Management & Compliance for Large/Academic Pathology Practices
Part 7 - Compliance Programs for Physician Practices
Black-Schaffer & Johnson
Office of Inspector General, HHS, Publication of the OIG's Final Compliance Program Guidance for
Individual and Small Group Physician Practices (65 FR 59434; October 5, 2000).
[U]nlike other guidances issued by OIG, this guidance for physicians does not suggest that physician
practices implement all seven components of a full scale compliance program. Instead, the guidance
emphasizes a step by step approach to follow in developing and implementing a voluntary compliance
program. This change is in recognition of the financial and staffing resource constraints faced by
physician practices. The guidance should not be viewed as mandatory or as an all-inclusive discussion of
the advisable components of a compliance program.
The goal of voluntary compliance programs is to provide a tool to strengthen the efforts of health
care providers to prevent and reduce improper conduct. These programs can also benefit physician
practices by helping to streamline business operations by:
- Speeding and optimizing proper payment of claims;
- Minimizing billing mistakes;
- Reducing the chances that an audit will be conducted by CMS or the OIG;
- Avoiding conflicts with the self-referral and anti-kickback statutes.
Voluntary compliance programs also provide benefits by not only helping to prevent erroneous or
fraudulent claims, but also by showing that the physician practice is making additional good faith
efforts to submit claims appropriately.
A compliance program also sends an important message to a physician practice's employees that while
the practice recognizes that mistakes will occur, employees have an affirmative, ethical duty to come
forward and report erroneous or fraudulent conduct, so that it may be corrected.
There [are] critical differences between what the Government views as innocent "erroneous" claims on
the one hand and "fraudulent" (intentionally or recklessly false) health care claims on the other.
[U]nder the law, physicians are not subject to criminal, civil or administrative penalties for
innocent errors, or even negligence. The Government's primary enforcement tool, the civil False Claims
Act, covers only offenses that are committed with actual knowledge of the falsity of the claim, reckless
disregard, or deliberate ignorance of the falsity of the claim.
[I]mplementing a voluntary compliance program can be a multi-tiered process. Initial development ...
can be focused on practice risk areas that have been problematic for the practice such as coding and
billing. [T]he practice should examine its ... most frequent sources of ... denials or overpayments. A
review ... will help the practice scrutinize a significant risk area and improve its cash flow by
submitting correct claims that will be paid the first time they are submitted. As this example
illustrates, a compliance program for a physician practice often makes sound business sense.
Step One: Auditing and Monitoring
An ongoing evaluation process is important to a successful compliance program. There are two types of
reviews that can be performed as part of this evaluation:
1. Standards and Procedures: individual(s) in the physician practice [should] be charged with
periodically reviewing the practice's standards and procedures to determine if they are current and
2. Claims Submission Audit: bills and medical records [should] be reviewed for compliance with
applicable coding, billing and documentation requirements.
The practice's self-audits can be used to determine whether:
- Bills are accurately coded and accurately reflect the services provided (as documented
in the medical records);
- Documentation is being completed correctly;
- Services or items provided are reasonable and necessary; and
- Any incentives for unnecessary services exist.
One of the most important components of a successful compliance audit protocol is an appropriate
response when the physician practice identifies a problem.
In some cases, the response can be as straightforward as generating a repayment with appropriate
explanation to Medicare or the appropriate payor from which the overpayment was received.
[But t]here is no boilerplate solution to how to handle problems that are identified.
Step Two: Practice Standards and Procedures
After the internal audit identifies the practice's risk areas, the next step is to develop a method
for dealing with those risk areas through the practice's standards and procedures. Written standards and
procedures are a central component of any compliance program.
Physician practices ... can develop them by: (1) Developing a written standards and procedures
manual; and (2) updating clinical forms periodically to make sure they facilitate and encourage clear and
complete documentation of patient care.
To assist physician practices in performing this initial assessment, the OIG has developed a list of
four potential risk areas affecting physician practices. These risk areas include:
(a) coding and billing;
(b) reasonable and necessary services;
(c) documentation; and
(d) improper inducements, kickbacks and self-referrals.
a. Coding and Billing. A major part of any physician practice's compliance program is the
identification of risk areas associated with coding and billing. The following risk areas associated
with billing have been among the most frequent subjects of investigations and audits by the OIG:
- Billing for items or services not rendered or not provided as claimed;
- Submitting claims for equipment, medical supplies and services that are not reasonable
[I]nvolves seeking reimbursement for a service that is not warranted by a patient's documented medical
condition. ("no payment may be made under part A or part B [of Medicare] for any expenses incurred for
items or services which ... are not reasonable and necessary for the diagnosis or treatment of illness or
injury or to improve the functioning of the malformed body member")
- Double billing resulting in duplicate payment;
[O]ccurs when a physician bills for the same item or service more than once or another party billed
the Federal health care program for an item or service also billed by the physician. Although duplicate
billing can occur due to simple error, the knowing submission of duplicate claims (which is sometimes
evidenced by systematic or repeated double billing) can create liability under criminal, civil, and/or
- Billing for non-covered services as if covered;
- Knowing misuse of provider identification numbers, which results in improper billing;
- Unbundling (billing for each component of the service instead of billing or using an
Unbundling is the practice of a physician billing for multiple components of a service that must be
included in a single fee.
- Failure to properly use coding modifiers;
A modifier, as defined by the CPT–4 manual, provides the means by which a physician practice can
indicate a service or procedure that has been performed has been altered by some specific circumstance,
but not changed in its definition or code. Assuming the modifier is used correctly and appropriately,
this specificity provides the justification for payment for those services.
This is the practice of coding/charging one or two middle levels of service codes exclusively, under
the philosophy that some will be higher, some lower, and the charges will average out over an extended
period (in reality, this overcharges some patients while undercharging others).
Upcoding is billing for a more expensive service than the one actually performed.
Furthermore, written standards and procedures should ensure that coding and billing are
based on medical record documentation. Particular attention should be paid to issues of appropriate
diagnosis codes and individual Medicare Part B claims.
The failure of a physician practice to: (i) document items and services rendered; and (ii) properly
submit the corresponding claims for reimbursement is a major area of potential erroneous or fraudulent
conduct involving Federal health care programs. The OIG has undertaken numerous audits, investigations,
inspections and national enforcement initiatives in these areas.
b. Reasonable and Necessary Services. A practice's compliance program may provide
guidance that claims are to be submitted only for services that [are] reasonable and necessary.
The OIG recognizes that physicians should be able to order any tests, including screening tests, they
believe are appropriate for the treatment of their patients. However, a physician practice should be
aware that Medicare will only pay for services that meet the Medicare definition of reasonable and
"... for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed
c. Documentation. Timely, accurate and complete documentation is important to clinical
patient care. This same documentation serves a second function when a bill is submitted for payment,
namely, as verification that the bill is accurate as submitted. Therefore, one of the most important
physician practice compliance issues is the appropriate documentation of diagnosis and treatment.
1. Medical Record Documentation.
In addition to facilitating high quality patient care, a properly documented medical
record verifies and documents precisely what services were actually provided.
The CPT and ICD–9–CM codes reported on the health insurance claims form should be supported by
documentation in the medical record and the medical chart should contain all necessary information.
Additionally, CMS and the local carriers should be able to determine the person who provided the
d. Improper Inducements, Kickbacks and Self-Referrals. A physician practice would be well
advised to have standards and procedures that encourage compliance with the anti-kickback statute and the
physician self-referral law.
Remuneration for referrals is illegal: it can distort medical decision-making, cause
overutilization of services or supplies, increase costs to Federal health care programs, and result in
unfair competition by shutting out competitors who are unwilling to pay for referrals.
The anti-kickback statute provides criminal penalties for individuals and entities that knowingly
offer, pay, solicit, or receive bribes or kickbacks or other remuneration in order to induce business
reimbursable by Federal health care programs.
The physician self-referral ("Stark") law prohibits making a referral to an entity with which a
physician or member of the physician's immediate family has a financial relationship, if the referral is
for designated health services and unless the financial relationship fits into an exception set forth in
the statute or implementing regulations.
Possible risk factors relating to this risk area that could be addressed in the practice's
standards and procedures include:
- Financial arrangements with outside entities to whom the practice may refer Federal
health care program business;
All physician contracts and agreements with parties in a position to influence Federal
health care program business or to whom the doctor is in such a position to influence should be reviewed
to avoid violation of the anti-kickback, self-referral, and other relevant Federal and State laws.
- Joint ventures with entities supplying goods or services to the physician
practice or its patients;
- Consulting contracts or medical directorships;
- Office and equipment leases with entities to which the physician refers; and
- Soliciting, accepting or offering any gift or gratuity of more than nominal value to or
from those who may benefit from a physician practice's referral of Federal health care program business.
Physician practices should establish clear standards and procedures governing gift-giving because such
exchanges may be viewed as inducements to influence business decisions.
2. Retention of Records
In light of the documentation requirements faced by physician practices, it would be to the practice's
benefit if its standards and procedures contained a section on the retention of compliance, business and
medical records. These records primarily include documents relating to patient care and the practice's
While conducting its compliance activities, as well as its daily operations, a physician
practice would be well advised, to the extent it is possible, to document its efforts to comply with
applicable Federal health care program requirements.
For example, if a physician practice requests advice from a Government agency (including a Medicare
carrier) charged with administering a Federal health care program, it is to the benefit of the practice
to document and retain a record of the request and any written or oral response (or nonresponse). This
step is extremely important if the practice intends to rely on that response to guide it in future
decisions, actions, or claim reimbursement requests or appeals.
Step Three: Compliance Officer or Contact Person
After the audits have been completed and the risk areas identified, ideally one member of
the physician practice staff needs to accept the responsibility of developing a corrective action plan,
if necessary, and oversee the practice's adherence to that plan. However, the resource constraints of
physician practices make it so that it is often impossible to designate one person to be in charge of
Each physician practice needs to assess its own practice situation and determine what best
suits that practice in terms of compliance oversight.
[T]he following is a list of suggested duties that the practice may want to assign to that
- Overseeing and monitoring the implementation of the compliance program;
- Establishing methods, such as periodic audits, to improve the practice's efficiency and
quality of services, and to reduce the practice's vulnerability to fraud and abuse;
- Periodically revising the compliance program in light of changes in the needs of the
practice or changes in the law and in the standards and procedures of Government and private payor health
- Developing, coordinating and participating in a training program that focuses on the
components of the compliance program, and seeks to ensure that training materials are appropriate;
- Ensuring that the HHS–OIG's List of Excluded Individuals and Entities, and the General
Services Administration's (GSA's) List of Parties Debarred from Federal Programs have been checked with
respect to all employees, medical staff and independent contractors;
- Investigating any report or allegation concerning possible unethical or improper
business practices, and monitoring subsequent corrective action and/or compliance.
Step Four: Training and Education
Education is an important part of any compliance program and is the logical next step after problems
have been identified and the practice has designated a person to oversee educational training.
Ideally, education programs will be tailored to the physician practice's needs, specialty and size and
will include both compliance and specific training.
There are three basic steps for setting up educational objectives:
- Determining who needs training (both in coding and billing and in compliance);
- Determining the type of training that best suits the practice's needs (e.g., seminars,
in-service training, self-study or other programs); and
- Determining when and how often education is needed and how much each person should
1. Compliance Training
Under the direction of the compliance officer/contact, initial and recurrent training in compliance is
advisable both with respect to the compliance program itself and applicable statutes and regulations.
[I]tems to include in compliance training are: The operation and importance of the compliance program;
the consequences of violating the standards and procedures set forth in the program; and the role of each
employee in the operation of the compliance program.
2. Coding and Billing Training
- Coding requirements;
- Claim development and submission processes;
- Signing a form for a physician without the physician's authorization;
- Proper documentation of services rendered;
- Proper billing standards and procedures and submission of accurate bills for services or
items rendered to Federal health care program beneficiaries; and
- The legal sanctions for submitting deliberately false or reckless billings.
3. Format of the Training Program
Training may be conducted either in-house or by an outside source. [A]nother way for physician
practices to receive training is for the physicians and/or the employees of the practice to attend
training programs offered by outside entities, such as a hospital, a local medical society or a carrier.
This sort of collaborative effort is an excellent way for the practice to meet the desired training
objective without having to expend the resources to develop and implement in-house training.
4. Continuing Education on Compliance Issues
There is no set formula for determining how often training sessions should occur. Currently, the OIG
is monitoring a significant number of corporate integrity agreements that require many of these training
The OIG usually requires a minimum of one hour annually for basic training in compliance areas.
Ideally, new billing and coding employees will be trained as soon as possible after assuming their duties
and will work under an experienced employee until their training has been completed.
Step Five: Response to Offenses and Development of Corrective Action
When a practice determines it has detected a possible violation, the next step is to develop a
corrective action plan and determine how to respond to the problem.
[U]pon receipt of reports or reasonable indications of suspected noncompliance, it is important … to
determine whether a significant violation of applicable law or ... the compliance program has indeed
occurred, and, if so, take decisive steps to correct the problem.
As appropriate, such steps may involve
- a corrective action plan,
- the return of any overpayments,
- a report to the Government, and/or
- a referral to law enforcement authorities.
Instances of noncompliance must be determined on a case-by-case basis. The existence or amount of a
monetary loss to a health care program is not solely determinative of whether the conduct should be
investigated and reported to governmental authorities. The physician practice may seek advice from its
legal counsel to determine the extent of the practice's liability and to plan the appropriate course of
One suggestion is that the practice, in developing its compliance program, develop its own set of
monitors and warning indicators.
Significant changes in the number and/or types of claim rejections and/or reductions; correspondence
from the carriers and insurers challenging the medical necessity or validity of claims; illogical
patterns or unusual changes in the pattern of CPT–4, HCPCS or ICD–9 code utilization; and high volumes of
unusual charge or payment adjustment transactions.
It is also recommended that the compliance program provide for a full internal assessment of all
reports of detected violations. If the physician practice ignores reports of possible fraudulent
activity, it is undermining the very purpose it hoped to achieve by implementing a compliance program.
For potential criminal violations, a physician practice would be well advised in its compliance
program procedures to include steps for prompt referral or disclosure to an appropriate Government
authority or law enforcement agency. In regard to overpayment issues, it is advised that the physician
practice take appropriate corrective action, including prompt identification and repayment of any
overpayment to the affected payor.
The physician practice may consider the fact that if a violation occurred and was not detected, its
compliance program may require modification.
Physician practices that detect violations could analyze the situation to determine whether a flaw in
their compliance program failed to anticipate the detected problem, or whether the compliance program's
procedures failed to prevent the violation.
In any event, it is prudent, even absent the detection of any violations, for physician practices to
periodically review and modify their compliance programs.
Step Six: Open Lines of Communication
In order to prevent problems from occurring and to have a frank discussion of why the problem happened
in the first place, physician practices need to have open lines of communication.
Especially in a smaller practice, an open line of communication is an integral part of implementing a
A compliance program's system for meaningful and open communication can include the following:
- The requirement that employees report conduct that a reasonable person would, in good
faith, believe to be erroneous or fraudulent;
- The creation of a user-friendly process (such as an anonymous drop box for larger
practices) for effectively reporting erroneous or fraudulent conduct;
- Provisions in the standards and procedures that state that a failure to report erroneous
or fraudulent conduct is a violation of the compliance program;
- The development of a simple and readily accessible procedure to process reports of
erroneous or fraudulent conduct;
- If a billing company is used, communication to and from the billing company's compliance
officer/contact and other responsible staff to coordinate billing and compliance activities of the
practice and the billing company, respectively. Communication can include, as appropriate, lists of
reported or identified concerns, initiation and the results of internal assessments, training needs,
regulatory changes, and other operational and compliance matters;
- The utilization of a process that maintains the anonymity of the persons involved in the
reported possible erroneous or fraudulent conduct and the person reporting the concern; and
While the physician practice may strive to maintain the anonymity of an employee's
identity, it also needs to make clear that there may be a point at which the individual's identity may
become known or may have to be revealed in certain instances.
- Provisions in the standards and procedures that there will be no retribution for
reporting conduct that a reasonable person acting in good faith would have believed to be erroneous or
Step Seven: Enforcement of Disciplinary Standards through Well-Publicized
Finally, the last step that a physician practice may wish to take is to incorporate measures into its
practice to ensure that practice employees understand the consequences if they behave in a non-compliant