Why Every Provider Must Establish and Maintain a Medicare/Medicaid Fraud and Abuse Program

Free Articles | Free Newsletters | Web Links

By Elizabeth E. Hogue, Esq.

Providers have heard or read about the importance of an internal Medicare/Medicaid Fraud and Abuse Compliance Program in their organizations. Despite the wealth of available information about Compliance Programs, many providers are still uncertain about their value. Here are some of the questions providers commonly ask about Compliance Programs:

1. Why should every provider have a Medicare/Medicaid Fraud and Abuse Compliance Program?

First, as a practical matter, when providers establish and maintain Compliance Programs it clearly discourages regulators from pursuing allegations of fraud and abuse violations.

Technically speaking, the Federal Sentencing Guidelines make it clear that establishment and implementation of Compliance Programs is considered to be a mitigating factor. That is, if accusations of criminal conduct are made, the punishment received may be substantially less severe as a result of a properly implemented Compliance Plan.

Practically speaking, providers with Compliance Plans are more likely to avoid fraud and abuse. This is because Plans routinely establish an obligation on the part of each employee to prevent fraud and abuse and the Plans include training for all employees.

Finally, Compliance Plans may help to prevent qui tam, or so-called “whistleblower” lawsuits by private individuals, as opposed to government enforcers, who believe that they have identified instances of fraud and abuse. Since “whistleblowers” receive a share of monies recovered as a result of their efforts, there are significant incentives to bring these legal actions. Some “whistleblowers” have received millions of dollars. Compliance Plans make it clear that employees have an obligation to bring any potential fraud and abuse issues to the attention of their employers FIRST.

2. We don't receive reimbursement from the Medicare or Medicaid Programs. Do we still need a Compliance Program?

Statutes and regulations governing fraud and abuse also apply to providers who participate in Medicaid waiver and other federal and state health care programs such as Tri-Care.

3. We hear that the Office of the Inspector General (OIG) of the U.S. Department for
Health and Human Services (DHHS) has developed “model” Compliance Plans for various segments of the healthcare industry. Specifically, the OIG has already published plans for clinical laboratories, hospitals, home health agencies, hospices, physicians' practices, third-party billing companies and home medical equipment companies. Should we just use the model Program that is applicable to us?

The answer is "no." A review of these "models" indicates that "model" is not an accurate description for this document. The "guidance" from the OIG consists of general guidelines and does not constitute a valid compliance plan. In addition, the OIG has made it clear that plans must be customized for each organization. Training to implement the program will still be necessary.

4. We have read that, before implementing Compliance Plans, providers must conduct an expensive internal audit that can take many months to complete. Is this true?

While beginning the compliance process with an extensive internal audit is certainly one way to proceed, it is not the only viable way to work toward compliance. It is equally valid to begin with a Compliance Plan that is customized for the organization that includes training for all employees about fraud and abuse and the Compliance Plan. Then all staff members can subsequently participate in internal compliance activities, including audits, with a process in place to handle any issues that arise as a result of the audits.

5. We have all sorts of policies and procedures in our organization. Why do we need something else called a Compliance Plan?

Compliance Plans are specific types of documents that are unfamiliar to many providers. They routinely include policies and procedures that are not included in those that providers usually implement. In addition, providers may not gain the benefits of the Federal Sentencing Guidelines described in paragraph one (1) above if there is no formal document called a Compliance Plan.

6. We just spent a lot of money to become accredited or reaccredited by the Joint Commission for the Accreditation of Healthcare Organizations (JCAHO) and or CHAP. Doesn't certification mean that we are in compliance?

On the contrary, a Compliance Program appropriately addresses potential fraud and abuse issues. It also includes mechanisms for compliance, such as a specified process for identification and correction of potential problems, that are not addressed during the certification process. In other words, organizations may be JCAHO or CHAP accredited, but fail to meet applicable standards for appropriate compliance activities.

7. Are Compliance Plans required?

Most providers are not currently required to have Compliance Plans in order to conduct business. It seems likely, however, that Compliance Plans will be required in order to receive Medicare and/or Medicaid reimbursement in the future. Compliance Plans are also “good business” in terms of internal prevention and correction of fraud and abuse before government enforcers, private individuals in qui tam, or “whistleblowers,” get involved.

8. Will the fact that our organization has a Compliance Plan make any difference with regard to the outcome of fraud and abuse investigations and the imposition of Corporate Integrity Agreements (CIA's)?

Yes, it is likely to make a considerable difference based on recent statements from the OIG. If the provider has a Compliance Plan in place during an investigation, the OIG is likely to be less aggressive in pursuing any potential violations. When the OIG actually discovers problems with fraud and abuse in organizations, providers are usually asked to develop and implement a CIA. The OIG often requires CIA's to include a process for stringent monitoring by the OIG on a continuous basis. These monitoring activities can be extremely burdensome to providers in terms of both time and money. The OIG recently announced, however, that providers with valid Compliance Programs will probably not be asked to develop and implement CIA's.

Now is the time for all providers to recognize and act upon the need to establish and maintain Compliance Programs. "Working on it" is no longer good enough.

Elizabeth E. Hogue, Esq.
15118 Liberty Grove Drive
Burtonsville, Maryland 20866
Office: 301-421-0143
Fax: 301-421-1699