surveys, and investigations;
     Examination of DMEPOS supplier complaint logs;
     Checking personnel records to determine whether any 
individuals who have been reprimanded for compliance issues in the past 
are among those currently engaged in improper conduct;
     Interviews with personnel involved in management, 
operations, sales and marketing, claim development and submission, and 
other related activities;
     Questionnaires developed to solicit impressions of the 
DMEPOS supplier's employees;
     Interviews with physicians or other authorized persons who 
order services provided by the DMEPOS supplier;
     Interviews with independent contractors who provide 
services to the DMEPOS supplier;
     Reviews of medical necessity documentation (e.g., 
physicians orders, CMNs), and other documents that support claims for 
reimbursement;
     Validation of qualifications of physicians or other 
authorized persons who order services provided by the DMEPOS supplier;
     Evaluation of written materials and documentation 
outlining the DMEPOS supplier's policies and procedures; and
     Utilization/trend analyses that uncover deviations, 
positive or negative, for specific HCPCs codes or types of items over a 
given period.
    The reviewers should:
     Possess the qualifications and experience necessary to 
adequately identify potential issues with the subject matter to be 
reviewed;
     Be objective and independent of line management; 
169
---------------------------------------------------------------------------

    \169\ The OIG recognizes that DMEPOS suppliers that are small in 
size and have limited resources may not be able to use internal 
reviewers who are not part of line management or hire outside 
reviewers.
---------------------------------------------------------------------------

     Have access to existing audit and health care resources, 
relevant personnel, and all relevant areas of operation;
     Present written evaluative reports on compliance 
activities to the owner(s), president, CEO, governing body, and members 
of the compliance committee on a regular basis, but not less than 
annually; and
     Specifically identify areas where corrective actions are 
needed.
    We recommend these audit reports be prepared and submitted to the 
compliance officer and senior management to ensure they are aware of 
the results. We suggest the reports specifically identify areas where 
corrective actions are needed. With these reports, DMEPOS supplier 
management can take whatever steps are necessary to correct past 
problems and prevent them from recurring. In certain cases, subsequent 
reviews or studies would be advisable to ensure that the recommended 
corrective actions have been implemented successfully.
    The DMEPOS supplier should document its efforts to comply with 
applicable Federal and State statutes, rules, and regulations, and 
Federal, State and private payor health care program requirements. For 
example, where a DMEPOS supplier, in its efforts to comply with a 
particular statute, regulation or program requirement, requests advice 
from a Government agency (including a Medicare DMERC) charged with 
administering a Federal health care program, the DMEPOS supplier should 
document and retain a record of the request and any written or

[[Page 4453]]

oral response, including the identity and position of the individual 
providing the response. DMEPOS suppliers should take the same steps 
when requesting advice from private payors. This step is extremely 
important if the DMEPOS supplier intends to rely on that response to 
guide it in future decisions, actions, or claim reimbursement requests 
or appeals. A log of oral inquiries between the DMEPOS supplier and 
third parties will help the organization document its attempts at 
compliance. In addition, the DMEPOS supplier should maintain records 
relevant to the issue of whether its reliance was ``reasonable'' and 
whether it exercised due diligence in developing procedures and 
practices to implement the advice.
G. Responding to Detected Offenses and Developing Corrective Action 
Initiatives
    1. Violations and Investigations. Violations of a DMEPOS supplier's 
compliance program, failures to comply with applicable Federal or State 
statutes, rules, regulations or Federal, State or private payor health 
care program requirements, and other types of misconduct threaten a 
DMEPOS supplier's status as a reliable, honest and trustworthy health 
care provider. Detected but uncorrected misconduct can seriously 
endanger the mission, reputation, and legal status of the DMEPOS 
supplier. Consequently, upon reports or reasonable indications of 
suspected noncompliance, it is important that the compliance officer or 
other management officials immediately investigate the conduct in 
question to determine whether a material violation of applicable law, 
rules or program instructions or the requirements of the compliance 
program has occurred, and if so, take decisive steps to correct the 
problem.170 As appropriate, such steps may include an 
immediate referral to criminal and/or civil law enforcement 
authorities, a corrective action plan,171 a report to the 
Government,172 and the return of any overpayments, if 
applicable.
---------------------------------------------------------------------------

    \170\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a 
health care program is not solely determinative of whether or not 
the conduct should be investigated and reported to governmental 
authorities. In fact, there may be instances where there is no 
readily identifiable monetary loss at all, but corrective action and 
reporting are still necessary to protect the integrity of the 
applicable program and its beneficiaries.
    \171\ Advice from the DMEPOS supplier's in-house counsel or an 
outside law firm may be sought to determine the extent of the DMEPOS 
supplier's liability and to plan the appropriate course of action.
    \172\ The OIG currently maintains a provider self-disclosure 
protocol that encourages providers to report suspected fraud. The 
concept of voluntary self-disclosure is premised on a recognition 
that the Government alone cannot protect the integrity of the 
Medicare and other Federal health care programs. Health care 
providers must be willing to police themselves, correct underlying 
problems, and work with the Government to resolve these matters. The 
self-disclosure protocol can be located on the OIG's web site at: 
http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

    Where potential fraud or False Claims Act liability is not 
involved, the OIG recommends that the DMEPOS supplier promptly return 
overpayments to the affected payor as they are discovered. However, 
even if the overpayment detection and return process is working and is 
being monitored by the DMEPOS supplier, the OIG still believes that the 
compliance officer needs to be made aware of these overpayments, 
violations, or deviations that may reveal trends or patterns indicative 
of a systemic problem.
    Depending upon the nature of the alleged violations, an internal 
investigation will probably include interviews and a review of relevant 
documents, such as submitted claims and CMNs. Some DMEPOS suppliers 
should consider engaging outside auditors or health care experts to 
assist in an investigation. Records of the investigation should contain 
documentation of the alleged violation, a description of the 
investigative process (including the objectivity of the investigators 
and methodologies utilized), copies of interview notes and key 
documents, a log of the witnesses interviewed and the documents 
reviewed, the results of the investigation, e.g., any disciplinary 
action taken, and any corrective action implemented. Although any 
action taken as the result of an investigation will necessarily vary 
depending upon the DMEPOS supplier and the situation, DMEPOS suppliers 
should strive for some consistency by utilizing sound practices and 
disciplinary protocols.173 Further, after a reasonable 
period, the compliance officer should review the circumstances that 
formed the basis for the investigation to determine whether similar 
problems have been uncovered or modifications of the compliance program 
are necessary to prevent and detect other inappropriate conduct or 
violations.
---------------------------------------------------------------------------

    \173\ The parameters of a claim review subject to an internal 
investigation will depend on the circumstances surrounding the 
issue(s) identified. By limiting the scope of an internal audit to 
current billing, a DMEPOS supplier may fail to identify major 
problems and deficiencies in operations, as well as be subject to 
certain liability.
---------------------------------------------------------------------------

    If an investigation of an alleged violation is undertaken and the 
compliance officer believes the integrity of the investigation may be 
at stake because of the presence of employees under investigation, 
those subjects should be removed from their current work activity until 
the investigation is completed (unless an internal or Government-led 
undercover operation known to the DMEPOS supplier is in effect). In 
addition, the compliance officer should take appropriate steps to 
secure or prevent the destruction of documents or other evidence 
relevant to the investigation. If the DMEPOS supplier determines 
disciplinary action is warranted, it should be prompt and imposed in 
accordance with the DMEPOS supplier's written standards of disciplinary 
action.
    2. Reporting. If the compliance officer, compliance committee or 
other management official discovers credible evidence of misconduct 
from any source and, after a reasonable inquiry, has reason to believe 
that the misconduct may violate criminal, civil, or administrative law, 
then the DMEPOS supplier should promptly report the existence of 
misconduct to the appropriate Federal and State authorities 
174 within a reasonable period, but not more than sixty (60) 
days 175 after determining that there is credible evidence 
of a violation.176 Prompt reporting will demonstrate the 
DMEPOS supplier's good faith and willingness to work with governmental 
authorities to correct and remedy the problem. In addition, reporting 
such conduct will be considered a mitigating

[[Page 4454]]

factor by the OIG in determining administrative sanctions (e.g., 
penalties, assessments and exclusion), if the reporting provider 
becomes the target of an OIG investigation.177
---------------------------------------------------------------------------

    \174\ Appropriate Federal and State authorities include the 
Office of Inspector General, Department of Health and Human 
Services; the Criminal and Civil Divisions of the Department of 
Justice; the U.S. Attorney in the relevant district(s); and the 
other investigative arms for the agencies administering the affected 
Federal or State health care programs, such as: the State Medicaid 
Fraud Control Unit; the Defense Criminal Investigative Service; the 
Department of Veterans Affairs; the Office of Inspector General, 
U.S. Department of Labor (which has primary criminal jurisdiction 
over FECA, Black Lung and Longshore programs); and the Office of 
Inspector General, U.S. Office of Personnel Management (which has 
primary jurisdiction over the Federal Employee Health Benefits 
Program).
    \175\ In contrast, to qualify for the ``not less than double 
damages'' provision of the False Claims Act, the report must be 
provided to the Government within thirty (30) days after the date 
when the DMEPOS supplier first obtained the information. See 31 
U.S.C. 3729(a).
    \176\ The OIG believes that some violations may be so serious 
that they warrant immediate notification to governmental 
authorities, prior to, or simultaneous with, commencing an internal 
investigation, e.g., if the conduct: (1) is a clear violation of 
criminal law; (2) has a significant adverse effect on the quality of 
care provided to program beneficiaries (in addition to any other 
legal obligations regarding quality of care); or (3) indicates 
evidence of a systemic failure to comply with applicable laws, rules 
or program instructions or an existing corporate integrity 
agreement, regardless of the financial impact on Federal health care 
programs.
    \177\ The OIG has published criteria setting forth those factors 
that the OIG takes into consideration in determining whether it is 
appropriate to exclude a health care provider from program 
participation pursuant to 42 U.S.C. 1320a-7(b)(7) for violations of 
various fraud and abuse laws. See 62 FR 67392 (December 24, 1997).
---------------------------------------------------------------------------

    When reporting misconduct to the Government, a DMEPOS supplier 
should provide all evidence relevant to the alleged violation of 
applicable Federal or State law(s) and potential cost impact. The 
compliance officer, if applicable, with advice of counsel, and with 
guidance from the governmental authorities, could be requested to 
continue to investigate the reported violation. Once the investigation 
is completed, the compliance officer should be required to notify the 
appropriate governmental authority of the outcome of the investigation, 
including a description of the impact of the alleged violation on the 
operation of the applicable health care programs or their 
beneficiaries. If the investigation ultimately reveals that criminal, 
civil, or administrative violations have occurred, the appropriate 
Federal and State authorities 178 should be notified 
immediately.
---------------------------------------------------------------------------

    \178\ See note 174.
---------------------------------------------------------------------------

    3. Corrective Actions. As previously stated, the DMEPOS supplier 
should take appropriate corrective action, including prompt 
identification of any overpayment to the affected payor and the 
imposition of proper disciplinary action. If potential fraud or 
violations of the False Claims Act are involved, any repayment of the 
overpayment should be made as part of the discussion with the 
Government following a report of the matter to law enforcement 
authorities. Otherwise, the overpayment should be promptly refunded to 
the affected payor. The refund should also include the information as 
outlined in section II.F. Failure to disclose overpayments within a 
reasonable period of time could be interpreted as an intentional 
attempt to conceal the overpayment from the Government, thereby 
establishing an independent basis for a criminal violation with respect 
to the DMEPOS supplier, as well as any individuals who may have been 
involved. For this reason, DMEPOS supplier compliance programs should 
emphasize that overpayments obtained from Medicare or other Federal 
health care programs should be promptly disclosed and returned to the 
payor that made the erroneous payment.

III. Conclusion

    Through this document, the OIG has attempted to provide a 
foundation to the process necessary to develop an effective and cost-
efficient DMEPOS supplier compliance program. As previously stated, 
however, each program must be tailored to fit the needs and resources 
of an individual DMEPOS supplier, depending upon its size; number of 
locations; type of equipment provided; or corporate structure. The 
Federal and State health care statutes, rules, and regulations and 
Federal, State and private payor health care program requirements, 
should be integrated into every DMEPOS supplier's compliance program.
    The OIG recognizes that the health care industry in this country, 
which reaches millions of beneficiaries and expends about a trillion 
dollars annually, is constantly evolving. In particular, legislation 
has been passed that creates additional Medicare program participation 
requirements, such as requiring DMEPOS suppliers to purchase surety 
bonds and expanding the Medicare supplier standards.179 As 
stated throughout this guidance, compliance is a dynamic process that 
helps to ensure DMEPOS suppliers and other health care providers are 
better able to fulfill their commitment to ethical behavior, as well as 
meet the changes and challenges being imposed upon them by Congress and 
private insurers. Ultimately, it is OIG's hope that a voluntarily 
created compliance program will enable DMEPOS suppliers to meet their 
goals, improve the quality of service to patients, and substantially 
reduce fraud, waste, and abuse, as well as the cost of health care, to 
Federal, State and private health insurers.
---------------------------------------------------------------------------

    \179\ See 63 FR 2926 (January 20, 1998).

    Dated: January 22, 1999.
Michael Mangano,
Principal Deputy Inspector General.
[FR Doc. 99-2055 Filed 1-27-99; 8:45 am]
BILLING CODE: 4150-04-P