[Federal Register Volume 64, Number 121 (Thursday, June 24, 1999)]
[Notices]
[Pages 33869-33887]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-16072]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of Inspector General
Draft OIG Compliance Program Guidance for Certain Medicare+Choice
Organizations
AGENCY: Office of Inspector General (OIG), HHS.
ACTION: Notice and comment period.
-----------------------------------------------------------------------
SUMMARY: This Federal Register notice seeks the comments of interested
parties on draft compliance program guidance developed by the Office of
Inspector General for Medicare+Choice Organizations that offer
Coordinated Care Plans (M+CO/CCPs). Through this notice, the OIG is
setting forth its general views on the value and fundamental principles
of M+CO/CCP compliance programs, and the specific elements that each
M+CO/CCP should consider when developing and implementing an effective
compliance program.
DATES: To assure consideration, comments must be delivered to the
address provided below by no later than 5 p.m. on July 26, 1999.
ADDRESSES: Please mail or deliver written comments to the following
address: Office of Inspector General, Department of Health and Human
Services, Attention: OIG-4N-CPG, Room 5246, Cohen Building, 330
Independence Avenue, S.W., Washington, D.C. 20201.
We do not accept comments by facsimile (FAX) transmission. In
commenting, please refer to file code OIG-4N-CPG. Comments received
timely will be available for public inspection as they are received,
generally beginning approximately 2 weeks after publication of a
document, in Room 5541 of the Office of Inspector General at 330
Independence Avenue, S.W., Washington, D.C. 20201 on Monday through
Friday of each week from 8:00 a.m. to 4:30 p.m.
FOR FURTHER INFORMATION CONTACT: Susan Lemanski or Barbara
Frederickson, (202) 619-2078, Office of Counsel to the Inspector
General.
SUPPLEMENTARY INFORMATION:
[[Page 33870]]
Background
The creation of compliance program guidance has become a major
initiative of the OIG in its efforts to engage the private health care
community in addressing and fighting fraud and abuse. In the last
several years, the OIG has developed and issued the following
compliance program guidance directed at various segments of the health
care industry:
Clinical Laboratories (62 FR 9435; March 3, 1997, as
amended in 63 FR 45076; August 24, 1998),
Hospitals (63 FR 8987; February 23, 1998),
Home Health Agencies (63 FR 42410; August 7, 1998), and
Third-Party Medical Billing Companies (63 FR 70138;
December 18, 1998).
In addition, the OIG published a draft compliance guidance for
Durable Medical Equipment, Prosthetics, Orthotics and Supply Industry
(64 FR 4435; January 28, 1999). The guidance can also be found on the
OIG web site at http://www.dhhs.gov/progorg/oig.
On September 22, 1998, the OIG published a solicitation notice
seeking information and recommendations for developing formal guidance
for M+CO/CCPs (63 FR 50577). In response to that solicitation notice,
the OIG received 5 comments from various parts of the industry and
their representatives. In developing this notice for formal public
comment, we have considered those comments, as well as previous OIG
publications, such as other compliance program guidances, Special Fraud
Alerts, reports issued by the OIG's Office of Audit Services and Office
of Evaluation and Inspections. We also took into account past and
recent fraud investigations conducted by the OIG's Office of
Investigations and the Department of Justice, and have consulted
directly with HCFA.
Elements Addressed in the Draft M+CO/CCP Guidance
This draft of M+CO/CCP guidance contains the following 7 elements
that the OIG has determined are fundamental to an effective compliance
program:
Implementing written policies, procedures and standards of
conduct;
Designating a compliance officer and compliance committee;
Conducting effective training and education;
Developing effective lines of communication;
Conducting internal monitoring and auditing;
Enforcing standards through well-publicized disciplinary
guidelines; and
Responding promptly to detected offenses and developing
corrective action.
These elements are contained in the other guidances issued by the
OIG, indicated above. As with the other guidances, this draft
compliance program guidance represents the OIG's suggestions on how
M+CO/CCPs can best establish internal controls and monitoring to
correct and prevent fraudulent activities. The contents of this
guidance should not be viewed as mandatory or as an exclusive
discussion of the advisable elements of a compliance program. While
elements put forth in this draft compliance guidance are similar to
elements HCFA has included in its conditions to contract as an M+C
organization, the guidance is intended to present voluntary guidance to
the industry, and not represent binding standards for M+CO/CCPs.
Public Input and Comment in Developing Final Guidance
In an effort to ensure that all parties have an opportunity to
provide input into the OIG's guidance, we are publishing this guidance
in draft form. We welcome any comments from interested parties
regarding this guidance.'
We will consider all comments that are received within the above-
cited time frame, incorporate any recommendations as appropriate, and
will prepare and publish a final version of the M+CO/CCP guidance.
Draft Compliance Program Guidance for M+CO/CCPs (June 1999)
I. Introduction
In its ongoing effort to work collaboratively with the health care
industry to achieve the mutual goals of quality health care and the
elimination of fraud, waste and abuse, the Office of Inspector General
(OIG) of the Department of Health and Human Services (HHS) has
encouraged voluntarily developed and implemented compliance programs
for the health care industry. As a demonstration of the OIG's
commitment to compliance, the OIG has issued recommendations, in the
form of compliance program guidances, that provide suggestions
regarding how specific segments of the industry can best implement
compliance programs.1
---------------------------------------------------------------------------
\1\ See 64 FR 4435 (1/28/99) for the draft compliance program
guidance for the durable medical equipment, prosthetics, orthotics
and suppliers industry; 63 FR. 70138 (12/18/98) for compliance
program guidance for third-party medical billing companies; 63 FR
45076 (8/24/98) for compliance program guidance for clinical
laboratories; 63 FR 42410 (8/7/98) for compliance program guidance
for home health agencies; and 63 FR 8987 (2/23/98) for compliance
program guidance for hospitals. These documents are also located on
the Internet at http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------
As a result of the changing nature of the health care delivery
system and the growing trend toward reliance on the managed care
industry in the provision of such health care delivery, the OIG
believes it is appropriate to issue a guidance focusing on
Medicare+Choice organizations 2 offering coordinated care
plans 3 (Medicare+Choice organizations). The OIG believes
that the implementation of compliance plans in the managed care
industry can provide a mechanism for further improving the quality,
productivity and efficiency of the health care industry as a whole.
This guidance is intended to assist Medicare+Choice organizations and
their agents and subcontractors in developing effective internal
controls that promote adherence to applicable Federal and State law and
the program requirements of Federal health plans.
---------------------------------------------------------------------------
\2\ A Medicare+Choice organization is defined as a public or
private entity organized and licensed by a State as a risk-bearing
entity (with the exception of provider-sponsored organizations
receiving waivers) that is certified by the Health Care Financing
Administration (HCFA) as meeting the Medicare+Choice contract
requirements. See 42 CFR 422.2.
\3\ For the purposes of this compliance program guidance, a
``coordinated care plan'' is a plan that includes a network of
providers that are under contract or arrangement with the
organization to deliver the benefit package approved by HCFA. See 42
U.S.C. 1395w-28(a)(1); 42 CFR 422.4.
---------------------------------------------------------------------------
While the regulations implementing the Medicare+Choice program, or
Part C, require a Medicare+Choice organization to establish a
compliance plan,4 the OIG's program guidance is voluntary
and simply is intended to provide assistance for Medicare+Choice
organizations looking for additional direction in the development and
implementation of a compliance program. As such, this guidance
addresses the OIG's view on comprehensive compliance programs
pertaining to Medicare+Choice organizations.
---------------------------------------------------------------------------
\4\ The regulations require that any plan contracting with HCFA
implement a compliance plan that encompasses the elements detailed
in the Federal Sentencing Guidelines. See 42 CFR 422.501(b)(vi).
HCFA will release an operational policy letter addressing the
compliance requirements detailed in the regulation. In response to
concerns from industry representatives on the short time frame for
implementing a compliance plan, HCFA delayed the actual
implementation date of the compliance plan until January 1, 2000.
---------------------------------------------------------------------------
The OIG formulated this guidance specifically for Medicare+Choice
organizations because these organizations are well-defined and somewhat
limited in the statutory and regulatory jurisdiction of the States, as
evidenced by the pre-emption
[[Page 33871]]
provisions.5 In this guidance, we have focused our attention
on Federal health care regulations governing marketing, enrollment,
disenrollment, underutilization, data collection, anti-kickback statute
and anti-dumping, rather than providing instruction on all aspects of
regulatory compliance. The OIG encourages managed care organizations to
read the guidance with the whole organization in mind, applying the
guidance to whatever departments or divisions, including private-sector
managed care areas, that are deemed appropriate. Indeed, many of the
suggestions in this guidance can be used by managed care organizations
that do not contract with HCFA. In particular, entities that
participate in other public health care programs, such as Medicaid, may
want to look to the general principles in this document to assist them
in developing compliance programs.
---------------------------------------------------------------------------
\5\ See 42 U.S.C. 1395w-26(b)(3); 42 CFR 422.402. The Federal
preemption provisions in the Medicare+Choice regulations cover: (1)
any State statutes, regulations, contract requirements, or any other
standards that would otherwise apply to Medicare+Choice
organizations only to the extent that such State laws are
inconsistent with the standards under 42 CFR part 422; and (2) State
laws that are specifically preempted in 42 CFR 422.402(b).
---------------------------------------------------------------------------
Within this document, the OIG first provides its general views on
the value and fundamental principles of Medicare+Choice organizations'
compliance programs, and then provides specific elements that each
Medicare+Choice organization should consider when developing and
implementing an effective compliance program.
Fundamentally, compliance efforts are designed to establish a
culture within an organization that promotes prevention, detection and
resolution of instances of conduct that do not conform to Federal and
State law and Federal health care program requirements, as well as the
Medicare+Choice organization's ethical and business policies. In
practice, the compliance program should effectively articulate and
demonstrate the organization's commitment to legal and ethical conduct.
Eventually, a compliance program should become part of the fabric of a
Medicare+Choice organization's routine operations.
It is incumbent upon a Medicare+Choice organization's officers and
managers to provide ethical leadership to the organization and to
assure adequate systems and resources are in place to facilitate and
promote ethical and legal conduct. Employees, managers and the
Government will focus on the words and actions (including decisions
made on resources devoted to compliance) of a Medicare+Choice
organization's leadership as a measure of the organization's commitment
to compliance. Indeed, many organizations have adopted mission
statements articulating their commitment to high ethical standards.
Implementing an effective compliance program requires a substantial
commitment of time, energy and resources by senior management and the
Medicare+Choice organization's governing body. Superficial programs
that simply purport to comply with the elements discussed and described
in this guidance, or programs hastily constructed and implemented
without appropriate ongoing monitoring, will likely be ineffective and
could expose the Medicare+Choice organization to greater liability than
no program at all. Although an effective compliance program may require
significant additional resources or a reallocation of existing
resources, the long term benefits of implementing such a program
significantly outweigh the costs. Undertaking a compliance program is a
beneficial investment that advances the Medicare+Choice organization,
the health of Medicare+Choice enrollees and the stability and solvency
of the Medicare program.
A. Benefits of a Compliance Program
The OIG believes an effective compliance program provides a
mechanism that brings the public and private sectors together to reach
mutual goals of reducing fraud and abuse, improving operational
quality, improving the quality of health care and reducing the costs of
health care. Attaining these goals provides positive results to
business, Government, individual citizens and Medicare beneficiaries
alike. In addition to fulfilling its legal duty to ensure that it is
not submitting false or inaccurate information to the Government or
providing substandard care to Medicare beneficiaries, a Medicare+Choice
organization may gain numerous additional benefits by implementing an
effective compliance program. These benefits may include:
The formulation of effective internal controls to assure
compliance with Federal regulations and internal guidelines;
Improved collaboration, communication and cooperation
between health care providers and the Medicare+Choice organization, as
well as within the Medicare+Choice organization itself;
Improved communication with and satisfaction of
Medicare+Choice enrollees;
The ability to more quickly and accurately react to
employees' operational compliance concerns and the capability to
effectively target resources to address those concerns;
A concrete demonstration to employees and the community at
large of the Medicare+Choice organization's strong commitment to honest
and responsible corporate conduct;
The ability to obtain an accurate assessment of employee
and contractor behavior relating to fraud and abuse;
Improved (clinical and non-clinical) quality of care and
service;
Improved assessment tools that could affect many or all of
the Medicare+Choice organization's divisions or departments;
Increased likelihood of identification and prevention of
unlawful and unethical conduct;
A centralized source for distributing information on
health care statutes, regulations and other program directives related
to fraud and abuse;
An environment that encourages employees to report
potential problems;
Procedures that allow the prompt, thorough investigation
of possible misconduct by corporate officers, managers, employees and
independent contractors;
An improved relationship with the Center for Health Plans
and Providers (CHPP) at HCFA;
Early detection and reporting, minimizing the loss to the
Government from false claims, and thereby reducing the Medicare+Choice
organization's exposure to civil damages and penalties, criminal
sanctions, and administrative remedies, such as program exclusion;
6 and
---------------------------------------------------------------------------
\6\ The OIG, for example, will consider the existence of an
effective compliance program that pre-dated any governmental
investigation when addressing the appropriateness of administrative
sanctions. However, the burden is on the Medicare+Choice
organization to demonstrate the operational effectiveness of a
compliance program. Further, the False Claims Act, 31 U.S.C. 3729-
3733, provides that a person who has violated the Act, but who
voluntarily discloses the violation to the Government within thirty
days of detection, in certain circumstances will be subject to not
less than double, as opposed to treble, damages. See 31 U.S.C.
3729(a). In addition, an organization will receive sentencing credit
for an ``effective'' compliance program under the Federal Sentencing
Guidelines. See United States Sentencing Commission Guidelines,
Guidelines Manual, 8C2.5. Thus, the ability to react quickly when
violations of the law are discovered may materially reduce the
Medicare+Choice organization's liability.
---------------------------------------------------------------------------
An enhancement of the structure of the Medicare+Choice
organization's separate business units.
Overall, the OIG believes that an effective compliance program is a
sound
[[Page 33872]]
business investment that has the potential of enhancing the efficiency
and effectiveness of the Medicare+Choice organization. It may also
improve the Medicare+Choice organization's financial structure by
addressing not only fraud and abuse concerns, but efficiency and
productivity concerns in other operational areas.
The OIG recognizes the implementation of an effective compliance
program may not entirely eliminate fraud, abuse and waste from an
organization. However, a sincere effort by a Medicare+Choice
organization to comply with applicable Federal and State standards,
through the establishment of an effective compliance program,
significantly reduces the probability of unlawful or improper conduct.
B. Application of Compliance Program Guidance
Before explaining the specific elements of a compliance program, it
is important to emphasize several aspects of this document: its
voluntary nature, its applicability to Medicare+Choice organizations
that offer coordinated care plans, the collaborative nature by which it
was developed, and its evolving nature.
First, it should be re-emphasized that while the regulations
implementing the Medicare+Choice program, or Part C, require a
Medicare+Choice organization to establish a compliance plan, including
specified elements, 7 this program guidance is voluntary.
Although this document presents basic procedural and structural
guidance for designing a compliance program, it is not in itself a
compliance program. Rather, it is a set of guidelines for consideration
by a Medicare+Choice organization interested in obtaining specific
information on implementing a compliance program. This guidance
represents the OIG's suggestions on how a Medicare+Choice organization
can establish internal controls and monitor company conduct to correct
and prevent fraudulent activities.
---------------------------------------------------------------------------
\7\ See note 4.
---------------------------------------------------------------------------
It is critical for the Medicare+Choice organization to assess its
own organization and determine its needs with regard to compliance with
applicable Federal and State statutes and Federal health care program
requirements. By no means should the contents of this guidance be
viewed as an exclusive discussion of the advisable components of a
compliance program. On the contrary, the OIG strongly encourages
Medicare+Choice organizations to develop and implement compliance
components that uniquely address the individual organization's risk
areas.
Implementing a compliance program in the managed care industry is a
complicated venture. There are significant variances and complexities
among Medicare+Choice organizations in terms of the type of services
and the manner in which these services are provided to the respective
members. For example, some Medicare+Choice organizations cover broad
service areas, while others are focused on a particular geographic
region. Similarly, the range of benefits covered differ among plans.
Clearly, these differences may give rise to different substantive
policies to ensure effective compliance. Furthermore, some
Medicare+Choice organizations are relatively small (such as provider-
sponsored organizations (PSOs)), while others are fully integrated and
offer Medicare+Choice plans 8 in a wide variety of areas.
Finally, the availability of resources for any one Medicare+Choice
organization can differ vastly.
---------------------------------------------------------------------------
\8\ A ``Medicare+Choice plan,'' as defined in this guidance,
refers to health benefits coverage offered under a policy or
contract by a Medicare+Choice organization that includes a specific
set of health benefits offered at a uniform premium and uniform
level of cost sharing to all Medicare beneficiaries residing in the
service area of the Medicare+Choice plan. See 42 CFR 422.2.
---------------------------------------------------------------------------
Notwithstanding these differences, this guidance is pertinent for
all Medicare+Choice organizations, large or small, regardless of the
type of services provided. The applicability of the recommendations and
guidelines provided in this document may depend on the circumstances
and resources of each particular Medicare+Choice organization. However,
regardless of the organization's size and structure, the OIG believes
every Medicare+Choice organization can and should strive to accomplish
the objectives and major principles underlying all of the compliance
policies and procedures recommended within this guidance.
The OIG recognizes that the success of the compliance program
guidance hinges on thoughtful and practical comments from those
individuals and organizations that will utilize the tools set forth in
this document. In a continuing effort to collaborate closely with the
private sector, the OIG solicited input and support from the public in
the development of this compliance program guidance. 9
Further, we took into consideration previous OIG publications, such as
Special Fraud Alerts, the recent findings and recommendations in
reports issued by OIG's Office of Audit Services (OAS) and Office of
Evaluation and Inspections (OEI), 10 comments from HCFA, as
well as the experience of past and recent fraud investigations related
to managed care organizations 11 conducted by OIG's Office
of Investigations (OI) and the Department of Justice.
---------------------------------------------------------------------------
\9\ See Solicitation of Information and Recommendations for
Developing the OIG Compliance Program Guidance for Certain
Medicare+Choice Organizations. 63 FR 50577 (9/22/98).
\10\ Special Fraud Alerts are available on the OIG website at
http://www.dhhs.gov/progorg/oig. The recent findings and
recommendations of OAS and OEI can be located on the Internet at
http://www.hhs.gov/progorg/oas/cats/hcfa.html and http://
www.hhs.gov/progorg/oei, respectively.
\11\ These investigations include findings based upon Medicare
risk-based Health Maintenance Organizations as defined in 42 U.S.C.
1395mm.
---------------------------------------------------------------------------
As appropriate, this guidance may be modified and expanded as more
information and knowledge is obtained by the OIG, and as changes in the
law, and in the rules, policies and procedures of the Federal and State
plans occur. The OIG understands Medicare+Choice organizations will
need adequate time to react to these modifications and expansions and
to make any necessary changes to their voluntary compliance programs.
New compliance practices may eventually be incorporated into this
guidance if the OIG discovers significant enhancements to better ensure
an effective compliance program. We recognize the development and
implementation of compliance programs in Medicare+Choice organizations
often raise sensitive and complex legal and managerial issues.
12 However, the OIG wishes to offer what it believes is
critical guidance for those who are sincerely attempting to comply with
the relevant health care statutes and regulations.
---------------------------------------------------------------------------
\12\ Nothing stated herein should be substituted for, or used in
lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------
II. Compliance Program Elements
The elements proposed by these guidelines are similar to those of
the other OIG Compliance Program Guidances 13 and our
corporate integrity agreements. 14 As noted above, the
elements represent a guide that can be tailored to fit the needs and
financial realities of a particular Medicare+Choice organization, large
or
[[Page 33873]]
small, regardless of the type of services offered.
---------------------------------------------------------------------------
\13\ See note 1.
\14\ Corporate integrity agreements are executed as part of a
civil settlement agreement between the health care provider and the
Government to resolve a case based on allegations of health care
fraud or abuse. These OIG-imposed programs are in effect for a
period of three to five years and require many of the elements
included in this compliance guidance.
---------------------------------------------------------------------------
Every effective compliance program must begin with a formal
commitment 15 by the Medicare+Choice organization's
governing body to include all of the applicable elements listed below.
A good faith and meaningful commitment on the part of the
Medicare+Choice organization's administration, especially the governing
body and the chief executive officer (CEO), will substantially
contribute to the program's successful implementation. These elements
are based on the seven steps of the Federal Sentencing Guidelines.
16 We believe every Medicare+Choice organization can
implement all of the recommended elements and expand upon them, as
appropriate.
---------------------------------------------------------------------------
\15\ Formal commitment may include a resolution by the board of
directors, where applicable. A formal commitment does include the
allocation of adequate resources to ensure that each of the elements
is addressed.
\16\ See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, comment. (n.3(k)). The Federal Sentencing
Guidelines are detailed policies and practices for the Federal
criminal justice system that prescribe appropriate sanctions for
offenders convicted of Federal crimes.
---------------------------------------------------------------------------
At a minimum, comprehensive compliance programs should include the
following seven elements:
(1) The development and distribution of written standards of
conduct, as well as written policies and procedures, that promote the
Medicare+Choice organization's commitment to compliance and that
address specific areas of potential fraud (e.g., the marketing process,
and underutilization);
(2) The designation of a chief compliance officer and other
appropriate bodies, e.g., a corporate compliance committee, charged
with the responsibility of operating and monitoring the compliance
program and who report directly to the CEO and the governing body;
(3) The development and implementation of regular, effective
education and training programs for all affected employees;
(4) The development of effective lines of communication between the
compliance officer and all employees, including a process, such as a
hotline, to receive complaints (and the adoption of procedures to
protect the anonymity of complainants and to protect callers from
retaliation);
(5) The use of audits or other risk evaluation techniques to
monitor compliance and assist in the reduction of identified problem
areas;
(6) The development of disciplinary mechanisms to consistently
enforce standards and the development of policies addressing dealings
with sanctioned and other specified individuals; and
(7) The development of policies to respond to detected offenses and
to initiate corrective action to prevent similar offenses.
A. Written Policies and Procedures
Every compliance program should require the development and
distribution of written compliance policies, standards and practices
that identify specific areas of risk and vulnerability to the
Medicare+Choice organization. These policies should be developed under
the direction and supervision of the chief compliance officer and the
compliance committee and, at a minimum, should be provided to all
individuals who are affected by the particular policy at issue,
including the Medicare+Choice organization's agents and independent
contractors.17
---------------------------------------------------------------------------
\17\ According to the Federal Sentencing Guidelines, an
organization must have established compliance standards to be
followed by its employees and other agents in order to receive
sentencing credit. The Guidelines define ``agent'' as ``any
individual, including a director, an officer, an employee, or an
independent contractor, authorized to act on behalf of the
organization.'' See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(d).
---------------------------------------------------------------------------
Medicare+Choice organizations maintain ultimate responsibility for
adhering to and otherwise fully complying with all terms and conditions
of their contract with HCFA.18 It is with this in mind that
the OIG strongly recommends that the Medicare+Choice organization
coordinate with its first tier and downstream providers to establish
compliance responsibilities,19 in addition to the
contractual responsibilities required by HCFA.20 For
example, OIG recommends that the Medicare+Choice organization
coordinate with its contracting providers regarding the steps that
should be taken by the providers to verify and confirm to the
Medicare+Choice organization the accuracy of information and data
submitted to the Medicare+Choice organization concerning patient
encounters and fee-for-service claims. Once the responsibilities have
been clearly delineated, they should be formalized in legally
enforceable written arrangement between the health care provider and
the Medicare+Choice organization. The OIG recommends this document
enumerate those functions that are shared responsibilities and those
that are the sole responsibility of the Medicare+Choice organization.
---------------------------------------------------------------------------
\18\ See 42 CFR 422.502(i).
\19\ At a minimum, the Medicare+Choice organization should send
a copy of its compliance program manual to all of its health care
providers. The Medicare+Choice organization should also coordinate
with its health care providers in the development of a training
program, an audit plan and policies for investigating misconduct.
\20\ See 42 CFR 422.502(i)(3)-(4).
---------------------------------------------------------------------------
1. Standards of Conduct
Medicare+Choice organizations should develop standards of conduct
for all affected employees that include a clearly delineated commitment
to compliance by the organization's senior management and its
divisions. To help communicate a strong and explicit organizational
commitment to compliance goals and standards, the Medicare+Choice
organization's governing body, CEO, chief operating officer (COO),
general counsel, chief financial officer (CFO) and other senior
officials should be directly involved in the development of standards
of conduct.
The standards should function in the same fashion as a
constitution, i.e., as a foundational document that details the
fundamental principles, values and framework for action within an
organization, as well as the organization's mission and goals. The
standards should also articulate the Medicare+Choice organization's
commitment to comply with all Federal and State standards, with an
emphasis on preventing fraud and abuse. The standards should not only
address compliance with statutes and regulations, but should also set
forth broad principles that guide employees in conducting business
professionally and properly. In short, the standards should promote
integrity, support objectivity and foster trust. Furthermore, a
Medicare+Choice organization's standards of conduct should reflect a
commitment to the highest quality health care delivery, as evidenced by
its quality, reliability and timeliness.
2. Written Policies for Risk Areas
As part of its commitment to compliance, Medicare+Choice
organizations should establish a comprehensive set of written policies
that address all applicable statutes, rules and program instructions
that apply to each function or department of the Medicare+Choice
organization.21 The
[[Page 33874]]
policies should address specific areas of concern, such as marketing
practices and data collection and submission processes. In contrast to
the standards of conduct, which are designed to be a clear and concise
collection of fundamental standards, the written policies should
articulate specific procedures personnel should follow when performing
their duties.
---------------------------------------------------------------------------
\21\ This includes, but is not limited to, the Medicare+Choice
provisions and the fraud and abuse provisions of the Balanced Budget
Act of 1997, Pub.L. 105-33; the civil False Claims Act, 31 U.S.C.
3729-3733; the criminal false claims statutes, 18 U.S.C. 287, 1001;
the fraud and abuse provisions of the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), Pub.L. 104-191; and the
civil monetary penalties in the Social Security Act, 42 U.S.C.
1320a-7a and 42 U.S.C. 395w-27(g). See also 42 CFR 422.1-422.312.
---------------------------------------------------------------------------
In order to determine what policies and procedures are needed, the
OIG recommends that Medicare+Choice organizations conduct a
comprehensive self-administered risk analysis or contract for an
independent risk analysis by experienced health care consulting
professionals. This risk analysis should identify and rank the various
compliance and business risks the company may experience in its daily
operations. A Medicare+Choice organization's prior history of
noncompliance with applicable statutes, regulations and Federal health
care program requirements may indicate additional types of risk areas
where the organization may be vulnerable and may require necessary
policy measures to prevent avoidable recurrence.22
---------------------------------------------------------------------------
\22\ ``Recurrence of misconduct similar to that which an
organization has previously committed casts doubt on whether it took
all reasonable steps to prevent such misconduct'' and is a
significant factor in the assessment of whether a compliance program
is effective. See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(7)(ii).
---------------------------------------------------------------------------
The fact that Medicare+Choice organizations may be both providers
and insurers of health care increases the number and type of risk areas
to which a Medicare+Choice organization must be attuned, as well as the
type of auditing and monitoring procedures that must be implemented, in
the development of its compliance efforts. For example, an individual
Medicare+Choice organization may contract with a variety of providers
with different specialities and, consequently, must consider a variety
of different risk areas.
The regulations and operational policies issued by HCFA that
implement the Medicare+Choice program are very comprehensive and should
serve as the basis for the policies and procedures of a Medicare+Choice
organization.23 The legal and policy requirements that
organizations must meet to qualify as a Medicare+Choice organization
are articulated in documentation promulgated by HCFA and other Federal
agencies and should be considered de facto risk areas. Included among
these risk areas are: (1) The election process; (2) benefits and
beneficiary protections; (3) quality assurance; (4) premiums and cost
sharing; (5) solvency, licensure and other State regulatory issues; (6)
claims processing; and (7) appeals and grievance procedures. Given the
detailed nature of the rules and regulations, we have not attempted in
this document to identify each and every policy that should be
established by a Medicare+Choice organization. Rather, based on a
review OIG audits, investigations and evaluations, we have identified
the following areas of particular concern to OIG that the
Medicare+Choice organization should consider in developing its written
policies and procedures: 24
---------------------------------------------------------------------------
\23\ Medicare+Choice organizations should regularly access the
HCFA managed care website for updates on operational policies and
procedures. Operational Policy Letters can be located on HCFA's
website at http://www.hcfa.gov/medicare/mgd-ops.htm.
\24\ Medicare+Choice organizations may also want to consult the
OIG's Work Plan when conducting the risk assessment. The OIG Work
Plan details the various projects the OIG currently intends to
address in the fiscal year. It should be noted that the priorities
in the Work Plan are subject to modification and revision as the
year progresses and the Work Plan does not represent a complete or
final list of areas of concern to the OIG. The Work Plan is
currently available on the Internet at http://www.dhhs.gov/progorg/
oig.
---------------------------------------------------------------------------
Marketing materials and personnel;
Selective marketing and enrollment;
Disenrollment;
Underutilization and quality of care;
Data collection and submission processes;
Anti-kickback statute and other inducements; and
Anti-dumping statute.
As note above, the list is not all-encompassing and the
Medicare+Choice organization should conduct additional surveys and
statistical analysis specifically tailored to the organization's
beneficiary population and organizational structure.25
---------------------------------------------------------------------------
\25\ Although many of these areas apply specifically to
Medicare+Choice organizations, many of the areas identified below
have analogous issues in non-Medicare organizations. Medicare+Choice
organizations that provide private managed care products should
establish additional policies and procedures for risk areas that
apply specifically to those areas. Some overlap with Medicare+Choice
policies will likely occur, however Medicare+Choice organizations
should segregate any policies and procedures for which HCFA has
instituted specific reporting requirements for the Medicare
population.
---------------------------------------------------------------------------
The following sections provide specific guidance regarding the
types of policies that should be implemented by Medicare+Choice
organizations.
a. Marketing Materials and Personnel
While each Medicare+Choice organization must comply with all of
HCFA's detailed requirements relating to marketing their
plans,26 OIG is particularly concerned that organizations
have policies regarding: (1) the completeness and accuracy of the
marketing materials; and (2) marketing personnel.
---------------------------------------------------------------------------
\26\ Medicare+Choice organizations should ensure that they
conform to fair marketing standards as set forth in the statute, the
Medicare Managed Care National Marketing Guide (Marketing
Guide)(which can be located on the HCFA Managed Care website at
http://www.hcfa.gov/medicare/mgd-ops.htm) and all HCFA Operational
Policy Letters affecting marketing matters.
---------------------------------------------------------------------------
Accurate and useful information is crucial to the success of the
Medicare+Choice program. OIG is very concerned that Medicare+Choice
organizations correctly and completely describe plan information in any
marketing materials or other materials distributed to individuals once
enrolled in the plan. Medicare+Choice organizations that misrepresent
or falsify information submitted to HCFA, individuals or entities are
subject to civil monetary penalties (CMPs).27
---------------------------------------------------------------------------
\27\ 42 U.S.C. 1395w-27(g).
---------------------------------------------------------------------------
The submission of inaccurate or misleading information is of
particular concern in light of the recent study conducted by the
General Accounting Office (GAO) that examined 16 managed care
organizations and found that all organizations had distributed
materials containing inaccurate or incomplete benefit
information.28 It should be noted that HCFA had reviewed and
approved the materials from all the organizations in the GAO study.
Given this finding, Medicare+Choice organizations should take special
care to ensure that all marketing materials are accurate,
notwithstanding whether the materials have been approved by
HCFA.29
---------------------------------------------------------------------------
\28\ ``Medicare+Choice: New Standards Could Improve Accuracy and
Usefulness of Plan Literature.'' (GAO/HEHS-99-92)(April 1999).
\29\ Medicare+Choice organizations may not distribute marketing
materials or election forms unless they are approved by HCFA. 42 CFR
422.80.
---------------------------------------------------------------------------
HCFA considers marketing materials to include any material used by
a Medicare+Choice organization to contact a Medicare beneficiary. As
such, marketing materials go beyond the public's general conception of
marketing materials and include general circulation brochures,
leaflets, newspapers, magazines, television, radio, billboards, yellow
pages, the Internet, slides and charts, and leaflets for distribution
by providers. Such materials also include membership communication
materials such as membership rules, subscriber agreements, or
confirmation of enrollment.30 Accordingly,
[[Page 33875]]
Medicare+Choice organizations should carefully scrutinize all of these
materials for completeness, accuracy and compliance with HCFA rules.
---------------------------------------------------------------------------
\30\ 42 CFR 422.80(b).
---------------------------------------------------------------------------
In verifying that marketing materials meet all HCFA requirements,
Medicare+Choice organizations should ensure that the materials contain
an adequate written description of rules, procedures, basic benefits
and services, and an explanation of the grievance and appeals
process.31 Of particular concern to HCFA and OIG is that the
concept of ``lock-in'' is clearly explained in all marketing material.
Many Medicare beneficiaries are unfamiliar with the notion that managed
care may limit their health care provider choices. Describing the
process of selecting a primary care physician and the limitations that
this places on a Medicare+Choice enrollee's choice of provider will
significantly reduce the unmet expectations of Medicare beneficiaries.
---------------------------------------------------------------------------
\31\ 42 CFR 422.80(c).
---------------------------------------------------------------------------
Another important concept to include in the marketing materials is
the fact that the beneficiary may be terminated from enrollment in the
plan due to the decision of the Medicare+Choice organization not to
renew its contract with HCFA, or due to HCFA's decision to refuse to
renew the contract.32 This termination can affect the
enrollee's 33 eligibility for supplemental insurance and
other benefits.
---------------------------------------------------------------------------
\32\ 42 CFR 422.80(c)(3).
\33\ Periodic on-site visits of the Medicare+Choice
organization's operations, bulletins with compliance updates and
reminders, distribution of audiotapes or videotapes on different
risk areas, lectures at management and employee meetings,
circulation of recent health care articles covering fraud and abuse
and innovative changes to compliance training are various examples
of approaches and techniques the compliance officer can employ for
the purpose of ensuring continued interest in the compliance program
and the Medicare+Choice organization's commitment to its principles
and policies.
---------------------------------------------------------------------------
Second, in light of the critical role that marketing personnel play
in representing the plan to Medicare enrollees, the Medicare+Choice
organization must take all appropriate steps to ensure that marketing
personnel are presenting clear, complete and accurate information to
potential enrollees. To that end, OIG strongly encourages
Medicare+Choice organizations to employ their own marketing personnel,
as opposed to contracting these responsibilities to outside
entities.34 This provides the Medicare+Choice organization
the necessary control to ensure that these individuals meet all HCFA
guidelines. Similarly, it safeguards Medicare beneficiaries from
practices that could seriously endanger their access to health care to
which they are entitled, and their ability to acquire accurate and
complete information regarding their health care options.
---------------------------------------------------------------------------
\34\ It should be noted that Medicare+Choice organizations have
ultimate responsibility for the acts and omissions of its marketing
agents. See 42 CFR 422.502(i).
---------------------------------------------------------------------------
Medicare+Choice organizations should also be aware that OIG and
HCFA strongly discourage the use of physicians as marketing agents for
several reasons: (1) physicians are usually not fully aware of
membership plan benefits and costs; (2) physicians may not be the best
source of membership information about their patients; (3) when a
physician acts outside his or her traditional role as care provider,
the physician's patients may be confused as to when the physician is
acting as an agent of the plan, and when the physician is acting to
further the interests of the patient; and (4) a physician's knowledge
of a patient's health status increases the potential for discriminating
in favor of Medicare beneficiaries with positive health status when
acting as a marketing agent.35 Therefore, the organization
should develop procedures to prevent the use of physicians in this way.
---------------------------------------------------------------------------
\35\ See Marketing Guide, Chapter IV.
---------------------------------------------------------------------------
b. Selective Marketing and Enrollment
OIG is very concerned about the practice known as ``cherry-
picking,'' or selective marketing,36 in which
Medicare+Choice organizations discriminate in the marketing and
enrollment process based upon an enrollee's degree of risk for costly
or prolonged treatment.37 Except for individuals who have
been medically determined to have end-stage renal disease, a
Medicare+Choice organization may not deny, limit or condition the
coverage or furnishing of benefits to individuals eligible to enroll in
a Medicare+Choice plan offered by the organization on the basis of any
factor that is related to health status, including, but not limited to,
the following: (1) Medical condition (including mental illness); (2)
claims experience; (3) receipt of health care; (4) medical history; (5)
genetic information; (6) evidence of insurability; and (7)
disability.38 Engaging in practices that would reasonably be
expected to have the effect of denying or discouraging enrollment by
eligible individuals whose medical condition or history indicates the
need for substantial future medical services subjects the
Medicare+Choice organization to a CMP.39
---------------------------------------------------------------------------
\36\ OIG is also concerned about a similar problem, known as
``gerrymandering,'' which is an attempt to eliminate certain high
dollar risk areas from the Medicare+Choice organization's service
area. Medicare+Choice organizations should be sure to have policies
in place to prohibit such practices.
\37\ Although the Medicare+Choice program has attempted to
alleviate many of the selective marketing practices through the use
of risk adjustment, the phase-in period for risk-adjustment
virtually assures that this will remain a troubling issue at least
through 2004.
\38\ See 42 U.S.C. 1395w-22(b)(1); 42 CFR 422.110.
\39\ 42 U.S.C. 1857(g)(1)(D).
---------------------------------------------------------------------------
Certain types of practices clearly fall into the category of
cherry-picking and Medicare+Choice organizations should implement
policies to prohibit such practices. For example, organizations should
prohibit employees from conducting medical screening, i.e., asking the
beneficiary medical questions prior to enrollment.40 In a
1996 survey, the OIG found that such screening for health status at
application was reported by 18 percent of beneficiaries. While this
represented a reduction from the 1993 level of 43 percent, it still
represents a potentially serious problem.41
---------------------------------------------------------------------------
\40\ This screening can be done in a number of ways, such as by
using cards or coupons requesting medical and other information as
part of a survey to potential enrollees.
\41\ ``Beneficiary Perspectives of Medicare Risk HMOs 1996.''
(OEI-06-95-00430) (March 1998).
---------------------------------------------------------------------------
Another way in which Medicare+Choice organizations may
inappropriately target healthier beneficiaries is by marketing their
plans in places where healthy enrollees would be more likely to be
present, such as at health and exercise clubs, or in areas that are
difficult to access for people with disabilities (e.g., upper floors of
buildings that do not have elevators).42 Similarly,
organizations may inappropriately provide inducements to potential
enrollees in a way that would encourage younger, healthier
beneficiaries to enroll in the plan. For example, the offering of free
gym memberships or kayaking or other sporting lessons would appeal to a
healthy class of enrollees and discriminate against those who would not
be interested in such activities.43
---------------------------------------------------------------------------
\42\ In fact, Medicare+Choice organizations are required to
allocate part of their resources to marketing to the Medicare
population with disabilities and beneficiaries aged 65 and over. 42
CFR 422.80(e)(2)(i).
\43\ The statute prohibits the provision of cash or other
monetary rebates as an inducement for enrollment in the plan. See 42
U.S.C. 1395w-21(h)(4)(A). However, HCFA allows Medicare+Choice
organizations to give Medicare beneficiaries nominal value gifts,
provided that the plan offers these gifts whether or not the
beneficiary enrolls in the plan. HCFA defines nominal value as an
item having little or no resale value (generally, less than $10),
which cannot be readily converted into cash. See Marketing Guide,
Chapter II. The use of inducements is also discussed in Section
II.B.2.f.--Anti-kickback and Other Inducements.
---------------------------------------------------------------------------
[[Page 33876]]
Other examples of cherry-picking would be: (1) attempts to give
enrollment priority to newly eligible Medicare beneficiaries (who are
theoretically younger and healthier); (2) the tracking of costs
incurred by enrollees who were enrolled in different settings (e.g., at
the health fair, or at a health club), which could be used to target
healthier enrollees in the future; or (3) re-enrollment campaigns
targeting past plan subscribers who had low medical costs. There are
many other subtle ways in which a Medicare+Choice organization may try
to enroll healthy patient populations and the organization should
implement policies to prohibit such practices.
c. Disenrollment
In general, Medicare+Choice organizations are prohibited from
disenrolling, or requesting or encouraging (either by action or
inaction) an individual to disenroll from any plan it
offers.44 If a Medicare+Choice organization acts to expel or
refuses to reenroll an individual in violation of the statute, a civil
monetary penalty can be imposed on the organization.45 OIG
is particularly concerned about disenrollment in light of its recent
review, which revealed that there was a problem with disenrollment of
beneficiaries just prior to receiving expensive inpatient
services.46
---------------------------------------------------------------------------
\44\ Medicare+Choice organizations are entitled to disenroll
individuals under certain circumstances, e.g., failure to pay
premiums or engagement in disruptive behavior. 42 CFR 422.74.
\45\ 42 U.S.C. 1857(g)(1)(C).
\46\ ``Review of Inpatient Services Performed on Beneficiaries
After Disenrolling from Medicare Managed Care.'' (A-07098-01256)
(May 1999).
---------------------------------------------------------------------------
In this review, OIG found that Medicare paid for inpatient hospital
services amounting to $224 million in fee-for-service (FFS) payments
within three months of beneficiaries' disenrollment from six risk plans
during 1991 through 1996. Had these beneficiaries not disenrolled,
Medicare would have paid the HMOs $20 million in monthly capitation
payments. Had the beneficiaries remained in the HMOs, Medicare would
have saved $204 million in expenditures. Included in the Medicare FFS
payments were $41 million for beneficiaries who disenrolled, had FFS
procedures performed, and then reenrolled into another or the same
managed care plan.
While this study did not identify the reasons for the disenrollment
as part of this review, one partial explanation of the review is that
some managed care plans may be encouraging sicker beneficiaries to
disenroll as a way to avert their own costs at a high cost to the
Medicare system.
Each Medicare+Choice organization must implement policies to ensure
that inappropriate disenrollment does not occur. Such policies should
include clarification of when it is appropriate for medical personnel
to discuss the concept of disenrollment. Generally speaking, OIG
believes it would be inappropriate for medical personnel to initiate
discussion of disenrollment or to promote disenrollment except in the
rare circumstance where the Medicare+Choice organization cannot provide
the covered medical items or services needed by the patient.
d. Underutilization and Quality of Care
Medicare+Choice organizations must ensure that all covered services
are available and accessible to all enrollees.47 OIG views
the inappropriate withholding or delay of services, known as
underutilization or ``stinting,'' as a serious concern.48
Examples of practices that can lead to underutilization and poor
quality include the failure to employ or contract with sufficient
institutional and individual providers to accommodate all enrollees,
the failure to provide geographically reachable services to enrollees,
the delay in approving or failure to approve referrals for covered
services, the establishment of utilization review procedures that are
so burdensome that an enrollee could not reasonably be expected to
fulfill the requirements, and the categorical denial of payment of
claims.
---------------------------------------------------------------------------
\47\ 42 U.S.C. 1395w-22.
\48\ Medicare+Choice organizations can be subject to sanction
for failing substantially to provide medically necessary items and
services that are required to be provided, if the failure has
adversely affected (or has the substantial likelihood of adversely
affecting) the individual. 42 U.S.C. 1395w-27(g)(1)(A).
---------------------------------------------------------------------------
There are a wide variety of policies that a Medicare+Choice
organization should implement to be sure it is providing all medically
necessary services to its enrollees. The regulations and guidelines
that implement the Medicare+Choice program contain numerous provisions
that deal with this issue. While we have not attempted to develop a
comprehensive list in this document, we would like to highlight three
types of policies that Medicare+Choice organizations should develop
that may help address underutilization and quality of care.
First, Medicare+Choice organizations should have policies that
prohibit interference with health care professionals' advice to
enrollees. Also known as the ``gag rule,'' this prohibition extends to
advice regarding the patient's health status, medical care, and
treatment options, the risks, benefits and consequences of treatment or
non-treatment, or the opportunity for the individual to refuse
treatment and to express preferences about future treatment
options.49 Failure to comply with this requirement can lead
to sanctions.50
---------------------------------------------------------------------------
\49\ 42 U.S.C. 1395w-22(j)(3), 42 C.F.R. Sec. 422.206.
\50\ 42 U.S.C. 1395w-27(g)(1)(F).
---------------------------------------------------------------------------
Second, Medicare+Choice organizations should be sure, to the extent
that they utilize physician incentive plans (PIPs) in their payment
arrangements with individual physicians or physician groups, that they
comply with all applicable regulations. The PIPs raise utilization
concerns because they are defined as ``any compensation arrangement
that may directly or indirectly have the effect of reducing or limiting
services provided to plan enrollees.'' 51 Any PIP operated
by a Medicare+Choice organization must comply with the following
requirements. First, it may make no payments to physicians (such as
offerings of monetary value, including, but not limited to, stock
options or waivers of debt 52) to reduce or limit medically
necessary services. Second, if the PIP puts a physician or physician
group at ``substantial financial risk'' 53 for referral
services, the Medicare+Choice organization must: (1) survey current and
previously enrolled members to assess access to and satisfaction with
the quality of services; and (2) assure that there is adequate and
appropriate stop-loss protection.54 Finally, Medicare+Choice
organizations must disclose certain information regarding their PIPs.
These disclosure requirements apply to direct contracting arrangements,
as well as subcontracting arrangements.55
---------------------------------------------------------------------------
\51\ See 42 CFR 422.208.
\52\ See 42 U.S.C. 1395w-22(j)(4); 42 CFR 422.208.
\53\ ``Substantial financial risk'' threshold is set at 25
percent of potential payments for covered services, regardless of
the frequency of assessment (i.e., collection) or distribution of
payments. See 42 CFR 422.208.
\54\ See 42 CFR 422.208(c).
\55\ See 42 CFR 422.210(a).
---------------------------------------------------------------------------
In general, Medicare+Choice organizations should take all necessary
steps to ensure that they comply with the Guidance on Disclosure of
Physician Incentive Plan, the Guidance on Surveys required by the
Physician Incentive Plan Regulation and the Physician Incentive Plan
Regulation Requirements.56
---------------------------------------------------------------------------
\56\ These documents can be found on the HCFA managed care
website at http://www.hcfa.gov/medicare/mgd-ops.htm. Disclosure
forms can be located at HCFA's website at http://www.hcfa.gov/
medicare/physincp/pip-info.htm. Medicare+Choice organizations may
elect paperless PIP disclosure. The PIP Data Entry Software is
available on the Internet at http://www.fu.com/HPMS.
---------------------------------------------------------------------------
[[Page 33877]]
Finally, OIG is aware of cases in which beneficiaries have received
covered services from individuals that were not appropriately licensed.
Given the serious quality of care implications of this type of
practice, OIG is particularly concerned that Medicare+Choice
organizations have procedures for the selection of providers, including
criteria for the credentialing of providers. This process should
include an application, verification of information and a site visit,
where applicable.57 The information that must be verified
includes that the individual has a valid license to practice, clinical
privileges in good standing and appropriate educational qualifications.
---------------------------------------------------------------------------
\57\ 42 CFR 422.204.
---------------------------------------------------------------------------
e. Data Collection and Submission Processes
The regulations implementing the Medicare+Choice program contain
numerous requirements relating to the data collection and submission
process, ranging from a requirement for an effective system for
receiving, controlling, and processing election forms 58 to
requirements for the timely submission of disenrollment
notices.59 These requirements cover the gamut of
requirements with which a Medicare+Choice organization must comply and
are too detailed to enumerate in this document. Medicare+Choice
organizations should establish a policy that all required submissions
to HCFA be accurate, timely and complete and that all appropriate
reporting requirements are met.60
---------------------------------------------------------------------------
\58\ 42 CFR 422.60(e).
\59\ 42 CFR 422.66(b)(3)(i).
\60\ On a related topic, Medicare+Choice organizations should
also be sure that their computer systems are Year 2000 (Y2K)
compliant. A May 1999 OIG report indicates that based on a survey of
Medicare managed care organizations, only 22 percent were Y2K ready,
with two-thirds of the remainder reporting that they will be ready
by December 31, 1999. The majority of the respondents were unaware
of the Y2K readiness of their subcontractors. ``Y2K Readiness of
Managed Care Organizations.'' (OEI-005-98-00590) (May 1999).
---------------------------------------------------------------------------
OIG is particularly concerned that Medicare+Choice organizations
submit accurate information when that data determines the amount of
payment received from HCFA. The regulations require that when a
Medicare+Choice organization requests payment under the contract, the
CEO or CFO must certify the accuracy, completeness and truthfulness of
relevant data, including enrollment data, encounter data, and
information provided as part of an adjusted community rate (ACR)
proposal.61 When a Medicare+Choice organization submits this
type of data to HCFA, it is making a ``claim'' for capitation payment
in the amount dictated by the data submitted, or in the case of the ACR
submission, a ``claim'' to retain the portion of the capitation amount
that is under the ACR amount, rather than providing additional
benefits. When a Medicare+Choice organization is claiming payment (or
the right to retain payment) based upon information submitted to HCFA,
it must take responsibility for having taken reasonable steps to assure
the accuracy of this information. The attestation forms developed by
HCFA for this purpose require certification that the information
submitted is true and accurate based on best knowledge, information,
and belief.
---------------------------------------------------------------------------
\61\ 42 CFR 422.502(l) and (m). See Contract for Year 2000,
Attachments A, B and C.
---------------------------------------------------------------------------
The requirement that the CEO or CFO certify as to the accuracy,
completeness and truthfulness of data, based on best knowledge,
information and belief, does not constitute an absolute guarantee of
accuracy. Rather, it creates a duty on the Medicare+Choice organization
to put in place an information collection and reporting system
reasonably designed to yield accurate information. Furthermore, the
Medicare+Choice organization must conduct audits and spot checks of
this system to verify whether it is yielding accurate information.
The knowing submission of false information to HCFA can lead to
serious criminal or civil penalties.62 Medicare+Choice
organizations should be sure to implement policies so that the
enrollment, encounter and ACR data submitted to HCFA is accurate,
complete and truthful. While information from a variety of sources can
affect this data, Medicare+Choice organizations should take note of two
reports issued by the OIG that have found problems in two pieces of
this data.
---------------------------------------------------------------------------
\62\ Falsification of documentation in any application for any
benefit or payment under a Federal health care program is a Federal
offense punishable by not more than $25,000 or imprisonment for 5
years, or both. See 42 U.S.C. 1320a-7b. In addition, a CMP can be
imposed for the misrepresentation or falsification of information
submitted to HCFA under Medicare+Choice. See 42 U.S.C. 1395w-
27(g)(1)(E).
---------------------------------------------------------------------------
First, OIG recommends that Medicare+Choice organizations have
policies and procedures in place that ensure that the administrative
component of the ACR is calculated accurately.63 As part of
this process, Medicare+Choice organizations should have clearly defined
criteria for claiming reimbursement for their administrative costs.
These costs should not include any costs that are directly associated
with furnishing patient care. All such costs should be allocated to the
applicable operating component. The OIG has articulated serious
concerns about the methodology used by managed care organizations in
computing their administrative rate on the ACR proposal.64
For example, computing an administrative rate based on the use of a
medical utilization factor could generate a payment that is almost
three times what would be charged on the commercial side. The OIG
believes that the allocation of ``administration'' should be determined
in accordance with the Medicare program's longstanding principle that
Medicare only pay its applicable or fair share of needed costs.
---------------------------------------------------------------------------
\63\ The administrative component of the ACR covers any
management, financial or other costs that are incurred by or
allocated to a business unit for the management or administration of
the business unit as a whole.
\64\ See e.g., ``Administrative Costs Submitted by Risk-Based
Health Maintenance Organizations on the Adjusted Community Rate
Proposals are Highly Inflated.'' (A-14-97-00202) (July 1998).
---------------------------------------------------------------------------
Second, OIG recommends that Medicare+Choice organizations have
adequate internal controls in place to ensure that the institutional
status of beneficiaries is reported accurately.65 A recent
report issued by OIG estimated that risk-based HMOs received Medicare
overpayments of $22.2 million for beneficiaries incorrectly classified
as institutionalized.66 The incorrect classification was
largely due to deficiencies in the HMOs internal controls in two areas:
(1) Verification of beneficiaries' institutional status; and (2)
reporting of institutional beneficiaries to HCFA. The results were
based on audits of eight statistically selected HMOs.
---------------------------------------------------------------------------
\65\ This will remain a concern until risk adjustment is fully
implemented.
\66\ ``Review of Medicare Managed Care Payments for
Beneficiaries with Institutional Status.'' (A-05-98-00046) (April
1999).
---------------------------------------------------------------------------
f. Anti-kickback Statute and Other Inducements
The anti-kickback statute provides criminal penalties for
individuals or entities that knowingly and willfully offer, pay,
solicit or receive remuneration to induce the referral of business
reimbursable under a Federal health care program (including Medicare
and Medicaid).67 The anti-
[[Page 33878]]
kickback statute potentially applies to many managed care arrangements
because a common strategy of these arrangements is to offer physicians,
hospitals and other providers increased patient volume in return for
substantial fee discounts. Because discounts to managed care
organizations can constitute ``remuneration'' within the meaning of the
anti-kickback statute, a number of health care providers have expressed
concern that many relatively innocuous, or even beneficial, commercial
managed care arrangements implicate the statute and may subject them to
criminal prosecution and administrative sanctions.
---------------------------------------------------------------------------
\67\ 42 U.S.C. 1320a-7b(b). If it is determined that a party has
violated the anti-kickback statute, the individual or entity can be
excluded from participation in the Medicare and other Federal health
care programs (as defined in 42 U.S.C. 1320a-7b(f)). 42 U.S.C.
1320a-7(b)(7). In addition, there is an administrative CMP provision
for violating the anti-kickback statute. 42 U.S.C. 1320a-7a(a)(7).
---------------------------------------------------------------------------
The OIG recognizes that when managed care organizations are paid a
capitated amount for all of the services they provide regardless of the
dates, frequency or type of services, there is no incentive for them to
overutilize. In any event, even if overutilization occurs, the Federal
health care programs are not at risk for these increased costs.
Accordingly, OIG will be issuing a safe harbor from the anti-kickback
statute that will provide protection for certain financial arrangements
between managed care organizations (including Medicare+Choice
organizations offering coordinated care plans) and individuals or
entities with whom they contract for the provision of health care items
or services, where a Federal health care program pays such
organizations on a capitated basis.68
---------------------------------------------------------------------------
\68\ This safe harbor was developed in accordance with section
216 of HIPAA and section 14 of the Medicare and Medicaid Patient and
Program Protection Act of 1987 (Pub. L. 100-93) through a negotiated
rulemaking process that began in the spring of 1997. For a more
detailed description of the negotiated rulemaking, see the Committee
Statement of the Negotiated Rulemaking Committee on the Shared Risk
Exception (January 22, 1998), which can be found on the Internet at
http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------
In general, the safe harbor protects payments between managed care
organizations (including Medicare+Choice organizations offering
coordinated care plans) and individuals or entities with which it has
direct contracts to provide or arrange for the provision of items or
services.69 While this is a broad exception, there are three
important limitations.
---------------------------------------------------------------------------
\69\ In addition, arrangements between direct contractors and
all subcontractors or successive tiers of subcontractors are
protected, as long as the arrangement is for the provision of health
care items or services that are covered by the arrangement between
the direct contractor and the managed care organization and the
arrangement meets the requirements applicable to arrangements
between the direct contractor and the managed care organization.
---------------------------------------------------------------------------
The first significant limitation is that there is no protection if
the financial arrangements under the managed care agreement are
implicitly or explicitly part of a broader agreement to steer fee-for-
service Federal health care program business to the entity giving the
discount to induce the referral of managed care business. Specifically,
we understand that most managed care organizations have multiple
relationships with their contractors and subcontractors for the
provision of services for various product lines, including non-federal
HMOs, preferred provider organizations (PPOs) and point of service
networks. Consequently, although neither a managed care organization
receiving a capitated payment from a Federal health care program nor
its contractors or subcontractors has an incentive to overutilize items
or services or pass additional costs back to the Federal health care
programs under the capitated arrangement, we are concerned that a
managed care organization or contractor may offer (or be offered) a
reduced rate for its items or services in the Federal capitated
arrangement in order to have the opportunity to participate in other
product lines that do not have stringent payment or utilization
constraints. This practice is a form of a practice known as
``swapping;'' in the case of managed care arrangements, low capitation
rates could be traded for access to additional fee-for-service lines of
business. We are concerned when these discounts are in exchange for
access to fee-for-service lines of business, where there is an
incentive to overutilize services provided to Federal health care
program beneficiaries.
For example, we would have concerns where an HMO with a Medicare
risk contract under Medicare Part C also has an employer-sponsored PPO
that includes retirees and requires participating providers to accept a
low capitation rate for the Medicare HMO risk patients in exchange for
access to the Medicare fee-for-service patients in the PPO. Although in
such circumstances the cost to the Medicare program for the risk-based
HMO beneficiaries will not be increased, there may be increased
expenditures for Medicare beneficiaries in the PPO arrangement, because
the providers may have an incentive to increase services to the
Medicare enrollees in the PPO to offset the discounted rates to the
Medicare HMO. Accordingly, such arrangements could violate the anti-
kickback statute and should not be protected.
A second limitation on the regulatory safe harbor protection is
that it only applies to remuneration for health care items and services
and those items or services reasonably related to the provision of
health care items and services. It does not cover marketing services or
any services provided prior to a beneficiary's enrollment in a health
plan.
Finally, the broad protection is limited to risk-based managed care
plans that do not claim any payment from a Federal health care program
other than the capitated amount set forth in the managed care
organization's agreement with the Federal health care program. Where
the managed care plan, its contractors or its subcontractors are
permitted to seek additional payments from any of the Federal health
care programs, the regulatory safe harbor protection is significantly
more limited. For example, protection is not extended to arrangements
with subcontractors when the contract under section 1876 of the Social
Security Act is cost-based or where the prime contract is protected
solely because the contracting entity is a Federally-qualified HMO. In
the first instance, reimbursement from the Federal health care program
is based on costs, and in the latter case, services for Medicare
enrollees are reimbursed on a fee-for-services basis. In both
instances, reimbursement will increase with utilization, thus providing
the same incentive to overutilize as any fee-for-service payment
methodology.
While the new safe harbor will provide protection from the anti-
kickback statute for most arrangements between Medicare+Choice
organizations and their contractors, Medicare+Choice organizations
should also have policies in place that ensure that any incentives
offered to beneficiaries and potential beneficiaries do not run afoul
of the anti-kickback statute or the new civil monetary penalty relating
to incentives to beneficiaries.70 The CMP was enacted in
section 231(h) of HIPAA (42 U.S.C. 320a-7a(a)(5)) and imposes sanctions
against individuals or entities that offer remuneration to a program
beneficiary that they know, or should know, will influence the
beneficiary's decision to order or receive items or services from a
particular provider, practitioner or
[[Page 33879]]
supplier reimbursable by Medicare or the State health care programs.
---------------------------------------------------------------------------
\70\ Our concerns regarding the use of inducements in a manner
that leads to enrollment of only healthy beneficiaries, such as
offering memberships to exercise clubs for purposes of patient
screening, is discussed above in Section II.B.2.b.-Selective
Marketing and Enrollment.
---------------------------------------------------------------------------
Pending the publication of the final rule implementing this CMP, we
can provide the following guidance. It is our view that organizations
that provide incentives to Federal health care program beneficiaries to
enroll in a plan are not offering remuneration to induce the enrollees
to use a particular provider, practitioner or supplier. Accordingly, we
anticipate that organizations that provide incentives to enroll in a
plan will not be subject to sanctions under this provision. However,
incentives provided by organizations to induce a beneficiary to use a
particular provider, practitioner or supplier once the beneficiary has
enrolled in a plan are within the purview of this CMP and are
prohibited if they do not meet an exception. For example, incentives
given to beneficiaries by a particular physician group within the
physician panel of a Medicare+Choice organization to encourage the
beneficiary to use that physician group over another physician in the
panel would be prohibited.
g. Anti-Dumping
The OIG and HCFA believe that there may be special concerns
regarding the provision of emergency services to enrollees of
Medicare+Choice plans. The anti-dumping statute 71 imposes
specific obligations on Medicare-participating hospitals that offer
emergency services to individuals presenting themselves at the hospital
seeking possible emergency treatment. While the obligations under the
anti-dumping statute prohibit a hospital from inquiring into the
patient's method of payment or insurance status, it has come to our
attention that many hospitals routinely seek authorization from a
Medicare+Choice enrollee's primary care physician or from the
Medicare+Choice organization when a Medicare+Choice enrollee requests
emergency services. The OIG and HCFA are cognizant that many managed
care organizations require their enrollees to seek prior authorization
for some medical services, including emergency services and that there
are circumstances when patients should be informed of their potential
financial liability. However, both the OIG and HCFA have concerns that
a Medicare+Choice enrollee may be unduly influenced by hospital
personnel to leave the hospital without obtaining necessary
care.72
---------------------------------------------------------------------------
\71\ See 42 U.S.C. 1395dd. A separate provision prohibits
Medicare+Choice organizations requiring enrollees to obtain prior
authorization for emergency services. See 42 U.S.C. 1395w-
22(d)(1)(E).
\72\ OIG and HCFA have issued a proposed Special Advisory
Bulletin on this topic. See 63 FR. 67486 (12/7/98).
---------------------------------------------------------------------------
It is the view of OIG and HCFA that the anti-dumping statute
requires that notwithstanding the terms of any managed care contractual
arrangements, the provisions of the anti-dumping statute govern the
obligations of hospitals to screen and provide stabilizing treatment to
any patient presenting at an emergency facility. No contract between a
hospital and managed care organization can excuse the hospital from the
anti-dumping statute obligations. Once a Medicare+Choice enrollee comes
to the hospital that offers emergency services, the law requires that
the hospital must provide the services required under the anti-dumping
statute without regard to the patient's insurance status or any prior
authorization of such insurance. All Medicare+Choice organizations
should have policies in place to ensure that these requirements are
met.
Medicare+Choice organizations should be particularly careful of
these requirements in the event that they participate in the so-called
``dual staffing'' of emergency departments. Dual staffing refers to the
situation where hospitals have entered into arrangements allowing a
managed care organization to station its own physicians in the
hospital's emergency department for the purpose of screening and
treating managed care enrollees. Implementation of dual staffing raises
some concerns under the anti-dumping statute, particularly where
different procedures and protocols have been established for each
staff.
3. Retention of Records and Information Systems
Medicare+Choice organizations' compliance programs should provide
for the implementation of a records retention system. This system
should establish policies and procedures regarding the creation,
distribution, retention, storage, retrieval and destruction of
documents. The three types of documents developed under this system
should include: (1) All records and documentation required by either
Federal or State law and the program requirements of Federal and State
health plans; (2) records listing the persons responsible for
implementing each part of the compliance plan; and (3) all records
necessary to protect the integrity of the Medicare+Choice
organization's compliance process and confirm the effectiveness of the
program. The documentation necessary to satisfy the third requirement
includes: evidence of adequate employee training; reports from the
Medicare+Choice organization's hotline; results of any investigation
conducted as a consequence of a hotline call; modifications to the
compliance program; self-disclosure; all written notifications to
providers regarding compliance activities; 73 and the
results of the Medicare+Choice organization's auditing and monitoring
efforts.
---------------------------------------------------------------------------
\73\ This should include notifications regarding quality of care
issues; confusing or inaccurate encounter data; and termination of
the contract.
---------------------------------------------------------------------------
In light of the increasing reliance on electronic data interchange
by the health care industry, Medicare+Choice organizations should take
particular care in establishing procedures for maintaining the
integrity of its data collection systems. This should include
procedures for regularly backing-up data (either by diskette,
restricted system or tape) collected in connection with all aspects of
the Medicare+Choice program requirements.
4. Compliance as an Element of a Performance Plan
Compliance programs should require that the promotion of, and
adherence to, the elements of the compliance program be a factor in
evaluating the performance of all employees. Employees should be
periodically trained in new compliance policies and procedures.
Policies should require that managers:
Discuss with all supervised employees and relevant
contractors the compliance policies and legal requirements applicable
to their function;
Inform all supervised personnel that strict compliance
with these policies and requirements is a condition of employment; and
Disclose to all supervised personnel that the
Medicare+Choice organization will take disciplinary action up to and
including termination for violation of these policies or requirements.
In addition to making performance of these duties an element in
evaluations, the compliance officer or company management should
include a policy that managers and supervisors will be sanctioned for
failure to instruct adequately their subordinates or for failure to
detect noncompliance with applicable policies and legal requirements,
where reasonable diligence on the part of the manager or supervisor
should have led to the discovery of any problems or violations.
[[Page 33880]]
B. Designation of a Compliance Officer and a Compliance Committee
1. Compliance Officer
Every Medicare+Choice organization should designate a compliance
officer to serve as the focal point for compliance activities. This
responsibility may be the individual's sole duty or added to other
management responsibilities, depending upon the size and resources of
the Medicare+Choice organization and the complexity of the task.
Designating a compliance officer with the appropriate authority is
critical to the success of the program, necessitating the appointment
of a high-level official in the Medicare+Choice organization with
direct access to the company's governing body, the CEO and all other
senior management and legal counsel.74 While it is important
that the compliance officer have appropriate authority, we are not
suggesting that the compliance officer should have programmatic
responsibility for the various aspects of the Medicare+Choice program.
For example, the compliance officer should have full authority to stop
the submission of data that he or she believes is problematic until
such time as the issue in question has been resolved. In addition, the
compliance officer should be copied on the results of all internal
audit reports and work closely with key managers to identify aberrant
trends in the areas that require certification. The compliance officer
must have the authority to review all documents and other information
that are relevant to compliance activities, including, but not limited
to, beneficiary records (where appropriate) and records concerning the
marketing efforts of the facility and the Medicare+Choice organization
arrangements with other parties, including employees, professionals on
staff, relevant independent contractors, suppliers, agents,
supplemental staffing entities and physicians. This policy enables the
compliance officer to review contracts and obligations (seeking the
advice of legal counsel, where appropriate) that may contain referral
and payment provisions that could violate statutory or regulatory
requirements.
---------------------------------------------------------------------------
\74\ The OIG believes that it is not advisable for the
compliance function to be subordinate to the Medicare+Choice
organization's general counsel, comptroller or similar company
financial officer. Free-standing compliance functions help to ensure
independent legal reviews and financial analyses of the
institution's compliance activities. By separating the compliance
function from the key management positions of general counsel or CFO
(where the size and structure of the organization make this a
feasible option), a system of checks and balances is established to
more effectively achieve the compliance program's goals.
---------------------------------------------------------------------------
Coordination and communication are the key functions of the
compliance officer with regard to planning, implementing and monitoring
the compliance program. With this in mind, the OIG recommends the
Medicare+Choice organization's compliance officer closely coordinate
compliance functions with providers' compliance officers.
The compliance officer should have sufficient funding and staff to
fully perform his or her responsibilities. These duties should include:
Overseeing and monitoring the implementation of the
compliance program; 75
---------------------------------------------------------------------------
\75\ For multi-site Medicare+Choice organizations, the OIG
encourages coordination with each facility owned by the
Medicare+Choice organization through the use of compliance liaisons
at each site.
---------------------------------------------------------------------------
Reporting on a regular basis to the Medicare+Choice
organization's governing body, CEO and compliance committee on the
progress of implementation and assisting these components in
establishing methods to improve the Medicare+Choice organization's
efficiency and quality of services and to reduce the Medicare+Choice
organization's vulnerability to fraud, abuse and waste;
Periodically revising the program in light of changes in
the organization's needs and in the law and policies and procedures of
Government and private payor health plans;
Reviewing employees' certifications stating that they have
received, read and understood the standards of conduct;
Developing, coordinating and participating in a
multifaceted educational and training program that focuses on the
elements of the compliance program and seeks to ensure that all
appropriate employees and management are knowledgeable of, and comply
with, pertinent Federal and State standards;
Coordinating personnel issues with the Medicare+Choice
organization's human resources/personnel office (or its equivalent) to
ensure that providers and employees do not appear in the List of
Excluded Individuals/Entities and the GSA list of debarred contractors;
76
---------------------------------------------------------------------------
\76\ See note 94.
---------------------------------------------------------------------------
Assisting the Medicare+Choice organization's management in
coordinating internal compliance review and monitoring activities,
including annual or periodic reviews of departments;
Independently investigating and acting on matters related
to compliance, including the flexibility to design and coordinate
internal investigations (e.g., responding to reports of problems or
suspected violations) and any resulting corrective action with all
departments, providers and sub-providers, agents and, if appropriate,
independent contractors;
Developing policies and programs that encourage managers
and employees to report suspected fraud and other improprieties without
fear of retaliation; and
Continuing the momentum of the compliance program and the
accomplishment of its objectives long after the initial years of
implementation.
2. Compliance Committee
The OIG recommends that a compliance committee be established to
advise the compliance officer and assist in the implementation of the
compliance program.77 When assembling a team of people to
serve as the Medicare+Choice organization's compliance committee, the
company should include individuals with a variety of
skills.78 The OIG strongly recommends that the compliance
officer manage the compliance committee. Once a managed care
organization chooses the people that will accept the responsibilities
vested in members of the compliance committee, the organization must
train these individuals on the policies and procedures of the
compliance program.
---------------------------------------------------------------------------
\77\ The compliance committee benefits from having the
perspectives of individuals with varying responsibilities in the
organization, such as operations, finance, audit, human resources,
utilization review, medicine, claims processing, information
systems, legal, marketing, enrollment and disenrollment as well as
employees and managers of key operating units. These individuals
should have the requisite seniority and comprehensive experience
within their respective departments to implement any necessary
changes in the company's policies and procedures.
\78\ A Medicare+Choice organization should expect its compliance
committee members and compliance officer to demonstrate high
integrity, good judgment, assertiveness and an approachable
demeanor, while eliciting the respect and trust of employees of the
organization. The compliance committee members should also have
significant professional experience in working with quality
assurance, enrollment, marketing, clinical records and auditing
principles.
---------------------------------------------------------------------------
The committee's responsibilities should include:
Analyzing the organization's regulatory environment, the
legal requirements with which it must comply and specific risk areas;
Assessing existing policies and procedures that address
these areas for possible incorporation into the compliance program;
Working with appropriate departments, as well as
affiliated providers, to develop standards of
[[Page 33881]]
conduct and policies and procedures that promote allegiance to the
organization's compliance program;
Recommending and monitoring, in conjunction with the
relevant departments, the development of internal systems and controls
to carry out the organization's standards, policies and procedures as
part of its daily operations;
Determining the appropriate strategy/approach to promote
compliance with the program and detection of any potential violations,
such as through hotlines and other fraud reporting mechanisms;
Developing a system to solicit, evaluate and respond to
complaints and problems; and
Monitoring internal and external audits and investigations
for the purpose of identifying troublesome issues and deficient areas
experienced by the Medicare+Choice organization and implementing
corrective and preventive action.
The committee may also address other functions as the compliance
concept becomes part of the overall operating structure and daily
routine.
C. Conducting Effective Training and Education
The proper education and training of corporate officers, managers,
employees and the continual retraining of current personnel at all
levels are significant elements of an effective compliance program.
Where feasible, the Medicare+Choice organization should afford outside
contractors and its provider clients the opportunity to participate in
the organization's compliance training and educational programs. The
contractors and provider clients should be encouraged to develop their
own compliance programs that complement the Medicare+Choice
organization's compliance program.
1. Formal Training Programs
In order to ensure the appropriate information is being
disseminated to the correct individuals, the Medicare+Choice
organization training program should include both a general session and
specialized sessions on specific risk areas. All employees should
attend the general session on compliance. Employees whose job
responsibilities implicate specific risk areas (e.g., marketing or
capitated reimbursement rules) should attend the specialized sessions.
The OIG recommends attendance and participation at training
programs be made a condition of continued employment and that failure
to comply with training requirements should result in disciplinary
action, including possible termination, when such failure is serious.
The Medicare+Choice organization should retain adequate records of its
training of employees, including attendance logs and material
distributed at training sessions. New employees should be targeted for
training early in their employment, and to the extent that they perform
complicated tasks with greater organizational legal exposure, should be
monitored closely until all training is completed.
a. General Sessions
As part of their compliance programs, Medicare+Choice organizations
should require all affected employees to attend annual training that
emphasizes the organization's commitment to compliance with all Federal
and State statutes and requirements, and the policies of private
payors. This training should highlight the organization's compliance
program, summarize fraud and abuse statutes and regulations, Federal
and State health care program requirements, documentation requirements
for data submission and marketing practices that reflect current legal
and program standards.
As part of the initial training, the standards of conduct should be
distributed to all employees. Every employee, as well as contracted
consultants, should be required to sign and date a statement that
reflects the employee's knowledge of, and commitment to the standards
of conduct. This attestation should be retained in the employee's
personnel file. For contracted consultants, the attestation should
become part of the contract and remain in the file that contains such
documentation. To ensure that employees continuously meet the expected
high standards set forth in the code of conduct, any employee handbook
delineating or expanding upon these standards of conduct should be
regularly updated as applicable statutes, regulations and Federal
health care program requirements are modified.79
Medicare+Choice organizations should provide an additional attestation
in the modified standards that stipulates the employee's knowledge of,
and commitment to, the modifications.
---------------------------------------------------------------------------
\79\ While the OIG recognizes that not all standards, policies
and procedures need to be communicated to all employees, it believes
that the bulk of the standards that relate to complying with fraud
and abuse laws and other ethical areas should be addressed and made
part of all employees' training.
---------------------------------------------------------------------------
b. Specialized Training
Because Medicare+Choice organizations are responsible for
compliance in all of the risk areas mentioned in section II.A. above,
the OIG recommends Medicare+Choice organizations require individuals
who are involved in the risk areas to receive specialized training. For
example, marketing employees should receive training on the marketing,
enrollment, disenrollment and anti-kickback policies. All employees who
work with beneficiaries or providers regarding medical services should
receive appropriate training on the risks associated with under-
utilization. Those employees who are involved in developing enrollment,
encounter and ACR data should receive training on HCFA policies in
these areas. Clarifying and emphasizing these areas of concern through
training and educational programs are particularly relevant to a
Medicare+Choice organization's marketing and financial personnel, in
that the pressure to meet business goals may render these employees
particularly vulnerable to engaging in prohibited practices.
The OIG recommends Medicare+Choice organizations' compliance
programs address the need for periodic professional education courses
for personnel. Such courses would be in addition to the internal
training sessions provided by the organization. For example, the
Medicare+Choice organization should ensure that data submission
personnel receive annual professional training on the updated policies,
requirements and directives for the current year.
c. Format of the Training Program
The OIG suggests all relevant levels of personnel be made part of
various educational and training programs of the Medicare+Choice
organization. Employees should be required to have a minimum number of
educational hours per year, as appropriate, as part of their employment
responsibilities. A variety of teaching methods, such as interactive
training and training in several different languages (including the
translation of standards of conducts and other materials), particularly
where a Medicare+Choice organization has a culturally diverse staff,
should be implemented so that all affected employees are knowledgeable
about the institution's standards of conduct and procedures for
alerting senior management to problems and concerns. In addition, the
materials should be written at appropriate reading levels for targeted
employees. All training
[[Page 33882]]
materials should be designed to take into account the skills, knowledge
and experience of the individual trainees. Post-training tests can be
used to assess the success of training provided and employee
comprehension of the billing company's policies and procedures.
2. Informal and Ongoing Compliance Training
It is essential that compliance issues remain at the forefront of
the Medicare+Choice organization's priorities. The organization must
demonstrate its commitment by continuing to disseminate the compliance
message. One effective mechanism to achieve this goal is to publish a
monthly compliance newsletter. This would allow the Medicare+Choice
organization to address specific examples of problems the company
encountered during its ongoing audits and risk analysis, while
reinforcing the company's firm commitment to the general principles of
compliance and ethical conduct. The newsletter could also include the
risk areas identified in current OIG publications or investigations.
Finally, the Medicare+Choice organization could use the newsletter as a
mechanism to address areas of ambiguity in the marketing, utilization
review and data submission process, and to notify employees of
significant legal or regulatory developments. The Medicare+Choice
organization should maintain its newsletters in a central location to
document the guidance offered and provide new employees with access to
guidance previously provided. Other written materials, such as posters,
fliers or articles in other company publications, could also be used to
disseminate the compliance message.
Another effective method of maintaining the presence of the
compliance message is to maintain a website devoted to compliance
issues. This could be linked to the homepage of the organization. Many
organizations have chosen to maintain these sites internally on the
Intranet to alleviate any confidentiality concerns. The Intranet (or
Internet) also facilitates the use of hypertext links that allow the
organization to maintain a centralized source on statutory, regulatory
and other program guidance disseminated by HCFA,80 the OIG,
the Department of Justice and the Congress. These links, along with any
other webpages that the Medicare+Choice organization deems pertinent
and useful can be assembled on a single site that can, by hypertext
link, provide access to all of these useful resources.
---------------------------------------------------------------------------
\80\ HCFA's Medicare+Choice webpage is located at http://
www.hcfa.gov/medicare/mgdcar1.htm.
---------------------------------------------------------------------------
D. Developing Effective Lines of Communication
An open line of communication between the compliance officer and
Medicare+Choice organization personnel, as well as among the
organization, health care providers and enrollees, is critical to the
successful implementation of a compliance program and the reduction of
any potential for fraud, abuse and waste. Each organization should have
in place both a mechanism for the reporting of improper conduct, as
well a mechanism for more routine types of communication among the
compliance officer and relevant groups.
1. Hotline or Other System for Reports of Potential Misconduct
Each Medicare+Choice organization should have in place a hotline or
other mechanism 81 through which employees, enrollees or
other parties can report potential violations of the organization's
compliance policies or of Federal or State health care program
requirements. In any event, several independent reporting paths should
be created for an employee to report fraud, waste or abuse so that such
reports cannot be diverted by supervisors or other personnel. If the
organization establishes a hotline, the telephone number should be made
readily available to all employees, enrollees and independent
contractors, by circulating the number on wallet cards or conspicuously
posting the telephone number in common work areas.82
---------------------------------------------------------------------------
\81\ The OIG recognizes that it may not be financially feasible
for a small Medicare+Choice organization to maintain a telephone
hotline dedicated to receiving calls solely on compliance issues.
These companies may explore alternative methods, e.g., contracting
with an independent source to provide hotline services or
establishing a written method of confidential disclosure.
\82\ Medicare+Choice organizations should also post in a
prominent, available area the HHS-OIG Hotline telephone number, 1-
800-447-8477 (1-800-HHS-TIPS), in addition to any organization's
hotline number that may be posted.
---------------------------------------------------------------------------
Matters reported through the hotline or other communication sources
that suggest violations of compliance policies, Federal and State
health care program requirements, regulations or statutes should be
documented and investigated promptly to determine their veracity. A log
should be maintained by the compliance officer that records such calls,
including the nature of any investigation and its results.83
Such information should be included in reports to the governing body,
the CEO and compliance committee.
---------------------------------------------------------------------------
\83\ To efficiently and accurately fulfill such an obligation,
the Medicare+Choice organization should create an intake form for
all compliance issues identified through reporting mechanisms. The
form could include information concerning the date the potential
problem was reported, the internal investigative methods utilized,
the results of any investigation, any corrective action implemented,
any disciplinary measures imposed and any overpayments and monies
returned.
---------------------------------------------------------------------------
Employees, enrollees and providers should be permitted to report
matters on a confidential basis. To encourage such reporting, written
confidentiality and non-retaliation policies should be developed and
distributed to all employees, enrollees and providers to encourage
communication and the reporting of incidents of potential
fraud.84 While the Medicare+Choice organization should
always strive to maintain the confidentiality of the reporter's
identity, the policies should explicitly communicate that there may be
a point where the individual's identity may become known or may have to
be revealed.
---------------------------------------------------------------------------
\84\ The OIG believes that whistleblowers should be protected
against retaliation, a concept embodied in the provisions of the
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees
sue their employers under the False Claims Act's qui tam provisions
out of frustration because of the company's failure to take action
when a questionable, fraudulent or abusive situation was brought to
the attention of senior corporate officials.
---------------------------------------------------------------------------
The OIG recognizes that assertions of fraud and abuse by those who
may have participated in illegal conduct or committed other malfeasance
raise numerous complex legal and management issues that should be
examined on a case-by-case basis. The compliance officer should work
closely with legal counsel to obtain guidance on these issues.
2. Routine Communication/Access to the Compliance Officer
While it is crucial that Medicare+Choice organizations have
effective systems in place for the reporting of suspected misconduct,
it is equally important that the compliance officer foster more routine
communication both among its employees and among its health care
providers and enrollees.
With respect to its own employees, the OIG encourages the
establishment of procedures for personnel to seek clarification from
the compliance officer or members of the compliance committee in the
event of any confusion or question regarding a company policy, practice
or procedure. Questions and responses should be documented and dated
and, if appropriate, shared with other staff so that standards,
policies, practices and procedures can be updated and improved to
reflect any
[[Page 33883]]
necessary changes or clarifications. The compliance officer may want to
solicit employee input in developing these communication and reporting
systems. The methods discussed above relating to ongoing training and
education are an integral part of this communication.85
---------------------------------------------------------------------------
\85\ In addition to methods of communication used by current
employees, an effective employee exit interview program could be
designed to solicit information from departing employees regarding
potential misconduct and suspected violations of the Medicare+Choice
organization's policy and procedures.
---------------------------------------------------------------------------
The communication and coordination function of the compliance
program serves an even more critical role in the context of the managed
care environment because the managed care entity serves as an
intermediary between the health care provider and the
enrollee.86 In fact, the raison d'etre of a managed care
organization is to coordinate the care of its enrollees. As with
providers, communications with beneficiaries and communications with
HCFA (and its designees) must demonstrate the highest level of
integrity, honesty and judgment. The Medicare+Choice organization
should implement methods to encourage communication among its enrollees
and providers. For example, a Medicare+Choice organization should
communicate the results of audits, disenrollment surveys, utilization
data and quality of care determinations to its contracting suppliers
and providers in order to facilitate open discussion regarding
appropriate health care delivery.
---------------------------------------------------------------------------
\86\ An ``enrollee'' is defined in this compliance program
guidance as any Medicare+Choice eligible individual who has elected
a Medicare+Choice plan offered by a Medicare+Choice organizations.
See 42 CFR 422.2.
---------------------------------------------------------------------------
E. Auditing and Monitoring
An ongoing evaluation process is critical to a successful
compliance program. The OIG believes an effective program should
incorporate thorough monitoring of its implementation and regular
reporting to senior company officers.87 Compliance reports
created by this ongoing monitoring, including reports of suspected
noncompliance, should be maintained by the compliance officer and
reviewed with the Medicare+Choice organization's senior management and
the compliance committee. The extent and frequency of the audit
function may vary depending on factors such as the size of the company,
the resources available to the company, the company's prior history of
noncompliance and the risk factors that are prevalent in a particular
organization.
---------------------------------------------------------------------------
\87\ Even when a facility is owned by a larger corporate entity,
the regular auditing and monitoring of the compliance activities of
an individual facility must be a key feature in any annual review.
Appropriate reports on audit findings should be periodically
provided and explained to a parent-organization's senior staff and
officers.
---------------------------------------------------------------------------
Although many monitoring techniques are available, one effective
tool to promote and ensure compliance is the performance of regular,
periodic compliance audits by internal or external auditors who have
expertise in Federal and State health care statutes, regulations and
Federal health care program requirements. The audits should focus on
the Medicare+Choice organization's programs or divisions, including
external relationships with third-party contractors, specifically those
with substantive exposure to Government enforcement actions. The audits
should be sure to cover the range of programmatic requirements of the
Medicare+Choice program. In particular, the audits should focus on the
risk areas identified earlier in this document, especially the data and
information which affects payments by Medicare. Finally, the
Medicare+Choice organization should focus on any areas of specific
concern identified within that organization and those that may have
been identified by any outside agency, whether Federal or State.
Monitoring techniques may include sampling protocols that permit
the compliance officer to identify and review variations from an
established baseline.88 Significant variations from the
baseline should trigger a reasonable inquiry to determine the cause of
the deviation. If the inquiry determines that the deviation occurred
for legitimate, explainable reasons, the compliance officer or manager
may want to limit any corrective action or take no action. If it is
determined that the deviation was caused by improper procedures,
misunderstanding of rules, including fraud and systemic problems, the
Medicare+Choice organization should take prompt steps to correct the
problem.89 Any overpayments discovered as a result of such
deviations should be reported promptly to HCFA (or its designees), with
appropriate documentation and a thorough explanation of the reason for
the overpayment.90
---------------------------------------------------------------------------
\88\ The OIG recommends that when a compliance program is
established in a Medicare+Choice organization, the compliance
officer, with the assistance of department managers, take a
``snapshot'' of the organization's operations from a compliance
perspective. This assessment can be undertaken by outside
consultants, law or accounting firms, or internal staff, with
authoritative knowledge of health care compliance requirements. This
``snapshot,'' often used as part of bench marking analysis, becomes
a baseline for the compliance officer and other managers to judge
the Medicare+Choice organization's progress in reducing or
eliminating potential areas of vulnerability. Medicare+Choice
organizations should track statistical data on utilization review
and quality data based on customer satisfaction and renewal data.
This will facilitate identification of problem areas and elimination
of potential areas of abusive or fraudulent conduct.
\89\ Prompt steps to correct the problem include contacting the
appropriate provider in situations where the provider's actions
contributed to the problem.
\90\ In addition, when appropriate, as referenced in section
G.2, below, reports of fraud or systemic problems should also be
made to the appropriate governmental authority.
---------------------------------------------------------------------------
An effective compliance program should also incorporate periodic
(at a minimum, annual) reviews of whether the program's compliance
elements have been satisfied, e.g., whether there has been appropriate
dissemination of the program's standards, training, ongoing educational
programs and disciplinary actions.91 This process will
verify actual conformance by all departments with the compliance
program. Such reviews may support a determination that appropriate
records have been created and maintained to document the implementation
of an effective program.
---------------------------------------------------------------------------
\91\ One way to assess the knowledge, awareness and perceptions
of the Medicare+Choice organization's staff is through the use of a
validated survey instrument (e.g., employee questionnaires,
interviews or focus groups).
---------------------------------------------------------------------------
The reviewers involved in any audits should:
Possess the qualifications and experience necessary to
adequately identify potential issues with the subject matter to be
reviewed;
Be independent of line management;
Have access to existing audit and health care resources,
relevant personnel and all relevant areas of operation;
Resent written evaluative reports on compliance activities
to the CEO, governing body members of the compliance committee and its
provider clients on a regular basis, but not less than annually; and
Specifically identify areas where corrective actions are
needed.
In the Medicare+Choice context, a variety of different methods will
be necessary to adequately monitor and evaluate the ongoing operations
of the Medicare+Choice organization. In general, OIG recommends the use
of techniques such as on-site visits, questionnaires (for providers,
enrollees and employees), and trend analyses, to name just
several.92 Because the
[[Page 33884]]
auditing and monitoring function is very different and much more
complex in the managed care context than in any other segment of the
health care industry, we have provided additional guidance on the
methods to be used in evaluating selected risk areas.
---------------------------------------------------------------------------
\92\ Medicare+Choice organizations may want to consult HCFA's
Contractor Performance Monitoring System Manual to get additional
ideas for monitoring methods. In addition, organizations may want to
consult the OAS website for information on conducting audits,
including information on statistical sampling (RAT-STATS). See note
10.
---------------------------------------------------------------------------
1. Marketing/Enrollment/Disenrollment
Developing a system for evaluating the compliance of the marketing,
enrollment and disenrollment functions of a Medicare+Choice
organization requires innovative techniques. Each Medicare+Choice
organization will have to develop an individualized method as to how to
obtain this data. Some of the methods that the OIG suggests include:
the use of secret shoppers; surveying current enrollees; 93
and conducting exit interviews with former enrollees (particularly
those that disenrolled just prior to obtaining an expensive service) on
their experience with the Medicare+Choice marketing and enrollment
process. Once this data is collected, it must be maintained in a format
that can be accessed readily.
---------------------------------------------------------------------------
\93\ It should be noted, while this method may be less
expensive, it may not provide unbiased data, particularly in the
area of selective marketing. In fact, in the selective marketing
area, the data may be skewed significantly in favor of the
Medicare+Choice organization.
---------------------------------------------------------------------------
In an effort to integrate the monitoring function with its training
function, Medicare+Choice organizations may wish to test their
marketing staff on their knowledge of the company's policies and
procedures, as well as the Federal and State statutes that govern the
marketing process. This assessment can be developed to take on many
formats. Many companies have customized interactive software to test
employees' knowledge of relevant policies and procedures. It may also
be formulated in the traditional written version.
Methods used to monitor marketing agents include the analysis of
disenrollment data to identify marketing agents with high and low
percentages of member disenrollments within a set number of days (e.g.,
90 days). In addition, Medicare+Choice organizations may want to
establish enrollment verification systems requiring that a different
individual from the sales agent meet with beneficiaries who have
applied for enrollment to ensure that they understand restrictions of
the plan, such as the lock-in provision.
Finally, it is essential for all marketing materials to be reviewed
by the general counsel's office to ensure that they do not mislead,
confuse or misrepresent any aspect of the plan. Similarly, they should
also be examined by the claims processing department and utilization
review office for consistency with the policies, procedures and
practices of these departments.
2. Underutilization and Quality of Care
Procedures for tracking and reporting utilization review data are
vital to the success of any compliance endeavor. Medicare+Choice
organizations should periodically review the service areas that are
part of the Medicare+Choice organization to ensure that enrollees are
receiving adequate access to care. In reviewing service areas,
Medicare+Choice organizations should collect data on the number of
primary care physicians in the service area, the number and type of
specialists in the service area, the waiting time for appointments, the
telephone access to the Medicare+Choice organization and the problems
associated with the coordination of care. All of this data should be
maintained in a database in a format that can be used to generate
statistical data and analysis.
Medicare+Choice organizations should ensure that there are adequate
systems in place to monitor underutilization and inappropriate denials.
Such procedures include collecting data on utilization patterns and
detecting aberrant patterns. This data should be checked against
utilization rates in the industry. This function could be performed by
a medical affairs department that is responsible for regular review of
claims, the payment system, encounter data and medical record review to
assess the degree to which care is under (or over) utilized.
Similarly, the Medicare+Choice organization should survey its
enrollees on utilization patterns and whether they felt they were
subjected to inadequate health care services or inappropriate denials.
Such survey results should be reviewed and investigated, when
appropriate. Generally, these may be skewed in favor of the
Medicare+Choice organization if the enrollees are current members.
Presumably, if an enrollee was truly dissatisfied with the
Medicare+Choice organization's attitude toward enrollee rights, the
enrollee would have disenrolled from the plan. As a result, a
Medicare+Choice organization should evaluate both current enrollee
satisfaction surveys and exit interview surveys of former enrollees.
Medicare+Choice organizations have a good source of information
regarding utilization issues, simply by tracking the type of appeals
and grievances they receive from beneficiaries. This information should
be tracked in a database that can be easily accessed by type of
grievance or appeal and results.
3. Data Collection and Submission Processes
Given the importance of the enrollment, encounter and ACR data, the
Medicare+Choice organization should develop ways to audit this
information to assure its accuracy. For example, encounter data should
be sampled periodically to determine its accuracy and reliability. As a
part of that process, Medicare+Choice organizations must detail in
their contractual relationships with providers the access that they
will need to the provider's medical record documentation.
4. Anti-Kickback and Other Inducements
Medicare+Choice organizations should periodically review their
contractual documents and discussions with providers to ensure that
``swapping'' is not occurring, which would cause such relationships to
fall outside the applicable safe harbor. In addition, contracts with
marketing personnel should be reviewed by legal counsel to be sure they
do not violate applicable statutes and regulations.
F. Enforcing Standards Through Well-Publicized Disciplinary
Guidelines and Policies Regarding Dealings With Ineligible Persons
The OIG recommends that all Medicare +Choice organizations'
compliance programs include several key policies in the area of
personnel/human resources. The first deals with the establishment and
consistent application of appropriate disciplinary policies to deal
with improper conduct and the second deals with the employment of
certain ineligible individuals.
1. Consistent Enforcement of Disciplinary Policies
An effective compliance program should include guidance regarding
disciplinary action for all employees who have failed to comply with
the Medicare+Choice organization's standards of conduct, policies and
procedures, Federal health care program requirements, or Federal and
State laws, or those who have otherwise engaged in wrongdoing. It is
vital to publish and disseminate the range of possible disciplinary
actions for improper
[[Page 33885]]
conduct and to educate officers and other staff regarding these
standards. Employees should be advised that disciplinary action may be
appropriate where a responsible employee's failure to detect a
violation is attributable to his or her negligence or reckless conduct.
The sanctions could range from oral warnings to suspension, termination
or other sanctions, as appropriate. While each situation must be
considered on a case-by-case basis to determine the appropriate
sanction, intentional or reckless noncompliance should subject
transgressors to significant sanctions.
The written standards of conduct should elaborate on the procedures
for handling disciplinary problems and identify who will be responsible
for taking appropriate action. For example, while disciplinary actions
can be handled by department managers, others may have to be resolved
by a more senior official of the organization. Personnel should be
advised by the organization that disciplinary action will be taken on a
fair and equitable basis, that is, all levels of employees should be
subject to similar disciplinary action for the commission of similar
offenses. Managers and supervisors should be held accountable to
implement the disciplinary policy consistently so that the policy will
have the required deterrent effect.
2. Employment of and Contracting With Ineligible Persons
All Medicare+Choice organizations should use care when delegating
substantial discretionary authority to make decisions that may involve
compliance with the law or compliance oversight. In particular, the
organization should ensure that it does not delegate such
responsibilities to individuals or entities that it knows, or should
have known, have a propensity to engage in inappropriate or improper
conduct. Pursuant to the compliance program, Medicare+Choice
organization's policies should prohibit the employment of or
contracting with individuals or entities who have been recently
convicted of a criminal offense related to health care or who are
listed as debarred, excluded or otherwise ineligible for participation
in Federal health care programs. The policies should require the
Medicare+Choice organization to utilize Government resources to
determine whether such individuals or entities are debarred or
excluded. These resources should be used for both potential employees
(as part of the employment application process, which should also
include a reasonable and prudent background investigation), and should
be used to periodically check existing employees and contractors.
Lists of debarred and excluded individuals and entities are
currently maintained by both the OIG and the General Services
Administration.94 By approximately January 2000, the
Healthcare Integrity Protection Data Bank (HIPDB) will be available to
Medicare+Choice organizations (for a nominal fee) to use in conducting
these checks on employees and contractors.95 The HIPDB is an
electronic data collection program that will collect, store and
disseminate reports on practitioners, providers and suppliers that have
been the subject of health care related final adverse actions in
criminal, civil and administrative proceedings. The final adverse
actions to be reported to the HIPDB include criminal convictions or
civil judgments related to the delivery of health care, actions by
Federal or State agencies responsible for licensing or certification of
health care providers, suppliers and practitioners, and exclusions from
Federal or State health care programs.
---------------------------------------------------------------------------
\94\ OIG's List of Excluded Individuals/Entities is available on
the Internet at http://www.dhhs.gov/progorg/oig and the General
Services Administration list of debarred contractors is available on
the Internet at http://www.arnet.gov/epls.
\95\ See 42 U.S.C. 1320a-7e.
---------------------------------------------------------------------------
Pending the resolution of any known criminal charges or proposed
debarment or exclusion, the OIG recommends that such individuals should
be removed from direct responsibility for, or involvement in, any
Federal health care program.96 Similarly, with regard to
current employees or independent contractors, if resolution of the
matter results in conviction, debarment or exclusion, then the
Medicare+Choice organization should remove the individual from direct
responsibility for, or involvement with, the organization's business
operations related to Federal health care programs. In addition, they
should remove such person from any position for which the person's
salary or other items or services rendered, ordered, or prescribed by
the person are paid in whole or part, directly or indirectly, by
Federal health care programs or otherwise with Federal funds, at least
until such time as the person is reinstated into participation in the
Federal health care programs.
---------------------------------------------------------------------------
\96\ Prospective employees who have been officially reinstated
into the Medicare and Medicaid programs by the OIG may be considered
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------
G. Responding to Detected Offenses and Developing Corrective Action
Initiatives
Violations of the Medicare+Choice organization's compliance
program, failures to comply with applicable Federal or State law, rules
and program instructions and other types of misconduct threaten a
Medicare+Choice organization's status as a reliable, honest and
trustworthy company. Detected but uncorrected misconduct can seriously
endanger the mission, reputation and legal status of the organization.
Consequently, upon reports or reasonable indications of suspected
noncompliance, it is important that the chief compliance officer or
other management officials promptly investigate the conduct in question
to determine whether a material violation of applicable law, rule or
program instruction or the requirements of the compliance program has
occurred, and if so, take steps to correct the problem.97 As
appropriate, such steps may include an immediate referral to criminal
and/or civil law enforcement authorities, a corrective action plan, a
report to the Government,98 and the notification to the
provider of any discrepancies or overpayments, if applicable.
---------------------------------------------------------------------------
\97\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a
health care program is not solely determinative of whether or not
the conduct should be investigated and reported to governmental
authorities. In fact, there may be instances where there is no
readily identifiable monetary loss at all, but corrective action and
reporting are still necessary to protect the integrity of the
applicable program and its beneficiaries.
\98\ The OIG currently maintains a provider self-disclosure
protocol that encourages providers to report suspected fraud. The
concept of self-disclosure is premised on a recognition that the
Government alone cannot protect the integrity of the Medicare and
other Federal health care programs. Health care providers must be
willing to police themselves, correct underlying problems and work
with the Government to resolve these matters. The self-disclosure
protocol can be located on the OIG's website at http://www.dhhs.gov/
progorg/oig.
---------------------------------------------------------------------------
The Medicare+Choice organization should document its efforts to
comply with applicable statutes, regulations and Federal health care
program requirements. For example, where a Medicare+Choice
organization, in its efforts to comply with a particular statute,
regulation or program requirement, requests advice from a Government
agency charged with administering a Federal health care program, the
Medicare+Choice organization should document and retain a record of the
request and any written or oral response. This step is extremely
important if the Medicare+Choice organization intends to rely on that
response to guide it in future decisions, actions or appeals. A log of
oral inquiries between the Medicare+Choice organization and third
parties will help the organization document its attempts at compliance.
In
[[Page 33886]]
addition, the Medicare+Choice organization should maintain records
relevant to the issue of whether its reliance was ``reasonable,'' and
whether it exercised due diligence in developing procedures to
implement the advice.
1. Violations and Investigations
Depending upon the nature of the alleged violations, an internal
investigation will probably include interviews and a review of relevant
documents. Medicare+Choice organizations should consider engaging
outside counsel, auditors or health care experts to assist in an
investigation. Records of the investigation should contain
documentation of the alleged violation, a description of the
investigative process (including the objectivity of the investigators
and methodologies utilized), copies of interview notes and key
documents, a log of the witnesses interviewed and the documents
reviewed, the results of the investigation, e.g., any disciplinary
action taken and any corrective action implemented. Although any action
taken as the result of an investigation will necessarily vary depending
upon the Medicare+Choice organization and the situation,
Medicare+Choice organizations should strive for some consistency by
utilizing sound practices and disciplinary protocols. Further, after a
reasonable period, the compliance officer should review the
circumstances that formed the basis for the investigation to determine
whether similar problems have been uncovered or modifications of the
compliance program are necessary to prevent and detect other
inappropriate conduct or violations.
If an investigation of an alleged violation is undertaken and the
compliance officer believes the integrity of the investigation may be
at stake because of the presence of employees under investigation,
those subjects should be removed from their current work activity until
the investigation is completed (unless an internal or Government-led
undercover operation known to the Medicare+Choice organization is in
effect). In addition, the compliance officer should take appropriate
steps to secure or prevent the destruction of documents or other
evidence relevant to the investigation. If the Medicare+Choice
organization determines disciplinary action is warranted, it should be
prompt and imposed in accordance with the organization's written
standards of disciplinary action.
2. Reporting
If the compliance officer, compliance committee or a management
official discovers credible evidence of misconduct from any source and,
after reasonable inquiry, has reason to believe that the misconduct may
violate criminal, civil or administrative law,99 then the
Medicare+Choice organization should report the existence of misconduct
promptly to the appropriate Government authority 100 within
a reasonable period, but not more than 60 days after determining that
there is credible evidence of a violation. Prompt reporting will
demonstrate the Medicare+Choice organization's good faith and
willingness to work with governmental authorities to correct and remedy
the problem. In addition, reporting such conduct will be considered a
mitigating factor by the OIG in determining administrative sanctions
(e.g., penalties, assessments and exclusion), if the reporting company
becomes the target of an OIG investigation.101
---------------------------------------------------------------------------
\99\ When making the determination of credible misconduct, the
Medicare+Choice organization should consider, among other statutes,
18 U.S.C. 669 [holding an individual(s) criminally liable for
knowingly and willfully embezzling, stealing or otherwise converting
to the use of any person other than the rightful owner or
intentionally misapplying any of the monies, funds * * * premiums,
credits, property or assets of a health care benefit program] and 18
U.S.C. 2 [establishing criminal liability for an individual(s) who
commits an offense against the United States or aids, abets,
counsels, commands, induces or procures its commission as punishable
as the principle]. In making this determination, the Medicare+Choice
organization should also consider the civil False Claims Act, 31
U.S.C. 3729, which imposes treble damages and penalties on those
(including subcontractors) who knowingly submit false claims for
Federal funds, or cause their submission, or who knowingly prepare
false records or statements to get such false claims paid. Under the
civil False Claims Act, ``knowingly'' means that a person ``has
actual knowledge of the information, acts in deliberate ignorance of
the truth or falsity of the information, or acts in reckless
disregard of the truth or falsity of the information, and no proof
of specific intent to defraud is required.'' 31 U.S.C. 3729.
\100\ Appropriate Federal and/or State authorities include the
Office of Inspector General of the Department of Health and Human
Services, the Criminal and Civil Divisions of the Department of
Justice, the U.S. Attorneys in the relevant districts, and the other
investigative arms for agencies administering the affected Federal
or State health care programs, such as the State Medicaid Fraud
Control Unit, the Defense Criminal Investigative Service, the
Department of Veterans Affairs, the Office of Inspector General,
U.S. Department of Labor (which has primary criminal jurisdiction
over FECA, Black Lung and Longshore programs) and the Office of
Inspector General, U.S. Office of Personnel Management (which has
primary jurisdiction over the Federal Employees Health Benefit
Program).
\101\ The OIG has published criteria setting forth those factors
that the OIG takes into consideration in determining whether it is
appropriate to exclude a health care provider from program
participation pursuant to 42 U.S.C. 1320a-7(b)(7) for violations of
various fraud and abuse laws. See 62 FR 67392 (12/24/97).
---------------------------------------------------------------------------
3. Reporting Procedure
When reporting misconduct to the Government, a Medicare+Choice
organization should provide all evidence relevant to the alleged
violation of applicable Federal or State law(s) and any potential cost
impact. The compliance officer, with guidance from the governmental
authorities, could be requested to continue to investigate the reported
violation. Once the investigation is completed, the compliance officer
should be required to notify the appropriate governmental authority of
the outcome of the investigation, including a description of the impact
of the alleged violation on the operation of the applicable health care
programs or their beneficiaries. If the investigation ultimately
reveals criminal, civil or administrative violations have occurred, the
appropriate Federal and State officials 102 should be
notified immediately.
---------------------------------------------------------------------------
\102\ See note 100.
---------------------------------------------------------------------------
4. Corrective Actions
As previously stated, Medicare+Choice organizations should take
appropriate corrective action, including prompt identification of any
overpayment, repayment of the overpayment, modification to policies or
manuals and the imposition of proper disciplinary action, if
applicable. Failure to notify authorities of an overpayment within a
reasonable period of time could be interpreted as an intentional
attempt to conceal the overpayment from the Government, thereby
establishing an independent basis for a criminal violation with respect
to the Medicare+Choice organization, as well as any individuals who may
have been involved.103 For this reason, Medicare+Choice
compliance programs should ensure that overpayments are identified
quickly and promptly return overpayments obtained from Medicare or
other Federal health care programs.104
---------------------------------------------------------------------------
\103\ See 42 U.S.C. 1320a-7b(a)(3).
\104\ If a Medicare+Choice organization needs further guidance
regarding normal repayment channels, the organization should consult
with the CHPP. The CHPP may require certain information (e.g.,
alleged violation or issue causing overpayment, description of
overpayment, description of the internal investigative process with
methodologies used to determine any overpayments, disciplinary
actions taken and corrective actions taken) to be submitted with
return of any overpayments, and that such repayment information be
submitted to a specific department or individual in the carrier or
intermediary's organization. Interest will be assessed, when
appropriate. See 42 CFR 405.376.
---------------------------------------------------------------------------
[[Page 33887]]
III. Conclusion
Through this document, the OIG has attempted to provide a
foundation for the development of effective and comprehensive
Medicare+Choice compliance programs. These principles can also be used
by entities to develop compliance programs applicable to other Federal
and health care programs, as well as for their private lines of
business. As previously stated, however, each program must be tailored
to fit the needs and resources of an individual organization, depending
upon its particular corporate structure, mission and employee
composition. The statutes, regulations and guidelines of the Federal
and State health insurance programs, as well as the policies and
procedures of the private health plans, should be integrated into every
Medicare+Choice organization's compliance program.
The OIG recognizes that the health care industry, which reaches
millions of beneficiaries and expends about a trillion dollars
annually, is constantly evolving. In no area of the industry is this
more evident than in the growing area of managed care, particularly
Medicare managed care. As a result, the time is right for
Medicare+Choice organizations to implement strong, voluntary compliance
programs. Compliance is a dynamic process that helps to ensure
Medicare+Choice organizations are better able to fulfill their
commitment to ethical behavior and to meet the changes and challenges
being imposed upon them by the Congress and private insurers. It is
OIG's hope that voluntarily created compliance programs will enable
Medicare+Choice organizations to meet their goals of providing
efficient and quality health care and at the same time, substantially
reduce fraud, waste and abuse.
Dated: June 18, 1999.
June Gibbs Brown,
Inspector General.
[FR Doc. 99-16072 Filed 6-23-99; 8:45 am]
BILLING CODE 4150-04-P