[Federal Register Volume 64, Number 219 (Monday, November 15, 1999)]
[Notices]
[Pages 61893-61910]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-29632]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General


Publication of the OIG's Compliance Program Guidance for 
Medicare+Choice Organizations Offering Coordinated Care Plans

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: This Federal Register notice sets forth the Compliance Program 
Guidance for Medicare+Choice Organizations Offering Coordinated Care 
Plans (``Medicare+Choice organizations'') that was recently issued by 
the Office of Inspector General (OIG). The OIG has previously developed 
and published compliance program guidance focused on other areas of the 
health care industry. We believe that the development and issuance of 
this compliance program guidance for Medicare+Choice organizations will 
continue to serve as a positive step toward promoting a high level of 
ethical and lawful conduct throughout the entire health care industry.

FOR FURTHER INFORMATION CONTACT: Barbara Frederickson, Office of 
Counsel to the Inspector General, (202) 619-2078.

SUPPLEMENTARY INFORMATION:

Background

    The creation of compliance program guidance continues to be a major 
initiative by the OIG in its effort to engage the health care community 
in combating fraud and abuse. In formulating compliance guidance, the 
OIG has worked closely with the Health Care Financing Administration 
(HCFA), the Department of Justice (DOJ) and various sectors of the 
health care industry to provide clear guidance to the industry. The 
previously-issued compliance program guidances addressed six areas: the 
hospital industry; home health agencies; clinical laboratories; third-
party medical billing companies; the durable medical equipment, 
prosthetics, orthotics and supply industry; and hospices. The 
development of these compliance program guidances is based on our 
belief that a health care provider can use internal controls to more 
efficiently monitor adherence to applicable statutes, regulations and 
program requirements.

Guidance for Medicare+Choice Organizations

    On September 22, 1998, the OIG published a solicitation notice 
seeking information and recommendations for developing formal guidance 
for Medicare+Choice organizations (63 FR 50577). In response to that 
solicitation notice, the OIG received five comments from the industry 
and their representatives. After careful consideration of those initial 
comments, and in an effort to ensure that all parties had a reasonable 
opportunity to provide input into a final product, the OIG published 
draft guidance for Medicare+Choice organizations on June 24, 1999 (64 
FR 33869) for further comment and recommendations. A total of 16 
timely-filed comments were received for consideration by the OIG in 
response to the publication of that draft guidance.

Elements for an Effective Compliance Program

    Through experience, the OIG has identified seven fundamental 
elements to an effective compliance guidance program that are being 
reflected in this latest issuance. They are:
     Implementing written policies, procedures and standards of 
conduct;
     Designating a compliance officer and a compliance 
committee;
     Conducting effective training and education;
     Developing effective lines of communication;
     Enforcing standards through well-publicized disciplinary 
guidelines and developing policies addressing dealings with sanctioned 
individuals;
     Conducting internal monitoring and auditing; and
     Responding promptly to detected offenses, developing 
corrective action, and reporting to the Government.
    The OIG is offering specific compliance measures that may be 
implemented by Medicare+Choice organizations in an effort to curtail or 
eliminate fraud and abuse. While HCFA regulations require 
Medicare+Choice organizations to implement compliance programs, 
adoption of the Compliance Program Guidance for Medicare+Choice 
Organizations Offering Coordinated Care Plans set forth below is 
voluntary.
    A reprint of this newly-issued compliance program guidance follows:

Office of Inspector General's Compliance Program Guidance for 
Medicare+Choice Organizations Offering Coordinated Care Plans 
(November 1999)

I. Introduction

    In its ongoing effort to work collaboratively with the health care 
industry to achieve the mutual goals of quality health care and the 
elimination of fraud, waste and abuse, the Office of Inspector General 
(OIG) of the Department of Health and Human Services (HHS) encourages 
voluntarily developed and implemented compliance programs for the 
health care industry. Fundamentally, compliance efforts are designed to 
establish a culture within an organization that promotes prevention, 
detection and resolution of instances of conduct that do not conform to 
Federal and State law and Federal health care program requirements, as 
well as the organization's ethical and business policies. In practice, 
the compliance program should effectively articulate and demonstrate 
the organization's commitment to legal and ethical conduct.
    As a demonstration of the OIG's commitment to compliance, the OIG 
has issued recommendations, in the form of compliance program 
guidances, that provide suggestions regarding how specific segments of 
the industry can

[[Page 61894]]

best implement compliance programs.\1\ As a result of the changing 
nature of the health care delivery system and the growing trend toward 
reliance on the managed care industry in the provision of health care 
in the Medicare context, the OIG believes it is appropriate to issue a 
guidance focusing on Medicare+Choice organizations \2\ offering 
coordinated care plans \3\ (Medicare+Choice organizations). The OIG 
formulated this guidance specifically for Medicare+Choice organizations 
because these organizations are well-defined and are subject to a 
comprehensive regulatory structure.\4\ In addition, Congress envisioned 
an important role for Medicare+Choice organizations, demonstrated by 
the substantial amount of Federal funds received by these 
organizations.
---------------------------------------------------------------------------

    \1\ See 64 FR 58419 (10/29/99) for the draft compliance program 
guidance for nursing facilities; 64 FR 54031 (10/5/99) for the 
compliance program guidance for hospices; 64 FR 36368 (7/6/99) for 
the compliance program guidance for the durable medical equipment, 
prosthetics, orthotics and suppliers industry; 63 FR 70138 (12/18/
98) for the compliance program guidance for third-party medical 
billing companies; 63 FR 45076 (8/24/98) for the compliance program 
guidance for clinical laboratories; 63 FR 42410 (8/7/98) for the 
compliance program guidance for home health agencies; and 63 FR 8987 
(2/23/98) for the compliance program guidance for hospitals.    
These documents are also located on the Internet at http://
www.hhs.gov/oig/.
    \2\ A Medicare+Choice organization is defined as a public or 
private entity organized and licensed by a State as a risk-bearing 
entity (with the exception of provider-sponsored organizations 
receiving waivers) that is certified by the Health Care Financing 
Administration (HCFA) as meeting the Medicare+Choice contract 
requirements (42 CFR 422.2).
    \3\ For the purposes of this compliance program guidance, a 
``coordinated care plan'' is a plan that includes a network of 
providers that are under contract or arrangement with the 
organization to deliver the benefit package approved by HCFA (42 
U.S.C. 1395w-28(a)(1); 42 CFR 422.4).
    \4\ In this guidance, we have focused our attention on 
regulations applicable to Medicare+Choice organizations governing 
marketing, enrollment, disenrollment, underutilization, data 
collection, anti-kickback statute and emergency services, rather 
than providing instruction on all aspects of regulatory compliance.
---------------------------------------------------------------------------

    The OIG encourages Medicare+Choice organizations to read the 
guidance with the whole organization in mind, applying the guidance to 
whatever departments or divisions, including private-sector managed 
care areas, that are deemed appropriate by that organization. Indeed, 
many of the suggestions in this guidance can be used by managed care 
organizations that do not contract with HCFA to provide a 
Medicare+Choice plan. In particular, entities that participate in other 
public health care programs, such as Medicaid, may want to look to the 
general principles in this document to assist them in developing 
compliance programs.
    While the regulations implementing the Medicare+Choice program, or 
Part C, require a Medicare+Choice organization to establish a 
compliance plan,\5\ the OIG's program guidance is voluntary and simply 
is intended to provide assistance for Medicare+Choice organizations 
looking for additional direction in the development of internal 
controls that promote adherence to applicable Federal and State law. 
The OIG first provides its general views on the value and fundamental 
principles of Medicare+Choice organizations' compliance programs, and 
then provides specific elements that each Medicare+Choice organization 
should consider when developing and implementing an effective 
compliance program.
---------------------------------------------------------------------------

    \5\ The regulations require that any plan contracting with HCFA 
implement a compliance plan that encompasses the elements detailed 
in the Federal Sentencing Guidelines. 42 CFR 422.501(b)(vi). HCFA 
will release an operational policy letter addressing the compliance 
requirements detailed in the regulation. In response to concerns 
from industry representatives on the short time frame for 
implementing a compliance plan, HCFA delayed the actual 
implementation date of the compliance plan until January 1, 2000.
---------------------------------------------------------------------------

A. Benefits of a Compliance Plan

    The OIG believes an effective compliance program provides a 
mechanism that brings the public and private sectors together to reach 
mutual goals of reducing fraud and abuse, improving operational 
quality, and ensuring the provision of high quality cost-effective 
care. Attaining these goals benefits business, Government, individual 
citizens and Medicare beneficiaries alike. In addition to fulfilling 
its legal duties to ensure that it is not submitting false or 
inaccurate information to the Government or providing substandard care 
to Medicare beneficiaries, a Medicare+Choice organization may gain 
numerous additional benefits by implementing an effective compliance 
program. These benefits may include:
     The formulation of effective internal controls to assure 
compliance with Federal regulations and internal guidelines;
     Improved communication with and satisfaction of 
Medicare+Choice enrollees;
     The ability to more quickly and accurately react to 
employees operational compliance concerns and the capability to 
effectively target resources to address those concerns;
     A concrete demonstration to employees and the community at 
large of the Medicare+Choice organization's strong commitment to honest 
and responsible corporate conduct;
     The ability to obtain an accurate assessment of employee 
and contractor behavior relating to fraud and abuse;
     Improved (clinical and non-clinical) quality of care and 
service;
     Improved assessment tools that could affect many or all of 
the Medicare+Choice organization's divisions or departments;
     Increased likelihood of identification and prevention of 
unlawful and unethical conduct;
     A centralized source for distributing information on 
health care statutes, regulations and other program directives related 
to fraud and abuse;
     The creation or reinforcement of an environment that 
encourages employees to report potential problems;
     Procedures that allow the prompt, thorough investigation 
of possible misconduct by corporate officers, managers, employees and 
independent contractors;
     An improved relationship with the Center for Health Plans 
and Providers (CHPP) at HCFA; and
     Early detection and reporting, minimizing the loss to the 
Government from false or improper claims, and thereby reducing the 
Medicare+Choice organization's exposure to civil damages and penalties, 
criminal sanctions, and administrative remedies, such as program 
exclusion.\6\
---------------------------------------------------------------------------

    \6\ The OIG, for example, will consider the existence of an 
effective compliance program that pre-dated any governmental 
investigation when addressing the appropriateness of administrative 
sanctions. However, the burden is on the Medicare+Choice 
organization to demonstrate the operational effectiveness of a 
compliance program. Further, the False Claims Act, 31 U.S.C. 3729-
3733, provides that a person who has violated the Act, but who 
voluntarily discloses the violation to the Government within 30 days 
of detection, in certain circumstances will be subject to not less 
than double, as opposed to treble, damages. See 31 U.S.C. 3729(a). 
In addition, an organization will receive sentencing credit for an 
``effective'' compliance program under the Federal Sentencing 
Guidelines. See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8C2.5. Thus, the ability to react quickly when 
violations of the law are discovered may materially reduce the 
Medicare+Choice organization's liability.
---------------------------------------------------------------------------

    Overall, the OIG believes that an effective compliance program is a 
sound business investment that has the potential of enhancing the 
efficiency and effectiveness of the Medicare+Choice organization. It 
may also improve the Medicare+Choice organization's financial structure 
by addressing not only fraud and abuse concerns, but efficiency and 
productivity concerns in other operational areas.
    The OIG recognizes the implementation of an effective

[[Page 61895]]

compliance program may not entirely eliminate fraud, abuse and waste 
from an organization. However, a sincere effort by a Medicare+Choice 
organization to comply with applicable Federal and State standards, 
through the establishment of an effective compliance program, 
significantly reduces the probability of unlawful or improper conduct.

B. Application of Compliance Program Guidance

    Before explaining the specific elements of a compliance program, it 
is important to emphasize several aspects of this document: its 
voluntary nature, its applicability to Medicare+Choice organizations, 
the collaborative nature by which it was developed, and its evolving 
nature.
    First, it should be re-emphasized that while the regulations 
implementing the Medicare+Choice program, or Part C, require a 
Medicare+Choice organization to establish a compliance plan, including 
specified elements,\7\ this program guidance is voluntary. Although 
this document presents basic procedural and structural guidance for 
designing a compliance program, it is not in itself a compliance 
program. Rather, it is a set of guidelines for consideration by a 
Medicare+Choice organization interested in obtaining specific 
information on implementing a compliance program. This guidance 
represents the OIG's suggestions on how a Medicare+Choice organization 
can establish internal controls and monitor company conduct to correct 
and prevent fraudulent activities.
---------------------------------------------------------------------------

    \7\ See note 5.
---------------------------------------------------------------------------

    It is critical for the Medicare+Choice organization to assess its 
own organization and determine its needs with regard to compliance with 
applicable Federal and State statutes and Federal health care program 
requirements. By no means should the contents of this guidance be 
viewed as an exclusive discussion of the advisable components of a 
compliance program. On the contrary, the OIG strongly encourages 
Medicare+Choice organizations to develop and implement compliance 
components that uniquely address the individual organization's risk 
areas.
    Implementing a compliance program in a Medicare+Choice organization 
is a complicated venture. There are significant variances and 
complexities among Medicare+Choice organizations in terms of the type 
of services and the manner in which these services are provided to the 
respective members. For example, some Medicare+Choice organizations 
cover broad service areas, while others are focused on a particular 
geographic region. Similarly, the range of benefits covered differ 
among plans, as does the size of the network and the use of a varying 
number of provider contracting tiers to deliver services. Clearly, 
these differences may give rise to different substantive policies to 
ensure effective compliance. Furthermore, some Medicare+Choice 
organizations are relatively small, while others are fully integrated 
and offer Medicare+Choice plans in a wide variety of areas. Finally, 
the availability of resources for any one Medicare+Choice organization 
can differ vastly.
    Notwithstanding these differences, this guidance is pertinent for 
all Medicare+Choice organizations, large or small, regardless of the 
type of services provided. The applicability of the recommendations and 
guidelines provided in this document may depend on the circumstances 
and resources of each particular Medicare+Choice organization. However, 
regardless of the organization's size and structure, the OIG believes 
every Medicare+Choice organization can and should strive to accomplish 
the objectives and major principles underlying all of the compliance 
policies and procedures recommended within this guidance.
    The OIG recognizes that the success of the compliance program 
guidance hinges on thoughtful and practical comments from those 
individuals and organizations that will utilize the tools set forth in 
this document. In a continuing effort to collaborate closely with the 
private sector, the OIG solicited input and support from the public in 
the development of this compliance program guidance.\8\ Further, we 
took into consideration previous OIG publications, such as Special 
Fraud Alerts, the recent findings and recommendations in reports issued 
by OIG's Office of Audit Services (OAS) and Office of Evaluation and 
Inspections (OEI),\9\ comments from HCFA, as well as the experience of 
past and recent fraud investigations related to managed care 
organizations \10\ conducted by OIG's Office of Investigations (OI) and 
the Department of Justice.
---------------------------------------------------------------------------

    \8\ See Solicitation of Information and Recommendations for 
Developing the OIG Compliance Program Guidance for Certain 
Medicare+Choice Organizations (63 FR 50577 (9/22/98)). We also 
requested public comment on the draft guidance (64 FR 33869 (6/24/
99)).
    \9\ Special Fraud Alerts are available on the OIG website at 
http://www.hhs.gov/oig/. The recent findings and recommendations of 
OEI and OAS can be located on the Internet at http://www.hhs.gov/oei 
and http://www.hhs.gov/progorg/oas/cats/hcfa.html, respectively.
    \10\ These investigations include findings based upon Medicare 
risk-based Health Maintenance Organizations and competitive medical 
plans as defined in 42 U.S.C. 1395mm.
---------------------------------------------------------------------------

    As appropriate, this guidance may be modified and expanded as more 
information and knowledge is obtained by the OIG, and as changes in the 
law, and in the rules, policies and procedures of the Federal and State 
plans occur. New compliance practices may eventually be incorporated 
into this guidance if the OIG discovers significant enhancements to 
better ensure an effective compliance program. We recognize the 
development and implementation of compliance programs in 
Medicare+Choice organizations often raise sensitive and complex legal 
and managerial issues.\11\ However, the OIG wishes to offer what it 
believes is critical guidance for those who are sincerely attempting to 
comply with the relevant health care statutes and regulations.
---------------------------------------------------------------------------

    \11\ Nothing stated herein should be substituted for, or used in 
lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------

II. Compliance Program Elements

    The elements discussed in this guidance are similar to those of the 
other OIG Compliance Program Guidances \12\ and our corporate integrity 
agreements.\13\ While these same elements are required by HCFA in the 
Medicare+Choice regulations,\14\ the OIG reiterates that this guidance 
is not mandatory, but simply represents OIG's recommendations on how 
the elements can be implemented.\15\
---------------------------------------------------------------------------

    \12\ See note 1.
    \13\ Corporate integrity agreements are executed as part of a 
civil settlement agreement between the health care provider and the 
Government to resolve a case based on allegations of health care 
fraud or abuse. These OIG-imposed agreements are generally in effect 
for a period of 3 to 5 years and require many of the elements 
included in this compliance guidance.
    \14\ 42 CFR 422.501(b)(vi).
    \15\ The OIG appreciates that because Medicare+Choice 
organizations are subject to substantial regulations that contain 
extensive operational requirements as well as requirements regarding 
self-monitoring and monitoring or review of activities by external 
organizations, they may already be performing some of the activities 
discussed in this guidance. Each Medicare+Choice organization must 
determine the extent to which these activities need to be modified 
or supplemented to create an effective compliance program.
---------------------------------------------------------------------------

    Every effective compliance program must begin with a formal 
commitment \16\ by the Medicare+Choice organization's governing body to 
include all of the

[[Page 61896]]

applicable elements listed below. A good faith and meaningful 
commitment on the part of the Medicare+Choice organization's 
administration, especially the governing body and the chief executive 
officer (CEO), will substantially contribute to the program's 
successful implementation. It is incumbent upon an organization's 
officers and managers to provide ethical leadership to the organization 
and to assure adequate systems and resources are in place to facilitate 
and promote ethical and legal conduct. Employees, managers and the 
Government will focus on the words and actions (including decisions 
made on resources devoted to compliance) of an organization's 
leadership as a measure of the organization's commitment to compliance.
---------------------------------------------------------------------------

    \16\ Formal commitment may include a resolution by the board of 
directors, where applicable. A formal commitment does include the 
allocation of adequate resources to ensure that each of the elements 
is addressed.
---------------------------------------------------------------------------

    Under Medicare+Choice, an organization may, by written contract, 
delegate any activity required under or governed by the Medicare+Choice 
standards to another entity. However, an organization entering into a 
Medicare contract remains entirely accountable to HCFA for the 
performance of any delegated function.\17\ It is the sole 
responsibility of the organization to ensure that the function is 
performed in accordance with applicable standards. While the activity 
may be delegated, the oversight responsibility remains with the 
Medicare+Choice organization. Each Medicare+Choice organization should 
keep these requirements and responsibilities in mind as it develops its 
compliance program.
---------------------------------------------------------------------------

    \17\ 42 CFR 422.502(i).
---------------------------------------------------------------------------

    These elements are based on the seven steps of the Federal 
Sentencing Guidelines.\18\ As required by the HCFA regulations, every 
Medicare+Choice organization must implement all of the recommended 
elements and expand upon them, as appropriate. At a minimum, 
comprehensive compliance programs should include the following seven 
elements:
---------------------------------------------------------------------------

    \18\ See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, comment. (n.3(k)). The Federal Sentencing 
Guidelines are detailed policies and practices for the Federal 
criminal justice system that prescribe appropriate sanctions for 
offenders convicted of Federal crimes.
---------------------------------------------------------------------------

    (1) The development and distribution of written standards of 
conduct, as well as written policies and procedures, that promote the 
Medicare+Choice organization's commitment to compliance and that 
address specific areas of potential fraud (e.g., the marketing process 
and utilization);
    (2) The designation of a chief compliance officer and other 
appropriate bodies, e.g., a corporate compliance committee, charged 
with the responsibility and authority of operating and monitoring the 
compliance program and who report directly to the CEO and the governing 
body;
    (3) The development and implementation of regular, effective 
education and training programs for all affected employees;
    (4) The development of effective lines of communication between the 
compliance officer and all employees, including a process, such as a 
hotline, to receive complaints (and the adoption of procedures to 
protect the anonymity of complainants and to protect callers from 
retaliation);
    (5) The use of audits or other risk evaluation techniques to 
monitor compliance and assist in the reduction of identified problem 
areas;
    (6) The development of disciplinary mechanisms to consistently 
enforce standards and the development of policies addressing dealings 
with sanctioned and other specified individuals; and
    (7) The development of policies to respond to detected offenses, to 
initiate corrective action to prevent similar offenses, and to report 
to Government authorities when appropriate.

A. Written Policies and Procedures

    Every compliance program should require the development and 
distribution of written compliance policies, standards and practices 
that identify specific areas of risk and vulnerability to the 
Medicare+Choice organization. These policies should be developed by the 
appropriate operational officials within the Medicare+Choice 
organization, with appropriate review and oversight by the compliance 
officer and compliance committee. The OIG recommends that these 
policies be made available to all individuals who are affected by the 
particular risk or policy area at issue. Such individuals would 
include, for example, Medicare+Choice employees whose duties touch upon 
a particular risk or policy area, as well as agents and independent 
contractors with whom the organization has contracted to perform 
delegated activities, which touch upon a particular risk or policy 
area.\19\ The OIG also recommends that Medicare+Choice organizations 
provide, upon request, all contractors with a summary of the standards 
of conduct and the number of the hotline. The distribution of these 
materials could be accomplished via hard copy or via electronic means.
---------------------------------------------------------------------------

    \19\ When determining to whom to distribute various policies, 
the Medicare+Choice organizations should keep in mind that, 
according to the Federal Sentencing Guidelines, an organization must 
have established compliance standards to be followed by its 
employees and other agents in order to receive sentencing credit. 
The Guidelines define ``agent'' as ``any individual, including a 
director, an officer, an employee, or an independent contractor, 
authorized to act on behalf of the organization.'' See United States 
Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, 
Application Note 3(d).
---------------------------------------------------------------------------

1. Standards of Conduct
    Medicare+Choice organizations should develop standards of conduct 
for all affected employees that include a clearly delineated commitment 
to compliance by the organization's senior management and its 
divisions. To help communicate a strong and explicit organizational 
commitment to compliance goals and standards, the Medicare+Choice 
organization's governing body, CEO, chief operating officer (COO), 
general counsel, chief financial officer (CFO) and other senior 
officials should be directly involved in the development of standards 
of conduct.
    The standards should function in the same fashion as a 
constitution, i.e., as a foundational document that details the 
fundamental principles, values and framework for action within an 
organization, as well as the organization's mission and goals. The 
standards should also articulate the Medicare+Choice organization's 
commitment to comply with all Federal and State laws and regulations, 
with an emphasis on preventing fraud and abuse, and include the 
ramifications of failure to comply with these standards. The standards 
should not only address compliance with statutes and regulations, but 
should also set forth broad principles that guide employees in 
conducting business professionally and properly. In short, the 
standards should promote integrity, support objectivity and foster 
trust. Furthermore, a Medicare+Choice organization's standards of 
conduct should reflect a commitment to high quality health care 
delivery, as evidenced by its conduct of on-going performance 
assessment, improved outcomes of care and respect for the rights of 
Medicare+Choice enrollees.
2. Written Policies for Risk Areas
    As part of its commitment to compliance, Medicare+Choice 
organizations should establish a comprehensive set of written policies 
addressing all applicable statutes, rules and program instructions that 
apply to each function or department of that Medicare+Choice 
organization.\20\ The

[[Page 61897]]

policies should address specific areas of concern, such as marketing 
practices and data collection and submission processes. In contrast to 
the standards of conduct, which are designed to be a clear and concise 
collection of fundamental standards, the written policies should 
articulate specific procedures personnel should follow when performing 
their duties.\21\
---------------------------------------------------------------------------

    \20\ This includes, but is not limited to, the Medicare+Choice 
provisions and the fraud and abuse provisions of the Balanced Budget 
Act of 1997, Pub. L. 105-33; the Civil False Claims Act, 31 U.S.C. 
3729-3733; the criminal false claims statutes, 18 U.S.C. 287, 1001; 
the fraud and abuse provisions of the Health Insurance Portability 
and Accountability Act of 1996 (HIPAA), Pub.L. 104-191; and the 
civil money penalties in the Social Security Act, 42 U.S.C. 1320a-7a 
and 42 U.S.C. 1395w-27(g). See also 42 CFR 422.1-422.312.
    \21\ The Medicare+Choice organization should document its 
efforts to formulate its policies to comply with applicable 
statutes, regulations and program requirements. For example, where a 
Medicare+Choice organization requests advice from HCFA, the 
Medicare+Choice organization should document and retain a record of 
the request and any written or oral response. This step is extremely 
important if the Medicare+Choice organization intends to rely on 
that response to guide it in future decisions, actions or appeals. 
In addition, the Medicare+Choice organization should maintain 
records relevant to the issue of whether its reliance was 
``reasonable,'' and whether it exercised due diligence in developing 
procedures to implement the advice.
---------------------------------------------------------------------------

    The regulations and operational policies issued by HCFA that 
implement the Medicare+Choice program are very comprehensive and, as 
required by HCFA, serve as the basis for the policies and procedures of 
a Medicare+Choice organization.\22\ The legal, policy and contractual 
requirements that organizations must meet and perform as a 
Medicare+Choice organization are articulated in documentation 
promulgated by HCFA and other Federal agencies and should be considered 
de facto risk areas. Included among these risk areas are: (1) The 
election process; (2) benefits and beneficiary protections; (3) quality 
assessment and performance improvement; (4) cost sharing; (5) solvency, 
licensure and other State regulatory issues; (6) claims processing; and 
(7) appeals and grievance procedures.
---------------------------------------------------------------------------

    \22\ Medicare+Choice organizations should regularly access the 
HCFA managed care website at http://www.hcfa.gov/medicare/
mgdcar1.htm for updates on regulations and operational policies. 
Operational Policy Letters can be located on HCFA's web site at 
http://www.hcfa.gov/medicare/mgd-ops.htm.
---------------------------------------------------------------------------

    To determine the additional policies and procedures that are needed 
for a given Medicare+Choice organization (and which policies may need 
particular attention), the OIG recommends that Medicare+Choice 
organizations conduct a comprehensive self-administered risk analysis 
or contract for an independent risk analysis by experienced health care 
consulting professionals. This risk analysis could include surveys and 
statistical analysis specifically tailored to the organization's 
beneficiary population, provider pool and organizational structure and 
should identify and rank the various compliance and business risks the 
company may experience in its daily operations.\23\ A Medicare+Choice 
organization's prior history of noncompliance with applicable statutes, 
regulations and Federal health care program requirements, or the 
failure to report such non-compliance, may indicate additional types of 
risk areas where the organization may be vulnerable and may require 
necessary policy measures to prevent avoidable recurrence.\24\
---------------------------------------------------------------------------

    \23\ Medicare+Choice organizations may also want to consult the 
OIG's Work Plan when conducting the risk assessment. The OIG Work 
Plan details the various projects the OIG currently intends to 
address in the fiscal year. It should be noted that the priorities 
in the Work Plan are subject to modification and revision as the 
year progresses and the Work Plan does not represent a complete or 
final list of areas of concern to the OIG. The Work Plan is 
currently available on the Internet at http://www.hhs.gov/oig/.
    \24\ ``Recurrence of misconduct similar to that which an 
organization has previously committed casts doubt on whether it took 
all reasonable steps to prevent such misconduct'' and is a 
significant factor in the assessment of whether a compliance program 
is effective. See United States Sentencing Commission Guidelines, 
Guidelines Manual, 8A1.2, Application Note 3(7)(ii).
---------------------------------------------------------------------------

    The fact that Medicare+Choice organizations may be both providers 
and insurers of health care increases the number and type of risk areas 
to which a Medicare+Choice organization must be attuned, as well as the 
type of auditing and monitoring procedures that must be implemented, in 
the development of its compliance efforts. For example, there are a 
variety of substantially different operational areas within the 
structure of a Medicare+Choice organization such as marketing, health 
services delivery and finances that could require different types of 
policies.
    Given the detailed nature of the HCFA rules and regulations, we 
have not attempted in this document to identify each and every policy 
that should be established by a Medicare+Choice organization. Rather, 
based on a review of OIG audits, investigations and evaluations, we 
have identified the following areas of particular concern to OIG that 
the Medicare+Choice organization should include in its written policies 
and procedures:\25\
---------------------------------------------------------------------------

    \25\ Although many of these areas apply specifically to 
Medicare+Choice organizations, many of the areas identified below 
have analogous issues in non-Medicare organizations. Medicare+Choice 
organizations that provide private managed care products should 
consider establishing additional policies and procedures for risk 
areas that apply specifically to those areas. Although the policies 
may be integrated, they should identify, as appropriate, where 
deviations may be necessary to meet Medicare+Choice requirements or 
State licensure requirements.
---------------------------------------------------------------------------

     Marketing materials and personnel;
     Selective marketing and enrollment;
     Disenrollment;
     Underutilization and quality of care;
     Data collection and submission processes;
     Anti-kickback statute and other inducements; and
     Emergency services.
    The following sections provide specific guidance regarding the risk 
areas identified above.
a. Marketing Materials and Personnel
    While each Medicare+Choice organization must comply with all of 
HCFA's detailed requirements relating to marketing their plans,\26\ OIG 
is particularly concerned that organizations have policies regarding: 
(1) The completeness and accuracy of the marketing materials; and (2) 
marketing personnel.
---------------------------------------------------------------------------

    \26\ Medicare+Choice organizations should ensure that they 
conform to fair marketing standards as set forth in the statute, the 
Medicare Managed Care National Marketing Guide (Marketing Guide) and 
all HCFA Operational Policy Letters affecting marketing matters.
---------------------------------------------------------------------------

    Accurate and useful information is crucial to the success of the 
Medicare+Choice program. The OIG is concerned that Medicare+Choice 
organizations correctly and completely describe plan information in 
marketing materials or other materials distributed to individuals prior 
to and following enrollment. Medicare+Choice organizations that 
misrepresent or falsify information submitted to HCFA, individuals or 
entities are subject to civil money penalties (CMPs) or other 
intermediate sanctions.\27\
---------------------------------------------------------------------------

    \27\ 42 U.S.C. 1395w-27(g).
---------------------------------------------------------------------------

    The submission of inaccurate or misleading information is of 
particular concern to OIG. Medicare+Choice organizations should be 
aware that the fact that materials have been approved by HCFA does not 
absolve them from potential liability for misrepresenting or falsifying 
information.\28\
---------------------------------------------------------------------------

    \28\ Medicare+Choice organizations may not distribute marketing 
materials or election forms unless they have submitted them to HCFA 
for review 45 days prior to distribution and HCFA has not 
disapproved their distribution (42 CFR 422.80).
---------------------------------------------------------------------------

    HCFA considers marketing materials to include any informational 
materials targeted to Medicare beneficiaries. Marketing materials go 
beyond the public's general conception of marketing materials and 
include general

[[Page 61898]]

circulation brochures, leaflets, newspapers, magazines, television, 
radio, billboards, yellow pages, the internet, slides and charts, and 
leaflets for distribution by providers. Such materials also include 
membership communication materials such as membership rules, subscriber 
agreements, or confirmation of enrollment.\29\ Accordingly, 
Medicare+Choice organizations should carefully scrutinize all of these 
materials for completeness, accuracy and compliance with HCFA rules, 
regulations and policy letters.
---------------------------------------------------------------------------

    \29\ 42 CFR 422.80(b).
---------------------------------------------------------------------------

    In verifying that marketing materials meet all HCFA requirements, 
Medicare+Choice organizations should ensure that the appropriate 
materials contain an adequate description of enrollee rights, 
procedures for accessing basic benefits and services, and a clear 
explanation of the appeal and grievance process.\30\ Of particular 
concern to HCFA and OIG is that the concept of ``lock-in'' is clearly 
explained in all marketing material. Many Medicare beneficiaries are 
unfamiliar with the notion that managed care may limit their health 
care provider choices. Describing the process of selecting a primary 
care physician and the limitations that this places on a 
Medicare+Choice enrollee's choice of provider will reduce the unmet 
expectations of Medicare beneficiaries.
---------------------------------------------------------------------------

    \30\ 42 CFR 422.80(c).
---------------------------------------------------------------------------

    Another important concept to include in the marketing materials is 
that the beneficiary may be terminated from enrollment in the plan due 
to the decision of the Medicare+Choice organization not to renew its 
contract with HCFA, or due to HCFA's refusal to renew the contract.\31\ 
This termination can affect the enrollee's eligibility for supplemental 
insurance and other benefits.
---------------------------------------------------------------------------

    \31\ 42 CFR 422.80(c)(3).
---------------------------------------------------------------------------

    Second, in light of the critical role that marketing personnel play 
in representing the plan to Medicare enrollees, the Medicare+Choice 
organization must take all appropriate steps to ensure that marketing 
personnel are presenting clear, complete and accurate information to 
potential enrollees. To that end, the OIG encourages Medicare+Choice 
organizations to employ their own marketing personnel, as opposed to 
contracting these responsibilities to outside entities.\32\ This 
provides the Medicare+Choice organization the necessary control to 
ensure that these individuals meet all HCFA guidelines. Similarly, it 
safeguards Medicare beneficiaries from practices that could greatly 
affect the access to health care to which they are entitled and their 
ability to acquire accurate and complete information regarding their 
health care options.
---------------------------------------------------------------------------

    \32\ It should be noted that Medicare+Choice organizations have 
ultimate responsibility for the acts and omissions of its marketing 
agents (42 CFR 422.502(i)).
---------------------------------------------------------------------------

    Medicare+Choice organizations should also be aware that the OIG and 
HCFA strongly discourage the use of physicians as marketing agents for 
several reasons: (1) When a physician acts outside his or her 
traditional role as care provider, the physician's patients may be 
confused as to when the physician is acting as an agent of the plan, 
and when the physician is acting in his or her role as a fiduciary to 
act in the best interests of the patient; (2) a physician's knowledge 
of a patient's health status increases the potential for discriminating 
in favor of Medicare beneficiaries with positive health status when 
acting as a marketing agent; (3) physicians may not be fully aware of 
membership plan benefits and costs; and (4) physicians may not be the 
best source of membership information for their patients.\33\ 
Therefore, the organization should develop policies to ensure that any 
provider promotional activities are conducted in accordance with HCFA 
guidelines (which allow, e.g., the distribution of health plan 
brochures (exclusive of applications) at a health fair or in their own 
offices).\34\
---------------------------------------------------------------------------

    \33\ Marketing Guide, Chapter IV.
    \34\ Id.
---------------------------------------------------------------------------

b. Selective marketing and Enrollment
    The OIG is very concerned about the practice known as ``cherry-
picking,'' or selective marketing,\35\ in which Medicare+Choice 
organizations discriminate in the marketing and enrollment process 
based upon an enrollee's degree of risk for costly or prolonged 
treatment.\36\ Except for individuals who have been medically 
determined to have end-stage renal disease, a Medicare+Choice 
organization may not deny, limit or condition the coverage or 
furnishing of benefits to individuals eligible to enroll in a 
Medicare+Choice plan offered by the organization on the basis of any 
factor that is related to health status, including, but not limited to, 
the following: (1) Medical condition (including mental illness); (2) 
claims experience; (3) receipt of health care; (4) medical history; (5) 
genetic information; (6) evidence of insurability; and (7) 
disability.\37\ Engaging in practices that would reasonably be expected 
to have the effect of denying or discouraging enrollment by eligible 
individuals whose medical condition or history indicates the need for 
substantial future medical services subjects the Medicare+Choice 
organization to a CMP or other sanction, such as suspension of 
enrollment or suspension of payment.\38\
---------------------------------------------------------------------------

    \35\ OIG is also concerned about a similar problem, known as 
``gerrymandering,'' which is an attempt to eliminate certain high 
dollar risk areas from the Medicare+Choice organization's service 
area. Medicare+Choice organizations should have policies in place to 
avoid such practices.
    \36\ Although the Medicare+Choice program has attempted to 
alleviate many of the selective marketing practices through the use 
of risk adjustment, the phase-in period for risk-adjustment 
virtually assures that this will remain a troubling issue through 
2004.
    \37\ 42 U.S.C. 1395w-22(b)(1); 42 CFR 422.110.
    \38\ 42 U.S.C. 1395w-27(g)(1)(D); 42 CFR 422.750 through 
422.760.
---------------------------------------------------------------------------

    Certain types of practices clearly fall into the category of 
cherry-picking and Medicare+Choice organizations should implement 
policies to prohibit and prevent such practices. For example, 
organizations should generally prohibit employees from conducting 
medical screening, i.e., asking the beneficiary medical questions prior 
to enrollment.\39\ In a 1996 survey, the OIG found that such screening 
for health status at application was reported by 18 percent of 
beneficiaries. While this represented a reduction from the 1993 level 
of 43 percent, it still represents a potentially serious problem.\40\
---------------------------------------------------------------------------

    \39\ Pursuant to 42 CFR 422.50(a)(2), it would be appropriate to 
determine whether a potential enrollee has end-stage renal disease.
    \40\ ``Beneficiary Perspectives of Medicare Risk HMOs 1996.'' 
(OEI-06-95-00430)(March 1998).
---------------------------------------------------------------------------

    Another way in which Medicare+Choice organizations may 
inappropriately target healthier beneficiaries is by primarily 
marketing their plans in places where healthy enrollees are more likely 
to be present, such as at health and exercise clubs, or in areas that 
are difficult to access for people with disabilities (e.g., upper 
floors of buildings that do not have elevators).\41\ Similarly, 
organizations may inappropriately provide inducements to potential 
enrollees in a way that would encourage younger, healthier 
beneficiaries to enroll in the plan. For example, the offering of free 
gym memberships or kayaking or other sporting lessons would appeal to a 
healthy class of enrollees and discriminate against those who would not 
be interested in such activities.\42\ If

[[Page 61899]]

a Medicare+Choice organization intends to offer such items as a 
Medicare+Choice benefit, the item must meet the definitional 
requirements of a bona fide benefit. The item must be: (1) Related to 
health care; and (2) costed out in the Medicare+Choice organization's 
Adjusted Community Rate. Any such items that do not meet these 
requirements are not valid Medicare+Choice benefits and must be 
considered ``value added services'' (VAS) subject to all the 
limitations associated with VAS.
---------------------------------------------------------------------------

    \41\ In fact, Medicare+Choice organizations are required to 
allocate part of their resources to marketing to the Medicare 
population with disabilities (42 CFR 422.80(e)(2)(i)).
    \42\ The statute prohibits the provision of cash or other 
monetary rebates as an inducement for enrollment in the plan. See 42 
U.S.C. 1395w-21(h)(4)(A). However, HCFA allows Medicare+Choice 
organizations to give Medicare beneficiaries nominal value gifts, 
provided that the plan offers these gifts whether or not the 
beneficiary enrolls in the plan. HCFA defines nominal value as an 
item having little or no resale value (generally, less than $10), 
which cannot be readily converted into cash. See Marketing Guide, 
Chapter II. The use of inducements is also discussed in Section 
II.A.2.f.--Anti-kickback and Other Inducements.
---------------------------------------------------------------------------

    Other examples of cherry-picking would be: (1) Attempts to give 
enrollment priority to newly eligible Medicare beneficiaries (who are 
theoretically younger and healthier), other than as set forth in the 
regulations; \43\ (2) the tracking of costs incurred by enrollees who 
were enrolled in different settings (e.g., at the health fair, or at a 
health club), which could be used to target healthier enrollees in the 
future; or (3) re-enrollment campaigns targeting past plan subscribers 
who had low medical costs. There are many other subtle ways in which a 
Medicare+Choice organization may try to enroll healthy patient 
populations in a discriminatory manner (i.e., not making similar 
attempts to enroll less healthy beneficiaries) and the organization 
should implement policies actively to prevent such practices.
---------------------------------------------------------------------------

    \43\ 42 CFR 422.66(d).
---------------------------------------------------------------------------

c. Disenrollment
    In general, Medicare+Choice organizations are prohibited from 
disenrolling, or requesting or encouraging (either by action or 
inaction) an individual to disenroll from any plan it offers.\44\ If a 
Medicare+Choice organization acts to expel or refuses to reenroll an 
individual in violation of the statute, a civil money penalty or other 
sanction can be imposed on the organization.\45\ The OIG is 
particularly concerned about disenrollment in light of its recent 
review, which revealed that there was a problem with disenrollment of 
beneficiaries just prior to receiving expensive inpatient services.\46\
---------------------------------------------------------------------------

    \44\ Medicare+Choice organizations are entitled to disenroll 
individuals under certain circumstances, e.g., failure to pay 
premiums or engagement in disruptive behavior. 42 CFR 422.74.
    \45\ 42 U.S.C. 1395w-27(g)(1)(C).
    \46\ Review of Inpatient Services Performed on Beneficiaries 
After Disenrolling from Medicare Managed Care.'' (A-07-98-01256) 
(May 1999).
---------------------------------------------------------------------------

    In this review, OIG found that Medicare paid for inpatient hospital 
services amounting to $224 million in fee-for-service (FFS) payments 
within 3 months of beneficiaries' disenrollment from six risk plans 
during 1991 through 1996. Had these beneficiaries not disenrolled, 
Medicare would have paid the HMOs $20 million in monthly capitation 
payments. Had the beneficiaries remained in the HMOs, Medicare would 
have saved $204 million in expenditures. Included in the Medicare FFS 
payments were $41 million for beneficiaries who disenrolled, had FFS 
procedures performed, and then reenrolled into another or the same 
managed care plan.
    While this study did not identify the reasons for the disenrollment 
as part of this review, one partial explanation of the review could be 
that some managed care plans or their medical personnel may be 
encouraging sicker beneficiaries to disenroll as a way to avert their 
own costs at a high cost to the Medicare system.
    Each Medicare+Choice organization must implement policies to ensure 
that inappropriate disenrollment does not occur.\47\ Such policies 
should include clarification of when it is appropriate for medical 
personnel to discuss the concept of disenrollment. Generally speaking, 
OIG believes it would be inappropriate for medical personnel to 
initiate discussion of disenrollment or to promote disenrollment (when 
the topic is initiated by the enrollee), except in the rare 
circumstance where the Medicare+Choice organization cannot or does not 
provide the covered medical items or services needed by the patient.
---------------------------------------------------------------------------

    \47\ Such policies should be consistent with the provisions that 
prohibit Medicare+Choice organizations from restricting a health 
care professional from advising patients of the ``health status of 
the individual or medical care or treatment for the individual's 
condition or disease, regardless of whether benefits for such care 
or treatment are provided under the plan.'' See 42 U.S.C. 
1852(j)(3)(emphasis added).
---------------------------------------------------------------------------

d. Underutilization and Quality of Care
    Medicare+Choice organizations must ensure that all covered services 
are available and accessible to all enrollees.\48\ The OIG views the 
inappropriate withholding or delay of services, known as 
underutilization or ``stinting,'' as a serious issue.\49\ Examples of 
practices that can lead to underutilization and poor quality include 
the failure to employ or contract with sufficient institutional and 
individual providers to accommodate all enrollees, the failure to 
provide geographically reachable services to enrollees, the delay in 
approving or failure to approve referrals for covered services, the 
establishment of utilization review procedures that are so burdensome 
that an enrollee could not reasonably be expected to fulfill the 
requirements and the categorical denial of payment of claims.\50\
---------------------------------------------------------------------------

    \48\ 42 U.S.C. 1395w-22. To this end, Medicare+Choice 
organizations must comply with the standards contained in the 
Quality Improvement System for Managed Care (QISMC) for 
Organizations Contracting with Medicare or Medicaid.
    \49\ Medicare+Choice organizations can be subject to sanctions 
for failing substantially to provide medically necessary items and 
services that are required to be provided, if the failure has 
adversely affected (or has the substantial likelihood of adversely 
affecting) the individual. 42 U.S.C. 1395w-27(g)(1)(A).
    \50\ See QISMC Standards 2.1.2, 2.2.2 and 3.1.
---------------------------------------------------------------------------

    There are a wide variety of policies that a Medicare+Choice 
organization should implement to be sure it is providing all medically 
necessary services to its enrollees. The regulations and guidelines 
that implement the Medicare+Choice program contain numerous provisions 
that deal with this issue. While we have not attempted to develop a 
comprehensive list in this document, we would like to highlight three 
types of policies that Medicare+Choice organizations should develop 
that may help address underutilization and quality of care.
    First, Medicare+Choice organizations should have policies that 
prohibit interference with health care professionals' advice to 
enrollees. Also known as the ``gag rule,'' this prohibition extends to 
advice regarding the patient's health status, medical care, and 
treatment options, the risks, benefits and consequences of treatment or 
non-treatment, or the opportunity for the individual to refuse 
treatment and to express preferences about future treatment 
options.51 Failure to comply with this requirement can lead 
to sanctions.52
---------------------------------------------------------------------------

    \51 \42 U.S.C. 1395w-22(j)(3), 42 CFR 422.206; QISMC Standard 
3.3.1.7.
    \52 \42 U.S.C. 1395w-27(g)(1)(F); 42 CFR 422.750 through 
422.760.
---------------------------------------------------------------------------

    Second, Medicare+Choice organizations should be sure, to they 
extent that they utilize physician incentive plans (PIPs) in their 
payment arrangements with individual physicians or physician groups, 
that they comply with all applicable regulations and that such payment 
arrangements are fully disclosed to HCFA as required by regulation. The 
PIPs raise utilization concerns because they are defined as ``any 
compensation

[[Page 61900]]

arrangement to pay a physician or physician group that may directly or 
indirectly have the effect of reducing or limiting services provided to 
any plan enrollees.'' 53 Any PIP operated by a 
Medicare+Choice organization must comply with the following 
requirements. First, it may make no payments to physicians (such as 
offerings of monetary value, including, but not limited to, stock 
options or waivers of debt 54) to reduce or limit medically 
necessary services furnished to any particular enrollee. Second, if the 
PIP puts a physician or physician group at ``substantial financial 
risk'' 55 for referral services, the Medicare+Choice 
organization must: (1) survey current and previously enrolled members 
to assess access to, and satisfaction with, the quality of services; 
and (2) assure that there is adequate and appropriate stop-loss 
protection.56 Finally, Medicare+Choice organizations must 
disclose to HCFA certain information regarding their PIPs. These 
disclosure requirements apply to direct contracting arrangements, as 
well as subcontracting arrangements.57
---------------------------------------------------------------------------

    \53 \42 CFR 422.208.
    \54 \42 U.S.C. 1395w-22(j)(4); 42 CFR 422.208.
    \55 \``Substantial financial risk'' threshold is set at 25 
percent of potential payments for covered services, regardless of 
the frequency of assessment (i.e., collection) or distribution of 
payments. 42 CFR 422.208.
    \56 \42 CFR 422.208(c).
    \57 \42 CFR 422.210(a).
---------------------------------------------------------------------------

    Finally, the OIG is aware of cases in which beneficiaries have 
received covered services from individuals that were not appropriately 
licensed. Given the serious quality of care implications of this type 
of practice, the OIG is particularly concerned that Medicare+Choice 
organizations have procedures for the selection of providers, including 
criteria for the credentialing of providers. This process should 
include an application, verification of information and a site visit, 
where applicable.58 The information that must be verified 
includes that the individual has a valid license to practice, clinical 
privileges in good standing and appropriate educational qualifications.
---------------------------------------------------------------------------

    \58 \42 CFR 422.204.
---------------------------------------------------------------------------

e. Data Collection and Submission Processes
    The regulations implementing the Medicare+Choice program contain 
numerous requirements relating to the data collection and submission 
process, ranging from a requirement for an effective system for 
receiving, controlling and processing election forms 59 to 
requirements for the timely submission of disenrollment 
notices.60 These requirements cover the gamut of 
requirements with which a Medicare+Choice organization must comply and 
are too detailed to enumerate in this document. Medicare+Choice 
organizations should establish a policy that all required submissions 
to HCFA be accurate, timely and complete and that all appropriate 
reporting requirements are met.61
---------------------------------------------------------------------------

    \59 \42 CFR 422.60(e).
    \60 \42 CFR 422.66(b)(3)(i).
    \61 \On a related topic, Medicare+Choice organizations should 
also be sure that their computer systems are Year 2000 (Y2K) 
compliant. An OIG report indicates that managed care organizations 
have made significant progress in this regard, with more than 80% 
indicating that they are Y2K compliant. ``Y2K Readiness of Managed 
Care Organizations.'' (OEI-05-98-0591)(October 1999).
---------------------------------------------------------------------------

    The OIG is particularly concerned that Medicare+Choice 
organizations submit accurate data when that information determines the 
amount of payment received from HCFA. The regulations require that when 
a Medicare+Choice organization requests payment under the contract, the 
CEO or CFO must certify the accuracy, completeness and truthfulness of 
relevant data, including enrollment data, encounter data and 
information provided as part of an adjusted community rate (ACR) 
proposal.62 When a Medicare+Choice organization submits this 
type of data to HCFA, it is making a ``claim'' for capitation payment 
in the amount dictated by the data submitted, or in the case of the ACR 
submission, a ``claim'' to retain the portion of the capitation amount 
that is under the average payment rate, rather than providing 
additional benefits. When a Medicare+Choice organization is claiming 
payment (or the right to retain payment) based upon information 
submitted to HCFA, it must take responsibility for having taken 
reasonable steps to assure the accuracy of this information. The 
attestation forms developed by HCFA for this purpose require 
certification that the information submitted is true and accurate based 
on best knowledge, information and belief.
---------------------------------------------------------------------------

    \62 \42 CFR 422.502(l) and (m). See also Contract for Year 2000, 
Attachments A, B and C.
---------------------------------------------------------------------------

    The requirement that the CEO or CFO certify as to the accuracy, 
completeness and truthfulness of data, based on best knowledge, 
information and belief, does not constitute an absolute guarantee of 
accuracy. Rather, it creates a duty on the Medicare+Choice organization 
to put in place an information collection and reporting system 
reasonably designed to yield accurate information. Further, the 
Medicare+Choice organization should exercise due diligence to ensure 
that these systems are working properly. The exact methods used by the 
Medicare+Choice organization to accomplish this can be determined by 
the organization, however, it should ordinarily conduct sample audits 
and spot checks of this system to verify whether it is yielding 
accurate information.
    The knowing submission of false information to HCFA can lead to 
serious criminal or civil penalties.63 Medicare+Choice 
organizations should implement policies so that the enrollment, 
encounter and ACR data submitted to HCFA are accurate, complete and 
truthful. While information from a variety of sources can affect this 
data, Medicare+Choice organizations should take note of two reports 
issued by the OIG that have identified concerns in two aspects of this 
data.
---------------------------------------------------------------------------

    \63 \Falsification of documentation in any application for any 
benefit or payment under a Federal health care program is a Federal 
offense punishable by not more than $25,000 or imprisonment for 5 
years, or both. See 42 U.S.C. 1320a-7b. In addition, a CMP can be 
imposed for the misrepresentation or falsification of information 
submitted to HCFA under Medicare+Choice. See 42 U.S.C. 1395w-
27(g)(1)(E).
---------------------------------------------------------------------------

    First, the OIG recommends that Medicare+Choice organizations have 
policies and procedures in place that ensure that the administrative 
component of the ACR is calculated accurately.\64\ As part of this 
process, Medicare+Choice organizations should have clearly defined 
criteria for claiming reimbursement for their administrative costs. 
These costs should not include any costs that are directly associated 
with furnishing patient care. All such costs should be allocated to the 
applicable operating component. The OIG has articulated serious 
concerns about the methodology used by managed care organizations in 
computing their administrative rate on the ACR proposal.\65\ For 
example, computing an administrative rate based on the use of a medical 
utilization factor could generate a payment that is almost three times 
what would be charged on the commercial side.
---------------------------------------------------------------------------

    \64\ The administrative component of the ACR covers any 
management, financial or other costs that are incurred by or 
allocated to a business unit for the management or administration of 
the business unit as a whole.
    \65\ See, e.g.,``Administrative Costs Submitted by Risk-Based 
Health Maintenance Organizations on the Adjusted Community Rate 
Proposals are Highly Inflated.'' (A-14-97-00202) (July 1998).
---------------------------------------------------------------------------

    Second, the OIG recommends that Medicare+Choice organizations have 
adequate internal controls in place to ensure that the institutional 
status of

[[Page 61901]]

beneficiaries is reported accurately.\66\ A recent report issued by the 
OIG estimated that risk-based HMOs received Medicare overpayments of 
$22.2 million for beneficiaries incorrectly classified as 
institutionalized.\67\ The incorrect classification was largely due to 
deficiencies in the HMOs internal controls in two areas: (1) 
Verification of beneficiaries' institutional status; and (2) reporting 
of institutional beneficiaries to HCFA. The results were based on 
audits of eight randomly selected HMOs.
---------------------------------------------------------------------------

    \66\ This will remain a concern until risk adjustment is fully 
implemented.
    \67\ ``Review of Medicare Managed Care Payments for 
Beneficiaries with Institutional Status.'' (A-05-98-00046)(April 
1999).
---------------------------------------------------------------------------

f. Anti-Kickback Statute and Other Inducements
    The anti-kickback statute provides criminal penalties for 
individuals or entities that knowingly and willfully offer, pay, 
solicit or receive remuneration to induce the referral of business 
reimbursable under a Federal health care program (including Medicare 
and Medicaid).\68\ The OIG has promulgated safe harbor regulations that 
define practices that are not subject to the anti-kickback statute 
because such practices would be unlikely to result in fraud or 
abuse.\69\
---------------------------------------------------------------------------

    \68\ 42 U.S.C. 1320a-7b(b). If it is determined that a party has 
violated the anti-kickback statute, the individual or entity can be 
excluded from participation in the Medicare and other Federal health 
care programs (as defined in 42 U.S.C. 1320a-7b(f)). 42 U.S.C. 
1320a-7(b)(7). In addition, there is an administrative CMP provision 
for violating the anti-kickback statute (42 U.S.C. 1320a-7a(a)(7)).
    \69\ 42 CFR 1001.952. The safe harbors set forth specific 
conditions that, if met, assure entities involved of not being 
prosecuted or sanctioned for the arrangement qualifying for the safe 
harbor. However, safe harbor protection is afforded only to those 
arrangements that precisely meet all of the conditions set forth in 
the safe harbor. The failure of an arrangement to fit inside a safe 
harbor or statutory exception does not mean that the arrangement is 
illegal. It is incorrect to assume that arrangements outside of a 
safe harbor are suspect due to that fact alone. That an arrangement 
does not meet a safe harbor only means that the arrangement does not 
have guaranteed protection and must be evaluated on a case-by-case 
basis.
---------------------------------------------------------------------------

    The anti-kickback statute potentially applies to many managed care 
arrangements because a common strategy of these arrangements is to 
offer physicians, hospitals and other providers increased patient 
volume in return for substantial fee discounts. Because discounts to 
managed care organizations can constitute ``remuneration'' within the 
meaning of the anti-kickback statute, a number of health care providers 
have expressed concern that many relatively innocuous, or even 
beneficial, commercial managed care arrangements implicate the statute 
and may subject them to criminal prosecution and administrative 
sanctions.
    The OIG recognizes that when managed care organizations are paid a 
capitated amount for all of the services they provide regardless of the 
dates, frequency or type of services, there is no incentive for them to 
overutilize. In any event, even if overutilization occurs, the Federal 
health care programs are not at risk for these increased costs. 
Accordingly, OIG will be issuing a safe harbor from the anti-kickback 
statute that will provide protection for certain financial arrangements 
between managed care organizations (including Medicare+Choice 
organizations) and individuals or entities with whom they contract for 
the provision of health care items or services, where a Federal health 
care program pays such organizations on a capitated basis.\70\
---------------------------------------------------------------------------

    \70\ This safe harbor was developed in accordance with section 
216 of HIPAA and section 14 of the Medicare and Medicaid Patient and 
Program Protection Act of 1987 (Pub. L. 100-93) through a negotiated 
rulemaking process that began in the spring of 1997. For a more 
detailed description of the negotiated rulemaking, see the Committee 
Statement of the Negotiated Rulemaking Committee on the Shared Risk 
Exception (January 22, 1998), which can be found on the Internet at 
http://www.hhs.gov/oig/.
---------------------------------------------------------------------------

    In general, the safe harbor protects payments between capitated 
managed care organizations (including Medicare+Choice organizations 
offering coordinated care plans) and individuals or entities with which 
it has direct contracts to provide or arrange for the provision of 
items or services.\71\ While this is a broad exception, there are three 
important limitations.
---------------------------------------------------------------------------

    \71\ In addition, arrangements between direct contractors and 
all subcontractors or successive tiers of subcontractors are 
protected, as long as the arrangement is for the provision of health 
care items or services that are covered by the arrangement between 
the direct contractor and the managed care organization and the 
arrangement meets the requirements applicable to arrangements 
between the direct contractor and the managed care organization.
---------------------------------------------------------------------------

    The first significant limitation is that there is no protection if 
the financial arrangements under the managed care agreement are 
implicitly or explicitly part of a broader agreement to steer fee-for-
service Federal health care program business to the entity giving the 
discount to induce the referral of managed care business. Specifically, 
we understand that most managed care organizations have multiple 
relationships with their contractors and subcontractors for the 
provision of services for various product lines, including non-federal 
HMOs, preferred provider organizations (PPOs) and point of service 
networks. Consequently, although neither a managed care organization 
receiving a capitated payment from a Federal health care program nor 
its contractors or subcontractors has an incentive to overutilize items 
or services or pass additional costs back to the Federal health care 
programs under the capitated arrangement, we are concerned that a 
managed care organization or contractor may offer (or be offered) a 
reduced rate for its items or services in the Federal capitated 
arrangement in order to have the opportunity to participate in other 
product lines that do not have stringent payment or utilization 
constraints. This practice is a form of a practice known as 
``swapping;'' in the case of managed care arrangements, low capitation 
rates could be traded for access to additional fee-for-service lines of 
business. We are concerned when these discounts are in exchange for 
access to fee-for-service lines of business, where there is an 
incentive to overutilize services provided to Federal health care 
program beneficiaries.
    For example, we would have concerns where an HMO with a Medicare 
risk contract under Medicare Part C also has an employer-sponsored PPO 
that includes retirees and requires participating providers to accept a 
low capitation rate for the Medicare HMO risk patients in exchange for 
access to the Medicare fee-for-service patients in the PPO. Although in 
such circumstances the cost to the Medicare program for the risk-based 
HMO beneficiaries will not be increased, there may be increased 
expenditures for Medicare beneficiaries in the PPO arrangement, because 
the providers may have an incentive to increase services to the 
Medicare enrollees in the PPO to offset the discounted rates to the 
Medicare HMO. Accordingly, such arrangements could violate the anti-
kickback statute and should not be protected.
    A second limitation on the regulatory safe harbor protection is 
that it only applies to remuneration for health care items and services 
and those items or services reasonably related to the provision of 
health care items and services. It does not cover marketing services or 
any services provided prior to a beneficiary's enrollment in a health 
plan.
    Finally, the broad protection is limited to risk-based managed care 
plans that do not claim any payment from a Federal health care program 
other than the capitated amount set forth in the managed care 
organization's agreement with the Federal health care

[[Page 61902]]

program. Where the managed care plan, its contractors or its 
subcontractors are permitted to seek additional payments from any of 
the Federal health care programs, the regulatory safe harbor protection 
is significantly more limited. For example, protection is not extended 
to arrangements with subcontractors when the contract under section 
1876 of the Social Security Act is cost-based or where the prime 
contract is protected solely because the contracting entity is a 
Federally-qualified HMO.\72\ In the first instance, reimbursement from 
the Federal health care program is based on costs, and in the latter 
case, services for Medicare enrollees are reimbursed on a fee-for-
services basis. In both instances, reimbursement will increase with 
utilization, thus providing the same incentive to overutilize as any 
fee-for-service payment methodology.
---------------------------------------------------------------------------

    \72\ The arrangements may qualify for other safe harbors, such 
as the discount or personal services safe harbors.
---------------------------------------------------------------------------

    While the new safe harbor will provide protection from the anti-
kickback statute for most arrangements between Medicare+Choice 
organizations and their contractors, Medicare+Choice organizations 
should also have policies in place that ensure that any incentives that 
the Medicare+Choice organization offers directly or indirectly to 
beneficiaries and potential beneficiaries do not run afoul of the anti-
kickback statute or the new civil money penalty relating to incentives 
to beneficiaries.\73\ The CMP was enacted in section 231(h) of HIPAA 
(42 U.S.C. 1320a-7a(a)(5)) and imposes sanctions against individuals or 
entities that offer remuneration to a program beneficiary that they 
know, or should know, will influence the beneficiary's decision to 
order or receive items or services from a particular provider, 
practitioner or supplier reimbursable by Medicare or the State health 
care programs.
---------------------------------------------------------------------------

    \73\ Our concerns regarding the use of inducements in a manner 
that leads to enrollment of only healthy beneficiaries, such as 
offering memberships to exercise clubs for purposes of patient 
screening, is discussed above in Section II.A.2.b.--Selective 
Marketing and Enrollment.
---------------------------------------------------------------------------

    Pending the publication of the final rule implementing this CMP, we 
can provide the following guidance. It is our view that organizations 
that provide incentives to Federal health care program beneficiaries to 
enroll in a plan are not offering remuneration to induce the enrollees 
to use a particular provider, practitioner or supplier. Accordingly, we 
anticipate that organizations that provide incentives to enroll in a 
plan will not be subject to sanctions under this provision. However, 
incentives provided by organizations to induce a beneficiary to use a 
particular provider, practitioner or supplier once the beneficiary has 
enrolled in a plan are within the purview of this CMP and are 
prohibited if they do not meet an exception. For example, incentives 
given to beneficiaries by a particular physician group within the 
physician panel of a Medicare+Choice organization to encourage the 
beneficiary to use that physician group over another physician in the 
panel would be prohibited.
g. Emergency Services
    The OIG and HCFA believe that there may be special concerns 
regarding the provision of emergency services to enrollees of 
Medicare+Choice plans. The anti-dumping statute \74\ imposes specific 
obligations on Medicare-participating hospitals that offer emergency 
services to individuals presenting themselves at the hospital seeking 
possible emergency treatment. While the obligations under the anti-
dumping statute prohibit a hospital from inquiring into the patient's 
method of payment or insurance status when it results in the delay of a 
medical screening examination and/or stabilizing treatment, it has come 
to our attention that some hospitals routinely seek prior authorization 
from the patient's primary care physician or from the managed care plan 
when a managed care patient requests emergency services. Investigations 
of allegations of the anti-dumping statute across the country have 
persuaded the OIG that managed care patients may be at risk of being 
discharged or transferred without receiving a medical screening 
examination, largely because of the problems inherent in seeking 
``prior authorization.''
---------------------------------------------------------------------------

    \74\ 42 U.S.C. 1395dd.
---------------------------------------------------------------------------

    To ensure appropriate access to emergency services for 
Medicare+Choice enrollees, Medicare+Choice organizations should comply 
with several key provisions. First, Medicare+Choice organizations are 
prohibited from requiring prior authorization for emergency services 
and must provide coverage for such services without regard to the 
emergency care provider's contractual relationship with the 
Medicare+Choice organization.\75\ Second, payment must be provided for 
emergency services based on a ``prudent layperson standard,'' which 
means that the need for emergency services should be determined from a 
reasonable patient's perspective at the time of presentation of the 
symptoms \76\ Finally, Medicare+Choice organizations must comply with 
all guidelines relating to the efficient and timely coordination of 
appropriate maintenance and post-stabilization of an enrollee after the 
enrollee has been stabilized under the anti-dumping statute.\77\
---------------------------------------------------------------------------

    \75\ 42 U.S.C. 1395w-22(d)(1)(E). Medicare+Choice organizations 
should not offer, or enter into, contracts with hospitals that are 
inconsistent with the anti-dumping statute.
    \76\ 42 U.S.C. 1395w-22(d)(3).
    \77\ 42 U.S.C. 1395w-22(d)(2).
---------------------------------------------------------------------------

    Medicare+Choice organizations should be particularly careful of the 
requirements of the anti-dumping statute in the event that they 
participate in the so-called ``dual staffing'' of emergency 
departments. Dual staffing occurs when hospitals enter into 
arrangements allowing a managed care organization to station its own 
physicians in the hospital's emergency department for the purpose of 
screening and treating managed care enrollees. Implementation of dual 
staffing raises some concerns under the anti-dumping statute, 
particularly where different procedures and protocols have been 
established for each staff.
    In addition, Medicare+Choice organizations should be particularly 
careful in operating ``urgent care'' services and in instructing 
enrollees to contact such services when enrollees need care. The 
organizations should ensure that such operations and instructions do 
not delay or otherwise compromise enrollees' access to services that 
should be provided in a hospital emergency room.
3. Retention of Records and Information Systems
    Medicare+Choice organizations' compliance programs should provide 
for the implementation of a records retention system. This system 
should establish policies and procedures regarding the creation, 
distribution, retention, storage, retrieval and destruction of 
documents. The three types of documents developed under this system 
should include: (1) All records and documentation required by either 
Federal or State law and the program requirements of Federal and State 
health plans; \78\ (2) records listing the persons responsible for 
implementing each part of the compliance plan; and (3) all records 
necessary to protect the integrity of the Medicare+Choice 
organization's compliance process and confirm the effectiveness of the 
program. The documentation necessary to satisfy the third category 
includes, but is not

[[Page 61903]]

limited to the following: evidence of adequate employee training; 
reports from the Medicare+Choice organization's hotline; results of any 
investigation conducted as a consequence of a hotline call; 
modifications to the compliance program; all written notifications to 
providers regarding compliance activities; \79\ and the results of the 
Medicare+Choice organization's auditing and monitoring efforts.
---------------------------------------------------------------------------

    \78\ These documents should be maintained for the periods 
required by the HCFA Medicare+Choice regulations.
    \79\ This should include notifications regarding: quality of 
care issues; confusing or inaccurate encounter data; and termination 
of the contract.
---------------------------------------------------------------------------

    In light of the increasing reliance on electronic data interchange 
by the health care industry, Medicare+Choice organizations should take 
particular care in establishing procedures for maintaining the 
integrity of its data collection systems. This should include 
procedures for regularly backing-up data (either by diskette, 
restricted system or tape) collected in connection with all aspects of 
the Medicare+Choice program requirements.
    In addition, all Medicare+Choice organizations should develop and 
implement policies and procedures to ensure the confidentiality and 
privacy of financial, medical, personnel and other sensitive 
information in their possession.\80\ These policies should address both 
electronic and hard copy documents.
---------------------------------------------------------------------------

    \80\ 42 U.S.C. 1395w-22(h); 42 CFR 422.118.
---------------------------------------------------------------------------

4. Compliance as an Element of a Performance Plan
    Compliance programs should require that the promotion of, and 
adherence to, the elements of the compliance program be a factor in 
evaluating the performance of all relevant employees. Such employees 
should be periodically trained in new compliance policies and 
procedures.
    Policies should require that managers:
     Discuss with all relevant employees the compliance 
policies and legal requirements applicable to their function;
     inform all relevant personnel that strict compliance with 
these policies and requirements is a condition of employment; and
     Disclose to all relevant personnel that the 
Medicare+Choice organization will take disciplinary action up to and 
including termination for violation of these policies or requirements.
    In addition to making performance of these duties an element in 
evaluations, the compliance officer or company management should 
include a policy that managers and supervisors will be sanctioned for 
failure to instruct adequately their subordinates or for failure to 
detect noncompliance with applicable policies and legal requirements, 
where reasonable diligence on the part of the manager or supervisor 
should have led to the discovery of any problems or violations.

B. Designation of a Compliance Officer and a Compliance Committee

1. Compliance Officer
    Every Medicare+Choice organization should designate a compliance 
officer to serve as the focal point for compliance activities. This 
responsibility may be the individual's sole duty or added to other 
management responsibilities, depending upon the size and resources of 
the Medicare+Choice organization and the complexity of the task.
    Designating a compliance officer with the appropriate authority is 
critical to the success of the program, necessitating the appointment 
of a high-level official in the Medicare+Choice organization with 
direct access to the company's governing body, the CEO and all other 
senior management and legal counsel.\81\ While it is important that the 
compliance officer have appropriate authority, we are not suggesting 
that the compliance officer should have operational responsibility for 
the various aspects of the Medicare+Choice program. For example, the 
compliance officer should have full authority to stop the submission of 
data that he or she believes is problematic until such time as the 
issue in question has been resolved. In addition, the compliance 
officer should be copied on the results of all internal audit reports 
and work closely with key managers to identify aberrant trends in the 
areas that require certification. The compliance officer must have the 
authority to review all documents and other information that are 
relevant to compliance activities, including, but not limited to, 
enrollee records (where appropriate) and records concerning the 
marketing efforts of the organization and the Medicare+Choice 
organization arrangements with other parties, including employees, 
professionals on staff, relevant independent contractors, suppliers, 
agents and physicians. This policy enables the compliance officer to 
review contracts and obligations (seeking the advice of legal counsel, 
where appropriate) that may contain referral and payment provisions 
that could violate statutory or regulatory requirements.
---------------------------------------------------------------------------

    \81\ The OIG believes that it is not advisable for the 
compliance function to be subordinate to the Medicare+Choice 
organization's general counsel, comptroller or similar company 
financial officer. Free-standing compliance functions help to ensure 
independent legal reviews and financial analyses of the 
institution's compliance activities. By separating the compliance 
function from the key management positions of general counsel or CFO 
(where the size and structure of the organization make this a 
feasible option), a system of checks and balances is established to 
more effectively achieve the compliance program's goals.
---------------------------------------------------------------------------

    Coordination and communication are the key functions of the 
compliance officer with regard to planning, implementing and monitoring 
the compliance program. With this in mind, the OIG recommends that the 
Medicare+Choice organization's compliance officer closely coordinate 
compliance functions with providers' compliance officers.
    The compliance officer should have sufficient funding and staff to 
fully perform his or her responsibilities. These duties should include:
     Overseeing and monitoring the implementation of the 
compliance program; \82\
---------------------------------------------------------------------------

    \82\ For multi-site Medicare+Choice organizations, the OIG 
encourages coordination with each facility owned by the 
Medicare+Choice organization through the use of compliance liaisons 
at each site.
---------------------------------------------------------------------------

     Reporting on a regular basis to the Medicare+Choice 
organization's governing body, CEO and compliance committee on the 
progress of implementation;
     Periodically revising the program in light of changes in 
the organization's needs and in the law and policies and procedures of 
Government and private payor health plans;
     Reviewing employees' certifications stating that they have 
received, read and understood the standards of conduct;
     Developing, coordinating and participating in a 
multifaceted educational and training program that focuses on the 
elements of the compliance program and seeks to ensure that all 
appropriate employees and management are knowledgeable of, and comply 
with, pertinent Federal and State standards;
     Coordinating personnel issues with the Medicare+Choice 
organization's human resources/personnel office (or its equivalent) to 
ensure that providers and employees do not appear in the List of 
Excluded Individuals/Entities and the General Services Administration 
(GSA) list of debarred contractors; \83\
---------------------------------------------------------------------------

    \83\ See note 101.
---------------------------------------------------------------------------

     Assisting the Medicare+Choice organization's management in 
coordinating internal compliance review and monitoring activities, 
including annual or periodic reviews of departments;
     Independently investigating and acting on matters related 
to compliance, including the flexibility to design and

[[Page 61904]]

coordinate internal investigations (e.g., responding to reports of 
problems or suspected violations) and any resulting corrective action 
with all departments, providers, agents, and, if appropriate, 
independent contractors;
     Developing policies and programs that encourage managers 
and employees to report suspected fraud and other improprieties without 
fear of retaliation; and
     Continuing the momentum of the compliance program and the 
accomplishment of its objectives long after the initial years of 
implementation.
2. Compliance Committee
    The OIG recommends that a compliance committee be established to 
advise the compliance officer and assist in the implementation of the 
compliance program.\84\ When assembling a team of people to serve as 
the Medicare+Choice organization's compliance committee, the company 
should include individuals with a variety of skills.\85\ The OIG 
strongly recommends that the compliance officer manage the compliance 
committee. Once a managed care organization chooses the people that 
will accept the responsibilities vested in members of the compliance 
committee, the organization must train these individuals on the 
policies and procedures of the compliance program.
---------------------------------------------------------------------------

    \84\ The compliance committee benefits from having the 
perspectives of individuals with varying responsibilities in the 
organization, such as operations, finance, audit, human resources, 
utilization review, medicine, claims processing, information 
systems, legal, marketing, enrollment and disenrollment as well as 
employees and managers of key operating units. These individuals 
should have the requisite seniority and comprehensive experience 
within their respective departments to implement any necessary 
changes in the company's policies and procedures. Some organizations 
have found it helpful to include an outside director on its 
compliance committee to provide a different perspective.
    \85\ A Medicare+Choice organization should expect its compliance 
committee members and compliance officer to demonstrate high 
integrity, good judgment, assertiveness and an approachable 
demeanor, while eliciting the respect and trust of employees of the 
organization. The compliance committee members should also have 
significant professional experience in working with quality 
assurance, enrollment, marketing, clinical records and auditing 
principles.
---------------------------------------------------------------------------

    The committee's responsibilities should include:
     Analyzing the organization's regulatory environment, the 
legal requirements with which it must comply and specific risk areas;
     Assessing existing policies and procedures that address 
these areas for possible incorporation into the compliance program;
     Working with appropriate departments, as well as 
affiliated providers, to develop standards of conduct and policies and 
procedures that promote allegiance to the organization's compliance 
program;
     Recommending and monitoring, in conjunction with the 
relevant departments, the development of internal systems and controls 
to carry out the organization's standards, policies and procedures as 
part of its daily operations;
     Determining the appropriate strategy/approach to promote 
compliance with the program and detection of any potential violations, 
such as through hotlines and other fraud reporting mechanisms;
     Developing a system to solicit, evaluate and respond to 
complaints and problems; and
     Monitoring internal and external audits and investigations 
for the purpose of identifying troublesome issues and deficient areas 
experienced by the Medicare+Choice organization and implementing 
corrective and preventive action.
    The committee may also address other functions as the compliance 
concept becomes part of the overall operating structure and daily 
routine.

C. Conducting Effective Training and Education

    The proper education and training of corporate officers, managers, 
employees and the continual retraining of current personnel at all 
levels are significant elements of an effective compliance program. 
Where appropriate, the Medicare+Choice organization may afford its 
contractors the opportunity to participate in the organization's 
compliance training and educational programs.\86\ The contractors 
should be encouraged to develop their own compliance programs that 
complement the Medicare+Choice organization's compliance program.
---------------------------------------------------------------------------

    \86\ While some Medicare+Choice organizations may encourage 
providers to participate in education programs designed for its own 
employees, other organizations may prefer to develop provider-
specific education programs about compliance.
---------------------------------------------------------------------------

1. Formal Training Programs
    To ensure the appropriate information is being disseminated to the 
correct individuals, the Medicare+Choice organization training program 
should include both a general session and specialized sessions on 
specific risk areas. All employees should attend the general session on 
compliance. Employees whose job responsibilities implicate specific 
risk areas (e.g., marketing or data collection and submission) should 
attend the specialized sessions.
    The OIG recommends that attendance and participation at training 
programs be made a condition of continued employment and that failure 
to comply with training requirements should result in disciplinary 
action, including possible termination, when such failure is serious. 
The Medicare+Choice organization should retain adequate records of its 
training of employees, including attendance logs and material 
distributed at training sessions. New employees should be targeted for 
training early in their employment, and to the extent that they perform 
complicated tasks with greater organizational legal exposure, should be 
monitored closely until all training is completed.
a. General Sessions
    As part of their compliance programs, Medicare+Choice organizations 
should require all employees to attend annual training that emphasizes 
the organization's commitment to compliance with all Federal and State 
statutes and requirements, and the policies of private payors. While 
the OIG recognizes that not all standards, policies and procedures need 
to be communicated to all employees, it believes that the general 
message about the importance of complying with fraud and abuse laws and 
other ethical areas should be addressed and made part of the general 
training.
    As part of the initial training, the standards of conduct should be 
distributed to all employees. Every employee should be required to sign 
and date a statement that reflects the employee's knowledge of, and 
commitment to the standards of conduct. This attestation should be 
retained in the employee's personnel file. The standards of conduct 
should be updated and revised as appropriate.
b. Specialized Training
    Because Medicare+Choice organizations are responsible for 
compliance in all of the risk areas mentioned in section II.A. above, 
the OIG recommends Medicare+Choice organizations require individuals 
who are involved in the risk areas to receive specialized training. For 
example, marketing employees should receive training on the marketing, 
enrollment, disenrollment and anti-kickback policies. All employees who 
work with beneficiaries or providers regarding medical services should 
receive appropriate training on the risks associated with 
underutilization. Those employees who are involved in developing 
enrollment, encounter and ACR data should receive training on

[[Page 61905]]

HCFA policies in these areas. Clarifying and emphasizing these areas of 
concern through training and educational programs are particularly 
relevant to a Medicare+Choice organization's marketing and financial 
personnel, in that the pressure to meet business goals may render these 
employees particularly vulnerable to engaging in prohibited practices.
    The OIG recommends Medicare+Choice organizations' compliance 
programs address the need for periodic professional education courses 
for relevant personnel. Such courses would be in addition to the 
internal training sessions provided by the organization.
c. Format of the Training Program
    The OIG suggests all relevant levels of personnel be made part of 
various educational and training programs of the Medicare+Choice 
organization. Employees should be required to have a minimum number of 
educational hours per year, as appropriate, as part of their employment 
responsibilities. A variety of teaching methods, such as interactive 
training and training in several different languages (including the 
translation of standards of conducts and other materials), particularly 
where a Medicare+Choice organization has a culturally diverse staff, 
should be implemented so that all affected employees are knowledgeable 
about the institution's standards of conduct and procedures for 
alerting senior management to problems and concerns. In addition, the 
materials should be written at appropriate reading levels for targeted 
employees. All training materials should be designed to take into 
account the skills, knowledge and experience of the individual 
trainees. Post-training tests can be used to assess the success of 
training provided and employee comprehension of the Medicare+Choice 
organization's policies and procedures.
2. Informal and Ongoing Compliance Training
    It is essential that compliance issues remain at the forefront of 
the Medicare+Choice organization's priorities. The organization must 
demonstrate its commitment by continuing to disseminate the compliance 
message. One effective mechanism to achieve this goal is to publish a 
monthly compliance newsletter, or devote a section to compliance in a 
general weekly or monthly existing newsletter. This would allow the 
Medicare+Choice organization to address specific examples of problems 
the company encountered during its ongoing audits and risk analysis, 
while reinforcing the company's firm commitment to the general 
principles of compliance and ethical conduct. The newsletter could also 
include the risk areas identified in current OIG publications or 
investigations. Finally, the Medicare+Choice organization could use the 
newsletter as a mechanism to notify employees of significant legal or 
regulatory developments. The Medicare+Choice organization should 
maintain its newsletters in a central location to document the guidance 
offered and provide new employees with access to guidance previously 
provided. Other written materials, such as posters, fliers or articles 
in other company publications, could also be used to disseminate the 
compliance message.
    Another effective method of maintaining the presence of the 
compliance message is to maintain a website devoted to compliance 
issues. This could be linked to the homepage of the organization. Many 
organizations have chosen to maintain these sites internally on the 
Intranet to alleviate any confidentiality concerns. The Intranet (or 
Internet) also facilitates the use of hypertext links that allow the 
organization to maintain a centralized source on statutory, regulatory 
and other program guidance disseminated by HCFA, the OIG, the 
Department of Justice and the Congress. These links, along with any 
other webpages that the Medicare+Choice organization deems pertinent 
and useful can be assembled on a single site that can, by hypertext 
link, provide access to all of these useful resources.

D. Developing Effective Lines of Communication

    An open line of communication between the compliance officer and 
Medicare+Choice organization personnel, as well as among the 
organization, health care providers and enrollees, is critical to the 
successful implementation of a compliance program and the reduction of 
any potential for fraud, abuse and waste. Each organization should have 
in place both a mechanism for the reporting of improper conduct, as 
well a mechanism for more routine types of communication among the 
compliance officer and relevant groups.
1. Hotline or Other System for Reports of Potential Misconduct
    Each Medicare+Choice organization should have in place a hotline or 
other mechanism \87\ through which employees, enrollees or other 
parties can report potential violations of the organization's 
compliance policies or of Federal or State health care program 
requirements. In any event, several independent reporting paths should 
be created for an employee to report fraud, waste or abuse so that such 
reports cannot be diverted by supervisors or other personnel. If the 
organization establishes a hotline, the telephone number should be made 
readily available to all employees, enrollees and independent 
contractors, by circulating the number on wallet cards or conspicuously 
posting the telephone number in common work areas.\88\
---------------------------------------------------------------------------

    \87\ The OIG recognizes that it may not be financially feasible 
for a small Medicare+Choice organization to maintain a telephone 
hotline dedicated to receiving calls solely on compliance issues. 
These companies may explore alternative methods, e.g., contracting 
with an independent source to provide hotline services or 
establishing a written method of confidential disclosure.
    \88\ Medicare+Choice organizations should also post in a 
prominent, available area the HHS-OIG Hotline telephone number, 1-
800-447-8477 (1-800-HHS-TIPS), in addition to any organization's 
hotline number that may be posted.
---------------------------------------------------------------------------

    Matters reported through the hotline or other communication sources 
that suggest violations of compliance policies, Federal and State 
health care program requirements, regulations or statutes should be 
documented and investigated promptly to determine their veracity and 
significance. A log should be maintained by the compliance officer or 
authorized designee that records such calls, including the nature of 
any investigation and its results.\89\ Such information should be 
included in reports to the governing body, the CEO and compliance 
committee.
---------------------------------------------------------------------------

    \89\ To efficiently and accurately fulfill such an obligation, 
the Medicare+Choice organization should create an intake form for 
all issues identified through reporting mechanisms. The form could 
include information concerning the date the potential problem was 
reported, the internal investigative methods utilized, the results 
of any investigation, any corrective action implemented, any 
disciplinary measures imposed and any overpayments and monies 
returned.
---------------------------------------------------------------------------

    Employees, enrollees and providers should be permitted to report 
matters on a confidential basis. To encourage such reporting, written 
confidentiality and non-retaliation policies should be developed. 
Employees, enrollees, providers and other contractors should be made 
aware of these policies to encourage communication and the reporting of 
incidents of potential fraud.\90\ While the Medicare+Choice

[[Page 61906]]

organization should always strive to maintain the confidentiality of 
the reporter's identity, the policies should explicitly communicate 
that there may be a point where the individual's identity may become 
known or may have to be revealed.
---------------------------------------------------------------------------

    \90\ The OIG believes that whistleblowers should be protected 
against retaliation, a concept embodied in the provisions of the 
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees 
sue their employers under the False Claims Act's qui tam provisions 
out of frustration because of the company's failure to take action 
when a questionable, fraudulent or abusive situation was brought to 
the attention of senior corporate officials.
---------------------------------------------------------------------------

    The OIG recognizes that assertions of fraud and abuse by those who 
may have participated in illegal conduct or committed other malfeasance 
raise numerous complex legal and management issues that should be 
examined on a case-by-case basis. The compliance officer may wish to 
work closely with legal counsel to obtain guidance on these issues.
2. Routine Communication/Access to the Compliance Officer
    While it is crucial that Medicare+Choice organizations have 
effective systems in place for the reporting of suspected misconduct, 
it is equally important that the compliance officer foster more routine 
communication both among its employees and among its health care 
providers and enrollees.
    With respect to its own employees, the OIG encourages the 
establishment of procedures for personnel to seek clarification from 
the compliance officer or members of the compliance committee in the 
event of any confusion or question regarding a company policy, practice 
or procedure. Questions and responses should be documented and dated 
and, if appropriate, shared with other staff so that standards, 
policies, practices and procedures can be updated and improved to 
reflect any necessary changes or clarifications. The compliance officer 
may want to solicit employee input in developing these communication 
and reporting systems. The methods discussed above relating to ongoing 
training and education are an integral part of this communication.\91\
---------------------------------------------------------------------------

    \91\ In addition to methods of communication used by current 
employees, an effective employee exit interview program could be 
designed to solicit information from departing employees regarding 
potential misconduct and suspected violations of the Medicare+Choice 
organization's policy and procedures.
---------------------------------------------------------------------------

    The communication and coordination function of the compliance 
program serves an even more critical role in the context of the managed 
care environment because the managed care entity serves as an 
intermediary between the health care provider and the enrollee. In 
fact, the raison d'etre of a managed care organization is to coordinate 
the care of its enrollees. As with providers, communications with 
beneficiaries and communications with HCFA (and its designees) must 
demonstrate the highest level of integrity, honesty and judgment. The 
Medicare+Choice organization should implement methods to encourage 
communication among its enrollees and providers. For example, as 
appropriate, a Medicare+Choice organization should communicate the 
results of audits, disenrollment surveys, utilization data and quality 
of care determinations to its contracting suppliers and providers in 
order to facilitate open discussion regarding appropriate health care 
delivery.

E. Auditing and Monitoring

    An ongoing evaluation process is critical to a successful 
compliance program.\92\ The OIG believes an effective program should 
incorporate thorough monitoring of its implementation and regular 
reporting to senior company officers. Compliance reports created by 
this ongoing monitoring, including reports of suspected noncompliance, 
should be maintained by the compliance officer and reviewed with the 
Medicare+Choice organization's senior management and the compliance 
committee. The extent and frequency of the audit function may vary 
depending on factors such as the size of the company, the resources 
available to the company, the company's prior history of noncompliance 
and the risk factors that are prevalent in a particular organization. 
However, all Medicare+Choice organizations have an obligation to 
establish an adequate audit function and meet all of HCFA's 
requirements.
---------------------------------------------------------------------------

    \92\ The OIG recognizes that Medicare+Choice organizations have 
a variety of ongoing monitoring processes and would most likely 
incorporate these existing processes, as appropriate, into their 
compliance program. We do not anticipate that the compliance 
monitoring function would exist entirely independently of the 
operational program.
---------------------------------------------------------------------------

    Although many monitoring techniques are available, one effective 
tool to promote and ensure compliance is the performance of regular, 
periodic compliance audits by internal or external auditors who have 
expertise in Federal and State health care statutes, regulations and 
Federal health care program requirements. The audits should focus on 
the Medicare+Choice organization's programs or divisions, including 
external relationships with third-party contractors, specifically those 
with substantive exposure to Government enforcement actions. The audits 
should cover the range of programmatic requirements of the 
Medicare+Choice program and comply with generally accepted protocols 
governing such audits. In particular, the audits should focus on the 
risk areas identified earlier in this document, especially the data and 
information that affect payments by Medicare. Finally, the 
Medicare+Choice organization should focus on any areas of specific 
concern identified within that organization and those that may have 
been identified by any outside agency, whether Federal or State.
    Monitoring techniques may include sampling protocols that permit 
the compliance officer to identify and review variations from an 
established baseline.\93\ Significant variations from the baseline 
should trigger a reasonable inquiry to determine the cause of the 
deviation. If the inquiry determines that the deviation occurred for 
legitimate, explainable reasons, the compliance officer or manager may 
want to limit any corrective action or take no action. If it is 
determined that the deviation was caused by improper procedures, 
misunderstanding of rules, including fraud and systemic problems, the 
Medicare+Choice organization should take prompt steps to correct the 
problem.\94\ Any overpayments discovered as a result of such deviations 
should be reported promptly to HCFA (or its designees), with 
appropriate documentation and a thorough explanation of the reason for 
the overpayment.\95\
---------------------------------------------------------------------------

    \93\ The OIG recommends that when a compliance program is 
established in a Medicare+Choice organization, the compliance 
officer, with the assistance of department managers, take a 
``snapshot'' of the organization's operations from a compliance 
perspective. This assessment can be undertaken by outside 
consultants, law or accounting firms, or internal staff, with 
authoritative knowledge of health care compliance requirements. This 
``snapshot,'' often used as part of bench marking analysis, becomes 
a baseline for the compliance officer and other managers to judge 
the Medicare+Choice organization's progress in reducing or 
eliminating potential areas of vulnerability. Medicare+Choice 
organizations should track statistical data on utilization review 
and quality data based on customer satisfaction and renewal data. 
This will facilitate identification of problem areas and elimination 
of potential areas of abusive or fraudulent conduct.
    \94\ Prompt steps to correct the problem include contacting the 
appropriate provider in situations where the provider's actions 
contributed to the problem.
    \95\ In addition, when appropriate, as referenced in section G, 
below, reports of fraud or systemic problems should also be made to 
the appropriate Government authority.
---------------------------------------------------------------------------

    An effective compliance program should also incorporate periodic 
(at a minimum, annual) reviews of whether the program's compliance 
elements have been satisfied, e.g., whether there has been appropriate 
dissemination of the program's standards, training, ongoing educational 
programs and

[[Page 61907]]

disciplinary actions.\96\ This process will verify actual conformance 
by all departments with the compliance program. Such reviews may 
support a determination that appropriate records have been created and 
maintained to document the implementation of an effective program.
---------------------------------------------------------------------------

    \96\ One way to assess the knowledge, awareness and perceptions 
of the Medicare+Choice organization's staff is through the use of a 
validated survey instrument (e.g., employee questionnaires, 
interviews or focus groups).
---------------------------------------------------------------------------

    The reviewers involved in any audits should:
     Possess the qualifications and experience necessary to 
adequately identify potential issues with the subject matter to be 
reviewed;
     Be independent of the specific functional area examined;
     Have access to existing audit resources, relevant 
personnel and all relevant areas of operation;
     Present written evaluative reports on compliance 
activities to the CEO, governing body members of the compliance 
committee on a regular basis, but not less than annually; and
     Specifically identify areas where corrective actions are 
needed.
    In the Medicare+Choice context, a variety of different methods will 
be necessary to adequately monitor and evaluate the ongoing operations 
of the Medicare+Choice organization. In general, the OIG recommends the 
use of techniques such as on-site visits, questionnaires (for 
providers, enrollees and employees), and trend analyses, to name just 
several.\97\ Because the auditing and monitoring function is very 
different and much more complex in the managed care context than in any 
other segment of the health care industry, we have provided additional 
guidance on the methods to be used in evaluating selected risk areas.
---------------------------------------------------------------------------

    \97\ Medicare+Choice organizations may want to consult HCFA's 
Contractor Performance Monitoring System Manual to get additional 
ideas for monitoring methods. In addition, organizations may want to 
consult the OAS website for information on conducting audits, 
including information on statistical sampling (RAT-STATS). See note 
10.
---------------------------------------------------------------------------

1. Marketing/Enrollment/Diseenrollment
    Developing a system for evaluating the compliance of the marketing, 
enrollment and disenrollment functions of a Medicare+Choice 
organization requires innovative techniques. Each Medicare+Choice 
organization will have to develop an individualized method as to how to 
obtain this data. Some of the methods that the OIG suggests include: 
using secret shoppers; surveying \98\ current enrollees; \99\ and 
conducting exit interviews with former enrollees (particularly those 
that disenrolled just prior to obtaining an expensive service) on their 
experience with the Medicare+Choice marketing and enrollment process. 
Once this data is collected, it must be maintained in a format that can 
be accessed readily.
---------------------------------------------------------------------------

    \98\ Medicare+Choice organizations may be able to use response 
data from already existing surveys, such as from the Health of 
Seniors survey (HEDIS) and for certain organizations, the mandatory 
disenrollment surveys required under PIP.
    \99\ It should be noted, while this method may be less 
expensive, it may not provide unbiased data, particularly in the 
area of selective marketing. In fact, in the selective marketing 
area, the data may be skewed significantly in favor of the 
Medicare+Choice organization.
---------------------------------------------------------------------------

    In an effort to integrate the monitoring function with its training 
function, a Medicare+Choice organization may wish to test its marketing 
staff on their knowledge of the company's policies and procedures, as 
well as the Federal and State statutes that govern the marketing 
process. This assessment can be developed using many formats. Many 
companies have customized interactive software to test employees' 
knowledge of relevant policies and procedures. It may also be 
formulated in the traditional written version.
    Methods used to monitor marketing agents include the analysis of 
disenrollment data to identify marketing agents with high and low 
percentages of member disenrollments within a set number of days (e.g., 
90 days). In addition, Medicare+Choice organizations may want to 
establish enrollment verification systems requiring that a different 
individual from the sales agent meet with beneficiaries who have 
applied for enrollment to ensure that they understand restrictions of 
the plan, such as the lock-in provision.
    Finally, it is essential for all marketing materials to be reviewed 
by an independent and competent reviewer, such as an individual in the 
general counsel's office, to ensure that they do not mislead, confuse 
or misrepresent any aspect of the plan. Similarly, a Medicare+Choice 
organization may want to consider having the materials examined by 
individuals familiar with the claims processing department and 
utilization review office for consistency with the policies, procedures 
and practices of these departments.
2. Underutilization and Quality of Care
    Procedures for tracking and reporting utilization review data are 
vital to the success of any compliance endeavor. Medicare+Choice 
organizations should periodically review the service areas that are 
part of the Medicare+Choice organization to ensure that enrollees are 
receiving adequate access to care. In reviewing service areas, 
Medicare+Choice organizations should collect data on a variety of 
topics, including the number of primary care physicians in the service 
area, the number and type of specialists in the service area, the 
waiting time for appointments, the telephone access to the 
Medicare+Choice organization, rates of denial of emergency services 
claims and the problems associated with the coordination of care. All 
of this data should be maintained in a database in a format that can be 
used to generate statistical data and analysis.
    Medicare+Choice organizations should ensure that there are adequate 
systems in place to monitor underutilization and inappropriate denials. 
Such procedures include collecting data on utilization patterns and 
detecting aberrant patterns. This data should be checked against 
utilization rates in the industry. This function could be performed by 
a medical affairs department that is responsible for regular review of 
claims, the payment system, encounter data and medical record review to 
assess the degree to which care is under (or over) utilized.
    Similarly, the Medicare+Choice organization should survey its 
enrollees on utilization patterns and whether they felt they were 
subjected to inadequate health care services, inappropriate denials, 
type of practitioner providing treatment and whether a beneficiary's 
request for another provider was denied or approved. Such survey 
results should be reviewed and investigated, when appropriate. 
Generally, these may be skewed in favor of the Medicare+Choice 
organization if the enrollees are current members. Presumably, if an 
enrollee was truly dissatisfied with the Medicare+Choice organization's 
attitude toward enrollee rights, the enrollee would have disenrolled 
from the plan. As a result, a Medicare+Choice organization should 
evaluate both current enrollee satisfaction surveys and exit interview 
surveys of former enrollees.
    Medicare+Choice organizations have a good source of information 
regarding utilization issues, simply by tracking the type of appeals 
and grievances they receive from beneficiaries. This information should 
be tracked in a database that can be easily accessed by type of 
grievance or appeal and results.

[[Page 61908]]

3. Data Collection and Submission Processes
    Given the importance of the enrollment, encounter and ACR data, the 
Medicare+Choice organization should develop ways to audit this 
information to assure its accuracy, completeness and truthfulness, on 
best knowledge, information and belief. As indicated earlier, such 
methods would ordinarily include sample audits and spot checks of the 
system. These activities should be facilitated by the fact that HCFA 
requires Medicare+Choice organizations to detail in their contractual 
relationships with providers the access that they will need to the 
provider's medical record documentation.
4. Anti-Kickback and Other Inducements
    Medicare+Choice organizations should periodically review their 
contractual documents and discussions with providers to ensure that 
``swapping'' is not occurring. In addition, contracts with marketing 
personnel should be reviewed by legal counsel to be sure they do not 
violate the anti-kickback statute and other applicable statutes and 
regulations.

F. Enforcing Standards Through Well-Publicized Disciplinary Guidelines 
and Policies Regarding Dealings With Ineligible Persons

    The OIG recommends that all Medicare +Choice organizations' 
compliance programs include several key policies in the area of 
personnel/human resources. The first deals with the establishment, and 
consistent application of, appropriate disciplinary policies to deal 
with improper conduct and the second deals with the employment of 
certain ineligible individuals.
1. Consistent Enforcement of Disciplinary Policies
    An effective compliance program should include guidance regarding 
disciplinary action for all employees who have failed to comply with 
the Medicare+Choice organization's standards of conduct, policies and 
procedures, Federal health care program requirements, or Federal and 
State laws, or those who have otherwise engaged in wrongdoing. It is 
vital to publish and disseminate the range of possible disciplinary 
actions for improper conduct and to educate officers and other staff 
regarding these standards. Employees should be advised that 
disciplinary action may be appropriate where a responsible employee's 
failure to detect a violation is attributable to his or her negligence 
or reckless conduct. The sanctions could range from oral warnings to 
suspension, termination or other sanctions, as appropriate. While each 
situation must be considered on a case-by-case basis to determine the 
appropriate sanction, intentional or reckless noncompliance should 
subject transgressors to significant sanctions.
    The written standards of conduct should elaborate on the procedures 
for handling disciplinary problems and identify who will be responsible 
for taking appropriate action. For example, while disciplinary actions 
can be handled by department managers, others may have to be resolved 
by a more senior official of the organization. Personnel should be 
advised by the organization that disciplinary action will be taken on a 
fair and equitable basis, that is, all levels of employees should be 
subject to similar disciplinary action for the commission of similar 
offenses. Managers and supervisors should be held accountable to 
implement the disciplinary policy consistently so that the policy will 
have the required deterrent effect.
2. Employment of, and Contracting With, Ineligible Persons
    All Medicare+Choice organizations should use care when delegating 
substantial discretionary authority to make decisions that may involve 
compliance with the law or compliance oversight. In particular, the 
organization should ensure that it does not delegate such 
responsibilities to individuals or entities that it knows, or should 
have known, have a propensity to engage in inappropriate or improper 
conduct. Pursuant to the compliance program, a Medicare+Choice 
organization's policies should prohibit the hiring of, or entering 
into, contracts with individuals or entities who have been recently 
convicted of a criminal offense related to health care or who are 
listed as debarred, excluded or otherwise ineligible for participation 
in Federal health care programs.\100\ The policies should require the 
Medicare+Choice organization to utilize Government resources to 
determine whether such individuals or entities are debarred or 
excluded. These resources should be used for both potential employees 
(as part of the employment application process, which should also 
include a reasonable and prudent background investigation), and should 
be used to periodically check existing employees and contractors.
---------------------------------------------------------------------------

    \100\ Prospective employees who have been officially reinstated 
into the Medicare and Medicaid programs by the OIG may be considered 
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------

    Lists of debarred and excluded individuals and entities are 
currently maintained by both the OIG and the General Services 
Administration.\101\ By approximately January 2000, the Healthcare 
Integrity Protection Data Bank (HIPDB) will be available to 
Medicare+Choice organizations (for a nominal fee) to use in conducting 
these checks on employees and contractors.\102\ The HIPDB is an 
electronic data collection program that will collect, store and 
disseminate reports on practitioners, providers and suppliers that have 
been the subject of health care related final adverse actions in 
criminal, civil and administrative proceedings. The final adverse 
actions to be reported to the HIPDB include criminal convictions or 
civil judgments related to the delivery of health care, actions by 
Federal or State agencies responsible for licensing or certification of 
health care providers, suppliers and practitioners, exclusions from 
Federal or State health care programs, and certain final adverse 
actions taken by health plans.\103\ Pending the resolution of any known 
criminal charges or proposed debarment or exclusion, the OIG recommends 
that such individuals should be removed from direct responsibility for, 
or involvement in, any Federal health care program. If labor agreements 
make such removal legally impermissible, the OIG recommends that the 
individual be closely supervised in all aspects of his or her duties 
that relate to Federal health care programs. If the resolution of the 
matter results in conviction, debarment or exclusion of a current 
employee or contractor, then the Medicare+Choice organization must not 
continue to employ or contract with such individual for the provision 
of health care, utilization review, medical social work or 
administrative services.\104\
---------------------------------------------------------------------------

    \101\ OIG's List of Excluded Individuals/Entities is available 
on the Internet at http://www.hhs.gov/oig/ and the GSA list of 
debarred contractors is available on the Internet at http://
www.arnet.gov/epls.
    \102\ 42 U.S.C. 1320a-7e.
    \103\ Note that agencies and health plans are required by HIPAA 
to report to the HIPDB. Failure by a health plan to make the 
mandated reports to the HIPDB may result in CMPs being assessed 
against the health plan, pursuant to 42 U.S.C. 1320a-7e(b)(6).
    \104\ 42 CFR 422.752(a)(8).
---------------------------------------------------------------------------

G. Responding to Detected Offenses, Developing Corrective Action 
Initiatives, and Reporting to Government Authorities

    Violations of the Medicare+Choice organization's compliance 
program, failures to comply with applicable

[[Page 61909]]

Federal or State law, rules and program instructions and other types of 
misconduct may threaten a Medicare+Choice organization's status as a 
reliable, honest and trustworthy company. Detected but uncorrected 
misconduct can seriously endanger the mission, reputation and legal 
status of the organization. Consequently, it is important that the 
chief compliance officer or other management officials promptly 
investigate and take appropriate action with respect to any reports or 
reasonable indications of suspected noncompliance.\105\
---------------------------------------------------------------------------

    \105\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a 
health care program is not solely determinative of whether or not 
the conduct should be investigated and reported to governmental 
authorities. In fact, there may be instances where there is no 
readily identifiable monetary loss at all, but corrective action and 
reporting are still necessary to protect the integrity of the 
applicable program and its beneficiaries.
---------------------------------------------------------------------------

    Pending issuance of final HCFA regulations \106\ regarding the 
obligations of a Medicare+Choice organizations to report misconduct, 
the OIG recommends that the following procedures be followed when a 
Medicare+Choice organization discovers from any source evidence of 
misconduct related to payment or delivery of health care items or 
services under the Medicare+Choice contract. First, the Medicare+Choice 
organization should conduct a timely, reasonable inquiry into the 
misconduct. Second, if after reasonable inquiry, the organization has 
determined that the misconduct may violate criminal, civil or 
administrative law, it should report the existence of the misconduct 
promptly to the appropriate Government authority \107\ within a 
reasonable period, but not more than 60 days \108\ after a 
determination that a violation may have occurred.\109\ When reporting 
potential violations to the Government, a Medicare+Choice organization 
should provide all evidence relevant to the potential violation, 
including the impact of the potential violation on beneficiaries and 
any potential cost impact. Finally, the Medicare+Choice organization 
should initiate and implement appropriate corrective actions, e.g., 
repayment of overpayments, disciplinary actions and modifications of 
procedures to ensure the problem does not recur.
---------------------------------------------------------------------------

    \106\ 42 CFR 422.501(b)(vi).
    \107\ For example, if the potential violation relates to federal 
criminal law, the Civil False Claims Act, the civil money penalty 
authorities (primarily under sections 1128A and 1857 of the Social 
Security Act) and related statutes administered by the HHS/OIG, the 
report must be made to that office.
    \108\ While the OIG recommends reporting in 60 days, the 
organization must report within 30 days in order to attempt to 
obtain favorable treatment under the Civil False Claims Act. See 
note 6. In addition, reporting such conduct may be considered a 
mitigating factor by the OIG in determining administrative sanctions 
(e.g., penalties, assessments and exclusion), if the reporting 
company becomes the subject of an OIG investigation. See 62 FR 67392 
(12/24/97).
    \109\ The OIG believes that some potential violations may be so 
serious that they warrant immediate notification to Government 
authorities, prior to, or simultaneous with, commencing an internal 
inquiry. Examples of such situations include instances when the 
misconduct: (1) Is a clear violation of civil fraud or criminal law; 
(2) has a significant adverse effect on the quality of care provided 
to program beneficiaries (in addition to any other legal obligations 
regarding quality of care); or (3) indicates evidence of a systemic 
failure to comply with applicable laws or an existing corporate 
integrity agreement, regardless of the financial impact on Federal 
health care programs.
---------------------------------------------------------------------------

    Failure to notify HCFA of an overpayment within a reasonable period 
of time could be interpreted as an intentional attempt to conceal the 
overpayment from the Government, thereby establishing an independent 
basis for a criminal violation with respect to the Medicare+Choice 
organization, as well as any individuals who may have been 
involved.\110\ For this reason, Medicare+Choice compliance programs 
should ensure that overpayments are identified quickly and promptly 
return overpayments obtained from Medicare or other Federal health care 
programs.
---------------------------------------------------------------------------

    \110\ 42 U.S.C. 1320a-7b(a)(3).
---------------------------------------------------------------------------

    The OIG recommends that Medicare+Choice organizations consider the 
following guidance as they structure internal inquiries. Depending upon 
the nature of the alleged violations, an internal inquiry will probably 
include interviews and a review of relevant documents. Medicare+Choice 
organizations should consider engaging outside counsel, auditors or 
health care experts to assist in an inquiry. Records of the inquiry 
should contain documentation of the alleged violation, a description of 
the process (including the objectivity of the investigators and 
methodologies utilized), copies of interview notes and key documents, a 
log of the witnesses interviewed and the documents reviewed, and the 
results of the investigation, e.g., any disciplinary action taken and 
any corrective action implemented. Although any action taken as the 
result of an inquiry will necessarily vary depending upon the 
Medicare+Choice organization and the situation, Medicare+Choice 
organizations should strive for some consistency by utilizing sound 
practices and disciplinary protocols. Further, after a reasonable 
period, the compliance officer should review the circumstances that 
formed the basis for the inquiry to determine whether similar problems 
have been uncovered or modifications of the compliance program are 
necessary to prevent and detect other inappropriate conduct or 
violations.
    If an inquiry of an alleged violation is undertaken and the 
compliance officer believes the integrity of the inquiry may be at 
stake because of the presence of employees under investigation, those 
subjects should be removed from their current work activity until the 
inquiry is completed (unless an internal or Government-led undercover 
operation known to the Medicare+Choice organization is in effect). In 
addition, the compliance officer should take appropriate steps to 
secure or prevent the destruction of documents or other evidence 
relevant to the inquiry. If the Medicare+Choice organization determines 
disciplinary action is warranted, it should be prompt and imposed in 
accordance with the organization's written standards of disciplinary 
action.

III. Conclusion

    Through this document, the OIG has attempted to provide a 
foundation for the development of effective and comprehensive 
Medicare+Choice compliance programs. These principles can also be used 
by entities to develop compliance programs applicable to other Federal 
and health care programs, as well as for their private lines of 
business. As previously stated, however, each program must be tailored 
to fit the needs and resources of an individual organization, depending 
upon its particular corporate structure, mission and employee 
composition. The statutes, regulations and guidelines of the Federal 
and State health insurance programs, as well as the policies and 
procedures of the private health plans, should be integrated into every 
Medicare+Choice organization's compliance program.
    The OIG recognizes that the health care industry, which reaches 
millions of beneficiaries and expends about a trillion dollars 
annually, is constantly evolving. In no area of the industry is this 
more evident than in the growing area of managed care, particularly 
Medicare managed care. As a result, the time is right for 
Medicare+Choice organizations to implement strong, voluntary compliance 
programs. Compliance is a dynamic process that helps to ensure 
Medicare+Choice organizations are better able to fulfill their 
commitment to ethical behavior and to meet the changes and challenges 
being imposed upon them by the Congress and private insurers. It is

[[Page 61910]]

OIG's hope that voluntarily created compliance programs will enable 
Medicare+Choice organizations to meet their goal of providing efficient 
and quality health care and, at the same time, substantially reducing 
fraud, waste and abuse.

    Dated: November 5, 1999.
June Gibbs Brown,
Inspector General.
[FR Doc. 99-29632 Filed 11-12-99; 8:45 am]
BILLING CODE 4150-04-P