[Federal Register Volume 64, Number 121 (Thursday, June 24, 1999)]
[Notices]
[Pages 33869-33887]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-16072]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General


Draft OIG Compliance Program Guidance for Certain Medicare+Choice 
Organizations

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice and comment period.

-----------------------------------------------------------------------

SUMMARY: This Federal Register notice seeks the comments of interested 
parties on draft compliance program guidance developed by the Office of 
Inspector General for Medicare+Choice Organizations that offer 
Coordinated Care Plans (M+CO/CCPs). Through this notice, the OIG is 
setting forth its general views on the value and fundamental principles 
of M+CO/CCP compliance programs, and the specific elements that each 
M+CO/CCP should consider when developing and implementing an effective 
compliance program.

DATES: To assure consideration, comments must be delivered to the 
address provided below by no later than 5 p.m. on July 26, 1999.

ADDRESSES: Please mail or deliver written comments to the following 
address: Office of Inspector General, Department of Health and Human 
Services, Attention: OIG-4N-CPG, Room 5246, Cohen Building, 330 
Independence Avenue, S.W., Washington, D.C. 20201.
    We do not accept comments by facsimile (FAX) transmission. In 
commenting, please refer to file code OIG-4N-CPG. Comments received 
timely will be available for public inspection as they are received, 
generally beginning approximately 2 weeks after publication of a 
document, in Room 5541 of the Office of Inspector General at 330 
Independence Avenue, S.W., Washington, D.C. 20201 on Monday through 
Friday of each week from 8:00 a.m. to 4:30 p.m.

FOR FURTHER INFORMATION CONTACT: Susan Lemanski or Barbara 
Frederickson, (202) 619-2078, Office of Counsel to the Inspector 
General.

SUPPLEMENTARY INFORMATION:

Background

    The creation of compliance program guidance has become a major 
initiative of the OIG in its efforts to engage the private health care 
community in addressing and fighting fraud and abuse. In the last 
several years, the OIG has developed and issued the following 
compliance program guidance directed at various segments of the health 
care industry:
     Clinical Laboratories (62 FR 9435; March 3, 1997, as 
amended in 63 FR 45076; August 24, 1998),
     Hospitals (63 FR 8987; February 23, 1998),
     Home Health Agencies (63 FR 42410; August 7, 1998), and
     Third-Party Medical Billing Companies (63 FR 70138; 
December 18, 1998).
    In addition, the OIG published a draft compliance guidance for 
Durable Medical Equipment, Prosthetics, Orthotics and Supply Industry 
(64 FR 4435; January 28, 1999). The guidance can also be found on the 
OIG web site at http://www.dhhs.gov/progorg/oig.
    On September 22, 1998, the OIG published a solicitation notice 
seeking information and recommendations for developing formal guidance 
for M+CO/CCPs (63 FR 50577). In response to that solicitation notice, 
the OIG received 5 comments from various parts of the industry and 
their representatives. In developing this notice for formal public 
comment, we have considered those comments, as well as previous OIG 
publications, such as other compliance program guidances, Special Fraud 
Alerts, reports issued by the OIG's Office of Audit Services and Office 
of Evaluation and Inspections. We also took into account past and 
recent fraud investigations conducted by the OIG's Office of 
Investigations and the Department of Justice, and have consulted 
directly with HCFA.

Elements Addressed in the Draft M+CO/CCP Guidance

    This draft of M+CO/CCP guidance contains the following 7 elements 
that the OIG has determined are fundamental to an effective compliance 
program:
     Implementing written policies, procedures and standards of 
conduct;
     Designating a compliance officer and compliance committee;
     Conducting effective training and education;
     Developing effective lines of communication;
     Conducting internal monitoring and auditing;
     Enforcing standards through well-publicized disciplinary 
guidelines; and
     Responding promptly to detected offenses and developing 
corrective action.
    These elements are contained in the other guidances issued by the 
OIG, indicated above. As with the other guidances, this draft 
compliance program guidance represents the OIG's suggestions on how 
M+CO/CCPs can best establish internal controls and monitoring to 
correct and prevent fraudulent activities. The contents of this 
guidance should not be viewed as mandatory or as an exclusive 
discussion of the advisable elements of a compliance program. While 
elements put forth in this draft compliance guidance are similar to 
elements HCFA has included in its conditions to contract as an M+C 
organization, the guidance is intended to present voluntary guidance to 
the industry, and not represent binding standards for M+CO/CCPs.

Public Input and Comment in Developing Final Guidance

    In an effort to ensure that all parties have an opportunity to 
provide input into the OIG's guidance, we are publishing this guidance 
in draft form. We welcome any comments from interested parties 
regarding this guidance.
    We will consider all comments that are received within the above-
cited time frame, incorporate any recommendations as appropriate, and 
will prepare and publish a final version of the M+CO/CCP guidance.

Draft Compliance Program Guidance for M+CO/CCPs (June 1999)

I. Introduction

    In its ongoing effort to work collaboratively with the health care 
industry to achieve the mutual goals of quality health care and the 
elimination of fraud, waste and abuse, the Office of Inspector General 
(OIG) of the Department of Health and Human Services (HHS) has 
encouraged voluntarily developed and implemented compliance programs 
for the health care industry. As a demonstration of the OIG's 
commitment to compliance, the OIG has issued recommendations, in the 
form of compliance program guidances, that provide suggestions 
regarding how specific segments of the industry can best implement 
compliance programs.\1\
---------------------------------------------------------------------------

    \1\ See 64 FR 4435 (1/28/99) for the draft compliance program 
guidance for the durable medical equipment, prosthetics, orthotics 
and suppliers industry; 63 FR 70138 (12/18/98) for compliance 
program guidance for third-party medical billing companies; 63 FR 
45076 (8/24/98) for compliance program guidance for clinical 
laboratories; 63 FR 42410 (8/7/98) for compliance program guidance 
for home health agencies; and 63 FR 8987 (2/23/98) for compliance 
program guidance for hospitals. These documents are also located on 
the Internet at http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

    As a result of the changing nature of the health care delivery 
system and the growing trend toward reliance on the managed care 
industry in the provision of such health care delivery, the OIG 
believes it is appropriate to issue a guidance focusing on 
Medicare+Choice organizations \2\ offering coordinated care 
plans \3\ (Medicare+Choice organizations). The OIG believes 
that the implementation of compliance plans in the managed care 
industry can provide a mechanism for further improving the quality, 
productivity and efficiency of the health care industry as a whole. 
This guidance is intended to assist Medicare+Choice organizations and 
their agents and subcontractors in developing effective internal 
controls that promote adherence to applicable Federal and State law and 
the program requirements of Federal health plans.
---------------------------------------------------------------------------

    \2\ A Medicare+Choice organization is defined as a public or 
private entity organized and licensed by a State as a risk-bearing 
entity (with the exception of provider-sponsored organizations 
receiving waivers) that is certified by the Health Care Financing 
Administration (HCFA) as meeting the Medicare+Choice contract 
requirements. See 42 CFR 422.2.
    \3\ For the purposes of this compliance program guidance, a 
``coordinated care plan'' is a plan that includes a network of 
providers that are under contract or arrangement with the 
organization to deliver the benefit package approved by HCFA. See 42 
U.S.C. 1395w-28(a)(1); 42 CFR 422.4.
---------------------------------------------------------------------------

    While the regulations implementing the Medicare+Choice program, or 
Part C, require a Medicare+Choice organization to establish a 
compliance plan,\4\ the OIG's program guidance is voluntary 
and simply is intended to provide assistance for Medicare+Choice 
organizations looking for additional direction in the development and 
implementation of a compliance program. As such, this guidance 
addresses the OIG's view on comprehensive compliance programs 
pertaining to Medicare+Choice organizations.
---------------------------------------------------------------------------

    \4\ The regulations require that any plan contracting with HCFA 
implement a compliance plan that encompasses the elements detailed 
in the Federal Sentencing Guidelines. See 42 CFR 422.501(b)(vi). 
HCFA will release an operational policy letter addressing the 
compliance requirements detailed in the regulation. In response to 
concerns from industry representatives on the short time frame for 
implementing a compliance plan, HCFA delayed the actual 
implementation date of the compliance plan until January 1, 2000.
---------------------------------------------------------------------------

    The OIG formulated this guidance specifically for Medicare+Choice 
organizations because these organizations are well-defined and somewhat 
limited in the statutory and regulatory jurisdiction of the States, as 
evidenced by the pre-emption provisions.\5\ In this guidance, we have 
focused our attention 
on Federal health care regulations governing marketing, enrollment, 
disenrollment, underutilization, data collection, anti-kickback statute 
and anti-dumping, rather than providing instruction on all aspects of 
regulatory compliance. The OIG encourages managed care organizations to 
read the guidance with the whole organization in mind, applying the 
guidance to whatever departments or divisions, including private-sector 
managed care areas, that are deemed appropriate. Indeed, many of the 
suggestions in this guidance can be used by managed care organizations 
that do not contract with HCFA. In particular, entities that 
participate in other public health care programs, such as Medicaid, may 
want to look to the general principles in this document to assist them 
in developing compliance programs.
---------------------------------------------------------------------------

    \5\ See 42 U.S.C. 1395w-26(b)(3); 42 CFR 422.402. The Federal 
preemption provisions in the Medicare+Choice regulations cover: (1) 
any State statutes, regulations, contract requirements, or any other 
standards that would otherwise apply to Medicare+Choice 
organizations only to the extent that such State laws are 
inconsistent with the standards under 42 CFR part 422; and (2) State 
laws that are specifically preempted in 42 CFR 422.402(b).
---------------------------------------------------------------------------

    Within this document, the OIG first provides its general views on 
the value and fundamental principles of Medicare+Choice organizations' 
compliance programs, and then provides specific elements that each 
Medicare+Choice organization should consider when developing and 
implementing an effective compliance program.
    Fundamentally, compliance efforts are designed to establish a 
culture within an organization that promotes prevention, detection and 
resolution of instances of conduct that do not conform to Federal and 
State law and Federal health care program requirements, as well as the 
Medicare+Choice organization's ethical and business policies. In 
practice, the compliance program should effectively articulate and 
demonstrate the organization's commitment to legal and ethical conduct. 
Eventually, a compliance program should become part of the fabric of a 
Medicare+Choice organization's routine operations.
    It is incumbent upon a Medicare+Choice organization's officers and 
managers to provide ethical leadership to the organization and to 
assure adequate systems and resources are in place to facilitate and 
promote ethical and legal conduct. Employees, managers and the 
Government will focus on the words and actions (including decisions 
made on resources devoted to compliance) of a Medicare+Choice 
organization's leadership as a measure of the organization's commitment 
to compliance. Indeed, many organizations have adopted mission 
statements articulating their commitment to high ethical standards.
    Implementing an effective compliance program requires a substantial 
commitment of time, energy and resources by senior management and the 
Medicare+Choice organization's governing body. Superficial programs 
that simply purport to comply with the elements discussed and described 
in this guidance, or programs hastily constructed and implemented 
without appropriate ongoing monitoring, will likely be ineffective and 
could expose the Medicare+Choice organization to greater liability than 
no program at all. Although an effective compliance program may require 
significant additional resources or a reallocation of existing 
resources, the long term benefits of implementing such a program 
significantly outweigh the costs. Undertaking a compliance program is a 
beneficial investment that advances the Medicare+Choice organization, 
the health of Medicare+Choice enrollees and the stability and solvency 
of the Medicare program.
A. Benefits of a Compliance Program
    The OIG believes an effective compliance program provides a 
mechanism that brings the public and private sectors together to reach 
mutual goals of reducing fraud and abuse, improving operational 
quality, improving the quality of health care and reducing the costs of 
health care. Attaining these goals provides positive results to 
business, Government, individual citizens and Medicare beneficiaries 
alike. In addition to fulfilling its legal duty to ensure that it is 
not submitting false or inaccurate information to the Government or 
providing substandard care to Medicare beneficiaries, a Medicare+Choice 
organization may gain numerous additional benefits by implementing an 
effective compliance program. These benefits may include:
     The formulation of effective internal controls to assure 
compliance with Federal regulations and internal guidelines;
     Improved collaboration, communication and cooperation 
between health care providers and the Medicare+Choice organization, as 
well as within the Medicare+Choice organization itself;
     Improved communication with and satisfaction of 
Medicare+Choice enrollees;
     The ability to more quickly and accurately react to 
employees' operational compliance concerns and the capability to 
effectively target resources to address those concerns;
     A concrete demonstration to employees and the community at 
large of the Medicare+Choice organization's strong commitment to honest 
and responsible corporate conduct;
     The ability to obtain an accurate assessment of employee 
and contractor behavior relating to fraud and abuse;
     Improved (clinical and non-clinical) quality of care and 
service;
     Improved assessment tools that could affect many or all of 
the Medicare+Choice organization's divisions or departments;
     Increased likelihood of identification and prevention of 
unlawful and unethical conduct;
     A centralized source for distributing information on 
health care statutes, regulations and other program directives related 
to fraud and abuse;
     An environment that encourages employees to report 
potential problems;
     Procedures that allow the prompt, thorough investigation 
of possible misconduct by corporate officers, managers, employees and 
independent contractors;
     An improved relationship with the Center for Health Plans 
and Providers (CHPP) at HCFA;
     Early detection and reporting, minimizing the loss to the 
Government from false claims, and thereby reducing the Medicare+Choice 
organization's exposure to civil damages and penalties, criminal 
sanctions, and administrative remedies, such as program exclusion;\6\ and
---------------------------------------------------------------------------

    \6\ The OIG, for example, will consider the existence of an 
effective compliance program that pre-dated any governmental 
investigation when addressing the appropriateness of administrative 
sanctions. However, the burden is on the Medicare+Choice 
organization to demonstrate the operational effectiveness of a 
compliance program. Further, the False Claims Act, 31 U.S.C. 3729-
3733, provides that a person who has violated the Act, but who 
voluntarily discloses the violation to the Government within thirty 
days of detection, in certain circumstances will be subject to not 
less than double, as opposed to treble, damages. See 31 U.S.C. 
3729(a). In addition, an organization will receive sentencing credit 
for an ``effective'' compliance program under the Federal Sentencing 
Guidelines. See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8C2.5. Thus, the ability to react quickly when 
violations of the law are discovered may materially reduce the 
Medicare+Choice organization's liability.
---------------------------------------------------------------------------

     An enhancement of the structure of the Medicare+Choice 
organization's separate business units.
    Overall, the OIG believes that an effective compliance program is a 
sound business investment that has the potential of enhancing the efficiency 
and effectiveness of the Medicare+Choice organization. It may also 
improve the Medicare+Choice organization's financial structure by 
addressing not only fraud and abuse concerns, but efficiency and 
productivity concerns in other operational areas.
    The OIG recognizes the implementation of an effective compliance 
program may not entirely eliminate fraud, abuse and waste from an 
organization. However, a sincere effort by a Medicare+Choice 
organization to comply with applicable Federal and State standards, 
through the establishment of an effective compliance program, 
significantly reduces the probability of unlawful or improper conduct.
B. Application of Compliance Program Guidance
    Before explaining the specific elements of a compliance program, it 
is important to emphasize several aspects of this document: its 
voluntary nature, its applicability to Medicare+Choice organizations 
that offer coordinated care plans, the collaborative nature by which it 
was developed, and its evolving nature.
    First, it should be re-emphasized that while the regulations 
implementing the Medicare+Choice program, or Part C, require a 
Medicare+Choice organization to establish a compliance plan, including 
specified elements,\7\ this program guidance is voluntary. 
Although this document presents basic procedural and structural 
guidance for designing a compliance program, it is not in itself a 
compliance program. Rather, it is a set of guidelines for consideration 
by a Medicare+Choice organization interested in obtaining specific 
information on implementing a compliance program. This guidance 
represents the OIG's suggestions on how a Medicare+Choice organization 
can establish internal controls and monitor company conduct to correct 
and prevent fraudulent activities.
---------------------------------------------------------------------------

    \7\ See note 4.
---------------------------------------------------------------------------

    It is critical for the Medicare+Choice organization to assess its 
own organization and determine its needs with regard to compliance with 
applicable Federal and State statutes and Federal health care program 
requirements. By no means should the contents of this guidance be 
viewed as an exclusive discussion of the advisable components of a 
compliance program. On the contrary, the OIG strongly encourages 
Medicare+Choice organizations to develop and implement compliance 
components that uniquely address the individual organization's risk 
areas.
    Implementing a compliance program in the managed care industry is a 
complicated venture. There are significant variances and complexities 
among Medicare+Choice organizations in terms of the type of services 
and the manner in which these services are provided to the respective 
members. For example, some Medicare+Choice organizations cover broad 
service areas, while others are focused on a particular geographic 
region. Similarly, the range of benefits covered differs among plans. 
Clearly, these differences may give rise to different substantive 
policies to ensure effective compliance. Furthermore, some 
Medicare+Choice organizations are relatively small (such as provider-
sponsored organizations (PSOs)), while others are fully integrated and 
offer Medicare+Choice plans \8\ in a wide variety of areas. 
Finally, the availability of resources for any one Medicare+Choice 
organization can differ vastly.
---------------------------------------------------------------------------

    \8\ A ``Medicare+Choice plan,'' as defined in this guidance, 
refers to health benefits coverage offered under a policy or 
contract by a Medicare+Choice organization that includes a specific 
set of health benefits offered at a uniform premium and uniform 
level of cost sharing to all Medicare beneficiaries residing in the 
service area of the Medicare+Choice plan. See 42 CFR 422.2.
---------------------------------------------------------------------------

    Notwithstanding these differences, this guidance is pertinent for 
all Medicare+Choice organizations, large or small, regardless of the 
type of services provided. The applicability of the recommendations and 
guidelines provided in this document may depend on the circumstances 
and resources of each particular Medicare+Choice organization. However, 
regardless of the organization's size and structure, the OIG believes 
every Medicare+Choice organization can and should strive to accomplish 
the objectives and major principles underlying all of the compliance 
policies and procedures recommended within this guidance.
    The OIG recognizes that the success of the compliance program 
guidance hinges on thoughtful and practical comments from those 
individuals and organizations that will utilize the tools set forth in 
this document. In a continuing effort to collaborate closely with the 
private sector, the OIG solicited input and support from the public in 
the development of this compliance program guidance.\9\ 
Further, we took into consideration previous OIG publications, such as 
Special Fraud Alerts, the recent findings and recommendations in 
reports issued by OIG's Office of Audit Services (OAS) and Office of 
Evaluation and Inspections (OEI),\10\ comments from HCFA, as 
well as the experience of past and recent fraud investigations related 
to managed care organizations \11\ conducted by OIG's Office 
of Investigations (OI) and the Department of Justice.
---------------------------------------------------------------------------

    \9\ See Solicitation of Information and Recommendations for 
Developing the OIG Compliance Program Guidance for Certain 
Medicare+Choice Organizations. 63 FR 50577 (9/22/98).
    \10\ Special Fraud Alerts are available on the OIG website at 
http://www.dhhs.gov/progorg/oig. The recent findings and 
recommendations of OAS and OEI can be located on the Internet at 
http://www.hhs.gov/progorg/oas/cats/hcfa.html and 
http://www.hhs.gov/progorg/oei, respectively.
    \11\ These investigations include findings based upon Medicare 
risk-based Health Maintenance Organizations as defined in 42 U.S.C. 
1395mm.
---------------------------------------------------------------------------

    As appropriate, this guidance may be modified and expanded as more 
information and knowledge is obtained by the OIG, and as changes in the 
law, and in the rules, policies and procedures of the Federal and State 
plans occur. The OIG understands Medicare+Choice organizations will 
need adequate time to react to these modifications and expansions and 
to make any necessary changes to their voluntary compliance programs. 
New compliance practices may eventually be incorporated into this 
guidance if the OIG discovers significant enhancements to better ensure 
an effective compliance program. We recognize the development and 
implementation of compliance programs in Medicare+Choice organizations 
often raise sensitive and complex legal and managerial issues.\12\ 
However, the OIG wishes to offer what it believes is 
critical guidance for those who are sincerely attempting to comply with 
the relevant health care statutes and regulations.
---------------------------------------------------------------------------

    \12\ Nothing stated herein should be substituted for, or used in 
lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------

II. Compliance Program Elements

    The elements proposed by these guidelines are similar to those of 
the other OIG Compliance Program Guidances \13\ and our 
corporate integrity agreements.\14\ As noted above, the 
elements represent a guide that can be tailored to fit the needs and 
financial realities of a particular Medicare+Choice organization, large 
or small, regardless of the type of services offered.
---------------------------------------------------------------------------

    \13\ See note 1.
    \14\ Corporate integrity agreements are executed as part of a 
civil settlement agreement between the health care provider and the 
Government to resolve a case based on allegations of health care 
fraud or abuse. These OIG-imposed programs are in effect for a 
period of three to five years and require many of the elements 
included in this compliance guidance.
---------------------------------------------------------------------------

    Every effective compliance program must begin with a formal 
commitment \15\ by the Medicare+Choice organization's 
governing body to include all of the applicable elements listed below. 
A good faith and meaningful commitment on the part of the 
Medicare+Choice organization's administration, especially the governing 
body and the chief executive officer (CEO), will substantially 
contribute to the program's successful implementation. These elements 
are based on the seven steps of the Federal Sentencing Guidelines.\16\ 
We believe every Medicare+Choice organization can 
implement all of the recommended elements and expand upon them, as 
appropriate.
---------------------------------------------------------------------------

    \15\ Formal commitment may include a resolution by the board of 
directors, where applicable. A formal commitment does include the 
allocation of adequate resources to ensure that each of the elements 
is addressed.
    \16\ See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, comment. (n.3(k)). The Federal Sentencing 
Guidelines are detailed policies and practices for the Federal 
criminal justice system that prescribe appropriate sanctions for 
offenders convicted of Federal crimes.
---------------------------------------------------------------------------

    At a minimum, comprehensive compliance programs should include the 
following seven elements:
    (1) The development and distribution of written standards of 
conduct, as well as written policies and procedures, that promote the 
Medicare+Choice organization's commitment to compliance and that 
address specific areas of potential fraud (e.g., the marketing process, 
and underutilization);
    (2) The designation of a chief compliance officer and other 
appropriate bodies, e.g., a corporate compliance committee, charged 
with the responsibility of operating and monitoring the compliance 
program and who report directly to the CEO and the governing body;
    (3) The development and implementation of regular, effective 
education and training programs for all affected employees;
    (4) The development of effective lines of communication between the 
compliance officer and all employees, including a process, such as a 
hotline, to receive complaints (and the adoption of procedures to 
protect the anonymity of complainants and to protect callers from 
retaliation);
    (5) The use of audits or other risk evaluation techniques to 
monitor compliance and assist in the reduction of identified problem 
areas;
    (6) The development of disciplinary mechanisms to consistently 
enforce standards and the development of policies addressing dealings 
with sanctioned and other specified individuals; and
    (7) The development of policies to respond to detected offenses and 
to initiate corrective action to prevent similar offenses.
A. Written Policies and Procedures
    Every compliance program should require the development and 
distribution of written compliance policies, standards and practices 
that identify specific areas of risk and vulnerability to the 
Medicare+Choice organization. These policies should be developed under 
the direction and supervision of the chief compliance officer and the 
compliance committee and, at a minimum, should be provided to all 
individuals who are affected by the particular policy at issue, 
including the Medicare+Choice organization's agents and independent 
contractors.\17\
---------------------------------------------------------------------------

    \17\ According to the Federal Sentencing Guidelines, an 
organization must have established compliance standards to be 
followed by its employees and other agents in order to receive 
sentencing credit. The Guidelines define ``agent'' as ``any 
individual, including a director, an officer, an employee, or an 
independent contractor, authorized to act on behalf of the 
organization.'' See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(d).
---------------------------------------------------------------------------

    Medicare+Choice organizations maintain ultimate responsibility for 
adhering to and otherwise fully complying with all terms and conditions 
of their contract with HCFA.\18\ It is with this in mind that 
the OIG strongly recommends that the Medicare+Choice organization 
coordinate with its first tier and downstream providers to establish 
compliance responsibilities,\19\ in addition to the 
contractual responsibilities required by HCFA.\20\ For 
example, OIG recommends that the Medicare+Choice organization 
coordinate with its contracting providers regarding the steps that 
should be taken by the providers to verify and confirm to the 
Medicare+Choice organization the accuracy of information and data 
submitted to the Medicare+Choice organization concerning patient 
encounters and fee-for-service claims. Once the responsibilities have 
been clearly delineated, they should be formalized in a legally 
enforceable written arrangement between the health care provider and 
the Medicare+Choice organization. The OIG recommends this document 
enumerate those functions that are shared responsibilities and those 
that are the sole responsibility of the Medicare+Choice organization.
---------------------------------------------------------------------------

    \18\ See 42 CFR 422.502(i).
    \19\ At a minimum, the Medicare+Choice organization should send 
a copy of its compliance program manual to all of its health care 
providers. The Medicare+Choice organization should also coordinate 
with its health care providers in the development of a training 
program, an audit plan and policies for investigating misconduct.
    \20\ See 42 CFR 422.502(i)(3)-(4).
---------------------------------------------------------------------------

1. Standards of Conduct
    Medicare+Choice organizations should develop standards of conduct 
for all affected employees that include a clearly delineated commitment 
to compliance by the organization's senior management and its 
divisions. To help communicate a strong and explicit organizational 
commitment to compliance goals and standards, the Medicare+Choice 
organization's governing body, CEO, chief operating officer (COO), 
general counsel, chief financial officer (CFO) and other senior 
officials should be directly involved in the development of standards 
of conduct.
    The standards should function in the same fashion as a 
constitution, i.e., as a foundational document that details the 
fundamental principles, values and framework for action within an 
organization, as well as the organization's mission and goals. The 
standards should also articulate the Medicare+Choice organization's 
commitment to comply with all Federal and State standards, with an 
emphasis on preventing fraud and abuse. The standards should not only 
address compliance with statutes and regulations, but should also set 
forth broad principles that guide employees in conducting business 
professionally and properly. In short, the standards should promote 
integrity, support objectivity and foster trust. Furthermore, a 
Medicare+Choice organization's standards of conduct should reflect a 
commitment to the highest quality health care delivery, as evidenced by 
its quality, reliability and timeliness.
2. Written Policies for Risk Areas
    As part of its commitment to compliance, Medicare+Choice 
organizations should establish a comprehensive set of written policies 
that address all applicable statutes, rules and program instructions 
that apply to each function or department of the Medicare+Choice 
organization.\21\ The 
policies should address specific areas of concern, such as marketing 
practices and data collection and submission processes. In contrast to 
the standards of conduct, which are designed to be a clear and concise 
collection of fundamental standards, the written policies should 
articulate specific procedures personnel should follow when performing 
their duties.
---------------------------------------------------------------------------

    \21\ This includes, but is not limited to, the Medicare+Choice 
provisions and the fraud and abuse provisions of the Balanced Budget 
Act of 1997, Pub.L. 105-33; the civil False Claims Act, 31 U.S.C. 
3729-3733; the criminal false claims statutes, 18 U.S.C. 287, 1001; 
the fraud and abuse provisions of the Health Insurance Portability 
and Accountability Act of 1996 (HIPAA), Pub.L. 104-191; and the 
civil monetary penalties in the Social Security Act, 42 U.S.C. 
1320a-7a and 42 U.S.C. 1395w-27(g). See also 42 CFR 422.1-422.312.
---------------------------------------------------------------------------

    In order to determine what policies and procedures are needed, the 
OIG recommends that Medicare+Choice organizations conduct a 
comprehensive self-administered risk analysis or contract for an 
independent risk analysis by experienced health care consulting 
professionals. This risk analysis should identify and rank the various 
compliance and business risks the company may experience in its daily 
operations. A Medicare+Choice organization's prior history of 
noncompliance with applicable statutes, regulations and Federal health 
care program requirements may indicate additional types of risk areas 
where the organization may be vulnerable and may require necessary 
policy measures to prevent avoidable recurrence.\22\
---------------------------------------------------------------------------

    \22\ ``Recurrence of misconduct similar to that which an 
organization has previously committed casts doubt on whether it took 
all reasonable steps to prevent such misconduct'' and is a 
significant factor in the assessment of whether a compliance program 
is effective. See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(7)(ii).
---------------------------------------------------------------------------

    The fact that Medicare+Choice organizations may be both providers 
and insurers of health care increases the number and type of risk areas 
to which a Medicare+Choice organization must be attuned, as well as the 
type of auditing and monitoring procedures that must be implemented, in 
the development of its compliance efforts. For example, an individual 
Medicare+Choice organization may contract with a variety of providers 
with different specialities and, consequently, must consider a variety 
of different risk areas.
    The regulations and operational policies issued by HCFA that 
implement the Medicare+Choice program are very comprehensive and should 
serve as the basis for the policies and procedures of a Medicare+Choice 
organization.\23\ The legal and policy requirements that 
organizations must meet to qualify as a Medicare+Choice organization 
are articulated in documentation promulgated by HCFA and other Federal 
agencies and should be considered de facto risk areas. Included among 
these risk areas are: (1) The election process; (2) benefits and 
beneficiary protections; (3) quality assurance; (4) premiums and cost 
sharing; (5) solvency, licensure and other State regulatory issues; (6) 
claims processing; and (7) appeals and grievance procedures. Given the 
detailed nature of the rules and regulations, we have not attempted in 
this document to identify each and every policy that should be 
established by a Medicare+Choice organization. Rather, based on a 
review of OIG audits, investigations and evaluations, we have identified 
the following areas of particular concern to OIG that the 
Medicare+Choice organization should consider in developing its written 
policies and procedures:\24\
---------------------------------------------------------------------------

    \23\ Medicare+Choice organizations should regularly access the 
HCFA managed care website for updates on operational policies and 
procedures. Operational Policy Letters can be located on HCFA's 
website at http://www.hcfa.gov/medicare/mgd-ops.htm.
    \24\ Medicare+Choice organizations may also want to consult the 
OIG's Work Plan when conducting the risk assessment. The OIG Work 
Plan details the various projects the OIG currently intends to 
address in the fiscal year. It should be noted that the priorities 
in the Work Plan are subject to modification and revision as the 
year progresses and the Work Plan does not represent a complete or 
final list of areas of concern to the OIG. The Work Plan is 
currently available on the Internet at http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

     Marketing materials and personnel;
     Selective marketing and enrollment;
     Disenrollment;
     Underutilization and quality of care;
     Data collection and submission processes;
     Anti-kickback statute and other inducements; and
     Anti-dumping statute.
    As noted above, the list is not all-encompassing and the 
Medicare+Choice organization should conduct additional surveys and 
statistical analysis specifically tailored to the organization's 
beneficiary population and organizational structure.\25\
---------------------------------------------------------------------------

    \25\ Although many of these areas apply specifically to 
Medicare+Choice organizations, many of the areas identified below 
have analogous issues in non-Medicare organizations. Medicare+Choice 
organizations that provide private managed care products should 
establish additional policies and procedures for risk areas that 
apply specifically to those areas. Some overlap with Medicare+Choice 
policies will likely occur, however Medicare+Choice organizations 
should segregate any policies and procedures for which HCFA has 
instituted specific reporting requirements for the Medicare 
population.
---------------------------------------------------------------------------

    The following sections provide specific guidance regarding the 
types of policies that should be implemented by Medicare+Choice 
organizations.
a. Marketing Materials and Personnel
    While each Medicare+Choice organization must comply with all of 
HCFA's detailed requirements relating to marketing their 
plans,\26\ OIG is particularly concerned that organizations 
have policies regarding: (1) the completeness and accuracy of the 
marketing materials; and (2) marketing personnel.
---------------------------------------------------------------------------

    \26\ Medicare+Choice organizations should ensure that they 
conform to fair marketing standards as set forth in the statute, the 
Medicare Managed Care National Marketing Guide (Marketing 
Guide)(which can be located on the HCFA Managed Care website at 
http://www.hcfa.gov/medicare/mgd-ops.htm) and all HCFA Operational 
Policy Letters affecting marketing matters.
---------------------------------------------------------------------------

    Accurate and useful information is crucial to the success of the 
Medicare+Choice program. OIG is very concerned that Medicare+Choice 
organizations correctly and completely describe plan information in any 
marketing materials or other materials distributed to individuals once 
enrolled in the plan. Medicare+Choice organizations that misrepresent 
or falsify information submitted to HCFA, individuals or entities are 
subject to civil monetary penalties (CMPs).\27\
---------------------------------------------------------------------------

    \27\ 42 U.S.C. 1395w-27(g).
---------------------------------------------------------------------------

    The submission of inaccurate or misleading information is of 
particular concern in light of the recent study conducted by the 
General Accounting Office (GAO) that examined 16 managed care 
organizations and found that all organizations had distributed 
materials containing inaccurate or incomplete benefit 
information.\28\ It should be noted that HCFA had reviewed and 
approved the materials from all the organizations in the GAO study. 
Given this finding, Medicare+Choice organizations should take special 
care to ensure that all marketing materials are accurate, 
notwithstanding whether the materials have been approved by 
HCFA.\29\
---------------------------------------------------------------------------

    \28\ ``Medicare+Choice: New Standards Could Improve Accuracy and 
Usefulness of Plan Literature.'' (GAO/HEHS-99-92)(April 1999).
    \29\ Medicare+Choice organizations may not distribute marketing 
materials or election forms unless they are approved by HCFA. 42 CFR 
422.80.
---------------------------------------------------------------------------

    HCFA considers marketing materials to include any material used by 
a Medicare+Choice organization to contact a Medicare beneficiary. As 
such, marketing materials go beyond the public's general conception of 
marketing materials and include general circulation brochures, 
leaflets, newspapers, magazines, television, radio, billboards, yellow 
pages, the Internet, slides and charts, and leaflets for distribution 
by providers. Such materials also include membership communication 
materials such as membership rules, subscriber agreements, or 
confirmation of enrollment.\30\ Accordingly, 
Medicare+Choice organizations should carefully scrutinize all of these 
materials for completeness, accuracy and compliance with HCFA rules.
---------------------------------------------------------------------------

    \30\ 42 CFR 422.80(b).
---------------------------------------------------------------------------

    In verifying that marketing materials meet all HCFA requirements, 
Medicare+Choice organizations should ensure that the materials contain 
an adequate written description of rules, procedures, basic benefits 
and services, and an explanation of the grievance and appeals 
process.\31\ Of particular concern to HCFA and OIG is that the 
concept of ``lock-in'' is clearly explained in all marketing material. 
Many Medicare beneficiaries are unfamiliar with the notion that managed 
care may limit their health care provider choices. Describing the 
process of selecting a primary care physician and the limitations that 
this places on a Medicare+Choice enrollee's choice of provider will 
significantly reduce the unmet expectations of Medicare beneficiaries.
---------------------------------------------------------------------------

    \31\ 42 CFR 422.80(c).
---------------------------------------------------------------------------

    Another important concept to include in the marketing materials is 
the fact that the beneficiary may be terminated from enrollment in the 
plan due to the decision of the Medicare+Choice organization not to 
renew its contract with HCFA, or due to HCFA's decision to refuse to 
renew the contract.\32\ This termination can affect the 
enrollee's\33\ eligibility for supplemental insurance and 
other benefits.
---------------------------------------------------------------------------

    \32\ 42 CFR 422.80(c)(3).
    \33\ Periodic on-site visits of the Medicare+Choice 
organization's operations, bulletins with compliance updates and 
reminders, distribution of audiotapes or videotapes on different 
risk areas, lectures at management and employee meetings, 
circulation of recent health care articles covering fraud and abuse 
and innovative changes to compliance training are various examples 
of approaches and techniques the compliance officer can employ for 
the purpose of ensuring continued interest in the compliance program 
and the Medicare+Choice organization's commitment to its principles 
and policies.
---------------------------------------------------------------------------

    Second, in light of the critical role that marketing personnel play 
in representing the plan to Medicare enrollees, the Medicare+Choice 
organization must take all appropriate steps to ensure that marketing 
personnel are presenting clear, complete and accurate information to 
potential enrollees. To that end, OIG strongly encourages 
Medicare+Choice organizations to employ their own marketing personnel, 
as opposed to contracting these responsibilities to outside 
entities.\34\ This provides the Medicare+Choice organization 
the necessary control to ensure that these individuals meet all HCFA 
guidelines. Similarly, it safeguards Medicare beneficiaries from 
practices that could seriously endanger their access to health care to 
which they are entitled, and their ability to acquire accurate and 
complete information regarding their health care options.
---------------------------------------------------------------------------

    \34\ It should be noted that Medicare+Choice organizations have 
ultimate responsibility for the acts and omissions of their marketing 
agents. See 42 CFR 422.502(i).
---------------------------------------------------------------------------

    Medicare+Choice organizations should also be aware that OIG and 
HCFA strongly discourage the use of physicians as marketing agents for 
several reasons: (1) physicians are usually not fully aware of 
membership plan benefits and costs; (2) physicians may not be the best 
source of membership information about their patients; (3) when a 
physician acts outside his or her traditional role as care provider, 
the physician's patients may be confused as to when the physician is 
acting as an agent of the plan, and when the physician is acting to 
further the interests of the patient; and (4) a physician's knowledge 
of a patient's health status increases the potential for discriminating 
in favor of Medicare beneficiaries with positive health status when 
acting as a marketing agent.\35\ Therefore, the organization 
should develop procedures to prevent the use of physicians in this way.
---------------------------------------------------------------------------

    \35\ See Marketing Guide, Chapter IV.
---------------------------------------------------------------------------

b. Selective Marketing and Enrollment
    OIG is very concerned about the practice known as ``cherry-picking,'' 
or selective marketing,\36\ in which 
Medicare+Choice organizations discriminate in the marketing and 
enrollment process based upon an enrollee's degree of risk for costly 
or prolonged treatment.\37\ Except for individuals who have 
been medically determined to have end-stage renal disease, a 
Medicare+Choice organization may not deny, limit or condition the 
coverage or furnishing of benefits to individuals eligible to enroll in 
a Medicare+Choice plan offered by the organization on the basis of any 
factor that is related to health status, including, but not limited to, 
the following: (1) Medical condition (including mental illness); (2) 
claims experience; (3) receipt of health care; (4) medical history; (5) 
genetic information; (6) evidence of insurability; and (7) 
disability.\38\ Engaging in practices that would reasonably be 
expected to have the effect of denying or discouraging enrollment by 
eligible individuals whose medical condition or history indicates the 
need for substantial future medical services subjects the 
Medicare+Choice organization to a CMP.\39\
---------------------------------------------------------------------------

    \36\ OIG is also concerned about a similar problem, known as 
``gerrymandering,'' which is an attempt to eliminate certain high 
dollar risk areas from the Medicare+Choice organization's service 
area. Medicare+Choice organizations should be sure to have policies 
in place to prohibit such practices.
    \37\ Although the Medicare+Choice program has attempted to 
alleviate many of the selective marketing practices through the use 
of risk adjustment, the phase-in period for risk-adjustment 
virtually assures that this will remain a troubling issue at least 
through 2004.
    \38\ See 42 U.S.C. 1395w-22(b)(1); 42 CFR 422.110.
    \39\ 42 U.S.C. 1857(g)(1)(D).
---------------------------------------------------------------------------

    Certain types of practices clearly fall into the category of 
cherry-picking and Medicare+Choice organizations should implement 
policies to prohibit such practices. For example, organizations should 
prohibit employees from conducting medical screening, i.e., asking the 
beneficiary medical questions prior to enrollment.\40\ In a 
1996 survey, the OIG found that such screening for health status at 
application was reported by 18 percent of beneficiaries. While this 
represented a reduction from the 1993 level of 43 percent, it still 
represents a potentially serious problem.\41\
---------------------------------------------------------------------------

    \40\ This screening can be done in a number of ways, such as by 
using cards or coupons requesting medical and other information as 
part of a survey to potential enrollees.
    \41\ ``Beneficiary Perspectives of Medicare Risk HMOs 1996.'' 
(OEI-06-95-00430) (March 1998).
---------------------------------------------------------------------------

    Another way in which Medicare+Choice organizations may 
inappropriately target healthier beneficiaries is by marketing their 
plans in places where healthy enrollees would be more likely to be 
present, such as at health and exercise clubs, or in areas that are 
difficult to access for people with disabilities (e.g., upper floors of 
buildings that do not have elevators).\42\ Similarly, 
organizations may inappropriately provide inducements to potential 
enrollees in a way that would encourage younger, healthier 
beneficiaries to enroll in the plan. For example, the offering of free 
gym memberships or kayaking or other sporting lessons would appeal to a 
healthy class of enrollees and discriminate against those who would not 
be interested in such activities.\43\
---------------------------------------------------------------------------

    \42\ In fact, Medicare+Choice organizations are required to 
allocate part of their resources to marketing to the Medicare 
population with disabilities and beneficiaries aged 65 and over. 42 
CFR 422.80(e)(2)(i).
    \43\ The statute prohibits the provision of cash or other 
monetary rebates as an inducement for enrollment in the plan. See 42 
U.S.C. 1395w-21(h)(4)(A). However, HCFA allows Medicare+Choice 
organizations to give Medicare beneficiaries nominal value gifts, 
provided that the plan offers these gifts whether or not the 
beneficiary enrolls in the plan. HCFA defines nominal value as an 
item having little or no resale value (generally, less than $10), 
which cannot be readily converted into cash. See Marketing Guide, 
Chapter II. The use of inducements is also discussed in Section 
II.B.2.f.--Anti-kickback and Other Inducements.

---------------------------------------------------------------------------

    Other examples of cherry-picking would be: (1) attempts to give 
enrollment priority to newly eligible Medicare beneficiaries (who are 
theoretically younger and healthier); (2) the tracking of costs 
incurred by enrollees who were enrolled in different settings (e.g., at 
the health fair, or at a health club), which could be used to target 
healthier enrollees in the future; or (3) re-enrollment campaigns 
targeting past plan subscribers who had low medical costs. There are 
many other subtle ways in which a Medicare+Choice organization may try 
to enroll healthy patient populations and the organization should 
implement policies to prohibit such practices.
c. Disenrollment
    In general, Medicare+Choice organizations are prohibited from 
disenrolling, or requesting or encouraging (either by action or 
inaction) an individual to disenroll from any plan it 
offers.\44\ If a Medicare+Choice organization acts to expel or 
refuses to reenroll an individual in violation of the statute, a civil 
monetary penalty can be imposed on the organization.\45\ OIG 
is particularly concerned about disenrollment in light of its recent 
review, which revealed that there was a problem with disenrollment of 
beneficiaries just prior to receiving expensive inpatient 
services.\46\
---------------------------------------------------------------------------

    \44\ Medicare+Choice organizations are entitled to disenroll 
individuals under certain circumstances, e.g., failure to pay 
premiums or engagement in disruptive behavior. 42 CFR 422.74.
    \45\ 42 U.S.C. 1857(g)(1)(C).
    \46\ ``Review of Inpatient Services Performed on Beneficiaries 
After Disenrolling from Medicare Managed Care.'' (A-07098-01256) 
(May 1999).
---------------------------------------------------------------------------

    In this review, OIG found that Medicare paid for inpatient hospital 
services amounting to $224 million in fee-for-service (FFS) payments 
within three months of beneficiaries' disenrollment from six risk plans 
during 1991 through 1996. Had these beneficiaries not disenrolled, 
Medicare would have paid the HMOs $20 million in monthly capitation 
payments. Had the beneficiaries remained in the HMOs, Medicare would 
have saved $204 million in expenditures. Included in the Medicare FFS 
payments were $41 million for beneficiaries who disenrolled, had FFS 
procedures performed, and then reenrolled into another or the same 
managed care plan.
    While this review did not identify the reasons for the 
disenrollment, one partial explanation of its findings is that 
some managed care plans may be encouraging sicker beneficiaries to 
disenroll as a way to avert their own costs at a high cost to the 
Medicare system.
    Each Medicare+Choice organization must implement policies to ensure 
that inappropriate disenrollment does not occur. Such policies should 
include clarification of when it is appropriate for medical personnel 
to discuss the concept of disenrollment. Generally speaking, OIG 
believes it would be inappropriate for medical personnel to initiate 
discussion of disenrollment or to promote disenrollment except in the 
rare circumstance where the Medicare+Choice organization cannot provide 
the covered medical items or services needed by the patient.
d. Underutilization and Quality of Care
    Medicare+Choice organizations must ensure that all covered services 
are available and accessible to all enrollees.\47\ OIG views 
the inappropriate withholding or delay of services, known as 
underutilization or ``stinting,'' as a serious concern.\48\ 
Examples of practices that can lead to underutilization and poor 
quality include the failure to employ or contract with sufficient 
institutional and individual providers to accommodate all enrollees, 
the failure to provide geographically reachable services to enrollees, 
the delay in approving or failure to approve referrals for covered 
services, the establishment of utilization review procedures that are 
so burdensome that an enrollee could not reasonably be expected to 
fulfill the requirements, and the categorical denial of payment of 
claims.
---------------------------------------------------------------------------

    \47\ 42 U.S.C. 1395w-22.
    \48\ Medicare+Choice organizations can be subject to sanction 
for failing substantially to provide medically necessary items and 
services that are required to be provided, if the failure has 
adversely affected (or has the substantial likelihood of adversely 
affecting) the individual. 42 U.S.C. 1395w-27(g)(1)(A).
---------------------------------------------------------------------------

    There are a wide variety of policies that a Medicare+Choice 
organization should implement to be sure it is providing all medically 
necessary services to its enrollees. The regulations and guidelines 
that implement the Medicare+Choice program contain numerous provisions 
that deal with this issue. While we have not attempted to develop a 
comprehensive list in this document, we would like to highlight three 
types of policies that Medicare+Choice organizations should develop 
that may help address underutilization and quality of care.
    First, Medicare+Choice organizations should have policies that 
prohibit interference with health care professionals' advice to 
enrollees. Also known as the ``gag rule,'' this prohibition extends to 
advice regarding the patient's health status, medical care, and 
treatment options, the risks, benefits and consequences of treatment or 
non-treatment, or the opportunity for the individual to refuse 
treatment and to express preferences about future treatment 
options.\49\ Failure to comply with this requirement can lead 
to sanctions.\50\
---------------------------------------------------------------------------

    \49\ 42 U.S.C. 1395w-22(j)(3), 42 C.F.R. Sec. 422.206.
    \50\ 42 U.S.C. 1395w-27(g)(1)(F).
---------------------------------------------------------------------------

    Second, Medicare+Choice organizations should be sure, to the extent 
that they utilize physician incentive plans (PIPs) in their payment 
arrangements with individual physicians or physician groups, that they 
comply with all applicable regulations. The PIPs raise utilization 
concerns because they are defined as ``any compensation arrangement 
that may directly or indirectly have the effect of reducing or limiting 
services provided to plan enrollees.''\51\ Any PIP operated 
by a Medicare+Choice organization must comply with the following 
requirements. First, it may make no payments to physicians (such as 
offerings of monetary value, including, but not limited to, stock 
options or waivers of debt\52\) to reduce or limit medically 
necessary services. Second, if the PIP puts a physician or physician 
group at ``substantial financial risk''\53\ for referral 
services, the Medicare+Choice organization must: (1) survey current and 
previously enrolled members to assess access to and satisfaction with 
the quality of services; and (2) assure that there is adequate and 
appropriate stop-loss protection.\54\ Finally, Medicare+Choice 
organizations must disclose certain information regarding their PIPs. 
These disclosure requirements apply to direct contracting arrangements, 
as well as subcontracting arrangements.\55\
---------------------------------------------------------------------------

    \51\ See 42 CFR 422.208.
    \52\ See 42 U.S.C. 1395w-22(j)(4); 42 CFR 422.208.
    \53\ ``Substantial financial risk'' threshold is set at 25 
percent of potential payments for covered services, regardless of 
the frequency of assessment (i.e., collection) or distribution of 
payments. See 42 CFR 422.208.
    \54\ See 42 CFR 422.208(c).
    \55\ See 42 CFR 422.210(a).
---------------------------------------------------------------------------

    In general, Medicare+Choice organizations should take all necessary 
steps to ensure that they comply with the Guidance on Disclosure of 
Physician Incentive Plan, the Guidance on Surveys required by the 
Physician Incentive Plan Regulation and the Physician Incentive Plan 
Regulation Requirements.\56\
---------------------------------------------------------------------------

    \56\ These documents can be found on the HCFA managed care 
website at http://www.hcfa.gov/medicare/mgd-ops.htm. Disclosure 
forms can be located at HCFA's website at 
http://www.hcfa.gov/medicare/physincp/pip-info.htm. Medicare+Choice organizations may 
elect paperless PIP disclosure. The PIP Data Entry Software is 
available on the Internet at http://www.fu.com/HPMS.

---------------------------------------------------------------------------

    Finally, OIG is aware of cases in which beneficiaries have received 
covered services from individuals that were not appropriately licensed. 
Given the serious quality of care implications of this type of 
practice, OIG is particularly concerned that Medicare+Choice 
organizations have procedures for the selection of providers, including 
criteria for the credentialing of providers. This process should 
include an application, verification of information and a site visit, 
where applicable.\57\ The information that must be verified 
includes that the individual has a valid license to practice, clinical 
privileges in good standing and appropriate educational qualifications.
---------------------------------------------------------------------------

    \57\ 42 CFR 422.204.
---------------------------------------------------------------------------

e. Data Collection and Submission Processes
    The regulations implementing the Medicare+Choice program contain 
numerous requirements relating to the data collection and submission 
process, ranging from a requirement for an effective system for 
receiving, controlling, and processing election forms\58\ to 
requirements for the timely submission of disenrollment 
notices.\59\ These requirements cover the gamut of 
requirements with which a Medicare+Choice organization must comply and 
are too detailed to enumerate in this document. Medicare+Choice 
organizations should establish a policy that all required submissions 
to HCFA be accurate, timely and complete and that all appropriate 
reporting requirements are met.\60\
---------------------------------------------------------------------------

    \58\ 42 CFR 422.60(e).
    \59\ 42 CFR 422.66(b)(3)(i).
    \60\ On a related topic, Medicare+Choice organizations should 
also be sure that their computer systems are Year 2000 (Y2K) 
compliant. A May 1999 OIG report indicates that based on a survey of 
Medicare managed care organizations, only 22 percent were Y2K ready, 
with two-thirds of the remainder reporting that they will be ready 
by December 31, 1999. The majority of the respondents were unaware 
of the Y2K readiness of their subcontractors. ``Y2K Readiness of 
Managed Care Organizations.'' (OEI-005-98-00590) (May 1999).
---------------------------------------------------------------------------

    OIG is particularly concerned that Medicare+Choice organizations 
submit accurate information when that data determines the amount of 
payment received from HCFA. The regulations require that when a 
Medicare+Choice organization requests payment under the contract, the 
CEO or CFO must certify the accuracy, completeness and truthfulness of 
relevant data, including enrollment data, encounter data, and 
information provided as part of an adjusted community rate (ACR) 
proposal.\61\ When a Medicare+Choice organization submits this 
type of data to HCFA, it is making a ``claim'' for capitation payment 
in the amount dictated by the data submitted, or in the case of the ACR 
submission, a ``claim'' to retain the portion of the capitation amount 
that is under the ACR amount, rather than providing additional 
benefits. When a Medicare+Choice organization is claiming payment (or 
the right to retain payment) based upon information submitted to HCFA, 
it must take responsibility for having taken reasonable steps to assure 
the accuracy of this information. The attestation forms developed by 
HCFA for this purpose require certification that the information 
submitted is true and accurate based on best knowledge, information, 
and belief.
---------------------------------------------------------------------------

    \61\ 42 CFR 422.502(l) and (m). See Contract for Year 2000, 
Attachments A, B and C.
---------------------------------------------------------------------------

    The requirement that the CEO or CFO certify as to the accuracy, 
completeness and truthfulness of data, based on best knowledge, 
information and belief, does not constitute an absolute guarantee of 
accuracy. Rather, it creates a duty on the Medicare+Choice organization 
to put in place an information collection and reporting system 
reasonably designed to yield accurate information. Furthermore, the 
Medicare+Choice organization must conduct audits and spot checks of 
this system to verify whether it is yielding accurate information.
    The knowing submission of false information to HCFA can lead to 
serious criminal or civil penalties.\62\ Medicare+Choice 
organizations should be sure to implement policies so that the 
enrollment, encounter and ACR data submitted to HCFA is accurate, 
complete and truthful. While information from a variety of sources can 
affect this data, Medicare+Choice organizations should take note of two 
reports issued by the OIG that have found problems in two pieces of 
this data.
---------------------------------------------------------------------------

    \62\ Falsification of documentation in any application for any 
benefit or payment under a Federal health care program is a Federal 
offense punishable by not more than $25,000 or imprisonment for 5 
years, or both. See 42 U.S.C. 1320a-7b. In addition, a CMP can be 
imposed for the misrepresentation or falsification of information 
submitted to HCFA under Medicare+Choice. See 42 U.S.C. 1395w-
27(g)(1)(E).
---------------------------------------------------------------------------

    First, OIG recommends that Medicare+Choice organizations have 
policies and procedures in place that ensure that the administrative 
component of the ACR is calculated accurately.\63\ As part of 
this process, Medicare+Choice organizations should have clearly defined 
criteria for claiming reimbursement for their administrative costs. 
These costs should not include any costs that are directly associated 
with furnishing patient care. All such costs should be allocated to the 
applicable operating component. The OIG has articulated serious 
concerns about the methodology used by managed care organizations in 
computing their administrative rate on the ACR proposal.\64\ 
For example, computing an administrative rate based on the use of a 
medical utilization factor could generate a payment that is almost 
three times what would be charged on the commercial side. The OIG 
believes that the allocation of ``administration'' should be determined 
in accordance with the Medicare program's longstanding principle that 
Medicare only pay its applicable or fair share of needed costs.
---------------------------------------------------------------------------

    \63\ The administrative component of the ACR covers any 
management, financial or other costs that are incurred by or 
allocated to a business unit for the management or administration of 
the business unit as a whole.
    \64\ See e.g., ``Administrative Costs Submitted by Risk-Based 
Health Maintenance Organizations on the Adjusted Community Rate 
Proposals are Highly Inflated.'' (A-14-97-00202) (July 1998).
---------------------------------------------------------------------------

    Second, OIG recommends that Medicare+Choice organizations have 
adequate internal controls in place to ensure that the institutional 
status of beneficiaries is reported accurately.\65\ A recent 
report issued by OIG estimated that risk-based HMOs received Medicare 
overpayments of $22.2 million for beneficiaries incorrectly classified 
as institutionalized.\66\ The incorrect classification was 
largely due to deficiencies in the HMOs' internal controls in two areas: 
(1) Verification of beneficiaries' institutional status; and (2) 
reporting of institutional beneficiaries to HCFA. The results were 
based on audits of eight statistically selected HMOs.
---------------------------------------------------------------------------

    \65\ This will remain a concern until risk adjustment is fully 
implemented.
    \66\ ``Review of Medicare Managed Care Payments for 
Beneficiaries with Institutional Status.'' (A-05-98-00046) (April 
1999).
---------------------------------------------------------------------------

f. Anti-kickback Statute and Other Inducements
    The anti-kickback statute provides criminal penalties for 
individuals or entities that knowingly and willfully offer, pay, 
solicit or receive remuneration to induce the referral of business 
reimbursable under a Federal health care program (including Medicare 
and Medicaid).\67\ The anti-kickback statute potentially applies to many 
managed care arrangements 
because a common strategy of these arrangements is to offer physicians, 
hospitals and other providers increased patient volume in return for 
substantial fee discounts. Because discounts to managed care 
organizations can constitute ``remuneration'' within the meaning of the 
anti-kickback statute, a number of health care providers have expressed 
concern that many relatively innocuous, or even beneficial, commercial 
managed care arrangements implicate the statute and may subject them to 
criminal prosecution and administrative sanctions.
---------------------------------------------------------------------------

    \67\ 42 U.S.C. 1320a-7b(b). If it is determined that a party has 
violated the anti-kickback statute, the individual or entity can be 
excluded from participation in the Medicare and other Federal health 
care programs (as defined in 42 U.S.C. 1320a-7b(f)). 42 U.S.C. 
1320a-7(b)(7). In addition, there is an administrative CMP provision 
for violating the anti-kickback statute. 42 U.S.C. 1320a-7a(a)(7).
---------------------------------------------------------------------------

    The OIG recognizes that when managed care organizations are paid a 
capitated amount for all of the services they provide regardless of the 
dates, frequency or type of services, there is no incentive for them to 
overutilize. In any event, even if overutilization occurs, the Federal 
health care programs are not at risk for these increased costs. 
Accordingly, OIG will be issuing a safe harbor from the anti-kickback 
statute that will provide protection for certain financial arrangements 
between managed care organizations (including Medicare+Choice 
organizations offering coordinated care plans) and individuals or 
entities with whom they contract for the provision of health care items 
or services, where a Federal health care program pays such 
organizations on a capitated basis.\68\
---------------------------------------------------------------------------

    \68\ This safe harbor was developed in accordance with section 
216 of HIPAA and section 14 of the Medicare and Medicaid Patient and 
Program Protection Act of 1987 (Pub. L. 100-93) through a negotiated 
rulemaking process that began in the spring of 1997. For a more 
detailed description of the negotiated rulemaking, see the Committee 
Statement of the Negotiated Rulemaking Committee on the Shared Risk 
Exception (January 22, 1998), which can be found on the Internet at 
http://www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

    In general, the safe harbor protects payments between managed care 
organizations (including Medicare+Choice organizations offering 
coordinated care plans) and individuals or entities with which it has 
direct contracts to provide or arrange for the provision of items or 
services.\69\ While this is a broad exception, there are three 
important limitations.
---------------------------------------------------------------------------

    \69\ In addition, arrangements between direct contractors and 
all subcontractors or successive tiers of subcontractors are 
protected, as long as the arrangement is for the provision of health 
care items or services that are covered by the arrangement between 
the direct contractor and the managed care organization and the 
arrangement meets the requirements applicable to arrangements 
between the direct contractor and the managed care organization.
---------------------------------------------------------------------------

    The first significant limitation is that there is no protection if 
the financial arrangements under the managed care agreement are 
implicitly or explicitly part of a broader agreement to steer fee-for-
service Federal health care program business to the entity giving the 
discount to induce the referral of managed care business. Specifically, 
we understand that most managed care organizations have multiple 
relationships with their contractors and subcontractors for the 
provision of services for various product lines, including non-federal 
HMOs, preferred provider organizations (PPOs) and point of service 
networks. Consequently, although neither a managed care organization 
receiving a capitated payment from a Federal health care program nor 
its contractors or subcontractors has an incentive to overutilize items 
or services or pass additional costs back to the Federal health care 
programs under the capitated arrangement, we are concerned that a 
managed care organization or contractor may offer (or be offered) a 
reduced rate for its items or services in the Federal capitated 
arrangement in order to have the opportunity to participate in other 
product lines that do not have stringent payment or utilization 
constraints. This practice is a form of a practice known as 
``swapping;'' in the case of managed care arrangements, low capitation 
rates could be traded for access to additional fee-for-service lines of 
business. We are concerned when these discounts are in exchange for 
access to fee-for-service lines of business, where there is an 
incentive to overutilize services provided to Federal health care 
program beneficiaries.
    For example, we would have concerns where an HMO with a Medicare 
risk contract under Medicare Part C also has an employer-sponsored PPO 
that includes retirees and requires participating providers to accept a 
low capitation rate for the Medicare HMO risk patients in exchange for 
access to the Medicare fee-for-service patients in the PPO. Although in 
such circumstances the cost to the Medicare program for the risk-based 
HMO beneficiaries will not be increased, there may be increased 
expenditures for Medicare beneficiaries in the PPO arrangement, because 
the providers may have an incentive to increase services to the 
Medicare enrollees in the PPO to offset the discounted rates to the 
Medicare HMO. Accordingly, such arrangements could violate the anti-
kickback statute and should not be protected.
    A second limitation on the regulatory safe harbor protection is 
that it only applies to remuneration for health care items and services 
and those items or services reasonably related to the provision of 
health care items and services. It does not cover marketing services or 
any services provided prior to a beneficiary's enrollment in a health 
plan.
    Finally, the broad protection is limited to risk-based managed care 
plans that do not claim any payment from a Federal health care program 
other than the capitated amount set forth in the managed care 
organization's agreement with the Federal health care program. Where 
the managed care plan, its contractors or its subcontractors are 
permitted to seek additional payments from any of the Federal health 
care programs, the regulatory safe harbor protection is significantly 
more limited. For example, protection is not extended to arrangements 
with subcontractors when the contract under section 1876 of the Social 
Security Act is cost-based or where the prime contract is protected 
solely because the contracting entity is a Federally-qualified HMO. In 
the first instance, reimbursement from the Federal health care program 
is based on costs, and in the latter case, services for Medicare 
enrollees are reimbursed on a fee-for-services basis. In both 
instances, reimbursement will increase with utilization, thus providing 
the same incentive to overutilize as any fee-for-service payment 
methodology.
    While the new safe harbor will provide protection from the anti-
kickback statute for most arrangements between Medicare+Choice 
organizations and their contractors, Medicare+Choice organizations 
should also have policies in place that ensure that any incentives 
offered to beneficiaries and potential beneficiaries do not run afoul 
of the anti-kickback statute or the new civil monetary penalty relating 
to incentives to beneficiaries.\70\ The CMP was enacted in 
section 231(h) of HIPAA (42 U.S.C. 1320a-7a(a)(5)) and imposes sanctions 
against individuals or entities that offer remuneration to a program 
beneficiary that they know, or should know, will influence the 
beneficiary's decision to order or receive items or services from a 
particular provider, practitioner or supplier reimbursable by Medicare 
or the State health care programs.
---------------------------------------------------------------------------

    \70\ Our concerns regarding the use of inducements in a manner 
that leads to enrollment of only healthy beneficiaries, such as 
offering memberships to exercise clubs for purposes of patient 
screening, are discussed above in Section II.B.2.b.-Selective 
Marketing and Enrollment.
---------------------------------------------------------------------------

    Pending the publication of the final rule implementing this CMP, we 
can provide the following guidance. It is our view that organizations 
that provide incentives to Federal health care program beneficiaries to 
enroll in a plan are not offering remuneration to induce the enrollees 
to use a particular provider, practitioner or supplier. Accordingly, we 
anticipate that organizations that provide incentives to enroll in a 
plan will not be subject to sanctions under this provision. However, 
incentives provided by organizations to induce a beneficiary to use a 
particular provider, practitioner or supplier once the beneficiary has 
enrolled in a plan are within the purview of this CMP and are 
prohibited if they do not meet an exception. For example, incentives 
given to beneficiaries by a particular physician group within the 
physician panel of a Medicare+Choice organization to encourage the 
beneficiary to use that physician group over another physician in the 
panel would be prohibited.
g. Anti-Dumping
    The OIG and HCFA believe that there may be special concerns 
regarding the provision of emergency services to enrollees of 
Medicare+Choice plans. The anti-dumping statute \71\ imposes 
specific obligations on Medicare-participating hospitals that offer 
emergency services to individuals presenting themselves at the hospital 
seeking possible emergency treatment. While the obligations under the 
anti-dumping statute prohibit a hospital from inquiring into the 
patient's method of payment or insurance status, it has come to our 
attention that many hospitals routinely seek authorization from a 
Medicare+Choice enrollee's primary care physician or from the 
Medicare+Choice organization when a Medicare+Choice enrollee requests 
emergency services. The OIG and HCFA are cognizant that many managed 
care organizations require their enrollees to seek prior authorization 
for some medical services, including emergency services and that there 
are circumstances when patients should be informed of their potential 
financial liability. However, both the OIG and HCFA have concerns that 
a Medicare+Choice enrollee may be unduly influenced by hospital 
personnel to leave the hospital without obtaining necessary 
care.\72\
---------------------------------------------------------------------------

    \71\ See 42 U.S.C. 1395dd. A separate provision prohibits 
Medicare+Choice organizations requiring enrollees to obtain prior 
authorization for emergency services. See 42 U.S.C. 1395w-
22(d)(1)(E).
    \72\ OIG and HCFA have issued a proposed Special Advisory 
Bulletin on this topic. See 63 FR 67486 (12/7/98).
---------------------------------------------------------------------------

    It is the view of OIG and HCFA that the anti-dumping statute 
requires that notwithstanding the terms of any managed care contractual 
arrangements, the provisions of the anti-dumping statute govern the 
obligations of hospitals to screen and provide stabilizing treatment to 
any patient presenting at an emergency facility. No contract between a 
hospital and managed care organization can excuse the hospital from the 
anti-dumping statute obligations. Once a Medicare+Choice enrollee comes 
to the hospital that offers emergency services, the law requires that 
the hospital must provide the services required under the anti-dumping 
statute without regard to the patient's insurance status or any prior 
authorization of such insurance. All Medicare+Choice organizations 
should have policies in place to ensure that these requirements are 
met.
    Medicare+Choice organizations should be particularly careful of 
these requirements in the event that they participate in the so-called 
``dual staffing'' of emergency departments. Dual staffing refers to the 
situation where hospitals have entered into arrangements allowing a 
managed care organization to station its own physicians in the 
hospital's emergency department for the purpose of screening and 
treating managed care enrollees. Implementation of dual staffing raises 
some concerns under the anti-dumping statute, particularly where 
different procedures and protocols have been established for each 
staff.
3. Retention of Records and Information Systems
    Medicare+Choice organizations' compliance programs should provide 
for the implementation of a records retention system. This system 
should establish policies and procedures regarding the creation, 
distribution, retention, storage, retrieval and destruction of 
documents. The three types of documents developed under this system 
should include: (1) All records and documentation required by either 
Federal or State law and the program requirements of Federal and State 
health plans; (2) records listing the persons responsible for 
implementing each part of the compliance plan; and (3) all records 
necessary to protect the integrity of the Medicare+Choice 
organization's compliance process and confirm the effectiveness of the 
program. The documentation necessary to satisfy the third requirement 
includes: evidence of adequate employee training; reports from the 
Medicare+Choice organization's hotline; results of any investigation 
conducted as a consequence of a hotline call; modifications to the 
compliance program; self-disclosure; all written notifications to 
providers regarding compliance activities; \73\ and the 
results of the Medicare+Choice organization's auditing and monitoring 
efforts.
---------------------------------------------------------------------------

    \73\ This should include notifications regarding quality of care 
issues; confusing or inaccurate encounter data; and termination of 
the contract.
---------------------------------------------------------------------------

    In light of the increasing reliance on electronic data interchange 
by the health care industry, Medicare+Choice organizations should take 
particular care in establishing procedures for maintaining the 
integrity of their data collection systems. This should include 
procedures for regularly backing up data (either by diskette, 
restricted system or tape) collected in connection with all aspects of 
the Medicare+Choice program requirements.
4. Compliance as an Element of a Performance Plan
    Compliance programs should require that the promotion of, and 
adherence to, the elements of the compliance program be a factor in 
evaluating the performance of all employees. Employees should be 
periodically trained in new compliance policies and procedures. 
Policies should require that managers:
     Discuss with all supervised employees and relevant 
contractors the compliance policies and legal requirements applicable 
to their function;
     Inform all supervised personnel that strict compliance 
with these policies and requirements is a condition of employment; and
     Disclose to all supervised personnel that the 
Medicare+Choice organization will take disciplinary action up to and 
including termination for violation of these policies or requirements.
    In addition to making performance of these duties an element in 
evaluations, the compliance officer or company management should 
include a policy that managers and supervisors will be sanctioned for 
failure to instruct adequately their subordinates or for failure to 
detect noncompliance with applicable policies and legal requirements, 
where reasonable diligence on the part of the manager or supervisor 
should have led to the discovery of any problems or violations.

B. Designation of a Compliance Officer and a Compliance Committee
1. Compliance Officer
    Every Medicare+Choice organization should designate a compliance 
officer to serve as the focal point for compliance activities. This 
responsibility may be the individual's sole duty or added to other 
management responsibilities, depending upon the size and resources of 
the Medicare+Choice organization and the complexity of the task.
    Designating a compliance officer with the appropriate authority is 
critical to the success of the program, necessitating the appointment 
of a high-level official in the Medicare+Choice organization with 
direct access to the company's governing body, the CEO and all other 
senior management and legal counsel.\74\ While it is important 
that the compliance officer have appropriate authority, we are not 
suggesting that the compliance officer should have programmatic 
responsibility for the various aspects of the Medicare+Choice program. 
For example, the compliance officer should have full authority to stop 
the submission of data that he or she believes is problematic until 
such time as the issue in question has been resolved. In addition, the 
compliance officer should be copied on the results of all internal 
audit reports and work closely with key managers to identify aberrant 
trends in the areas that require certification. The compliance officer 
must have the authority to review all documents and other information 
that are relevant to compliance activities, including, but not limited 
to, beneficiary records (where appropriate) and records concerning the 
marketing efforts of the facility and the Medicare+Choice organization 
arrangements with other parties, including employees, professionals on 
staff, relevant independent contractors, suppliers, agents, 
supplemental staffing entities and physicians. This policy enables the 
compliance officer to review contracts and obligations (seeking the 
advice of legal counsel, where appropriate) that may contain referral 
and payment provisions that could violate statutory or regulatory 
requirements.
---------------------------------------------------------------------------

    \74\ The OIG believes that it is not advisable for the 
compliance function to be subordinate to the Medicare+Choice 
organization's general counsel, comptroller or similar company 
financial officer. Free-standing compliance functions help to ensure 
independent legal reviews and financial analyses of the 
institution's compliance activities. By separating the compliance 
function from the key management positions of general counsel or CFO 
(where the size and structure of the organization make this a 
feasible option), a system of checks and balances is established to 
more effectively achieve the compliance program's goals.
---------------------------------------------------------------------------

    Coordination and communication are the key functions of the 
compliance officer with regard to planning, implementing and monitoring 
the compliance program. With this in mind, the OIG recommends the 
Medicare+Choice organization's compliance officer closely coordinate 
compliance functions with providers' compliance officers.
    The compliance officer should have sufficient funding and staff to 
fully perform his or her responsibilities. These duties should include:
     Overseeing and monitoring the implementation of the 
compliance program; \75\
---------------------------------------------------------------------------

    \75\ For multi-site Medicare+Choice organizations, the OIG 
encourages coordination with each facility owned by the 
Medicare+Choice organization through the use of compliance liaisons 
at each site.
---------------------------------------------------------------------------

     Reporting on a regular basis to the Medicare+Choice 
organization's governing body, CEO and compliance committee on the 
progress of implementation and assisting these components in 
establishing methods to improve the Medicare+Choice organization's 
efficiency and quality of services and to reduce the Medicare+Choice 
organization's vulnerability to fraud, abuse and waste;
     Periodically revising the program in light of changes in 
the organization's needs and in the law and policies and procedures of 
Government and private payor health plans;
     Reviewing employees' certifications stating that they have 
received, read and understood the standards of conduct;
     Developing, coordinating and participating in a 
multifaceted educational and training program that focuses on the 
elements of the compliance program and seeks to ensure that all 
appropriate employees and management are knowledgeable of, and comply 
with, pertinent Federal and State standards;
     Coordinating personnel issues with the Medicare+Choice 
organization's human resources/personnel office (or its equivalent) to 
ensure that providers and employees do not appear in the List of 
Excluded Individuals/Entities and the GSA list of debarred contractors; 
\76\
---------------------------------------------------------------------------

    \76\ See note 94.
---------------------------------------------------------------------------

     Assisting the Medicare+Choice organization's management in 
coordinating internal compliance review and monitoring activities, 
including annual or periodic reviews of departments;
     Independently investigating and acting on matters related 
to compliance, including the flexibility to design and coordinate 
internal investigations (e.g., responding to reports of problems or 
suspected violations) and any resulting corrective action with all 
departments, providers and sub-providers, agents and, if appropriate, 
independent contractors;
     Developing policies and programs that encourage managers 
and employees to report suspected fraud and other improprieties without 
fear of retaliation; and
     Continuing the momentum of the compliance program and the 
accomplishment of its objectives long after the initial years of 
implementation.
2. Compliance Committee
    The OIG recommends that a compliance committee be established to 
advise the compliance officer and assist in the implementation of the 
compliance program.\77\ When assembling a team of people to 
serve as the Medicare+Choice organization's compliance committee, the 
company should include individuals with a variety of 
skills.\78\ The OIG strongly recommends that the compliance 
officer manage the compliance committee. Once a managed care 
organization chooses the people that will accept the responsibilities 
vested in members of the compliance committee, the organization must 
train these individuals on the policies and procedures of the 
compliance program.
---------------------------------------------------------------------------

    \77\ The compliance committee benefits from having the 
perspectives of individuals with varying responsibilities in the 
organization, such as operations, finance, audit, human resources, 
utilization review, medicine, claims processing, information 
systems, legal, marketing, enrollment and disenrollment as well as 
employees and managers of key operating units. These individuals 
should have the requisite seniority and comprehensive experience 
within their respective departments to implement any necessary 
changes in the company's policies and procedures.
    \78\ A Medicare+Choice organization should expect its compliance 
committee members and compliance officer to demonstrate high 
integrity, good judgment, assertiveness and an approachable 
demeanor, while eliciting the respect and trust of employees of the 
organization. The compliance committee members should also have 
significant professional experience in working with quality 
assurance, enrollment, marketing, clinical records and auditing 
principles.
---------------------------------------------------------------------------

    The committee's responsibilities should include:
     Analyzing the organization's regulatory environment, the 
legal requirements with which it must comply and specific risk areas;
     Assessing existing policies and procedures that address 
these areas for possible incorporation into the compliance program;
     Working with appropriate departments, as well as 
affiliated providers, to develop standards of conduct and policies and 
procedures that promote allegiance to the 
organization's compliance program;
     Recommending and monitoring, in conjunction with the 
relevant departments, the development of internal systems and controls 
to carry out the organization's standards, policies and procedures as 
part of its daily operations;
     Determining the appropriate strategy/approach to promote 
compliance with the program and detection of any potential violations, 
such as through hotlines and other fraud reporting mechanisms;
     Developing a system to solicit, evaluate and respond to 
complaints and problems; and
     Monitoring internal and external audits and investigations 
for the purpose of identifying troublesome issues and deficient areas 
experienced by the Medicare+Choice organization and implementing 
corrective and preventive action.
    The committee may also address other functions as the compliance 
concept becomes part of the overall operating structure and daily 
routine.
C. Conducting Effective Training and Education
    The proper education and training of corporate officers, managers, 
employees and the continual retraining of current personnel at all 
levels are significant elements of an effective compliance program. 
Where feasible, the Medicare+Choice organization should afford outside 
contractors and its provider clients the opportunity to participate in 
the organization's compliance training and educational programs. The 
contractors and provider clients should be encouraged to develop their 
own compliance programs that complement the Medicare+Choice 
organization's compliance program.
1. Formal Training Programs
    In order to ensure the appropriate information is being 
disseminated to the correct individuals, the Medicare+Choice 
organization training program should include both a general session and 
specialized sessions on specific risk areas. All employees should 
attend the general session on compliance. Employees whose job 
responsibilities implicate specific risk areas (e.g., marketing or 
capitated reimbursement rules) should attend the specialized sessions.
    The OIG recommends attendance and participation at training 
programs be made a condition of continued employment and that failure 
to comply with training requirements should result in disciplinary 
action, including possible termination, when such failure is serious. 
The Medicare+Choice organization should retain adequate records of its 
training of employees, including attendance logs and material 
distributed at training sessions. New employees should be targeted for 
training early in their employment, and to the extent that they perform 
complicated tasks with greater organizational legal exposure, should be 
monitored closely until all training is completed.
a. General Sessions
    As part of their compliance programs, Medicare+Choice organizations 
should require all affected employees to attend annual training that 
emphasizes the organization's commitment to compliance with all Federal 
and State statutes and requirements, and the policies of private 
payors. This training should highlight the organization's compliance 
program, summarize fraud and abuse statutes and regulations, Federal 
and State health care program requirements, documentation requirements 
for data submission and marketing practices that reflect current legal 
and program standards.
    As part of the initial training, the standards of conduct should be 
distributed to all employees. Every employee, as well as contracted 
consultants, should be required to sign and date a statement that 
reflects the employee's knowledge of, and commitment to the standards 
of conduct. This attestation should be retained in the employee's 
personnel file. For contracted consultants, the attestation should 
become part of the contract and remain in the file that contains such 
documentation. To ensure that employees continuously meet the expected 
high standards set forth in the code of conduct, any employee handbook 
delineating or expanding upon these standards of conduct should be 
regularly updated as applicable statutes, regulations and Federal 
health care program requirements are modified.\79\ 
Medicare+Choice organizations should provide an additional attestation 
in the modified standards that stipulates the employee's knowledge of, 
and commitment to, the modifications.
---------------------------------------------------------------------------

    \79\ While the OIG recognizes that not all standards, policies 
and procedures need to be communicated to all employees, it believes 
that the bulk of the standards that relate to complying with fraud 
and abuse laws and other ethical areas should be addressed and made 
part of all employees' training.
---------------------------------------------------------------------------

b. Specialized Training
    Because Medicare+Choice organizations are responsible for 
compliance in all of the risk areas mentioned in section II.A. above, 
the OIG recommends Medicare+Choice organizations require individuals 
who are involved in the risk areas to receive specialized training. For 
example, marketing employees should receive training on the marketing, 
enrollment, disenrollment and anti-kickback policies. All employees who 
work with beneficiaries or providers regarding medical services should 
receive appropriate training on the risks associated with under-
utilization. Those employees who are involved in developing enrollment, 
encounter and ACR data should receive training on HCFA policies in 
these areas. Clarifying and emphasizing these areas of concern through 
training and educational programs are particularly relevant to a 
Medicare+Choice organization's marketing and financial personnel, in 
that the pressure to meet business goals may render these employees 
particularly vulnerable to engaging in prohibited practices.
    The OIG recommends Medicare+Choice organizations' compliance 
programs address the need for periodic professional education courses 
for personnel. Such courses would be in addition to the internal 
training sessions provided by the organization. For example, the 
Medicare+Choice organization should ensure that data submission 
personnel receive annual professional training on the updated policies, 
requirements and directives for the current year.
c. Format of the Training Program
    The OIG suggests all relevant levels of personnel be made part of 
various educational and training programs of the Medicare+Choice 
organization. Employees should be required to have a minimum number of 
educational hours per year, as appropriate, as part of their employment 
responsibilities. A variety of teaching methods, such as interactive 
training and training in several different languages (including the 
translation of standards of conduct and other materials), particularly 
where a Medicare+Choice organization has a culturally diverse staff, 
should be implemented so that all affected employees are knowledgeable 
about the institution's standards of conduct and procedures for 
alerting senior management to problems and concerns. In addition, the 
materials should be written at appropriate reading levels for targeted 
employees. All training

[[Page 33882]]

materials should be designed to take into account the skills, knowledge 
and experience of the individual trainees. Post-training tests can be 
used to assess the success of training provided and employee 
comprehension of the billing company's policies and procedures.
2. Informal and Ongoing Compliance Training
    It is essential that compliance issues remain at the forefront of 
the Medicare+Choice organization's priorities. The organization must 
demonstrate its commitment by continuing to disseminate the compliance 
message. One effective mechanism to achieve this goal is to publish a 
monthly compliance newsletter. This would allow the Medicare+Choice 
organization to address specific examples of problems the company 
encountered during its ongoing audits and risk analysis, while 
reinforcing the company's firm commitment to the general principles of 
compliance and ethical conduct. The newsletter could also include the 
risk areas identified in current OIG publications or investigations. 
Finally, the Medicare+Choice organization could use the newsletter as a 
mechanism to address areas of ambiguity in the marketing, utilization 
review and data submission process, and to notify employees of 
significant legal or regulatory developments. The Medicare+Choice 
organization should maintain its newsletters in a central location to 
document the guidance offered and provide new employees with access to 
guidance previously provided. Other written materials, such as posters, 
fliers or articles in other company publications, could also be used to 
disseminate the compliance message.
    Another effective method of maintaining the presence of the 
compliance message is to maintain a website devoted to compliance 
issues. This could be linked to the homepage of the organization. Many 
organizations have chosen to maintain these sites internally on the 
Intranet to alleviate any confidentiality concerns. The Intranet (or 
Internet) also facilitates the use of hypertext links that allow the 
organization to maintain a centralized source on statutory, regulatory 
and other program guidance disseminated by HCFA,\80\ the OIG, 
the Department of Justice and the Congress. These links, along with any 
other webpages that the Medicare+Choice organization deems pertinent 
and useful can be assembled on a single site that can, by hypertext 
link, provide access to all of these useful resources.
---------------------------------------------------------------------------

    \80\ HCFA's Medicare+Choice webpage is located at 
http://www.hcfa.gov/medicare/mgdcar1.htm.
---------------------------------------------------------------------------

D. Developing Effective Lines of Communication
    An open line of communication between the compliance officer and 
Medicare+Choice organization personnel, as well as among the 
organization, health care providers and enrollees, is critical to the 
successful implementation of a compliance program and the reduction of 
any potential for fraud, abuse and waste. Each organization should have 
in place both a mechanism for the reporting of improper conduct, as 
well as a mechanism for more routine types of communication among the 
compliance officer and relevant groups.
1. Hotline or Other System for Reports of Potential Misconduct
    Each Medicare+Choice organization should have in place a hotline or 
other mechanism \81\ through which employees, enrollees or 
other parties can report potential violations of the organization's 
compliance policies or of Federal or State health care program 
requirements. In any event, several independent reporting paths should 
be created for an employee to report fraud, waste or abuse so that such 
reports cannot be diverted by supervisors or other personnel. If the 
organization establishes a hotline, the telephone number should be made 
readily available to all employees, enrollees and independent 
contractors, by circulating the number on wallet cards or conspicuously 
posting the telephone number in common work areas.\82\
---------------------------------------------------------------------------

    \81\ The OIG recognizes that it may not be financially feasible 
for a small Medicare+Choice organization to maintain a telephone 
hotline dedicated to receiving calls solely on compliance issues. 
These companies may explore alternative methods, e.g., contracting 
with an independent source to provide hotline services or 
establishing a written method of confidential disclosure.
    \82\ Medicare+Choice organizations should also post in a 
prominent, available area the HHS-OIG Hotline telephone number, 
1-800-447-8477 (1-800-HHS-TIPS), in addition to any organization's 
hotline number that may be posted.
---------------------------------------------------------------------------

    Matters reported through the hotline or other communication sources 
that suggest violations of compliance policies, Federal and State 
health care program requirements, regulations or statutes should be 
documented and investigated promptly to determine their veracity. A log 
should be maintained by the compliance officer that records such calls, 
including the nature of any investigation and its results.\83\ 
Such information should be included in reports to the governing body, 
the CEO and compliance committee.
---------------------------------------------------------------------------

    \83\ To efficiently and accurately fulfill such an obligation, 
the Medicare+Choice organization should create an intake form for 
all compliance issues identified through reporting mechanisms. The 
form could include information concerning the date the potential 
problem was reported, the internal investigative methods utilized, 
the results of any investigation, any corrective action implemented, 
any disciplinary measures imposed and any overpayments and monies 
returned.
---------------------------------------------------------------------------

    Employees, enrollees and providers should be permitted to report 
matters on a confidential basis. To encourage such reporting, written 
confidentiality and non-retaliation policies should be developed and 
distributed to all employees, enrollees and providers to encourage 
communication and the reporting of incidents of potential 
fraud.\84\ While the Medicare+Choice organization should 
always strive to maintain the confidentiality of the reporter's 
identity, the policies should explicitly communicate that there may be 
a point where the individual's identity may become known or may have to 
be revealed.
---------------------------------------------------------------------------

    \84\ The OIG believes that whistleblowers should be protected 
against retaliation, a concept embodied in the provisions of the 
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees 
sue their employers under the False Claims Act's qui tam provisions 
out of frustration because of the company's failure to take action 
when a questionable, fraudulent or abusive situation was brought to 
the attention of senior corporate officials.
---------------------------------------------------------------------------

    The OIG recognizes that assertions of fraud and abuse by those who 
may have participated in illegal conduct or committed other malfeasance 
raise numerous complex legal and management issues that should be 
examined on a case-by-case basis. The compliance officer should work 
closely with legal counsel to obtain guidance on these issues.
2. Routine Communication/Access to the Compliance Officer
    While it is crucial that Medicare+Choice organizations have 
effective systems in place for the reporting of suspected misconduct, 
it is equally important that the compliance officer foster more routine 
communication both among its employees and among its health care 
providers and enrollees.
    With respect to its own employees, the OIG encourages the 
establishment of procedures for personnel to seek clarification from 
the compliance officer or members of the compliance committee in the 
event of any confusion or question regarding a company policy, practice 
or procedure. Questions and responses should be documented and dated 
and, if appropriate, shared with other staff so that standards, 
policies, practices and procedures can be updated and improved to 
reflect any

[[Page 33883]]

necessary changes or clarifications. The compliance officer may want to 
solicit employee input in developing these communication and reporting 
systems. The methods discussed above relating to ongoing training and 
education are an integral part of this communication.\85\
---------------------------------------------------------------------------

    \85\ In addition to methods of communication used by current 
employees, an effective employee exit interview program could be 
designed to solicit information from departing employees regarding 
potential misconduct and suspected violations of the Medicare+Choice 
organization's policy and procedures.
---------------------------------------------------------------------------

    The communication and coordination function of the compliance 
program serves an even more critical role in the context of the managed 
care environment because the managed care entity serves as an 
intermediary between the health care provider and the 
enrollee.\86\ In fact, the raison d'etre of a managed care 
organization is to coordinate the care of its enrollees. As with 
providers, communications with beneficiaries and communications with 
HCFA (and its designees) must demonstrate the highest level of 
integrity, honesty and judgment. The Medicare+Choice organization 
should implement methods to encourage communication among its enrollees 
and providers. For example, a Medicare+Choice organization should 
communicate the results of audits, disenrollment surveys, utilization 
data and quality of care determinations to its contracting suppliers 
and providers in order to facilitate open discussion regarding 
appropriate health care delivery.
---------------------------------------------------------------------------

    \86\ An ``enrollee'' is defined in this compliance program 
guidance as any Medicare+Choice eligible individual who has elected 
a Medicare+Choice plan offered by a Medicare+Choice organization. 
See 42 CFR 422.2.
---------------------------------------------------------------------------

E. Auditing and Monitoring
    An ongoing evaluation process is critical to a successful 
compliance program. The OIG believes an effective program should 
incorporate thorough monitoring of its implementation and regular 
reporting to senior company officers.\87\ Compliance reports 
created by this ongoing monitoring, including reports of suspected 
noncompliance, should be maintained by the compliance officer and 
reviewed with the Medicare+Choice organization's senior management and 
the compliance committee. The extent and frequency of the audit 
function may vary depending on factors such as the size of the company, 
the resources available to the company, the company's prior history of 
noncompliance and the risk factors that are prevalent in a particular 
organization.
---------------------------------------------------------------------------

    \87\ Even when a facility is owned by a larger corporate entity, 
the regular auditing and monitoring of the compliance activities of 
an individual facility must be a key feature in any annual review. 
Appropriate reports on audit findings should be periodically 
provided and explained to a parent-organization's senior staff and 
officers.
---------------------------------------------------------------------------

    Although many monitoring techniques are available, one effective 
tool to promote and ensure compliance is the performance of regular, 
periodic compliance audits by internal or external auditors who have 
expertise in Federal and State health care statutes, regulations and 
Federal health care program requirements. The audits should focus on 
the Medicare+Choice organization's programs or divisions, including 
external relationships with third-party contractors, specifically those 
with substantive exposure to Government enforcement actions. The audits 
should be sure to cover the range of programmatic requirements of the 
Medicare+Choice program. In particular, the audits should focus on the 
risk areas identified earlier in this document, especially the data and 
information which affects payments by Medicare. Finally, the 
Medicare+Choice organization should focus on any areas of specific 
concern identified within that organization and those that may have 
been identified by any outside agency, whether Federal or State.
    Monitoring techniques may include sampling protocols that permit 
the compliance officer to identify and review variations from an 
established baseline.\88\ Significant variations from the 
baseline should trigger a reasonable inquiry to determine the cause of 
the deviation. If the inquiry determines that the deviation occurred 
for legitimate, explainable reasons, the compliance officer or manager 
may want to limit any corrective action or take no action. If it is 
determined that the deviation was caused by improper procedures, 
misunderstanding of rules, including fraud and systemic problems, the 
Medicare+Choice organization should take prompt steps to correct the 
problem.\89\ Any overpayments discovered as a result of such 
deviations should be reported promptly to HCFA (or its designees), with 
appropriate documentation and a thorough explanation of the reason for 
the overpayment.\90\
---------------------------------------------------------------------------

    \88\ The OIG recommends that when a compliance program is 
established in a Medicare+Choice organization, the compliance 
officer, with the assistance of department managers, take a 
``snapshot'' of the organization's operations from a compliance 
perspective. This assessment can be undertaken by outside 
consultants, law or accounting firms, or internal staff, with 
authoritative knowledge of health care compliance requirements. This 
``snapshot,'' often used as part of benchmarking analysis, becomes 
a baseline for the compliance officer and other managers to judge 
the Medicare+Choice organization's progress in reducing or 
eliminating potential areas of vulnerability. Medicare+Choice 
organizations should track statistical data on utilization review 
and quality data based on customer satisfaction and renewal data. 
This will facilitate identification of problem areas and elimination 
of potential areas of abusive or fraudulent conduct.
    \89\ Prompt steps to correct the problem include contacting the 
appropriate provider in situations where the provider's actions 
contributed to the problem.
    \90\ In addition, when appropriate, as referenced in section 
G.2, below, reports of fraud or systemic problems should also be 
made to the appropriate governmental authority.
---------------------------------------------------------------------------

    An effective compliance program should also incorporate periodic 
(at a minimum, annual) reviews of whether the program's compliance 
elements have been satisfied, e.g., whether there has been appropriate 
dissemination of the program's standards, training, ongoing educational 
programs and disciplinary actions.\91\ This process will 
verify actual conformance by all departments with the compliance 
program. Such reviews may support a determination that appropriate 
records have been created and maintained to document the implementation 
of an effective program.
---------------------------------------------------------------------------

    \91\ One way to assess the knowledge, awareness and perceptions 
of the Medicare+Choice organization's staff is through the use of a 
validated survey instrument (e.g., employee questionnaires, 
interviews or focus groups).
---------------------------------------------------------------------------

    The reviewers involved in any audits should:
     Possess the qualifications and experience necessary to 
adequately identify potential issues with the subject matter to be 
reviewed;
     Be independent of line management;
     Have access to existing audit and health care resources, 
relevant personnel and all relevant areas of operation;
     Present written evaluative reports on compliance activities 
to the CEO, governing body, members of the compliance committee and its 
provider clients on a regular basis, but not less than annually; and
     Specifically identify areas where corrective actions are 
needed.
    In the Medicare+Choice context, a variety of different methods will 
be necessary to adequately monitor and evaluate the ongoing operations 
of the Medicare+Choice organization. In general, OIG recommends the use 
of techniques such as on-site visits, questionnaires (for providers, 
enrollees and employees), and trend analyses, to name just 
several.\92\ Because the

[[Page 33884]]

auditing and monitoring function is very different and much more 
complex in the managed care context than in any other segment of the 
health care industry, we have provided additional guidance on the 
methods to be used in evaluating selected risk areas.
---------------------------------------------------------------------------

    \92\ Medicare+Choice organizations may want to consult HCFA's 
Contractor Performance Monitoring System Manual to get additional 
ideas for monitoring methods. In addition, organizations may want to 
consult the OAS website for information on conducting audits, 
including information on statistical sampling (RAT-STATS). See note 
10.
---------------------------------------------------------------------------

1. Marketing/Enrollment/Disenrollment
    Developing a system for evaluating the compliance of the marketing, 
enrollment and disenrollment functions of a Medicare+Choice 
organization requires innovative techniques. Each Medicare+Choice 
organization will have to develop an individualized method as to how to 
obtain this data. Some of the methods that the OIG suggests include: 
the use of secret shoppers; surveying current enrollees; \93\ 
and conducting exit interviews with former enrollees (particularly 
those that disenrolled just prior to obtaining an expensive service) on 
their experience with the Medicare+Choice marketing and enrollment 
process. Once this data is collected, it must be maintained in a format 
that can be accessed readily.
---------------------------------------------------------------------------

    \93\ It should be noted, while this method may be less 
expensive, it may not provide unbiased data, particularly in the 
area of selective marketing. In fact, in the selective marketing 
area, the data may be skewed significantly in favor of the 
Medicare+Choice organization.
---------------------------------------------------------------------------

    In an effort to integrate the monitoring function with its training 
function, Medicare+Choice organizations may wish to test their 
marketing staff on their knowledge of the company's policies and 
procedures, as well as the Federal and State statutes that govern the 
marketing process. This assessment can be developed to take on many 
formats. Many companies have customized interactive software to test 
employees' knowledge of relevant policies and procedures. It may also 
be formulated in the traditional written version.
    Methods used to monitor marketing agents include the analysis of 
disenrollment data to identify marketing agents with high and low 
percentages of member disenrollments within a set number of days (e.g., 
90 days). In addition, Medicare+Choice organizations may want to 
establish enrollment verification systems requiring that a different 
individual from the sales agent meet with beneficiaries who have 
applied for enrollment to ensure that they understand restrictions of 
the plan, such as the lock-in provision.
    Finally, it is essential for all marketing materials to be reviewed 
by the general counsel's office to ensure that they do not mislead, 
confuse or misrepresent any aspect of the plan. Similarly, they should 
also be examined by the claims processing department and utilization 
review office for consistency with the policies, procedures and 
practices of these departments.
2. Underutilization and Quality of Care
    Procedures for tracking and reporting utilization review data are 
vital to the success of any compliance endeavor. Medicare+Choice 
organizations should periodically review the service areas that are 
part of the Medicare+Choice organization to ensure that enrollees are 
receiving adequate access to care. In reviewing service areas, 
Medicare+Choice organizations should collect data on the number of 
primary care physicians in the service area, the number and type of 
specialists in the service area, the waiting time for appointments, the 
telephone access to the Medicare+Choice organization and the problems 
associated with the coordination of care. All of this data should be 
maintained in a database in a format that can be used to generate 
statistical data and analysis.
    Medicare+Choice organizations should ensure that there are adequate 
systems in place to monitor underutilization and inappropriate denials. 
Such procedures include collecting data on utilization patterns and 
detecting aberrant patterns. This data should be checked against 
utilization rates in the industry. This function could be performed by 
a medical affairs department that is responsible for regular review of 
claims, the payment system, encounter data and medical record review to 
assess the degree to which care is under (or over) utilized.
    Similarly, the Medicare+Choice organization should survey its 
enrollees on utilization patterns and whether they felt they were 
subjected to inadequate health care services or inappropriate denials. 
Such survey results should be reviewed and investigated, when 
appropriate. Generally, these may be skewed in favor of the 
Medicare+Choice organization if the enrollees are current members. 
Presumably, if an enrollee was truly dissatisfied with the 
Medicare+Choice organization's attitude toward enrollee rights, the 
enrollee would have disenrolled from the plan. As a result, a 
Medicare+Choice organization should evaluate both current enrollee 
satisfaction surveys and exit interview surveys of former enrollees.
    Medicare+Choice organizations have a good source of information 
regarding utilization issues, simply by tracking the type of appeals 
and grievances they receive from beneficiaries. This information should 
be tracked in a database that can be easily accessed by type of 
grievance or appeal and results.
3. Data Collection and Submission Processes
    Given the importance of the enrollment, encounter and ACR data, the 
Medicare+Choice organization should develop ways to audit this 
information to assure its accuracy. For example, encounter data should 
be sampled periodically to determine its accuracy and reliability. As a 
part of that process, Medicare+Choice organizations must detail in 
their contractual relationships with providers the access that they 
will need to the provider's medical record documentation.
4. Anti-Kickback and Other Inducements
    Medicare+Choice organizations should periodically review their 
contractual documents and discussions with providers to ensure that 
``swapping'' is not occurring, which would cause such relationships to 
fall outside the applicable safe harbor. In addition, contracts with 
marketing personnel should be reviewed by legal counsel to be sure they 
do not violate applicable statutes and regulations.
F. Enforcing Standards Through Well-Publicized Disciplinary 
Guidelines and Policies Regarding Dealings With Ineligible Persons
    The OIG recommends that all Medicare+Choice organizations' 
compliance programs include several key policies in the area of 
personnel/human resources. The first deals with the establishment and 
consistent application of appropriate disciplinary policies to deal 
with improper conduct and the second deals with the employment of 
certain ineligible individuals.
1. Consistent Enforcement of Disciplinary Policies
    An effective compliance program should include guidance regarding 
disciplinary action for all employees who have failed to comply with 
the Medicare+Choice organization's standards of conduct, policies and 
procedures, Federal health care program requirements, or Federal and 
State laws, or those who have otherwise engaged in wrongdoing. It is 
vital to publish and disseminate the range of possible disciplinary 
actions for improper

[[Page 33885]]

conduct and to educate officers and other staff regarding these 
standards. Employees should be advised that disciplinary action may be 
appropriate where a responsible employee's failure to detect a 
violation is attributable to his or her negligence or reckless conduct. 
The sanctions could range from oral warnings to suspension, termination 
or other sanctions, as appropriate. While each situation must be 
considered on a case-by-case basis to determine the appropriate 
sanction, intentional or reckless noncompliance should subject 
transgressors to significant sanctions.
    The written standards of conduct should elaborate on the procedures 
for handling disciplinary problems and identify who will be responsible 
for taking appropriate action. For example, while disciplinary actions 
can be handled by department managers, others may have to be resolved 
by a more senior official of the organization. Personnel should be 
advised by the organization that disciplinary action will be taken on a 
fair and equitable basis, that is, all levels of employees should be 
subject to similar disciplinary action for the commission of similar 
offenses. Managers and supervisors should be held accountable to 
implement the disciplinary policy consistently so that the policy will 
have the required deterrent effect.
2. Employment of and Contracting With Ineligible Persons
    All Medicare+Choice organizations should use care when delegating 
substantial discretionary authority to make decisions that may involve 
compliance with the law or compliance oversight. In particular, the 
organization should ensure that it does not delegate such 
responsibilities to individuals or entities that it knows, or should 
have known, have a propensity to engage in inappropriate or improper 
conduct. Pursuant to the compliance program, the Medicare+Choice 
organization's policies should prohibit the employment of or 
contracting with individuals or entities who have been recently 
convicted of a criminal offense related to health care or who are 
listed as debarred, excluded or otherwise ineligible for participation 
in Federal health care programs. The policies should require the 
Medicare+Choice organization to utilize Government resources to 
determine whether such individuals or entities are debarred or 
excluded. These resources should be used both to screen potential 
employees (as part of the employment application process, which should 
also include a reasonable and prudent background investigation) and to 
periodically check existing employees and contractors.
    Lists of debarred and excluded individuals and entities are 
currently maintained by both the OIG and the General Services 
Administration.\94\ By approximately January 2000, the 
Healthcare Integrity Protection Data Bank (HIPDB) will be available to 
Medicare+Choice organizations (for a nominal fee) to use in conducting 
these checks on employees and contractors.\95\ The HIPDB is an 
electronic data collection program that will collect, store and 
disseminate reports on practitioners, providers and suppliers that have 
been the subject of health care related final adverse actions in 
criminal, civil and administrative proceedings. The final adverse 
actions to be reported to the HIPDB include criminal convictions or 
civil judgments related to the delivery of health care, actions by 
Federal or State agencies responsible for licensing or certification of 
health care providers, suppliers and practitioners, and exclusions from 
Federal or State health care programs.
---------------------------------------------------------------------------

    \94\ OIG's List of Excluded Individuals/Entities is available on 
the Internet at http://www.dhhs.gov/progorg/oig and the General 
Services Administration list of debarred contractors is available on 
the Internet at http://www.arnet.gov/epls.
    \95\ See 42 U.S.C. 1320a-7e.
---------------------------------------------------------------------------

    Pending the resolution of any known criminal charges or proposed 
debarment or exclusion, the OIG recommends that such individuals should 
be removed from direct responsibility for, or involvement in, any 
Federal health care program.\96\ Similarly, with regard to 
current employees or independent contractors, if resolution of the 
matter results in conviction, debarment or exclusion, then the 
Medicare+Choice organization should remove the individual from direct 
responsibility for, or involvement with, the organization's business 
operations related to Federal health care programs. In addition, they 
should remove such person from any position for which the person's 
salary or other items or services rendered, ordered, or prescribed by 
the person are paid in whole or part, directly or indirectly, by 
Federal health care programs or otherwise with Federal funds, at least 
until such time as the person is reinstated into participation in the 
Federal health care programs.
---------------------------------------------------------------------------

    \96\ Prospective employees who have been officially reinstated 
into the Medicare and Medicaid programs by the OIG may be considered 
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------

G. Responding to Detected Offenses and Developing Corrective Action 
Initiatives
    Violations of the Medicare+Choice organization's compliance 
program, failures to comply with applicable Federal or State law, rules 
and program instructions and other types of misconduct threaten a 
Medicare+Choice organization's status as a reliable, honest and 
trustworthy company. Detected but uncorrected misconduct can seriously 
endanger the mission, reputation and legal status of the organization. 
Consequently, upon reports or reasonable indications of suspected 
noncompliance, it is important that the chief compliance officer or 
other management officials promptly investigate the conduct in question 
to determine whether a material violation of applicable law, rule or 
program instruction or the requirements of the compliance program has 
occurred, and if so, take steps to correct the problem.\97\ As 
appropriate, such steps may include an immediate referral to criminal 
and/or civil law enforcement authorities, a corrective action plan, a 
report to the Government,\98\ and the notification to the 
provider of any discrepancies or overpayments, if applicable.
---------------------------------------------------------------------------

    \97\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a 
health care program is not solely determinative of whether or not 
the conduct should be investigated and reported to governmental 
authorities. In fact, there may be instances where there is no 
readily identifiable monetary loss at all, but corrective action and 
reporting are still necessary to protect the integrity of the 
applicable program and its beneficiaries.
    \98\ The OIG currently maintains a provider self-disclosure 
protocol that encourages providers to report suspected fraud. The 
concept of self-disclosure is premised on a recognition that the 
Government alone cannot protect the integrity of the Medicare and 
other Federal health care programs. Health care providers must be 
willing to police themselves, correct underlying problems and work 
with the Government to resolve these matters. The self-disclosure 
protocol can be located on the OIG's website at http://www.dhhs.gov/
progorg/oig.
---------------------------------------------------------------------------

    The Medicare+Choice organization should document its efforts to 
comply with applicable statutes, regulations and Federal health care 
program requirements. For example, where a Medicare+Choice 
organization, in its efforts to comply with a particular statute, 
regulation or program requirement, requests advice from a Government 
agency charged with administering a Federal health care program, the 
Medicare+Choice organization should document and retain a record of the 
request and any written or oral response. This step is extremely 
important if the Medicare+Choice organization intends to rely on that 
response to guide it in future decisions, actions or appeals. A log of 
oral inquiries between the Medicare+Choice organization and third 
parties will help the organization document its attempts at compliance. 
In

[[Page 33886]]

addition, the Medicare+Choice organization should maintain records 
relevant to the issue of whether its reliance was ``reasonable,'' and 
whether it exercised due diligence in developing procedures to 
implement the advice.
1. Violations and Investigations
    Depending upon the nature of the alleged violations, an internal 
investigation will probably include interviews and a review of relevant 
documents. Medicare+Choice organizations should consider engaging 
outside counsel, auditors or health care experts to assist in an 
investigation. Records of the investigation should contain 
documentation of the alleged violation, a description of the 
investigative process (including the objectivity of the investigators 
and methodologies utilized), copies of interview notes and key 
documents, a log of the witnesses interviewed and the documents 
reviewed, the results of the investigation, e.g., any disciplinary 
action taken and any corrective action implemented. Although any action 
taken as the result of an investigation will necessarily vary depending 
upon the Medicare+Choice organization and the situation, 
Medicare+Choice organizations should strive for some consistency by 
utilizing sound practices and disciplinary protocols. Further, after a 
reasonable period, the compliance officer should review the 
circumstances that formed the basis for the investigation to determine 
whether similar problems have been uncovered or modifications of the 
compliance program are necessary to prevent and detect other 
inappropriate conduct or violations.
    If an investigation of an alleged violation is undertaken and the 
compliance officer believes the integrity of the investigation may be 
at stake because of the presence of employees under investigation, 
those subjects should be removed from their current work activity until 
the investigation is completed (unless an internal or Government-led 
undercover operation known to the Medicare+Choice organization is in 
effect). In addition, the compliance officer should take appropriate 
steps to secure or prevent the destruction of documents or other 
evidence relevant to the investigation. If the Medicare+Choice 
organization determines disciplinary action is warranted, it should be 
prompt and imposed in accordance with the organization's written 
standards of disciplinary action.
2. Reporting
    If the compliance officer, compliance committee or a management 
official discovers credible evidence of misconduct from any source and, 
after reasonable inquiry, has reason to believe that the misconduct may 
violate criminal, civil or administrative law,\99\ then the 
Medicare+Choice organization should report the existence of misconduct 
promptly to the appropriate Government authority \100\ within 
a reasonable period, but not more than 60 days after determining that 
there is credible evidence of a violation. Prompt reporting will 
demonstrate the Medicare+Choice organization's good faith and 
willingness to work with governmental authorities to correct and remedy 
the problem. In addition, reporting such conduct will be considered a 
mitigating factor by the OIG in determining administrative sanctions 
(e.g., penalties, assessments and exclusion), if the reporting company 
becomes the target of an OIG investigation.\101\
---------------------------------------------------------------------------

    \99\ When making the determination of credible misconduct, the 
Medicare+Choice organization should consider, among other statutes, 
18 U.S.C. 669 [holding an individual(s) criminally liable for 
knowingly and willfully embezzling, stealing or otherwise converting 
to the use of any person other than the rightful owner or 
intentionally misapplying any of the monies, funds * * * premiums, 
credits, property or assets of a health care benefit program] and 18 
U.S.C. 2 [establishing criminal liability for an individual(s) who 
commits an offense against the United States or aids, abets, 
counsels, commands, induces or procures its commission as punishable 
as the principal]. In making this determination, the Medicare+Choice 
organization should also consider the civil False Claims Act, 31 
U.S.C. 3729, which imposes treble damages and penalties on those 
(including subcontractors) who knowingly submit false claims for 
Federal funds, or cause their submission, or who knowingly prepare 
false records or statements to get such false claims paid. Under the 
civil False Claims Act, ``knowingly'' means that a person ``has 
actual knowledge of the information, acts in deliberate ignorance of 
the truth or falsity of the information, or acts in reckless 
disregard of the truth or falsity of the information, and no proof 
of specific intent to defraud is required.'' 31 U.S.C. 3729.
    \100\ Appropriate Federal and/or State authorities include the 
Office of Inspector General of the Department of Health and Human 
Services, the Criminal and Civil Divisions of the Department of 
Justice, the U.S. Attorneys in the relevant districts, and the other 
investigative arms for agencies administering the affected Federal 
or State health care programs, such as the State Medicaid Fraud 
Control Unit, the Defense Criminal Investigative Service, the 
Department of Veterans Affairs, the Office of Inspector General, 
U.S. Department of Labor (which has primary criminal jurisdiction 
over FECA, Black Lung and Longshore programs) and the Office of 
Inspector General, U.S. Office of Personnel Management (which has 
primary jurisdiction over the Federal Employees Health Benefit 
Program).
    \101\ The OIG has published criteria setting forth those factors 
that the OIG takes into consideration in determining whether it is 
appropriate to exclude a health care provider from program 
participation pursuant to 42 U.S.C. 1320a-7(b)(7) for violations of 
various fraud and abuse laws. See 62 FR 67392 (12/24/97).
---------------------------------------------------------------------------

3. Reporting Procedure
    When reporting misconduct to the Government, a Medicare+Choice 
organization should provide all evidence relevant to the alleged 
violation of applicable Federal or State law(s) and any potential cost 
impact. The compliance officer, with guidance from the governmental 
authorities, could be requested to continue to investigate the reported 
violation. Once the investigation is completed, the compliance officer 
should be required to notify the appropriate governmental authority of 
the outcome of the investigation, including a description of the impact 
of the alleged violation on the operation of the applicable health care 
programs or their beneficiaries. If the investigation ultimately 
reveals criminal, civil or administrative violations have occurred, the 
appropriate Federal and State officials \102\ should be 
notified immediately.
---------------------------------------------------------------------------

    \102\ See note 100.
---------------------------------------------------------------------------

4. Corrective Actions
    As previously stated, Medicare+Choice organizations should take 
appropriate corrective action, including prompt identification of any 
overpayment, repayment of the overpayment, modification to policies or 
manuals and the imposition of proper disciplinary action, if 
applicable. Failure to notify authorities of an overpayment within a 
reasonable period of time could be interpreted as an intentional 
attempt to conceal the overpayment from the Government, thereby 
establishing an independent basis for a criminal violation with respect 
to the Medicare+Choice organization, as well as any individuals who may 
have been involved.\103\ For this reason, Medicare+Choice 
compliance programs should ensure that overpayments obtained from 
Medicare or other Federal health care programs are identified quickly 
and returned promptly.\104\
---------------------------------------------------------------------------

    \103\ See 42 U.S.C. 1320a-7b(a)(3).
    \104\ If a Medicare+Choice organization needs further guidance 
regarding normal repayment channels, the organization should consult 
with the CHPP. The CHPP may require certain information (e.g., 
alleged violation or issue causing overpayment, description of 
overpayment, description of the internal investigative process with 
methodologies used to determine any overpayments, disciplinary 
actions taken and corrective actions taken) to be submitted with 
return of any overpayments, and that such repayment information be 
submitted to a specific department or individual in the carrier or 
intermediary's organization. Interest will be assessed, when 
appropriate. See 42 CFR 405.376.

---------------------------------------------------------------------------

[[Page 33887]]

III. Conclusion

    Through this document, the OIG has attempted to provide a 
foundation for the development of effective and comprehensive 
Medicare+Choice compliance programs. These principles can also be used 
by entities to develop compliance programs applicable to other Federal 
and health care programs, as well as for their private lines of 
business. As previously stated, however, each program must be tailored 
to fit the needs and resources of an individual organization, depending 
upon its particular corporate structure, mission and employee 
composition. The statutes, regulations and guidelines of the Federal 
and State health insurance programs, as well as the policies and 
procedures of the private health plans, should be integrated into every 
Medicare+Choice organization's compliance program.
    The OIG recognizes that the health care industry, which reaches 
millions of beneficiaries and expends about a trillion dollars 
annually, is constantly evolving. In no area of the industry is this 
more evident than in the growing area of managed care, particularly 
Medicare managed care. As a result, the time is right for 
Medicare+Choice organizations to implement strong, voluntary compliance 
programs. Compliance is a dynamic process that helps to ensure 
Medicare+Choice organizations are better able to fulfill their 
commitment to ethical behavior and to meet the changes and challenges 
being imposed upon them by the Congress and private insurers. It is 
OIG's hope that voluntarily created compliance programs will enable 
Medicare+Choice organizations to meet their goals of providing 
efficient and quality health care and at the same time, substantially 
reduce fraud, waste and abuse.

    Dated: June 18, 1999.
June Gibbs Brown,
Inspector General.
[FR Doc. 99-16072 Filed 6-23-99; 8:45 am]