Durable medical equipment (DME) is particularly important for many Medicare beneficiaries. However, companies that manufacture and sell DME need to be careful because there are strict federal regulations outlining almost every aspect of the business. These include, among other things, identifying the products that qualify as DME and the nature of the relationship between a DME company and a physician.

Too often, DME companies end up inadvertently engaging in conduct that winds up serving as the basis for a federal healthcare fraud claim. In large part, this is because the rules for billing government programs such as Medicare, Medicaid and Tricare are very complex. Thus, even well-meaning companies can run afoul of the law. To avoid unwanted and unnecessary federal scrutiny, it is imperative that DME companies develop a comprehensive DME compliance program.

What Is DME Compliance?

DME companies are subject to strict federal oversight. The two organizations that primarily oversee DME companies are the U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) and the Centers for Medicare and Medicaid Services (CMS).

An organization is DME-compliant if it implements a system of review to ensure that all advertising and billing procedures comply with current federal laws and regulations. While a DME company has many compliance obligations, in recent years, the most common violations involve billing practices, marketing practices, and the payment of illegal kickbacks or referral fees.

How to Achieve DME Compliance

Companies are too often left guessing when it comes to complying with federal regulations. However, when it comes to DME compliance, the HHS-OIG provides a list of seven “fundamental elements” that every compliance program should include. Of course, these are subject to change, and companies seeking to achieve compliance should reach out to a federal healthcare fraud defense lawyer to check the current status of the law before developing a comprehensive DME compliance program.

Currently, the HHS-OIG has established the following seven elements to an effective DME compliance program:

1. Implement written policies, procedures and standards of conduct

According to the HHS-OIG, “[e]very compliance program should require the development and distribution of written compliance policies, standards, and practices that identify specific areas of risk and vulnerability.” These policies should be provided to all employees of the DEM company, as well as all other “individuals who are affected by the particular policy at issue,” including suppliers and independent contractors. The exact policies provided should reflect the nature of their role in the business. For example, suppliers and independent contractors may need a different set of policies than employees. Documents should be provided to non-employees when they first begin working with a DME company and should again be provided when there is a change to the policies.

The main thrust of these written policies is to convey the company’s commitment to complying with all state and federal laws and should “explicitly state the organization’s mission, goals, and ethical principles relative to compliance.” In addition, the HHS-OIG recommends that the following areas are included in the DME compliance policy documents:

• Billing for items or services not provided;
• Billing for items or services not ordered;
• Billing for items or services the DME company has reason to believe will be denied;
• Billing patients for denied charges (without prior written acknowledgment);
• Duplicate billing
• Using an unauthorized billing agent or unauthorized billing terms;
• Upcoding;
• Unbundling; and
• Providing used equipment but billing for new equipment.

The HHS-OIG provides a list of dozens of other matters that should be included in a compliance program.

2. Designate a compliance officer and compliance committee

Ideally, the HHS-OIG wants to see a company designate a team of compliance officers whose sole job is to ensure ongoing company compliance. However, the HHS-OIG recognizes that small companies may not be able to devote this level of resources to DME compliance and allows for a single compliance officer. In some situations, it may be appropriate for a single employee to take on compliance as well as other job duties. However, larger companies may incur suspicion if they allow this type of job sharing, as it could be taken as a lack of commitment to compliance.

The duties of a compliance team include, but are not limited to:

• Assessing the regulatory environment in which the company operates;
• Working with outside suppliers to ensure compliance;
• Recommending additional compliance policies;
• Developing a system for identifying or referring potential violations;
• Determining how to deal with potential violations; and
• Monitoring internal and external audits to verify ongoing compliance with changing laws and regulations.

3. Conduct effective training and education among employees

The HHS-OIG notes that “The proper education and training of corporate officers, managers, employees and the continual retraining of current personnel at all levels, are significant elements of an effective compliance program.” Thus, having a comprehensive DME compliance policy in effect will not be enough to provide an organization’s commitment to operating within the framework of the law; the organization must also make a significant effort to educate all employees on its DME compliance policies.

The HHS-OIG recommends organizations hold a “general” training on compliance, requiring all employees to attend. Additionally, employees and contractors involved in sales and marketing should undergo additional training, outlining the compliance obligations specific to their roles. So too should employees who are involved in billing and claims development.

Generally, organizations should plan to conduct follow-up trainings on the current DME compliance policy. The idea is that a company can convey its commitment to compliance by repetitively keeping compliance at the front of everyone’s mind.

4. Maintain open and effective lines of communication

An otherwise comprehensive compliance program becomes much less effective if there are no means by which employees, suppliers and contractors can refer to potentially violative conduct. Thus, the HHS-OIG recommends that an organization make the compliance officer (or compliance team) accessible to anyone who has a DME compliance concern. Employees should also be made aware that they can report conduct anonymously and that any information they provide about another party or the company in general will not serve as the basis for any adverse action against them. For larger companies, the HHS-OIG recommends establishing a hotline.

5. Enforce standards through well-publicized disciplinary guidelines

Employees and others working with a DME company need to know the consequences of failing to remain in compliance. This includes not only internal disciplinary proceedings but also the possibility of civil or criminal liability under state and federal law.

DME companies should provide detailed guidelines explaining the “degree of disciplinary action” associated with non-compliant parties. The HHS-OIG specifically notes that “[i]ntentional or reckless noncompliance should subject transgressors to significant sanctions… [including]oral warnings, suspension, termination, or other sanctions, as appropriate.” However, each disciplinary action should be handled on a case-by-case basis.

6. Conduct internal monitoring and auditing

To best assess a DME company’s ongoing compliance obligations, an organization should engage in both internal and external audits. These audits should focus on identifying particular areas of DME compliance risk. When determining the appropriate frequency of an audit, a DME company may consider the company’s size and resources, its history of non-compliance, and the particular risk factors facing the organization.

7. Respond promptly to detected offenses and develop a corrective action plan

The HHS-OIG wants to see that a DME company has specific and clear procedures in place to investigate potential compliance issues. Chief among these policies is initiating a prompt investigation and referral to the appropriate state or federal law enforcement authority. However, inadvertent violations or those that do not rise to the level of potential fraud should still be reported to the company’s compliance officer. The compliance officer can then make an independent judgment about how to proceed with the information. If the compliance officer finds credible evidence to believe a violation of the law occurred, they should report it within 60 days. The HHS-OIG notes that doing so will be considered a mitigating factor when considering whether any administrative sanctions should be imposed.

While the seven elements of a DME compliance program provide significant guidance to companies, determining how to implement them in the context of a particular industry can be a challenge. Yet, having a comprehensive and effective compliance program is crucial for all healthcare providers and medical supplies, especially DME companies. Dr. Nick Oberheiden, a federal healthcare fraud defense attorney, explains:

DME companies face a unique set of regulatory challenges when it comes to remaining in compliance with the ever-changing state and federal regulations. Most management teams that find themselves in the middle of a fraud investigation had no intention of violating the law. However, due to the complexity of the regulations governing this industry, a DME company’s good intentions will only get it so far when it comes to a federal investigation. However, a detailed compliance program can act as a shield for DME companies facing an investigation because it will be evidence of the organization’s commitment to compliance.

Management teams of DME companies must take compliance seriously, as the failure to do so can result in unnecessary exposure to administrative sanctions, as well as possible civil or criminal liability. For these companies, few matters are more pressing than creating a comprehensive HHS-OIG compliance policy.