The Office of Inspector General is a division of the U.S. Department of Health and Human Services that is tasked with combating fraud committed against Medicare, Medicaid, and other federally funded government programs. The Health and Human Services Office of Inspector General (HHS-OIG) is the largest inspector general’s office in the U.S. government, employing more than 1,600 investigators, attorneys, and support staff. While the HHS-OIG investigates healthcare fraud across more than 100 government-funded programs, it dedicates the vast majority of its resources to Medicare and Medicaid fraud.

Any healthcare service provider who bills Medicare or Medicaid is subject to HHS-OIG oversight. This includes hospitals, nursing facilities, pharmacies, laboratories, medical device manufacturers, dentists, and physicians. While the HHS-OIG is involved in a wide range of healthcare fraud issues, the majority of investigations originate out of concerns that a service provider’s billing procedures are out of compliance. This can result in the HHS-OIG referring a provider to another federal agency that will pursue civil or criminal charges.

The best way to avoid the possibility of Medicare or Medicaid fraud charges is to design, implement, and maintain a rigorous compliance program. The HHS-OIG provides some field-specific guidance on what a compliance program should look like. However, in general, an OIG compliance program for a hospital should contain the following seven elements.

OIG Compliance Programs for Hospitals

Hospitals are an amalgam of medical practitioners and, as a result, have unique compliance concerns. As Dr. Nick Oberheiden, an OIG investigation defense attorney, explains:

Hospitals typically employ hundreds of people— if not more. Thus, given most hospitals' size and resources, the OIG expects more detailed and robust compliance plans. What may not be feasible for a small practice group of physicians is a justifiable expense for a large hospital. However, size is not the only issue confronting hospitals when they set about creating an OIG compliance plan: Hospitals also deal with practitioners across the medical field, requiring a detailed knowledge of myriad laws and regulations.

When it comes to developing an OIG compliance program for a hospital, there are seven concepts to keep in mind:

1. Identifying Risk Areas Through Internal Monitoring and Auditing

The first step in developing a comprehensive OIG compliance program is to take a deep-dive into the hospital’s unique circumstances to identify areas that present a high level of compliance risk. In most hospitals, the areas of coding and billing are the top culprits.

Hospitals should consider a two-tiered approach when identifying their risk areas. First, by reviewing the current policies and procedures that are already in place, and next, by completing an internal claims submission audit. A claims submission audit entails a service provider reviewing all previously denied claims and those claims that resulted in overpayments. This allows hospital management to ensure bills are accurately coded, the correct documentation is being provided, all services are necessary and reasonable, and whether there are any prohibited incentives for unnecessary services. Once this is complete, management can create a “benchmark” by which to determine overall compliance and gauge future approval and denial rates.

2. Implementing Additional Compliance Standards

Once a hospital completes a self-audit, it will have a better idea of which areas pose a particularly high risk. The next step is to add to or modify existing standards and procedures to address these high-risk areas. Having a comprehensive compliance program in place will not only increase a hospital’s overall compliance, but can also serve as a defense when violations inevitably arise.

In general, the OIG identifies four primary risk areas for healthcare practitioners:

1. Coding and billing;
2. Reasonable and necessary services;
3. Documentation; and
4. Improper inducements, kickbacks, and self-referrals

Of course, every hospital will have different risk areas, and it is important to address these matters with specificity in a compliance program. Often, management can obtain some guidance from other hospitals; however, it is imperative that a hospital create a compliance program that is custom-tailored to its specific obligations.

3. Naming a Compliance Officer or Contact Person

After assessing all risk areas and developing a compliance strategy, the next step is to designate a chief compliance officer, or several employees who will oversee adherence to the plan and, when necessary, determine how the hospital will respond to any potential violations. For hospitals, it makes sense to hire one or more people to fulfill compliance obligations. The OIG recommends using a third-party compliance consultant, to the extent staffing concerns limit a hospital’s ability to assign compliance issues out to existing staff. This is generally a good idea; however, when using third-party compliance consultants, be sure to utilize one that is both familiar with the industry and able to maintain fluid and consistent communication, even if they are not located in the same city or state.

4. Ensuring the Proper Training and Education

A compliance program is only as strong as its weakest link. Thus, educating staff is important to ensure compliance, and IOG investigators want to see a robust education and training element in any compliance program. Hospital management should be guided by the following three basic steps when developing a training regimen:

1. Identify who needs training;
2. Determine what type of training best suits the individual needs of the hospital; and
3. Pin down the practicalities of providing the training, including when, how often, and how much training is needed.

The gold-standard when it comes to compliance training is in-person learning. However, this is not always feasible, or even necessary. Thus, newsletters, bulletin board postings, and online learning can be used to supplement in-person instruction. Regardless of the method of instruction selected, it is imperative that a compliance program is forward-looking. Compliance is not static, and hospitals should provide for continuing education in any compliance program.

5. Responding to Potential Violations and Determining the Appropriate Corrective Action

Medicaid and Medicare billing regulations and laws are extremely complex, and it is likely that errors will occur, even in the most well-intentioned hospitals. The OIG wants to see that a hospital takes potential violations seriously. Thus, addressing mistakes and other possible violations is just as important as outlining procedures to prevent errors from occurring.

An effective compliance program will outline a hospital’s response to a possible violation, and provide a clear procedure for addressing the situation. Generally, the OIG prefers that a hospital conducts regular self-assessments and reports all possible violations to the appropriate regulatory agency or law enforcement entity. For example, a hospital may set out a corrective action plan, arrange for the return of all overpayments, and provide a mechanism to report all potential violations to law enforcement.

It is also important to keep in mind that, if a violation occurs, it may mean that the compliance program needs another look.

6. Maintaining Open Lines of Communication

An effective compliance program allows for an open line of communication between those responsible for developing and maintaining a compliance program within the hospital and the physicians working in the hospital. If a compliance program is vague in terms of the reporting protocol, or does not adequately encourage employees to report potential misconduct, the program will have little effect.

A few examples of policies that foster open communication include:

• Requiring employees to report any good-faith belief that they witness fraudulent conduct;
• Focusing on creating a user-friendly process for filing a report;
• Proving some type of disincentive for failing to report known fraudulent activity;
• Allowing anonymous reporting (to the extent possible); and
• Making it clear that there will be no adverse action taking against employees who file a report.

While smaller practices can get away with written guidelines, given the size of most hospitals, it makes sense to set up a hotline that staff can call to anonymously report alleged violations.

7. Creating and Disseminating Clear Disciplinary Standards

The final step is to ensure that all hospital staff is informed of the repercussions stemming from any non-compliant conduct. This adds credibility to a compliance program, and helps show that a hospital is committed to remaining compliant.

The disciplinary procedures outlined in the program should be strict, while remaining flexible. In other words, the program must have teeth, but should not be so rigid as to punish without considering the surrounding mitigating (or aggravating) circumstances. It is especially important that those charged with enforcing violations of the program do so in a consistent and even-handed manner. Possible disciplinary actions following a violation may include:

• An oral warning;
• Write-ups;
• Probation;
• Demotion;
• Temporary suspension;
• Termination;
• Restitution; and
• Referral for criminal prosecution.

It is also crucial to make the possible disciplinary violations known among all staff. While there are several ways to accomplish this, the easiest is to include them in a hospital training manual.

8. Continuing to Revise and Update the Program

Of course, developing a compliance program is not a one-time task, as laws and regulations change over time. So, providers may need to occasionally revisit each of these steps to ensure a compliance program remains effective. Thus, it is important for hospitals to regularly undergo voluntary audits, to check progress and identify any up-and-coming problem areas. If unexpected concerns arise, this is an opportunity to make any revisions to the compliance program.

Devising an OIG compliance program for a hospital is a serious endeavor and may be outside the specialty of hospital management. Given the unique compliance obligations of hospitals, it is wise for management to consult with a federal OIG compliance attorney for assistance. Lawyers that handle OIG compliance are often highly focused on this unique area of the law and have successfully created compliance programs for other hospitals and healthcare providers.