OIG Compliance Program for Individual And Small-Group Physician Practices

by Steven I. Kern

In September 2000 the Office of the Inspector General (OIG) of the US Department of Health and Human Services (HHS) issued its long-awaited final regulation–the OIG Compliance Program for Individual and Small Group Physician Practices. The new regulation shifts the burden of proving that a physician has engaged in fraudulent practices. The civil False Claims Act and Civil Monetary Penalties Law cover offenses that are committed with actual knowledge of the falsity of the claim or reckless disregard or deliberate ignorance of the falsity of the claim. To prove a violation or even obtain a criminal conviction the government no longer must demonstrate a physician’s actual knowledge of the falsity of a claim or even that the physician had engaged in reckless disregard of the requirements of law. A careful analysis reveals that, under the new guidelines, physicians who cannot prove that they have taken affirmative and regular action to eliminate billing errors and to avoid other fraud and abuse problems can be found to have engaged in criminal conduct through "deliberate ignorance." Although the OIG states that "the guidance should not be viewed as mandatory," it is anticipated that the government, when seeking criminal convictions, will argue that failure to take reasonable steps to implement an effective compliance program will constitute prima facie evidence of a physician’s deliberate ignorance. This concern is based on the guidelines pronouncement that physicians have an affirmative "duty to reasonably ensure that the claims submitted to Medicare and other federal health care programs are true and accurate." It can also be anticipated that an effective compliance program will be measured against the stringent criteria of the recommended guidelines.

The OIG has forthrightly stated that the compliance program guidelines are published based on the belief that physicians can use internal controls more efficiently than they currently do to monitor adherence to the law. That law includes the myriad of federal health care statutes, regulations, and program requirements pertaining to the provision of medical services to federal health care program beneficiaries and obtaining reimbursement for those services. This body of law currently takes up thousands of pages in books, newsletters, directives, and program manuals that often conflict with one another. Given the breadth and depth of this body of law and the rapidity with which it changes, practicing physicians will find it very difficult to remain current. This is evident from the multitude of documents and information referenced by the OIG in the numerous appendices to the final guide.

The OIG further cautions that the compliance program is intended to send an important message to a physician practice’s employees that mistakes will occur, but that employees have an affirmative, ethical duty to come forward and report erroneous or fraudulent conduct, so that it may be corrected.

Despite the enormous obligation placed on physicians under these new OIG guidelines, the guidelines themselves do not provide a model compliance program. Rather, the guidelines offer a "procedural and structural" skeleton of "fundamental elements" and "principles" that physicians must consider in "developing and implementing their own ‘effective compliance programs.’"

According to the OIG in its proposed regulation, the benefits to be derived from requiring physicians to implement compliance programs within their offices include:

The development of effective internal procedures within physicians’ offices to ensure compliance with regulations, payment policies, and coding rules.

Avoidance of conflicts with the self-referral and antikickback statutes.

Improved medical record documentation.

Improved education for practice employees.

Minimized billing mistakes, a reduction in the denial of claims, and quicker proper payment of claims.

More streamlined business operations through better communication and more comprehensive policies.

Reduced chances of an audit by the Health Care Financing Administration (HCFA) or the OIG.

The avoidance of potential liability arising from noncompliance.

Reduced exposure to penalties.

The final regulation defines the benefits of a compliance program to include enhanced patient care through increased accuracy of documentation, speeding and optimizing the proper payment of claims, reducing the chances of an audit by the Health Care Financing Administration or the OIG, avoidance of conflicts with self-referral and anti-kickback statutes, prevention of fraudulent or erroneous claims, and demonstrating that the practice is making good faith efforts to submit claims appropriately.

The guidelines require physicians to take affirmative steps to both develop and ensure that their offices comply with all applicable regulations, payment policies, and coding rules and that their medical record documentation supports all of their billings1 The affirmative steps required to meet the OIG guidelines include additional education and training for practice employees and the establishment of communication channels, which in practical terms may need to be through third parties, to ensure that any employee complaint is immediately responded to and acted on. Failure to adequately respond to and resolve an employee complaint involving a potential violation of law can create an affirmative obligation on the employee to notify the government of the illegal activity. Indeed, according to the OIG, an effective compliance program must send a message to a physician’s employees that they have "an affirmative, ethical duty to come forward and report fraudulent or erroneous conduct."


Full implementation of the OIG guidelines will require physicians to craft compliance programs that meet the following seven element:

Conducting internal monitoring and auditing through the performance of periodic audits.

Implementing compliance and practice standards through the development of written standards and procedures.

Designating a compliance officer or contact(s) to monitor compliance efforts and enforce practice standards.

Conducting appropriate training and education on practice standards and procedures.

Responding appropriately to detected violations through the investigation of allegations and the disclosure of incidents to appropriate Government entities.

Developing open lines of communication, such as (1) discussions at staff meetings regarding how to avoid erroneous or fraudulent conduct and (2) community bulletin boards, to keep practice employees updated regarding compliance activities.

Enforcing disciplinary standards through well-publicized guidelines.

Although the OIG recognizes that full implementation may not be feasible for all physician practices, physicians must show, as a first step, that they have engaged in good-faith meaningful commitment to compliance implementation. However, the failure to demonstrate efforts to implement an effective, ongoing compliance program will result in increased exposure to liability, with dramatic penalties.

The Seven Elements Analyzed

Auditing and Monitoring. Under the guidelines, an ongoing evaluation of the practice must be conducted to ensure that the practice’s standards and procedures are in fact current and accurate and that the compliance program is effective. The burden is placed on the practice to ensure that the goals and purposes of eliminating error are being achieved and that employees are properly carrying out their responsibilities. If errors continue to be made, the physician may be held liable for failing to take affirmative action to detect and correct these errors, under either a reckless-disregard or intentional-ignorance standard.

Standards and procedures should be assessed for currency, completeness, and effectiveness. Bills and medical records should be reviewed for compliance with applicable coding, billing, and documentation requirements, either through retrospective or concurrent claims review. This self-audit should confirm that bills are accurately coded and accurately reflect the services provided; services or items provided are reasonable and necessary; no incentives for unnecessary services exist; and medical records contain sufficient documentation to support the charge.

In addition, a baseline audit should examine the claim development and submission process, from patient intake through claim submission and payment, and identify elements within this process that may contribute to noncompliance or that may need to be the focus for improving execution. This audit should establish a consistent methodology for selecting and examining records, and the methodology should serve as a basis for future audits, according to the OIG. Following the baseline audit, periodic audits should be conducted at least once each year to ensure that the compliance program is being followed.

If the practice identifies a problem during its internal audit, action must be taken as soon as possible. If overpayment has been made, repayment must be made to the appropriate payor. If other problems are detected, the OIG recommends that the physician practice seek legal advice and consult with a coding/billing consultant.

In addition to taking action to deal with past problems, corrective action must be taken immediately to avoid similar problems in the future.

Written Standards and Procedures. Practice standards and procedures specific to an individual practice are to be included in written policies. These practice standards and procedures must also include a statement of the practice’s expectations for its employees with respect to billing and coding, reasonable and necessary services, documentation, and improper inducements, kickbacks and self-referrals, and retention of records. Although expectations may be set out in a mission statement that simply states that the practice bills only for services that are actually rendered, codes accurately, documents medical necessity and appropriateness, and adheres to all payor contracts, this is not enough. This commitment to compliance must be clearly established and documented during training and in the practice’s ongoing policies. The practice is obligated to ensure that everyone in the practice, including all employees, contractors, and agents, are informed and understand the obligation to comply with these standards. These materials must be reviewed at least annually and revised as necessary.

Once a practice sets policies, the government will expect it to adhere to those standards. These standards will become the "law" on which the practice will be judged. Failure to achieve a standard set by the practice itself will lead to an argument that the failure is the result not of mere negligence but of a willful or reckless failure to meet the very criteria set by the practice. Therefore, failure to meet the requirements the physician sets for the practice will constitute the test for whether the failure is merely negligent or the result of criminal activity–that is, reckless disregard for the physician’s own published standard.

A high standard will require increased diligence and precise compliance with myriad rules, regulations, and interpretations of the law. Failure to adhere to these self-imposed high standards could lead to accusations of reckless disregard of the practice’s own rules. A low standard, by contrast, can further an argument that the practice failed to implement appropriate policies to eliminate fraud, bolstering a claim of deliberate ignorance of the physician’s obligations to obey the law. Finding an appropriate middle ground is, therefore, all important. For this reason, and because the rules require such, the standards and procedures must be tailored to the individual physician’s practice.

These practice standards and procedures, according to the OIG, should be reinforced with basic policies reaffirming their key points. These policies are to explain the procedures by which compliance measures are to be incorporated into standard operating practices. Consequently, a physician practice must not only develop a written compliance manual but must update clinical forms periodically to ensure that they "elicit the data required for the different levels of coding."

In addition to policies implementing billing, coding, and record-keeping requirements, the OIG recommends that policies should be considered for employee hiring and retention; creation and maintenance of encounter forms, including the registration form, history and physical form, and charge master (superbill and patient statement); coding and billing competence and responsibilities; correct coding initiatives; patient outreach and communication; general marketing; and patient quality of care.

The OIG suggests that creating a resource manual from publicly available information may be a cost-effective approach for developing policies and procedures. As an example, it gives the suggestion that a practice can develop a binder that contains the practice's written policies and procedures, relevant HCFA directives and carrier bulletins, and summaries of informative OIG documents (e.g., Special Fraud Alerts, Advisory Opinions, inspection and audit reports)3

While tempting, the creation of such a binder can be dangerous. It is easy to place interesting materials into a binder. It must be remembered, however, that the physician’s practice will ultimately be judged against the materials in this binder. Lofty goals, high expectations, and great ideals placed in a binder will become the standard by which the practice will be measured. Failure to meet those goals, expectations, and ideals can create serious difficulties. Items should be placed in binders only after scrupulous review and assurance that the requirements contained in those materials are all being met by the practice. It is generally more prudent to establish reasonable minimal standards and surpass them than to create standards that cannot be reasonably met on a continuing basis. Decisions as to what goes into a policy manual should be carefully made on the basis of the needs and resources of each individual practice.

The policies and procedures should also be directed toward areas of specific risk to a particular practice. Physician practices, according to the OIG, should determine the types of fraud- and abuse-related topics that need to be addressed, according to the specific needs of each practice. The OIG has developed a list of potential risk areas affecting physician practices, which include: coding and billing; reasonable and necessary services; documentation; and improper inducements, kickbacks, and self-referrals. This list of risk areas is not exhaustive or all encompassing but, according to the OIG, should be viewed as a starting point for an internal review of potential vulnerabilities within the physician practice. Physician practices should also, according to the OIG, review its semiannual reports, which identify program vulnerabilities and risk areas, and incorporate them into the practice’s own policies and procedures. The objective of this risk assessment should be to ensure that key personnel in the physician practice are aware of these risk areas and that steps are taken to minimize the types of problems identified.

Designating a Compliance Officer. Every practice should designate an individual who is responsible for overseeing the practice’s compliance program. This person can be the office manager or the primary biller. In addition, the individual should possess such attributes as attention to detail, experience in billing and coding, and effective communication skills. In lieu of having one designated compliance officer, the practice can describe in its standards and procedures the compliance functions for which designated employees, known as "compliance contacts," would be responsible. In situations where staffing limitations are such that the practice cannot afford to designate a compliance officer or contacts, the practice, at its expense, can outsource these duties to a third-party consultant. Indeed, because of the time commitment and special talents required, practices may find it necessary to outsource these duties.

Of course, the expense to the physician to outsource these functions could be significant. (And the practice must be careful to pay fair market value for any compliance functions outsourced to an entity that is also a referral source or recipient of the practice’s referrals.) These responsibilities include:

Overseeing and monitoring the implementation of the compliance program

Establishing methods, such as periodic audits, to improve the practice's efficiency and quality of services and to reduce the practice's vulnerability to fraud and abuse

Periodically revising the compliance program in light of changes in the needs of the practice or changes in the law and in the policies and procedures of government and private payor health plan.

Developing, coordinating, and participating in a training program that focuses on the elements of the compliance program and seeking to ensure that training materials are appropriate.

Ensuring that the OIG's List of Excluded Individuals and Entities and the General Services Administration's List of Parties Debarred from Federal Programs have been checked with respect to all employees, medical staff, and independent contractors.

Investigating any report or allegation concerning possible unethical or improper business practices and monitoring subsequent corrective action or compliance.

Training and Education. The OIG calls for initial and recurrent compliance training under the direction of the designated compliance officer or responsible contact. All employees are to receive training on how to perform their jobs properly and in compliance with the law and the practice’s compliance program. This training should occur as soon as possible after an employee’s start date and must be documented. Refresher training should be conducted annually or as appropriate. The goals of compliance training should be to assure that all employees learn how to perform their jobs in compliance with the standards of practice and any applicable regulations and that each employee understands that compliance is a condition of continued employment. Emphasis should be placed on teaching employees that violating standards and procedures may subject the employee to disciplinary measures. Employees who engage in coding and billing should also receive extensive education specific to that individual’s responsibilities, including training in:

Coding requirements.

Claim development and submission processes.

Signing a form for a physician without the physician’s authorization;

Proper documentation of services rendered.

Proper billing standards and procedures and submission of accurate bills for services or items rendered to Federal health care program beneficiaries;

The legal sanctions for submitting deliberately false or reckless billings.

Responding to Detected Offenses. Suspicion of a violation of the physician practice’s compliance program requires investigation of the allegations to determine whether a violation has in fact occurred. In other words, once a question is brought to the attention of the practice, investigation must be undertaken. Even a hint of wrongdoing requires immediate and professional response. If, after investigation, a violation has been found to occur, decisive steps must be taken to correct the problem, including creation of a corrective action plan, the return of any overpayment, a report to the government, or a referral to law enforcement authorities. The guidelines provide the following practical advise: "The physician practice may seek advice from its legal counsel to determine the extent of the practice’s liability and to plan the appropriate course of action."

Developing Effective Lines of Communication. The OIG requires an open-door policy between the physicians and compliance personnel and the practice employees. This open-door policy can be supplemented by other communication efforts, such as the posting of conspicuous notices and establishing a compliance bulletin board in the office. In addition, the OIG wants practices to post the HHS-OIG hotline telephone number in a prominent area of the office. This prominently displayed number can be used for employees who suspect there is a problem with a practice and wish to inform the OIG.

The communication system should also include the following requirements:

Employees must report conduct that a reasonable person would in good faith believe to be fraudulent or erroneous.

The practice must create a user-friendly process, such as an anonymous drop box, for effectively reporting fraudulent or erroneous conduct.

The standards and procedures must include a statement that a failure to report fraudulent or erroneous conduct is a violation of the compliance program.

The practice must develop a simple and readily accessible procedure to process reports of fraudulent or erroneous conduct.

The process must maintain the anonymity of the persons involved in the alleged fraudulent or erroneous conduct and the person making the allegation.

The standards and procedures manual must state that there will be no retribution for reporting conduct that a reasonable person acting in good faith would believe to be fraudulent or erroneous and in fact failure to report a compliance deficiency will place the employee at great personal risk.

If a billing company is used, the practice must develop communications to and from the billing company’s compliance officer/contact and other responsible staff to coordinate billing and compliance activities of the practice and the billing company, respectively.

Enforcing Disciplinary Standards. The OIG guidelines require that a practice have well-publicized disciplinary standards to penalize individuals who violate the practice’s compliance or other practice standards or who fail to detect or report violations of the compliance program. Inclusion of the disciplinary standards in the in-house training and procedure manuals is sufficient to meet the "well publicized" standard of this component. The sanctions should include warnings, reprimands, probation, demotion, suspension, termination of employment, restitution of damages, and referral for criminal prosecution. Any finding of noncompliant conduct should also be documented in the compliance files.


The OIG Compliance Program for Individual and Small Group Physician Practices dramatically raises the stakes for every physician practice. Under these guidelines the physician must ensure strict compliance with government regulations, policies, and interpretations. Even though the OIG characterizes the implementation of a compliance program as voluntary for a physician practice, failure to implement a compliance program shifts the burden from the government proving that a physician has engaged in criminal activity to requiring a physician to prove that he or she has not intentionally remained ignorant of government requirements.

Self-reporting requirements and substantial incentives for employees to report errors to government officials will undoubtedly result in increases in criminal and civil actions against physicians and demands for monetary recoveries. Development and implementation of and adherence to a sound compliance program are essential to the conduct of a successful practice.

The failure to implement an effective, ongoing compliance program will result in increased exposure to liability for dramatic penalties.

Steven I. Kern and Denise L. Sanders are principals with the health law firm of Kern Augustine Conroy & Schoppmann, PC, in Bridgewater, New Jersey and Lake Success, New York


1. The OIG has yet to publish its new evaluation and management documentation requirements, after withdrawing its last proposal nearly two years ago.

2. The OIG states that, unlike other compliance guidelines issued by the OIG, the physician guidelines do not suggest that physician practices implement all seven components of a full-scale compliance program but rather take a step-by-step approach to developing and implementing a compliance program based on the "circumstances and resources of the particular physician practice." As discussed elsewhere in this article, however, neglecting any of the recommended components carries risk.

3. This binder, according to the OIG, should be regularly updated and should be accessible to all employees. It could also include a summary of the relevant reimbursement requirements of federal and private payor plans, including those relating to reasonable and necessary services, coding, and documentation. In the case of more technical materials, it may be advisable to provide summaries in the handbook and make the source documents available on request. If individual copies of this handbook are not made available to all employees, a reference copy should be available in a readily accessible location. If updates to the policies and procedures are necessary, those updates should be given to employees. New employees should receive the practice standards and procedures when hired and be trained in their contents immediately thereafter. As part of the compliance effort, the distribution of the standards and procedures should be documented.