This paper was presented at the Law Education Institute, 2008 National CLE Conference Health Law Program, sponsored in part by the ABA Health Law Section, Colorado, Texas and North Carolina Bar Associations.
Introduction
As members of a highly regulated industry, health care organizations must continuously monitor their compliance with federal and state health care program requirements, including government program conditions of participation and reimbursement rules, and identify and monitor fraud and abuse risk areas relevant to their business. To assist in developing a process for voluntary compliance efforts, the Office of Inspector General (OIG) of the Department of Health and Human Services has developed a series of Compliance Program Guidances directed at discrete segments of the health care industry.1 Because of heightened governmental enforcement activities aimed at this industry, a majority of healthcare organizations have adopted voluntary compliance programs fashioned after these Compliance Program Guidances. Other considerations which have influenced the adoption of compliance programs include the reporting obligations placed on public companies by the Sarbanes-Oxley Act of 20022 and the incentives for reporting offered by the Federal Sentencing Guidelines for Organizations.3
As a part of their compliance programs, most health care organizations have developed internal auditing, monitoring and reporting systems designed to detect and investigate suspected noncompliance or misconduct. Health care organizations are expected to respond to detected offenses, develop corrective action initiatives and, where appropriate, report misconduct. The OIG suggests that, in evaluating the effectiveness of the manner in which a health care organization responds to detected deficiencies, it will consider whether all matters are thoroughly and promptly investigated and whether overpayments are promptly reported and repaid to the carrier or fiscal intermediary.
In addition, if a matter results in a probable violation of law, the OIG expects the health care organization to make a prompt self-disclosure of the matter to the appropriate law enforcement agency. The timing for reporting depends on the nature of the violation. A provider that uncovers an ongoing fraud scheme within its organization is advised to immediately contact the OIG, instead of following the OIG’s Provider Self-Disclosure Protocol steps for investigation and quantification of the scope of the problem.4 With respect to self-reporting matters which require an initial assessment of wrongdoing, the OIG advises:
Where the compliance officer, compliance committee, or a member of senior management discovers credible evidence of misconduct from any source and, after a reasonable inquiry, believes that the misconduct may violate criminal, civil, or administrative law, the [health care organization] should promptly report the existence of misconduct to the appropriate Federal and State authorities within a reasonable period, but not more than 60 days, after determining that there is credible evidence of a violation.5
1. The OIG has developed Compliance Program Guidances for hospitals; clinical laboratories; home health agencies; third-party billing companies; durable medical equipment, prosthetics, orthotics, and supply companies; hospices; Medicare+Choice organizations; nursing facilities; physicians; ambulance suppliers; and pharmaceutical manufacturers and a draft Guidance has been proposed for recipients of PHS research awards.
2. The Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2003)
3. United States Sentencing Commission, 2005 Federal Sentencing Guidelines, Chapter 8.
4. 63 Fed. Reg. 58403 (1998)
5. 70 Fed Reg. at 4876 (2005)