Corporate Compliance: How to Stay on the Right Side of the Fraud and Abuse Laws

Combating health care fraud and abuse is a growing federal government enforcement priority, with 1,866 criminal and 3,471 civil matters pending at the end of 1998. Significantly, the federal government imposes high standards on health care entities in an attempt to ensure that they comply with the Byzantine regulations and guidance that make up the federally funded health care programs. Many health care entities are turning to corporate compliance programs to address these concerns. Compliance plans have come to be seen as the key to staying on the right side of the fraud and abuse laws.

A compliance program has several benefits. First, an effective program can reduce the likelihood of violations by training employees as to what behavior is impermissible. Second, creating and implementing such a program can reduce certain criminal penalties for a health care entity if violations do arise. Third, an effective corporate compliance plan may be helpful in settlement negotiations with the federal government on both civil and administrative matters, framing the entity as a responsible corporate citizen. Finally, when done correctly, a compliance plan also can be good business, discovering little problems before they develop into big ones, and providing would-be "whistleblowers" with an outlet for disclosing a perceived wrong, rather than leaving them to file a qui tam suit under the False Claims Act.

This past winter, the Office of Inspector General ("OIG") of the Department of Health and Human Services introduced two new compliance guidance documents ("Guidance")-- one for third-party billing companies and another for the durable medical equipment, prosthetics, orthotics, and supplies ("DMEPOS") industry. Compliance guidance appears to be the manner in which the OIG is trying to engage the private health care community in addressing and fighting fraud and abuse.

"While enforcement is an essential element of the government's anti-fraud and abuse campaign, so is prevention," OIG Inspector General June Gibbs Brown recently stated. "And the cornerstone of our prevention efforts is the development of voluntary compliance guidance that will help the health care industry meet the high ethical and legal standards we expect of those doing business with the government."

The foundation of both Guidance documents mirrors the compliance elements set forth in the United States Federal Sentencing Guidelines ("Guidelines") and OIG's previously issued guidance for other health care entities. The seven elements articulated in these Guidelines include the following: (1) implementation of written policies, procedures and standards of conduct; (2) designation of a high-level compliance officer and other appropriate compliance officials; (3) development of training and education programs; (4) measures for receiving complaints; (5) enforcement of standards through well-publicized disciplinary directives; (6) performance of internal audits; and (7) prompt response to detected offenses through corrective action.

Weaving compliance into the fabric of an organization is consistent with the culture and values of most health care entities. However, because of cost, complexity or unfeasibility, some elements suggested by OIG may not be appropriate for all such entities. Nevertheless, OIG instructs companies to implement each of the seven elements. For example, OIG believes that, regardless of size or structure, every DMEPOS supplier can and should strive to accomplish the objectives and principles underlying all of the compliance policies and procedures recommended within the Guidance.

But not everyone agrees with OIG's position on this issue. Simply put, requiring all seven elements to apply to each and every health care company is neither reasonable nor feasible. A one-size-fits-all compliance program is particularly ill-suited for the DMEPOS industry, where some suppliers are small independents with limited resources, in comparison to others that are large chains with extensive financial assets and large staffs.

OIG issued the final DMEPOS guidance on [to be published in the Federal Register this week]. For the first time, the guidance included recommendations as to how small suppliers with limited resources can implement controls into their operations. While a welcomed acknowledgment of the unique challenges facing smaller entities, the addition of a short, stock paragraph at the conclusion of each section does not go far enough in recognizing the unique position of smaller organization.

Additional complications exist in the third-party billing company context. The nature of a billing company's third-party relationship provides unique challenges for these organizations in developing a compliance program that will promote adherence to applicable program requirements. An individual billing company may support a variety of providers, all with different specialties and, consequently, different statutory and regulatory frameworks. With this in mind, the OIG correctly recommends that billing companies coordinate with their provider-clients in establishing compliance responsibilities.

In the DMEPOS Guidance, OIG quite properly notes that superficial programs which have the appearance of compliance without being wholeheartedly adopted by the health care company will be ineffective. A "paper" compliance plan that says all the right things but is not embraced by the entity is worse than no plan at all. But OIG failed to reconcile this limitation with its requirement for full implementation of all seven compliance elements.

Copyright © 2000 Corrine P. Parver