The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) continues in its efforts to promote voluntarily developed and implemented compliance programs for the health care industry. The following compliance program guidance is intended to assist third-party medical billing companies (hereinafter referred to as "billing companies")⁽¹⁾ and their agents and subcontractors in developing effective internal controls that promote adherence to applicable Federal and State law, and the program requirements of Federal, State and private health plans.

Billing companies are becoming a vital segment of the national health care industry.⁽²⁾ Increasingly, health care providers⁽³⁾ are relying on billing companies to assist them in processing claims in accordance with applicable statutes and regulations. Additionally, health care providers are consulting with billing companies to provide timely and accurate advice regarding reimbursement matters, as well as overall business decision-making. As a result, the OIG considers the compliance guidance for third-party medical billing companies particularly important in the partnership to defeat health care fraud.

At this juncture, it is important to note the tremendous variation among billing companies in terms of the type of services⁽⁴⁾ and the manner in which these services are provided to their respective clients. For example, some billing companies code the bills for their provider clients, while others only process bills that have already been coded by the provider. Some billing companies offer a spectrum of management services, including accounts receivable management and bad debt collections, while others offer only one or none of these services. Clearly, variations in services give rise to different policies to ensure effective compliance. This guidance does not purport to provide instruction on all aspects of compliance. Rather, we have concentrated our attention on general Federal health care reimbursement principles. For those billing companies that focus their services in a particular sector of the health care industry, the billing company should also consult any compliance program guidance previously issued by the OIG for that particular sector.⁽⁵⁾

This guidance is pertinent for all billing companies, large or small, regardless of the type of services provided. The applicability of the recommendations and guidelines provided in this document depend on the circumstances of each particular billing company. However, regardless of the billing company's size and structure, the OIG believes every billing company can and should strive to accomplish the objectives and principles underlying all of the compliance policies and procedures recommended within this guidance.

Within this document, the OIG first provides its general views on the value and fundamental principles of billing company compliance programs, and then provides specific elements that each billing company should consider when developing and implementing an effective compliance program. Although this document presents basic procedural and structural guidance for designing a compliance program, it is not in itself a compliance program. Rather, it is a set of guidelines for consideration by a billing company interested in implementing a compliance program.

Fundamentally, compliance efforts are designed to establish a culture within a billing company that promotes prevention, detection and resolution of instances of conduct that do not conform to Federal and State law, and Federal, State and private payor health care program requirements, as well as the billing company's ethical and business policies. In practice, the compliance program should effectively articulate and demonstrate the organization's commitment to legal and ethical conduct. Eventually, a compliance program should become part of the fabric of routine billing company operations.

Specifically, compliance programs guide a billing company's governing body (e.g., boards of directors or trustees), chief executive officer (CEO), managers, billing and coding personnel and other employees in the efficient management and operation of the company. They are especially critical as an internal quality assurance control in reimbursement and payment areas, where claims and billing operations are often the source of fraud and abuse and, therefore, historically have been the focus of Government regulation, scrutiny and sanctions.

It is incumbent upon a billing company's corporate officers and managers to provide ethical leadership to the organization and to assure adequate systems are in place to facilitate and promote ethical and legal conduct. Employees, managers and the Government will focus on the words and actions of a billing company's leadership as a measure of the organization's commitment to compliance. Indeed, many billing companies have adopted mission statements articulating their commitment to high ethical standards. Compliance programs also provide a central coordinating mechanism for furnishing and disseminating information and guidance on applicable Federal and State statutes, regulations and other payor requirements.

The OIG believes that open and frequent communication⁽⁶⁾ between the billing company and the health care provider is fundamental to the success of any compliance endeavor. The OIG realizes billing companies are in a unique position with regard to establishing compliance programs. An individual billing company may support a variety of providers with different specialities and, consequently, different risk areas. It is with this in mind that the OIG strongly recommends the billing company coordinate with its provider clients to establish compliance responsibilities.⁽⁷⁾ Once the responsibilities have been clearly delineated, they should be formalized in the written contract between the provider and the billing company. Specifically, the OIG recommends that the contract enumerate those functions that are shared responsibilities and those that are the sole responsibility of either the billing company or the provider.

Implementing an effective compliance program requires a substantial commitment of time, energy and resources by senior management and the billing company's governing body. Superficial programs that simply purport to comply with the elements discussed and described in this guidance or programs hastily constructed and implemented without appropriate ongoing monitoring will likely be ineffective and could expose the billing company to greater liability than no program at all. Additionally, an ineffective compliance program may expose the billing company's provider clients to liability where those providers have relied on the billing company's expertise and its assurances of an effective compliance program. Although it may require significant additional resources or reallocation of existing resources to implement an effective compliance program, the long term benefits of implementing the program significantly outweigh the costs. Undertaking a voluntary compliance program is a beneficial investment that advances both the billing company's organization and the stability and solvency of the Medicare program.

A. BENEFITS OF A COMPLIANCE PROGRAM

The OIG believes an effective compliance program provides a mechanism that brings the public and private sectors together to reach mutual goals of reducing fraud and abuse, improving operational quality, improving the quality of health care and reducing the costs of health care. Attaining these goals provides positive results to business, Government and individual citizens alike. In addition to fulfilling its legal duty to ensure that it is not submitting false or inaccurate claims to Government and private payors, a billing company may gain numerous additional benefits by implementing an effective compliance program. These benefits may include:

The formulation of effective internal controls to assure compliance with Federal regulations, private payor policies and internal guidelines;

Improved medical record documentation;⁽⁸⁾

Improved collaboration, communication and cooperation among health care providers and those processing and using health information;

The ability to more quickly and accurately react to employees' operational compliance concerns and the capability to effectively target resources to address those concerns;

A more efficient communications system that establishes a clear process and structure for addressing compliance concerns quickly and effectively;

A concrete demonstration to employees and the community at large of the billing company's strong commitment to honest and responsible corporate conduct;

The ability to obtain an accurate assessment of employee and contractor behavior relating to fraud and abuse;

Increased likelihood of identification and prevention of criminal and unethical conduct;

A centralized source for distributing information on health care statutes, regulations and other program directives related to fraud and abuse and related issues;

A methodology that encourages employees to report potential problems;

Procedures that allow the prompt, thorough investigation of possible misconduct by corporate officers, managers, employees and independent contractors, who can impact billing decisions;

An improved relationship with the applicable Medicare contractor;

Early detection and reporting, minimizing the loss to the Government from false claims, and thereby reducing the billing company's exposure to civil damages and penalties, criminal sanctions, and administrative remedies, such as program exclusion;⁽⁹⁾ and

Enhancement of the structure of the billing company's operations and the consistency between separate business units.

Overall, the OIG believes that an effective compliance program is a sound business investment on the part of a billing company.

The OIG recognizes the implementation of an effective compliance program may not entirely eliminate fraud, abuse and waste from an organization. However, a sincere effort by billing companies to comply with applicable Federal and State standards, as well as the requirements of private health care programs, through the establishment of an effective compliance program, significantly reduces the risk of unlawful or improper conduct.

B. APPLICATION OF COMPLIANCE PROGRAM GUIDANCE

Given the diversity in size and services offered by billing companies within the industry, there is no single "best" compliance program. The OIG understands the variances and complexities within the industry and is sensitive to the differences between large and small billing companies. Similarly, the OIG understands the availability of resources for any one billing company can differ vastly, given that billing companies vary greatly in the type of services offered and the manner that they are provided. Nonetheless, elements of this guidance can be used by all billing companies, regardless of size, location or corporate structure, to establish an effective compliance program. The OIG recognizes some billing companies may not be able to adopt certain elements to the same comprehensive degree that others with more extensive resources may achieve. This guidance represents the OIG's suggestions on how a billing company can best establish internal controls and monitor company conduct to correct and prevent fraudulent activities. By no means should the contents of this guidance be viewed as an exclusive discussion of the advisable elements of a compliance program. On the contrary, the OIG strongly encourages billing companies to develop and implement compliance elements that uniquely address the individual billing company's risk areas.

The OIG appreciates that the success of the compliance program guidance hinges on thoughtful and practical comments from those individuals and organizations that will utilize the tools set forth in this document. In a continuing effort to collaborate closely with the private sector, the OIG solicited input and support from representatives of the major trade associations in the development of this compliance program guidance. Further, we took into consideration previous OIG publications, such as Special Fraud Alerts,⁽¹⁰⁾ the recent findings and recommendations in reports issued by OIG's Office of Audit Services, comments from the Health Care Financing Administration, as well as the experience of past and recent fraud investigations related to billing companies conducted by OIG's Office of Investigations and the Department of Justice.

As appropriate, this guidance may be modified and expanded as more information and knowledge is obtained by the OIG, and as changes in the law, and in the rules, policies and procedures of the Federal, State and private health plans occur. The OIG understands billing companies will need adequate time to react to these modifications and expansions and to make any necessary changes to their voluntary compliance programs. New compliance practices may eventually be incorporated into this guidance if the OIG discovers significant enhancements to better ensure an effective compliance program. We recognize the development and implementation of compliance programs in billing companies often raise sensitive and complex legal and managerial issues.⁽¹¹⁾ However, the OIG wishes to offer what it believes is critical guidance for those who are sincerely attempting to comply with the relevant health care statutes and regulations.

II. COMPLIANCE PROGRAM ELEMENTS

The elements proposed by these guidelines are similar to those of the clinical laboratory model compliance program guidance published by the OIG in February 1997 (updated in August 1998), the hospital compliance program guidance published in February 1998, the home health compliance program guidance published in August 1998⁽¹²⁾ and our corporate integrity agreements.⁽¹³⁾ The elements represent a guide that can be tailored to fit the needs and financial realities of a particular billing company, large or small, regardless of the type of services offered. The OIG is cognizant that with regard to compliance programs, one model is not suitable to every organization. Nonetheless, the OIG believes every billing company, regardless of size, structure or services offered can benefit from the principles espoused in this guidance.

The OIG firmly believes every effective compliance program must begin with a formal commitment⁽¹⁴⁾ by the billing company's governing body to include all of the applicable elements listed below. These elements are based on the seven steps of the Federal Sentencing Guidelines.⁽¹⁵⁾ We believe every billing company can implement all of the recommended elements, expanding upon the seven steps of the Federal Sentencing Guidelines. The OIG recognizes full implementation of all elements may not be immediately feasible for all billing companies. However, as a first step, a good faith and meaningful commitment on the part of the billing company administration, especially the governing body and the CEO, will substantially contribute to the program's successful implementation. As the compliance program is implemented, that commitment should cascade down through the management to every employee in the organization.

At a minimum, comprehensive compliance programs should include the following seven elements:

(1) The development and distribution of written standards of conduct, as well as written policies and procedures that promote the billing company's commitment to compliance (e.g., by including adherence to the compliance program as an element in evaluating managers and employees) and that address specific areas of potential fraud, such as the claims submission process, code gaming and financial relationships with its providers;

(2) The designation of a chief compliance officer and other appropriate bodies, e.g., a corporate compliance committee, charged with the responsibility of operating and monitoring the compliance program and who report directly to the CEO and the governing body;⁽¹⁶⁾

(3) The development and implementation of regular, effective education and training programs for all affected employees;⁽¹⁷⁾

(4) The creation and maintenance of a process, such as a hotline, to receive complaints and the adoption of procedures to protect the anonymity of complainants and to protect callers from retaliation;

(5) The development of a system to respond to allegations of improper/illegal activities and the enforcement of appropriate disciplinary action against employees who have violated internal compliance policies, applicable statutes, regulations or Federal, State or private payor health care program requirements;

(6) The use of audits and/or other risk evaluation techniques to monitor compliance and assist in the reduction of identified problem areas;⁽¹⁸⁾ and

(7) The investigation and correction of identified systemic problems and the development of policies addressing the non-employment of sanctioned individuals.

A. WRITTEN POLICIES AND PROCEDURES

Every compliance program should require the development and distribution of written compliance policies, standards and practices that identify specific areas of risk and vulnerability to the billing company. These policies should be developed under the direction and supervision of the chief compliance officer and the compliance committee (if such a committee is practicable for the billing company) and, at a minimum, should be provided to all individuals who are affected by the particular policy at issue, including the billing company's agents and independent contractors⁽¹⁹⁾ who may affect billing decisions.

1. Standards of Conduct

Billing companies should develop standards of conduct for all affected employees that include a clearly delineated commitment to compliance by the billing company's senior management⁽²⁰⁾ and its divisions. The standards should function in the same fashion as a constitution, i.e., as a foundational document that details the fundamental principles, values and framework for action within an organization. Standards should articulate the billing company's commitment to comply with all Federal and State standards, with an emphasis on preventing fraud and abuse. They should state the organization's mission, goals and ethical principles relating to compliance and clearly define the organization's commitment to compliance and its expectations for all billing company governing body members, officers, managers, employees and, where appropriate, contractors and other agents. The standards should promote integrity, support objectivity and foster trust. Standards should not only address compliance with statutes and regulations, but should also set forth broad principles that guide employees in conducting business professionally and properly. Furthermore, a billing company's standards of conduct should reflect a commitment to the highest quality health data submission, as evidenced by its accuracy, reliability, timeliness and validity.

2. Written Policies for Risk Areas

As part of its commitment to compliance, billing companies should establish a comprehensive set of policies that delineate billing and coding procedures for the company. In contrast to the standards of conduct, which are designed to be a clear and concise collection of fundamental standards, the written policies should articulate specific procedures personnel should follow when submitting initial or follow-up claims to Federal health care programs.

Among the issues to be addressed in the polices are the education and training requirements for billing and coding personnel; the risk areas for fraud, waste and abuse; the integrity of the billing company's information system; the methodology for resolving ambiguities in the provider's paperwork;⁽²¹⁾ the procedure for identifying and reporting credit balances; and the procedure to ensure duplicate bills are not submitted in an attempt to gain duplicate payment.

Billing companies that provide coding services should provide additional policies for risk areas that apply specifically to coding.⁽²²⁾ The policies and procedures should describe the necessary steps to take in reviewing a billing document. Specific attention should be placed on the proper steps the coder should take if unable to locate a code for a documented diagnosis or procedure or if the medical record documentation is not sufficient to determine a diagnosis or procedure.⁽²³⁾ Billing companies that provide additional services should consider consulting an attorney for guidance on other regulatory issues.⁽²⁴⁾

a. Risk Assessment - All Billing Companies

The OIG believes a billing company's written policies and procedures, its educational program and its audit and investigation plans should take into consideration the particular statutes, rules and program instructions that apply to each function or department of the billing company. Consequently, we recommend coordination between these functions with an emphasis on areas of special concern that have been identified by the OIG through its investigative and audit functions.⁽²⁵⁾ Furthermore, the OIG recommends that billing companies conduct a comprehensive self-administered risk analysis or contract for an independent risk analysis by experienced health care consulting professionals. This risk analysis should identify and rank the various compliance and business risks the company may experience in its daily operations.

Once completed, the risk analysis should serve as the basis for the written policies the billing company should develop. The OIG has provided the following specific list of particular risk areas that should be addressed by billing companies. It should be noted that this list is not all-encompassing and the risk analysis completed as a result of the company's audit may provide a more individualized roadmap. Nonetheless, this list is a compilation of several years of OIG audits, investigations and evaluations and should provide a solid starting point for a company's initial effort.

Among the risk areas the OIG has identified as particularly problematic are:⁽²⁶⁾

Billing for items or services not actually documented;⁽²⁷⁾

Unbundling;⁽²⁸⁾

Upcoding,⁽²⁹⁾ such as, for example, "DRG creep;"⁽³⁰⁾

Inappropriate balance billing;⁽³¹⁾

Inadequate resolution of overpayments;⁽³²⁾

Lack of integrity in computer systems;⁽³³⁾

Computer software programs that encourage billing personnel to enter data in fields indicating services were rendered though not actually performed or documented;

Failure to maintain the confidentiality of information/records;⁽³⁴⁾

Knowing misuse of provider identification numbers, which results in improper billing;⁽³⁵⁾

Outpatient services rendered in connection with inpatient stays;⁽³⁶⁾

Duplicate billing in an attempt to gain duplicate payment;⁽³⁷⁾

Billing for discharge in lieu of transfer;⁽³⁸⁾

Failure to properly use modifiers;⁽³⁹⁾

Billing company incentives that violate the anti-kickback statute or other similar Federal or State statute or regulation;⁽⁴⁰⁾

Joint ventures;⁽⁴¹⁾

Routine waiver of copayments and billing third-party insurance only;⁽⁴²⁾ and

Discounts and professional courtesy.⁽⁴³⁾

A billing company's prior history of noncompliance with applicable statutes, regulations and Federal health care program requirements may indicate additional types of risk areas where the billing company may be vulnerable and may require necessary policy measures to prevent avoidable recurrence.⁽⁴⁴⁾ Additional risk areas should be assessed by billing companies as well as incorporated into the written policies and procedures and training elements developed as part of their compliance programs.

Billing companies that do not code bills should implement policies that require notification to the provider who is coding to implement and follow compliance safeguards with respect to documentation of services rendered. Moreover, the OIG recommends that billing companies who do not code for their provider clients incorporate in their contractual agreements the provider's acknowledgment and agreement to address the following coding compliance safeguards.⁽⁴⁵⁾

b. Risk Assessment - Billing Companies that Provide Coding Services

The written policies and procedures concerning proper coding should reflect the current reimbursement principles set forth in applicable statutes, regulations⁽⁴⁶⁾ and Federal, State or private payor health care program requirements and should be developed in tandem with organizational standards. Furthermore, written policies and procedures should ensure that coding and billing are based on medical record documentation. Particular attention should be paid to issues of appropriate diagnosis codes, DRG coding, individual Medicare Part B claims (including documentation guidelines for evaluation and management services) and the use of patient discharge codes.⁽⁴⁷⁾ The billing company should also institute a policy that all rejected claims pertaining to diagnosis and procedure codes be reviewed by the coder or the coding department. This should facilitate a reduction in similar errors. Among the risk areas that billing companies who provide coding services should address are:

Internal coding practices;⁽⁴⁸⁾

"Assumption" coding;⁽⁴⁹⁾

Alteration of the documentation;

Coding without proper documentation⁽⁵⁰⁾ of all physician and other professional services;

Billing for services provided by unqualified or unlicensed clinical personnel;

Availability of all necessary documentation at the time of coding; and

Employment of sanctioned individuals.⁽⁵¹⁾

Billing companies that provide coding services should maintain an up-to-date, user-friendly index for coding policies and procedures to ensure that specific information can be readily located. Similarly, for billing companies that provide coding services, the billing company should assure that essential coding materials are readily accessible to all coding staff.⁽⁵²⁾ Finally, billing companies should emphasize in their standards the importance of safeguarding the confidentiality of medical, financial and other personal information in their possession.

3. Claim Submission Process

A number of the risk areas identified above, pertaining to the claim development and submission process, have been the subject of administrative proceedings, as well as investigations and prosecutions under the civil False Claims Act and criminal statutes. Settlement of these cases often has required the defendants to execute corporate integrity agreements, in addition to paying significant civil damages and/or criminal fines and penalties. These corporate integrity agreements have provided the OIG with a mechanism to advise billing companies concerning acceptable practices to ensure compliance with applicable Federal and State statutes, regulations and program requirements. The following recommendations include a number of provisions from various corporate integrity agreements. Although these recommendations include examples of effective policies, each billing company should develop its own specific policies tailored to fit its individual needs.

With respect to claims, a billing company's written policies and procedures should reflect and reinforce current Federal and State statutes. The policies must create a mechanism for the billing or reimbursement staff to communicate effectively and accurately with the health care provider. Policies and procedures should:

Ensure that proper and timely documentation of all physician and other professional services is obtained prior to billing to ensure that only accurate and properly documented services are billed;

Emphasize that claims should be submitted only when appropriate documentation supports the claims and only when such documentation is maintained, appropriately organized in legible form and available for audit and review. The documentation, which may include patient records, should record the time spent in conducting the activity leading to the record entry and the identity of the individual providing the service;

Indicate that the diagnosis and procedures reported on the reimbursement claim should be based on the medical record and other documentation and that the documentation necessary for accurate code assignment should be available to coding staff at the time of coding. The Health Care Financing Administration Common Procedure Coding System (HCPCS), International Classification of Disease (ICD), Current Procedural Terminology (CPT), any other applicable code or revenue code (or successor code(s)) used by the coding staff should accurately describe the service that was ordered by the physician;

Provide that the compensation for billing department coders and billing consultants should not provide any financial incentive to improperly upcode claims;⁽⁵³⁾

Establish and maintain a process for pre- and post-submission review of claims⁽⁵⁴⁾ to ensure claims submitted for reimbursement accurately represent services provided, are supported by sufficient documentation and are in conformity with any applicable coverage criteria for reimbursement; and

Obtain clarification from the provider when documentation is confusing or lacking adequate justification.

Because coding for providers often involves the interpretation of medical diagnosis and other clinical data and documentation, a billing company may wish to contract with/assign a qualified physician to provide guidance to the coding staff regarding clinical issues. Procedures should be in place to access medical experts when necessary. Such procedures should allow for medical personnel to be available for guidance without interrupting or interfering with the quality of patient care.

4. Credit Balances

Credit balances occur when payments, allowances or charge reversals posted to an account exceed the charges to the account. Providers and their billers should establish policies and procedures, as well as responsibility, for timely and appropriate identification and resolution of these overpayments.⁽⁵⁵⁾ For example, a billing company may redesignate segments of its information system to allow for the segregation of patient accounts reflecting credit balances. The billing company could remove these accounts from the active accounts and place them in a holding account pending the processing of a reimbursement claim to the appropriate payor. A billing company's information system should have the ability to print out the individual patient accounts that reflect a credit balance in order to permit simplified tracking of credit balances. The billing company should maintain a complete audit trail of all credit balances.

In addition, a billing company should designate at least one person (e.g., in the patient accounts department or reasonable equivalent thereof) as having the responsibility for the tracking, recording and reporting of credit balances. Further, a comptroller or an accountant in the billing company's accounting department (or reasonable equivalent thereof) may review reports of credit balances and adjustments on a monthly basis as an additional safeguard.

5. Integrity of Data Systems

Increasingly, the health care industry is using electronic data interchange (EDI) to conduct business more quickly and efficiently. As a result, the industry is relying on the capabilities of computers. Billing companies should establish procedures for maintaining the integrity of its data collection systems. This should include procedures for regularly backing-up data (either by diskette, restricted system or tape) to ensure the accuracy of all data collected in connection with submission of claims and reporting of credit balances. At all times, the billing company should have a complete and accurate audit trail. Additionally, billing companies should develop a system to prevent the contamination of data by outside parties. This system should include regularly scheduled virus checks. Finally, billing companies should ensure that electronic data are protected against unauthorized access or disclosure.

6. Retention of Records

Billing company compliance programs should provide for the implementation of a records system. This system should establish policies and procedures regarding the creation, distribution, retention, storage, retrieval and destruction of documents. The three types of documents developed under this system should include: 1) all records and documentation required by either Federal or State law and the program requirements of Federal, State and private health plans (for billing companies, this should include all documents related to the billing and coding process); 2) records listing the persons responsible for implementing each part of the compliance plan; and 3) all records necessary to protect the integrity of the billing company's compliance process and confirm the effectiveness of the program. The documentation necessary to satisfy the third requirement includes: evidence of adequate employee training; reports from the billing company's hotline; results of any investigation conducted as a consequence of a hotline call; modifications to the compliance program; self-disclosure; all written notifications to providers;⁽⁵⁶⁾ and the results of the billing company's auditing and monitoring efforts.

7. Compliance as an Element of a Performance Plan

Compliance programs should require that the promotion of, and adherence to, the elements of the compliance program be a factor in evaluating the performance of all employees. Employees should be periodically trained in new compliance policies and procedures. In addition, all managers and supervisors involved in the coding and claims submission processes should:

Discuss with all supervised employees and relevant contractors the compliance policies and legal requirements applicable to their function;

Inform all supervised personnel that strict compliance with these policies and requirements is a condition of employment; and

Disclose to all supervised personnel that the billing company will take disciplinary action up to and including termination for violation of these policies or requirements.

In addition to making performance of these duties an element in evaluations, the compliance officer or company management should include a policy that managers and supervisors will be sanctioned for failure to instruct adequately their subordinates or for failure to detect noncompliance with applicable policies and legal requirements, where reasonable diligence on the part of the manager or supervisor should have led to the discovery of any problems or violations.

B. DESIGNATION OF A COMPLIANCE OFFICER AND A COMPLIANCE COMMITTEE

1. Compliance Officer

Every billing company should designate a compliance officer to serve as the focal point for compliance activities. This responsibility may be the individual's sole duty or added to other management responsibilities, depending upon the size and resources of the billing company and the complexity of the task. For those billing companies that have limited resources, the compliance function could be outsourced to an expert in compliance.⁽⁵⁷⁾

Designating a compliance officer with the appropriate authority is critical to the success of the program, necessitating the appointment of a high-level official in the billing company with direct access to the company's governing body, the CEO, all other senior management and legal counsel.⁽⁵⁸⁾ The officer should have sufficient funding and staff to perform his or her responsibilities fully. Coordination and communication are the key functions of the compliance officer with regard to planning, implementing and monitoring the compliance program. With this in mind, the OIG recommends the billing company's compliance officer closely coordinate compliance functions with the provider's compliance officer.

The compliance officer's primary responsibilities should include:

Overseeing and monitoring the implementation of the compliance program;⁽⁵⁹⁾

Reporting on a regular basis to the billing company's governing body, CEO and compliance committee (if applicable) on the progress of implementation, and assisting these components in establishing methods to improve the billing company's efficiency and quality of services and to reduce the billing company's vulnerability to fraud, abuse and waste;

Periodically revising the program in light of changes in the organization's needs and in the law and policies and procedures of Government and private payor health plans;

Reviewing employees' certifications that they have received, read and understood the standards of conduct;

Developing, coordinating and participating in a multifaceted educational and training program that focuses on the elements of the compliance program and seeks to ensure that all appropriate employees and management are knowledgeable of, and comply with, pertinent Federal and State standards;

Coordinating personnel issues with the billing company's human resources/personnel office (or its equivalent) to ensure that providers and employees do not appear in the Cumulative Sanction Report;⁽⁶⁰⁾

Assisting the billing company's financial management in coordinating internal compliance review and monitoring activities, including annual or periodic reviews of departments;

Independently investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations (e.g., responding to reports of problems or suspected violations) and any resulting corrective action with all billing departments, providers and sub-providers, agents and, if appropriate, independent contractors;

Developing policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation; and

Continuing the momentum of the compliance program and the accomplishment of its objectives long after the initial years of implementation.⁽⁶¹⁾

The compliance officer must have the authority to review all documents and other information that are relevant to compliance activities, including, but not limited to, patient records (where appropriate), billing records and records concerning the marketing efforts of the facility and the billing company's arrangements with other parties, including employees, professionals on staff, relevant independent contractors, suppliers, agents, supplemental staffing entities and physicians. This policy enables the compliance officer to review contracts and obligations (seeking the advice of legal counsel, where appropriate) that may contain referral and payment provisions that could violate statutory or regulatory requirements.

In addition, the compliance officer should be copied on the results of all internal audit reports and work closely with key managers to identify aberrant trends in the coding and billing areas. The compliance officer should ascertain patterns that require a change in policy and forward these issues to the compliance committee to remedy the problem. A compliance officer should have full authority to stop the processing of claims that he or she believes are problematic until such time as the issue in question has been resolved.

2. Compliance Committee

The OIG recommends, where feasible,⁽⁶²⁾ that a compliance committee be established to advise the compliance officer and assist in the implementation of the compliance program.⁽⁶³⁾ When assembling a team of people to serve as the billing company's compliance committee, the company should include individuals with a variety of skills.⁽⁶⁴⁾ Appropriate members of the compliance committee include the director of billing and the director of coding. The OIG strongly recommends that the compliance officer manage the compliance committee. Once a billing company chooses the people that will accept the responsibilities vested in members of the compliance committee, the billing company must train these individuals on the policies and procedures of the compliance program.

The committee's responsibilities should include:

Analyzing the organization's regulatory environment, the legal requirements with which it must comply⁽⁶⁵⁾ and specific risk areas;

Assessing existing policies and procedures that address these areas for possible incorporation into the compliance program;

Working with appropriate departments to develop standards of conduct and policies and procedures that promote allegiance to the company's compliance program;⁽⁶⁶⁾

Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization's standards, policies and procedures as part of its daily operations;

Determining the appropriate strategy/approach to promote compliance with the program and detection of any potential violations, such as through hotlines and other fraud reporting mechanisms;

Developing a system to solicit, evaluate and respond to complaints and problems; and

Monitoring internal and external audits and investigations for the purpose of identifying troublesome issues and deficient areas experienced by the billing company and implementing corrective and preventive action.

The committee may also address other functions as the compliance concept becomes part of the overall operating structure and daily routine.

C. CONDUCTING EFFECTIVE TRAINING AND EDUCATION

1. Initial Training in Compliance

The proper education and training of corporate officers, managers, employees, and the continual retraining of current personnel at all levels, are significant elements of an effective compliance program. In order to ensure the appropriate information is being disseminated to the correct individuals, the training should be separated into two sessions, depending on the employees' involvement in the submission of claims for reimbursement. All employees should attend the general session on compliance, while employees whose job primarily focuses on submission of claims for reimbursement should be the participants in the detailed sessions.

In the development of a training program, the billing company should consult with its provider clients to ensure that a consistent message is being delivered and avoid any potential conflicts in the implementation of policies and procedures.

a. General Sessions

As part of their compliance programs, billing companies should require all affected personnel to attend training on an annual basis, including appropriate training in Federal and State statutes, regulations and guidelines, the policies of private payors and training in corporate ethics. The general training sessions should emphasize the organization's commitment to compliance with these legal requirements and policies.

These training programs should include sessions highlighting the organization's compliance program, summarizing fraud and abuse statutes and regulations, Federal, State and private payor health care program requirements, coding requirements, claim submission processes and marketing practices that reflect current legal and program standards. The organization must take steps to communicate effectively its standards and procedures to all affected employees, physicians, independent contractors and other significant agents, e.g., by requiring participation in training programs and disseminating publications that explain specific requirements in a practical manner.⁽⁶⁷⁾ Managers of specific departments or groups can assist in identifying areas that require training and in carrying out such training.⁽⁶⁸⁾ Training instructors may come from outside or inside the organization. New employees should be targeted for training early in their employment.⁽⁶⁹⁾

As part of the initial training, the standards of conduct should be distributed to all employees.⁽⁷⁰⁾ At the end of this training session, every employee, as well as contracted consultants, should be required to sign and date a statement that reflects the employee's knowledge of and commitment to the standards of conduct.

This attestation should be retained in the employee's personnel file. For contracted consultants, the attestation should become part of the contract and remain in the file that contains such documentation. Further, to assist in ensuring employees continuously meet the expected high standards set forth in the code of conduct, any employee handbook delineating or expanding upon these standards of conduct should be regularly updated as applicable statutes, regulations and Federal health care program requirements are modified.⁽⁷¹⁾ Billing companies should provide an additional attestation in the modified standards that stipulates the employee's knowledge of and commitment to the modifications.

b. Coding and Billing Training

In addition to specific training in the risk areas identified in section II.A.2, above, primary training to appropriate corporate officers, managers and other billing company staff should include such topics as:

Specific Government and private payor reimbursement principles;⁽⁷²⁾

General prohibitions on paying or receiving remuneration to induce referrals;

Proper selection and sequencing of diagnoses;

Improper alterations to documentation;

Submitting a claim for physician services when rendered by a non-physician (i.e., the "incident to" rule and the physician physical presence requirement);

Proper documentation of services rendered, including the correct application of official coding rules and guidelines;

Signing a form for a physician without the physician's authorization; and

Duty to report misconduct.

Clarifying and emphasizing these areas of concern through training and educational programs are particularly relevant to a billing company's marketing and financial personnel, in that the pressure to meet business goals may render these employees particularly vulnerable to engaging in prohibited practices.

2. Format of the Training Program

The OIG suggests all relevant levels of personnel be made part of various educational and training programs of the billing company.⁽⁷³⁾ Employees should be required to have a minimum number of educational hours per year, as appropriate, as part of their employment responsibilities.⁽⁷⁴⁾ For example, as discussed above, certain employees involved in billing functions should be required to attend periodic training in applicable reimbursement coverage and documentation of records.⁽⁷⁵⁾

A variety of teaching methods, such as interactive training and training in several different languages, particularly where a billing company has a culturally diverse staff, should be implemented so that all affected employees are knowledgeable about the institution's standards of conduct and procedures for alerting senior management to problems and concerns.⁽⁷⁶⁾ Targeted training should be provided to corporate officers, managers and other employees whose actions affect the accuracy of the claims submitted to the Government, such as employees involved in the coding, billing and marketing processes. All training materials should be designed to take into account the skills, knowledge and experience of the individual trainees. Given the complexity and interdependent relationships of many departments, it is important for the compliance officer to supervise and coordinate the training program.

The OIG recommends attendance and participation at training programs be made a condition of continued employment and that failure to comply with training requirements should result in disciplinary action, including possible termination, when such failure is serious. Adherence to the provisions of the compliance program, such as training requirements, should be a factor in the annual evaluation of each employee. The billing company should retain adequate records of its training of employees, including attendance logs and material distributed at training sessions.

3. Continuing Education on Compliance Issues

It is essential that compliance issues remain at the forefront of the billing company's priorities. The OIG recommends billing company compliance programs address the need for periodic professional education courses for billing company personnel. In particular, the billing company should ensure that coding personnel receive annual professional training on the updated codes for the current year.

In order to maintain a sense of seriousness about compliance in the billing company's operations, the billing company must continue to disseminate the compliance message. One effective mechanism for maintaining a consistent presence of the compliance message is to publish a monthly newsletter to address compliance concerns. This would allow the billing company to address specific examples of problems the company encountered during its ongoing audits and risk analysis, while reinforcing the company's firm commitment to the general principles of compliance and ethical conduct. The newsletter could also include the risk areas published by the OIG in its Special Fraud Alerts. Finally, the billing company could use the newsletter as a mechanism to address areas of ambiguity in the coding and billing process. The billing company should maintain its newsletters in a central location to document the guidance offered and provide new employees with access to guidance previously provided.

D. DEVELOPING EFFECTIVE LINES OF COMMUNICATION

1. Access to the Compliance Officer

An open line of communication between the compliance officer and the billing company personnel is equally important to the successful implementation of a compliance program and the reduction of any potential for fraud, abuse and waste. Written confidentiality and non-retaliation policies should be developed and distributed to all employees to encourage communication and the reporting of incidents of potential fraud.⁽⁷⁷⁾ The compliance committee should also develop several independent reporting paths for an employee to report fraud, waste or abuse so that such reports cannot be diverted by supervisors or other personnel.

The OIG encourages the establishment of procedures for personnel to seek clarification from the compliance officer or members of the compliance committee in the event of any confusion or question regarding a company policy, practice or procedure. Questions and responses should be documented and dated and, if appropriate, shared with other staff so that standards, policies, practices and procedures can be updated and improved to reflect any necessary changes or clarifications. The compliance officer may want to solicit employee input in developing these communication and reporting systems.

2. Hotlines and Other Forms of Communication

The OIG encourages the use of hotlines⁽⁷⁸⁾ (including anonymous hotlines), e-mails, written memoranda, newsletters and other forms of information exchange to maintain these open lines of communication.⁽⁷⁹⁾ If the billing company establishes a hotline, the telephone number should be made readily available to all employees and independent contractors, by circulating the number on wallet cards or conspicuously posting the telephone number in common work areas.⁽⁸⁰⁾ Employees should be permitted to report matters on an anonymous basis. Matters reported through the hotline or other communication sources that suggest substantial violations of compliance policies, Federal, State or private payor health care program requirements, regulations or statutes should be documented and investigated promptly to determine their veracity. A log should be maintained by the compliance officer that records such calls, including the nature of any investigation and its results.⁽⁸¹⁾ Such information should be included in reports to the governing body, the CEO and compliance committee.⁽⁸²⁾ Further, while the billing company should always strive to maintain the confidentiality of an employee's identity, it should also explicitly communicate that there may be a point where the individual's identity may become known or may have to be revealed.

The OIG recognizes that assertions of fraud and abuse by employees who may have participated in illegal conduct or committed other malfeasance raise numerous complex legal and management issues that should be examined on a case-by-case basis. The compliance officer should work closely with legal counsel, who can provide guidance regarding such issues.

E. ENFORCING STANDARDS THROUGH WELL-PUBLICIZED DISCIPLINARY GUIDELINES

1. Discipline Policy and Actions

An effective compliance program should include guidance regarding disciplinary action for corporate officers, managers and employees who have failed to comply with the billing company's standards of conduct, policies and procedures, Federal, State or private payor health care program requirements, or Federal and State laws, or those who have otherwise engaged in wrongdoing, which has the potential to impair the billing company's status as a reliable, honest and trustworthy organization.

The OIG believes the compliance program should include a written policy statement setting forth the degrees of disciplinary actions that may be imposed upon corporate officers, managers and employees for failing to comply with the billing company's standards and policies and applicable statutes and regulations. Intentional or reckless noncompliance should subject transgressors to significant sanctions. Such sanctions could range from oral warnings to suspension, termination or financial penalties, as appropriate. Each situation must be considered on a case-by-case basis to determine the appropriate sanction. The written standards of conduct should elaborate on the procedures for handling disciplinary problems and identify who will be responsible for taking appropriate action. Some disciplinary actions can be handled by department managers, while others may have to be resolved by a senior manager. Disciplinary action may be appropriate where a responsible employee's failure to detect a violation is attributable to his or her negligence or reckless conduct. Personnel should be advised by the billing company that disciplinary action will be taken on a fair and equitable basis. Managers and supervisors should be made aware that they have a responsibility to discipline employees in an appropriate and consistent manner.

It is vital to publish and disseminate the range of possible disciplinary actions for improper conduct and to educate officers and other staff regarding these standards. The consequences of noncompliance should be consistently applied and enforced for the disciplinary policy to have the required deterrent effect. All levels of employees should be subject to the same disciplinary action for the commission of similar offenses. The commitment to compliance applies to all personnel levels within a billing company. The OIG believes that corporate officers, managers and supervisors should be held accountable for failing to comply with, or for the foreseeable failure of their subordinates to adhere to, the applicable standards, laws, rules, program instructions and procedures.

2. New Employee Policy

For all new employees who have discretionary authority to make decisions that may involve compliance with the law or compliance oversight, billing companies should conduct a reasonable and prudent background investigation, including a reference check, as part of every such employment application. The application should specifically require the applicant to disclose any criminal conviction, as defined by 42 U.S.C. § 1320a-7(i), or exclusion action. Pursuant to the compliance program, billing company policies should prohibit the employment of individuals who have been recently convicted of a criminal offense related to health care or who are listed as debarred, excluded or otherwise ineligible for participation in Federal health care programs.⁽⁸³⁾ In addition, pending the resolution of any criminal charges or proposed debarment or exclusion, the OIG recommends that such individuals should be removed from direct responsibility for, or involvement in, any Federal health care program.⁽⁸⁴⁾ Similarly, with regard to current employees or independent contractors, if resolution of the matter results in conviction, debarment or exclusion, then the billing company should remove the individual from direct responsibility for or involvement with all Federal health care programs.

F. AUDITING AND MONITORING

An ongoing evaluation process is critical to a successful compliance program. The OIG believes an effective program should incorporate thorough monitoring of its implementation and regular reporting to senior company officers.⁽⁸⁵⁾ Compliance reports created by this ongoing monitoring, including reports of suspected noncompliance, should be maintained by the compliance officer and reviewed with the billing company's senior management and the compliance committee. The extent and frequency of the audit function may vary depending on factors such as the size of the company, the resources available to the company, the company's prior history of noncompliance and the risk factors that are prevalent in a particular billing company.

Although many monitoring techniques are available, one effective tool to promote and ensure compliance is the performance of regular, periodic compliance audits by internal or external auditors who have expertise in Federal and State health care statutes, regulations, and Federal, State and private payor health care program requirements. The audits should focus on the billing company's programs or divisions, including external relationships with third-party contractors, specifically those with substantive exposure to Government enforcement actions. At a minimum, these audits should be designed to address the billing company's compliance with laws governing kickback arrangements, coding practices, claim submission, reimbursement and marketing. In addition, the audits and reviews should examine the billing company's compliance with specific rules and policies that have been the focus of particular attention on the part of the Medicare fiscal intermediaries or carriers, and law enforcement, as evidenced by OIG Special Fraud Alerts, OIG audits and evaluations, and law enforcement's initiatives.⁽⁸⁶⁾ In addition, the billing company should focus on any areas of specific concern identified within that billing company and those that may have been identified by any outside agency, whether Federal or State.

Monitoring techniques may include sampling protocols that permit the compliance officer to identify and review variations from an established baseline.⁽⁸⁷⁾ Significant variations from the baseline should trigger a reasonable inquiry to determine the cause of the deviation. If the inquiry determines that the deviation occurred for legitimate, explainable reasons, the compliance officer or manager may want to limit any corrective action or take no action. If it is determined that the deviation was caused by improper procedures, misunderstanding of rules, including fraud and systemic problems, the billing company should take prompt steps to correct the problem.⁽⁸⁸⁾ Any overpayments discovered as a result of such deviations should be reported promptly to the appropriate provider, with appropriate documentation and a thorough explanation of the reason for the overpayment.⁽⁸⁹⁾

An effective compliance program should also incorporate periodic (at a minimum, annual) reviews of whether the program's compliance elements have been satisfied, e.g., whether there has been appropriate dissemination of the program's standards, training, ongoing educational programs and disciplinary actions, among others.⁽⁹⁰⁾ This process will verify actual conformance by all departments with the compliance program. Such reviews could support a determination that appropriate records have been created and maintained to document the implementation of an effective program. However, when monitoring discloses deviations were not detected in a timely manner due to program deficiencies, appropriate modifications must be implemented. Such evaluations, when developed with the support of management, can help ensure compliance with the billing company's policies and procedures.

As part of the review process, the compliance officer or reviewers should consider techniques such as:

On-site visits;

Testing billing and coding staff on their knowledge of reimbursement and coverage criteria (e.g., presenting hypothetical scenarios of situations experienced in daily practice and assess responses);

Unannounced mock surveys, audits and investigations;

Examination of the billing company's complaint logs;

Checking personnel records to determine whether any individuals who have been reprimanded for compliance issues in the past are among those currently engaged in improper conduct;

Interviews with personnel involved in management, operations, coding, claim development and submission and other related activities;

Questionnaires developed to solicit impressions of a broad cross-section of the billing company's employees and staff;

Reviews of written materials and documentation prepared by the different divisions of a billing company; and

Trend analyses, or longitudinal studies, that seek deviations, positive or negative, in specific areas over a given period.

The reviewers should:

Possess the qualifications and experience necessary to adequately identify potential issues with the subject matter to be reviewed;

Be objective and independent of line management;⁽⁹¹⁾

Have access to existing audit and health care resources, relevant personnel and all relevant areas of operation;

Present written evaluative reports on compliance activities to the CEO, governing body members of the compliance committee and its provider clients on a regular basis, but not less than annually;⁽⁹²⁾ and

Specifically identify areas where corrective actions are needed.

With these reports, management can take whatever steps are necessary to correct past problems and prevent them from recurring. In certain cases, subsequent reviews or studies would be advisable to ensure that the recommended corrective actions have been implemented successfully.

The billing company should document its efforts to comply with applicable statutes, regulations and Federal health care program requirements. For example, where a billing company, in its efforts to comply with a particular statute, regulation or program requirement, requests advice from a Government agency (including a Medicare fiscal intermediary or carrier) charged with administering a Federal health care program, the billing company should document and retain a record of the request and any written or oral response. This step is extremely important if the billing company intends to rely on that response to guide it in future decisions, actions or claim reimbursement requests or appeals. A log of oral inquiries between the billing company and third parties will help the organization document its attempts at compliance. In addition, the billing company should maintain records relevant to the issue of whether its reliance was "reasonable," and whether it exercised due diligence in developing procedures to implement the advice.

G. RESPONDING TO DETECTED OFFENSES AND DEVELOPING CORRECTIVE ACTION INITIATIVES

1. Violations and Investigations

Violations of the billing company's compliance program, failures to comply with applicable Federal or State law, rules and program instructions and other types of misconduct threaten a billing company's status as a reliable, honest and trustworthy company. Detected but uncorrected misconduct can seriously endanger the mission, reputation and legal status of the billing company. Consequently, upon reports or reasonable indications of suspected noncompliance, it is important that the chief compliance officer or other management officials promptly investigate the conduct in question to determine whether a material violation of applicable law, rule or program instruction or the requirements of the compliance program has occurred, and if so, take steps to correct the problem.⁽⁹³⁾ As appropriate, such steps may include an immediate referral to criminal and/or civil law enforcement authorities, a corrective action plan,⁽⁹⁴⁾ a report to the Government,⁽⁹⁵⁾ and the notification to the provider of any discrepancies or overpayments, if applicable.

Even if the overpayment detection and return process is working and is being monitored by the billing company's audit or coding divisions, the OIG still believes that the compliance officer needs to be made aware of these significant overpayments, violations or deviations that may reveal trends or patterns indicative of a systemic problem.

Depending upon the nature of the alleged violations, an internal investigation will probably include interviews and a review of relevant documents. Some billing companies should consider engaging outside counsel, auditors or health care experts to assist in an investigation. Records of the investigation should contain documentation of the alleged violation, a description of the investigative process (including the objectivity of the investigators and methodologies utilized), copies of interview notes and key documents, a log of the witnesses interviewed and the documents reviewed, the results of the investigation, e.g., any disciplinary action taken and any corrective action implemented. Although any action taken as the result of an investigation will necessarily vary depending upon the billing company and the situation, billing companies should strive for some consistency by utilizing sound practices and disciplinary protocols.⁽⁹⁶⁾ Further, after a reasonable period, the compliance officer should review the circumstances that formed the basis for the investigation to determine whether similar problems have been uncovered or modifications of the compliance program are necessary to prevent and detect other inappropriate conduct or violations.

If an investigation of an alleged violation is undertaken and the compliance officer believes the integrity of the investigation may be at stake because of the presence of employees under investigation, those subjects should be removed from their current work activity until the investigation is completed (unless an internal or Government-led undercover operation known to the billing company is in effect). In addition, the compliance officer should take appropriate steps to secure or prevent the destruction of documents or other evidence relevant to the investigation. If the billing company determines disciplinary action is warranted, it should be prompt and imposed in accordance with the billing company's written standards of disciplinary action.

2. Reporting

a. Obligations based on Billing Company Misconduct

If the compliance officer, compliance committee or a management official discovers credible evidence of misconduct by the billing company from any source and, after reasonable inquiry, has reason to believe that the misconduct may violate criminal, civil or administrative law,⁽⁹⁷⁾ then the billing company should report the existence of misconduct promptly to the appropriate Government authority⁽⁹⁸⁾ within a reasonable period, but not more than sixty (60) days after determining that there is credible evidence of a violation. Prompt reporting will demonstrate the billing company's good faith and willingness to work with governmental authorities to correct and remedy the problem. In addition, reporting such conduct will be considered a mitigating factor by the OIG in determining administrative sanctions (e.g., penalties, assessments and exclusion), if the reporting company becomes the target of an OIG investigation.⁽⁹⁹⁾

b. Obligations based on Provider Misconduct

Billing companies are in a unique position to discover various types of fraud, waste, abuse and mistakes on the part of the provider for which they furnish services. This unique access to information may place the billing company in a precarious position. On the one hand, the billing company's allegiance is to the provider client. On the other, the billing company maintains a commitment to compliance with the applicable Federal and State laws, and the program requirements of Federal, State and private health plans. The OIG recognizes the importance of maintaining a positive and interactive communication between billing companies and the providers they service. It is with this understanding that the OIG has addressed the issue of obligations on the part of third-party medical billing companies with regard to provider misconduct.

If the billing company finds evidence of misconduct⁽¹⁰⁰⁾ (e.g., inaccurate claim submission) on the part of the provider that they service, the billing company should refrain from the submission of questionable claims and notify the provider in writing within thirty (30) days of such a determination. This notification should include all claim specific information and the rationale for such a determination.

If the billing company discovers credible evidence of the provider's continued misconduct or flagrant fraudulent or abusive conduct,⁽¹⁰¹⁾ the billing company should: (1) refrain from submitting any false or inappropriate claims; (2) terminate the contract; and/or (3) report the misconduct to the appropriate Federal and State authorities within a reasonable time, but not more than sixty (60) days after determining that there is credible evidence of a violation.

c. Reporting Procedure

When reporting misconduct to the Government, a billing company should provide all evidence relevant to the alleged violation of applicable Federal or State law(s) and the potential cost impact. The compliance officer, with guidance from the governmental authorities, could be requested to continue to investigate the reported violation. Once the investigation is completed, the compliance officer should be required to notify the appropriate governmental authority of the outcome of the investigation, including a description of the impact of the alleged violation on the operation of the applicable health care programs or their beneficiaries. If the investigation ultimately reveals criminal, civil or administrative violations have occurred, the appropriate Federal and State officials⁽¹⁰²⁾ should be notified immediately.

3. Corrective Actions

Billing companies play a critical role in the restitution of overpayments to appropriate payors.⁽¹⁰³⁾ As previously stated, billing companies should take appropriate corrective action, including prompt identification of any overpayment to the provider and the affected payor and the imposition of proper disciplinary action, if applicable. Failure to notify authorities of an overpayment within a reasonable period of time could be interpreted as an intentional attempt to conceal the overpayment from the Government, thereby establishing an independent basis for a criminal violation with respect to the billing company, as well as any individuals who may have been involved.⁽¹⁰⁴⁾ For this reason, billing company compliance programs should ensure that overpayments are identified quickly and encourage their providers to promptly return overpayments obtained from Medicare or other Federal health care programs.⁽¹⁰⁵⁾

III. CONCLUSION

Through this document, the OIG has attempted to provide a foundation to the process necessary to develop an effective and cost-efficient third-party medical billing compliance program. As previously stated, however, each program must be tailored to fit the needs and resources of an individual billing company, depending upon its particular corporate structure, mission and employee composition. The statutes, regulations and guidelines of the Federal and State health insurance programs, as well as the policies and procedures of the private health plans, should be integrated into every billing company's compliance program.

The OIG recognizes that the health care industry in this country, which reaches millions of beneficiaries and expends about a trillion dollars annually, is constantly evolving. In particular, the billing process has changed dramatically in recent years. As a result, the time is right for billing companies to implement strong, voluntary compliance programs. As stated throughout this guidance, compliance is a dynamic process that helps to ensure billing companies are better able to fulfill their commitment to ethical behavior, and to meet the changes and challenges being imposed upon them by Congress and private insurers. Ultimately, it is OIG's hope that voluntarily created compliance programs will enable billing companies to meet their goals and substantially reduce fraud, waste and abuse, as well as the cost of health care to Federal, State and private health insurers.

FOOTNOTES:

1. For the purposes of this compliance program guidance, "third-party medical billing companies" include clearinghouses and value-added networks.

2. Recent survey results from the Healthcare Billing and Management Association (HBMA) show that its membership processes more than 17.6 million claims per month totaling $18 billion a year.

3. For the purposes of this compliance program guidance, "provider" shall include any individual, company, corporation or organization that submits claims for reimbursement to a Federal health care program. The term "Federal health care programs" is applied in this document as defined in 42 U.S.C. § 1320a-7b(f), which includes any plan or program that provides health benefits, whether directly, through insurance, or otherwise, which is funded directly, in whole or in part by the United States Federal Government (i.e., via programs such as Medicare, Federal Employees' Compensation Act, Black Lung, or Longshore and Harbor Worker's Compensation Act) or any State health plan (e.g., Medicaid, or program receiving funds from block grants for social services or child health services). Also, for purposes of this document, the term "Federal health care program requirements" refers to the statutes, regulations, rules, requirements, directives and instructions governing Medicare, Medicaid and all other Federal health care programs.

4. Billing companies provide services for virtually every aspect of the health care industry. Among the areas of greatest concentration for billing companies are: physicians, ambulatory surgery centers (ASCs), durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) industry, home health agencies (HHAs) and hospitals.

5. See 63 Fed. Reg. 45076 (8/24/98) for Compliance Program Guidance for Clinical Laboratories; 63 Fed. Reg. 42410 (8/7/98) for Compliance Program Guidance for Home Health Agencies; 63 Fed. Reg. 8987 (2/23/98) for Compliance Program Guidance for Hospitals. These documents are also located on the Internet at http://www.dhhs.gov/progorg/oig.

6. E.g., the billing company should communicate the results of audits, determinations of inappropriate claim submissions and notifications of overpayments.

7. At a minimum, the billing company should send a copy of its compliance program to all of its provider clients. The billing company should also coordinate with its provider clients in the development of a training program, an audit plan and policies for investigating misconduct.

8. Billing and coding personnel can provide critical advice to physicians and other health care providers that may greatly improve the quality of medical record documentation.

9. The OIG, for example, will consider the existence of an effective compliance program that pre-dated any governmental investigation when addressing the appropriateness of administrative sanctions. However, the burden is on the billing company to demonstrate the operational effectiveness of a compliance program. Further, the False Claims Act, 31 U.S.C. §§ 3729-3733, provides that a person who has violated the Act, but who voluntarily discloses the violation to the Government within thirty days of detection, in certain circumstances will be subject to not less than double, as opposed to treble, damages. See 31 U.S.C. § 3729(a). Thus, the ability to react quickly when violations of the law are discovered may materially help reduce the billing company's liability.

10. Special Fraud Alerts are available on the OIG website at http://www.dhhs.gov/progorg/oig.

11. Nothing stated herein should be substituted for, or used in lieu of, competent legal advice from counsel.

12. See note 5.

13. Corporate integrity agreements are executed as part of a civil settlement agreement between the health care provider or entity responsible for billing for the provider and the Government to resolve a case based on allegations of health care fraud or abuse. These OIG-imposed programs are in effect for a period of three to five years and require many of the elements included in this compliance guidance.

14. Formal commitment may include a resolution by the board of directors, where applicable. A formal commitment does include the allocation of adequate resources to ensure that each of the elements is addressed.

15. See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, comment. (n.3(k)). The Federal Sentencing Guidelines are detailed policies and practices for the Federal criminal justice system that prescribe appropriate sanctions for offenders convicted of Federal crimes.

16. The integral functions of a compliance officer and a corporate compliance committee in implementing an effective compliance program are discussed throughout this compliance guidance. However, the OIG recognizes that the differences in the sizes and structures of billing companies will result in differences in the ways in which compliance programs are set up. The important thing is that the billing company structures its compliance program in such a way that the program is able to accomplish the key functions of a corporate compliance officer and a corporate compliance committee discussed within this document.

17. Training and education programs for billing companies should be detailed and comprehensive. They should cover specific billing and coding procedures, as well as the general areas of compliance.

18. For example, spot-checking the work of coding and billing personnel periodically should be an element of an effective compliance program. Identification of risk areas, discussed in further detail in section II.A.2, is the first step in correcting aberrant billing patterns.

19. According to the Federal Sentencing Guidelines, an organization must have established compliance standards and procedures to be followed by its employees and other agents in order to receive sentencing credit for an "effective" compliance program. The Federal Sentencing Guidelines define "agent" as "any individual, including a director, an officer, an employee, or an independent contractor, authorized to act on behalf of the organization." See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, Application Note 3(d).

20. The OIG strongly encourages high-level involvement by the billing company's governing body, chief executive officer, chief operating officer, general counsel and chief financial officer, in the development of standards of conduct. Such involvement should help communicate a strong and explicit organizational commitment to compliance goals and standards.

21. Billing company personnel should maintain an open dialogue with their providers regarding documentation issues. If the documentation received from a provider is ambiguous or conflicting, the billing company should contact the provider for clarification or resolution.

22. See section II.A.2.b.

23. If the coding staff finds the physician's documentation to be unclear or conflicting, then they should ask the physician for clarification. This will frequently allow the coder to choose a more appropriate code. If the coder does not know how to code a particular type of bill for Medicare payment, he or she should first consult with a supervisor. If the question persists, the supervisor should contact the provider's carrier/intermediary. The billing company could also contact an authoritative coding organization. For example, the American Hospital Association maintains a central office on ICD-9-CM. All such correspondence should be maintained in a log. In the rare instance that the documentation appears to be for a new type of disease or syndrome, the supervisor can send an inquiry to the National Center for Health Statistics, 6525 Belcrest Road, Room 1100, Hyattsville, MD 20782.

24. For example, billing companies that provide marketing services should develop policies to ensure compliance with the anti-kickback statute. 42 U.S.C. § 1320a-7b(b). In addition, such policies should provide that the billing company shall not submit or cause to be submitted to health care programs claims for patients by virtue of a compensation agreement that was designed to induce such referrals in violation of the anti-kickback statute, or similar Federal or State statute or regulation. Further, the policies and procedures should reference the OIG's safe harbor regulations, clarifying those payment practices that would be immune from prosecution under the anti-kickback statute. See 42 C.F.R. § 1001.952.

25. The OIG periodically issues Special Fraud Alerts setting forth activities believed to raise legal and enforcement issues. Billing company compliance programs should require the legal staff, chief compliance officer or other appropriate personnel to carefully consider any and all Special Fraud Alerts issued by the OIG that relate to health care providers to which they offer services. Moreover, the compliance programs should address the ramifications of failing to cease and correct any conduct criticized in such a Special Fraud Alert, if applicable to billing companies, or to take reasonable action to prevent such conduct from reoccurring in the future. If appropriate, billing companies should take the steps described in Section G regarding investigations, reporting and correction of identified problems.

26. The OIG's work plan is currently available on the Internet at http://www.dhhs.gov/progorg/oig. The OIG Work Plan details the various projects the OIG intends to address in the fiscal year. The Work Plan contains the projects of the Office of Audit Services, Office of Evaluation and Inspections, Office of Investigations and the Office of Counsel to the Inspector General.

27. Billing for items or services not actually documented involves submitting a claim that cannot be substantiated in the documentation.

28. "Unbundling" occurs when a billing entity uses separate billing codes for services that have an aggregate billing code.

29.^"Upcoding" reflects the practice of using a billing code that provides a higher reimbursement rate than the billing code that actually reflects the service furnished to the patient. Upcoding has been a major focus of the OIG's law enforcement efforts. In fact, the Health Insurance Portability and Accountability Act of 1996 added another civil monetary penalty to the OIG's sanction authorities for upcoding violations. See 42 U.S.C. § 1320a-7a(a)(1)(A).

30. "DRG creep" is a variety of upcoding that involves the practice of billing using a Diagnosis Related Group (DRG) code that provides a higher reimbursement rate than the DRG code that accurately reflects patient's diagnosis.

31. Inappropriate balance billing refers to the practice of billing Medicare beneficiaries for the difference between the total provider charges and the Medicare Part B allowable payment.

32. An overpayment is an improper or excessive payment made to a health care provider as a result of patient billing or claims processing errors for which a refund is owed by the provider. Examples of Medicare overpayments include instances where a provider is: (1) paid twice for the same service either by Medicare or by Medicare and another insurer or beneficiary; or (2) paid for services planned but not performed or for non-covered services. Billing companies should institute procedures to provide for timely and accurate reporting to both the provider and the health care program of overpayments.

33. Because billing companies are in the business of processing health care information, it is essential they develop policies and procedures to ensure the integrity of the information they process and to ensure that records can be easily located and accessed within a well-organized filing or alternative retrieval system. All billing companies should have a back-up system (whether by disk, tape or system) to ensure the integrity of data. Policies should provide for a regular system back-up to ensure that no information is lost.

34. All billing companies should develop, implement, audit and enforce policies and procedures to ensure the confidentiality and privacy of financial, medical, personnel and other sensitive information in their possession. These policies should address both electronic and hard copy documents.

35. Of particular concern, billing companies should be aware of the provisions of reassignment of benefits. These provisions govern who may receive payment due to a provider or supplier of services or a beneficiary. See 42 C.F.R.§§ 424.70-424.80. See also Medicare Carrier Manual § 3060.10.

36. Billing companies that submit claims for non-physician outpatient services that were already included in the hospital's inpatient payment under the Prospective Payment System (PPS) are in effect submitting duplicate claims.

37. Duplicate billing occurs when the billing company submits more than one claim for the same service or the bill is submitted to more than one primary payor at the same time. Although duplicate billing can occur due to simple error, knowing duplicate billing -- which is sometimes evidenced by systematic or repeated double billing -- can create liability under criminal, civil or administrative law, particularly if any overpayment is not promptly refunded.

38. Under the Medicare regulations, when a PPS hospital transfers a patient to another PPS hospital, only the hospital to which the patient was transferred may charge the full DRG; the transferring hospital should charge Medicare only a per diem amount. See 42 C.F.R. § 412.4.

39. A modifier, as defined by the CPT-4 manual, provides the means by which the reporting position (or provider) can indicate a service or procedure that has been performed has been altered by some specific circumstance, but not changed in its definition or code. Assuming the modifier is used correctly and appropriately, this specificity provides the justification for payment for these services. For correct use of modifiers, the billing company should reference the appropriate sections of the Medicare carrier manual. For general information on the correct use of modifiers, the billing personnel should also reference the Correct Coding Initiative. See Medicare Carrier Manual § 4630.

40. For billing companies that provide marketing services, percentage arrangements may implicate the anti-kickback statute. See 42 U.S.C. § 1320a-7b(b) and 59 Fed. Reg. 65372 (12/19/94). Cf. OIG Ad. Op. 98-10 (1998). The OIG has a longstanding concern that percentage billing arrangements may increase the risk of upcoding and similar abusive billing practices. See, e.g., OIG Ad. Op. 98-1 (1998) and OIG Ad. Op. 98-4 (1998).

41.The OIG is troubled by the proliferation of business arrangements that may violate the anti-kickback statute. Such arrangements are generally established between those in a position to refer business, such as physicians, and those providing items or services for which a Federal health care program pays. Sometimes established as "joint ventures," these arrangements may take a variety of forms. The OIG currently has a number of investigations and audits underway that focus on such areas of concern. Similarly, the billing company should not confer gifts/entertainment upon the client-provider as this could also implicate the anti-kickback statute.

42. Billing companies should encourage providers to make a good faith effort to collect copayments, deductibles and non-covered services from federally and privately-insured patients. Billing "insurance only" may violate the False Claims Act, the anti-kickback statute, the Civil Monetary Penalties Law, 42 U.S.C. § 1320a-7a(a)5, as amended by Pub. L. No. 104-91 § 231(h), and State laws. For additional information on this problem, the OIG has published a Special Fraud Alert on the routine waiver of copayments or deductibles under Medicare Part B. See 59 Fed. Reg. 65,373 (12/19/94).

43. Discounts and professional courtesy may not be appropriate unless the total fee is discounted or reduced. In such situations, the payor (eg., Medicare, Medicaid or any other private payor) should receive its proportional share of the discount or reduction.

44. "Recurrence of misconduct similar to that which an organization has previously committed casts doubt on whether it took all reasonable steps to prevent such misconduct" and is a significant factor in the assessment of whether a compliance program is effective. See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, Application Note 3(7)(ii).

45. The following risk areas are in no way a comprehensive list of risk areas for health care providers. They are merely a suggested list of documentation risks. They do not address the additional risk areas that apply to health care providers (e.g., medical necessity issues).

46. The official coding guidelines are promulgated by the Health Care Financing Administration, the National Center for Health Statistics, the American Medical Association and the American Health Information Management Association. See International Classification of Diseases, 9^thRevision, Clinical Modification (ICD-9 CM)(and its successors); 1998 Health Care Financing Administration Common Procedure Coding System (HCPCS) (and its successors); and Physicians' Current Procedural Terminology (CPT). In addition, there are specialized coding systems for specific segments of the health care industry. Among these are ADA (for dental procedures), DSM IV (psychiatric health benefits) and DMERCs (for durable medical equipment, prosthetics, orthotics and supplies.)

47. The failure of a provider to: (i) document items and services rendered; and (ii) properly submit them for reimbursement is a major area of potential fraud and abuse in Federal health care programs. The OIG has undertaken numerous audits, investigations, inspections and national enforcement initiatives aimed at reducing potential and actual fraud, abuse and waste in these areas.

48. Internal coding practices, including software edits, should be reviewed periodically to determine consistency with all applicable Federal, State and private payor health care program requirements.

49. This refers to the coding of a diagnosis or procedure without supporting clinical documentation. Coding personnel must be aware of the need for documented verification of services from the attending physician.

50. While proper documentation is the responsibility of the health care provider, the coder should be aware of proper documentation requirements and should encourage providers to document their services appropriately. Depending on the circumstances, proper documentation can include:

(1) The reason for the patient encounter;

(2) An appropriate history and evaluation;

(3) Documentation of all services;

(4) Documentation of reasons for the services;

(5) An ongoing assessment of the patient's condition;

(6) Information on the patient's progress and treatment outcome;

(7) A documented treatment plan;

(8) A plan of care, including treatments, medications (including dosage and frequency), referrals and consultations, patient and family education, and follow-up care;

(9) Changes in treatment plan;

(10) Documentation of medical rationale for the services rendered;

(11) Documentation that supports the standards of medical necessity, e.g., certificates of medical necessity for DMEPOS and home health services;

(12) Abnormal test results addressed in the physician's documentation;

(13) Identification of relevant health risk factors;

(14) Documentation that meets the E & M codes billed;

(15) Medical records that are dated and authenticated; and/or

(16) Prescriptions.

Billing companies should also reference the Documentation Guidelines for Evaluation and Management (E/M) Services, published by the Health Care Financing Administration. These guidelines are available on the Internet at http://www.hcfa.gov/medicare/mcarpti.htm.

51. Billing companies should ensure that they do not employ or contract with individuals that have been sanctioned by the OIG or barred from Federal procurement programs. The Cumulative Sanction Report is available on the Internet at http://www.dhhs.gov/progorg/oig. In addition, the General Services Administration maintains a monthly listing of debarred contractors on the Internet at http://www.arnet.gov/epls.

52. Examples of reference resources necessary for proper coding include: a medical dictionary; an anatomy/physiology textbook; up-to-date ICD, HCPCS and CPT code books; Physician's Desk Reference; Merck Manual; the applicable contractor's provider manual; and subscriptions to the American Hospital Association's Coding Clinic for ICD-9-CM (and its successors) and the American Medical Association's CPT Assistant.

53. See OIG Ad. Op. 98-1 (1998) and OIG Ad. Op. 98-4 (1998). See also 42 C.F.R. § 424.73.

54. The OIG recommends that, at a minimum, a valid statistical sample of claims be reviewed annually both before and after billing is submitted. This review should be done by a qualified expert in the applicable coding process.

55. The billing company should also refer to State escheat laws for the specific requirements relating to notifications, time periods and payment of any unclaimed funds.

56. This should include notifications regarding: inappropriate claims; overpayments; and termination of the contract.

57. If the billing company chooses to outsource the compliance function, the OIG recommends the billing company engage an individual with significant experience in the billing and coding industries. Multiple small billing and coding facilities may contract with an individual to job-share the individual's time and expertise in the area of compliance.

58. The OIG believes that it is not advisable for the compliance function to be subordinate to the billing company's general counsel, or comptroller or similar billing company financial officer. Free standing compliance functions help to ensure independent and objective legal reviews and financial analyses of the institution's compliance efforts and activities. By separating the compliance function from the key management positions of general counsel or chief financial officer (where the size and structure of the billing company make this a feasible option), a system of checks and balances is established to more effectively achieve the goals of the compliance program.

59. For multi-site billing companies, the OIG encourages coordination with each billing facility owned by the billing company through the use of a corporate compliance officer.

60. See note 51.

61. Periodic on-site visits of the billing company's operations, bulletins with compliance updates and reminders, distribution of audiotapes or videotapes on different risk areas, lectures at management and employee meetings, circulation of recent health care articles covering fraud and abuse, and innovative changes to compliance training are various examples of approaches and techniques the compliance officer can employ for the purpose of ensuring continued interest in the compliance program and the billing company's commitment to its principles and policies.

62. The OIG recognizes that smaller billing companies may not be able to establish a compliance committee. In those situations, the compliance officer should fulfill the responsibilities of the compliance committee.

63. The compliance committee benefits from having the perspectives of individuals with varying responsibilities in the organization, such as operations, finance, audit, human resources, utilization review, medicine, coding and legal, as well as employees and managers of key operating units. These individuals should have the requisite seniority and comprehensive experience within their respective departments to implement any necessary changes in the company's policies and procedures.

64. A billing company should expect its compliance committee members and compliance officer to demonstrate high integrity, good judgment, assertiveness and an approachable demeanor, while eliciting the respect and trust of employees of the billing company. The compliance committee members should also have significant professional experience in working with billing, coding, clinical records and auditing principles.

65. This includes, but is not limited to, the civil False Claims Act, 31 U.S.C. §§ 3729-3733, the criminal false claims statutes, 18 U.S.C. §§ 287, 1001, the fraud and abuse provisions of the Balanced Budget Act of 1997, Pub.L. 105-33 and the Health Insurance Portability and Accountability Act of 1996, Pub.L. 104-191.

66. For billing companies, this includes developing and fostering excellent coordination and communication with its provider clients.

67. Some publications, such as Special Fraud Alerts, audit and inspection reports, and advisory opinions, as well as the annual OIG work plan, are readily available from the OIG and could be the basis for standards, educational courses and programs for appropriate billing employees.

68. Significant variations in functions and responsibilities of different departments or groups may create the need for training materials that are tailored to the compliance concerns associated with particular operations and duties.

69. Certain positions, such as those involving the coding of medical services, create a greater organizational legal exposure, and therefore require specialized training. Billing companies should fill such positions with individuals who have the appropriate educational background, training and credentials.

70. Where the billing company has a culturally diverse employee base, the standards of conduct should be translated into other languages and written at appropriate reading levels.

71.The OIG recognizes that not all standards, policies and procedures need to be communicated to all employees. However, the OIG believes that the bulk of the standards that relate to complying with fraud and abuse laws and other ethical areas should be addressed and made part of all employees' training. The billing company should determine what additional training to provide categories of employees based upon their job responsibilities.

72. Government, in this context, includes the appropriate Medicare carrier or intermediary.

73. In addition, where feasible, the OIG recommends that a billing company afford outside contractors and its provider clients the opportunity to participate in the billing company's compliance training and educational programs, or develop their own programs that complement the billing company's standards of conduct, compliance requirements and other rules and practices.

74. Currently, the OIG is monitoring a significant number of corporate integrity agreements that require many of these training elements. The OIG usually requires a minimum of one to three hours annually for basic training in compliance areas. Additional training is required for specialty fields such as billing, coding and marketing.

75. Appropriate coding and billing depends upon the quality and completeness of documentation. Therefore, the OIG believes that the billing company must foster an environment where interactive communication is encouraged. Health care providers should be reminded that thorough, precise and timely documentation of services provided serves the interests of the patient, the interest of the provider, as well as the interests of the billing company.

76. Post-training tests can be used to assess the success of training provided and employee comprehension of the billing company's policies and procedures.

77.The OIG believes that whistle blowers should be protected against retaliation, a concept embodied in the provisions of the False Claims Act. See 31 U.S.C. § 3730(h). In many cases, employees sue their employers under the False Claims Act's qui tam provisions out of frustration because of the company's failure to take action when a questionable, fraudulent or abusive situation was brought to the attention of senior corporate officials.

78. The OIG recognizes that it may not be financially feasible for a small billing company to maintain a telephone hotline dedicated to receiving calls solely on compliance issues. These companies may explore alternative methods, such as contracting with an independent source to provide hotline services or establishing a written method of confidential disclosure.

79. In addition to methods of communication used by current employees, an effective employee exit interview program could be designed to solicit information from departing employees regarding potential misconduct and suspected violations of the billing company's policy and procedures.

80. Billing companies should also post in a prominent, available area the HHS-OIG Hotline telephone number, 1-800-447-8477 (HHS-TIPS), in addition to any company hotline number that may be posted.

81. To efficiently and accurately fulfill such an obligation, the billing company should create an intake form for all compliance issues identified through reporting mechanisms. The form could include information concerning the date the potential problem was reported, the internal investigative methods utilized, the results of any investigation, any corrective action implemented, any disciplinary measures imposed and any overpayments and monies returned.

82. Information obtained over the hotline may provide valuable insight into management practices and operations, whether reported problems are actual or perceived.

83. See note 51. Likewise, billing company compliance programs should establish standards prohibiting the execution of contracts with companies that have been recently convicted of a criminal offense related to health care or that are listed by a Federal agency as debarred, excluded or otherwise ineligible for participation in Federal health care programs.

84. Prospective employees who have been officially reinstated into the Medicare and Medicaid programs by the OIG may be considered for employment upon proof of such reinstatement.

85. Even when a facility is owned by a larger corporate entity, the regular auditing and monitoring of the compliance activities of an individual facility must be a key feature in any annual review. Appropriate reports on audit findings should be periodically provided and explained to a parent-organization's senior staff and officers.

86. See section II.A.2.

87. The OIG recommends that when a compliance program is established in a billing company, the compliance officer, with the assistance of department managers, take a "snapshot" of the company's operations from a compliance perspective. This assessment can be undertaken by outside consultants, law or accounting firms, or internal staff, with authoritative knowledge of health care compliance requirements. This "snapshot," often used as part of bench marking analysis, becomes a baseline for the compliance officer and other managers to judge the billing company's progress in reducing or eliminating potential areas of vulnerability. For example, it has been suggested that a baseline level include the frequency and percentile levels of CPT and HCPCS codes. Similarly, billing companies should track statistical data on claim rejection by code. This will facilitate identification of problem areas and elimination of potential areas of abusive or fraudulent conduct.

88. Prompt steps to correct the problem include contacting the appropriate provider in situations where the provider's actions contributed to the problem.

89. In addition, when appropriate, as referenced in section G.2, below, reports of fraud or systemic problems should also be made to the appropriate governmental authority.

90. One way to assess the knowledge, awareness and perceptions of the billing company staff is through the use of a validated survey instrument (e.g., employee questionnaires, interviews or focus groups).

91. The OIG recognizes that billing companies that are small in size and have limited resources may not be able to use internal reviewers who are not part of line management or hire outside reviewers.

92. These evaluative reports should include a valid statistical sample of claims submitted to Federal health care programs.

93. Instances of non-compliance must be determined on a case-by-case basis. The existence, or amount, of a monetary loss to a health care program is not solely determinative of whether or not the conduct should be investigated and reported to governmental authorities. In fact, there may be instances where there is no readily identifiable monetary loss at all, but corrective action and reporting are still necessary to protect the integrity of the applicable program and its beneficiaries.

94. Advice from the billing company's in-house counsel or an outside law firm may be sought to determine the extent of the billing company's liability and to plan the appropriate course of action.

95. The OIG currently maintains a provider self-disclosure protocol that encourages providers to report suspected fraud. The concept of self-disclosure is premised on a recognition that the Government alone cannot protect the integrity of the Medicare and other Federal health care programs. Health care providers must be willing to police themselves, correct underlying problems and work with the Government to resolve these matters. The self-disclosure protocol can be located on the OIG's website at http://www.dhhs.gov/progorg/oig.

96. The parameters of a claim review subject to an internal investigation will depend on the circumstances surrounding the issue(s) identified. By limiting the scope of the internal audit to current billing, a billing company may fail to identify major problems and deficiencies in operations, as well as be subject to certain liability.

97. When making the determination of credible misconduct, the billing company should consider 18 U.S.C. § 669 [holding an individual(s) criminally liable for knowingly and willfully embezzling, stealing or otherwise converting to the use of any person other than the rightful owner or intentionally misapplying any of the monies, funds . . . premiums, credits, property or assets of a health care benefit program] and 18 U.S.C. § 2 [establishing criminal liability for an individual(s) who commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission as punishable as the principle].

98. Appropriate Federal and/or State authorities include the Office of Inspector General of the Department of Health and Human Services, the Criminal and Civil Divisions of the Department of Justice, the U.S. Attorneys in the relevant districts, and the other investigative arms for agencies administering the affected Federal or State health care programs, such as the State Medicaid Fraud Control Unit, the Defense Criminal Investigative Service, the Department of Veterans Affairs, the Office of Inspector General, U.S. Department of Labor (which has primary criminal jurisdiction over FECA, Black Lung and Longshore programs) and the Office of Inspector General, U.S. Office of Personnel Management (which has primary jurisdiction over the Federal Employees Health Benefit Program).

99. The OIG has published criteria setting forth those factors that the OIG takes into consideration in determining whether it is appropriate to exclude a health care provider from program participation pursuant to 42 U.S.C. § 1320a-7(b)(7) for violations of various fraud and abuse laws. See 62 Fed. Reg. 67,392 (12/24/97).

100. Misconduct does not include inadvertent errors or mistakes. Such errors should be reported through the normal channels with the applicable carrier, intermediary or other HCFA-designated payor.

101. Such conduct may include patterns of misconduct, particularly with regard to conduct that had previously been identified by the billing company or carrier as suspect.

102. See note 98.

103. As a result of the limitations on reassignment, billing companies rarely engage in receiving payment on behalf of their provider clients or negotiating checks on behalf of their provider clients. Because of these provisions, the OIG recognizes that billing companies are rarely in the position to make restitution on behalf of their clients and it is generally viewed as the provider's responsibility to make restitution to the appropriate payor. See 42 C.F.R. § 424.73.

104. See 42 U.S.C. § 1320a-7b(a)(3).

105. If a billing company needs further guidance to inform its provider clients of normal repayment channels, the company should consult with the applicable Medicare intermediary/carrier. The applicable Medicare intermediary/carrier may require certain information (e.g., alleged violation or issue causing overpayment, description of overpayment, description of the internal investigative process with methodologies used to determine any overpayments, disciplinary actions taken and corrective actions taken) to be submitted with return of any overpayments, and that such repayment information be submitted to a specific department or individual in the carrier or intermediary's organization. Interest will be assessed, when appropriate. See 42 C.F.R.§ 405.376.