[Federal Register Volume 64, Number 219 (Monday, November 15, 1999)]
[Notices]
[Pages 61893-61910]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-29632]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of Inspector General
Publication of the OIG's Compliance Program Guidance for
Medicare+Choice Organizations Offering Coordinated Care Plans
AGENCY: Office of Inspector General (OIG), HHS.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This Federal Register notice sets forth the Compliance Program
Guidance for Medicare+Choice Organizations Offering Coordinated Care
Plans (``Medicare+Choice organizations'') that was recently issued by
the Office of Inspector General (OIG). The OIG has previously developed
and published compliance program guidance focused on other areas of the
health care industry. We believe that the development and issuance of
this compliance program guidance for Medicare+Choice organizations will
continue to serve as a positive step toward promoting a high level of
ethical and lawful conduct throughout the entire health care industry.
FOR FURTHER INFORMATION CONTACT: Barbara Frederickson, Office of
Counsel to the Inspector General, (202) 619-2078.
SUPPLEMENTARY INFORMATION:
Background
The creation of compliance program guidance continues to be a major
initiative by the OIG in its effort to engage the health care community
in combating fraud and abuse. In formulating compliance guidance, the
OIG has worked closely with the Health Care Financing Administration
(HCFA), the Department of Justice (DOJ) and various sectors of the
health care industry to provide clear guidance to the industry. The
previously-issued compliance program guidances addressed six areas: the
hospital industry; home health agencies; clinical laboratories; third-
party medical billing companies; the durable medical equipment,
prosthetics, orthotics and supply industry; and hospices. The
development of these compliance program guidances is based on our
belief that a health care provider can use internal controls to more
efficiently monitor adherence to applicable statutes, regulations and
program requirements.
Guidance for Medicare+Choice Organizations
On September 22, 1998, the OIG published a solicitation notice
seeking information and recommendations for developing formal guidance
for Medicare+Choice organizations (63 FR 50577). In response to that
solicitation notice, the OIG received five comments from the industry
and their representatives. After careful consideration of those initial
comments, and in an effort to ensure that all parties had a reasonable
opportunity to provide input into a final product, the OIG published
draft guidance for Medicare+Choice organizations on June 24, 1999 (64
FR 33869) for further comment and recommendations. A total of 16
timely-filed comments were received for consideration by the OIG in
response to the publication of that draft guidance.
Elements for an Effective Compliance Program
Through experience, the OIG has identified seven fundamental
elements to an effective compliance guidance program that are being
reflected in this latest issuance. They are:
Implementing written policies, procedures and standards of
conduct;
Designating a compliance officer and a compliance
committee;
Conducting effective training and education;
Developing effective lines of communication;
Enforcing standards through well-publicized disciplinary
guidelines and developing policies addressing dealings with sanctioned
individuals;
Conducting internal monitoring and auditing; and
Responding promptly to detected offenses, developing
corrective action, and reporting to the Government.
The OIG is offering specific compliance measures that may be
implemented by Medicare+Choice organizations in an effort to curtail or
eliminate fraud and abuse. While HCFA regulations require
Medicare+Choice organizations to implement compliance programs,
adoption of the Compliance Program Guidance for Medicare+Choice
Organizations Offering Coordinated Care Plans set forth below is
voluntary.
A reprint of this newly-issued compliance program guidance follows:
Office of Inspector General's Compliance Program Guidance for
Medicare+Choice Organizations Offering Coordinated Care Plans
(November 1999)
I. Introduction
In its ongoing effort to work collaboratively with the health care
industry to achieve the mutual goals of quality health care and the
elimination of fraud, waste and abuse, the Office of Inspector General
(OIG) of the Department of Health and Human Services (HHS) encourages
voluntarily developed and implemented compliance programs for the
health care industry. Fundamentally, compliance efforts are designed to
establish a culture within an organization that promotes prevention,
detection and resolution of instances of conduct that do not conform to
Federal and State law and Federal health care program requirements, as
well as the organization's ethical and business policies. In practice,
the compliance program should effectively articulate and demonstrate
the organization's commitment to legal and ethical conduct.
As a demonstration of the OIG's commitment to compliance, the OIG
has issued recommendations, in the form of compliance program
guidances, that provide suggestions regarding how specific segments of
the industry can
[[Page 61894]]
best implement compliance programs.\1\ As a result of the changing
nature of the health care delivery system and the growing trend toward
reliance on the managed care industry in the provision of health care
in the Medicare context, the OIG believes it is appropriate to issue a
guidance focusing on Medicare+Choice organizations \2\ offering
coordinated care plans \3\ (Medicare+Choice organizations). The OIG
formulated this guidance specifically for Medicare+Choice organizations
because these organizations are well-defined and are subject to a
comprehensive regulatory structure.\4\ In addition, Congress envisioned
an important role for Medicare+Choice organizations, demonstrated by
the substantial amount of Federal funds received by these
organizations.
---------------------------------------------------------------------------
\1\ See 64 FR 58419 (10/29/99) for the draft compliance program
guidance for nursing facilities; 64 FR 54031 (10/5/99) for the
compliance program guidance for hospices; 64 FR 36368 (7/6/99) for
the compliance program guidance for the durable medical equipment,
prosthetics, orthotics and suppliers industry; 63 FR 70138 (12/18/
98) for the compliance program guidance for third-party medical
billing companies; 63 FR 45076 (8/24/98) for the compliance program
guidance for clinical laboratories; 63 FR 42410 (8/7/98) for the
compliance program guidance for home health agencies; and 63 FR 8987
(2/23/98) for the compliance program guidance for hospitals.
These documents are also located on the Internet at http://
www.hhs.gov/oig/.
\2\ A Medicare+Choice organization is defined as a public or
private entity organized and licensed by a State as a risk-bearing
entity (with the exception of provider-sponsored organizations
receiving waivers) that is certified by the Health Care Financing
Administration (HCFA) as meeting the Medicare+Choice contract
requirements (42 CFR 422.2).
\3\ For the purposes of this compliance program guidance, a
``coordinated care plan'' is a plan that includes a network of
providers that are under contract or arrangement with the
organization to deliver the benefit package approved by HCFA (42
U.S.C. 1395w-28(a)(1); 42 CFR 422.4).
\4\ In this guidance, we have focused our attention on
regulations applicable to Medicare+Choice organizations governing
marketing, enrollment, disenrollment, underutilization, data
collection, anti-kickback statute and emergency services, rather
than providing instruction on all aspects of regulatory compliance.
---------------------------------------------------------------------------
The OIG encourages Medicare+Choice organizations to read the
guidance with the whole organization in mind, applying the guidance to
whatever departments or divisions, including private-sector managed
care areas, that are deemed appropriate by that organization. Indeed,
many of the suggestions in this guidance can be used by managed care
organizations that do not contract with HCFA to provide a
Medicare+Choice plan. In particular, entities that participate in other
public health care programs, such as Medicaid, may want to look to the
general principles in this document to assist them in developing
compliance programs.
While the regulations implementing the Medicare+Choice program, or
Part C, require a Medicare+Choice organization to establish a
compliance plan,\5\ the OIG's program guidance is voluntary and simply
is intended to provide assistance for Medicare+Choice organizations
looking for additional direction in the development of internal
controls that promote adherence to applicable Federal and State law.
The OIG first provides its general views on the value and fundamental
principles of Medicare+Choice organizations' compliance programs, and
then provides specific elements that each Medicare+Choice organization
should consider when developing and implementing an effective
compliance program.
---------------------------------------------------------------------------
\5\ The regulations require that any plan contracting with HCFA
implement a compliance plan that encompasses the elements detailed
in the Federal Sentencing Guidelines. 42 CFR 422.501(b)(vi). HCFA
will release an operational policy letter addressing the compliance
requirements detailed in the regulation. In response to concerns
from industry representatives on the short time frame for
implementing a compliance plan, HCFA delayed the actual
implementation date of the compliance plan until January 1, 2000.
---------------------------------------------------------------------------
A. Benefits of a Compliance Plan
The OIG believes an effective compliance program provides a
mechanism that brings the public and private sectors together to reach
mutual goals of reducing fraud and abuse, improving operational
quality, and ensuring the provision of high quality cost-effective
care. Attaining these goals benefits business, Government, individual
citizens and Medicare beneficiaries alike. In addition to fulfilling
its legal duties to ensure that it is not submitting false or
inaccurate information to the Government or providing substandard care
to Medicare beneficiaries, a Medicare+Choice organization may gain
numerous additional benefits by implementing an effective compliance
program. These benefits may include:
The formulation of effective internal controls to assure
compliance with Federal regulations and internal guidelines;
Improved communication with and satisfaction of
Medicare+Choice enrollees;
The ability to more quickly and accurately react to
employees operational compliance concerns and the capability to
effectively target resources to address those concerns;
A concrete demonstration to employees and the community at
large of the Medicare+Choice organization's strong commitment to honest
and responsible corporate conduct;
The ability to obtain an accurate assessment of employee
and contractor behavior relating to fraud and abuse;
Improved (clinical and non-clinical) quality of care and
service;
Improved assessment tools that could affect many or all of
the Medicare+Choice organization's divisions or departments;
Increased likelihood of identification and prevention of
unlawful and unethical conduct;
A centralized source for distributing information on
health care statutes, regulations and other program directives related
to fraud and abuse;
The creation or reinforcement of an environment that
encourages employees to report potential problems;
Procedures that allow the prompt, thorough investigation
of possible misconduct by corporate officers, managers, employees and
independent contractors;
An improved relationship with the Center for Health Plans
and Providers (CHPP) at HCFA; and
Early detection and reporting, minimizing the loss to the
Government from false or improper claims, and thereby reducing the
Medicare+Choice organization's exposure to civil damages and penalties,
criminal sanctions, and administrative remedies, such as program
exclusion.\6\
---------------------------------------------------------------------------
\6\ The OIG, for example, will consider the existence of an
effective compliance program that pre-dated any governmental
investigation when addressing the appropriateness of administrative
sanctions. However, the burden is on the Medicare+Choice
organization to demonstrate the operational effectiveness of a
compliance program. Further, the False Claims Act, 31 U.S.C. 3729-
3733, provides that a person who has violated the Act, but who
voluntarily discloses the violation to the Government within 30 days
of detection, in certain circumstances will be subject to not less
than double, as opposed to treble, damages. See 31 U.S.C. 3729(a).
In addition, an organization will receive sentencing credit for an
``effective'' compliance program under the Federal Sentencing
Guidelines. See United States Sentencing Commission Guidelines,
Guidelines Manual, 8C2.5. Thus, the ability to react quickly when
violations of the law are discovered may materially reduce the
Medicare+Choice organization's liability.
---------------------------------------------------------------------------
Overall, the OIG believes that an effective compliance program is a
sound business investment that has the potential of enhancing the
efficiency and effectiveness of the Medicare+Choice organization. It
may also improve the Medicare+Choice organization's financial structure
by addressing not only fraud and abuse concerns, but efficiency and
productivity concerns in other operational areas.
The OIG recognizes the implementation of an effective
[[Page 61895]]
compliance program may not entirely eliminate fraud, abuse and waste
from an organization. However, a sincere effort by a Medicare+Choice
organization to comply with applicable Federal and State standards,
through the establishment of an effective compliance program,
significantly reduces the probability of unlawful or improper conduct.
B. Application of Compliance Program Guidance
Before explaining the specific elements of a compliance program, it
is important to emphasize several aspects of this document: its
voluntary nature, its applicability to Medicare+Choice organizations,
the collaborative nature by which it was developed, and its evolving
nature.
First, it should be re-emphasized that while the regulations
implementing the Medicare+Choice program, or Part C, require a
Medicare+Choice organization to establish a compliance plan, including
specified elements,\7\ this program guidance is voluntary. Although
this document presents basic procedural and structural guidance for
designing a compliance program, it is not in itself a compliance
program. Rather, it is a set of guidelines for consideration by a
Medicare+Choice organization interested in obtaining specific
information on implementing a compliance program. This guidance
represents the OIG's suggestions on how a Medicare+Choice organization
can establish internal controls and monitor company conduct to correct
and prevent fraudulent activities.
---------------------------------------------------------------------------
\7\ See note 5.
---------------------------------------------------------------------------
It is critical for the Medicare+Choice organization to assess its
own organization and determine its needs with regard to compliance with
applicable Federal and State statutes and Federal health care program
requirements. By no means should the contents of this guidance be
viewed as an exclusive discussion of the advisable components of a
compliance program. On the contrary, the OIG strongly encourages
Medicare+Choice organizations to develop and implement compliance
components that uniquely address the individual organization's risk
areas.
Implementing a compliance program in a Medicare+Choice organization
is a complicated venture. There are significant variances and
complexities among Medicare+Choice organizations in terms of the type
of services and the manner in which these services are provided to the
respective members. For example, some Medicare+Choice organizations
cover broad service areas, while others are focused on a particular
geographic region. Similarly, the range of benefits covered differ
among plans, as does the size of the network and the use of a varying
number of provider contracting tiers to deliver services. Clearly,
these differences may give rise to different substantive policies to
ensure effective compliance. Furthermore, some Medicare+Choice
organizations are relatively small, while others are fully integrated
and offer Medicare+Choice plans in a wide variety of areas. Finally,
the availability of resources for any one Medicare+Choice organization
can differ vastly.
Notwithstanding these differences, this guidance is pertinent for
all Medicare+Choice organizations, large or small, regardless of the
type of services provided. The applicability of the recommendations and
guidelines provided in this document may depend on the circumstances
and resources of each particular Medicare+Choice organization. However,
regardless of the organization's size and structure, the OIG believes
every Medicare+Choice organization can and should strive to accomplish
the objectives and major principles underlying all of the compliance
policies and procedures recommended within this guidance.
The OIG recognizes that the success of the compliance program
guidance hinges on thoughtful and practical comments from those
individuals and organizations that will utilize the tools set forth in
this document. In a continuing effort to collaborate closely with the
private sector, the OIG solicited input and support from the public in
the development of this compliance program guidance.\8\ Further, we
took into consideration previous OIG publications, such as Special
Fraud Alerts, the recent findings and recommendations in reports issued
by OIG's Office of Audit Services (OAS) and Office of Evaluation and
Inspections (OEI),\9\ comments from HCFA, as well as the experience of
past and recent fraud investigations related to managed care
organizations \10\ conducted by OIG's Office of Investigations (OI) and
the Department of Justice.
---------------------------------------------------------------------------
\8\ See Solicitation of Information and Recommendations for
Developing the OIG Compliance Program Guidance for Certain
Medicare+Choice Organizations (63 FR 50577 (9/22/98)). We also
requested public comment on the draft guidance (64 FR 33869 (6/24/
99)).
\9\ Special Fraud Alerts are available on the OIG website at
http://www.hhs.gov/oig/. The recent findings and recommendations of
OEI and OAS can be located on the Internet at http://www.hhs.gov/oei
and http://www.hhs.gov/progorg/oas/cats/hcfa.html, respectively.
\10\ These investigations include findings based upon Medicare
risk-based Health Maintenance Organizations and competitive medical
plans as defined in 42 U.S.C. 1395mm.
---------------------------------------------------------------------------
As appropriate, this guidance may be modified and expanded as more
information and knowledge is obtained by the OIG, and as changes in the
law, and in the rules, policies and procedures of the Federal and State
plans occur. New compliance practices may eventually be incorporated
into this guidance if the OIG discovers significant enhancements to
better ensure an effective compliance program. We recognize the
development and implementation of compliance programs in
Medicare+Choice organizations often raise sensitive and complex legal
and managerial issues.\11\ However, the OIG wishes to offer what it
believes is critical guidance for those who are sincerely attempting to
comply with the relevant health care statutes and regulations.
---------------------------------------------------------------------------
\11\ Nothing stated herein should be substituted for, or used in
lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------
II. Compliance Program Elements
The elements discussed in this guidance are similar to those of the
other OIG Compliance Program Guidances \12\ and our corporate integrity
agreements.\13\ While these same elements are required by HCFA in the
Medicare+Choice regulations,\14\ the OIG reiterates that this guidance
is not mandatory, but simply represents OIG's recommendations on how
the elements can be implemented.\15\
---------------------------------------------------------------------------
\12\ See note 1.
\13\ Corporate integrity agreements are executed as part of a
civil settlement agreement between the health care provider and the
Government to resolve a case based on allegations of health care
fraud or abuse. These OIG-imposed agreements are generally in effect
for a period of 3 to 5 years and require many of the elements
included in this compliance guidance.
\14\ 42 CFR 422.501(b)(vi).
\15\ The OIG appreciates that because Medicare+Choice
organizations are subject to substantial regulations that contain
extensive operational requirements as well as requirements regarding
self-monitoring and monitoring or review of activities by external
organizations, they may already be performing some of the activities
discussed in this guidance. Each Medicare+Choice organization must
determine the extent to which these activities need to be modified
or supplemented to create an effective compliance program.
---------------------------------------------------------------------------
Every effective compliance program must begin with a formal
commitment \16\ by the Medicare+Choice organization's governing body to
include all of the
[[Page 61896]]
applicable elements listed below. A good faith and meaningful
commitment on the part of the Medicare+Choice organization's
administration, especially the governing body and the chief executive
officer (CEO), will substantially contribute to the program's
successful implementation. It is incumbent upon an organization's
officers and managers to provide ethical leadership to the organization
and to assure adequate systems and resources are in place to facilitate
and promote ethical and legal conduct. Employees, managers and the
Government will focus on the words and actions (including decisions
made on resources devoted to compliance) of an organization's
leadership as a measure of the organization's commitment to compliance.
---------------------------------------------------------------------------
\16\ Formal commitment may include a resolution by the board of
directors, where applicable. A formal commitment does include the
allocation of adequate resources to ensure that each of the elements
is addressed.
---------------------------------------------------------------------------
Under Medicare+Choice, an organization may, by written contract,
delegate any activity required under or governed by the Medicare+Choice
standards to another entity. However, an organization entering into a
Medicare contract remains entirely accountable to HCFA for the
performance of any delegated function.\17\ It is the sole
responsibility of the organization to ensure that the function is
performed in accordance with applicable standards. While the activity
may be delegated, the oversight responsibility remains with the
Medicare+Choice organization. Each Medicare+Choice organization should
keep these requirements and responsibilities in mind as it develops its
compliance program.
---------------------------------------------------------------------------
\17\ 42 CFR 422.502(i).
---------------------------------------------------------------------------
These elements are based on the seven steps of the Federal
Sentencing Guidelines.\18\ As required by the HCFA regulations, every
Medicare+Choice organization must implement all of the recommended
elements and expand upon them, as appropriate. At a minimum,
comprehensive compliance programs should include the following seven
elements:
---------------------------------------------------------------------------
\18\ See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, comment. (n.3(k)). The Federal Sentencing
Guidelines are detailed policies and practices for the Federal
criminal justice system that prescribe appropriate sanctions for
offenders convicted of Federal crimes.
---------------------------------------------------------------------------
(1) The development and distribution of written standards of
conduct, as well as written policies and procedures, that promote the
Medicare+Choice organization's commitment to compliance and that
address specific areas of potential fraud (e.g., the marketing process
and utilization);
(2) The designation of a chief compliance officer and other
appropriate bodies, e.g., a corporate compliance committee, charged
with the responsibility and authority of operating and monitoring the
compliance program and who report directly to the CEO and the governing
body;
(3) The development and implementation of regular, effective
education and training programs for all affected employees;
(4) The development of effective lines of communication between the
compliance officer and all employees, including a process, such as a
hotline, to receive complaints (and the adoption of procedures to
protect the anonymity of complainants and to protect callers from
retaliation);
(5) The use of audits or other risk evaluation techniques to
monitor compliance and assist in the reduction of identified problem
areas;
(6) The development of disciplinary mechanisms to consistently
enforce standards and the development of policies addressing dealings
with sanctioned and other specified individuals; and
(7) The development of policies to respond to detected offenses, to
initiate corrective action to prevent similar offenses, and to report
to Government authorities when appropriate.
A. Written Policies and Procedures
Every compliance program should require the development and
distribution of written compliance policies, standards and practices
that identify specific areas of risk and vulnerability to the
Medicare+Choice organization. These policies should be developed by the
appropriate operational officials within the Medicare+Choice
organization, with appropriate review and oversight by the compliance
officer and compliance committee. The OIG recommends that these
policies be made available to all individuals who are affected by the
particular risk or policy area at issue. Such individuals would
include, for example, Medicare+Choice employees whose duties touch upon
a particular risk or policy area, as well as agents and independent
contractors with whom the organization has contracted to perform
delegated activities, which touch upon a particular risk or policy
area.\19\ The OIG also recommends that Medicare+Choice organizations
provide, upon request, all contractors with a summary of the standards
of conduct and the number of the hotline. The distribution of these
materials could be accomplished via hard copy or via electronic means.
---------------------------------------------------------------------------
\19\ When determining to whom to distribute various policies,
the Medicare+Choice organizations should keep in mind that,
according to the Federal Sentencing Guidelines, an organization must
have established compliance standards to be followed by its
employees and other agents in order to receive sentencing credit.
The Guidelines define ``agent'' as ``any individual, including a
director, an officer, an employee, or an independent contractor,
authorized to act on behalf of the organization.'' See United States
Sentencing Commission Guidelines, Guidelines Manual, 8A1.2,
Application Note 3(d).
---------------------------------------------------------------------------
1. Standards of Conduct
Medicare+Choice organizations should develop standards of conduct
for all affected employees that include a clearly delineated commitment
to compliance by the organization's senior management and its
divisions. To help communicate a strong and explicit organizational
commitment to compliance goals and standards, the Medicare+Choice
organization's governing body, CEO, chief operating officer (COO),
general counsel, chief financial officer (CFO) and other senior
officials should be directly involved in the development of standards
of conduct.
The standards should function in the same fashion as a
constitution, i.e., as a foundational document that details the
fundamental principles, values and framework for action within an
organization, as well as the organization's mission and goals. The
standards should also articulate the Medicare+Choice organization's
commitment to comply with all Federal and State laws and regulations,
with an emphasis on preventing fraud and abuse, and include the
ramifications of failure to comply with these standards. The standards
should not only address compliance with statutes and regulations, but
should also set forth broad principles that guide employees in
conducting business professionally and properly. In short, the
standards should promote integrity, support objectivity and foster
trust. Furthermore, a Medicare+Choice organization's standards of
conduct should reflect a commitment to high quality health care
delivery, as evidenced by its conduct of on-going performance
assessment, improved outcomes of care and respect for the rights of
Medicare+Choice enrollees.
2. Written Policies for Risk Areas
As part of its commitment to compliance, Medicare+Choice
organizations should establish a comprehensive set of written policies
addressing all applicable statutes, rules and program instructions that
apply to each function or department of that Medicare+Choice
organization.\20\ The
[[Page 61897]]
policies should address specific areas of concern, such as marketing
practices and data collection and submission processes. In contrast to
the standards of conduct, which are designed to be a clear and concise
collection of fundamental standards, the written policies should
articulate specific procedures personnel should follow when performing
their duties.\21\
---------------------------------------------------------------------------
\20\ This includes, but is not limited to, the Medicare+Choice
provisions and the fraud and abuse provisions of the Balanced Budget
Act of 1997, Pub. L. 105-33; the Civil False Claims Act, 31 U.S.C.
3729-3733; the criminal false claims statutes, 18 U.S.C. 287, 1001;
the fraud and abuse provisions of the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), Pub.L. 104-191; and the
civil money penalties in the Social Security Act, 42 U.S.C. 1320a-7a
and 42 U.S.C. 1395w-27(g). See also 42 CFR 422.1-422.312.
\21\ The Medicare+Choice organization should document its
efforts to formulate its policies to comply with applicable
statutes, regulations and program requirements. For example, where a
Medicare+Choice organization requests advice from HCFA, the
Medicare+Choice organization should document and retain a record of
the request and any written or oral response. This step is extremely
important if the Medicare+Choice organization intends to rely on
that response to guide it in future decisions, actions or appeals.
In addition, the Medicare+Choice organization should maintain
records relevant to the issue of whether its reliance was
``reasonable,'' and whether it exercised due diligence in developing
procedures to implement the advice.
---------------------------------------------------------------------------
The regulations and operational policies issued by HCFA that
implement the Medicare+Choice program are very comprehensive and, as
required by HCFA, serve as the basis for the policies and procedures of
a Medicare+Choice organization.\22\ The legal, policy and contractual
requirements that organizations must meet and perform as a
Medicare+Choice organization are articulated in documentation
promulgated by HCFA and other Federal agencies and should be considered
de facto risk areas. Included among these risk areas are: (1) The
election process; (2) benefits and beneficiary protections; (3) quality
assessment and performance improvement; (4) cost sharing; (5) solvency,
licensure and other State regulatory issues; (6) claims processing; and
(7) appeals and grievance procedures.
---------------------------------------------------------------------------
\22\ Medicare+Choice organizations should regularly access the
HCFA managed care website at http://www.hcfa.gov/medicare/
mgdcar1.htm for updates on regulations and operational policies.
Operational Policy Letters can be located on HCFA's web site at
http://www.hcfa.gov/medicare/mgd-ops.htm.
---------------------------------------------------------------------------
To determine the additional policies and procedures that are needed
for a given Medicare+Choice organization (and which policies may need
particular attention), the OIG recommends that Medicare+Choice
organizations conduct a comprehensive self-administered risk analysis
or contract for an independent risk analysis by experienced health care
consulting professionals. This risk analysis could include surveys and
statistical analysis specifically tailored to the organization's
beneficiary population, provider pool and organizational structure and
should identify and rank the various compliance and business risks the
company may experience in its daily operations.\23\ A Medicare+Choice
organization's prior history of noncompliance with applicable statutes,
regulations and Federal health care program requirements, or the
failure to report such non-compliance, may indicate additional types of
risk areas where the organization may be vulnerable and may require
necessary policy measures to prevent avoidable recurrence.\24\
---------------------------------------------------------------------------
\23\ Medicare+Choice organizations may also want to consult the
OIG's Work Plan when conducting the risk assessment. The OIG Work
Plan details the various projects the OIG currently intends to
address in the fiscal year. It should be noted that the priorities
in the Work Plan are subject to modification and revision as the
year progresses and the Work Plan does not represent a complete or
final list of areas of concern to the OIG. The Work Plan is
currently available on the Internet at http://www.hhs.gov/oig/.
\24\ ``Recurrence of misconduct similar to that which an
organization has previously committed casts doubt on whether it took
all reasonable steps to prevent such misconduct'' and is a
significant factor in the assessment of whether a compliance program
is effective. See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(7)(ii).
---------------------------------------------------------------------------
The fact that Medicare+Choice organizations may be both providers
and insurers of health care increases the number and type of risk areas
to which a Medicare+Choice organization must be attuned, as well as the
type of auditing and monitoring procedures that must be implemented, in
the development of its compliance efforts. For example, there are a
variety of substantially different operational areas within the
structure of a Medicare+Choice organization such as marketing, health
services delivery and finances that could require different types of
policies.
Given the detailed nature of the HCFA rules and regulations, we
have not attempted in this document to identify each and every policy
that should be established by a Medicare+Choice organization. Rather,
based on a review of OIG audits, investigations and evaluations, we
have identified the following areas of particular concern to OIG that
the Medicare+Choice organization should include in its written policies
and procedures:\25\
---------------------------------------------------------------------------
\25\ Although many of these areas apply specifically to
Medicare+Choice organizations, many of the areas identified below
have analogous issues in non-Medicare organizations. Medicare+Choice
organizations that provide private managed care products should
consider establishing additional policies and procedures for risk
areas that apply specifically to those areas. Although the policies
may be integrated, they should identify, as appropriate, where
deviations may be necessary to meet Medicare+Choice requirements or
State licensure requirements.
---------------------------------------------------------------------------
Marketing materials and personnel;
Selective marketing and enrollment;
Disenrollment;
Underutilization and quality of care;
Data collection and submission processes;
Anti-kickback statute and other inducements; and
Emergency services.
The following sections provide specific guidance regarding the risk
areas identified above.
a. Marketing Materials and Personnel
While each Medicare+Choice organization must comply with all of
HCFA's detailed requirements relating to marketing their plans,\26\ OIG
is particularly concerned that organizations have policies regarding:
(1) The completeness and accuracy of the marketing materials; and (2)
marketing personnel.
---------------------------------------------------------------------------
\26\ Medicare+Choice organizations should ensure that they
conform to fair marketing standards as set forth in the statute, the
Medicare Managed Care National Marketing Guide (Marketing Guide) and
all HCFA Operational Policy Letters affecting marketing matters.
---------------------------------------------------------------------------
Accurate and useful information is crucial to the success of the
Medicare+Choice program. The OIG is concerned that Medicare+Choice
organizations correctly and completely describe plan information in
marketing materials or other materials distributed to individuals prior
to and following enrollment. Medicare+Choice organizations that
misrepresent or falsify information submitted to HCFA, individuals or
entities are subject to civil money penalties (CMPs) or other
intermediate sanctions.\27\
---------------------------------------------------------------------------
\27\ 42 U.S.C. 1395w-27(g).
---------------------------------------------------------------------------
The submission of inaccurate or misleading information is of
particular concern to OIG. Medicare+Choice organizations should be
aware that the fact that materials have been approved by HCFA does not
absolve them from potential liability for misrepresenting or falsifying
information.\28\
---------------------------------------------------------------------------
\28\ Medicare+Choice organizations may not distribute marketing
materials or election forms unless they have submitted them to HCFA
for review 45 days prior to distribution and HCFA has not
disapproved their distribution (42 CFR 422.80).
---------------------------------------------------------------------------
HCFA considers marketing materials to include any informational
materials targeted to Medicare beneficiaries. Marketing materials go
beyond the public's general conception of marketing materials and
include general
[[Page 61898]]
circulation brochures, leaflets, newspapers, magazines, television,
radio, billboards, yellow pages, the internet, slides and charts, and
leaflets for distribution by providers. Such materials also include
membership communication materials such as membership rules, subscriber
agreements, or confirmation of enrollment.\29\ Accordingly,
Medicare+Choice organizations should carefully scrutinize all of these
materials for completeness, accuracy and compliance with HCFA rules,
regulations and policy letters.
---------------------------------------------------------------------------
\29\ 42 CFR 422.80(b).
---------------------------------------------------------------------------
In verifying that marketing materials meet all HCFA requirements,
Medicare+Choice organizations should ensure that the appropriate
materials contain an adequate description of enrollee rights,
procedures for accessing basic benefits and services, and a clear
explanation of the appeal and grievance process.\30\ Of particular
concern to HCFA and OIG is that the concept of ``lock-in'' is clearly
explained in all marketing material. Many Medicare beneficiaries are
unfamiliar with the notion that managed care may limit their health
care provider choices. Describing the process of selecting a primary
care physician and the limitations that this places on a
Medicare+Choice enrollee's choice of provider will reduce the unmet
expectations of Medicare beneficiaries.
---------------------------------------------------------------------------
\30\ 42 CFR 422.80(c).
---------------------------------------------------------------------------
Another important concept to include in the marketing materials is
that the beneficiary may be terminated from enrollment in the plan due
to the decision of the Medicare+Choice organization not to renew its
contract with HCFA, or due to HCFA's refusal to renew the contract.\31\
This termination can affect the enrollee's eligibility for supplemental
insurance and other benefits.
---------------------------------------------------------------------------
\31\ 42 CFR 422.80(c)(3).
---------------------------------------------------------------------------
Second, in light of the critical role that marketing personnel play
in representing the plan to Medicare enrollees, the Medicare+Choice
organization must take all appropriate steps to ensure that marketing
personnel are presenting clear, complete and accurate information to
potential enrollees. To that end, the OIG encourages Medicare+Choice
organizations to employ their own marketing personnel, as opposed to
contracting these responsibilities to outside entities.\32\ This
provides the Medicare+Choice organization the necessary control to
ensure that these individuals meet all HCFA guidelines. Similarly, it
safeguards Medicare beneficiaries from practices that could greatly
affect the access to health care to which they are entitled and their
ability to acquire accurate and complete information regarding their
health care options.
---------------------------------------------------------------------------
\32\ It should be noted that Medicare+Choice organizations have
ultimate responsibility for the acts and omissions of its marketing
agents (42 CFR 422.502(i)).
---------------------------------------------------------------------------
Medicare+Choice organizations should also be aware that the OIG and
HCFA strongly discourage the use of physicians as marketing agents for
several reasons: (1) When a physician acts outside his or her
traditional role as care provider, the physician's patients may be
confused as to when the physician is acting as an agent of the plan,
and when the physician is acting in his or her role as a fiduciary to
act in the best interests of the patient; (2) a physician's knowledge
of a patient's health status increases the potential for discriminating
in favor of Medicare beneficiaries with positive health status when
acting as a marketing agent; (3) physicians may not be fully aware of
membership plan benefits and costs; and (4) physicians may not be the
best source of membership information for their patients.\33\
Therefore, the organization should develop policies to ensure that any
provider promotional activities are conducted in accordance with HCFA
guidelines (which allow, e.g., the distribution of health plan
brochures (exclusive of applications) at a health fair or in their own
offices).\34\
---------------------------------------------------------------------------
\33\ Marketing Guide, Chapter IV.
\34\ Id.
---------------------------------------------------------------------------
b. Selective marketing and Enrollment
The OIG is very concerned about the practice known as ``cherry-
picking,'' or selective marketing,\35\ in which Medicare+Choice
organizations discriminate in the marketing and enrollment process
based upon an enrollee's degree of risk for costly or prolonged
treatment.\36\ Except for individuals who have been medically
determined to have end-stage renal disease, a Medicare+Choice
organization may not deny, limit or condition the coverage or
furnishing of benefits to individuals eligible to enroll in a
Medicare+Choice plan offered by the organization on the basis of any
factor that is related to health status, including, but not limited to,
the following: (1) Medical condition (including mental illness); (2)
claims experience; (3) receipt of health care; (4) medical history; (5)
genetic information; (6) evidence of insurability; and (7)
disability.\37\ Engaging in practices that would reasonably be expected
to have the effect of denying or discouraging enrollment by eligible
individuals whose medical condition or history indicates the need for
substantial future medical services subjects the Medicare+Choice
organization to a CMP or other sanction, such as suspension of
enrollment or suspension of payment.\38\
---------------------------------------------------------------------------
\35\ OIG is also concerned about a similar problem, known as
``gerrymandering,'' which is an attempt to eliminate certain high
dollar risk areas from the Medicare+Choice organization's service
area. Medicare+Choice organizations should have policies in place to
avoid such practices.
\36\ Although the Medicare+Choice program has attempted to
alleviate many of the selective marketing practices through the use
of risk adjustment, the phase-in period for risk-adjustment
virtually assures that this will remain a troubling issue through
2004.
\37\ 42 U.S.C. 1395w-22(b)(1); 42 CFR 422.110.
\38\ 42 U.S.C. 1395w-27(g)(1)(D); 42 CFR 422.750 through
422.760.
---------------------------------------------------------------------------
Certain types of practices clearly fall into the category of
cherry-picking and Medicare+Choice organizations should implement
policies to prohibit and prevent such practices. For example,
organizations should generally prohibit employees from conducting
medical screening, i.e., asking the beneficiary medical questions prior
to enrollment.\39\ In a 1996 survey, the OIG found that such screening
for health status at application was reported by 18 percent of
beneficiaries. While this represented a reduction from the 1993 level
of 43 percent, it still represents a potentially serious problem.\40\
---------------------------------------------------------------------------
\39\ Pursuant to 42 CFR 422.50(a)(2), it would be appropriate to
determine whether a potential enrollee has end-stage renal disease.
\40\ ``Beneficiary Perspectives of Medicare Risk HMOs 1996.''
(OEI-06-95-00430)(March 1998).
---------------------------------------------------------------------------
Another way in which Medicare+Choice organizations may
inappropriately target healthier beneficiaries is by primarily
marketing their plans in places where healthy enrollees are more likely
to be present, such as at health and exercise clubs, or in areas that
are difficult to access for people with disabilities (e.g., upper
floors of buildings that do not have elevators).\41\ Similarly,
organizations may inappropriately provide inducements to potential
enrollees in a way that would encourage younger, healthier
beneficiaries to enroll in the plan. For example, the offering of free
gym memberships or kayaking or other sporting lessons would appeal to a
healthy class of enrollees and discriminate against those who would not
be interested in such activities.\42\ If
[[Page 61899]]
a Medicare+Choice organization intends to offer such items as a
Medicare+Choice benefit, the item must meet the definitional
requirements of a bona fide benefit. The item must be: (1) Related to
health care; and (2) costed out in the Medicare+Choice organization's
Adjusted Community Rate. Any such items that do not meet these
requirements are not valid Medicare+Choice benefits and must be
considered ``value added services'' (VAS) subject to all the
limitations associated with VAS.
---------------------------------------------------------------------------
\41\ In fact, Medicare+Choice organizations are required to
allocate part of their resources to marketing to the Medicare
population with disabilities (42 CFR 422.80(e)(2)(i)).
\42\ The statute prohibits the provision of cash or other
monetary rebates as an inducement for enrollment in the plan. See 42
U.S.C. 1395w-21(h)(4)(A). However, HCFA allows Medicare+Choice
organizations to give Medicare beneficiaries nominal value gifts,
provided that the plan offers these gifts whether or not the
beneficiary enrolls in the plan. HCFA defines nominal value as an
item having little or no resale value (generally, less than $10),
which cannot be readily converted into cash. See Marketing Guide,
Chapter II. The use of inducements is also discussed in Section
II.A.2.f.--Anti-kickback and Other Inducements.
---------------------------------------------------------------------------
Other examples of cherry-picking would be: (1) Attempts to give
enrollment priority to newly eligible Medicare beneficiaries (who are
theoretically younger and healthier), other than as set forth in the
regulations; \43\ (2) the tracking of costs incurred by enrollees who
were enrolled in different settings (e.g., at the health fair, or at a
health club), which could be used to target healthier enrollees in the
future; or (3) re-enrollment campaigns targeting past plan subscribers
who had low medical costs. There are many other subtle ways in which a
Medicare+Choice organization may try to enroll healthy patient
populations in a discriminatory manner (i.e., not making similar
attempts to enroll less healthy beneficiaries) and the organization
should implement policies actively to prevent such practices.
---------------------------------------------------------------------------
\43\ 42 CFR 422.66(d).
---------------------------------------------------------------------------
c. Disenrollment
In general, Medicare+Choice organizations are prohibited from
disenrolling, or requesting or encouraging (either by action or
inaction) an individual to disenroll from any plan it offers.\44\ If a
Medicare+Choice organization acts to expel or refuses to reenroll an
individual in violation of the statute, a civil money penalty or other
sanction can be imposed on the organization.\45\ The OIG is
particularly concerned about disenrollment in light of its recent
review, which revealed that there was a problem with disenrollment of
beneficiaries just prior to receiving expensive inpatient services.\46\
---------------------------------------------------------------------------
\44\ Medicare+Choice organizations are entitled to disenroll
individuals under certain circumstances, e.g., failure to pay
premiums or engagement in disruptive behavior. 42 CFR 422.74.
\45\ 42 U.S.C. 1395w-27(g)(1)(C).
\46\ Review of Inpatient Services Performed on Beneficiaries
After Disenrolling from Medicare Managed Care.'' (A-07-98-01256)
(May 1999).
---------------------------------------------------------------------------
In this review, OIG found that Medicare paid for inpatient hospital
services amounting to $224 million in fee-for-service (FFS) payments
within 3 months of beneficiaries' disenrollment from six risk plans
during 1991 through 1996. Had these beneficiaries not disenrolled,
Medicare would have paid the HMOs $20 million in monthly capitation
payments. Had the beneficiaries remained in the HMOs, Medicare would
have saved $204 million in expenditures. Included in the Medicare FFS
payments were $41 million for beneficiaries who disenrolled, had FFS
procedures performed, and then reenrolled into another or the same
managed care plan.
While this study did not identify the reasons for the disenrollment
as part of this review, one partial explanation of the review could be
that some managed care plans or their medical personnel may be
encouraging sicker beneficiaries to disenroll as a way to avert their
own costs at a high cost to the Medicare system.
Each Medicare+Choice organization must implement policies to ensure
that inappropriate disenrollment does not occur.\47\ Such policies
should include clarification of when it is appropriate for medical
personnel to discuss the concept of disenrollment. Generally speaking,
OIG believes it would be inappropriate for medical personnel to
initiate discussion of disenrollment or to promote disenrollment (when
the topic is initiated by the enrollee), except in the rare
circumstance where the Medicare+Choice organization cannot or does not
provide the covered medical items or services needed by the patient.
---------------------------------------------------------------------------
\47\ Such policies should be consistent with the provisions that
prohibit Medicare+Choice organizations from restricting a health
care professional from advising patients of the ``health status of
the individual or medical care or treatment for the individual's
condition or disease, regardless of whether benefits for such care
or treatment are provided under the plan.'' See 42 U.S.C.
1852(j)(3)(emphasis added).
---------------------------------------------------------------------------
d. Underutilization and Quality of Care
Medicare+Choice organizations must ensure that all covered services
are available and accessible to all enrollees.\48\ The OIG views the
inappropriate withholding or delay of services, known as
underutilization or ``stinting,'' as a serious issue.\49\ Examples of
practices that can lead to underutilization and poor quality include
the failure to employ or contract with sufficient institutional and
individual providers to accommodate all enrollees, the failure to
provide geographically reachable services to enrollees, the delay in
approving or failure to approve referrals for covered services, the
establishment of utilization review procedures that are so burdensome
that an enrollee could not reasonably be expected to fulfill the
requirements and the categorical denial of payment of claims.\50\
---------------------------------------------------------------------------
\48\ 42 U.S.C. 1395w-22. To this end, Medicare+Choice
organizations must comply with the standards contained in the
Quality Improvement System for Managed Care (QISMC) for
Organizations Contracting with Medicare or Medicaid.
\49\ Medicare+Choice organizations can be subject to sanctions
for failing substantially to provide medically necessary items and
services that are required to be provided, if the failure has
adversely affected (or has the substantial likelihood of adversely
affecting) the individual. 42 U.S.C. 1395w-27(g)(1)(A).
\50\ See QISMC Standards 2.1.2, 2.2.2 and 3.1.
---------------------------------------------------------------------------
There are a wide variety of policies that a Medicare+Choice
organization should implement to be sure it is providing all medically
necessary services to its enrollees. The regulations and guidelines
that implement the Medicare+Choice program contain numerous provisions
that deal with this issue. While we have not attempted to develop a
comprehensive list in this document, we would like to highlight three
types of policies that Medicare+Choice organizations should develop
that may help address underutilization and quality of care.
First, Medicare+Choice organizations should have policies that
prohibit interference with health care professionals' advice to
enrollees. Also known as the ``gag rule,'' this prohibition extends to
advice regarding the patient's health status, medical care, and
treatment options, the risks, benefits and consequences of treatment or
non-treatment, or the opportunity for the individual to refuse
treatment and to express preferences about future treatment
options.51 Failure to comply with this requirement can lead
to sanctions.52
---------------------------------------------------------------------------
\51 \42 U.S.C. 1395w-22(j)(3), 42 CFR 422.206; QISMC Standard
3.3.1.7.
\52 \42 U.S.C. 1395w-27(g)(1)(F); 42 CFR 422.750 through
422.760.
---------------------------------------------------------------------------
Second, Medicare+Choice organizations should be sure, to they
extent that they utilize physician incentive plans (PIPs) in their
payment arrangements with individual physicians or physician groups,
that they comply with all applicable regulations and that such payment
arrangements are fully disclosed to HCFA as required by regulation. The
PIPs raise utilization concerns because they are defined as ``any
compensation
[[Page 61900]]
arrangement to pay a physician or physician group that may directly or
indirectly have the effect of reducing or limiting services provided to
any plan enrollees.'' 53 Any PIP operated by a
Medicare+Choice organization must comply with the following
requirements. First, it may make no payments to physicians (such as
offerings of monetary value, including, but not limited to, stock
options or waivers of debt 54) to reduce or limit medically
necessary services furnished to any particular enrollee. Second, if the
PIP puts a physician or physician group at ``substantial financial
risk'' 55 for referral services, the Medicare+Choice
organization must: (1) survey current and previously enrolled members
to assess access to, and satisfaction with, the quality of services;
and (2) assure that there is adequate and appropriate stop-loss
protection.56 Finally, Medicare+Choice organizations must
disclose to HCFA certain information regarding their PIPs. These
disclosure requirements apply to direct contracting arrangements, as
well as subcontracting arrangements.57
---------------------------------------------------------------------------
\53 \42 CFR 422.208.
\54 \42 U.S.C. 1395w-22(j)(4); 42 CFR 422.208.
\55 \``Substantial financial risk'' threshold is set at 25
percent of potential payments for covered services, regardless of
the frequency of assessment (i.e., collection) or distribution of
payments. 42 CFR 422.208.
\56 \42 CFR 422.208(c).
\57 \42 CFR 422.210(a).
---------------------------------------------------------------------------
Finally, the OIG is aware of cases in which beneficiaries have
received covered services from individuals that were not appropriately
licensed. Given the serious quality of care implications of this type
of practice, the OIG is particularly concerned that Medicare+Choice
organizations have procedures for the selection of providers, including
criteria for the credentialing of providers. This process should
include an application, verification of information and a site visit,
where applicable.58 The information that must be verified
includes that the individual has a valid license to practice, clinical
privileges in good standing and appropriate educational qualifications.
---------------------------------------------------------------------------
\58 \42 CFR 422.204.
---------------------------------------------------------------------------
e. Data Collection and Submission Processes
The regulations implementing the Medicare+Choice program contain
numerous requirements relating to the data collection and submission
process, ranging from a requirement for an effective system for
receiving, controlling and processing election forms 59 to
requirements for the timely submission of disenrollment
notices.60 These requirements cover the gamut of
requirements with which a Medicare+Choice organization must comply and
are too detailed to enumerate in this document. Medicare+Choice
organizations should establish a policy that all required submissions
to HCFA be accurate, timely and complete and that all appropriate
reporting requirements are met.61
---------------------------------------------------------------------------
\59 \42 CFR 422.60(e).
\60 \42 CFR 422.66(b)(3)(i).
\61 \On a related topic, Medicare+Choice organizations should
also be sure that their computer systems are Year 2000 (Y2K)
compliant. An OIG report indicates that managed care organizations
have made significant progress in this regard, with more than 80%
indicating that they are Y2K compliant. ``Y2K Readiness of Managed
Care Organizations.'' (OEI-05-98-0591)(October 1999).
---------------------------------------------------------------------------
The OIG is particularly concerned that Medicare+Choice
organizations submit accurate data when that information determines the
amount of payment received from HCFA. The regulations require that when
a Medicare+Choice organization requests payment under the contract, the
CEO or CFO must certify the accuracy, completeness and truthfulness of
relevant data, including enrollment data, encounter data and
information provided as part of an adjusted community rate (ACR)
proposal.62 When a Medicare+Choice organization submits this
type of data to HCFA, it is making a ``claim'' for capitation payment
in the amount dictated by the data submitted, or in the case of the ACR
submission, a ``claim'' to retain the portion of the capitation amount
that is under the average payment rate, rather than providing
additional benefits. When a Medicare+Choice organization is claiming
payment (or the right to retain payment) based upon information
submitted to HCFA, it must take responsibility for having taken
reasonable steps to assure the accuracy of this information. The
attestation forms developed by HCFA for this purpose require
certification that the information submitted is true and accurate based
on best knowledge, information and belief.
---------------------------------------------------------------------------
\62 \42 CFR 422.502(l) and (m). See also Contract for Year 2000,
Attachments A, B and C.
---------------------------------------------------------------------------
The requirement that the CEO or CFO certify as to the accuracy,
completeness and truthfulness of data, based on best knowledge,
information and belief, does not constitute an absolute guarantee of
accuracy. Rather, it creates a duty on the Medicare+Choice organization
to put in place an information collection and reporting system
reasonably designed to yield accurate information. Further, the
Medicare+Choice organization should exercise due diligence to ensure
that these systems are working properly. The exact methods used by the
Medicare+Choice organization to accomplish this can be determined by
the organization, however, it should ordinarily conduct sample audits
and spot checks of this system to verify whether it is yielding
accurate information.
The knowing submission of false information to HCFA can lead to
serious criminal or civil penalties.63 Medicare+Choice
organizations should implement policies so that the enrollment,
encounter and ACR data submitted to HCFA are accurate, complete and
truthful. While information from a variety of sources can affect this
data, Medicare+Choice organizations should take note of two reports
issued by the OIG that have identified concerns in two aspects of this
data.
---------------------------------------------------------------------------
\63 \Falsification of documentation in any application for any
benefit or payment under a Federal health care program is a Federal
offense punishable by not more than $25,000 or imprisonment for 5
years, or both. See 42 U.S.C. 1320a-7b. In addition, a CMP can be
imposed for the misrepresentation or falsification of information
submitted to HCFA under Medicare+Choice. See 42 U.S.C. 1395w-
27(g)(1)(E).
---------------------------------------------------------------------------
First, the OIG recommends that Medicare+Choice organizations have
policies and procedures in place that ensure that the administrative
component of the ACR is calculated accurately.\64\ As part of this
process, Medicare+Choice organizations should have clearly defined
criteria for claiming reimbursement for their administrative costs.
These costs should not include any costs that are directly associated
with furnishing patient care. All such costs should be allocated to the
applicable operating component. The OIG has articulated serious
concerns about the methodology used by managed care organizations in
computing their administrative rate on the ACR proposal.\65\ For
example, computing an administrative rate based on the use of a medical
utilization factor could generate a payment that is almost three times
what would be charged on the commercial side.
---------------------------------------------------------------------------
\64\ The administrative component of the ACR covers any
management, financial or other costs that are incurred by or
allocated to a business unit for the management or administration of
the business unit as a whole.
\65\ See, e.g.,``Administrative Costs Submitted by Risk-Based
Health Maintenance Organizations on the Adjusted Community Rate
Proposals are Highly Inflated.'' (A-14-97-00202) (July 1998).
---------------------------------------------------------------------------
Second, the OIG recommends that Medicare+Choice organizations have
adequate internal controls in place to ensure that the institutional
status of
[[Page 61901]]
beneficiaries is reported accurately.\66\ A recent report issued by the
OIG estimated that risk-based HMOs received Medicare overpayments of
$22.2 million for beneficiaries incorrectly classified as
institutionalized.\67\ The incorrect classification was largely due to
deficiencies in the HMOs internal controls in two areas: (1)
Verification of beneficiaries' institutional status; and (2) reporting
of institutional beneficiaries to HCFA. The results were based on
audits of eight randomly selected HMOs.
---------------------------------------------------------------------------
\66\ This will remain a concern until risk adjustment is fully
implemented.
\67\ ``Review of Medicare Managed Care Payments for
Beneficiaries with Institutional Status.'' (A-05-98-00046)(April
1999).
---------------------------------------------------------------------------
f. Anti-Kickback Statute and Other Inducements
The anti-kickback statute provides criminal penalties for
individuals or entities that knowingly and willfully offer, pay,
solicit or receive remuneration to induce the referral of business
reimbursable under a Federal health care program (including Medicare
and Medicaid).\68\ The OIG has promulgated safe harbor regulations that
define practices that are not subject to the anti-kickback statute
because such practices would be unlikely to result in fraud or
abuse.\69\
---------------------------------------------------------------------------
\68\ 42 U.S.C. 1320a-7b(b). If it is determined that a party has
violated the anti-kickback statute, the individual or entity can be
excluded from participation in the Medicare and other Federal health
care programs (as defined in 42 U.S.C. 1320a-7b(f)). 42 U.S.C.
1320a-7(b)(7). In addition, there is an administrative CMP provision
for violating the anti-kickback statute (42 U.S.C. 1320a-7a(a)(7)).
\69\ 42 CFR 1001.952. The safe harbors set forth specific
conditions that, if met, assure entities involved of not being
prosecuted or sanctioned for the arrangement qualifying for the safe
harbor. However, safe harbor protection is afforded only to those
arrangements that precisely meet all of the conditions set forth in
the safe harbor. The failure of an arrangement to fit inside a safe
harbor or statutory exception does not mean that the arrangement is
illegal. It is incorrect to assume that arrangements outside of a
safe harbor are suspect due to that fact alone. That an arrangement
does not meet a safe harbor only means that the arrangement does not
have guaranteed protection and must be evaluated on a case-by-case
basis.
---------------------------------------------------------------------------
The anti-kickback statute potentially applies to many managed care
arrangements because a common strategy of these arrangements is to
offer physicians, hospitals and other providers increased patient
volume in return for substantial fee discounts. Because discounts to
managed care organizations can constitute ``remuneration'' within the
meaning of the anti-kickback statute, a number of health care providers
have expressed concern that many relatively innocuous, or even
beneficial, commercial managed care arrangements implicate the statute
and may subject them to criminal prosecution and administrative
sanctions.
The OIG recognizes that when managed care organizations are paid a
capitated amount for all of the services they provide regardless of the
dates, frequency or type of services, there is no incentive for them to
overutilize. In any event, even if overutilization occurs, the Federal
health care programs are not at risk for these increased costs.
Accordingly, OIG will be issuing a safe harbor from the anti-kickback
statute that will provide protection for certain financial arrangements
between managed care organizations (including Medicare+Choice
organizations) and individuals or entities with whom they contract for
the provision of health care items or services, where a Federal health
care program pays such organizations on a capitated basis.\70\
---------------------------------------------------------------------------
\70\ This safe harbor was developed in accordance with section
216 of HIPAA and section 14 of the Medicare and Medicaid Patient and
Program Protection Act of 1987 (Pub. L. 100-93) through a negotiated
rulemaking process that began in the spring of 1997. For a more
detailed description of the negotiated rulemaking, see the Committee
Statement of the Negotiated Rulemaking Committee on the Shared Risk
Exception (January 22, 1998), which can be found on the Internet at
http://www.hhs.gov/oig/.
---------------------------------------------------------------------------
In general, the safe harbor protects payments between capitated
managed care organizations (including Medicare+Choice organizations
offering coordinated care plans) and individuals or entities with which
it has direct contracts to provide or arrange for the provision of
items or services.\71\ While this is a broad exception, there are three
important limitations.
---------------------------------------------------------------------------
\71\ In addition, arrangements between direct contractors and
all subcontractors or successive tiers of subcontractors are
protected, as long as the arrangement is for the provision of health
care items or services that are covered by the arrangement between
the direct contractor and the managed care organization and the
arrangement meets the requirements applicable to arrangements
between the direct contractor and the managed care organization.
---------------------------------------------------------------------------
The first significant limitation is that there is no protection if
the financial arrangements under the managed care agreement are
implicitly or explicitly part of a broader agreement to steer fee-for-
service Federal health care program business to the entity giving the
discount to induce the referral of managed care business. Specifically,
we understand that most managed care organizations have multiple
relationships with their contractors and subcontractors for the
provision of services for various product lines, including non-federal
HMOs, preferred provider organizations (PPOs) and point of service
networks. Consequently, although neither a managed care organization
receiving a capitated payment from a Federal health care program nor
its contractors or subcontractors has an incentive to overutilize items
or services or pass additional costs back to the Federal health care
programs under the capitated arrangement, we are concerned that a
managed care organization or contractor may offer (or be offered) a
reduced rate for its items or services in the Federal capitated
arrangement in order to have the opportunity to participate in other
product lines that do not have stringent payment or utilization
constraints. This practice is a form of a practice known as
``swapping;'' in the case of managed care arrangements, low capitation
rates could be traded for access to additional fee-for-service lines of
business. We are concerned when these discounts are in exchange for
access to fee-for-service lines of business, where there is an
incentive to overutilize services provided to Federal health care
program beneficiaries.
For example, we would have concerns where an HMO with a Medicare
risk contract under Medicare Part C also has an employer-sponsored PPO
that includes retirees and requires participating providers to accept a
low capitation rate for the Medicare HMO risk patients in exchange for
access to the Medicare fee-for-service patients in the PPO. Although in
such circumstances the cost to the Medicare program for the risk-based
HMO beneficiaries will not be increased, there may be increased
expenditures for Medicare beneficiaries in the PPO arrangement, because
the providers may have an incentive to increase services to the
Medicare enrollees in the PPO to offset the discounted rates to the
Medicare HMO. Accordingly, such arrangements could violate the anti-
kickback statute and should not be protected.
A second limitation on the regulatory safe harbor protection is
that it only applies to remuneration for health care items and services
and those items or services reasonably related to the provision of
health care items and services. It does not cover marketing services or
any services provided prior to a beneficiary's enrollment in a health
plan.
Finally, the broad protection is limited to risk-based managed care
plans that do not claim any payment from a Federal health care program
other than the capitated amount set forth in the managed care
organization's agreement with the Federal health care
[[Page 61902]]
program. Where the managed care plan, its contractors or its
subcontractors are permitted to seek additional payments from any of
the Federal health care programs, the regulatory safe harbor protection
is significantly more limited. For example, protection is not extended
to arrangements with subcontractors when the contract under section
1876 of the Social Security Act is cost-based or where the prime
contract is protected solely because the contracting entity is a
Federally-qualified HMO.\72\ In the first instance, reimbursement from
the Federal health care program is based on costs, and in the latter
case, services for Medicare enrollees are reimbursed on a fee-for-
services basis. In both instances, reimbursement will increase with
utilization, thus providing the same incentive to overutilize as any
fee-for-service payment methodology.
---------------------------------------------------------------------------
\72\ The arrangements may qualify for other safe harbors, such
as the discount or personal services safe harbors.
---------------------------------------------------------------------------
While the new safe harbor will provide protection from the anti-
kickback statute for most arrangements between Medicare+Choice
organizations and their contractors, Medicare+Choice organizations
should also have policies in place that ensure that any incentives that
the Medicare+Choice organization offers directly or indirectly to
beneficiaries and potential beneficiaries do not run afoul of the anti-
kickback statute or the new civil money penalty relating to incentives
to beneficiaries.\73\ The CMP was enacted in section 231(h) of HIPAA
(42 U.S.C. 1320a-7a(a)(5)) and imposes sanctions against individuals or
entities that offer remuneration to a program beneficiary that they
know, or should know, will influence the beneficiary's decision to
order or receive items or services from a particular provider,
practitioner or supplier reimbursable by Medicare or the State health
care programs.
---------------------------------------------------------------------------
\73\ Our concerns regarding the use of inducements in a manner
that leads to enrollment of only healthy beneficiaries, such as
offering memberships to exercise clubs for purposes of patient
screening, is discussed above in Section II.A.2.b.--Selective
Marketing and Enrollment.
---------------------------------------------------------------------------
Pending the publication of the final rule implementing this CMP, we
can provide the following guidance. It is our view that organizations
that provide incentives to Federal health care program beneficiaries to
enroll in a plan are not offering remuneration to induce the enrollees
to use a particular provider, practitioner or supplier. Accordingly, we
anticipate that organizations that provide incentives to enroll in a
plan will not be subject to sanctions under this provision. However,
incentives provided by organizations to induce a beneficiary to use a
particular provider, practitioner or supplier once the beneficiary has
enrolled in a plan are within the purview of this CMP and are
prohibited if they do not meet an exception. For example, incentives
given to beneficiaries by a particular physician group within the
physician panel of a Medicare+Choice organization to encourage the
beneficiary to use that physician group over another physician in the
panel would be prohibited.
g. Emergency Services
The OIG and HCFA believe that there may be special concerns
regarding the provision of emergency services to enrollees of
Medicare+Choice plans. The anti-dumping statute \74\ imposes specific
obligations on Medicare-participating hospitals that offer emergency
services to individuals presenting themselves at the hospital seeking
possible emergency treatment. While the obligations under the anti-
dumping statute prohibit a hospital from inquiring into the patient's
method of payment or insurance status when it results in the delay of a
medical screening examination and/or stabilizing treatment, it has come
to our attention that some hospitals routinely seek prior authorization
from the patient's primary care physician or from the managed care plan
when a managed care patient requests emergency services. Investigations
of allegations of the anti-dumping statute across the country have
persuaded the OIG that managed care patients may be at risk of being
discharged or transferred without receiving a medical screening
examination, largely because of the problems inherent in seeking
``prior authorization.''
---------------------------------------------------------------------------
\74\ 42 U.S.C. 1395dd.
---------------------------------------------------------------------------
To ensure appropriate access to emergency services for
Medicare+Choice enrollees, Medicare+Choice organizations should comply
with several key provisions. First, Medicare+Choice organizations are
prohibited from requiring prior authorization for emergency services
and must provide coverage for such services without regard to the
emergency care provider's contractual relationship with the
Medicare+Choice organization.\75\ Second, payment must be provided for
emergency services based on a ``prudent layperson standard,'' which
means that the need for emergency services should be determined from a
reasonable patient's perspective at the time of presentation of the
symptoms \76\ Finally, Medicare+Choice organizations must comply with
all guidelines relating to the efficient and timely coordination of
appropriate maintenance and post-stabilization of an enrollee after the
enrollee has been stabilized under the anti-dumping statute.\77\
---------------------------------------------------------------------------
\75\ 42 U.S.C. 1395w-22(d)(1)(E). Medicare+Choice organizations
should not offer, or enter into, contracts with hospitals that are
inconsistent with the anti-dumping statute.
\76\ 42 U.S.C. 1395w-22(d)(3).
\77\ 42 U.S.C. 1395w-22(d)(2).
---------------------------------------------------------------------------
Medicare+Choice organizations should be particularly careful of the
requirements of the anti-dumping statute in the event that they
participate in the so-called ``dual staffing'' of emergency
departments. Dual staffing occurs when hospitals enter into
arrangements allowing a managed care organization to station its own
physicians in the hospital's emergency department for the purpose of
screening and treating managed care enrollees. Implementation of dual
staffing raises some concerns under the anti-dumping statute,
particularly where different procedures and protocols have been
established for each staff.
In addition, Medicare+Choice organizations should be particularly
careful in operating ``urgent care'' services and in instructing
enrollees to contact such services when enrollees need care. The
organizations should ensure that such operations and instructions do
not delay or otherwise compromise enrollees' access to services that
should be provided in a hospital emergency room.
3. Retention of Records and Information Systems
Medicare+Choice organizations' compliance programs should provide
for the implementation of a records retention system. This system
should establish policies and procedures regarding the creation,
distribution, retention, storage, retrieval and destruction of
documents. The three types of documents developed under this system
should include: (1) All records and documentation required by either
Federal or State law and the program requirements of Federal and State
health plans; \78\ (2) records listing the persons responsible for
implementing each part of the compliance plan; and (3) all records
necessary to protect the integrity of the Medicare+Choice
organization's compliance process and confirm the effectiveness of the
program. The documentation necessary to satisfy the third category
includes, but is not
[[Page 61903]]
limited to the following: evidence of adequate employee training;
reports from the Medicare+Choice organization's hotline; results of any
investigation conducted as a consequence of a hotline call;
modifications to the compliance program; all written notifications to
providers regarding compliance activities; \79\ and the results of the
Medicare+Choice organization's auditing and monitoring efforts.
---------------------------------------------------------------------------
\78\ These documents should be maintained for the periods
required by the HCFA Medicare+Choice regulations.
\79\ This should include notifications regarding: quality of
care issues; confusing or inaccurate encounter data; and termination
of the contract.
---------------------------------------------------------------------------
In light of the increasing reliance on electronic data interchange
by the health care industry, Medicare+Choice organizations should take
particular care in establishing procedures for maintaining the
integrity of its data collection systems. This should include
procedures for regularly backing-up data (either by diskette,
restricted system or tape) collected in connection with all aspects of
the Medicare+Choice program requirements.
In addition, all Medicare+Choice organizations should develop and
implement policies and procedures to ensure the confidentiality and
privacy of financial, medical, personnel and other sensitive
information in their possession.\80\ These policies should address both
electronic and hard copy documents.
---------------------------------------------------------------------------
\80\ 42 U.S.C. 1395w-22(h); 42 CFR 422.118.
---------------------------------------------------------------------------
4. Compliance as an Element of a Performance Plan
Compliance programs should require that the promotion of, and
adherence to, the elements of the compliance program be a factor in
evaluating the performance of all relevant employees. Such employees
should be periodically trained in new compliance policies and
procedures.
Policies should require that managers:
Discuss with all relevant employees the compliance
policies and legal requirements applicable to their function;
inform all relevant personnel that strict compliance with
these policies and requirements is a condition of employment; and
Disclose to all relevant personnel that the
Medicare+Choice organization will take disciplinary action up to and
including termination for violation of these policies or requirements.
In addition to making performance of these duties an element in
evaluations, the compliance officer or company management should
include a policy that managers and supervisors will be sanctioned for
failure to instruct adequately their subordinates or for failure to
detect noncompliance with applicable policies and legal requirements,
where reasonable diligence on the part of the manager or supervisor
should have led to the discovery of any problems or violations.
B. Designation of a Compliance Officer and a Compliance Committee
1. Compliance Officer
Every Medicare+Choice organization should designate a compliance
officer to serve as the focal point for compliance activities. This
responsibility may be the individual's sole duty or added to other
management responsibilities, depending upon the size and resources of
the Medicare+Choice organization and the complexity of the task.
Designating a compliance officer with the appropriate authority is
critical to the success of the program, necessitating the appointment
of a high-level official in the Medicare+Choice organization with
direct access to the company's governing body, the CEO and all other
senior management and legal counsel.\81\ While it is important that the
compliance officer have appropriate authority, we are not suggesting
that the compliance officer should have operational responsibility for
the various aspects of the Medicare+Choice program. For example, the
compliance officer should have full authority to stop the submission of
data that he or she believes is problematic until such time as the
issue in question has been resolved. In addition, the compliance
officer should be copied on the results of all internal audit reports
and work closely with key managers to identify aberrant trends in the
areas that require certification. The compliance officer must have the
authority to review all documents and other information that are
relevant to compliance activities, including, but not limited to,
enrollee records (where appropriate) and records concerning the
marketing efforts of the organization and the Medicare+Choice
organization arrangements with other parties, including employees,
professionals on staff, relevant independent contractors, suppliers,
agents and physicians. This policy enables the compliance officer to
review contracts and obligations (seeking the advice of legal counsel,
where appropriate) that may contain referral and payment provisions
that could violate statutory or regulatory requirements.
---------------------------------------------------------------------------
\81\ The OIG believes that it is not advisable for the
compliance function to be subordinate to the Medicare+Choice
organization's general counsel, comptroller or similar company
financial officer. Free-standing compliance functions help to ensure
independent legal reviews and financial analyses of the
institution's compliance activities. By separating the compliance
function from the key management positions of general counsel or CFO
(where the size and structure of the organization make this a
feasible option), a system of checks and balances is established to
more effectively achieve the compliance program's goals.
---------------------------------------------------------------------------
Coordination and communication are the key functions of the
compliance officer with regard to planning, implementing and monitoring
the compliance program. With this in mind, the OIG recommends that the
Medicare+Choice organization's compliance officer closely coordinate
compliance functions with providers' compliance officers.
The compliance officer should have sufficient funding and staff to
fully perform his or her responsibilities. These duties should include:
Overseeing and monitoring the implementation of the
compliance program; \82\
---------------------------------------------------------------------------
\82\ For multi-site Medicare+Choice organizations, the OIG
encourages coordination with each facility owned by the
Medicare+Choice organization through the use of compliance liaisons
at each site.
---------------------------------------------------------------------------
Reporting on a regular basis to the Medicare+Choice
organization's governing body, CEO and compliance committee on the
progress of implementation;
Periodically revising the program in light of changes in
the organization's needs and in the law and policies and procedures of
Government and private payor health plans;
Reviewing employees' certifications stating that they have
received, read and understood the standards of conduct;
Developing, coordinating and participating in a
multifaceted educational and training program that focuses on the
elements of the compliance program and seeks to ensure that all
appropriate employees and management are knowledgeable of, and comply
with, pertinent Federal and State standards;
Coordinating personnel issues with the Medicare+Choice
organization's human resources/personnel office (or its equivalent) to
ensure that providers and employees do not appear in the List of
Excluded Individuals/Entities and the General Services Administration
(GSA) list of debarred contractors; \83\
---------------------------------------------------------------------------
\83\ See note 101.
---------------------------------------------------------------------------
Assisting the Medicare+Choice organization's management in
coordinating internal compliance review and monitoring activities,
including annual or periodic reviews of departments;
Independently investigating and acting on matters related
to compliance, including the flexibility to design and
[[Page 61904]]
coordinate internal investigations (e.g., responding to reports of
problems or suspected violations) and any resulting corrective action
with all departments, providers, agents, and, if appropriate,
independent contractors;
Developing policies and programs that encourage managers
and employees to report suspected fraud and other improprieties without
fear of retaliation; and
Continuing the momentum of the compliance program and the
accomplishment of its objectives long after the initial years of
implementation.
2. Compliance Committee
The OIG recommends that a compliance committee be established to
advise the compliance officer and assist in the implementation of the
compliance program.\84\ When assembling a team of people to serve as
the Medicare+Choice organization's compliance committee, the company
should include individuals with a variety of skills.\85\ The OIG
strongly recommends that the compliance officer manage the compliance
committee. Once a managed care organization chooses the people that
will accept the responsibilities vested in members of the compliance
committee, the organization must train these individuals on the
policies and procedures of the compliance program.
---------------------------------------------------------------------------
\84\ The compliance committee benefits from having the
perspectives of individuals with varying responsibilities in the
organization, such as operations, finance, audit, human resources,
utilization review, medicine, claims processing, information
systems, legal, marketing, enrollment and disenrollment as well as
employees and managers of key operating units. These individuals
should have the requisite seniority and comprehensive experience
within their respective departments to implement any necessary
changes in the company's policies and procedures. Some organizations
have found it helpful to include an outside director on its
compliance committee to provide a different perspective.
\85\ A Medicare+Choice organization should expect its compliance
committee members and compliance officer to demonstrate high
integrity, good judgment, assertiveness and an approachable
demeanor, while eliciting the respect and trust of employees of the
organization. The compliance committee members should also have
significant professional experience in working with quality
assurance, enrollment, marketing, clinical records and auditing
principles.
---------------------------------------------------------------------------
The committee's responsibilities should include:
Analyzing the organization's regulatory environment, the
legal requirements with which it must comply and specific risk areas;
Assessing existing policies and procedures that address
these areas for possible incorporation into the compliance program;
Working with appropriate departments, as well as
affiliated providers, to develop standards of conduct and policies and
procedures that promote allegiance to the organization's compliance
program;
Recommending and monitoring, in conjunction with the
relevant departments, the development of internal systems and controls
to carry out the organization's standards, policies and procedures as
part of its daily operations;
Determining the appropriate strategy/approach to promote
compliance with the program and detection of any potential violations,
such as through hotlines and other fraud reporting mechanisms;
Developing a system to solicit, evaluate and respond to
complaints and problems; and
Monitoring internal and external audits and investigations
for the purpose of identifying troublesome issues and deficient areas
experienced by the Medicare+Choice organization and implementing
corrective and preventive action.
The committee may also address other functions as the compliance
concept becomes part of the overall operating structure and daily
routine.
C. Conducting Effective Training and Education
The proper education and training of corporate officers, managers,
employees and the continual retraining of current personnel at all
levels are significant elements of an effective compliance program.
Where appropriate, the Medicare+Choice organization may afford its
contractors the opportunity to participate in the organization's
compliance training and educational programs.\86\ The contractors
should be encouraged to develop their own compliance programs that
complement the Medicare+Choice organization's compliance program.
---------------------------------------------------------------------------
\86\ While some Medicare+Choice organizations may encourage
providers to participate in education programs designed for its own
employees, other organizations may prefer to develop provider-
specific education programs about compliance.
---------------------------------------------------------------------------
1. Formal Training Programs
To ensure the appropriate information is being disseminated to the
correct individuals, the Medicare+Choice organization training program
should include both a general session and specialized sessions on
specific risk areas. All employees should attend the general session on
compliance. Employees whose job responsibilities implicate specific
risk areas (e.g., marketing or data collection and submission) should
attend the specialized sessions.
The OIG recommends that attendance and participation at training
programs be made a condition of continued employment and that failure
to comply with training requirements should result in disciplinary
action, including possible termination, when such failure is serious.
The Medicare+Choice organization should retain adequate records of its
training of employees, including attendance logs and material
distributed at training sessions. New employees should be targeted for
training early in their employment, and to the extent that they perform
complicated tasks with greater organizational legal exposure, should be
monitored closely until all training is completed.
a. General Sessions
As part of their compliance programs, Medicare+Choice organizations
should require all employees to attend annual training that emphasizes
the organization's commitment to compliance with all Federal and State
statutes and requirements, and the policies of private payors. While
the OIG recognizes that not all standards, policies and procedures need
to be communicated to all employees, it believes that the general
message about the importance of complying with fraud and abuse laws and
other ethical areas should be addressed and made part of the general
training.
As part of the initial training, the standards of conduct should be
distributed to all employees. Every employee should be required to sign
and date a statement that reflects the employee's knowledge of, and
commitment to the standards of conduct. This attestation should be
retained in the employee's personnel file. The standards of conduct
should be updated and revised as appropriate.
b. Specialized Training
Because Medicare+Choice organizations are responsible for
compliance in all of the risk areas mentioned in section II.A. above,
the OIG recommends Medicare+Choice organizations require individuals
who are involved in the risk areas to receive specialized training. For
example, marketing employees should receive training on the marketing,
enrollment, disenrollment and anti-kickback policies. All employees who
work with beneficiaries or providers regarding medical services should
receive appropriate training on the risks associated with
underutilization. Those employees who are involved in developing
enrollment, encounter and ACR data should receive training on
[[Page 61905]]
HCFA policies in these areas. Clarifying and emphasizing these areas of
concern through training and educational programs are particularly
relevant to a Medicare+Choice organization's marketing and financial
personnel, in that the pressure to meet business goals may render these
employees particularly vulnerable to engaging in prohibited practices.
The OIG recommends Medicare+Choice organizations' compliance
programs address the need for periodic professional education courses
for relevant personnel. Such courses would be in addition to the
internal training sessions provided by the organization.
c. Format of the Training Program
The OIG suggests all relevant levels of personnel be made part of
various educational and training programs of the Medicare+Choice
organization. Employees should be required to have a minimum number of
educational hours per year, as appropriate, as part of their employment
responsibilities. A variety of teaching methods, such as interactive
training and training in several different languages (including the
translation of standards of conducts and other materials), particularly
where a Medicare+Choice organization has a culturally diverse staff,
should be implemented so that all affected employees are knowledgeable
about the institution's standards of conduct and procedures for
alerting senior management to problems and concerns. In addition, the
materials should be written at appropriate reading levels for targeted
employees. All training materials should be designed to take into
account the skills, knowledge and experience of the individual
trainees. Post-training tests can be used to assess the success of
training provided and employee comprehension of the Medicare+Choice
organization's policies and procedures.
2. Informal and Ongoing Compliance Training
It is essential that compliance issues remain at the forefront of
the Medicare+Choice organization's priorities. The organization must
demonstrate its commitment by continuing to disseminate the compliance
message. One effective mechanism to achieve this goal is to publish a
monthly compliance newsletter, or devote a section to compliance in a
general weekly or monthly existing newsletter. This would allow the
Medicare+Choice organization to address specific examples of problems
the company encountered during its ongoing audits and risk analysis,
while reinforcing the company's firm commitment to the general
principles of compliance and ethical conduct. The newsletter could also
include the risk areas identified in current OIG publications or
investigations. Finally, the Medicare+Choice organization could use the
newsletter as a mechanism to notify employees of significant legal or
regulatory developments. The Medicare+Choice organization should
maintain its newsletters in a central location to document the guidance
offered and provide new employees with access to guidance previously
provided. Other written materials, such as posters, fliers or articles
in other company publications, could also be used to disseminate the
compliance message.
Another effective method of maintaining the presence of the
compliance message is to maintain a website devoted to compliance
issues. This could be linked to the homepage of the organization. Many
organizations have chosen to maintain these sites internally on the
Intranet to alleviate any confidentiality concerns. The Intranet (or
Internet) also facilitates the use of hypertext links that allow the
organization to maintain a centralized source on statutory, regulatory
and other program guidance disseminated by HCFA, the OIG, the
Department of Justice and the Congress. These links, along with any
other webpages that the Medicare+Choice organization deems pertinent
and useful can be assembled on a single site that can, by hypertext
link, provide access to all of these useful resources.
D. Developing Effective Lines of Communication
An open line of communication between the compliance officer and
Medicare+Choice organization personnel, as well as among the
organization, health care providers and enrollees, is critical to the
successful implementation of a compliance program and the reduction of
any potential for fraud, abuse and waste. Each organization should have
in place both a mechanism for the reporting of improper conduct, as
well a mechanism for more routine types of communication among the
compliance officer and relevant groups.
1. Hotline or Other System for Reports of Potential Misconduct
Each Medicare+Choice organization should have in place a hotline or
other mechanism \87\ through which employees, enrollees or other
parties can report potential violations of the organization's
compliance policies or of Federal or State health care program
requirements. In any event, several independent reporting paths should
be created for an employee to report fraud, waste or abuse so that such
reports cannot be diverted by supervisors or other personnel. If the
organization establishes a hotline, the telephone number should be made
readily available to all employees, enrollees and independent
contractors, by circulating the number on wallet cards or conspicuously
posting the telephone number in common work areas.\88\
---------------------------------------------------------------------------
\87\ The OIG recognizes that it may not be financially feasible
for a small Medicare+Choice organization to maintain a telephone
hotline dedicated to receiving calls solely on compliance issues.
These companies may explore alternative methods, e.g., contracting
with an independent source to provide hotline services or
establishing a written method of confidential disclosure.
\88\ Medicare+Choice organizations should also post in a
prominent, available area the HHS-OIG Hotline telephone number, 1-
800-447-8477 (1-800-HHS-TIPS), in addition to any organization's
hotline number that may be posted.
---------------------------------------------------------------------------
Matters reported through the hotline or other communication sources
that suggest violations of compliance policies, Federal and State
health care program requirements, regulations or statutes should be
documented and investigated promptly to determine their veracity and
significance. A log should be maintained by the compliance officer or
authorized designee that records such calls, including the nature of
any investigation and its results.\89\ Such information should be
included in reports to the governing body, the CEO and compliance
committee.
---------------------------------------------------------------------------
\89\ To efficiently and accurately fulfill such an obligation,
the Medicare+Choice organization should create an intake form for
all issues identified through reporting mechanisms. The form could
include information concerning the date the potential problem was
reported, the internal investigative methods utilized, the results
of any investigation, any corrective action implemented, any
disciplinary measures imposed and any overpayments and monies
returned.
---------------------------------------------------------------------------
Employees, enrollees and providers should be permitted to report
matters on a confidential basis. To encourage such reporting, written
confidentiality and non-retaliation policies should be developed.
Employees, enrollees, providers and other contractors should be made
aware of these policies to encourage communication and the reporting of
incidents of potential fraud.\90\ While the Medicare+Choice
[[Page 61906]]
organization should always strive to maintain the confidentiality of
the reporter's identity, the policies should explicitly communicate
that there may be a point where the individual's identity may become
known or may have to be revealed.
---------------------------------------------------------------------------
\90\ The OIG believes that whistleblowers should be protected
against retaliation, a concept embodied in the provisions of the
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees
sue their employers under the False Claims Act's qui tam provisions
out of frustration because of the company's failure to take action
when a questionable, fraudulent or abusive situation was brought to
the attention of senior corporate officials.
---------------------------------------------------------------------------
The OIG recognizes that assertions of fraud and abuse by those who
may have participated in illegal conduct or committed other malfeasance
raise numerous complex legal and management issues that should be
examined on a case-by-case basis. The compliance officer may wish to
work closely with legal counsel to obtain guidance on these issues.
2. Routine Communication/Access to the Compliance Officer
While it is crucial that Medicare+Choice organizations have
effective systems in place for the reporting of suspected misconduct,
it is equally important that the compliance officer foster more routine
communication both among its employees and among its health care
providers and enrollees.
With respect to its own employees, the OIG encourages the
establishment of procedures for personnel to seek clarification from
the compliance officer or members of the compliance committee in the
event of any confusion or question regarding a company policy, practice
or procedure. Questions and responses should be documented and dated
and, if appropriate, shared with other staff so that standards,
policies, practices and procedures can be updated and improved to
reflect any necessary changes or clarifications. The compliance officer
may want to solicit employee input in developing these communication
and reporting systems. The methods discussed above relating to ongoing
training and education are an integral part of this communication.\91\
---------------------------------------------------------------------------
\91\ In addition to methods of communication used by current
employees, an effective employee exit interview program could be
designed to solicit information from departing employees regarding
potential misconduct and suspected violations of the Medicare+Choice
organization's policy and procedures.
---------------------------------------------------------------------------
The communication and coordination function of the compliance
program serves an even more critical role in the context of the managed
care environment because the managed care entity serves as an
intermediary between the health care provider and the enrollee. In
fact, the raison d'etre of a managed care organization is to coordinate
the care of its enrollees. As with providers, communications with
beneficiaries and communications with HCFA (and its designees) must
demonstrate the highest level of integrity, honesty and judgment. The
Medicare+Choice organization should implement methods to encourage
communication among its enrollees and providers. For example, as
appropriate, a Medicare+Choice organization should communicate the
results of audits, disenrollment surveys, utilization data and quality
of care determinations to its contracting suppliers and providers in
order to facilitate open discussion regarding appropriate health care
delivery.
E. Auditing and Monitoring
An ongoing evaluation process is critical to a successful
compliance program.\92\ The OIG believes an effective program should
incorporate thorough monitoring of its implementation and regular
reporting to senior company officers. Compliance reports created by
this ongoing monitoring, including reports of suspected noncompliance,
should be maintained by the compliance officer and reviewed with the
Medicare+Choice organization's senior management and the compliance
committee. The extent and frequency of the audit function may vary
depending on factors such as the size of the company, the resources
available to the company, the company's prior history of noncompliance
and the risk factors that are prevalent in a particular organization.
However, all Medicare+Choice organizations have an obligation to
establish an adequate audit function and meet all of HCFA's
requirements.
---------------------------------------------------------------------------
\92\ The OIG recognizes that Medicare+Choice organizations have
a variety of ongoing monitoring processes and would most likely
incorporate these existing processes, as appropriate, into their
compliance program. We do not anticipate that the compliance
monitoring function would exist entirely independently of the
operational program.
---------------------------------------------------------------------------
Although many monitoring techniques are available, one effective
tool to promote and ensure compliance is the performance of regular,
periodic compliance audits by internal or external auditors who have
expertise in Federal and State health care statutes, regulations and
Federal health care program requirements. The audits should focus on
the Medicare+Choice organization's programs or divisions, including
external relationships with third-party contractors, specifically those
with substantive exposure to Government enforcement actions. The audits
should cover the range of programmatic requirements of the
Medicare+Choice program and comply with generally accepted protocols
governing such audits. In particular, the audits should focus on the
risk areas identified earlier in this document, especially the data and
information that affect payments by Medicare. Finally, the
Medicare+Choice organization should focus on any areas of specific
concern identified within that organization and those that may have
been identified by any outside agency, whether Federal or State.
Monitoring techniques may include sampling protocols that permit
the compliance officer to identify and review variations from an
established baseline.\93\ Significant variations from the baseline
should trigger a reasonable inquiry to determine the cause of the
deviation. If the inquiry determines that the deviation occurred for
legitimate, explainable reasons, the compliance officer or manager may
want to limit any corrective action or take no action. If it is
determined that the deviation was caused by improper procedures,
misunderstanding of rules, including fraud and systemic problems, the
Medicare+Choice organization should take prompt steps to correct the
problem.\94\ Any overpayments discovered as a result of such deviations
should be reported promptly to HCFA (or its designees), with
appropriate documentation and a thorough explanation of the reason for
the overpayment.\95\
---------------------------------------------------------------------------
\93\ The OIG recommends that when a compliance program is
established in a Medicare+Choice organization, the compliance
officer, with the assistance of department managers, take a
``snapshot'' of the organization's operations from a compliance
perspective. This assessment can be undertaken by outside
consultants, law or accounting firms, or internal staff, with
authoritative knowledge of health care compliance requirements. This
``snapshot,'' often used as part of bench marking analysis, becomes
a baseline for the compliance officer and other managers to judge
the Medicare+Choice organization's progress in reducing or
eliminating potential areas of vulnerability. Medicare+Choice
organizations should track statistical data on utilization review
and quality data based on customer satisfaction and renewal data.
This will facilitate identification of problem areas and elimination
of potential areas of abusive or fraudulent conduct.
\94\ Prompt steps to correct the problem include contacting the
appropriate provider in situations where the provider's actions
contributed to the problem.
\95\ In addition, when appropriate, as referenced in section G,
below, reports of fraud or systemic problems should also be made to
the appropriate Government authority.
---------------------------------------------------------------------------
An effective compliance program should also incorporate periodic
(at a minimum, annual) reviews of whether the program's compliance
elements have been satisfied, e.g., whether there has been appropriate
dissemination of the program's standards, training, ongoing educational
programs and
[[Page 61907]]
disciplinary actions.\96\ This process will verify actual conformance
by all departments with the compliance program. Such reviews may
support a determination that appropriate records have been created and
maintained to document the implementation of an effective program.
---------------------------------------------------------------------------
\96\ One way to assess the knowledge, awareness and perceptions
of the Medicare+Choice organization's staff is through the use of a
validated survey instrument (e.g., employee questionnaires,
interviews or focus groups).
---------------------------------------------------------------------------
The reviewers involved in any audits should:
Possess the qualifications and experience necessary to
adequately identify potential issues with the subject matter to be
reviewed;
Be independent of the specific functional area examined;
Have access to existing audit resources, relevant
personnel and all relevant areas of operation;
Present written evaluative reports on compliance
activities to the CEO, governing body members of the compliance
committee on a regular basis, but not less than annually; and
Specifically identify areas where corrective actions are
needed.
In the Medicare+Choice context, a variety of different methods will
be necessary to adequately monitor and evaluate the ongoing operations
of the Medicare+Choice organization. In general, the OIG recommends the
use of techniques such as on-site visits, questionnaires (for
providers, enrollees and employees), and trend analyses, to name just
several.\97\ Because the auditing and monitoring function is very
different and much more complex in the managed care context than in any
other segment of the health care industry, we have provided additional
guidance on the methods to be used in evaluating selected risk areas.
---------------------------------------------------------------------------
\97\ Medicare+Choice organizations may want to consult HCFA's
Contractor Performance Monitoring System Manual to get additional
ideas for monitoring methods. In addition, organizations may want to
consult the OAS website for information on conducting audits,
including information on statistical sampling (RAT-STATS). See note
10.
---------------------------------------------------------------------------
1. Marketing/Enrollment/Diseenrollment
Developing a system for evaluating the compliance of the marketing,
enrollment and disenrollment functions of a Medicare+Choice
organization requires innovative techniques. Each Medicare+Choice
organization will have to develop an individualized method as to how to
obtain this data. Some of the methods that the OIG suggests include:
using secret shoppers; surveying \98\ current enrollees; \99\ and
conducting exit interviews with former enrollees (particularly those
that disenrolled just prior to obtaining an expensive service) on their
experience with the Medicare+Choice marketing and enrollment process.
Once this data is collected, it must be maintained in a format that can
be accessed readily.
---------------------------------------------------------------------------
\98\ Medicare+Choice organizations may be able to use response
data from already existing surveys, such as from the Health of
Seniors survey (HEDIS) and for certain organizations, the mandatory
disenrollment surveys required under PIP.
\99\ It should be noted, while this method may be less
expensive, it may not provide unbiased data, particularly in the
area of selective marketing. In fact, in the selective marketing
area, the data may be skewed significantly in favor of the
Medicare+Choice organization.
---------------------------------------------------------------------------
In an effort to integrate the monitoring function with its training
function, a Medicare+Choice organization may wish to test its marketing
staff on their knowledge of the company's policies and procedures, as
well as the Federal and State statutes that govern the marketing
process. This assessment can be developed using many formats. Many
companies have customized interactive software to test employees'
knowledge of relevant policies and procedures. It may also be
formulated in the traditional written version.
Methods used to monitor marketing agents include the analysis of
disenrollment data to identify marketing agents with high and low
percentages of member disenrollments within a set number of days (e.g.,
90 days). In addition, Medicare+Choice organizations may want to
establish enrollment verification systems requiring that a different
individual from the sales agent meet with beneficiaries who have
applied for enrollment to ensure that they understand restrictions of
the plan, such as the lock-in provision.
Finally, it is essential for all marketing materials to be reviewed
by an independent and competent reviewer, such as an individual in the
general counsel's office, to ensure that they do not mislead, confuse
or misrepresent any aspect of the plan. Similarly, a Medicare+Choice
organization may want to consider having the materials examined by
individuals familiar with the claims processing department and
utilization review office for consistency with the policies, procedures
and practices of these departments.
2. Underutilization and Quality of Care
Procedures for tracking and reporting utilization review data are
vital to the success of any compliance endeavor. Medicare+Choice
organizations should periodically review the service areas that are
part of the Medicare+Choice organization to ensure that enrollees are
receiving adequate access to care. In reviewing service areas,
Medicare+Choice organizations should collect data on a variety of
topics, including the number of primary care physicians in the service
area, the number and type of specialists in the service area, the
waiting time for appointments, the telephone access to the
Medicare+Choice organization, rates of denial of emergency services
claims and the problems associated with the coordination of care. All
of this data should be maintained in a database in a format that can be
used to generate statistical data and analysis.
Medicare+Choice organizations should ensure that there are adequate
systems in place to monitor underutilization and inappropriate denials.
Such procedures include collecting data on utilization patterns and
detecting aberrant patterns. This data should be checked against
utilization rates in the industry. This function could be performed by
a medical affairs department that is responsible for regular review of
claims, the payment system, encounter data and medical record review to
assess the degree to which care is under (or over) utilized.
Similarly, the Medicare+Choice organization should survey its
enrollees on utilization patterns and whether they felt they were
subjected to inadequate health care services, inappropriate denials,
type of practitioner providing treatment and whether a beneficiary's
request for another provider was denied or approved. Such survey
results should be reviewed and investigated, when appropriate.
Generally, these may be skewed in favor of the Medicare+Choice
organization if the enrollees are current members. Presumably, if an
enrollee was truly dissatisfied with the Medicare+Choice organization's
attitude toward enrollee rights, the enrollee would have disenrolled
from the plan. As a result, a Medicare+Choice organization should
evaluate both current enrollee satisfaction surveys and exit interview
surveys of former enrollees.
Medicare+Choice organizations have a good source of information
regarding utilization issues, simply by tracking the type of appeals
and grievances they receive from beneficiaries. This information should
be tracked in a database that can be easily accessed by type of
grievance or appeal and results.
[[Page 61908]]
3. Data Collection and Submission Processes
Given the importance of the enrollment, encounter and ACR data, the
Medicare+Choice organization should develop ways to audit this
information to assure its accuracy, completeness and truthfulness, on
best knowledge, information and belief. As indicated earlier, such
methods would ordinarily include sample audits and spot checks of the
system. These activities should be facilitated by the fact that HCFA
requires Medicare+Choice organizations to detail in their contractual
relationships with providers the access that they will need to the
provider's medical record documentation.
4. Anti-Kickback and Other Inducements
Medicare+Choice organizations should periodically review their
contractual documents and discussions with providers to ensure that
``swapping'' is not occurring. In addition, contracts with marketing
personnel should be reviewed by legal counsel to be sure they do not
violate the anti-kickback statute and other applicable statutes and
regulations.
F. Enforcing Standards Through Well-Publicized Disciplinary Guidelines
and Policies Regarding Dealings With Ineligible Persons
The OIG recommends that all Medicare +Choice organizations'
compliance programs include several key policies in the area of
personnel/human resources. The first deals with the establishment, and
consistent application of, appropriate disciplinary policies to deal
with improper conduct and the second deals with the employment of
certain ineligible individuals.
1. Consistent Enforcement of Disciplinary Policies
An effective compliance program should include guidance regarding
disciplinary action for all employees who have failed to comply with
the Medicare+Choice organization's standards of conduct, policies and
procedures, Federal health care program requirements, or Federal and
State laws, or those who have otherwise engaged in wrongdoing. It is
vital to publish and disseminate the range of possible disciplinary
actions for improper conduct and to educate officers and other staff
regarding these standards. Employees should be advised that
disciplinary action may be appropriate where a responsible employee's
failure to detect a violation is attributable to his or her negligence
or reckless conduct. The sanctions could range from oral warnings to
suspension, termination or other sanctions, as appropriate. While each
situation must be considered on a case-by-case basis to determine the
appropriate sanction, intentional or reckless noncompliance should
subject transgressors to significant sanctions.
The written standards of conduct should elaborate on the procedures
for handling disciplinary problems and identify who will be responsible
for taking appropriate action. For example, while disciplinary actions
can be handled by department managers, others may have to be resolved
by a more senior official of the organization. Personnel should be
advised by the organization that disciplinary action will be taken on a
fair and equitable basis, that is, all levels of employees should be
subject to similar disciplinary action for the commission of similar
offenses. Managers and supervisors should be held accountable to
implement the disciplinary policy consistently so that the policy will
have the required deterrent effect.
2. Employment of, and Contracting With, Ineligible Persons
All Medicare+Choice organizations should use care when delegating
substantial discretionary authority to make decisions that may involve
compliance with the law or compliance oversight. In particular, the
organization should ensure that it does not delegate such
responsibilities to individuals or entities that it knows, or should
have known, have a propensity to engage in inappropriate or improper
conduct. Pursuant to the compliance program, a Medicare+Choice
organization's policies should prohibit the hiring of, or entering
into, contracts with individuals or entities who have been recently
convicted of a criminal offense related to health care or who are
listed as debarred, excluded or otherwise ineligible for participation
in Federal health care programs.\100\ The policies should require the
Medicare+Choice organization to utilize Government resources to
determine whether such individuals or entities are debarred or
excluded. These resources should be used for both potential employees
(as part of the employment application process, which should also
include a reasonable and prudent background investigation), and should
be used to periodically check existing employees and contractors.
---------------------------------------------------------------------------
\100\ Prospective employees who have been officially reinstated
into the Medicare and Medicaid programs by the OIG may be considered
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------
Lists of debarred and excluded individuals and entities are
currently maintained by both the OIG and the General Services
Administration.\101\ By approximately January 2000, the Healthcare
Integrity Protection Data Bank (HIPDB) will be available to
Medicare+Choice organizations (for a nominal fee) to use in conducting
these checks on employees and contractors.\102\ The HIPDB is an
electronic data collection program that will collect, store and
disseminate reports on practitioners, providers and suppliers that have
been the subject of health care related final adverse actions in
criminal, civil and administrative proceedings. The final adverse
actions to be reported to the HIPDB include criminal convictions or
civil judgments related to the delivery of health care, actions by
Federal or State agencies responsible for licensing or certification of
health care providers, suppliers and practitioners, exclusions from
Federal or State health care programs, and certain final adverse
actions taken by health plans.\103\ Pending the resolution of any known
criminal charges or proposed debarment or exclusion, the OIG recommends
that such individuals should be removed from direct responsibility for,
or involvement in, any Federal health care program. If labor agreements
make such removal legally impermissible, the OIG recommends that the
individual be closely supervised in all aspects of his or her duties
that relate to Federal health care programs. If the resolution of the
matter results in conviction, debarment or exclusion of a current
employee or contractor, then the Medicare+Choice organization must not
continue to employ or contract with such individual for the provision
of health care, utilization review, medical social work or
administrative services.\104\
---------------------------------------------------------------------------
\101\ OIG's List of Excluded Individuals/Entities is available
on the Internet at http://www.hhs.gov/oig/ and the GSA list of
debarred contractors is available on the Internet at http://
www.arnet.gov/epls.
\102\ 42 U.S.C. 1320a-7e.
\103\ Note that agencies and health plans are required by HIPAA
to report to the HIPDB. Failure by a health plan to make the
mandated reports to the HIPDB may result in CMPs being assessed
against the health plan, pursuant to 42 U.S.C. 1320a-7e(b)(6).
\104\ 42 CFR 422.752(a)(8).
---------------------------------------------------------------------------
G. Responding to Detected Offenses, Developing Corrective Action
Initiatives, and Reporting to Government Authorities
Violations of the Medicare+Choice organization's compliance
program, failures to comply with applicable
[[Page 61909]]
Federal or State law, rules and program instructions and other types of
misconduct may threaten a Medicare+Choice organization's status as a
reliable, honest and trustworthy company. Detected but uncorrected
misconduct can seriously endanger the mission, reputation and legal
status of the organization. Consequently, it is important that the
chief compliance officer or other management officials promptly
investigate and take appropriate action with respect to any reports or
reasonable indications of suspected noncompliance.\105\
---------------------------------------------------------------------------
\105\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a
health care program is not solely determinative of whether or not
the conduct should be investigated and reported to governmental
authorities. In fact, there may be instances where there is no
readily identifiable monetary loss at all, but corrective action and
reporting are still necessary to protect the integrity of the
applicable program and its beneficiaries.
---------------------------------------------------------------------------
Pending issuance of final HCFA regulations \106\ regarding the
obligations of a Medicare+Choice organizations to report misconduct,
the OIG recommends that the following procedures be followed when a
Medicare+Choice organization discovers from any source evidence of
misconduct related to payment or delivery of health care items or
services under the Medicare+Choice contract. First, the Medicare+Choice
organization should conduct a timely, reasonable inquiry into the
misconduct. Second, if after reasonable inquiry, the organization has
determined that the misconduct may violate criminal, civil or
administrative law, it should report the existence of the misconduct
promptly to the appropriate Government authority \107\ within a
reasonable period, but not more than 60 days \108\ after a
determination that a violation may have occurred.\109\ When reporting
potential violations to the Government, a Medicare+Choice organization
should provide all evidence relevant to the potential violation,
including the impact of the potential violation on beneficiaries and
any potential cost impact. Finally, the Medicare+Choice organization
should initiate and implement appropriate corrective actions, e.g.,
repayment of overpayments, disciplinary actions and modifications of
procedures to ensure the problem does not recur.
---------------------------------------------------------------------------
\106\ 42 CFR 422.501(b)(vi).
\107\ For example, if the potential violation relates to federal
criminal law, the Civil False Claims Act, the civil money penalty
authorities (primarily under sections 1128A and 1857 of the Social
Security Act) and related statutes administered by the HHS/OIG, the
report must be made to that office.
\108\ While the OIG recommends reporting in 60 days, the
organization must report within 30 days in order to attempt to
obtain favorable treatment under the Civil False Claims Act. See
note 6. In addition, reporting such conduct may be considered a
mitigating factor by the OIG in determining administrative sanctions
(e.g., penalties, assessments and exclusion), if the reporting
company becomes the subject of an OIG investigation. See 62 FR 67392
(12/24/97).
\109\ The OIG believes that some potential violations may be so
serious that they warrant immediate notification to Government
authorities, prior to, or simultaneous with, commencing an internal
inquiry. Examples of such situations include instances when the
misconduct: (1) Is a clear violation of civil fraud or criminal law;
(2) has a significant adverse effect on the quality of care provided
to program beneficiaries (in addition to any other legal obligations
regarding quality of care); or (3) indicates evidence of a systemic
failure to comply with applicable laws or an existing corporate
integrity agreement, regardless of the financial impact on Federal
health care programs.
---------------------------------------------------------------------------
Failure to notify HCFA of an overpayment within a reasonable period
of time could be interpreted as an intentional attempt to conceal the
overpayment from the Government, thereby establishing an independent
basis for a criminal violation with respect to the Medicare+Choice
organization, as well as any individuals who may have been
involved.\110\ For this reason, Medicare+Choice compliance programs
should ensure that overpayments are identified quickly and promptly
return overpayments obtained from Medicare or other Federal health care
programs.
---------------------------------------------------------------------------
\110\ 42 U.S.C. 1320a-7b(a)(3).
---------------------------------------------------------------------------
The OIG recommends that Medicare+Choice organizations consider the
following guidance as they structure internal inquiries. Depending upon
the nature of the alleged violations, an internal inquiry will probably
include interviews and a review of relevant documents. Medicare+Choice
organizations should consider engaging outside counsel, auditors or
health care experts to assist in an inquiry. Records of the inquiry
should contain documentation of the alleged violation, a description of
the process (including the objectivity of the investigators and
methodologies utilized), copies of interview notes and key documents, a
log of the witnesses interviewed and the documents reviewed, and the
results of the investigation, e.g., any disciplinary action taken and
any corrective action implemented. Although any action taken as the
result of an inquiry will necessarily vary depending upon the
Medicare+Choice organization and the situation, Medicare+Choice
organizations should strive for some consistency by utilizing sound
practices and disciplinary protocols. Further, after a reasonable
period, the compliance officer should review the circumstances that
formed the basis for the inquiry to determine whether similar problems
have been uncovered or modifications of the compliance program are
necessary to prevent and detect other inappropriate conduct or
violations.
If an inquiry of an alleged violation is undertaken and the
compliance officer believes the integrity of the inquiry may be at
stake because of the presence of employees under investigation, those
subjects should be removed from their current work activity until the
inquiry is completed (unless an internal or Government-led undercover
operation known to the Medicare+Choice organization is in effect). In
addition, the compliance officer should take appropriate steps to
secure or prevent the destruction of documents or other evidence
relevant to the inquiry. If the Medicare+Choice organization determines
disciplinary action is warranted, it should be prompt and imposed in
accordance with the organization's written standards of disciplinary
action.
III. Conclusion
Through this document, the OIG has attempted to provide a
foundation for the development of effective and comprehensive
Medicare+Choice compliance programs. These principles can also be used
by entities to develop compliance programs applicable to other Federal
and health care programs, as well as for their private lines of
business. As previously stated, however, each program must be tailored
to fit the needs and resources of an individual organization, depending
upon its particular corporate structure, mission and employee
composition. The statutes, regulations and guidelines of the Federal
and State health insurance programs, as well as the policies and
procedures of the private health plans, should be integrated into every
Medicare+Choice organization's compliance program.
The OIG recognizes that the health care industry, which reaches
millions of beneficiaries and expends about a trillion dollars
annually, is constantly evolving. In no area of the industry is this
more evident than in the growing area of managed care, particularly
Medicare managed care. As a result, the time is right for
Medicare+Choice organizations to implement strong, voluntary compliance
programs. Compliance is a dynamic process that helps to ensure
Medicare+Choice organizations are better able to fulfill their
commitment to ethical behavior and to meet the changes and challenges
being imposed upon them by the Congress and private insurers. It is
[[Page 61910]]
OIG's hope that voluntarily created compliance programs will enable
Medicare+Choice organizations to meet their goal of providing efficient
and quality health care and, at the same time, substantially reducing
fraud, waste and abuse.
Dated: November 5, 1999.
June Gibbs Brown,
Inspector General.
[FR Doc. 99-29632 Filed 11-12-99; 8:45 am]
BILLING CODE 4150-04-P