[Federal Register Volume 64, Number 128 (Tuesday, July 6, 1999)]
[Notices]
[Pages 36368-36389]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-16945]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General


Publication of OIG Compliance Program Guidance for the Durable 
Medical Equipment, Prosthetics, Orthotics and Supply Industry

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This Federal Register notice sets forth the recently issued 
Compliance Program Guidance for the Durable Medical Equipment, 
Prosthetics, Orthotics and Supply Industry that has been developed by 
the Office of Inspector General in cooperation with, and with input 
from, the Health Care Financing Administration (HCFA), the Department 
of Justice (DOJ) and representatives of various trade associations and 
health care practice groups. The OIG has previously developed and 
published compliance program guidance focusing on hospitals, clinical 
laboratories, home health agencies, and third-party medical billing 
companies. We believe that the development and issuance of this 
compliance guidance will serve as a positive step towards promoting a 
higher level of ethical and lawful conduct throughout the entire health 
care industry.

FOR FURTHER INFORMATION CONTACT: Christine Pullifrone, Office of 
Counsel to the Inspector General, (202) 619-2078.

SUPPLEMENTARY INFORMATION:

Background

    The creation of compliance program guidances has been an important 
undertaking by the OIG in its effort to engage the health care 
community in combating fraud and abuse. In formulating this compliance 
guidance, the OIG has worked closely with HCFA, and has received input 
from interested parties and industry trade associations. The 4 
previously-issued compliance program guidances focused on the hospital 
industry, home health agencies, clinical laboratories and third-party 
medical billing companies. The development of these types of compliance 
program guidances are based on our belief that a health care provider 
can efficiently use internal controls to monitor adherence to 
applicable statutes, regulations and program requirements.

Guidance for the DMEPOS Industry

    On August 7, 1998, the OIG published a solicitation notice (63 FR 
42409) seeking information and recommendations for developing guidance 
for the durable medical equipment, prosthetics, orthotics and supply 
(DMEPOS) industry. In response to that solicitation notice, the OIG 
received numerous comments from various parts of the industry and from 
their representatives. We carefully considered those comments, as well 
as consulted with DOJ, HCFA and the durable medical equipment regional 
carriers in developing a draft compliance program guidance for the 
DMEPOS industry. In an effort to ensure that all parties had a 
reasonable opportunity to provide input into a final product, the draft 
guidance for the DMEPOS industry was published in the Federal Register 
on January 28, 1999 (64 FR 4436) for further comment and 
recommendations.

Elements for an Effective Compliance Program

    Through experience, the OIG has identified 7 fundamental elements 
applicable to an effective compliance program. They are:
     Implementing written policies, procedures and standards of 
conduct;
     Designating a compliance officer and compliance committee;
     Conducting effective training and education;
     Developing effective lines of communication;
     Enforcing standards through well-publicized disciplinary 
guidelines;
     Conducting internal monitoring and auditing; and
     Responding promptly to detected offenses and developing 
corrective action.
    Using these 7 elements, the OIG has identified specific areas of 
DMEPOS industry operations that may prove to be vulnerable to fraud and 
abuse. Like previously-issued OIG compliance guidance, adoption of the 
Compliance Program Guidance for the Durable Medical Equipment, 
Prosthetics, Orthotics and Supply Industry set forth below will be 
strictly voluntary.
    A reprint of the newly-issued compliance program guidance follows:

Office of Inspector General's Compliance Program Guidance for the 
Durable Medical Equipment, Prosthetics, Orthotics and Supply 
Industry (June 1999)

I. Introduction

    The Office of Inspector General (OIG) of the Department of Health 
and Human

[[Page 36369]]

Services (HHS) continues in its efforts to promote voluntarily 
developed and implemented compliance programs for the health care 
industry. The following compliance program guidance is intended to 
assist suppliers 1 of durable medical equipment,2 
prosthetics,3 orthotics,4 and supplies 
5 (DMEPOS) and their agents and subcontractors (referred to 
collectively in this document as DMEPOS suppliers) develop effective 
internal controls that promote adherence to applicable Federal and 
State law, and the program requirements of Federal, State and private 
health plans.6 The adoption and implementation of voluntary 
compliance programs significantly advance the prevention of fraud, 
abuse, and waste in these health care plans while at the same time 
further the fundamental mission of all DMEPOS suppliers, which is to 
provide quality items, service, and care to patients.
---------------------------------------------------------------------------

    \1\ The term ``supplier'' is defined in this document as an 
entity or individual, including a physician or Part A provider, that 
sells or rents Part B covered DMEPOS items and meets the Medicare 
supplier standards. See 42 CFR 424.57(a).
    \2\ The term ``durable medical equipment'' is applied in this 
document as defined in 42 U.S.C. 1395x(n).
    \3\ The term ``prosthetics'' and ``prosthetic devices'' are 
applied in this document as defined in 42 U.S.C. 1395x(s)(9) and 
(s)(8), respectively.
    \4\ The term ``orthotics'' is applied in this document as 
defined in 42 U.S.C. 1395x(s)(9).
    \5\ The term ``supplies'' includes home dialysis supplies and 
equipment as described in 42 U.S.C. 1395x(s)(2)(f); surgical 
dressings and other devices as described in 42 U.S.C. 1395x(s)(5); 
immunosuppressive drugs as described in 42 U.S.C. 1395x(s)(2)(J); 
and any other items or services designated by the Health Care 
Financing Administration (HCFA).
    \6\ The OIG recognizes that not every supplier provides durable 
medical equipment, prosthetics, orthotics and supplies. However, a 
compliance program incorporating the elements in this guidance can 
be used by all suppliers regardless of the items/services they 
provide.
---------------------------------------------------------------------------

    Within this document, the OIG first provides its general views on 
the value and fundamental principles of DMEPOS suppliers' compliance 
programs, and then provides the specific elements that each DMEPOS 
supplier should consider when developing and implementing an effective 
compliance program. While this document presents basic procedural and 
structural guidance for designing a compliance program, it is not in 
itself a compliance program. Rather, it is a set of guidelines to be 
considered by a DMEPOS supplier interested in implementing a compliance 
program.
    The OIG recognizes the size-differential that exists between 
operations of the different DMEPOS suppliers and organizations that 
compose the DMEPOS industry. Appropriately, this guidance is pertinent 
for all DMEPOS suppliers, regardless of size (in terms of employees and 
gross revenue); number of locations; type of equipment provided; or 
corporate structure. The applicability of the recommendations and 
guidelines provided in this document depends on the circumstances of 
each individual DMEPOS supplier. However, regardless of a DMEPOS 
supplier's size or structure, the OIG believes that every DMEPOS 
supplier can and should strive to accomplish the objectives and 
principles underlying all of the compliance policies and procedures 
recommended within this guidance.
    Fundamentally, compliance efforts are designed to establish a 
culture within a DMEPOS supplier that promotes prevention, detection, 
and resolution of instances of conduct that do not conform to Federal 
and State law, and Federal, State and private payor health care program 
requirements, as well as the DMEPOS supplier's ethical and business 
policies. In practice, the compliance program should effectively 
articulate and demonstrate the DMEPOS supplier's commitment to ethical 
conduct. Benchmarks that demonstrate implementation and achievements 
are essential to any effective compliance program. Eventually, a 
compliance program should become part of the fabric of routine DMEPOS 
supplier operations.
    Specifically, compliance programs guide a DMEPOS supplier's 
owner(s), governing body (e.g., board of directors or trustees), chief 
executive officer (CEO), president, vice president(s), managers, sales 
representatives, billing personnel, and other employees in the 
efficient management and operation of a DMEPOS supplier. They are 
especially critical as an internal quality assurance control in the 
reimbursement and payment areas, where claims and billing operations 
are often the source of fraud and abuse, and therefore, historically 
have been the focus of Government regulation, scrutiny, prosecution and 
sanctions.
    It is incumbent upon a DMEPOS supplier's owner(s), corporate 
officers, and managers to provide ethical leadership to the 
organization and to assure that adequate systems are in place to 
facilitate ethical and legal conduct. Employees, managers, and the 
Government will focus on the words and actions of a DMEPOS supplier's 
leadership as a measure of the organization's commitment to compliance. 
Indeed, many DMEPOS suppliers have adopted mission statements 
articulating their commitment to high ethical standards. A formal 
compliance program, as an additional element in this process, offers a 
DMEPOS supplier a further concrete method that may improve quality of 
service and reduce waste. Compliance programs also provide a central 
coordinating mechanism for furnishing and disseminating information and 
guidance on applicable Federal and State statutes, regulations, and 
Federal, State and private health care program requirements.
    Implementing an effective compliance program requires a substantial 
commitment of time, energy, and resources by senior management and the 
DMEPOS supplier's governing body.7 Superficial programs that 
simply have the appearance of compliance without being wholeheartedly 
adopted and implemented by the DMEPOS supplier or programs that are 
hastily constructed and implemented without appropriate ongoing 
monitoring will likely be ineffective and could expose the DMEPOS 
supplier to greater liability than no program at all. Although it may 
require significant additional resources or reallocation of existing 
resources to implement an effective compliance program, the long term 
benefits of implementing the program significantly outweigh the costs. 
Undertaking a voluntary compliance program is a beneficial investment 
that advances both the DMEPOS supplier's organization and the stability 
and solvency of the Medicare program.
---------------------------------------------------------------------------

    \7\ Recent case law suggests that the failure of a corporate 
Director to attempt in good faith to institute a compliance program 
in certain situations may be a breach of a Director's fiduciary 
obligation. See, e.g., In re Caremark International Inc. Derivative 
Litigation, 698 A.2d 959 (Ct. Chanc. Del. 1996).
---------------------------------------------------------------------------

A. Benefits of a Compliance Program

    The OIG believes an effective compliance program provides a 
mechanism that brings the public and private sectors together to reach 
mutual goals of reducing fraud and abuse, improving operational 
quality, improving the quality of health care services and reducing the 
cost of health care. Attaining these goals provides positive results to 
the DMEPOS supplier, the Government and individual citizens alike. In 
addition to fulfilling its legal duty to ensure that it is not 
submitting false or inaccurate claims to Government and private payors, 
a DMEPOS supplier may gain numerous additional benefits by voluntarily 
implementing an effective compliance program. These benefits may 
include:
     The formulation of effective internal controls to assure 
compliance

[[Page 36370]]

with Federal and State statutes, rules, and regulations, and Federal, 
State and private payor health care program requirements, and internal 
guidelines;
     A concrete demonstration to employees and the community at 
large of the DMEPOS supplier's strong commitment to honest and 
responsible corporate conduct;
     The ability to obtain an accurate assessment of employee 
and contractor behavior relating to fraud and abuse;
     An increased likelihood of identification and prevention 
of criminal and unethical conduct;
     The ability to more quickly and accurately react to 
employees' operational compliance concerns and the capability to 
effectively target resources to address those concerns;
     Improvement of the quality, efficiency, and consistency of 
providing services;
     Increased efficiency on the part of employees;
     A centralized source for distributing information on 
health care statutes, regulations, policies, and other program 
directives regarding fraud and abuse and related issues;
     Improved internal communication;
     A methodology that encourages employees to report 
potential problems;
     Procedures that allow the prompt, thorough investigation 
of alleged misconduct by corporate officers, managers, sales 
representatives, employees, independent contractors, consultants, 
clinicians and other health care professionals;
     Initiation of immediate, appropriate, and decisive 
corrective action;
     Early detection and reporting, minimizing the loss to the 
Government from false claims, and thereby reducing the DMEPOS 
supplier's exposure to civil damages and penalties, criminal sanctions, 
and administrative remedies, such as program exclusion; \8\ and
---------------------------------------------------------------------------

    \8\ The OIG, for example, will consider the existence of an 
effective compliance program that pre-dated any governmental 
investigation when addressing the appropriateness of administrative 
sanctions. However, the burden is on the DMEPOS supplier to 
demonstrate the operational effectiveness of a compliance program. 
Further, the False Claims Act, 31 U.S.C. 3729-3733, provides that a 
person who has violated the Act, but who voluntarily discloses the 
violation to the Government within 30 days of detection, in certain 
circumstances will be subject to not less than double, as opposed to 
treble, damages. See 31 U.S.C. 3729(a). Thus, the ability to react 
quickly when violations of the law are discovered may materially 
help reduce a DMEPOS supplier's liability.
---------------------------------------------------------------------------

     Enhancement of the structure of the DMEPOS supplier's 
operations and the consistency between: any related entities of the 
DMEPOS supplier; different departments within the DMEPOS supplier; the 
DMEPOS supplier's different locations; and the DMEPOS supplier's 
separate business units (e.g., franchises, subsidiaries).
    Overall, the OIG believes that an effective compliance program is a 
sound investment on the part of a DMEPOS supplier.
    The OIG recognizes that the implementation of a compliance program 
may not entirely eliminate fraud, abuse, and waste from the DMEPOS 
supplier's system. However, a sincere effort by the DMEPOS supplier to 
comply with applicable Federal and State statutes, rules, and 
regulations and Federal, State and private payor health care program 
requirements, through the establishment of an effective compliance 
program, significantly reduces the risk of unlawful or improper 
conduct.

B. Application of Compliance Program Guidance

    Given the diversity within the industry, there is no single 
``best'' DMEPOS supplier compliance program.9 The OIG 
understands the variances and complexities within the DMEPOS supplier 
industry and is sensitive to the differences among large national and 
regional DMEPOS supplier organizations, and small independent DMEPOS 
suppliers. However, elements of this guidance can be used by all DMEPOS 
suppliers, regardless of size (in terms of employees and gross 
revenue); number of locations; type of equipment provided; or corporate 
structure, to establish an effective compliance program. Similarly, a 
DMEPOS supplier or corporation that owns a DMEPOS supplier or provides 
DMEPOS supplies may incorporate these elements into its system-wide 
compliance or managerial structure. We recognize that some DMEPOS 
suppliers may not be able to adopt certain elements to the same 
comprehensive degree that others with more extensive resources may 
achieve. This guidance represents the OIG's suggestions on how a DMEPOS 
supplier, regardless of size, can best establish internal controls and 
monitor its conduct to correct and prevent fraudulent activities. By no 
means should the contents of this guidance be viewed as an exclusive 
discussion of the advisable elements of a compliance program. On the 
contrary, the OIG strongly encourages DMEPOS suppliers to develop and 
implement compliance elements that uniquely address the individual 
DMEPOS supplier's risk areas.
---------------------------------------------------------------------------

    \9\ This is particularly true in the context of DMEPOS 
suppliers, which include many small independent DMEPOS suppliers 
with limited financial resources, staff, and product lines as well 
as large DMEPOS supplier chains with extensive financial resources, 
staff, and product lines.
---------------------------------------------------------------------------

    The OIG believes that input and support by individuals and 
organizations that will utilize the tools set forth in this document is 
critical to the development and success of this compliance program 
guidance. In a continuing effort to collaborate closely with the 
private sector, the OIG placed a notice in the Federal Register 
soliciting recommendations and suggestions on what should be included 
in this Compliance Program Guidance.10 Further, the OIG 
published the draft Compliance Program Guidance for the DME, 
Prosthetics, Orthotics, and Supply Industry in the Federal Register for 
public comment.11 In addition, we considered previous OIG 
publications, such as Special Fraud Alerts, Advisory 
Opinions,12 the findings and recommendations in reports 
issued by OIG's Office of Audit Services and Office of Evaluation and 
Inspections, as well as the experience of past and recent fraud 
investigations related to DMEPOS suppliers conducted by OIG's Office of 
Investigations and the Department of Justice.
---------------------------------------------------------------------------

    \10\ See 63 FR 42409 (August 7, 1998), Notice for Solicitation 
of Information and Recommendations for Developing OIG Compliance 
Program Guidance for the Durable Medical Equipment Industry.
    \11\ See 64 FR 4435 (January 28, 1999): Draft Compliance Program 
Guidance for the DME, Prosthetics, Orthotics, and Supply Industry.
    \12\ The OIG periodically issues Advisory Opinions responding to 
specific inquiries from members of the public and Special Fraud 
Alerts setting forth activities that raise legal and enforcement 
issues. Special Fraud Alerts and Advisory Opinions, as well as the 
regulations governing the issuance of Advisory Opinions, can be 
obtained on the Internet at http://www.dhhs.gov/progorg/oig, in the 
Federal Register, or by contacting the OIG's Public Information Desk 
at 202-619-1142.
---------------------------------------------------------------------------

    As appropriate, this guidance may be modified and expanded as more 
information and knowledge is obtained by the OIG, and as changes in the 
statutes, rules, regulations, policies, and procedures of Federal, 
State, and private health plans occur. The OIG understands DMEPOS 
suppliers will need adequate time to react to these modifications and 
expansions and to make any necessary changes to their voluntary 
compliance programs. New compliance practices may eventually be 
incorporated into this guidance if the OIG discovers significant 
enhancements to better ensure an effective compliance program.
    The OIG recognizes that the development and implementation of 
compliance programs in DMEPOS suppliers often raise sensitive and

[[Page 36371]]

complex legal and managerial issues.13 However, the OIG 
wishes to offer what it believes is critical guidance for providers who 
are sincerely attempting to comply with the relevant health care 
statutes and regulations.
---------------------------------------------------------------------------

    \13\ Nothing stated within this document should be substituted 
for, or used in lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------

    At the end of each section, where applicable, the OIG has included 
ideas to help aid the small DMEPOS supplier in implementing the 
principles espoused in this guidance. There is no all inclusive 
definition of a small DMEPOS supplier. However, as previously 
mentioned, each DMEPOS supplier should tailor its compliance program 
according to its resources.

II. Compliance Program Elements

    The elements proposed by these guidelines are similar to those of 
the other OIG Compliance Program Guidances 14 and the OIG's 
corporate integrity agreements.15 The OIG believes that 
every DMEPOS supplier can benefit from the principles espoused in this 
guidance, which can be tailored to fit the needs and financial 
realities of a particular DMEPOS supplier.
---------------------------------------------------------------------------

    \14\ See 63 FR 70138 (December 18, 1998) for the Compliance 
Program Guidance for Third Party Medical Billing Companies; 63 FR 
42410 (August 7, 1998) for the Compliance Program Guidance for Home 
Health Agencies; 63 FR 45076 (August 24, 1998) for the Compliance 
Program Guidance for Clinical Laboratories, as revised; 63 FR 8987 
(February 23, 1998) for the Compliance Program Guidance for 
Hospitals. These documents are also located on the Internet at 
http://www.dhhs.gov/progorg/oig.
    \15\ Corporate integrity agreements are executed as part of a 
civil settlement between a health care provider and the Government 
to resolve a case based on allegations of health care fraud or 
abuse. These OIG-imposed programs are in effect for a period of 
three to five years and require many of the elements included in 
this compliance program guidance.
---------------------------------------------------------------------------

    The OIG believes that every effective compliance program must begin 
with a formal commitment 16 by the DMEPOS supplier's 
governing body to include all of the applicable elements listed below, 
which are based on the seven steps of the Federal Sentencing 
Guidelines.17 The OIG recognizes full implementation of all 
elements may not be immediately feasible for all DMEPOS suppliers. 
However, as a first step, a good faith and meaningful commitment on the 
part of the DMEPOS supplier, especially the owner(s), governing body, 
president, vice president(s), CEO, and managing employees, will 
substantially contribute to the program's successful implementation. As 
the compliance program is implemented, that commitment should cascade 
down through the management to every employee of the DMEPOS supplier.
---------------------------------------------------------------------------

    \16\ A formal commitment may include a resolution by the board 
of directors, owner(s) or president, where applicable. A formal 
commitment should include the allocation of adequate resources to 
ensure that each of the elements is addressed.
    \17\ See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(k). The Federal 
Sentencing Guidelines are detailed policies and practices for the 
Federal criminal justice system that prescribe the appropriate 
sanctions for offenders convicted of Federal crimes.
---------------------------------------------------------------------------

    At a minimum, comprehensive compliance programs should include the 
following seven elements:
    (1) The development and distribution of written standards of 
conduct, as well as written policies and procedures that promote the 
DMEPOS supplier's commitment to compliance (e.g., by including 
adherence to the compliance program as an element in evaluating 
managers and employees) and address specific areas of potential fraud, 
such as the claims development and submission process, completing 
certificates of medical necessity (CMNs), and financial relationships 
with physicians and/or other persons authorized 18 to order 
DMEPOS;
---------------------------------------------------------------------------

    \18\ In some instances, persons other than the treating 
physician (e.g., nurse practitioner, physician assistant, clinical 
nurse specialist) may be authorized to order DMEPOS for Medicare 
beneficiaries if permitted under State law and in accordance with 
HCFA policies. A DMEPOS supplier should be aware of any persons, 
other than the treating physician, who are authorized to order 
DMEPOS.
---------------------------------------------------------------------------

    (2) The designation of a compliance officer and other appropriate 
bodies, (e.g., a corporate compliance committee), charged with the 
responsibility for operating and monitoring the compliance program, and 
who report directly to the CEO and the governing body; 19
---------------------------------------------------------------------------

    \19\ The integral functions of the compliance officer and the 
corporate compliance committee in implementing an effective 
compliance program are discussed throughout this compliance program 
guidance. However, the OIG recognizes that the differences in the 
sizes and structures of DMEPOS suppliers will result in differences 
in the ways in which compliance programs are set up. It is important 
that a DMEPOS supplier structures its compliance program in such a 
way that the program facilitates implementation of the key functions 
of the corporate compliance officer and the corporate compliance 
committee discussed within this document. See section II.B and 
accompanying notes.
---------------------------------------------------------------------------

    (3) The development and implementation of regular, effective 
education and training for all affected employees; 20
---------------------------------------------------------------------------

    \20\ Education and training programs for DMEPOS suppliers should 
be detailed and comprehensive. They should cover specific billing 
procedures, sales and marketing practices, as well as the general 
areas of compliance. See section II.C and accompanying notes.
---------------------------------------------------------------------------

    (4) The development of effective lines of communication between the 
compliance officer and all employees, including a process, such as a 
hotline or other reporting system, to receive complaints, and the 
adoption of procedures to protect the anonymity of complainants and to 
protect callers from retaliation;
    (5) The use of audits and/or other risk evaluation techniques to 
monitor compliance, identify problem areas, and assist in the reduction 
of identified problem areas; 21
---------------------------------------------------------------------------

    \21\ For example, spot-checking the work of coding and billing 
personnel periodically and conducting periodic post-payment claim 
review should be elements of an effective compliance program. See 
section II.E and accompanying notes.
---------------------------------------------------------------------------

    (6) The development of appropriate disciplinary mechanisms to 
enforce standards and the development of policies addressing (i) 
employees who have violated internal compliance policies, applicable 
statutes, regulations, or Federal, State or private payor health care 
program requirements and (ii) the employment of sanctioned and other 
specified individuals; 22 and
---------------------------------------------------------------------------

    \22\ The term ``Federal health care program'' is applied in this 
document as defined in 42 U.S.C. 1320a-7b(f), and includes any plan 
or program that provides health benefits, whether directly, through 
insurance, or otherwise, which is funded directly in whole or in 
part, by the United States Government (i.e., via programs such as 
Medicare, Federal Employees' Compensation Act, Black Lung, or the 
Longshore and Harbor Worker's Compensation Act) or any State health 
plan (e.g., Medicaid, or a program receiving funds from block grants 
for social services or child health services). Also, for the purpose 
of this document, the term ``Federal health care program 
requirements'' refers to the statutes, regulations, rules 
requirements, directives, and instructions governing Medicare, 
Medicare, Medicaid, and all other Federal health care programs.
---------------------------------------------------------------------------

    (7) The development of policies to respond to detected offenses and 
to initiate corrective action to prevent similar offenses.

A. Written Policies and Procedures

    Every compliance program should require the development and 
distribution of written compliance policies, standards, and practices 
that identify specific areas of risk and vulnerability to the 
individual DMEPOS supplier. These policies, standards, and practices 
should be developed under the direction and supervision of the 
compliance officer and the compliance committee (if such a committee is 
practicable for the DMEPOS supplier) and, at a minimum, should be 
provided to all individuals who are affected by the particular policy 
at issue, including the DMEPOS supplier's agents and independent 
contractors who may affect billing decisions.23
---------------------------------------------------------------------------

    \23\ According to the Federal Sentencing Guidelines, an 
organization must have established compliance standards and 
procedures to be followed by its employees and other agents in order 
to receive sentencing credit for an ``effective'' compliance 
program. The Federal Sentencing Guidelines define ``agent'' as ``any 
individual, including a director, an officer, an employee, or an 
independent contractor, authorized to act on behalf of the 
organization.'' See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(d).

---------------------------------------------------------------------------

[[Page 36372]]

    In addition to these general policies, it may be necessary to 
implement individual policies for the different components of the 
DMEPOS supplier.
1. Standards of Conduct
    The OIG recommends that the DMEPOS supplier develop standards of 
conduct for all affected employees that include a clearly delineated 
commitment to compliance by the DMEPOS supplier's senior management, 
24 including any related entities or affiliated providers 
operating under the DMEPOS supplier's control, 25 and other 
health care professionals (e.g., nurses, licensed pharmacists, 
physicians, and respiratory therapists). The standards of conduct 
should function in the same fashion as a constitution, i.e., as a 
foundational document that details the fundamental principles, values, 
and framework for action within the DMEPOS supplier. The standards 
should articulate the DMEPOS supplier's commitment to comply with all 
Federal and State statutes, rules, regulations and Federal, State and 
private payor health care program requirements, with an emphasis on 
preventing fraud and abuse. They should explicitly state the 
organization's mission, goals, and ethical principles relative to 
compliance and clearly define the DMEPOS supplier's commitment to 
compliance and its expectations for all DMEPOS supplier owners, 
governing body members, presidents, vice presidents, corporate 
officers, managers, sales representatives, employees, and, where 
appropriate, independent contractors and other agents. These standards 
should promote integrity, support objectivity, and foster trust. 
Standards should not only address compliance with statutes and 
regulations, but should also set forth broad principles that guide 
employees in conducting business professionally and properly.
---------------------------------------------------------------------------

    \24\ The OIG strongly encourages high-level involvement by a 
DMEPOS supplier's owner(s), governing body, CEO, president, vice 
president(s), as well as other personnel, as appropriate, in the 
development of the standards of conduct. Such involvement should 
help communicate a strong and explicit organizational commitment to 
compliance goals and standards.
    \25\ E.g., pharmacies, billing services, and manufacturers.
---------------------------------------------------------------------------

    The standards should be distributed to, and comprehensible by, all 
affected employees (e.g., translated into other languages when 
necessary and written at appropriate reading levels). Further, to 
assist in ensuring that employees continuously meet the expected high 
standards set forth in the standards of conduct, any employee handbook 
delineating or expanding upon these standards should be regularly 
updated as applicable statutes, regulations, and Federal, State, and 
private payor health care program requirements are modified and/or 
clarified.26
---------------------------------------------------------------------------

    \26\ The OIG recognizes that not all statutes, rules, 
regulations, standards, policies, and procedures need to be 
communicated to all employees. However, the OIG believes that the 
bulk of the standards that relate to complying with fraud and abuse 
laws and other ethical areas should be addressed and made part of 
all affected employees' training. A DMEPOS supplier must decide 
whether additional educational programs should be targeted to 
specific categories of employees based on job functions and areas of 
responsibility.
---------------------------------------------------------------------------

    When employees first begin working for the DMEPOS supplier, and 
each time new standards of conduct are issued, the OIG suggests 
employees be asked to sign a statement certifying that they have 
received, read, understood, and will abide by the standards of conduct. 
The employee's certification should be retained by the DMEPOS supplier 
in the employee's personnel file, and available for review by the 
compliance officer.
    The OIG believes all DMEPOS suppliers, regardless of size, should 
operate professionally and ethically. The OIG recognizes that small 
DMEPOS suppliers may not have formal written standards of conduct. 
However, such unwritten standards of conduct (e.g., the manner in which 
the DMEPOS supplier conducts its business) should be relayed to each 
employee. Employees should attest, in writing, that they understand and 
will abide by these standards.
2. Written Policies for Risk Areas
    As part of its commitment to compliance, the DMEPOS supplier should 
establish a comprehensive set of written policies and procedures that 
take into consideration the particular statutes, rules, regulations, 
and program instructions applicable to each function of the DMEPOS 
supplier.27 In contrast to the standards of conduct, which 
are designed to be a clear and concise collection of fundamental 
standards, the written policies should articulate specific procedures 
personnel should follow.
---------------------------------------------------------------------------

    \27\ A DMEPOS supplier can conduct focus groups, composed of 
managers from various departments, to solicit their concerns and 
ideas about compliance risks that may be incorporated into the 
DMEPOS supplier's policies and procedures. Such employee 
participation in the development of the DMEPOS supplier's compliance 
program can enhance its credibility and foster employee acceptance 
of the program.
---------------------------------------------------------------------------

    Consequently, we recommend that the individual policies and 
procedures be coordinated with the appropriate training and educational 
programs with an emphasis on areas of special concern that have been 
identified by the OIG.28 Some of the special areas of OIG 
concern include: 29
---------------------------------------------------------------------------

    \28\ A DMEPOS supplier's compliance program should require that 
the legal staff, compliance officer, or other appropriate personnel 
carefully consider any and all Special Fraud Alerts and Advisory 
Opinions issued by the OIG that relate to DMEPOS suppliers. See note 
12. Moreover, the compliance program should address the 
ramifications of failing to cease and correct any conduct criticized 
in such a Special Fraud Alert or Advisory Opinion, if applicable to 
the DMEPOS supplier, or to take reasonable action to prevent such 
conduct from reoccurring in the future. If appropriate, a DMEPOS 
supplier should take the steps described in section II.G regarding 
investigations, reporting, and correction of identified problems.
    \29\ The OIG Work Plan details the various projects the OIG 
currently intends to address in the fiscal year. It should be noted 
that the priorities in the Work Plan are subject to modification and 
revision as the year progresses and does not represent a complete or 
final list of areas of concern to the OIG. The Work Plan is 
currently available on the Internet at http://www.dhhs.gov/progorg/
oig.
---------------------------------------------------------------------------

     Billing for items or services not provided; 30
---------------------------------------------------------------------------

    \30\ Billing for items or services not provided involves 
submitting a claim representing that the DMEPOS supplier provided an 
item or service or part of an item or service that the patient did 
not receive. It may also include not fulfilling a contractual 
agreement, for example, when the DMEPOS supplier has agreed to 
service the rental equipment and does not fulfill this obligation.
---------------------------------------------------------------------------

     Billing for services that the DMEPOS supplier believes may 
be denied; 31
---------------------------------------------------------------------------

    \31\ Billing for services that may be denied involves seeking 
reimbursement for a service that is not covered by Medicare or does 
not meet the Medicare coverage criteria as documented by the 
patient's current medical condition. See 42 U.S.C. 1395y(a)(1)(A). 
The OIG recognizes that DMEPOS suppliers cannot make medical 
necessity determinations and may not be aware if an item or service 
will be denied in every instance. However, civil money penalties 
(CMPs) and administrative sanctions may be imposed against any 
person who submits a claim for services ``that [the] person knows or 
should know are not medically necessary.'' See 42 U.S.C. 1320a-
7a(a). Such conduct may also result in liability under civil and 
criminal laws. HCFA does allow DMEPOS suppliers to submit claims 
when the DMEPOS supplier believes the item or service may not be 
covered, provided, however, that the supplier ``note[s] on the claim 
[its] belief that the service is noncovered and that it is being 
submitted at the beneficiary's insistence.'' See Medicare Carriers 
Manual, section 3043. If the DMEPOS supplier believes the item or 
service may be denied for any reason (e.g., not covered, not 
medically necessary), the DMEPOS supplier may have the beneficiary 
sign a written notice accepting financial responsibility if the item 
or service is denied (see Medicare Carriers Manual, section 7300.5). 
The DMEPOS supplier should include modifier ``GA'' on the claim for 
such item or service. This modifier indicates the beneficiary has 
signed a written notice. If the beneficiary signed an advance 
written notice, the DMEPOS supplier may directly bill the 
beneficiary for the denied item or service. (See section II.A.3.i 
for further discussion on written notices). See also discussion in 
section II.A.3.a and accompanying notes.

---------------------------------------------------------------------------

[[Page 36373]]

     Billing patients for denied chargs without a signed 
written notice; \32\
---------------------------------------------------------------------------

    \32\ This includes, but is not limited to, billing the patient 
for items or services denied as not medically necessary by the 
payor, where there has been no written notice signed by the patient, 
the written notice has been inappropriately obtained or the written 
notice was drafted inappropriately. See Medicare Carrier Manual, 
section 7300.5A, regarding the requirements for written notice.
---------------------------------------------------------------------------

     Duplicate billing; 33
---------------------------------------------------------------------------

    \33\ Duplicate billing occurs when more than one claim for 
payment is submitted for the same patient, for the same service, for 
the same date of service (by the same or different DMEPOS supplier), 
or the same claim is submitted to more than one payor as primary 
Although duplicate billing can occur due to simple error (which does 
not create civil or criminal liability), fraudulent duplicate 
billing is often evidenced by systematic or repeated double billing, 
and creates liability under criminal, civil, and administrative law, 
particularly if any overpayment is not promptly refunded. See note 
72.
---------------------------------------------------------------------------

     Billing for items or services not ordered; 34
---------------------------------------------------------------------------

    \34\ Billing for items or services not ordered involves seeking 
reimbursement for items or services provided, but not ordered by the 
treating physician or other authorized person.
---------------------------------------------------------------------------

     Using a billing agent whose compensation arrangement 
violates the reassignment rule; 35
---------------------------------------------------------------------------

    \35\ If a billing agent receives payment on behalf of a DMEPOS 
supplier, the billing agent's compensation may not be related in any 
way to the dollar amounts billed or collected. See 42 U.S.C. 
1395u(b)(6); 42 CFR 424.73; Medicare Carriers Manual, section 3060.
---------------------------------------------------------------------------

     Upcoding; 36
---------------------------------------------------------------------------

    \36\ Upcoding involves selecting a code to maximize 
reimbursement when such code is not the most appropriate descriptor 
of the service (e.g., billing for a more expensive piece of 
equipment when a less expensive piece of equipment is provided).
---------------------------------------------------------------------------

     Unbundling items or supplies; 37
---------------------------------------------------------------------------

    \37\ Unbundling items or supplies involves billing for 
individual components when a specific HCFA Common Procedure Coding 
System (HCPCS) code provides for the components to be billed as a 
unit (e.g., providing a wheelchair and billing the individual parts 
of the wheelchair, rather than the wheeelchair as a whole).
---------------------------------------------------------------------------

     Billing for new equipment and providing used equipment; 
38
---------------------------------------------------------------------------

    \38\ The DMEPOS supplier must indicate on the Medicare claim 
form, through the use of modifiers, whether the item provided is new 
or used. The modifier for providing new equipment is ``NU.'' The 
modifies for providing used equipment is ``UE.'' A knowing failure 
to correctly document the item provided would constitute falsifying 
information on the claim form and many constitute a violation of the 
False Claims Act. See 31 U.S.C. 3729.
---------------------------------------------------------------------------

     Continuing to bill for rental items after they are no 
longer medically necessary; 39
---------------------------------------------------------------------------

    \39\ Once a rental item is no longer medically necessary, the 
DMEPOS supplier required to discontinue billing the payor for it. 
The OIG recognizes that DMEPOS suppliers cannot make medical 
necessity determinations and may not be aware that a rental item is 
no longer medically necessary for a particular patient. As a result, 
the OIG recommends that the DMEPOS supplier periodically contact the 
treating physician or other authorized person to ensure the rental 
item continues to be medically necessary. In addition, the OIG 
recommends that the DMEPOS supplier pick up such equipment from the 
patient in a timely manner. If the DMEPOS supplier bills for a 
rental item after it is no longer medically necessary, the DMEPOS 
supplier is financially responsible for that item and must remit any 
overpayments for that item. See 42 U.S.C. 1320a-7b(a)(3), which 
provides criminal penalties for failure to disclose an overpayment.
---------------------------------------------------------------------------

     Resubmission of denied claims with different information 
in an attempt to be improperly reimbursed; 40
---------------------------------------------------------------------------

    \40\ This practice involves the DMEPOS supplier improperly 
changing information on a previously denied claim and continuing to 
resubmit the claim in an attempt to receive payment. For example, a 
DMEPOS supplier may submit a claim using the accurate HCPCS code for 
the item or service provided and the claim is subsequently denied. 
It is improper to change the HCPCS code to HCPCS code that the 
DMEPOS supplier believes is reimbursable, when such item or service 
was not provided.
---------------------------------------------------------------------------

     Refusing to submit a claim to Medicare for which payment 
is made on a reasonable charge or fee schedule basis; 41
---------------------------------------------------------------------------

    \41\ This practice involves a DMEPOS supplier not submitting a 
claim on behalf of the beneficiary for items or services that are 
Medicare benefits and are reimbursable under the Medicare program. 
See 42 U.S.C 1395w-4(g)(4).
---------------------------------------------------------------------------

     Inadequate management and oversight of contracted 
services, which results in improper billing; 42
---------------------------------------------------------------------------

    \42\ The OIG recommends that the DMEPOS supplier create internal 
mechanisms to ensure that the use of contractors does not lead to 
improper billing practices.
---------------------------------------------------------------------------

     Charge limitations; 43
---------------------------------------------------------------------------

    \43\ A DMEPOS supplier should ensure that its billing personnel 
are informed of the different payment rules of all the Federal, 
State, and private health care programs it bills. The supplier 
should be aware that billing for items or services furnished 
substantially in excess of the supplier's usual charges may result 
in exclusion and other sanctions. See 42 U.S.C. 1320a-7(b)(6)(A). 
See also OIG Ad. Op. 98-8 (1998).
---------------------------------------------------------------------------

     Providing and/or billing for substantially excessive 
amounts of DMEPOS items or supplies; 44
---------------------------------------------------------------------------

    \44\ This practice, which constitutes overulitization, involves 
providing and/or billing for substantially more items or supplies 
that are reasonable and necessary for the needs of each individual 
patient. The OIG recognizes that DMEPOS suppliers cannot make 
medical necessity determinations. The medical need for an item must 
be determined by the physician or other authorized person who is 
treating the patient. However, the DMEPOS supplier must ensure that 
the patient's condition meets coverage, payment and utilization 
criteria as established in the payor's medical policies. If the 
DMEPOS supplier is providing and/or billing for substantially 
excessive amounts of DMEPOS items or supplies, the DMEPOS supplier 
is financially responsible for remitting any overpayments relating 
to those items or supplies. The OIG recommends that if a DMEPOS 
supplier is providing and billing for a large number of items or 
supplies for the same patient, it may periodically want to contact 
the treating physician or other authorized person to confirm the 
medical necessity of the items or supplies. Such contact with the 
physician's office should be documented. The practice of billing for 
substantially excessive amounts of items or supplies may lead to 
exclusion from Federal health care programs and other sanctions. See 
42 U.S.C. 1320a-7(b)(6)(B).
---------------------------------------------------------------------------

     Providing and/or billing for an item or service that does 
not meet the quality and standard of the DMEPOS item claimed; 
45
---------------------------------------------------------------------------

    \45\ This practice involves providing and./or billing for an 
item or service that does not meet the definition and/or requirement 
of the item or service ordered by the treating physician or other 
authorized person. Generally, such items are inferior in quality, 
and therefore do not meet the definition of what was ordered and/or 
billed. Sometimes this may mean that certin equipment was never 
cleared by the Food and Drug Administration, as required by law. 
This practice may lead to billing for items that are not reasonable 
and necessary. A DMEPOS supplier should ensure that the iterm or 
services it furnishes meet professionally recognized minimum 
standards of health care.
---------------------------------------------------------------------------

     Capped rentals; 46
---------------------------------------------------------------------------

    \46\ See discussion in section II.A.3.k and accompanying notes.
---------------------------------------------------------------------------

     Failure to monitor medical necessity on an on-going basis; 
47
---------------------------------------------------------------------------

    \47\ In order for a patient to continue to receive items or 
supplies (e.g., rental equipment, supplies for an on-going 
condition) and for the DMEPOS supplier to receive Medicare 
reimbursement, the patient must meet the medical necessity criteria 
for that specific item or supply on an on-going basis. The item or 
supply furnished by the DMEPOS supplier should be replaced or 
adjusted, in a timely manner, to reflect changes in the patient's 
condition. The OIG recognizes that a DMEPOS supplier cannot make 
medical necessity determinations and may not be aware when a 
patient's condition changes. However, if a DMEPOS supplier is 
billing for items or services that are no longer medically 
necessary, the supplier is financially responsible for remitting any 
overpayments relating to those items or services. The OIG recommends 
that if a DMEPOS supplier is providing the same items or supplies to 
a patient on a regular basis, it may periodically want to contact 
the treating physician or other authorized person to confirm that 
the items or supplies continue to be medically necessary. Such 
contact with the physician's office should be documented.
---------------------------------------------------------------------------

     Delivering or billing for certain items or supplies prior 
to receiving a physician's order and/or appropriate CMN; 48
---------------------------------------------------------------------------

    \48\ This practice involves a DMEPOS supplier delivering to the 
patient, and/or billing the payor for, items or supplies that have 
not yet been ordered by the treating physician or other authorized 
person. Medicare requires written orders for certain items before 
delivery. See, e.g., 42 CFR 410.38.
---------------------------------------------------------------------------

     Falsifying information on the claim form, CMN, and/or 
accompanying documentation; 49
---------------------------------------------------------------------------

    \49\ This practice invovles supplying false information to be 
included on the claim form, the CMN, or other accompanying 
documentation. The information reported on these documents should 
accurately reflect the patient's information, including medical 
information, and the items or services ordere by the treating 
physician or other authorized person and provided by the DMEPOS 
supplier. See, e.g., 18 U.S.C. 1035, which provides criminal 
penalties for falsifying information on such documentation.

---------------------------------------------------------------------------

[[Page 36374]]

     Completing portions of CMNs reserved for completion only 
by the treating physician or other authorized person; 50
---------------------------------------------------------------------------

    \50\ This practice involves not completing the CMN in compliance 
with Medicare regulations (i.e., sections B and D should never be 
completed by the supplier). Instructions for completing the CMN can 
be found on the back of the form. See Medicare Carriers Manual, 
section 3312, which provides instructions on how to complete the CMN 
and the CMPs that may be assessed for improper completion of the 
CMN. See also 42 U.S.C. 1395m(j)(2); section II.A.3.c and 
accompanying notes for further discussion on CMNs. Such conduct may 
also result in liability under civil and criminal laws.
---------------------------------------------------------------------------

     Altering medical records; 51
---------------------------------------------------------------------------

    \51\ This practice involves falsifying information on a 
patient's medical records to justify reimbursement for an item or 
service.
---------------------------------------------------------------------------

     Manipulating the patient's diagnosis in an attempt to 
receive improper payment; 52
---------------------------------------------------------------------------

    \52\ This practice involves altering the treating physician's or 
other authorized person's diagnosis in an attempt to receive 
reimbursement for a particular item or service. A DMEPOS supplier 
should not claim the patient has a particular medical condition in 
order to qualify for an item for which the patient would not 
otherwise qualify.
---------------------------------------------------------------------------

     Failing to maintain medical necessity documentation; 
53
---------------------------------------------------------------------------

    \53\ This practice involves failing to ensure that the medical 
necessity documentation requirements for the item or service billed 
are properly met (e.g., failing to maintain the physician orders or 
CMNs or failing to ensure that CMNs contain adequate and correct 
information). See Medicare Carriers Manual, section 4105.2 for 
evidence of medical necessity. See also sections II.A.3.b and 
II.A.3.c regarding physician orders and CMNs, respectively.
---------------------------------------------------------------------------

     Inappropriate use of place of service codes; 54
---------------------------------------------------------------------------

    \54\ This practice involves indicating on the claim form that 
the place of service is a location other than where the service was 
provided. For example, the patient resides in a skilled nursing 
facility (SNF) and a DMEPOS supplier submits a claim with the place 
of service as the patient's home. Provided that the DMEPOS items or 
services are ordered, provided, reasonable and necessary given the 
clinical condition of the patient, the items or services may be 
covered if the beneficiary resides at home. However, such items may 
not be covered if the beneficiary resides in a SNF. See Medicare 
Carriers Manual, section 2100.3 for the definition of a 
beneficiary's home.
---------------------------------------------------------------------------

     Cover letters that encourage physicians to order medically 
unnecessary items or services; 55
---------------------------------------------------------------------------

    \55\ See discussion in section II.A.3.m.
---------------------------------------------------------------------------

     Improper use of the ZX modifier; 56
---------------------------------------------------------------------------

    \56\ This practice involves the improper use of the ZX modifier, 
relating to maintaining medical necessity documentation. See 
discussion in section II.A.3.l.
---------------------------------------------------------------------------

     Routine waiver of deductibles and coinsurance; 
57
---------------------------------------------------------------------------

    \57\ Throughout this document, the term ``deductibles and 
coinsurance'' refers to Medicare as well as to any other health 
insurance program requiring deductibles and coinsurance. See 
discussion in section II.A.3.j and accompanying notes.
---------------------------------------------------------------------------

     Providing incentives to actual or potential referral 
sources (e.g., physicians, hospitals, patients, skilled nursing 
facilities, home health agencies or others) that may violate the anti-
kickback statute or other similar Federal or State statute or 
regulation; 58
---------------------------------------------------------------------------

    \58\ Examples of arrangements that may run afoul of the anti-
kickback statute include practices in which a DMEPOS supplier pays a 
fee to a physician for each CMN the physician signs, provides free 
gifts to physicians for signing CMNs, provides inducements to 
beneficiaries, and/or provides items or services for free or below 
fair market value to providers or beneficiaries of Federal health 
care programs. See 42 U.S.C. 1320a-7a(a)(5); 42 U.S.C. 1320a-7b(b); 
60 FR 40847 (August 10, 1995). See also discussion in section II.A.4 
and accompanying notes.
---------------------------------------------------------------------------

     Compensation programs that offer incentives for items or 
services ordered and revenue generated; 59
---------------------------------------------------------------------------

    \59\ Compensation programs that offer incentives for items or 
services ordered or the revenue they generate may lead to the 
ordering of medically unnecessary items or supplies and/or the 
``dumping'' of such items or supplies in a facility or in a 
beneficiary's home (e.g., mail order supply companies that continue 
to send the patient supplies when the supplies are no longer 
medically necessary).
---------------------------------------------------------------------------

     Joint ventures between parties, one of whom can refer 
Medicare or Medicaid business to the other; 60
---------------------------------------------------------------------------

    \60\ Equally troubling to the OIG is the proliferation of 
business arrangements that may violate the anti-kickback statute or 
other similar Federal and State statute or regulation. Such 
arrangements are generally established between those in a position 
to refer business, such as physicians, and those providing items or 
services, such as DMEPOS suppliers, for which a Federal health care 
program pays. Sometimes established as ``joint ventures,'' these 
arrangements may take a variety of forms. The OIG currently has a 
number of investigations and audits underway that focus on such 
areas of concern. The OIG has also issued a Special Fraud Alert on 
Joint Venture Arrangements. This Special Fraud Alert can be found at 
59 FR 65372 (December 19, 1994) or on the Internet at http://
www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

     Billing for items or services furnished pursuant to a 
prohibited referral under the Stark physician self-referral law; 
61
---------------------------------------------------------------------------

    \61\ Under the Stark physician self-referral law, if a physician 
(or an immediate family member of such physician) has a prohibited 
financial relationship with a DMEPOS supplier, the physician may not 
make a referral to the DMEPOS supplier and the DMEPOS supplier may 
not bill for furnishing DMEPOS items or supplies for which payment 
may be made under the Federal health care programs. See 42 U.S.C. 
1395nn.
---------------------------------------------------------------------------

     Improper telemarketing practices; 62
---------------------------------------------------------------------------

    \62\ See 42 U.S.C. 1395m(a)(17) or Pub.L. 103-432, section 
132(a) for the prohibition on telemarketing. See also discussion in 
section II.A.5 and accompanying notes.
---------------------------------------------------------------------------

     Improper patient solicitation activities and high-pressure 
marketing of noncovered or unnecessary services; 63
---------------------------------------------------------------------------

    \63\ The DMEPOS supplier should not utilize prohibited or 
inappropriate conduct to carry out its initiatives and activities 
designed to maximize business growth and patient retention. Many 
cases against DMEPOS suppliers have involved the DMEPOS supplier 
giving the beneficiary free gifts such as angora underwear, 
microwaves and air conditioners in exchange for providing and 
billing for unnecessary items. Any marketing information offered by 
the DMEPOS supplier should be clear, correct, non-deceptive, and 
fully informative. See discussion in section II.A.5 and accompanying 
notes.
---------------------------------------------------------------------------

     Co-location of DMEPOS items and supplies with the referral 
source; 64
---------------------------------------------------------------------------

    \64\ In this situation, a physician allows a DMEPOS supplier to 
stock inventory (the storage space may or may not be rented by the 
DMEPOS supplier) in a physician's office. When such items and 
supplies are dispensed to the patient, Medicare is then billed. 
Although such arrangements are not prohibited per se, the OIG 
believes that such arrangements may potentially raise anti-kickback 
and self-referral issues, particularly when the DMEPOS supplier pays 
the physician an amount above fair market value to rent the space.
---------------------------------------------------------------------------

     Non-compliance with the Federal, State and private payor 
supplier standards; 65
---------------------------------------------------------------------------

    \65\ A DMEPOS supplier should have appropriate personnel 
acknowledge they have reviewed and will abide by the Medicare 
supplier standards. In addition, a DMEPOS supplier should ensure it 
is meeting individual State and private payor supplier standards. 
See 42 CFR 424.57 for the Medicare supplier standards.
---------------------------------------------------------------------------

     Providing false information on the Medicare DMEPOS 
supplier enrollment form; 66
---------------------------------------------------------------------------

    \66\ Criminal penalties may be imposed against an individual who 
knowingly and willfully makes or causes to be made any false 
statements or representations of a material fact in any application 
for any benefit or payment under a Federal health care program. See 
42 U.S.C. 1320a-7b(a)(1). See also 31 U.S.C. 3729(a) (``any person 
who * * * knowingly makes, uses, or causes to be made or used, a 
false record or statement to get a false or fraudulent claim paid or 
approved by the Government * * * is liable to the United States 
Government for a civil penalty of not less than $5,000 and not more 
than $10,000, plus 3 times the amount of damages which the 
Government sustains because of the act of that person * * *'')
---------------------------------------------------------------------------

     Not notifying the National Supplier Clearinghouse in a 
timely manner of changes to the information previously provided on the 
DMEPOS supplier enrollment form; 67
---------------------------------------------------------------------------

    \67\ By signing the DMEPOS supplier enrollment application, a 
DMEPOS supplier certifies it will notify the Medicare contractor of 
any changes in its enrollment information within 30 days of the 
effective date of the change.
---------------------------------------------------------------------------

     Misrepresenting a person's status as an agent or 
representative of Medicare; 68
---------------------------------------------------------------------------

    \68\ It is unlawful for a DMEPOS supplier to represent itself as 
a Medicare representative. See 42 U.S.C. 1320b-10.
---------------------------------------------------------------------------

     Knowing misuse of a supplier number, which results in 
improper billing; 69
---------------------------------------------------------------------------

    \69\ This practice may involve, but is not limited to, using 
another DMEPOS supplier's billing number.
---------------------------------------------------------------------------

     Failing to meet individual payor requirements; 
70
---------------------------------------------------------------------------

    \70\ A DMEPOS supplier should be aware of the requirements of 
any payor they bill, especially in those situations where there is a 
primary and secondary payor.

---------------------------------------------------------------------------

[[Page 36375]]

     Performing tests on a beneficiary to establish medical 
necessity; 71
---------------------------------------------------------------------------

    \71\ E.g., Medicare does not permit DMEPOS suppliers to perform 
oxygen tests (e.g., oximetry tests and arterial blood gas tests) to 
qualify patients for oxygen and oxygen supplies. See Medicare 
Coverage Issues Manual, section 60-4. See also discussion in section 
II.A.3.o.
---------------------------------------------------------------------------

     Failing to refund overpayments to a health care program; 
72
---------------------------------------------------------------------------

    \72\ An overpayment is the amount of money received in excess of 
the amount due and payable under a health care program. Examples of 
overpayments include, but are not limited to, instances where a 
DMEPOS supplier is: (i) paid twice for the same service, for the 
same beneficiary; or (ii) paid for services that were provided but 
not ordered by the treating physician or other authorized person. 
The OIG strongly recommends that the DMEPOS supplier institute 
procedures to detect overpayments and to promptly remit such 
overpayments to the affected payor. See 42 U.S.C. 1320a-7b(a)(3). 
See also 18 U.S.C. 669 and 31 U.S.C. 3729(a)(7).
---------------------------------------------------------------------------

     Failing to refund overpayments to patients; 73
---------------------------------------------------------------------------

    \73\ If a patient is also due money when a DMEPOS supplier 
identifies an overpayment to a health care program, the DMEPOS 
supplier should make a prompt refund to the patient. See 42 U.S.C. 
1395m(j)(4) on limitation of patient liability for non-assigned 
claims that are denied due to medical necessity. See also 42 U.S.C. 
1395pp(h) on limitation of patient liability for assigned claims 
that are denied due to medical necessity.
---------------------------------------------------------------------------

     Improper billing resulting from a lack of communication 
between the DMEPOS supplier, the physician, and the patient; 
74
---------------------------------------------------------------------------

    \74\ A lack of communication between the DMEPOS supplier, 
physician, and patient may result in the DMEPOS supplier 
inappropriately billing for items or supplies (e.g., supplies for an 
on-going condition or rental equipment that are no longer medically 
necessary). See discussion in section II.A.3.n.
---------------------------------------------------------------------------

     Improper billing resulting from a lack of communication 
between different departments within the DMEPOS supplier; 75 
and
---------------------------------------------------------------------------

    \75\ A lack of communication between the different departments 
of a DMEPOS supplier may result in the DMEPOS supplier filing 
incorrect claims and/or equipment delivery problems.
---------------------------------------------------------------------------

     Employing persons excluded from participation in Federal 
health care programs.76
---------------------------------------------------------------------------

    \76\ This involves hiring or contracting with individuals or 
entities who have been excluded from participation in Federal health 
care programs or any other Federal procurement or non-procurement 
program. See section II.F.2.
---------------------------------------------------------------------------

    A DMEPOS supplier's prior history of noncompliance with applicable 
statutes, regulations, and Federal, State or private health care 
program requirements may indicate additional types of risk areas where 
the DMEPOS supplier may be vulnerable and that may require policies and 
procedures to prevent recurrence.77 Additional risk areas 
should be assessed by the DMEPOS supplier and incorporated into its 
written policies and procedures and training programs developed as part 
of its compliance program.
---------------------------------------------------------------------------

    \77\ ``Recurrence of misconduct similar to that which an 
organization has previously committed casts doubt on whether it took 
all reasonable steps to prevent such misconduct'' and is a 
significant factor in the assessment of whether a compliance program 
is effective. See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(k)(iii).
---------------------------------------------------------------------------

    The OIG believes sound operating policies are essential to all 
DMEPOS suppliers, regardless of size. The OIG recommends that small 
DMEPOS suppliers focus on the risk areas most potentially problematic 
to its business operations. The OIG recognizes some small DMEPOS 
suppliers may not have the resources to independently develop a 
comprehensive set of written policies and procedures pertaining to such 
risk areas. In this case, the OIG recommends that the small DMEPOS 
supplier create a manual that is accessible to all employees. Such a 
manual should contain the specific statutes, regulations, and DMERC 
instructions and bulletins that address the DMEPOS supplier's 
identified risk areas. The goal of this manual is to provide employees 
direction so they can properly address any concerns/issues/questions 
that may arise.
3. Claims Development and Submission
a. Medical Necessity
    The OIG recommends that the DMEPOS supplier's compliance program 
communicate to physicians and other persons authorized to order items 
and services that claims submitted for items and services will only be 
paid if the item or service is ordered, provided, covered, reasonable 
and necessary for the patient, given his or her clinical condition. The 
DMEPOS suppliers should take all reasonable steps to ensure they are 
not submitting claims for services that are not: (i) covered; (ii) 
reasonable; and (iii) necessary.78 The DMEPOS suppliers must 
keep the treating physician's or other authorized person's signed and 
dated order or CMN on file for all DMEPOS items and 
services.79 Upon a payor's request, the DMEPOS supplier must 
be able to provide documentation, such as physician orders, completed 
original CMNs,80 proof of delivery, written confirmation of 
verbal orders and any other documentation to support the medical 
necessity of an item or service the DMEPOS supplier has provided and 
billed to a Federal or private health care program.81 
Because the DMEPOS supplier is responsible for producing documentation 
upon request, the DMEPOS supplier may want to send a written notice to 
its clients who write orders and refer patients concerning payors' 
documentation requirements.
---------------------------------------------------------------------------

    \78\ See note 31.
    \79\ See Medicare Carrier Manual, section 3312. See also 
Medicare Carrier Manual, section 4105.2 regarding what information 
must be included on the physician's order.
    \80\ An original CMN is that in which Section B was completed by 
the treating physician or other authorized person and contains the 
original signature of the treating physician or other authorized 
person.
    \81\ In order to ensure correct reimbursement, the payor may 
conduct a post-payment audit of a DMEPOS supplier's claims. Such 
audits may require that the DMEPOS supplier submit documentation to 
substantiate that the items or services were ordered by the treating 
physician or other authorized person, provided, covered, reasonable 
and necessary. See 42 CFR 424.5(a)(6).
---------------------------------------------------------------------------

    As a preliminary matter, the OIG recognizes that physicians and 
other authorized persons must be able to order any items or services 
that they believe are appropriate for the treatment of their patients. 
However, Medicare and other Government and private health care plans 
will only pay for those services that are covered and that meet the 
appropriate medical necessity standards (e.g., ordered, provided, 
reasonable, necessary, and meeting criteria established by medical 
review policies). ``No payment may be made under Part A or Part B for 
any expenses incurred for items or services * * * which are not 
reasonable and necessary for the diagnosis or treatment of an illness 
or injury or to improve the functioning of a malformed body member.'' 
82 Therefore, DMEPOS suppliers should be aware that Medicare 
may deny payment for an item or service that the treating physician or 
other authorized person believes is appropriate, but which does not 
meet the Medicare coverage criteria or where the documentation does not 
support that the item or service was reasonable and necessary for the 
patient. The OIG recommends that the DMEPOS supplier advise its clients 
that claims for items or services submitted for Federal, State or 
private payor reimbursement must meet program requirements 
83 or the claims may be denied.
---------------------------------------------------------------------------

    \82\ See 42 U.S.C. 1395y(a)(1)(A).
    \83\ See note 31.
---------------------------------------------------------------------------

    The DMEPOS supplier should take steps to ensure compliance with the 
applicable statutes, regulations and the requirements of Federal, State 
and private health plans. The OIG recognizes that DMEPOS suppliers do 
not and cannot treat patients or make medical necessity determinations. 
However, the DMEPOS supplier must take steps to ensure that the 
beneficiary's condition meets coverage, payment and utilization 
criteria established in medical policies before it submits a claim to 
Federal, State or private health plans. In order to help

[[Page 36376]]

ensure compliance, the OIG recommends that DMEPOS supplier personnel 
understand the coverage and payment criteria of each payor they bill. 
To help aid supplier personnel, the DMEPOS supplier's compliance 
officer may want to create a clear, comprehensive summary of the 
``medical necessity'' standards or coverage criteria and applicable 
rules of the various Government and private plans. This summary should 
be disseminated and explained to the appropriate DMEPOS supplier 
personnel.
    We also recommend that DMEPOS suppliers formulate internal control 
mechanisms through their written policies and procedures to ensure the 
medical necessity of the items or services they provide. Such policies 
and procedures may include periodic claim reviews, both prior and 
subsequent to billing for items and services. Such a procedure will 
verify that patients are receiving and the DMEPOS supplier is being 
paid for items and/or services that are ordered, provided, covered, 
reasonable and necessary. The DMEPOS supplier may choose to incorporate 
this claims review function into pre-existing quality assurance 
mechanisms.
b. Physician Orders
    The DMEPOS supplier's written policies and procedures should state 
that the DMEPOS supplier will not bill for an item or service unless 
and until it has been ordered by the treating physician or other 
authorized person. For all Medicare reimbursed DMEPOS items or 
services, the DMEPOS supplier must receive a written order from the 
patient's treating physician or other authorized person. Such written 
order must be received prior to billing Medicare. When the DMEPOS 
supplier receives a verbal order, the DMEPOS supplier should document 
the verbal order and must have the treating physician or other 
authorized person confirm it in writing prior to billing.
    The written policies and procedures should also state, for items 
requiring a written order prior to delivery, that the order must be 
received by the DMEPOS supplier before it delivers the equipment to the 
patient and before it bills the payor.84
---------------------------------------------------------------------------

    \84\ See 42 CFR 410.38.
---------------------------------------------------------------------------

c. Certificate of Medical Necessity 85
    For some DMEPOS items and services, the DMEPOS supplier must 
receive a signed CMN from the treating physician or other authorized 
person. Currently, CMNs are required for Medicare reimbursement for 
fourteen items. 86 The CMN must be retained in the DMEPOS 
supplier's records before it can submit a claim for payment to the 
Medicare program. Although faxed CMNs are permitted in order to submit 
the claim, the DMERCs have the authority to request the original CMN 
from the DMEPOS supplier at any time.87
---------------------------------------------------------------------------

    \85\ As defined in 42 U.S.C. 1395m(j)(2)(B). See also OIG 
Special Fraud Alert regarding Physician Liability for Certifications 
in the Provision of Medical Equipment and Supplies and Home Health 
Services, 64 FR 1813 (January 12, 1999). Special Fraud Alerts are 
available on the OIG website.
    \86\ Items or services requiring CMNs are as follows: Home 
oxygen therapy (HCFA form 484); Hospital beds (HCFA form 841); 
Support surfaces (HCFA form 842); Motorized wheelchairs (HCFA form 
843) (Section C continuation, HCFA form 854); Manual wheelchairs 
(HCFA form 844) (Section C continuation, HCFA form 854); Continuous 
positive airway pressure (CPAP) devices (HCFA form 845); Lymphedema 
pumps (pneumatic compression devices) (HCFA form 846); Osteogenesis 
stimulators (HCFA form 847); Transcutaneous electrical nerve 
stimulators (TENS) (HCFA form 848); Seat lift mechanisms (HCFA form 
849); Power operated vehicles (HCFA form 850); Infusion pumps (HCFA 
form 851); Parenteral nutrition (HCFA form 852); and Enteral 
nutrition (HCFA form 853).
    \87\ See HCFA Program Memorandum B-99-23 (April 1999).
---------------------------------------------------------------------------

    Each CMN has four sections: A, B, C, and D. Section A may be 
completed by the DMEPOS supplier. Section B may not be completed by the 
DMEPOS supplier.88 Section B may only be completed by the 
treating physician, a non-physician clinician involved in the care of 
the patient or a physician employee who is knowledgeable about the 
patient's treatment. If section B is completed by a physician's 
employee, the section must be reviewed by the treating physician or 
other person authorized to sign section D of the CMN 89 to 
ensure the information's accuracy. Section C must be completed by the 
DMEPOS supplier prior to the CMN being furnished to the treating 
physician or other authorized person for signature.90 
Section D is the attestation statement and may only be signed by the 
treating physician or other person authorized to sign section 
D.91 The DMEPOS supplier's written policies and procedures 
on completing CMNs should reflect these standards.
---------------------------------------------------------------------------

    \88\ A supplier who knowingly and willfully completes section B 
of the form is, at a minimum, subject to a CMP of up to $1,000 for 
each form or document completed in such manner. See 42 U.S.C. 
1395m(j)(2). That supplier may also face civil and criminal 
liability.
    \89\ See HCFA Program Memorandum B-98-47 (November, 1998), which 
discusses who is authorized to sign section D of the CMN.
    \90\ A supplier who knowlingly and willfully fails to include, 
in section C, the fee schedule amount and the supplier's charge for 
the equipment or supplies being furnished may be subject to a CMP up 
to $1,000 for each form or document so distributed. See 42 U.S.C. 
1395m(j)(2).
    \91\ Physicians or persons authorized to sign section D (see 
note 89), should only sign CMNs in which sections A-C are completed 
and correct. Signature and date stamps are not acceptable. See 
Medicare Carriers Manual, section 3312.
---------------------------------------------------------------------------

    The DMEPOS supplier should take all reasonable steps to ensure that 
each section of the CMN is completed in accordance with the above 
guidelines. The OIG recommends that the DMEPOS supplier's written 
policies and procedures, at a minimum, provide that the DMEPOS 
supplier:
     Does not forward blank CMNs to the treating physician or 
other authorized person for signature;
     Does not complete section B (Medical Necessity) of the 
CMN;
     Does not alter or add any information on the CMN after 
receiving the completed and signed CMN from the physician or other 
authorized person; 92
---------------------------------------------------------------------------

    \92\ There have been many investigations centering on DMEPOS 
suppliers who alter information in order to affect their 
reimbursement (e.g., altering diagnosis code, altering HCPCS code of 
service provided).
---------------------------------------------------------------------------

     Does not sign the CMN for the treating physician or other 
authorized person;
     Does not urge physicians or other authorized persons to 
order equipment or supplies that exceed what is reasonable and 
necessary for the patient;
     Does not deliver an item that requires a written order 
from the treating physician or other authorized person prior to 
receiving the written order; 93
---------------------------------------------------------------------------

    \93\ See 42 U.S.C. 1395m(a)(11)(B). See also 42 CFR 410.38.
---------------------------------------------------------------------------

     Does not submit a claim for DMEPOS items or services prior 
to receiving a written order or CMN from the treating physician or 
other authorized person;
     Does not submit a claim for DMEPOS items or services until 
the CMN is properly and correctly completed by the treating physician 
or other authorized person;
     Maintains completed and signed CMNs in its files;
     Consults with the treating physician or other authorized 
person who signed the CMN when there is a question on the order;
     Properly complete sections A and C of the CMN and then 
forward the CMN to the treating physician or other authorized person 
for his/her review, information, and signature; and
     Only submit claims for services that the treating 
physician or other authorized person attests in section D are ordered 
and medically necessary for the patient.

[[Page 36377]]

d. Billing
    The DMEPOS supplier should provide in its written policies and 
procedures that it will only submit to Medicare or other Federal, State 
or private payor health care plans claims that are properly completed, 
accurate, and correctly identify the item or service ordered by the 
treating physician or other authorized person and furnished to the 
patient. Also, prior to submitting the claim, the DMEPOS supplier 
should take all reasonable steps to ensure the item or service being 
claimed was provided, covered, reasonable and necessary.
    The written policies and procedures should also clarify that a 
DMEPOS supplier cannot submit bills or receive payment for drugs used 
in conjunction with DMEPOS, unless the DMEPOS supplier is licensed to 
dispense the drug.94
---------------------------------------------------------------------------

    \94\ See Medicare Program Memoranda B-98-6 (February, 1998) and 
B-98-18 (May, 1998).
---------------------------------------------------------------------------

e. Selection of HCPCS Codes
    The DMEPOS supplier's written policies and procedures should state 
that only the HCPCS code that most accurately describes the item or 
service ordered and provided should be billed. The OIG views knowing 
``upcoding'' (i.e., the selection of a code to maximize reimbursement 
when such a code is not the most appropriate descriptor of the service) 
as raising, among other things, false claims issues under the Civil 
False Claims Act.95 To ensure code accuracy, the OIG 
recommends that the DMEPOS supplier include a requirement in its 
policies and procedures that the codes be reviewed (random sample or 
certain codes) by individuals with technical expertise in coding before 
claims containing such codes are submitted to the affected payor. If a 
DMEPOS supplier has questions regarding the appropriate code to be 
used, it should contact the Statistical Analysis Durable Medical 
Equipment Carrier's (SADMERC) HCPCS coding help line.96
---------------------------------------------------------------------------

    \95\ See 31 U.S.C. 3729, which provides for the imposition of 
penalties of $5,000 to $10,000 per false claim, plus up to three 
times the amount of damages suffered by the Federal Government 
because of the false claim.
    \96\ The phone number for the SADMERC's HCPCS coding help line 
is 803-736-6809. The hours of operation are Monday through Friday 
from 9:00 am to 4:00 pm, EST. Based on the information provided by 
the DMEPOS supplier, the SADMERC will aid the DMEPOS supplier in 
choosing the most accurate code for the item or service ordered and 
supplied. However, the DMEPOS supplier should be aware that 
assigning a HCPCS code to an item or service does not necessarily 
guarantee reimbursement.
---------------------------------------------------------------------------

f. Valid Supplier Numbers
    The DMEPOS supplier should ensure that appropriate personnel are 
knowledgeable in (1) completing the HCFA 855S supplier application; 
97 and (2) complying with the Federal requirements of 42 CFR 
424.57(e) for updating supplier number applications.
---------------------------------------------------------------------------

    \97\ By signing the certification statement on the enrollment 
application, the applicant agrees that he/she has read, understood, 
meets and will continue to meet the supplier standards and will be 
disenrolled from the program if any standards are not met or 
violated.
---------------------------------------------------------------------------

    The written policies and procedures should state that the DMEPOS 
supplier should not bill any other Federal, State or private payor 
health care plan without obtaining the necessary billing numbers and 
that the billing numbers will be used correctly.98
---------------------------------------------------------------------------

    \98\ E.g., if a DMEPOS supplier has more than one location, the 
supplier number of the location that filled the physician's or other 
authorized person's order will be used on the claim form.
---------------------------------------------------------------------------

    Prior to applying for a valid supplier number, a DMEPOS supplier 
providing services to Medicare beneficiaries must meet the supplier 
standards.99 The DMEPOS supplier should take all affirmative 
steps to ensure that no claims for Medicare reimbursement are submitted 
prior to the DMEPOS supplier being issued a valid supplier number by 
the National Supplier Clearinghouse. A DMEPOS supplier should not have 
more than one Medicare supplier number unless it is appropriate to 
identify subsidiary or regional entities under the supplier's ownership 
or control.100
---------------------------------------------------------------------------

    \99\ See 42 CFR 424.57.
    \100\ See 42 U.S.C. 1395m(j)(1)(D).
---------------------------------------------------------------------------

g. Mail Order Suppliers
    We recommend that any DMEPOS supplier who engages in the mail order 
supply business clearly articulate its protocol for this segment of its 
business in the company's written policies and procedures.
    Mail order supplies should only be delivered in accordance with the 
treating physician's or other authorized person's orders. Regularly 
shipping supplies without such orders may lead to providing supplies 
substantially in excess of the patient's needs.101 We also 
recommend that the supplier utilize a tracking system so it will be 
able to determine whether or not the patient received the supplies and 
will be able to track the location of an item or supply at any given 
time.
---------------------------------------------------------------------------

    \101\ See note 44.
---------------------------------------------------------------------------

h. Assignment
    If a DMEPOS supplier accepts Medicare assignment, its written 
policies and procedures should state that it will not charge Medicare 
beneficiaries more than the amounts allowed under the Medicare fee 
schedule, including coinsurance and deductibles. If the beneficiary 
pays the DMEPOS supplier prior to the DMEPOS supplier submitting the 
claim, the DMEPOS supplier should ensure it is not charging the 
beneficiary more than the coinsurance on the allowed amount under the 
fee schedule. In the event that the DMEPOS supplier collects excess 
payments from a Medicare beneficiary, it should have mechanisms in 
place to promptly refund the overpayment to the beneficiary. The DMEPOS 
supplier should be knowledgeable about the Medicare rules and 
instructions for accepting assignment and receiving direct payment from 
beneficiaries for items or services.
    If a DMEPOS supplier chooses not to accept Medicare assignment, it 
is still responsible for submitting claims to Medicare on behalf of 
beneficiaries.102
---------------------------------------------------------------------------

    \102\ See 42 U.S.C. 1395w-4(g)(4).
---------------------------------------------------------------------------

    If the DMEPOS supplier chooses to utilize a billing agent, the 
DMEPOS supplier should ensure it is complying with all of the relevant 
statutes and requirements governing such an arrangement.103 
The OIG strongly recommends that the DMEPOS supplier coordinate closely 
with the billing company to establish compliance responsibilities. Once 
the responsibilities have been clearly delineated, they should be 
formalized in the written contract between the DMEPOS supplier and the 
billing agent. The OIG recommends that the contract enumerate those 
functions that are shared responsibilities and those that are the sole 
responsibility of either the billing agent or the DMEPOS supplier.
---------------------------------------------------------------------------

    \103\ See 42 U.S.C. 1395u(b)(6); 42 CFR 424.73; Medicare 
Carriers Manual, section 3060. See also OIG Ad. Op. 98-1 (1998) and 
OIG Ad. Op. 98-4 (1998).
---------------------------------------------------------------------------

i. Liability Issues
    The OIG recommends that DMEPOS suppliers avoid submitting claims 
for items or services that the DMEPOS supplier believes are not covered 
by Medicare. However, HCFA does permit a DMEPOS supplier to submit a 
claim for an item or service that the DMEPOS supplier believes is not 
covered if (i) the beneficiary insists that the DMEPOS supplier submit 
the claim, and (ii) the DMEPOS supplier notes on the claims its belief 
that the service is noncovered and that it is being submitted at the 
beneficiary's insistence (e.g., submitted for a Medicare determination 
of

[[Page 36378]]

coverage and/or to obtain a denial notice in order to bill other 
insurers).104
---------------------------------------------------------------------------

    \104\ See Medicare Carriers Manual, section 3043.
---------------------------------------------------------------------------

    A DMEPOS supplier or Medicare beneficiary is not liable for payment 
on assigned claims where the beneficiary did not know, and could not 
reasonably have been expected to know, that the payment for such 
services would not be made.105 However, when the DMEPOS 
supplier knew, or could have been expected to know, the items or 
services would be denied, the liability for improperly paid items or 
services rests with the DMEPOS supplier.106
---------------------------------------------------------------------------

    \105\ See 42 U.S.C. 1395pp.
    \106\ Id.
---------------------------------------------------------------------------

    In order to protect itself from financial responsibility in such 
situations (i.e., situations in which the beneficiary is insisting that 
a claim be submitted to Medicare notwithstanding the DMEPOS supplier's 
belief that Medicare does not cover the service), the DMEPOS supplier 
must inform the patient prior to furnishing the item or service of the 
DMEPOS supplier's belief that the claim to Medicare will be denied. In 
this situation, the DMEPOS supplier should ask the patient to sign a 
written notice.107 The written notice must be in writing, 
must clearly identify the particular item or service, must state that 
the payment for the particular item or service likely will be denied, 
and must give the reason(s) for the belief that payment is likely to be 
denied. It is the beneficiary's decision whether or not to sign the 
written notice. If the beneficiary does sign the written notice, the 
DMEPOS supplier should: (1) include the appropriate modifier on the 
claim form; (2) maintain the written notice in its files; and (3) be 
able to produce the written notice to the DMERC, upon request.
---------------------------------------------------------------------------

    \107\ See Medicare Carriers Manual, section 7300.5.
---------------------------------------------------------------------------

    If the DMEPOS supplier improperly bills the beneficiary, Medicare 
will indemnify the beneficiary for any payments the beneficiary made to 
the DMEPOS supplier, and collect the indemnification amount from the 
DMEPOS supplier as an overpayment.
    Routine notices to beneficiaries that do no more than state that 
denial of payment is possible are not considered acceptable evidence of 
written notice. Notices should not be given to beneficiaries unless 
there is some genuine doubt regarding the likelihood of payment as 
evidenced by the reasons stated on the written notice. Giving notice 
for all claims, items or services is not an acceptable practice.
    The OIG recommends that the DMEPOS supplier include the foregoing 
liability issues in its written policies and procedures.
j. Routine Waiver of Deductibles and Coinsurance
    Routine waivers of deductibles and coinsurance may result in false 
claims, CMPs for inducements to beneficiaries, and violations of the 
anti-kickback statute or similar Federal or State statute or 
regulations.108 In addition to the potential problems 
regarding kickbacks, false claims, and CMPs, the OIG has programmatic 
concerns when DMEPOS suppliers routinely waive deductibles and 
coinsurance. When DMEPOS suppliers forgive financial obligations for 
reasons other than genuine financial hardship of a particular patient, 
they may be inducing the patient to use items or services that are 
unnecessary, simply because they are free. Such usage may also lead to 
overutilization. DMEPOS suppliers are permitted to waive the Medicare 
coinsurance amounts for cases of financial need.109 We 
recommend that the DMEPOS supplier develop and maintain written 
criteria documenting its policy for determining financial need and 
consistently apply this criteria to all cases.\110\ A good faith effort 
must be made to collect deductibles and coinsurance.\111\
---------------------------------------------------------------------------

    \108\ See 59 FR 31157 (December 19, 1994) or the OIG website at 
http://www.dhhs.gov/progorg/oig for the OIG Special Fraud Alert on 
Medicare Deductibles and Copayments. See also 31 U.S.C. 3729-3733; 
42 U.S.C. 1320a-7a(a)(5); 42 U.S.C. 1320a-7b.
    \109\ See Medicare Carriers Manual, section 5520
    \110\ What constitutes ``financial need'' varies depending on 
the circumstances. However, the OIG believes it is important that a 
DMEPOS supplier make determinations of financial need on an 
individualized, case by case, basis in accordance with a reasonable 
set of income guidelines uniformly applied in all cases. The 
guidelines should be based on objective criteria and appropriate for 
the applicable locality. It is not appropriate to apply inflated 
income guidelines that result in waivers of copayments for persons 
not in genuine financial need.
    \111\ See 42 CFR 413.80; Provider Reimbursement Manual, Part I, 
sections 308 and 310.
---------------------------------------------------------------------------

    The DMEPOS supplier's written policies and procedures should state 
that it will not routinely waive deductibles and coinsurance for 
Medicare beneficiaries. The OIG recommends that such policies and 
procedures should include, but not be limited to, statements that 
DMEPOS supplier personnel are prohibited from: advertising an intent to 
waive deductibles or coinsurance for Medicare beneficiaries; 
advertising an intent to discount services for Medicare beneficiaries; 
or giving unsolicited advice to Medicare beneficiaries that they need 
not pay.
k. Capped Rentals
    The DMEPOS supplier's written policies and procedures should 
address Government and private payor requirements when providing rental 
equipment to beneficiaries (e.g., the purchase option 112 
and servicing and maintenance 113). The DMEPOS supplier must 
offer a purchase option to beneficiaries during the 10th continuous 
rental month.114 The DMEPOS supplier should clearly, 
accurately, and non-deceptively discuss the pros and cons of the 
different options with the beneficiary. If the beneficiary does not 
accept the purchase option, the DMEPOS supplier must continue to 
provide the item. After the 15th continuous month of receiving rental 
payments from Medicare, providing the item or service continues to be 
medically necessary, the DMEPOS supplier must continue to provide the 
item without charge to the beneficiary or Medicare.
---------------------------------------------------------------------------

    \112\ See 42 CFR 414.229(d).
    \113\ See 42 CFR 414.229(e).
    \114\ DMEPOS suppliers must offer beneficiaries the option of 
purchasing power-driven wheelchairs at the time the DMEPOS supplier 
first furnishes the item See 42 CFR 414.229(d)(1).
---------------------------------------------------------------------------

    However, the DMEPOS supplier may submit additional claims for the 
maintenance and servicing fees associated with the rental 
item.115 The DMEPOS supplier should ensure it is performing 
basic safety and operational function checks after use by each patient, 
and is performing routine and preventative maintenance on equipment. 
The DMEPOS supplier must ensure it has qualified staff or contractors 
to service, set up, and instruct the patient on the proper use of the 
equipment. The DMEPOS supplier should ensure it maintains current 
service manuals for all the equipment it supplies. In addition, the OIG 
recommends that the DMEPOS supplier's policies and procedures establish 
an internal control system that allows the DMEPOS supplier to track the 
location of each piece of equipment at any given time.
---------------------------------------------------------------------------

    \115\ See 42 CFR 414.229(e).
---------------------------------------------------------------------------

    The policies and procedures should also address the guidelines for 
determining continuous use and criteria for a new rental 
period.116 If a beneficiary dies during a rental period, the 
DMEPOS supplier may receive the entire monthly rental 
payment.117 However, if the DMEPOS supplier continues to 
bill for the item because it did not receive notice of the 
beneficiary's death until the following

[[Page 36379]]

month, any payments received for rental items the month after the 
beneficiary dies are considered an overpayment and must promptly be 
refunded. The DMEPOS supplier should create internal mechanisms to 
ensure the correct rental month appears on the claim and the correct 
modifier is used.
---------------------------------------------------------------------------

    \116\ See 42 CFR 414.230.
    \117\ See Medicare Carriers Manual, section 4105.3.
---------------------------------------------------------------------------

    In addition, the DMEPOS supplier should ensure it is not submitting 
claims for rental equipment when the beneficiary is residing in an 
institution. The OIG is aware that some DMEPOS suppliers bring DMEPOS 
items to beneficiaries residing in an institution, just prior to the 
beneficiary's discharge, in order to train the beneficiary on how to 
use the item or to fit the item for the beneficiary. Once the DMEPOS 
supplier has trained or fitted the beneficiary, the DMEPOS supplier 
should take the item and deliver it to the beneficiary's home on the 
date of discharge. As a result, the DMEPOS supplier should file the 
claim for this item with the date of delivery/date of service as the 
date the beneficiary is discharged from the institution. If the DMEPOS 
supplier delivers the item to the beneficiary in the institution prior 
to the beneficiary's discharge to be used by the beneficiary while in 
the institution, the item should be included in the institution's cost 
and the DMEPOS supplier should not submit the claim. The DMEPOS 
supplier may not submit the claim prior to the beneficiary's date of 
discharge.
l. ZX Modifier
    The ZX modifier is used on the claim form to indicate that the 
DMEPOS supplier is maintaining medical necessity documentation in its 
files. Such documentation only needs to be submitted to the DMERC upon 
request.
    The DMEPOS supplier should create internal mechanisms to ensure the 
proper use of the ZX modifier. Improper use of the modifier may result 
in the submission of false claims. The OIG recommends that the DMEPOS 
supplier's written policies and procedures address the DMEPOS 
supplier's protocol for using the ZX modifier.118
---------------------------------------------------------------------------

    \118\ See relevant DMERC supplier manual(s) for guidelines on 
proper use.
---------------------------------------------------------------------------

m. Cover Letters
    Cover letters are commonly used by the DMEPOS supplier as a method 
of communication between the DMEPOS supplier and the treating physician 
or other authorized person. The cover letter is not a form required or 
regulated by the Government. As a result, the DMERCs do not base 
Medicare denials solely on what may be considered inappropriate use of 
cover letters. However, the OIG is concerned that cover letters may 
influence or direct a physician's or other authorized person's answers 
on the CMN, particularly the questions relating to the patient's 
medical condition.119 It is the treating physician's or 
other authorized person's responsibility to determine both the medical 
need for, and the utilization of, health care services. The OIG 
encourages the DMEPOS supplier to include language in its cover letter 
to remind treating physicians and other authorized persons of their 
responsibilities in properly completing CMNs.
---------------------------------------------------------------------------

    \119\ Encouraging physicians or other authorized persons to 
order unwanted items or supplies may result in submitting claims for 
items or services that are not reasonable or necessary. The OIG is 
aware of instances where the DMEPOS supplier has copied the CMN, 
complieted section B of the copy, and used this completed copy as 
its cover letter to physicians.
---------------------------------------------------------------------------

n. Communication
    The OIG suggests that the DMEPOS supplier create mechanisms that 
increase the communication among treating physicians or other 
authorized persons who refer business to the DMEPOS supplier, the 
patients, and the DMEPOS supplier. We recommend that such mechanisms be 
included in the DMEPOS supplier's written policies and procedures. Such 
mechanisms may include: (i) the DMEPOS supplier periodically calling 
the patient to ensure the equipment is still being used and is 
operating properly; or (ii) periodically calling the treating physician 
to ensure the provided items continue to be medically necessary for a 
patient.
    In addition, we recommend the DMEPOS supplier create mechanisms to 
ensure communication between different departments (e.g., sales and 
billing) in order to prevent the filing of incorrect claims.
o. Oxygen and Oxygen Equipment
    The OIG recommends that the written policies and procedures for 
DMEPOS suppliers furnishing oxygen state that the DMEPOS supplier will 
ensure that initial claims for oxygen therapy include the written 
results of an arterial blood gas study or oximetry test (on the CMN) 
that has been ordered and evaluated by the patient's treating 
physician. Further, the written policies and procedures should provide 
for the DMEPOS supplier to maintain such test results and any other 
independent diagnostic treatment facility (IDTF) documents supporting 
the patient's medical necessity for the oxygen. The OIG recommends that 
the DMEPOS supplier have the IDTFs, from which it receives test 
results, submit, all raw test results to the treating physician for the 
physician's benefit, and not just a summary of the results. The written 
policies and procedures should provide that a DMEPOS supplier is not 
qualified to conduct the blood gas study or to prescribe the oxygen 
therapy.120
---------------------------------------------------------------------------

    \120\ See Coverage Issues Manual, section 60-4.
---------------------------------------------------------------------------

    The OIG also recommends, for patient safety purposes, that the 
rental of oxygen include established maintenance safeguards and that 
steps are taken to ensure the equipment is properly maintained, as 
maintenance is included in the rental price of the equipment.
    When submitting an oxygen or oxygen equipment claim for 
reimbursement, the DMEPOS supplier must ensure it is complying with the 
payment rules.121
---------------------------------------------------------------------------

    \121\ See 42 CFR 414.226.
---------------------------------------------------------------------------

4. Anti-Kickback and Self-Referral Concerns
    The DMEPOS supplier should have policies and procedures in place 
with respect to compliance with Federal and State laws, including the 
anti-kickback statute, as well as the Stark physician self-referral 
law.122 Such policies should provide that:
---------------------------------------------------------------------------

    \122\ Towards this end, the DMEPOS supplier should, among other 
things, obtain copies of all relevant OIG regulations, Special Fraud 
Alerts, and Advisory Opinions (these documents are located on the 
Internet at http://www.dhhs.gov/progorg/oig), and ensure that the 
DMEPOS supplier's policies reflect the guidance provided by the OIG. 
See 42 U.S.C. 1395nn(a) for the Stark physician referral laws. See 
also 42 U.S.C. 1320a-7b for prohibited activities under the anti-
kickback statute.
---------------------------------------------------------------------------

     All of the DMEPOS supplier's contracts and arrangements 
with actual or potential referral sources (e.g., physicians) are 
reviewed by counsel and comply with all applicable statutes and 
regulations, including the anti-kickback statute and the Stark 
physician self-referral law; 123
---------------------------------------------------------------------------

    \123\ If the DMEPOS supplier questions an arrangement into which 
it may enter, it should consider asking the OIG for an Advisory 
Opionion regarding the anti-kickback statute of HCFA for an Advisory 
Opinion regarding Stark. See 62 FR 7350 (February 19, 1997) and 63 
FR 38,311 (July 16, 1998) for instructions on how to submit an 
Advisory Opinion to the OIG. These instructions are also located on 
the Internet at http://www.dhhs.gov/progorg/oig. See 63 FR 1645 
(January 9, 1998) on how to submit an Advisory Opinion to HCFA.
---------------------------------------------------------------------------

     The DMEPOS supplier will not submit or cause to be 
submitted to health care programs claims for patients who were referred 
to the DMEPOS supplier pursuant to contracts or financial arrangements 
that were designed to induce such referrals in violation of the anti-
kickback statute or similar Federal or State statute or regulation or 
that otherwise violate the Stark physician self-referral law;

[[Page 36380]]

     A DMEPOS supplier does not offer a physician or other 
referral source more than fair market value for space rented to store 
items or supplies (i.e., consignment closet); and
     The DMEPOS supplier does not offer or provide gifts, free 
services, or other incentives or things of value to patients, relatives 
of patients, physicians, home health agencies, nursing homes, 
hospitals, contractors, assisted living facilities, or other potential 
referral sources for the purpose of inducing referrals in violation of 
the anti-kickback statute or similar Federal or State statute or 
regulation.124
---------------------------------------------------------------------------

    \124\ See 42 U.S.C. 1320a-7a(a)(5), which provides for CMPs for 
improper inducements to beneficiaries.
---------------------------------------------------------------------------

    Further, the OIG recommends that the written policies and 
procedures should specifically reference and take into account the 
OIG's safe harbor regulations, which describe those payment practices 
that are immune from criminal and administrative prosecution under the 
anti-kickback statute.125
---------------------------------------------------------------------------

    \125\ See 42 CFR 1001.952. Simply because an arrangement does 
not meet a safe harbor does not necessarily mean it is illegal.
---------------------------------------------------------------------------

    The OIG believes all DMEPOS suppliers, regardless of size, should 
be concerned with potential anti-kickback and Stark violations. As a 
result, all DMEPOS suppliers should be knowledgeable about, and 
compliant with, the anti-kickback statute, the Stark physician self-
referral law and other relevant Federal and State statutes or 
regulations.
    Although all DMEPOS suppliers are responsible for ensuring 
compliance with these provisions, the OIG recognizes that the small 
DMEPOS supplier may not have the resources to implement the suggestions 
in this section to the same extent as a large DMEPOS supplier. 
Therefore, the smaller DMEPOS supplier may need to employ a slightly 
different mechanism to ensure compliance. For example, the small DMEPOS 
supplier may want to choose a sample of contracts or financial 
arrangements to review on a periodic basis.
5. Marketing
    Where marketing is permitted, the DMEPOS supplier's compliance 
program should require honest, straightforward, fully informative and 
non-deceptive marketing. It is in the best interest of patients, DMEPOS 
suppliers, physicians and health care programs that physicians or other 
persons authorized to order DMEPOS fully understand the services 
offered by the DMEPOS supplier, the items or services that will be 
provided when ordered, and the financial consequences for Medicare as 
well as other payors for the items or services ordered. The OIG 
recommends that if the DMEPOS supplier services a large number of non-
English speaking patients, it should ensure that its marketing 
materials are available in those other languages. The DMEPOS supplier's 
written policies and procedures should ensure that its marketing 
information is clear, correct, and fully informative.
    Salespeople must not offer physicians, patients or other potential 
referral sources incentives, in cash or in kind, for their 
business.126 Similarly, they must not engage in any 
marketing activity that either explicitly or implicitly implies that 
Medicare beneficiaries are not obligated to pay their coinsurance or 
can receive ``free'' services.127 In addition, DMEPOS 
suppliers must not promote items or services to patients or physicians 
that are not reasonable or necessary for the treatment of the 
individual patient. The OIG suggests that the DMEPOS supplier's written 
policies and procedures create internal mechanisms to avoid these 
situations.
---------------------------------------------------------------------------

    \126\ See anti-kickback statute discussion in section II.A.4.
    \127\ See discussion in section II.A.3.j.
---------------------------------------------------------------------------

    With respect to marketing and sales, the OIG has a longstanding 
concern that percentage compensation arrangements for sales and 
marketing personnel may increase the risk of such persons violating the 
anti-kickback statute.128 The OIG recommends that the DMEPOS 
supplier monitor its sales representatives on a regular basis (e.g., 
rotate sales staff or send a sales manager on some sales calls).
---------------------------------------------------------------------------

    \128\ See e.g., 42 U.S.C. 1320a-7b(B); OIG Ad. Op. 98-10 (1998); 
section II.A.4.
---------------------------------------------------------------------------

    The DMEPOS suppliers are prohibited from making unsolicited 
telephone contacts to Medicare beneficiaries.129 We suggest 
that the DMEPOS supplier's written policies and procedures reflect this 
prohibition.
---------------------------------------------------------------------------

    \129\ See 42 U.S.C. 1395m(a)(17), Pub.L. 103-432, section 
132(a).
---------------------------------------------------------------------------

    The DMEPOS suppliers are also prohibited from using symbols, 
emblems, or names in reference to Social Security or Medicare in a 
manner that they know or should know would convey the false impression 
that an item is approved, endorsed, or authorized by the Social 
Security Administration, HCFA, or the Department of Health and Human 
Services or that the supplier has some connection with, or 
authorization from, any of these agencies.130
---------------------------------------------------------------------------

    \130\ See 42 U.S.C. 1320b-10.
---------------------------------------------------------------------------

    The OIG believes marketing strategies employed by all DMEPOS 
suppliers, regardless of size, should be clear, correct, honest, 
straightforward, non-deceptive and fully informative. In addition, all 
DMEPOS suppliers should inform their sales people of potential anti-
kickback concerns, the telemarketing law, and the prohibition on 
inappropriately using references to Social Security and Medicare. 
Although the small DMEPOS supplier may not have extensive written 
policies and procedures, every DMEPOS supplier should ensure that its 
employees are clear on what is permitted and prohibited with regard to 
marketing.
6. Retention of Records
    The DMEPOS supplier's compliance program should provide for the 
implementation of a records system. The DMEPOS supplier should ensure 
that records are maintained for the length of time required by Federal 
and State law and private payors, or by the DMEPOS supplier's record 
retention policies, whichever is longer. This system should establish 
policies and procedures regarding the creation, distribution, 
retention, storage, retrieval, and destruction of 
documents.131 The three types of documents developed under 
this system should include: (1) all records and documentation (e.g., 
billing and claims documentation) required either by Federal or State 
law and the program requirements of Federal, State, and private health 
plans; (2) records listing the persons responsible for implementing 
each part of the compliance program; and (3) all records necessary to 
protect the integrity of the DMEPOS supplier's compliance process and 
confirm the effectiveness of the program.132 The 
documentation necessary to satisfy the third requirement includes, but 
is not limited to: evidence of adequate employee training; reports from 
the DMEPOS supplier's hotline; results of any investigation conducted 
as a consequence of a hotline call; modifications to the compliance 
program; self-disclosure; all written notifications to physicians and 
payors; 133 and the results of the DMEPOS supplier's 
auditing and monitoring efforts.
---------------------------------------------------------------------------

    \131\ This records system should be tailored to fit the 
individual needs and financial resources of the DMEPOS supplier.
    \132\The creation and retention of such documents and reports 
may raise a variety of legal issues, such as patient privacy and 
confidentiality. These issues are best discussed with legal counsel.
    \133\ This should include notifications regarding inappropriate 
claims and overpayments.
---------------------------------------------------------------------------

    All DMEPOS suppliers, regardless of size, must retain documents 
required by the health plans in which they

[[Page 36381]]

participate. In case of a future Government investigation, the OIG 
recommends that all DMEPOS suppliers retain documents relating to the 
implementation of their compliance programs.
7. Compliance as an Element of a Performance Plan
    The DMEPOS supplier's compliance program should require that the 
promotion of, and adherence to, the elements of the compliance program 
be a factor in evaluating the performance of all employees. Employees 
should be periodically trained in new compliance policies and 
procedures. In addition, all managers and supervisors should:
     Discuss with all supervised employees and relevant 
contractors the compliance policies and legal requirements applicable 
to their function;
     Inform all supervised personnel that strict compliance 
with these policies and requirements is a condition of employment; and
     Disclose to all supervised personnel that the DMEPOS 
supplier will take disciplinary action up to and including termination 
for violation of these policies or requirements.
    In addition to making performance of these duties an element in 
evaluations, the compliance officer or DMEPOS supplier management 
should include a policy that managers and supervisors will be 
sanctioned for failing to instruct adequately their subordinates or for 
failing to detect noncompliance with applicable policies and legal 
requirements, where reasonable diligence on the part of the manager or 
supervisor would have led to the discovery of any problems or 
violations.
    The OIG believes all DMEPOS suppliers, regardless of size, should 
ensure their employees understand the importance of compliance. If the 
small DMEPOS supplier does not have a formal performance evaluation 
structure, it should informally convey the employee's compliance 
responsibilities and the importance of these responsibilities.

B. Designation of a Compliance Officer and a Compliance Committee

1. Compliance Officer
    Every DMEPOS supplier should designate a compliance officer to 
serve as the focal point for compliance activities. The compliance 
officer should be a person of high integrity. This responsibility may 
be the individual's sole duty or added to other management 
responsibilities, depending upon the size and resources of the DMEPOS 
supplier and the complexity of the task. When a compliance officer has 
other duties, the other duties should not be in conflict with the 
compliance goals.134
---------------------------------------------------------------------------

    \134\ E.g., companies should not choose a sales manager who may 
be pressured to achieve high sales, which might result in a conflict 
with compliance goals.
---------------------------------------------------------------------------

    Designating a compliance officer with the appropriate authority is 
critical to the success of the program, necessitating the appointment 
of a high-level official in the DMEPOS supplier with direct access to 
the DMEPOS supplier's owner(s), president or CEO, governing body, all 
other senior management, and legal counsel.135 The 
compliance officer should be highly enough placed in the company so 
that he or she can exercise independent judgment without fear of 
reprisal, and so that employees will know that bringing a problem to 
that person's attention is not a wasted exercise. The compliance 
officer should have sufficient funding and staff to fully perform his 
or her responsibilities. Coordination and communication are the key 
functions of the compliance officer with regard to planning, 
implementing, and monitoring the compliance program.
---------------------------------------------------------------------------

    \135\ The OIG believes that it is not advisable for the 
compliance function to be subordinate to the DMEPOS supplier's 
general counsel, comptroller or similar DMEPOS supplier financial 
officer. Free standing compliance functions help to ensure 
independent and objective legal reviews and financial analyses of 
the institution's compliance efforts and activities. By separating 
the compliance function from the key management positions of general 
counsel or chief financial officer (where the size and structure of 
the DMEPOS supplier make this a feasible option), a system of checks 
and balances is established to more effectively achieve the goals of 
the compliance program.
---------------------------------------------------------------------------

    The compliance officer's primary responsibilities should include:
     Overseeing and monitoring the implementation of the 
compliance program; 136
---------------------------------------------------------------------------

    \136\ For DMEPOS supplier chains, the OIG encourages 
coordination with each DMEPOS supplier location through the use of a 
headquarter's compliance officer, communicating with parallel 
positions in each facility or regional office, as appropriate.
---------------------------------------------------------------------------

     Reporting on a regular basis to the DMEPOS supplier's 
owner(s), governing body, CEO, president, and compliance committee (if 
applicable) on the progress of implementation, and assisting these 
components in establishing methods to improve the DMEPOS supplier's 
efficiency and quality of services, and to reduce the DMEPOS supplier's 
vulnerability to fraud, abuse, and waste;
     Periodically revising the program in light of changes in 
the organization's needs, and in the statutes, rules, regulations, and 
requirements of Federal, State, and private payor health care plans;
     Reviewing employees' certifications that they have 
received, read, understood, and will abide by the standards of conduct;
     Developing, coordinating, and participating in a 
multifaceted educational and training program that focuses on the 
elements of the compliance program, and seeks to ensure that all 
appropriate employees and managers are knowledgeable of, and comply 
with, pertinent Federal, State and private payor health care program 
requirements;
     Ensuring independent contractors and agents who provide 
services (e.g., billing companies, delivery services and sources of 
referrals, i.e., physicians and others) to the DMEPOS supplier are 
aware of the requirements of the DMEPOS supplier's compliance program 
with respect to coverage, billing, marketing, and kickbacks, among 
other things;
     Coordinating personnel issues with the DMEPOS supplier's 
Human Resources/Personnel office (or its equivalent). The OIG 
recommends that the DMEPOS supplier check the List of Excluded 
Individuals/Entities,137 and the General Services 
Administration's List of Parties Excluded from Federal Procurement and 
Nonprocurement Programs 138 to ensure employees and 
independent contractors have not been excluded or debarred from 
participating in Federal programs.139 Depending upon State 
requirements or DMEPOS supplier policy, the Compliance Officer may also 
conduct a criminal background check of employees;
---------------------------------------------------------------------------

    \137\ The List of Excluded Individuals/Entities is an OIG-
produced report available on the Internet at http://www.dhhs.gov/
progorg/oig. It is updated on a regular basis to reflect the status 
of individuals and entities who have been excluded from 
participation in all Federal health care programs (individuals/
entities excluded before August 5, 1997 were only excluded from 
participation in Medicare, Medicaid, Title V and Title XX programs). 
The DMEPOS supplier can download the List of Excluded Individuals/
Entities and the subsequent monthly exclusion and reinstatement 
supplements or can use the online search feature.
    \138\ The List of Parties Excluded from Federal Procurment and 
Nonprocurement programs is a GSA-produced report available on the 
Internet at http://www.arnet.bov/epls.
    \139\ The OIG recognizes that a DMEPOS supplier cannot make 
medical necessity determinations and may not be aware when a 
patient's condition changes. However, a DMEPOS supplier should be 
aware that if it submits a claim in which an excluded physician 
provided the referral, Medicare will deny payment.
---------------------------------------------------------------------------

     Assisting the DMEPOS supplier's financial management in 
coordinating internal compliance review and monitoring activities, 
including annual or periodic reviews of departments;

[[Page 36382]]

     Independently investigating and acting on matters related 
to compliance, including the flexibility to design and coordinate 
internal investigations (e.g., responding to reports of problems or 
suspected violations) and any resulting corrective action (e.g., making 
necessary improvements to DMEPOS supplier policies and practices, 
taking appropriate disciplinary action, etc.) with all DMEPOS supplier 
departments, independent contractors, and health care professionals;
     Developing policies and programs that encourage managers 
and employees to report suspected fraud and other improprieties without 
fear of retaliation; and
     Continuing the momentum of the compliance program and the 
accomplishment of its objectives long after the initial years of 
implementation.140
---------------------------------------------------------------------------

    \140\ Periodic on-site visits of DMEPOS supplier operations, 
bulletins with compliance updates and reminders, distribution of 
audiotapes or videotapes on different risk areas, lectures at 
management and employee meetings, circulation of recent health care 
articles covering fraud and abuse, and innovative changes to 
compliance training are various examples of approaches and 
techniques the compliance officer can employ for the purpose of 
ensuring continued interest in the compliance program and the DMEPOS 
supplier's commitment to its policies and principles.
---------------------------------------------------------------------------

    The compliance officer must have the authority to review all 
documents and other information that are relevant to compliance 
activities, including, but not limited to, patient records (where 
appropriate), billing records, and DMEPOS supplier records concerning 
the marketing efforts of the DMEPOS supplier and the DMEPOS supplier's 
arrangements with other parties, including employees, home health 
agencies, skilled nursing facilities, and treating physicians or other 
authorized persons. This policy enables the compliance officer to 
review contracts and obligations (seeking the advice of legal counsel, 
where appropriate) that may contain referral and payment provisions 
that could violate the anti-kickback statute, as well as the Stark 
physician self-referral prohibition or other statutory or regulatory 
requirements.
    In addition, the compliance officer should be copied on the results 
of all internal audit reports and work closely with key managers to 
identify aberrant trends in the coding and billing areas. The 
compliance officer should ascertain patterns that require a change in 
policy and forward these issues to the compliance committee to remedy 
the problem. The compliance officer should have full authority to stop 
the processing of claims that he or she believes are problematic until 
such time as the issue in question has been resolved.
    The OIG believes all DMEPOS suppliers, regardless of size, should 
have a compliance officer or contact who possesses a high degree of 
integrity, is knowledgeable about the rules, regulations, and policies 
under which the DMEPOS supplier operates and has sufficient authority 
to exercise independent judgment. A small DMEPOS supplier may not have 
the need or the resources to hire/appoint a full time compliance 
officer. However, each DMEPOS supplier should have a person in its 
organization (this person may have other functional responsibilities) 
who can oversee the DMEPOS supplier's compliance with respect to 
applicable statutes, rules, regulations, and policies. The structure 
and comprehensiveness of the DMEPOS supplier's compliance program will 
help determine the responsibilities of each individual compliance 
officer.
2. Compliance Committee
    The OIG recommends, where feasible, that a compliance committee be 
established to advise the compliance officer and assist in the 
implementation of the compliance program.141 When assembling 
a team of people to serve as the DMEPOS supplier's compliance 
committee, the DMEPOS supplier should include individuals with a 
variety of skills.142 The OIG strongly recommends that the 
compliance officer manage the compliance committee. Once a DMEPOS 
supplier chooses the people that will accept the responsibilities 
vested in members of the compliance committee, the DMEPOS supplier must 
train these individuals on the policies and procedures of the 
compliance program, as well as how to discharge their duties.
---------------------------------------------------------------------------

    \141\ The compliance committee benefits from having the 
perspectives of individuals with varying responsibilities in the 
organization, such as operations, billing, coding, marketing, and 
human resources, as well as employees and managers of key operating 
units. These individuals should have the requisite seniority and 
comprehensive experience within their respective departments to 
implement any necessary changes to the DMEPOS supplier's policies 
and procedures as recommended by the committee. A compliance 
committee for a DMEPOS supplier that is part of another organization 
(e.g., home health agency) might benefit from the participation of 
officials from other departments in the organization, such as the 
accounting and billing departments.
    \142\ A DMEPOS supplier should expect its compliance committee 
members and compliance officer to demonstrate high integrity, good 
judgment, assertiveness, and an approachable demeanor, while 
eliciting the respect and trust of employees of the DMEPOS supplier. 
The DMEPOS supplier's compliance committee members should also have 
significant professional experience working with billing, 
documentation, and auditing principles.
---------------------------------------------------------------------------

    The committee's responsibilities should include:
     Analyzing the organization's regulatory environment, the 
legal requirements with which it must comply,143 and 
specific risk areas;
---------------------------------------------------------------------------

    \143\ This includes, but is not limited to, the civil False 
Claims Act, 31 U.S.C. 3729-3733; the criminal false claims statutes, 
18 U.S.C. 287, 1001; the fraud and abuse provisions of the Balanced 
Budget Act of 1997, Pub.L. 105-33; the Health Insurance Portability 
and Accountability Act of 1996, Pub.L. 104-191; and compliance with 
the Medicare supplier standards, 42 CFR 424.57.
---------------------------------------------------------------------------

     Assessing existing policies and procedures that address 
these risk areas for possible incorporation into the compliance 
program;
     Working with appropriate DMEPOS supplier departments to 
develop standards of conduct and policies and procedures that promote 
allegiance to the DMEPOS supplier's compliance program;
     Recommending and monitoring, in conjunction with the 
relevant departments, the development of internal systems and controls 
to carry out the organization's standards, policies, and procedures as 
part of its daily operations; 144
---------------------------------------------------------------------------

    \144\ With respect to national DMEPOS supplier chains, this may 
include fostering coordination and communication between those 
employees responsible for compliance at headquarters and those 
responsible for compliance at the individual supplier branches.
---------------------------------------------------------------------------

     Determining the appropriate strategy/approach to promote 
compliance with the program and detection of any potential violations, 
such as through hotlines and other fraud reporting mechanisms;
     Developing a system to solicit, evaluate, and respond to 
complaints and problems; and
     Monitoring internal and external audits and investigations 
for the purpose of identifying troublesome issues and deficient areas 
experienced by the DMEPOS supplier, and implementing corrective and 
preventive action.
    The committee may also address other functions as the compliance 
concept becomes part of the overall DMEPOS supplier's operating 
structure and daily routine.
    The compliance committee is an extension of the compliance officer 
and provides the organization with increased oversight. The OIG 
recognizes that small DMEPOS suppliers may not have the resources or 
the need to establish a compliance committee. However, when potential 
problems are identified, the OIG recommends that the small DMEPOS 
supplier create a

[[Page 36383]]

``taskforce,'' if appropriate, to address the problem. The members of 
the taskforce may vary depending upon the issue.

C. Conducting Effective Training and Education

1. Initial Training in Compliance
    The proper education and training of corporate officers, managers, 
employees and the continual retraining of current personnel at all 
levels, are significant elements of an effective compliance program. In 
order to ensure the appropriate information is being disseminated to 
the correct individuals, the training should be separated into 
sessions. All employees should attend the general session on 
compliance, and employees whose job primarily focuses on submission of 
claims for reimbursement, or who are involved in sales and marketing, 
should receive additional training on these particular subjects. In 
addition, the OIG recommends that the DMEPOS supplier inform 
physicians, independent contractors, and significant agents that it has 
implemented a compliance program.
a. General Sessions
    The OIG recommends, as part of its compliance program, that the 
DMEPOS supplier require all affected personnel to attend training on an 
annual basis, including appropriate training in Federal and State 
statutes, regulations and guidelines, HCFA manual instructions, DMERC 
medical review policies, the policies of private payors, and training 
in corporate ethics. The general training session should emphasize the 
DMEPOS supplier's commitment to compliance with these legal 
requirements and policies.
    These training programs should include sessions highlighting the 
DMEPOS supplier's compliance program, summarizing fraud and abuse 
statutes and regulations, Federal, State and private payor health care 
program requirements, claim submission procedures and marketing 
practices that reflect current legal and program standards. The DMEPOS 
supplier must take steps to communicate effectively its standards and 
procedures to all affected employees (e.g., by requiring participation 
in training programs and disseminating publications that explain 
specific requirements in a practical manner).145 DMEPOS 
suppliers may also wish to offer such training sessions to interested 
independent contractors and physicians. Managers of specific 
departments can assist in identifying areas that require training and 
in carrying out such training.146 Training New employees 
should be targeted for training early in their 
employment.147
---------------------------------------------------------------------------

    \145\ OIG publications such as Special Fraud Alerts, audit and 
inspection reports, and Advisory Opinions, as well as the annual OIG 
Work Plan, are readily available from the OIG and could be the basis 
for standards, educational courses and programs.
    \146\ Significant variations in functions and responsibilities 
of different departments may create the need for training materials 
that are tailored to the compliance concerns associated with 
particular operations and duties. instructors may come from outside 
or inside the organization.
    \147\ Certain positions, such as those involving developing and 
submitting claims, as well as sales and marketing, create a greater 
organizational legal exposure, and therefore require specialized 
training. The DMEPOS supplier should fill such positions with 
individuals who have the appropriate educational background, 
training, experience, and credentials.
---------------------------------------------------------------------------

    As part of the initial training, the standards of conduct should be 
distributed to all employees.148 At the end of this training 
session, every employee should be required to sign and date a statement 
that reflects his or her knowledge of and commitment to the standards 
of conduct. This attestation should be retained in the employee's 
personnel file.
---------------------------------------------------------------------------

    \148\ Where the DMEPOS supplier has a culturally diverse 
employee base, the standards of conduct should be translated into 
other languages and written at appropriate reading levels.
---------------------------------------------------------------------------

    Further, to assist in ensuring that employees continuously meet the 
expected high standards of conduct, any employee handbook delineating 
or expanding upon these standards should be regularly updated as 
applicable statutes, regulations and Federal health care program 
requirements are modified.149 The DMEPOS supplier should 
provide an additional attestation in the modified standards that 
stipulates the employee's knowledge of and commitment to the 
modifications.
---------------------------------------------------------------------------

    \149\ The OIG recognizes that not all standards, policies and 
procedures need to be communicated to all employees. However, the 
OIG believes that the bulk of the standards that relate to complying 
with fraud and abuse laws and other ethical areas should be 
addressed and made part of all employees' training. A DMEPOS 
supplier should determine the additional training to provide 
categories of employees based upon their job responsibilites.
---------------------------------------------------------------------------

b. Claim Development and Billing Training
    In addition to specific training in the risk areas identified in 
section II.A.2, above, primary training to appropriate corporate 
officers, managers and other claim development and billing staff should 
include such topics as:
     Specific Government and private payor reimbursement 
principles; 150
---------------------------------------------------------------------------

    \150\ Government, in this context, includes the appropriate 
Medicare DMERC(s).
---------------------------------------------------------------------------

     Providing and billing DMEPOS items or services without 
proper authorization;
     Proper documentation of services rendered, including the 
correct application of official ICD-9 and HCPCS coding rules and 
guidelines;
     Improper alterations to documentation (e.g., patient 
records, CMNs);
     Compliance with the Federal, State and private payor 
supplier standards; and
     Duty to report misconduct.
    Clarifying and emphasizing these areas of concern through training 
and educational programs are particularly relevant to a DMEPOS 
supplier's billing and coding personnel, in that the pressure to meet 
business goals may render employees vulnerable to engaging in 
prohibited practices.
c. Sales and Marketing Training
    In addition to specific training in the risk areas identified in 
section II.A.2, above, primary training to sales and marketing 
personnel should include such topics as:
     General prohibition on paying or receiving renumeration to 
induce referrals;
     Routine waiver of deductibles and/or coinsurance;
     Disguising referral fees as salaries;
     Offering free items or services to induce referrals;
     High pressure marketing of noncovered or unnecessary 
services;
     Improper patient solicitation; and
     Duty to report misconduct.
    Clarifying and emphasizing these areas of concern through training 
and educational programs are particularly relevant to a DMEPOS 
supplier's sales and marketing personnel, in that the pressure to meet 
business goals may render employees vulnerable to engaging in 
prohibited practices.
    The OIG believes all DMEPOS suppliers, regardless of size, should 
ensure that their employees are well trained and are abiding by the 
applicable statutes, regulations, and policies. Each employee should 
know the procedures or who to consult when confronted with a particular 
situation.
2. Format of the Training Program
    The OIG suggests that all relevant levels of personnel be made part 
of various educational and training programs of the DMEPOS 
supplier.151

[[Page 36384]]

Employees should be required to have a minimum number of educational 
hours per year, as appropriate, as part of their employment 
obligations.152 For example, as discussed above, employees 
involved in billing functions should be required to attend periodic 
training in applicable reimbursement coverage and documentation of 
records.153
---------------------------------------------------------------------------

    \151\ In addition, where feasible, the OIG recommends that a 
DMEPOS supplier afford outside contractors and its physician clients 
the opportunity to participate in the DMEPOS supplier's compliance 
training and educational programs, or develop their own programs 
that complement the DMEPOS supplier's standards of conduct, 
compliance requirements and other rules and practices.
    \152\ Currently, the OIG is monitoring a significant number of 
corporate integrity agreements that require many of these training 
elements. The OIG usually requires a minimum of one to three hours 
annually for basic training in compliance areas. Additional training 
is required for specially fields such as billing, coding, sales and 
marketing.
    \153\ Appropriate coding and billing depends upon the quality 
and completeness of documentation. Therefore, the OIG believes that 
the DMEPOS supplier must foster an environment where interactive 
communication is encouraged.
---------------------------------------------------------------------------

    A variety of teaching methods, such as interactive training and 
training in several different languages, particularly where a DMEPOS 
supplier has a culturally diverse staff, should be implemented so that 
all affected employees are knowledgeable about the DMEPOS supplier's 
standards of conduct and procedures for alerting senior management to 
problems and concerns.154 Targeted training should be 
provided to corporate officers, managers and other employees whose 
actions affect the accuracy of the claims submitted to the Government, 
such as employees involved in the coding, billing, sales, and marketing 
processes. All training materials should be designed to take into 
account the skills, knowledge and experience of the individual 
trainees. Given the complexity and interdependent relationships of many 
departments, it is important for the compliance officer to supervise 
and coordinate the training program.
---------------------------------------------------------------------------

    \154\ Post training tests can be used to assess the success of 
training provided and employee comprehension of the DMEPOS 
supplier's policies and procedures.
---------------------------------------------------------------------------

    The OIG recommends that attendance and participation in training 
programs be made a condition of continued employment and that failure 
to comply with training requirements should result in disciplinary 
action, including possible termination, when such failure is serious. 
Adherence to the provisions of the compliance program, such as training 
requirements, should be a factor in the annual evaluation of each 
employee. The DMEPOS supplier should retain adequate records of its 
training of employees, including attendance logs and material 
distributed at training sessions.
    The OIG recognizes the format of the training program will vary 
depending upon the resources of the DMEPOS supplier. For example, a 
small DMEPOS supplier may want to create a video for each type of 
training session so new employees can receive training in a timely 
manner.
3. Continuing Education on Compliance Issues
    It is essential that compliance issues remain at the forefront of 
the DMEPOS supplier's priorities. The OIG recommends that the DMEPOS 
supplier's compliance program address the need for periodic 
professional education courses for DMEPOS supplier personnel. In 
particular, the DMEPOS supplier should ensure that coding personnel 
receive annual professional training on the updated codes for the 
current year and have knowledge of the SADMERC's HCPCS coding helpline. 
155
---------------------------------------------------------------------------

    \155\ See  note 96.
---------------------------------------------------------------------------

    In order to maintain a sense of seriousness about compliance in a 
DMEPOS supplier's operations, the DMEPOS supplier must continue to 
disseminate the compliance message. One effective mechanism for 
maintaining a consistent presence of the compliance message is to 
publish a monthly newsletter to address compliance concerns. This would 
allow the DMEPOS supplier to address specific examples of problems the 
company encountered during its ongoing audits and risk analyses, while 
reinforcing the DMEPOS supplier's firm commitment to the general 
principles of compliance and ethical conduct. The newsletter could also 
include the risk areas published by the OIG in its Special Fraud 
Alerts. Finally, the DMEPOS supplier could use the newsletter as a 
mechanism to address areas of ambiguity in the coding and billing 
process and/or its sales and marketing practices. The DMEPOS supplier 
should maintain its newsletters in a central location to document the 
guidance offered, and provide new employees with access to guidance 
previously provided.
    The OIG believes it is important that all DMEPOS suppliers, 
regardless of size, maintain knowledgeable employees. The OIG 
recognizes that regularly sending employees to continuing education 
classes or publishing newsletters may not be feasible for small DMEPOS 
suppliers. Small DMEPOS suppliers may have their employees meet on a 
regular basis to discuss information in the DMERC's Medicare bulletin 
(e.g., coding changes, procedural changes, policy changes, etc.). Such 
regularly held meetings will help demonstrate the DMEPOS supplier's 
commitment to compliance.

D. Developing Effective Lines of Communication

1. Access to the Compliance Officer
    An open line of communication between the compliance officer and 
DMEPOS supplier employees is equally important to the successful 
implementation of a compliance program and the reduction of any 
potential for fraud, abuse, and waste. Written confidentiality and non-
retaliation policies should be developed and distributed to all 
employees to encourage communication and the reporting of incidents of 
potential fraud. 156 The compliance committee should also 
develop several independent reporting paths for an employee to report 
fraud, waste, or abuse so that such reports cannot be diverted by 
supervisors or other personnel.
---------------------------------------------------------------------------

    \156\ The OIG believes that whistleblowers should be protected 
against retaliation, a concept embodied in the provisions of the 
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees 
sue their employers under the False Claims Act's qui tam provisions 
out of frustration because of the company's failure to take action 
when a questionable, fraudulent, or abusive situation was brought to 
the attention of senior corporate officials.
---------------------------------------------------------------------------

    The OIG encourages the establishment of a procedure for personnel 
to seek clarification from the compliance officer or members of the 
compliance committee in the event of any confusion or question 
regarding a DMEPOS supplier policy, practice or procedure. Questions 
and responses should be documented and dated and, if appropriate, 
shared with other staff so that standards, policies, practices, and 
procedures can be updated and improved to reflect any necessary changes 
or clarifications. The compliance officer may want to solicit employee 
input in developing these communication and reporting systems.
2. Hotlines and Other Forms of Communication
    The OIG encourages the use of hotlines,157 e-mails, 
written memoranda, newsletters, suggestion boxes, and other forms of 
information exchange to maintain these open lines of 
communication.158 If the DMEPOS

[[Page 36385]]

supplier establishes a hotline, the telephone number should be made 
readily available to all employees and independent contractors, 
possibly by circulating the number on wallet cards or conspicuously 
posting the telephone number in common work areas.159 
Employees should be permitted to report matters on an anonymous basis. 
Matters reported through the hotline or other communication sources 
that suggest substantial violations of compliance policies, Federal, 
State or private payor health care program requirements, regulations, 
or statutes should be documented and investigated promptly to determine 
their veracity. A log should be maintained by the compliance officer 
that records such calls, including the nature of any investigation and 
its results.160 Such information should be included in 
reports to the owner(s), governing body, CEO, president, and compliance 
committee.161 Further, while the DMEPOS supplier should 
always strive to maintain the confidentiality of an employee's 
identity, it should also explicitly communicate that there may be a 
point where the individual's identity may become known or may have to 
be revealed.
---------------------------------------------------------------------------

    \157\ The OIG recognizes that it may not be financially feasible 
for a small DMEPOS supplier to maintain a telephone hotline 
dedicated to receiving calls solely on compliance issues. These 
companies may want to explore alternative methods, e.g., outsourcing 
the hotline or establishing a written method of confidential 
disclosure.
    \158\ In addition to methods of communication used by current 
employees, an effective employee exit interview program could be 
designed to solicit information from departing employees regarding 
potential misconduct and suspected violations of DMEPOS supplier 
policies and procedures.
    \159\ DMEPOS suppliers should also post in a prominent, 
available area the HHS-OIG Hotline telephone number, 1-800-447-8477 
(1-800-HHS-TIPS), in addition to any company hotline number that may 
be posted.
    \160\ To efficiently and accurately fulfill such an obligation, 
a DMEPOS supplier should create an intake form for all compliance 
issues identified through reporting mechanisms. The form could 
include information concerning the date that the potential problem 
was reported, the internal investigative methods utilized, the 
results of the investigation, any corrective action implemented, any 
disciplinary measures imposed, and any overpayments returned.
    \161\ Information obtained over the hotline may provide valuable 
insight into management practices and operations, whether reported 
problems are actual or perceived.
---------------------------------------------------------------------------

    The OIG recognizes that assertions of fraud and abuse by employees 
who may have participated in illegal conduct or committed other 
malfeasance raise numerous complex legal and management issues that 
should be examined on a case-by-case basis. The compliance officer 
should work closely with legal counsel, who can provide guidance 
regarding such issues.
    The OIG recognizes that protecting anonymity may be infeasible for 
small DMEPOS suppliers. However, the OIG believes all DMEPOS supplier 
employees, when seeking answers to questions or reporting potential 
instances of fraud and abuse, should know who to consult and should be 
able to do so without fear of retribution.

E. Auditing and Monitoring

    An ongoing evaluation process is critical to a successful 
compliance program. The OIG believes that an effective program should 
incorporate thorough monitoring of its implementation and regular 
reporting to the DMEPOS supplier's corporate officers.162 
Compliance reports created by this ongoing monitoring, including 
reports of suspected noncompliance, should be maintained by the 
compliance officer and shared with the DMEPOS supplier's corporate 
officers and the compliance committee. The extent and frequency of the 
audit function may vary depending on factors such as the size of the 
DMEPOS supplier, the resources available to the DMEPOS supplier, the 
DMEPOS supplier's prior history of noncompliance, and the risk factors 
that are prevalent in a particular DMEPOS supplier.
---------------------------------------------------------------------------

    \162\ Even when a DMEPOS supplier is owned by a larger corporate 
entity, the regular auditing and monitoring of the compliance 
activities of an individual DMEPOS supplier location must be a key 
feature in any annual review. Appropriate reports on audit findings 
should be periodically provided and explained to a parent 
organization's senior staff and officers.
---------------------------------------------------------------------------

    Although many monitoring techniques are available, one effective 
tool to promote and ensure compliance is the performance of regular, 
periodic compliance audits by internal or external auditors who have 
expertise in Federal and State health care statutes, rules, 
regulations, and Federal, State and private payor health care program 
requirements. The audits should focus on the different departments 
within the DMEPOS supplier, including external relationships with 
third-party contractors. At a minimum, these audits should be designed 
to address the DMEPOS supplier's compliance with laws governing 
kickback arrangements, the physician self-referral prohibition, 
pricing, contracts, claim development and submission, reimbursement, 
sales and marketing. In addition, the audits and reviews should examine 
the DMEPOS supplier's compliance with the Federal, State and private 
payor supplier standards and the specific rules and policies that have 
been the focus of particular attention on the part of the Medicare 
DMERCs, and law enforcement, as evidenced by educational and other 
communications from OIG Special Fraud Alerts, Advisory Opinions, OIG 
audits and evaluations, and law enforcement's 
initiatives.163 In addition, the DMEPOS supplier should 
focus on any areas of specific concern identified within that DMEPOS 
supplier and those that may have been identified by any entity, whether 
Federal, State, private or internal.
---------------------------------------------------------------------------

    \163\ See also section II.A.2.
---------------------------------------------------------------------------

    Monitoring techniques may include sampling protocols that permit 
the compliance officer to identify and review variations from an 
established baseline.164 Significant variations from the 
baseline should trigger a reasonable inquiry to determine the cause of 
the deviation. If the inquiry determines that the deviation occurred 
for legitimate, explainable reasons, the compliance officer and DMEPOS 
supplier management may want to limit any corrective action or take no 
action. If it is determined that the deviation was caused by improper 
procedures, misunderstanding of rules, including fraud and systemic 
problems, the DMEPOS supplier should take prompt steps to correct the 
problem.165 Any overpayments discovered as a result of such 
deviations should be returned promptly to the affected payor. The OIG 
recommends sending the payor the following information with the 
overpayment: (1) that the refund is being made pursuant to a voluntary 
compliance program; (2) a description of the complete causes and 
circumstances surrounding the overpayment; (3) the methodology by which 
the overpayment was determined; (4) the amount of the overpayment; and 
(5) any claim-specific information, reviewed as part of the self-audit, 
used to determine the overpayment (e.g., beneficiary health insurance 
claims number, claim number, date of service, and payment date). 
Inclusion of such information with the overpayment will aid the payor 
in making the adjustment and may prevent it from requesting additional 
information.
---------------------------------------------------------------------------

    \164\ The OIG recommends that when a compliance program is 
established in a DMEPOS supplier, the compliance officer, with the 
assistance of department managers, should take a ``snapshot'' of 
operations from a compliance perspective. This assessment can be 
undertaken by outside consultants, law or accounting firms, or 
internal staff, with authoritative knowledge of health care 
compliance requirements. This ``snapshot,'' often used as part of 
benchmarking analyses, becomes a baseline for the compliance officer 
and other managers to judge the DMEPOS supplier's progress in 
reducing or eliminating potential areas of vulnerability.
    \165\ In addition, when appropriate, as referenced in section 
II.G.2, below, reports of fraud or systemic problems should also be 
made to the appropriate governmental authority.
---------------------------------------------------------------------------

    An effective compliance program should also incorporate periodic 
(at least annual) reviews of whether the

[[Page 36386]]

program's compliance elements have been satisfied, e.g., whether there 
has been appropriate dissemination of the program's standards, 
training, ongoing educational programs, and disciplinary actions, among 
other elements.166 This process will verify actual 
conformance by all departments with the compliance program and may 
identify the necessity for improvements to be made to the compliance 
program, as well as the DMEPOS supplier's operations. Such reviews 
could support a determination that appropriate records have been 
created and maintained to document the implementation of an effective 
program.167 However, when monitoring discloses that 
deviations were not detected in a timely manner due to program 
deficiencies, appropriate modifications must be implemented. Such 
evaluations, when developed with the support of management, can help 
ensure compliance with the DMEPOS supplier's policies and procedures.
---------------------------------------------------------------------------

    \166\ One way to assess the knowledge, awareness, and 
perceptions of a DMEPOS supplier's employees is through the use of a 
validated survey instrument (e.g., employee questionnaires, 
interviews, or focus groups).
    \167\ Such records should include, but not be limited to, logs 
of hotline calls, logs of training attendees, training agenda and 
materials, and summaries of corrective action and improvements with 
respect to DMEPOS supplier policies as a result of compliance 
activities.
---------------------------------------------------------------------------

    As part of the review process, the compliance officer or reviewers 
should consider techniques such as:
     Testing billing staff on their knowledge of reimbursement 
coverage criteria and official coding guidelines (e.g., present 
hypothetical scenarios of situations experienced in daily practice and 
assess responses);
     On-site visits to all facilities and locations;
     Ongoing risk analysis and vulnerability assessments of the 
DMEPOS supplier's operations;
     Assessment of existing relationships with physicians, and 
other potential referral sources;
     Unannounced audits, mock surveys, and investigations;
     Examination of the DMEPOS supplier's complaint logs;
     Checking personnel records to determine whether any 
individuals who have been reprimanded for compliance issues in the past 
are among those currently engaged in improper conduct;
     Interviews with personnel involved in management, 
operations, sales and marketing, claim development and submission, and 
other related activities;
     Questionnaires developed to solicit impressions of the 
DMEPOS supplier's employees;
     Interviews with physicians or other authorized persons who 
order services provided by the DMEPOS supplier;
     Interviews with independent contractors who provide 
services to the DMEPOS supplier;
     Reviews of medical necessity documentation (e.g., 
physicians orders, CMNs), and other documents that support claims for 
reimbursement;
     Validation of qualifications of physicians or other 
authorized persons who order services provided by the DMEPOS supplier;
     Evaluation of written materials and documentation 
outlining the DMEPOS supplier's policies and procedures; and
     Utilization/trend analyses that uncover deviations, 
positive or negative, for specific HCPCS codes or types of items over a 
given period.
    The reviewers should:
     Possess the qualifications and experience necessary to 
adequately identify potential issues with the subject matter to be 
reviewed;
     Be objective and independent of line management;\168\
---------------------------------------------------------------------------

    \168\ The OIG recognizes that DMEPOS suppliers that are small in 
size and have limited resources may not be able to use internal 
reviewers who are not part of line management or hire outside 
reviewers.
---------------------------------------------------------------------------

     Have access to existing audit and health care resources, 
relevant personnel, and all relevant areas of operation;
     Present written evaluative reports on compliance 
activities to the owner(s), president, CEO, governing body, and members 
of the compliance committee on a regular basis, but not less than 
annually; and
     Specifically identify areas where corrective actions are 
needed.
    We recommend that these audit reports be prepared and submitted to 
the compliance officer and senior management to ensure they are aware 
of the results. We suggest the reports specifically identify areas 
where corrective actions are needed. With these reports, DMEPOS 
supplier management can take whatever steps are necessary to correct 
past problems and prevent them from recurring. In certain cases, 
subsequent reviews or studies would be advisable to ensure that the 
recommended corrective actions have been implemented successfully.
    A DMEPOS supplier should document its efforts to comply with 
applicable Federal and State statutes, rules, and regulations, and 
Federal, State and private payor health care program requirements. For 
example, where a DMEPOS supplier, in its efforts to comply with a 
particular statute, regulation or program requirement, requests advice 
from a Government agency (including a Medicare DMERC) charged with 
administering a Federal health care program, the DMEPOS supplier should 
document and retain a record of the request and any written or oral 
response, including the identity and position of the individual 
providing the response. The DMEPOS suppliers should take the same steps 
when requesting advice from private payors. This step is extremely 
important if the DMEPOS supplier intends to rely on that response to 
guide it in future decisions, actions, or claim reimbursement requests 
or appeals. A log of oral inquiries between the DMEPOS supplier and 
third parties will help the organization document its attempts at 
compliance. In addition, the DMEPOS supplier should maintain records 
relevant to the issue of whether its reliance was ``reasonable'' and 
whether it exercised due diligence in developing procedures and 
practices to implement the advice.
    The OIG recommends that all DMEPOS suppliers, regardless of size, 
conduct audits to ensure compliance with the applicable statutes, 
regulations and policies. The OIG recognizes that the small DMEPOS 
supplier may not have the resources to audit its operations to the 
extent suggested previously in this section. At a minimum, the OIG 
recommends that the small DMEPOS supplier conduct an internal audit. 
The DMEPOS supplier may choose to review a random sample of claims 
based on the risk areas it identified. We recommend that the DMEPOS 
supplier conduct an initial baseline audit and periodically conduct 
follow-up audits. If problems were identified in the baseline audit, 
the DMEPOS supplier may want to re-audit the same issue, at a later 
date, in order to measure the effectiveness of any corrective action(s) 
implemented as a result of the DMEPOS supplier's compliance program. 
The DMEPOS supplier should document the results of all audits it 
conducts. The DMEPOS supplier may want to use the OIG's Audit Process 
handbook to help design the audit.\169\
---------------------------------------------------------------------------

    \169\ The Audit Process handbook can be downloaded from the OIG 
Office of Audit Services' webpage at http://www.hhs.gov/progorg/oas.
---------------------------------------------------------------------------

    The extent of a DMEPOS supplier's audit should depend on the DMEPOS 
supplier's identified risk areas and resources. If the DMEPOS supplier 
comes under Government scrutiny in the future, the Government will 
assess whether or not the DMEPOS supplier developed a comprehensive 
audit based upon identified risk areas and resources.

[[Page 36387]]

If the Government determines that the DMEPOS supplier failed to develop 
an adequate audit program, given its resources, the Government will be 
less likely to afford the DMEPOS supplier favorable treatment under its 
various enforcement authorities.

F. Enforcing Standards Through Well-Publicized Disciplinary Guidelines

1. Discipline Policy and Actions
    An effective compliance program should include guidance regarding 
disciplinary action for corporate officers, managers, independent 
agents and other DMEPOS supplier employees who have failed to comply 
with the DMEPOS supplier's standards of conduct, policies and 
procedures, Federal and State statutes, rules, and regulations or 
Federal, State or private payor health care program requirements. It 
should also address disciplinary actions for those who have engaged in 
wrongdoing, which has the potential to impair the DMEPOS supplier's 
status as a reliable, honest, and trustworthy health care provider.
    The OIG believes that the compliance program should include a 
written policy statement setting forth the degrees of disciplinary 
actions that may be imposed upon corporate officers, managers, 
independent agents and other DMEPOS supplier employees for failing to 
comply with the DMEPOS supplier's standards, policies, and applicable 
statutes and regulations. Intentional or reckless noncompliance should 
subject transgressors to significant sanctions. Such sanctions could 
include oral warnings, suspension, termination, or other sanctions, as 
appropriate. Each situation must be considered on a case-by-case basis 
to determine the appropriate sanction. The written standards of conduct 
should elaborate on the procedures for handling disciplinary problems 
and specify those who will be responsible for taking appropriate 
action. Some disciplinary actions can be handled by managers, while 
others may have to be resolved by the owner(s), president or CEO. 
Disciplinary action may be appropriate where a responsible employee's 
failure to detect a violation is attributable to his or her negligence 
or reckless conduct. Personnel should be advised by the DMEPOS supplier 
that disciplinary action will be taken on a fair and equitable basis. 
Managers and supervisors should be made aware that they have a 
responsibility to discipline employees in an appropriate and consistent 
manner.
    It is vital to publish and disseminate the range of disciplinary 
standards for improper conduct and to educate corporate officers, 
managers, and other DMEPOS supplier employees regarding these 
standards. The consequences of noncompliance should be consistently 
applied and enforced, in order for the disciplinary policy to have the 
required deterrent effect. All levels of employees should be subject to 
the same types of disciplinary action for the commission of similar 
offenses. The commitment to compliance applies to all personnel levels 
within a DMEPOS supplier. The OIG believes that corporate officers, 
managers, and supervisors should be held accountable for failing to 
comply with, or for the foreseeable failure of their subordinates to 
adhere to, the applicable standards, statutes, rules, regulations and 
procedures.
    The OIG believes all DMEPOS suppliers, regardless of size, should 
consistently apply the consequences of non-compliance. The OIG 
recognizes that small DMEPOS suppliers may not have a written document 
detailing the disciplinary actions for non-compliance. However, all 
employees should be clearly informed of such consequences.
2. New Employee Policy
    For all new employees who have discretionary authority to make 
decisions that may involve compliance with the law or compliance 
oversight, DMEPOS suppliers should conduct a reasonable and prudent 
background investigation, including a reference check,170 as 
part of every such employment application. The application should 
specifically require the applicant to disclose any criminal conviction, 
as defined by 42 U.S.C. 1320a-7(i), or exclusion action. Pursuant to 
the compliance program, the DMEPOS supplier's policies should prohibit 
the employment of individuals who have been recently convicted of a 
criminal offense related to health care or who are listed as debarred, 
excluded, or otherwise ineligible for participation in Federal health 
care programs (as defined in 42 U.S.C. 1320a-7b(f)).171 In 
addition, pending the resolution of any criminal charges or proposed 
debarment or exclusion, the OIG recommends that such employees should 
be removed from direct responsibility for, or involvement with, the 
DMEPOS supplier's business operations related to any Federal health 
care program. In addition, we recommend that the DMEPOS supplier remove 
such employee from any position(s) for which the employee's salary or 
the items or services rendered by the employee are paid in whole or 
part, directly or indirectly, by Federal health care programs or 
otherwise with Federal funds.172 If resolution of the matter 
results in conviction, debarment, or exclusion, then the DMEPOS 
supplier should remove the individual from direct responsibility for or 
involvement with all Federal health care programs. Similarly, if an 
independent contractor or a referring physician or other authorized 
person is debarred or excluded from participation in Federal health 
care programs, and the DMEPOS supplier is aware of it, the DMEPOS 
supplier should not involve that individual/entity in the Federal 
health care portion of its business.
---------------------------------------------------------------------------

    \170\ See notes 137 and 138. Since the employees of DMEPOS 
suppliers have access to potentially vulnerable people and their 
property, DMEPOS suppliers should also strictly scrutinize whether 
they should employ individuals who have been convicted of crimes of 
neglect, violence or financial misconduct.
    \171\ Likewise, DMEPOS supplier compliance programs should 
establish standards prohibiting the execution of contracts with 
companies that have been recently convicted of a criminal offense 
related to health care or that are listed by a Federal agency as 
debarred, excluded, or otherwise ineligible for participation in 
Federal health care programs. See notes 137 and 138.
    \172\ Prospective employees who have been officially reinstated 
into the Medicare and Medicaid programs by the OIG may be considered 
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------

    The OIG believes all DMEPOS suppliers, regardless of size, should 
ensure that they do not employ or contract with anyone who has been 
debarred, excluded or is otherwise ineligible to participate in Federal 
health care programs.

G. Responding to Detected Offenses and Developing Corrective Action 
Initiatives

1. Violations and Investigations
    Violations of a DMEPOS supplier's compliance program, failures to 
comply with applicable Federal or State statutes, rules, regulations or 
Federal, State or private payor health care program requirements, and 
other types of misconduct threaten a DMEPOS supplier's status as a 
reliable, honest and trustworthy health care provider. Detected but 
uncorrected misconduct can seriously endanger the mission, reputation, 
and legal status of the DMEPOS supplier. Consequently, upon reports or 
reasonable indications of suspected noncompliance, it is important that 
the compliance officer or other management officials immediately 
investigate the conduct in question to determine whether a material 
violation of applicable law, rules or program instructions or the 
requirements of the compliance program has occurred, and if so, take 
decisive steps to correct the

[[Page 36388]]

problem.173 As appropriate, such steps may include an 
immediate referral to criminal and/or civil law enforcement 
authorities, a corrective action plan,174 a report to the 
Government,175 and the return of any overpayments, if 
applicable.
---------------------------------------------------------------------------

    \173\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a 
health care program is not solely determinative of whether or not 
the conduct should be investigated and reported to governmental 
authorities. In fact, there may be instances where there is no 
readily identifiable monetary loss at all, but corrective action and 
reporting are still necessary to protect the integrity of the 
applicable program and its beneficiaries.
    \174\ Advice from the DMEPOS supplier's in-house counsel or an 
outside law firm may be sought to determine the extent of the DMEPOS 
supplier's liability and to plan the appropriate course of action.
    \175\ The OIG currently maintains a provider self-disclosure 
protocol that encourages providers to report suspected fraud. The 
concept of voluntary self-disclosure is premised on a recognition 
that the Government alone cannot protect the integrity of the 
Medicare and other Federal health care programs. Health care 
providers must be willing to police themselves, correct underlying 
problems, and work with the Government to resolve these matters. The 
self-disclosure protocol is located on the OIG's web site at http://
www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------

    Where potential fraud or False Claims Act liability is not 
involved, the OIG recommends that the DMEPOS supplier promptly return 
any overpayments to the affected payor as they are discovered. However, 
even if the overpayment detection and return process is working and is 
being monitored by the DMEPOS supplier, the OIG still believes that the 
compliance officer needs to be made aware of these overpayments, 
violations, or deviations that may reveal trends or patterns indicative 
of a systemic problem.
    Depending upon the nature of the alleged violations, an internal 
investigation will probably include interviews and a review of relevant 
documents, such as submitted claims and CMNs. The DMEPOS supplier 
should consider engaging outside auditors or health care experts to 
assist in an investigation. Records of the investigation should contain 
documentation of the alleged violation, a description of the 
investigative process (including the objectivity of the investigators 
and methodologies utilized), copies of interview notes and key 
documents, a log of the witnesses interviewed, the documents reviewed, 
and the results of the investigation (e.g., any disciplinary action 
taken and any corrective action implemented). Although any action taken 
as the result of an investigation will necessarily vary depending upon 
the DMEPOS supplier and the situation, DMEPOS suppliers should strive 
for some consistency by utilizing sound practices and disciplinary 
protocols.176 Further, after a reasonable period, the 
compliance officer should review the circumstances that formed the 
basis for the investigation to determine whether similar problems have 
been uncovered or modifications of the compliance program are necessary 
to prevent and detect other inappropriate conduct or violations.
---------------------------------------------------------------------------

    \176\ The parameters of a claim review subject to an internal 
investigation will depend on the circumstances surrounding the 
issue(s) identified. By limiting the scope of an internal audit to 
current billing, a DMEPOS supplier may fail to identify major 
problems and deficiencies in operations, as well as be subject to 
certain liability.
---------------------------------------------------------------------------

    If an investigation of an alleged violation is undertaken and the 
compliance officer believes the integrity of the investigation may be 
at stake because of the presence of employees under investigation, 
those subjects should be removed from their current work activity until 
the investigation is completed (unless an internal or Government-led 
undercover operation known to the DMEPOS supplier is in effect). In 
addition, the compliance officer should take appropriate steps to 
secure or prevent the destruction of documents or other evidence 
relevant to the investigation. If the DMEPOS supplier determines 
disciplinary action is warranted, it should be prompt and imposed in 
accordance with the DMEPOS supplier's written standards of disciplinary 
action.
    The OIG believes all DMEPOS suppliers, regardless of size, should 
ensure that they are responsive to investigating allegations of 
potential misconduct.
2. Reporting
    If the compliance officer, compliance committee or other management 
official discovers credible evidence of misconduct from any source and, 
after a reasonable inquiry, has reason to believe that the misconduct 
may violate criminal, civil, or administrative law, then the DMEPOS 
supplier should promptly report the existence of misconduct to the 
appropriate Federal and State authorities 177 within a 
reasonable period, but not more than 60 days 178 after 
determining that there is credible evidence of a 
violation.179 Prompt reporting will demonstrate the DMEPOS 
supplier's good faith and willingness to work with governmental 
authorities to correct and remedy the problem. In addition, reporting 
such conduct will be considered a mitigating factor by the OIG in 
determining administrative sanctions (e.g., penalties, assessments, and 
exclusion), if the reporting provider becomes the target of an OIG 
investigation.180
---------------------------------------------------------------------------

    \177\ Appropriate Federal and State authorities include the 
Office of Inspector General, Department of Health and Human 
Services; the Criminal and Civil Divisions of the Department of 
Justice; the U.S. Attorney in the relevant district(s); and the 
other investigative arms for the agencies administering the affected 
Federal or State health care programs, such as: the State Medicaid 
Fraud Control Unit; the Defense Criminal Investigative Service; the 
Department of Veterans Affairs; the Office of Inspector General, 
U.S. Department of Labor (which has primary criminal jurisdiction 
over FECA, Black Lung and Longshore programs); and the Office of 
Inspector General, U.S. Office of Personnel Management (which has 
primary jurisdiction over the Federal Employee Health Benefits 
Program).
    \178\ In contrast, to qualify for the ``not less than double 
damages'' provision of the False Claims Act, the report must be 
provided to the Government within thirty (30) days after the date 
when the DMEPOS supplier first obtained the information. See 31 
U.S.C. 3729(a).
    \179\ The OIG believes that some violations may be so serious 
that they warrant immediate notification to governmental 
authorities, prior to, or simultaneous with, commencing an internal 
investigation, e.g., if the conduct: (1) is a clear violation of 
criminal law; (2) has a significant adverse effect on the quality of 
care provided to program beneficiaries (in addition to any other 
legal obligations regarding quality of care); or (3) indicates 
evidence of a systemic failure to comply with applicable laws, rules 
or program instructions or an existing corporate integrity 
agreement, regardless of the financial impact on Federal health care 
programs.
    \180\ The OIG has published criteria setting forth those factors 
that the OIG takes into consideration in determining whether it is 
appropriate to exclude a health care provider from program 
participation pursuant to 42 U.S.C. 1320a-7(b)(7) for violations of 
various fraud and abuse laws. See 62 FR 67392 (December 24, 1997).
---------------------------------------------------------------------------

    When reporting misconduct to the Government, a DMEPOS supplier 
should provide all evidence relevant to the alleged violation of 
applicable Federal or State law(s) and potential cost impact. The 
compliance officer, with advice of counsel, and with guidance from the 
governmental authorities, could be requested to continue to investigate 
the reported violation. Once the investigation is completed, the 
compliance officer should be required to notify the appropriate 
governmental authority of the outcome of the investigation, including a 
description of the impact of the alleged violation on the operation of 
the applicable health care programs or their beneficiaries. If the 
investigation ultimately reveals that criminal, civil, or 
administrative violations have occurred, the appropriate Federal and 
State authorities 181 should be notified immediately.
---------------------------------------------------------------------------

    \181\ See note 177.
---------------------------------------------------------------------------

    The OIG believes all DMEPOS suppliers, regardless of size, should 
ensure that they are reporting the results of any overpayments or 
violations to the appropriate entity.

[[Page 36389]]

3. Corrective Actions
    As previously stated, the DMEPOS supplier should take appropriate 
corrective action, including prompt identification of any overpayment 
to the affected payor and the imposition of proper disciplinary action. 
If potential fraud or violations of the False Claims Act are involved, 
any repayment of the overpayment should be made as part of the 
discussion with the Government following a report of the matter to law 
enforcement authorities. Otherwise, the overpayment should be promptly 
refunded to the affected payor. The OIG recommends that the overpayment 
refund include the information as outlined in section II.E. Failure to 
disclose overpayments within a reasonable period of time could be 
interpreted as an intentional or knowing attempt to conceal the 
overpayment from the Government, thereby establishing an independent 
basis for a criminal or civil violation with respect to the DMEPOS 
supplier, as well as any individuals who may have been involved. For 
this reason, DMEPOS supplier compliance programs should emphasize that 
overpayments obtained from Medicare or other Federal health care 
programs should be promptly disclosed and returned to the payor that 
made the erroneous payment.
    The OIG believes all DMEPOS suppliers, regardless of size, should 
take appropriate corrective action to remedy the identified deficiency.

III. Conclusion

    Through this document, the OIG has attempted to provide a 
foundation to the process necessary to develop an effective and cost-
efficient DMEPOS supplier compliance program. As previously stated, 
however, each program must be tailored to fit the needs and resources 
of an individual DMEPOS supplier, depending upon its size; number of 
locations; type of equipment provided; or corporate structure. The 
Federal and State health care statutes, rules, and regulations and 
Federal, State and private payor health care program requirements, 
should be integrated into every DMEPOS supplier's compliance program.
    The OIG recognizes that the health care industry in this country, 
which reaches millions of beneficiaries and expends about a trillion 
dollars annually, is constantly evolving. In particular, legislation 
has been passed that creates additional Medicare program participation 
requirements, such as requiring DMEPOS suppliers to purchase surety 
bonds and expanding the Medicare supplier standards.182 As 
stated throughout this guidance, compliance is a dynamic process that 
helps to ensure that DMEPOS suppliers and other health care providers 
are better able to fulfill their commitment to ethical behavior, as 
well as meet the changes and challenges being imposed upon them by 
Congress and private insurers. Ultimately, it is OIG's hope that a 
voluntarily created compliance program will enable DMEPOS suppliers to 
meet their goals, improve the quality of service to patients, and 
substantially reduce fraud, waste, and abuse, as well as the cost of 
health care, to Federal State and private health insurers.

    \182\ See 63 FR 2926 (January 20, 1998).
---------------------------------------------------------------------------

    Dated: June 29, 1999.
June Gibbs Brown,
Inspector General.
[FR Doc. 99-16945 Filed 7-2-99; 8:45 am]
BILLING CODE 4150-04-P