Reports and guidance documents; availability, etc.: Choice organizations offering coordinated care plans; compliance program guidance,

[Federal Register: November 15, 1999 (Volume 64, Number 219)]

[Notices]

[Page 61893-61910]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr15no99-90]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

Publication of the OIG's Compliance Program Guidance for Medicare+Choice Organizations Offering Coordinated Care Plans

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice.

SUMMARY: This Federal Register notice sets forth the Compliance Program Guidance for Medicare+Choice Organizations Offering Coordinated Care Plans (``Medicare+Choice organizations'') that was recently issued by the Office of Inspector General (OIG). The OIG has previously developed and published compliance program guidance focused on other areas of the health care industry. We believe that the development and issuance of this compliance program guidance for Medicare+Choice organizations will continue to serve as a positive step toward promoting a high level of ethical and lawful conduct throughout the entire health care industry.

FOR FURTHER INFORMATION CONTACT: Barbara Frederickson, Office of Counsel to the Inspector General, (202) 619-2078.

SUPPLEMENTARY INFORMATION:

Background

The creation of compliance program guidance continues to be a major initiative by the OIG in its effort to engage the health care community in combating fraud and abuse. In formulating compliance guidance, the OIG has worked closely with the Health Care Financing Administration (HCFA), the Department of Justice (DOJ) and various sectors of the health care industry to provide clear guidance to the industry. The previously-issued compliance program guidances addressed six areas: the hospital industry; home health agencies; clinical laboratories; third- party medical billing companies; the durable medical equipment, prosthetics, orthotics and supply industry; and hospices. The development of these compliance program guidances is based on our belief that a health care provider can use internal controls to more efficiently monitor adherence to applicable statutes, regulations and program requirements.

Guidance for Medicare+Choice Organizations

On September 22, 1998, the OIG published a solicitation notice seeking information and recommendations for developing formal guidance for Medicare+Choice organizations (63 FR 50577). In response to that solicitation notice, the OIG received five comments from the industry and their representatives. After careful consideration of those initial comments, and in an effort to ensure that all parties had a reasonable opportunity to provide input into a final product, the OIG published draft guidance for Medicare+Choice organizations on June 24, 1999 (64 FR 33869) for further comment and recommendations. A total of 16 timely-filedcomments were received for consideration by the OIG in response to the publication of that draft guidance.

Elements for an Effective Compliance Program

Through experience, the OIG has identified seven fundamental elements to an effective compliance guidance program that are being reflected in this latest issuance. They are:

‹bullet› Implementing written policies, procedures and standards of conduct;

‹bullet› Designating a compliance officer and a compliance committee;

‹bullet› Conducting effective training and education;

‹bullet› Developing effective lines of communication;

‹bullet› Enforcing standards through well-publicized disciplinary guidelines and developing policies addressing dealings with sanctioned individuals;

‹bullet› Conducting internal monitoring and auditing; and

‹bullet› Responding promptly to detected offenses, developing corrective action, and reporting to the Government.

The OIG is offering specific compliance measures that may be implemented by Medicare+Choice organizations in an effort to curtail or eliminate fraud and abuse. While HCFA regulations require Medicare+Choice organizations to implement compliance programs, adoption of the Compliance Program Guidance for Medicare+Choice Organizations Offering Coordinated Care Plans set forth below is voluntary.

A reprint of this newly-issued compliance program guidance follows:

Office of Inspector General's Compliance Program Guidance for Medicare+Choice Organizations Offering Coordinated Care Plans (November 1999)

  1. Introduction

    In its ongoing effort to work collaboratively with the health care industry to achieve the mutual goals of quality health care and the elimination of fraud, waste and abuse, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) encourages voluntarily developed and implemented compliance programs for the health care industry. Fundamentally, compliance efforts are designed to establish a culture within an organization that promotes prevention, detection and resolution of instances of conduct that do not conform to Federal and State law and Federal health care program requirements, as well as the organization's ethical and business policies. In practice, the compliance program should effectively articulate and demonstrate the organization's commitment to legal and ethical conduct.

    As a demonstration of the OIG's commitment to compliance, the OIG has issued recommendations, in the form of compliance program guidances, that provide suggestions regarding how specific segments of the industry can

    [[Page 61894]]

    best implement compliance programs.\1\ As a result of the changing nature of the health care delivery system and the growing trend toward reliance on the managed care industry in the provision of health care in the Medicare context, the OIG believes it is appropriate to issue a guidance focusing on Medicare+Choice organizations \2\ offering coordinated care plans \3\ (Medicare+Choice organizations). The OIG formulated this guidance specifically for Medicare+Choice organizations because these organizations are well-defined and are subject to a comprehensive regulatory structure.\4\ In addition, Congress envisioned an important role for Medicare+Choice organizations, demonstrated by the substantial amount of Federal funds received by these organizations.

    \1\ See 64 FR 58419 (10/29/99) for the draft compliance program guidance for nursing facilities; 64 FR 54031 (10/5/99) for the compliance program guidance for hospices; 64 FR 36368 (7/6/99) for the compliance program guidance for the durable medical equipment, prosthetics, orthotics and suppliers industry; 63 FR 70138 (12/18/ 98) for the compliance program guidance for third-party medical billing companies; 63 FR 45076 (8/24/98) for the compliance program guidance for clinical laboratories; 63 FR 42410 (8/7/98) for the compliance program guidance for home health agencies; and 63 FR 8987 (2/23/98) for the compliance program guidance for hospitals.

    These documents are also located on the Internet at http:// www.hhs.gov/oig/.

    \2\ A Medicare+Choice organization is defined as a public or private entity organized and licensed by a State as a risk-bearing entity (with the exception of provider-sponsored organizations receiving waivers) that is certified by the Health Care Financing Administration (HCFA) as meeting the Medicare+Choice contract requirements (42 CFR 422.2).

    \3\ For the purposes of this compliance program guidance, a ``coordinated care plan'' is a plan that includes a network of providers that are under contract or arrangement with the organization to deliver the benefit package approved by HCFA (42 U.S.C. 1395w-28(a)(1); 42 CFR 422.4).

    \4\ In this guidance, we have focused our attention on regulations applicable to Medicare+Choice organizations governing marketing, enrollment, disenrollment, underutilization, data collection, anti-kickback statute and emergency services, rather than providing instruction on all aspects of regulatory compliance.

    The OIG encourages Medicare+Choice organizations to read the guidance with the whole organization in mind, applying the guidance to whatever departments or divisions, including private-sector managed care areas, that are deemed appropriate by that organization. Indeed, many of the suggestions in this guidance can be used by managed care organizations that do not contract with HCFA to provide a Medicare+Choice plan. In particular, entities that participate in other public health care programs, such as Medicaid, may want to look to the general principles in this document to assist them in developing compliance programs.

    While the regulations implementing the Medicare+Choice program, or Part C, require a Medicare+Choice organization to establish a compliance plan,\5\ the OIG's program guidance is voluntary and simply is intended to provide assistance for Medicare+Choice organizations looking for additional direction in the development of internal controls that promote adherence to applicable Federal and State law. The OIG first provides its general views on the value and fundamental principles of Medicare+Choice organizations' compliance programs, and then provides specific elements that each Medicare+Choice organization should consider when developing and implementing an effective compliance program.

    \5\ The regulations require that any plan contracting with HCFA implement a compliance plan that encompasses the elements detailed in the Federal Sentencing Guidelines. 42 CFR 422.501(b)(vi). HCFA will release an operational policy letter addressing the compliance requirements detailed in the regulation. In response to concerns from industry representatives on the short time frame for implementing a compliance plan, HCFA delayed the actual implementation date of the compliance plan until January 1, 2000.

    1. Benefits of a Compliance Plan

      The OIG believes an effective compliance program provides a mechanism that brings the public and private sectors together to reach mutual goals of reducing fraud and abuse, improving operational quality, and ensuring the provision of high quality cost-effective care. Attaining these goals benefits business, Government, individual citizens and Medicare beneficiaries alike. In addition to fulfilling its legal duties to ensure that it is not submitting false or inaccurate information to the Government or providing substandard care to Medicare beneficiaries, a Medicare+Choice organization may gain numerous additional benefits by implementing an effective compliance program. These benefits may include:

      ‹bullet› The formulation of effective internal controls to assure compliance with Federal regulations and internal guidelines;

      ‹bullet› Improved communication with and satisfaction of Medicare+Choice enrollees;

      ‹bullet› The ability to more quickly and accurately react to employees operational compliance concerns and the capability to effectively target resources to address those concerns;

      ‹bullet› A concrete demonstration to employees and the community at large of the Medicare+Choice organization's strong commitment to honest and responsible corporate conduct;

      ‹bullet› The ability to obtain an accurate assessment of employee and contractor behavior relating to fraud and abuse;

      ‹bullet› Improved (clinical and non-clinical) quality of care and service;

      ‹bullet› Improved assessment tools that could affect many or all of the Medicare+Choice organization's divisions or departments;

      ‹bullet› Increased likelihood of identification and prevention of unlawful and unethical conduct;

      ‹bullet› A centralized source for distributing information on health care statutes, regulations and other program directives related to fraud and abuse;

      ‹bullet› The creation or reinforcement of an environment that encourages employees to report potential problems;

      ‹bullet› Procedures that allow the prompt, thorough investigation of possible misconduct by corporate officers, managers, employees and independent contractors;

      ‹bullet› An improved relationship with the Center for Health Plans and Providers (CHPP) at HCFA; and

      ‹bullet› Early detection and reporting, minimizing the loss to the Government from false or improper claims, and thereby reducing the Medicare+Choice organization's exposure to civil damages and penalties, criminal sanctions, and administrative remedies, such as program exclusion.\6\

      \6\ The OIG, for example, will consider the existence of an effective compliance program that pre-dated any governmental investigation when addressing the appropriateness of administrative sanctions. However, the burden is on the Medicare+Choice organization to demonstrate the operational effectiveness of a compliance program. Further, the False Claims Act, 31 U.S.C. 3729- 3733, provides that a person who has violated the Act, but who voluntarily discloses the violation to the Government within 30 days of detection, in certain circumstances will be subject to not less than double, as opposed to treble, damages. See 31 U.S.C. 3729(a). In addition, an organization will receive sentencing credit for an ``effective'' compliance program under the Federal Sentencing Guidelines. See United States Sentencing Commission Guidelines, Guidelines Manual, 8C2.5. Thus, the ability to react quickly when violations of the law are discovered may materially reduce the Medicare+Choice organization's liability.

      Overall, the OIG believes that an effective compliance program is a sound business investment that has the potential of enhancing the efficiency and effectiveness of the Medicare+Choice organization. It may also improve the Medicare+Choice organization's financial structure by addressing not only fraud and abuse concerns, but efficiency and productivity concerns in other operational areas.

      The OIG recognizes the implementation of an effective

      [[Page 61895]]

      compliance program may not entirely eliminate fraud, abuse and waste from an organization. However, a sincere effort by a Medicare+Choice organization to comply with applicable Federal and State standards, through the establishment of an effective compliance program, significantly reduces the probability of unlawful or improper conduct.

    2. Application of Compliance Program Guidance

      Before explaining the specific elements of a compliance program, it is important to emphasize several aspects of this document: its voluntary nature, its applicability to Medicare+Choice organizations, the collaborative nature by which it was developed, and its evolving nature.

      First, it should be re-emphasized that while the regulations implementing the Medicare+Choice program, or Part C, require a Medicare+Choice organization to establish a compliance plan, including specified elements,\7\ this program guidance is voluntary. Although this document presents basic procedural and structural guidance for designing a compliance program, it is not in itself a compliance program. Rather, it is a set of guidelines for consideration by a Medicare+Choice organization interested in obtaining specific information on implementing a compliance program. This guidance represents the OIG's suggestions on how a Medicare+Choice organization can establish internal controls and monitor company conduct to correct and prevent fraudulent activities.

      \7\ See note 5.

      It is critical for the Medicare+Choice organization to assess its own organization and determine its needs with regard to compliance with applicable Federal and State statutes and Federal health care program requirements. By no means should the contents of this guidance be viewed as an exclusive discussion of the advisable components of a compliance program. On the contrary, the OIG strongly encourages Medicare+Choice organizations to develop and implement compliance components that uniquely address the individual organization's risk areas.

      Implementing a compliance program in a Medicare+Choice organization is a complicated venture. There are significant variances and complexities among Medicare+Choice organizations in terms of the type of services and the manner in which these services are provided to the respective members. For example, some Medicare+Choice organizations cover broad service areas, while others are focused on a particular geographic region. Similarly, the range of benefits covered differ among plans, as does the size of the network and the use of a varying number of provider contracting tiers to deliver services. Clearly, these differences may give rise to different substantive policies to ensure effective compliance. Furthermore, some Medicare+Choice organizations are relatively small, while others are fully integrated and offer Medicare+Choice plans in a wide variety of areas. Finally, the availability of resources for any one Medicare+Choice organization can differ vastly.

      Notwithstanding these differences, this guidance is pertinent for all Medicare+Choice organizations, large or small, regardless of the type of services provided. The applicability of the recommendations and guidelines provided in this document may depend on the circumstances and resources of each particular Medicare+Choice organization. However, regardless of the organization's size and structure, the OIG believes every Medicare+Choice organization can and should strive to accomplish the objectives and major principles underlying all of the compliance policies and procedures recommended within this guidance.

      The OIG recognizes that the success of the compliance program guidance hinges on thoughtful and practical comments from those individuals and organizations that will utilize the tools set forth in this document. In a continuing effort to collaborate closely with the private sector, the OIG solicited input and support from the public in the development of this compliance program guidance.\8\ Further, we took into consideration previous OIG publications, such as Special Fraud Alerts, the recent findings and recommendations in reports issued by OIG's Office of Audit Services (OAS) and Office of Evaluation and Inspections (OEI),\9\ comments from HCFA, as well as the experience of past and recent fraud investigations related to managed care organizations \10\ conducted by OIG's Office of Investigations (OI) and the Department of Justice.

      \8\ See Solicitation of Information and Recommendations for Developing the OIG Compliance Program Guidance for Certain Medicare+Choice Organizations (63 FR 50577 (9/22/98)). We also requested public comment on the draft guidance (64 FR 33869 (6/24/ 99)).

      \9\ Special Fraud Alerts are available on the OIG website at http://www.hhs.gov/oig/. The recent findings and recommendations of OEI and OAS can be located on the Internet at http://www.hhs.gov/oei and http://www.hhs.gov/progorg/oas/cats/hcfa.html, respectively.

      \10\ These investigations include findings based upon Medicare risk-based Health Maintenance Organizations and competitive medical plans as defined in 42 U.S.C. 1395mm.

      As appropriate, this guidance may be modified and expanded as more information and knowledge is obtained by the OIG, and as changes in the law, and in the rules, policies and procedures of the Federal and State plans occur. New compliance practices may eventually be incorporated into this guidance if the OIG discovers significant enhancements to better ensure an effective compliance program. We recognize the development and implementation of compliance programs in Medicare+Choice organizations often raise sensitive and complex legal and managerial issues.\11\ However, the OIG wishes to offer what it believes is critical guidance for those who are sincerely attempting to comply with the relevant health care statutes and regulations.

      \11\ Nothing stated herein should be substituted for, or used in lieu of, competent legal advice from counsel.

  2. Compliance Program Elements

    The elements discussed in this guidance are similar to those of the other OIG Compliance Program Guidances \12\ and our corporate integrity agreements.\13\ While these same elements are required by HCFA in the Medicare+Choice regulations,\14\ the OIG reiterates that this guidance is not mandatory, but simply represents OIG's recommendations on how the elements can be implemented.\15\

    \12\ See note 1.

    \13\ Corporate integrity agreements are executed as part of a civil settlement agreement between the health care provider and the Government to resolve a case based on allegations of health care fraud or abuse. These OIG-imposed agreements are generally in effect for a period of 3 to 5 years and require many of the elements included in this compliance guidance.

    \14\ 42 CFR 422.501(b)(vi).

    \15\ The OIG appreciates that because Medicare+Choice organizations are subject to substantial regulations that contain extensive operational requirements as well as requirements regarding self-monitoring and monitoring or review of activities by external organizations, they may already be performing some of the activities discussed in this guidance. Each Medicare+Choice organization must determine the extent to which these activities need to be modified or supplemented to create an effective compliance program.

    Every effective compliance program must begin with a formal commitment \16\ by the Medicare+Choice organization's governing body to include all of the

    [[Page 61896]]

    applicable elements listed below. A good faith and meaningful commitment on the part of the Medicare+Choice organization's administration, especially the governing body and the chief executive officer (CEO), will substantially contribute to the program's successful implementation. It is incumbent upon an organization's officers and managers to provide ethical leadership to the organization and to assure adequate systems and resources are in place to facilitate and promote ethical and legal conduct. Employees, managers and the Government will focus on the words and actions (including decisions made on resources devoted to compliance) of an organization's leadership as a measure of the organization's commitment to compliance.

    \16\ Formal commitment may include a resolution by the board of directors, where applicable. A formal commitment does include the allocation of adequate resources to ensure that each of the elements is addressed.

    Under Medicare+Choice, an organization may, by written contract, delegate any activity required under or governed by the Medicare+Choice standards to another entity. However, an organization entering into a Medicare contract remains entirely accountable to HCFA for the performance of any delegated function.\17\ It is the sole responsibility of the organization to ensure that the function is performed in accordance with applicable standards. While the activity may be delegated, the oversight responsibility remains with the Medicare+Choice organization. Each Medicare+Choice organization should keep these requirements and responsibilities in mind as it develops its compliance program.

    \17\ 42 CFR 422.502(i).

    These elements are based on the seven steps of the Federal Sentencing Guidelines.\18\ As required by the HCFA regulations, every Medicare+Choice organization must implement all of the recommended elements and expand upon them, as appropriate. At a minimum, comprehensive compliance programs should include the following seven elements:

    \18\ See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, comment. (n.3(k)). The Federal Sentencing Guidelines are detailed policies and practices for the Federal criminal justice system that prescribe appropriate sanctions for offenders convicted of Federal crimes.

    (1) The development and distribution of written standards of conduct, as well as written policies and procedures, that promote the Medicare+Choice organization's commitment to compliance and that address specific areas of potential fraud (e.g., the marketing process and utilization);

    (2) The designation of a chief compliance officer and other appropriate bodies, e.g., a corporate compliance committee, charged with the responsibility and authority of operating and monitoring the compliance program and who report directly to the CEO and the governing body;

    (3) The development and implementation of regular, effective education and training programs for all affected employees;

    (4) The development of effective lines of communication between the compliance officer and all employees, including a process, such as a hotline, to receive complaints (and the adoption of procedures to protect the anonymity of complainants and to protect callers from retaliation);

    (5) The use of audits or other risk evaluation techniques to monitor compliance and assist in the reduction of identified problem areas;

    (6) The development of disciplinary mechanisms to consistently enforce standards and the development of policies addressing dealings with sanctioned and other specified individuals; and

    (7) The development of policies to respond to detected offenses, to initiate corrective action to prevent similar offenses, and to report to Government authorities when appropriate.

    1. Written Policies and Procedures

      Every compliance program should require the development and distribution of written compliance policies, standards and practices that identify specific areas of risk and vulnerability to the Medicare+Choice organization. These policies should be developed by the appropriate operational officials within the Medicare+Choice organization, with appropriate review and oversight by the compliance officer and compliance committee. The OIG recommends that these policies be made available to all individuals who are affected by the particular risk or policy area at issue. Such individuals would include, for example, Medicare+Choice employees whose duties touch upon a particular risk or policy area, as well as agents and independent contractors with whom the organization has contracted to perform delegated activities, which touch upon a particular risk or policy area.\19\ The OIG also recommends that Medicare+Choice organizations provide, upon request, all contractors with a summary of the standards of conduct and the number of the hotline. The distribution of these materials could be accomplished via hard copy or via electronic means.

      \19\ When determining to whom to distribute various policies, the Medicare+Choice organizations should keep in mind that, according to the Federal Sentencing Guidelines, an organization must have established compliance standards to be followed by its employees and other agents in order to receive sentencing credit. The Guidelines define ``agent'' as ``any individual, including a director, an officer, an employee, or an independent contractor, authorized to act on behalf of the organization.'' See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, Application Note 3(d).

      1. Standards of Conduct

        Medicare+Choice organizations should develop standards of conduct for all affected employees that include a clearly delineated commitment to compliance by the organization's senior management and its divisions. To help communicate a strong and explicit organizational commitment to compliance goals and standards, the Medicare+Choice organization's governing body, CEO, chief operating officer (COO), general counsel, chief financial officer (CFO) and other senior officials should be directly involved in the development of standards of conduct.

        The standards should function in the same fashion as a constitution, i.e., as a foundational document that details the fundamental principles, values and framework for action within an organization, as well as the organization's mission and goals. The standards should also articulate the Medicare+Choice organization's commitment to comply with all Federal and State laws and regulations, with an emphasis on preventing fraud and abuse, and include the ramifications of failure to comply with these standards. The standards should not only address compliance with statutes and regulations, but should also set forth broad principles that guide employees in conducting business professionally and properly. In short, the standards should promote integrity, support objectivity and foster trust. Furthermore, a Medicare+Choice organization's standards of conduct should reflect a commitment to high quality health care delivery, as evidenced by its conduct of on-going performance assessment, improved outcomes of care and respect for the rights of Medicare+Choice enrollees. 2. Written Policies for Risk Areas

        As part of its commitment to compliance, Medicare+Choice organizations should establish a comprehensive set of written policies addressing all applicable statutes, rules and program instructions that apply to each function or department of that Medicare+Choice organization.\20\ The

        [[Page 61897]]

        policies should address specific areas of concern, such as marketing practices and data collection and submission processes. In contrast to the standards of conduct, which are designed to be a clear and concise collection of fundamental standards, the written policies should articulate specific procedures personnel should follow when performing their duties.\21\

        \20\ This includes, but is not limited to, the Medicare+Choice provisions and the fraud and abuse provisions of the Balanced Budget Act of 1997, Pub. L. 105-33; the Civil False Claims Act, 31 U.S.C. 3729-3733; the criminal false claims statutes, 18 U.S.C. 287, 1001; the fraud and abuse provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.L. 104-191; and the civil money penalties in the Social Security Act, 42 U.S.C. 1320a-7a and 42 U.S.C. 1395w-27(g). See also 42 CFR 422.1-422.312.

        \21\ The Medicare+Choice organization should document its efforts to formulate its policies to comply with applicable statutes, regulations and program requirements. For example, where a Medicare+Choice organization requests advice from HCFA, the Medicare+Choice organization should document and retain a record of the request and any written or oral response. This step is extremely important if the Medicare+Choice organization intends to rely on that response to guide it in future decisions, actions or appeals. In addition, the Medicare+Choice organization should maintain records relevant to the issue of whether its reliance was ``reasonable,'' and whether it exercised due diligence in developing procedures to implement the advice.

        The regulations and operational policies issued by HCFA that implement the Medicare+Choice program are very comprehensive and, as required by HCFA, serve as the basis for the policies and procedures of a Medicare+Choice organization.\22\ The legal, policy and contractual requirements that organizations must meet and perform as a Medicare+Choice organization are articulated in documentation promulgated by HCFA and other Federal agencies and should be considered de facto risk areas. Included among these risk areas are: (1) The election process; (2) benefits and beneficiary protections; (3) quality assessment and performance improvement; (4) cost sharing; (5) solvency, licensure and other State regulatory issues; (6) claims processing; and (7) appeals and grievance procedures.

        \22\ Medicare+Choice organizations should regularly access the HCFA managed care website at http://www.hcfa.gov/medicare/ mgdcar1.htm for updates on regulations and operational policies. Operational Policy Letters can be located on HCFA's web site at http://www.hcfa.gov/medicare/mgd-ops.htm.

        To determine the additional policies and procedures that are needed for a given Medicare+Choice organization (and which policies may need particular attention), the OIG recommends that Medicare+Choice organizations conduct a comprehensive self-administered risk analysis or contract for an independent risk analysis by experienced health care consulting professionals. This risk analysis could include surveys and statistical analysis specifically tailored to the organization's beneficiary population, provider pool and organizational structure and should identify and rank the various compliance and business risks the company may experience in its daily operations.\23\ A Medicare+Choice organization's prior history of noncompliance with applicable statutes, regulations and Federal health care program requirements, or the failure to report such non-compliance, may indicate additional types of risk areas where the organization may be vulnerable and may require necessary policy measures to prevent avoidable recurrence.\24\

        \23\ Medicare+Choice organizations may also want to consult the OIG's Work Plan when conducting the risk assessment. The OIG Work Plan details the various projects the OIG currently intends to address in the fiscal year. It should be noted that the priorities in the Work Plan are subject to modification and revision as the year progresses and the Work Plan does not represent a complete or final list of areas of concern to the OIG. The Work Plan is currently available on the Internet at http://www.hhs.gov/oig/.

        \24\ ``Recurrence of misconduct similar to that which an organization has previously committed casts doubt on whether it took all reasonable steps to prevent such misconduct'' and is a significant factor in the assessment of whether a compliance program is effective. See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, Application Note 3(7)(ii).

        The fact that Medicare+Choice organizations may be both providers and insurers of health care increases the number and type of risk areas to which a Medicare+Choice organization must be attuned, as well as the type of auditing and monitoring procedures that must be implemented, in the development of its compliance efforts. For example, there are a variety of substantially different operational areas within the structure of a Medicare+Choice organization such as marketing, health services delivery and finances that could require different types of policies.

        Given the detailed nature of the HCFA rules and regulations, we have not attempted in this document to identify each and every policy that should be established by a Medicare+Choice organization. Rather, based on a review of OIG audits, investigations and evaluations, we have identified the following areas of particular concern to OIG that the Medicare+Choice organization should include in its written policies and procedures:\25\

        \25\ Although many of these areas apply specifically to Medicare+Choice organizations, many of the areas identified below have analogous issues in non-Medicare organizations. Medicare+Choice organizations that provide private managed care products should consider establishing additional policies and procedures for risk areas that apply specifically to those areas. Although the policies may be integrated, they should identify, as appropriate, where deviations may be necessary to meet Medicare+Choice requirements or State licensure requirements.

        ‹bullet› Marketing materials and personnel;

        ‹bullet› Selective marketing and enrollment;

        ‹bullet› Disenrollment;

        ‹bullet› Underutilization and quality of care;

        ‹bullet› Data collection and submission processes;

        ‹bullet› Anti-kickback statute and other inducements; and

        ‹bullet› Emergency services.

        The following sections provide specific guidance regarding the risk areas identified above. a. Marketing Materials and Personnel

        While each Medicare+Choice organization must comply with all of HCFA's detailed requirements relating to marketing their plans,\26\ OIG is particularly concerned that organizations have policies regarding: (1) The completeness and accuracy of the marketing materials; and (2) marketing personnel.

        \26\ Medicare+Choice organizations should ensure that they conform to fair marketing standards as set forth in the statute, the Medicare Managed Care National Marketing Guide (Marketing Guide) and all HCFA Operational Policy Letters affecting marketing matters.

        Accurate and useful information is crucial to the success of the Medicare+Choice program. The OIG is concerned that Medicare+Choice organizations correctly and completely describe plan information in marketing materials or other materials distributed to individuals prior to and following enrollment. Medicare+Choice organizations that misrepresent or falsify information submitted to HCFA, individuals or entities are subject to civil money penalties (CMPs) or other intermediate sanctions.\27\

        \27\ 42 U.S.C. 1395w-27(g).

        The submission of inaccurate or misleading information is of particular concern to OIG. Medicare+Choice organizations should be aware that the fact that materials have been approved by HCFA does not absolve them from potential liability for misrepresenting or falsifying information.\28\

        \28\ Medicare+Choice organizations may not distribute marketing materials or election forms unless they have submitted them to HCFA for review 45 days prior to distribution and HCFA has not disapproved their distribution (42 CFR 422.80).

        HCFA considers marketing materials to include any informational materials targeted to Medicare beneficiaries. Marketing materials go beyond the public's general conception of marketing materials and include general

        [[Page 61898]]

        circulation brochures, leaflets, newspapers, magazines, television, radio, billboards, yellow pages, the internet, slides and charts, and leaflets for distribution by providers. Such materials also include membership communication materials such as membership rules, subscriber agreements, or confirmation of enrollment.\29\ Accordingly, Medicare+Choice organizations should carefully scrutinize all of these materials for completeness, accuracy and compliance with HCFA rules, regulations and policy letters.

        \29\ 42 CFR 422.80(b).

        In verifying that marketing materials meet all HCFA requirements, Medicare+Choice organizations should ensure that the appropriate materials contain an adequate description of enrollee rights, procedures for accessing basic benefits and services, and a clear explanation of the appeal and grievance process.\30\ Of particular concern to HCFA and OIG is that the concept of ``lock-in'' is clearly explained in all marketing material. Many Medicare beneficiaries are unfamiliar with the notion that managed care may limit their health care provider choices. Describing the process of selecting a primary care physician and the limitations that this places on a Medicare+Choice enrollee's choice of provider will reduce the unmet expectations of Medicare beneficiaries.

        \30\ 42 CFR 422.80(c).

        Another important concept to include in the marketing materials is that the beneficiary may be terminated from enrollment in the plan due to the decision of the Medicare+Choice organization not to renew its contract with HCFA, or due to HCFA's refusal to renew the contract.\31\ This termination can affect the enrollee's eligibility for supplemental insurance and other benefits.

        \31\ 42 CFR 422.80(c)(3).

        Second, in light of the critical role that marketing personnel play in representing the plan to Medicare enrollees, the Medicare+Choice organization must take all appropriate steps to ensure that marketing personnel are presenting clear, complete and accurate information to potential enrollees. To that end, the OIG encourages Medicare+Choice organizations to employ their own marketing personnel, as opposed to contracting these responsibilities to outside entities.\32\ This provides the Medicare+Choice organization the necessary control to ensure that these individuals meet all HCFA guidelines. Similarly, it safeguards Medicare beneficiaries from practices that could greatly affect the access to health care to which they are entitled and their ability to acquire accurate and complete information regarding their health care options.

        \32\ It should be noted that Medicare+Choice organizations have ultimate responsibility for the acts and omissions of its marketing agents (42 CFR 422.502(i)).

        Medicare+Choice organizations should also be aware that the OIG and HCFA strongly discourage the use of physicians as marketing agents for several reasons: (1) When a physician acts outside his or her traditional role as care provider, the physician's patients may be confused as to when the physician is acting as an agent of the plan, and when the physician is acting in his or her role as a fiduciary to act in the best interests of the patient; (2) a physician's knowledge of a patient's health status increases the potential for discriminating in favor of Medicare beneficiaries with positive health status when acting as a marketing agent; (3) physicians may not be fully aware of membership plan benefits and costs; and (4) physicians may not be the best source of membership information for their patients.\33\ Therefore, the organization should develop policies to ensure that any provider promotional activities are conducted in accordance with HCFA guidelines (which allow, e.g., the distribution of health plan brochures (exclusive of applications) at a health fair or in their own offices).\34\

        \33\ Marketing Guide, Chapter IV.

        \34\ Id.

        1. Selective marketing and Enrollment

          The OIG is very concerned about the practice known as ``cherry- picking,'' or selective marketing,\35\ in which Medicare+Choice organizations discriminate in the marketing and enrollment process based upon an enrollee's degree of risk for costly or prolonged treatment.\36\ Except for individuals who have been medically determined to have end-stage renal disease, a Medicare+Choice organization may not deny, limit or condition the coverage or furnishing of benefits to individuals eligible to enroll in a Medicare+Choice plan offered by the organization on the basis of any factor that is related to health status, including, but not limited to, the following: (1) Medical condition (including mental illness); (2) claims experience; (3) receipt of health care; (4) medical history; (5) genetic information; (6) evidence of insurability; and (7) disability.\37\ Engaging in practices that would reasonably be expected to have the effect of denying or discouraging enrollment by eligible individuals whose medical condition or history indicates the need for substantial future medical services subjects the Medicare+Choice organization to a CMP or other sanction, such as suspension of enrollment or suspension of payment.\38\

          \35\ OIG is also concerned about a similar problem, known as ``gerrymandering,'' which is an attempt to eliminate certain high dollar risk areas from the Medicare+Choice organization's service area. Medicare+Choice organizations should have policies in place to avoid such practices.

          \36\ Although the Medicare+Choice program has attempted to alleviate many of the selective marketing practices through the use of risk adjustment, the phase-in period for risk-adjustment virtually assures that this will remain a troubling issue through 2004.

          \37\ 42 U.S.C. 1395w-22(b)(1); 42 CFR 422.110.

          \38\ 42 U.S.C. 1395w-27(g)(1)(D); 42 CFR 422.750 through 422.760.

          Certain types of practices clearly fall into the category of cherry-picking and Medicare+Choice organizations should implement policies to prohibit and prevent such practices. For example, organizations should generally prohibit employees from conducting medical screening, i.e., asking the beneficiary medical questions prior to enrollment.\39\ In a 1996 survey, the OIG found that such screening for health status at application was reported by 18 percent of beneficiaries. While this represented a reduction from the 1993 level of 43 percent, it still represents a potentially serious problem.\40\

          \39\ Pursuant to 42 CFR 422.50(a)(2), it would be appropriate to determine whether a potential enrollee has end-stage renal disease.

          \40\ ``Beneficiary Perspectives of Medicare Risk HMOs 1996.'' (OEI-06-95-00430)(March 1998).

          Another way in which Medicare+Choice organizations may inappropriately target healthier beneficiaries is by primarily marketing their plans in places where healthy enrollees are more likely to be present, such as at health and exercise clubs, or in areas that are difficult to access for people with disabilities (e.g., upper floors of buildings that do not have elevators).\41\ Similarly, organizations may inappropriately provide inducements to potential enrollees in a way that would encourage younger, healthier beneficiaries to enroll in the plan. For example, the offering of free gym memberships or kayaking or other sporting lessons would appeal to a healthy class of enrollees and discriminate against those who would not be interested in such activities.\42\ If

          [[Page 61899]]

          a Medicare+Choice organization intends to offer such items as a Medicare+Choice benefit, the item must meet the definitional requirements of a bona fide benefit. The item must be: (1) Related to health care; and (2) costed out in the Medicare+Choice organization's Adjusted Community Rate. Any such items that do not meet these requirements are not valid Medicare+Choice benefits and must be considered ``value added services'' (VAS) subject to all the limitations associated with VAS.

          \41\ In fact, Medicare+Choice organizations are required to allocate part of their resources to marketing to the Medicare population with disabilities (42 CFR 422.80(e)(2)(i)).

          \42\ The statute prohibits the provision of cash or other monetary rebates as an inducement for enrollment in the plan. See 42 U.S.C. 1395w-21(h)(4)(A). However, HCFA allows Medicare+Choice organizations to give Medicare beneficiaries nominal value gifts, provided that the plan offers these gifts whether or not the beneficiary enrolls in the plan. HCFA defines nominal value as an item having little or no resale value (generally, less than $10), which cannot be readily converted into cash. See Marketing Guide, Chapter II. The use of inducements is also discussed in Section II.A.2.f.--Anti-kickback and Other Inducements.

          Other examples of cherry-picking would be: (1) Attempts to give enrollment priority to newly eligible Medicare beneficiaries (who are theoretically younger and healthier), other than as set forth in the regulations; \43\ (2) the tracking of costs incurred by enrollees who were enrolled in different settings (e.g., at the health fair, or at a health club), which could be used to target healthier enrollees in the future; or (3) re-enrollment campaigns targeting past plan subscribers who had low medical costs. There are many other subtle ways in which a Medicare+Choice organization may try to enroll healthy patient populations in a discriminatory manner (i.e., not making similar attempts to enroll less healthy beneficiaries) and the organization should implement policies actively to prevent such practices.

          \43\ 42 CFR 422.66(d).

        2. Disenrollment

          In general, Medicare+Choice organizations are prohibited from disenrolling, or requesting or encouraging (either by action or inaction) an individual to disenroll from any plan it offers.\44\ If a Medicare+Choice organization acts to expel or refuses to reenroll an individual in violation of the statute, a civil money penalty or other sanction can be imposed on the organization.\45\ The OIG is particularly concerned about disenrollment in light of its recent review, which revealed that there was a problem with disenrollment of beneficiaries just prior to receiving expensive inpatient services.\46\

          \44\ Medicare+Choice organizations are entitled to disenroll individuals under certain circumstances, e.g., failure to pay premiums or engagement in disruptive behavior. 42 CFR 422.74.

          \45\ 42 U.S.C. 1395w-27(g)(1)(C).

          \46\ Review of Inpatient Services Performed on Beneficiaries After Disenrolling from Medicare Managed Care.'' (A-07-98-01256) (May 1999).

          In this review, OIG found that Medicare paid for inpatient hospital services amounting to $224 million in fee-for-service (FFS) payments within 3 months of beneficiaries' disenrollment from six risk plans during 1991 through 1996. Had these beneficiaries not disenrolled, Medicare would have paid the HMOs $20 million in monthly capitation payments. Had the beneficiaries remained in the HMOs, Medicare would have saved $204 million in expenditures. Included in the Medicare FFS payments were $41 million for beneficiaries who disenrolled, had FFS procedures performed, and then reenrolled into another or the same managed care plan.

          While this study did not identify the reasons for the disenrollment as part of this review, one partial explanation of the review could be that some managed care plans or their medical personnel may be encouraging sicker beneficiaries to disenroll as a way to avert their own costs at a high cost to the Medicare system.

          Each Medicare+Choice organization must implement policies to ensure that inappropriate disenrollment does not occur.\47\ Such policies should include clarification of when it is appropriate for medical personnel to discuss the concept of disenrollment. Generally speaking, OIG believes it would be inappropriate for medical personnel to initiate discussion of disenrollment or to promote disenrollment (when the topic is initiated by the enrollee), except in the rare circumstance where the Medicare+Choice organization cannot or does not provide the covered medical items or services needed by the patient.

          \47\ Such policies should be consistent with the provisions that prohibit Medicare+Choice organizations from restricting a health care professional from advising patients of the ``health status of the individual or medical care or treatment for the individual's condition or disease, regardless of whether benefits for such care or treatment are provided under the plan.'' See 42 U.S.C. 1852(j)(3)(emphasis added).

        3. Underutilization and Quality of Care

          Medicare+Choice organizations must ensure that all covered services are available and accessible to all enrollees.\48\ The OIG views the inappropriate withholding or delay of services, known as underutilization or ``stinting,'' as a serious issue.\49\ Examples of practices that can lead to underutilization and poor quality include the failure to employ or contract with sufficient institutional and individual providers to accommodate all enrollees, the failure to provide geographically reachable services to enrollees, the delay in approving or failure to approve referrals for covered services, the establishment of utilization review procedures that are so burdensome that an enrollee could not reasonably be expected to fulfill the requirements and the categorical denial of payment of claims.\50\

          \48\ 42 U.S.C. 1395w-22. To this end, Medicare+Choice organizations must comply with the standards contained in the Quality Improvement System for Managed Care (QISMC) for Organizations Contracting with Medicare or Medicaid.

          \49\ Medicare+Choice organizations can be subject to sanctions for failing substantially to provide medically necessary items and services that are required to be provided, if the failure has adversely affected (or has the substantial likelihood of adversely affecting) the individual. 42 U.S.C. 1395w-27(g)(1)(A).

          \50\ See QISMC Standards 2.1.2, 2.2.2 and 3.1.

          There are a wide variety of policies that a Medicare+Choice organization should implement to be sure it is providing all medically necessary services to its enrollees. The regulations and guidelines that implement the Medicare+Choice program contain numerous provisions that deal with this issue. While we have not attempted to develop a comprehensive list in this document, we would like to highlight three types of policies that Medicare+Choice organizations should develop that may help address underutilization and quality of care.

          First, Medicare+Choice organizations should have policies that prohibit interference with health care professionals' advice to enrollees. Also known as the ``gag rule,'' this prohibition extends to advice regarding the patient's health status, medical care, and treatment options, the risks, benefits and consequences of treatment or non-treatment, or the opportunity for the individual to refuse treatment and to express preferences about future treatment options.‹SUP›51‹/SUP› Failure to comply with this requirement can lead to sanctions.‹SUP›52‹/SUP›

          \51 \42 U.S.C. 1395w-22(j)(3), 42 CFR 422.206; QISMC Standard 3.3.1.7.

          \52 \42 U.S.C. 1395w-27(g)(1)(F); 42 CFR 422.750 through 422.760.

          Second, Medicare+Choice organizations should be sure, to they extent that they utilize physician incentive plans (PIPs) in their payment arrangements with individual physicians or physician groups, that they comply with all applicable regulations and that such payment arrangements are fully disclosed to HCFA as required by regulation. The PIPs raise utilization concerns because they are defined as ``any compensation

          [[Page 61900]]

          arrangement to pay a physician or physician group that may directly or indirectly have the effect of reducing or limiting services provided to any plan enrollees.'' ‹SUP›53‹/SUP› Any PIP operated by a Medicare+Choice organization must comply with the following requirements. First, it may make no payments to physicians (such as offerings of monetary value, including, but not limited to, stock options or waivers of debt ‹SUP›54‹/SUP›) to reduce or limit medically necessary services furnished to any particular enrollee. Second, if the PIP puts a physician or physician group at ``substantial financial risk'' ‹SUP›55‹/SUP› for referral services, the Medicare+Choice organization must: (1) survey current and previously enrolled members to assess access to, and satisfaction with, the quality of services; and (2) assure that there is adequate and appropriate stop-loss protection.‹SUP›56‹/SUP› Finally, Medicare+Choice organizations must disclose to HCFA certain information regarding their PIPs. These disclosure requirements apply to direct contracting arrangements, as well as subcontracting arrangements.‹SUP›57‹/SUP›

          \53 \42 CFR 422.208.

          \54 \42 U.S.C. 1395w-22(j)(4); 42 CFR 422.208.

          \55 \``Substantial financial risk'' threshold is set at 25 percent of potential payments for covered services, regardless of the frequency of assessment (i.e., collection) or distribution of payments. 42 CFR 422.208.

          \56 \42 CFR 422.208(c).

          \57 \42 CFR 422.210(a).

          Finally, the OIG is aware of cases in which beneficiaries have received covered services from individuals that were not appropriately licensed. Given the serious quality of care implications of this type of practice, the OIG is particularly concerned that Medicare+Choice organizations have procedures for the selection of providers, including criteria for the credentialing of providers. This process should include an application, verification of information and a site visit, where applicable.‹SUP›58‹/SUP› The information that must be verified includes that the individual has a valid license to practice, clinical privileges in good standing and appropriate educational qualifications.

          \58 \42 CFR 422.204.

        4. Data Collection and Submission Processes

          The regulations implementing the Medicare+Choice program contain numerous requirements relating to the data collection and submission process, ranging from a requirement for an effective system for receiving, controlling and processing election forms ‹SUP›59‹/SUP› to requirements for the timely submission of disenrollment notices.‹SUP›60‹/SUP› These requirements cover the gamut of requirements with which a Medicare+Choice organization must comply and are too detailed to enumerate in this document. Medicare+Choice organizations should establish a policy that all required submissions to HCFA be accurate, timely and complete and that all appropriate reporting requirements are met.‹SUP›61‹/SUP›

          \59 \42 CFR 422.60(e).

          \60 \42 CFR 422.66(b)(3)(i).

          \61 \On a related topic, Medicare+Choice organizations should also be sure that their computer systems are Year 2000 (Y2K) compliant. An OIG report indicates that managed care organizations have made significant progress in this regard, with more than 80% indicating that they are Y2K compliant. ``Y2K Readiness of Managed Care Organizations.'' (OEI-05-98-0591)(October 1999).

          The OIG is particularly concerned that Medicare+Choice organizations submit accurate data when that information determines the amount of payment received from HCFA. The regulations require that when a Medicare+Choice organization requests payment under the contract, the CEO or CFO must certify the accuracy, completeness and truthfulness of relevant data, including enrollment data, encounter data and information provided as part of an adjusted community rate (ACR) proposal.‹SUP›62‹/SUP› When a Medicare+Choice organization submits this type of data to HCFA, it is making a ``claim'' for capitation payment in the amount dictated by the data submitted, or in the case of the ACR submission, a ``claim'' to retain the portion of the capitation amount that is under the average payment rate, rather than providing additional benefits. When a Medicare+Choice organization is claiming payment (or the right to retain payment) based upon information submitted to HCFA, it must take responsibility for having taken reasonable steps to assure the accuracy of this information. The attestation forms developed by HCFA for this purpose require certification that the information submitted is true and accurate based on best knowledge, information and belief.

          \62 \42 CFR 422.502(l) and (m). See also Contract for Year 2000, Attachments A, B and C.

          The requirement that the CEO or CFO certify as to the accuracy, completeness and truthfulness of data, based on best knowledge, information and belief, does not constitute an absolute guarantee of accuracy. Rather, it creates a duty on the Medicare+Choice organization to put in place an information collection and reporting system reasonably designed to yield accurate information. Further, the Medicare+Choice organization should exercise due diligence to ensure that these systems are working properly. The exact methods used by the Medicare+Choice organization to accomplish this can be determined by the organization, however, it should ordinarily conduct sample audits and spot checks of this system to verify whether it is yielding accurate information.

          The knowing submission of false information to HCFA can lead to serious criminal or civil penalties.‹SUP›63‹/SUP› Medicare+Choice organizations should implement policies so that the enrollment, encounter and ACR data submitted to HCFA are accurate, complete and truthful. While information from a variety of sources can affect this data, Medicare+Choice organizations should take note of two reports issued by the OIG that have identified concerns in two aspects of this data.

          \63 \Falsification of documentation in any application for any benefit or payment under a Federal health care program is a Federal offense punishable by not more than $25,000 or imprisonment for 5 years, or both. See 42 U.S.C. 1320a-7b. In addition, a CMP can be imposed for the misrepresentation or falsification of information submitted to HCFA under Medicare+Choice. See 42 U.S.C. 1395w- 27(g)(1)(E).

          First, the OIG recommends that Medicare+Choice organizations have policies and procedures in place that ensure that the administrative component of the ACR is calculated accurately.\64\ As part of this process, Medicare+Choice organizations should have clearly defined criteria for claiming reimbursement for their administrative costs. These costs should not include any costs that are directly associated with furnishing patient care. All such costs should be allocated to the applicable operating component. The OIG has articulated serious concerns about the methodology used by managed care organizations in computing their administrative rate on the ACR proposal.\65\ For example, computing an administrative rate based on the use of a medical utilization factor could generate a payment that is almost three times what would be charged on the commercial side.

          \64\ The administrative component of the ACR covers any management, financial or other costs that are incurred by or allocated to a business unit for the management or administration of the business unit as a whole.

          \65\ See, e.g.,``Administrative Costs Submitted by Risk-Based Health Maintenance Organizations on the Adjusted Community Rate Proposals are Highly Inflated.'' (A-14-97-00202) (July 1998).

          Second, the OIG recommends that Medicare+Choice organizations have adequate internal controls in place to ensure that the institutional status of

          [[Page 61901]]

          beneficiaries is reported accurately.\66\ A recent report issued by the OIG estimated that risk-based HMOs received Medicare overpayments of $22.2 million for beneficiaries incorrectly classified as institutionalized.\67\ The incorrect classification was largely due to deficiencies in the HMOs internal controls in two areas: (1) Verification of beneficiaries' institutional status; and (2) reporting of institutional beneficiaries to HCFA. The results were based on audits of eight randomly selected HMOs.

          \66\ This will remain a concern until risk adjustment is fully implemented.

          \67\ ``Review of Medicare Managed Care Payments for Beneficiaries with Institutional Status.'' (A-05-98-00046)(April 1999).

        5. Anti-Kickback Statute and Other Inducements

          The anti-kickback statute provides criminal penalties for individuals or entities that knowingly and willfully offer, pay, solicit or receive remuneration to induce the referral of business reimbursable under a Federal health care program (including Medicare and Medicaid).\68\ The OIG has promulgated safe harbor regulations that define practices that are not subject to the anti-kickback statute because such practices would be unlikely to result in fraud or abuse.\69\

          \68\ 42 U.S.C. 1320a-7b(b). If it is determined that a party has violated the anti-kickback statute, the individual or entity can be excluded from participation in the Medicare and other Federal health care programs (as defined in 42 U.S.C. 1320a-7b(f)). 42 U.S.C. 1320a-7(b)(7). In addition, there is an administrative CMP provision for violating the anti-kickback statute (42 U.S.C. 1320a-7a(a)(7)).

          \69\ 42 CFR 1001.952. The safe harbors set forth specific conditions that, if met, assure entities involved of not being prosecuted or sanctioned for the arrangement qualifying for the safe harbor. However, safe harbor protection is afforded only to those arrangements that precisely meet all of the conditions set forth in the safe harbor. The failure of an arrangement to fit inside a safe harbor or statutory exception does not mean that the arrangement is illegal. It is incorrect to assume that arrangements outside of a safe harbor are suspect due to that fact alone. That an arrangement does not meet a safe harbor only means that the arrangement does not have guaranteed protection and must be evaluated on a case-by-case basis.

          The anti-kickback statute potentially applies to many managed care arrangements because a common strategy of these arrangements is to offer physicians, hospitals and other providers increased patient volume in return for substantial fee discounts. Because discounts to managed care organizations can constitute ``remuneration'' within the meaning of the anti-kickback statute, a number of health care providers have expressed concern that many relatively innocuous, or even beneficial, commercial managed care arrangements implicate the statute and may subject them to criminal prosecution and administrative sanctions.

          The OIG recognizes that when managed care organizations are paid a capitated amount for all of the services they provide regardless of the dates, frequency or type of services, there is no incentive for them to overutilize. In any event, even if overutilization occurs, the Federal health care programs are not at risk for these increased costs. Accordingly, OIG will be issuing a safe harbor from the anti-kickback statute that will provide protection for certain financial arrangements between managed care organizations (including Medicare+Choice organizations) and individuals or entities with whom they contract for the provision of health care items or services, where a Federal health care program pays such organizations on a capitated basis.\70\

          \70\ This safe harbor was developed in accordance with section 216 of HIPAA and section 14 of the Medicare and Medicaid Patient and Program Protection Act of 1987 (Pub. L. 100-93) through a negotiated rulemaking process that began in the spring of 1997. For a more detailed description of the negotiated rulemaking, see the Committee Statement of the Negotiated Rulemaking Committee on the Shared Risk Exception (January 22, 1998), which can be found on the Internet at http://www.hhs.gov/oig/.

          In general, the safe harbor protects payments between capitated managed care organizations (including Medicare+Choice organizations offering coordinated care plans) and individuals or entities with which it has direct contracts to provide or arrange for the provision of items or services.\71\ While this is a broad exception, there are three important limitations.

          \71\ In addition, arrangements between direct contractors and all subcontractors or successive tiers of subcontractors are protected, as long as the arrangement is for the provision of health care items or services that are covered by the arrangement between the direct contractor and the managed care organization and the arrangement meets the requirements applicable to arrangements between the direct contractor and the managed care organization.

          The first significant limitation is that there is no protection if the financial arrangements under the managed care agreement are implicitly or explicitly part of a broader agreement to steer fee-for- service Federal health care program business to the entity giving the discount to induce the referral of managed care business. Specifically, we understand that most managed care organizations have multiple relationships with their contractors and subcontractors for the provision of services for various product lines, including non-federal HMOs, preferred provider organizations (PPOs) and point of service networks. Consequently, although neither a managed care organization receiving a capitated payment from a Federal health care program nor its contractors or subcontractors has an incentive to overutilize items or services or pass additional costs back to the Federal health care programs under the capitated arrangement, we are concerned that a managed care organization or contractor may offer (or be offered) a reduced rate for its items or services in the Federal capitated arrangement in order to have the opportunity to participate in other product lines that do not have stringent payment or utilization constraints. This practice is a form of a practice known as ``swapping;'' in the case of managed care arrangements, low capitation rates could be traded for access to additional fee-for-service lines of business. We are concerned when these discounts are in exchange for access to fee-for-service lines of business, where there is an incentive to overutilize services provided to Federal health care program beneficiaries.

          For example, we would have concerns where an HMO with a Medicare risk contract under Medicare Part C also has an employer-sponsored PPO that includes retirees and requires participating providers to accept a low capitation rate for the Medicare HMO risk patients in exchange for access to the Medicare fee-for-service patients in the PPO. Although in such circumstances the cost to the Medicare program for the risk-based HMO beneficiaries will not be increased, there may be increased expenditures for Medicare beneficiaries in the PPO arrangement, because the providers may have an incentive to increase services to the Medicare enrollees in the PPO to offset the discounted rates to the Medicare HMO. Accordingly, such arrangements could violate the anti- kickback statute and should not be protected.

          A second limitation on the regulatory safe harbor protection is that it only applies to remuneration for health care items and services and those items or services reasonably related to the provision of health care items and services. It does not cover marketing services or any services provided prior to a beneficiary's enrollment in a health plan.

          Finally, the broad protection is limited to risk-based managed care plans that do not claim any payment from a Federal health care program other than the capitated amount set forth in the managed care organization's agreement with the Federal health care

          [[Page 61902]]

          program. Where the managed care plan, its contractors or its subcontractors are permitted to seek additional payments from any of the Federal health care programs, the regulatory safe harbor protection is significantly more limited. For example, protection is not extended to arrangements with subcontractors when the contract under section 1876 of the Social Security Act is cost-based or where the prime contract is protected solely because the contracting entity is a Federally-qualified HMO.\72\ In the first instance, reimbursement from the Federal health care program is based on costs, and in the latter case, services for Medicare enrollees are reimbursed on a fee-for- services basis. In both instances, reimbursement will increase with utilization, thus providing the same incentive to overutilize as any fee-for-service payment methodology.

          \72\ The arrangements may qualify for other safe harbors, such as the discount or personal services safe harbors.

          While the new safe harbor will provide protection from the anti- kickback statute for most arrangements between Medicare+Choice organizations and their contractors, Medicare+Choice organizations should also have policies in place that ensure that any incentives that the Medicare+Choice organization offers directly or indirectly to beneficiaries and potential beneficiaries do not run afoul of the anti- kickback statute or the new civil money penalty relating to incentives to beneficiaries.\73\ The CMP was enacted in section 231(h) of HIPAA (42 U.S.C. 1320a-7a(a)(5)) and imposes sanctions against individuals or entities that offer remuneration to a program beneficiary that they know, or should know, will influence the beneficiary's decision to order or receive items or services from a particular provider, practitioner or supplier reimbursable by Medicare or the State health care programs.

          \73\ Our concerns regarding the use of inducements in a manner that leads to enrollment of only healthy beneficiaries, such as offering memberships to exercise clubs for purposes of patient screening, is discussed above in Section II.A.2.b.--Selective Marketing and Enrollment.

          Pending the publication of the final rule implementing this CMP, we can provide the following guidance. It is our view that organizations that provide incentives to Federal health care program beneficiaries to enroll in a plan are not offering remuneration to induce the enrollees to use a particular provider, practitioner or supplier. Accordingly, we anticipate that organizations that provide incentives to enroll in a plan will not be subject to sanctions under this provision. However, incentives provided by organizations to induce a beneficiary to use a particular provider, practitioner or supplier once the beneficiary has enrolled in a plan are within the purview of this CMP and are prohibited if they do not meet an exception. For example, incentives given to beneficiaries by a particular physician group within the physician panel of a Medicare+Choice organization to encourage the beneficiary to use that physician group over another physician in the panel would be prohibited. g. Emergency Services

          The OIG and HCFA believe that there may be special concerns regarding the provision of emergency services to enrollees of Medicare+Choice plans. The anti-dumping statute \74\ imposes specific obligations on Medicare-participating hospitals that offer emergency services to individuals presenting themselves at the hospital seeking possible emergency treatment. While the obligations under the anti- dumping statute prohibit a hospital from inquiring into the patient's method of payment or insurance status when it results in the delay of a medical screening examination and/or stabilizing treatment, it has come to our attention that some hospitals routinely seek prior authorization from the patient's primary care physician or from the managed care plan when a managed care patient requests emergency services. Investigations of allegations of the anti-dumping statute across the country have persuaded the OIG that managed care patients may be at risk of being discharged or transferred without receiving a medical screening examination, largely because of the problems inherent in seeking ``prior authorization.''

          \74\ 42 U.S.C. 1395dd.

          To ensure appropriate access to emergency services for Medicare+Choice enrollees, Medicare+Choice organizations should comply with several key provisions. First, Medicare+Choice organizations are prohibited from requiring prior authorization for emergency services and must provide coverage for such services without regard to the emergency care provider's contractual relationship with the Medicare+Choice organization.\75\ Second, payment must be provided for emergency services based on a ``prudent layperson standard,'' which means that the need for emergency services should be determined from a reasonable patient's perspective at the time of presentation of the symptoms \76\ Finally, Medicare+Choice organizations must comply with all guidelines relating to the efficient and timely coordination of appropriate maintenance and post-stabilization of an enrollee after the enrollee has been stabilized under the anti-dumping statute.\77\

          \75\ 42 U.S.C. 1395w-22(d)(1)(E). Medicare+Choice organizations should not offer, or enter into, contracts with hospitals that are inconsistent with the anti-dumping statute.

          \76\ 42 U.S.C. 1395w-22(d)(3).

          \77\ 42 U.S.C. 1395w-22(d)(2).

          Medicare+Choice organizations should be particularly careful of the requirements of the anti-dumping statute in the event that they participate in the so-called ``dual staffing'' of emergency departments. Dual staffing occurs when hospitals enter into arrangements allowing a managed care organization to station its own physicians in the hospital's emergency department for the purpose of screening and treating managed care enrollees. Implementation of dual staffing raises some concerns under the anti-dumping statute, particularly where different procedures and protocols have been established for each staff.

          In addition, Medicare+Choice organizations should be particularly careful in operating ``urgent care'' services and in instructing enrollees to contact such services when enrollees need care. The organizations should ensure that such operations and instructions do not delay or otherwise compromise enrollees' access to services that should be provided in a hospital emergency room. 3. Retention of Records and Information Systems

          Medicare+Choice organizations' compliance programs should provide for the implementation of a records retention system. This system should establish policies and procedures regarding the creation, distribution, retention, storage, retrieval and destruction of documents. The three types of documents developed under this system should include: (1) All records and documentation required by either Federal or State law and the program requirements of Federal and State health plans; \78\ (2) records listing the persons responsible for implementing each part of the compliance plan; and (3) all records necessary to protect the integrity of the Medicare+Choice organization's compliance process and confirm the effectiveness of the program. The documentation necessary to satisfy the third category includes, but is not

          [[Page 61903]]

          limited to the following: evidence of adequate employee training; reports from the Medicare+Choice organization's hotline; results of any investigation conducted as a consequence of a hotline call; modifications to the compliance program; all written notifications to providers regarding compliance activities; \79\ and the results of the Medicare+Choice organization's auditing and monitoring efforts.

          \78\ These documents should be maintained for the periods required by the HCFA Medicare+Choice regulations.

          \79\ This should include notifications regarding: quality of care issues; confusing or inaccurate encounter data; and termination of the contract.

          In light of the increasing reliance on electronic data interchange by the health care industry, Medicare+Choice organizations should take particular care in establishing procedures for maintaining the integrity of its data collection systems. This should include procedures for regularly backing-up data (either by diskette, restricted system or tape) collected in connection with all aspects of the Medicare+Choice program requirements.

          In addition, all Medicare+Choice organizations should develop and implement policies and procedures to ensure the confidentiality and privacy of financial, medical, personnel and other sensitive information in their possession.\80\ These policies should address both electronic and hard copy documents.

          \80\ 42 U.S.C. 1395w-22(h); 42 CFR 422.118.

      2. Compliance as an Element of a Performance Plan

        Compliance programs should require that the promotion of, and adherence to, the elements of the compliance program be a factor in evaluating the performance of all relevant employees. Such employees should be periodically trained in new compliance policies and procedures.

        Policies should require that managers:

        ‹bullet› Discuss with all relevant employees the compliance policies and legal requirements applicable to their function;

        ‹bullet› inform all relevant personnel that strict compliance with these policies and requirements is a condition of employment; and

        ‹bullet› Disclose to all relevant personnel that the Medicare+Choice organization will take disciplinary action up to and including termination for violation of these policies or requirements.

        In addition to making performance of these duties an element in evaluations, the compliance officer or company management should include a policy that managers and supervisors will be sanctioned for failure to instruct adequately their subordinates or for failure to detect noncompliance with applicable policies and legal requirements, where reasonable diligence on the part of the manager or supervisor should have led to the discovery of any problems or violations.

    2. Designation of a Compliance Officer and a Compliance Committee

      1. Compliance Officer

      Every Medicare+Choice organization should designate a compliance officer to serve as the focal point for compliance activities. This responsibility may be the individual's sole duty or added to other management responsibilities, depending upon the size and resources of the Medicare+Choice organization and the complexity of the task.

      Designating a compliance officer with the appropriate authority is critical to the success of the program, necessitating the appointment of a high-level official in the Medicare+Choice organization with direct access to the company's governing body, the CEO and all other senior management and legal counsel.\81\ While it is important that the compliance officer have appropriate authority, we are not suggesting that the compliance officer should have operational responsibility for the various aspects of the Medicare+Choice program. For example, the compliance officer should have full authority to stop the submission of data that he or she believes is problematic until such time as the issue in question has been resolved. In addition, the compliance officer should be copied on the results of all internal audit reports and work closely with key managers to identify aberrant trends in the areas that require certification. The compliance officer must have the authority to review all documents and other information that are relevant to compliance activities, including, but not limited to, enrollee records (where appropriate) and records concerning the marketing efforts of the organization and the Medicare+Choice organization arrangements with other parties, including employees, professionals on staff, relevant independent contractors, suppliers, agents and physicians. This policy enables the compliance officer to review contracts and obligations (seeking the advice of legal counsel, where appropriate) that may contain referral and payment provisions that could violate statutory or regulatory requirements.

      \81\ The OIG believes that it is not advisable for the compliance function to be subordinate to the Medicare+Choice organization's general counsel, comptroller or similar company financial officer. Free-standing compliance functions help to ensure independent legal reviews and financial analyses of the institution's compliance activities. By separating the compliance function from the key management positions of general counsel or CFO (where the size and structure of the organization make this a feasible option), a system of checks and balances is established to more effectively achieve the compliance program's goals.

      Coordination and communication are the key functions of the compliance officer with regard to planning, implementing and monitoring the compliance program. With this in mind, the OIG recommends that the Medicare+Choice organization's compliance officer closely coordinate compliance functions with providers' compliance officers.

      The compliance officer should have sufficient funding and staff to fully perform his or her responsibilities. These duties should include:

      ‹bullet› Overseeing and monitoring the implementation of the compliance program; \82\

      \82\ For multi-site Medicare+Choice organizations, the OIG encourages coordination with each facility owned by the Medicare+Choice organization through the use of compliance liaisons at each site.

      ‹bullet› Reporting on a regular basis to the Medicare+Choice organization's governing body, CEO and compliance committee on the progress of implementation;

      ‹bullet› Periodically revising the program in light of changes in the organization's needs and in the law and policies and procedures of Government and private payor health plans;

      ‹bullet› Reviewing employees' certifications stating that they have received, read and understood the standards of conduct;

      ‹bullet› Developing, coordinating and participating in a multifaceted educational and training program that focuses on the elements of the compliance program and seeks to ensure that all appropriate employees and management are knowledgeable of, and comply with, pertinent Federal and State standards;

      ‹bullet› Coordinating personnel issues with the Medicare+Choice organization's human resources/personnel office (or its equivalent) to ensure that providers and employees do not appear in the List of Excluded Individuals/Entities and the General Services Administration (GSA) list of debarred contractors; \83\

      \83\ See note 101.

      ‹bullet› Assisting the Medicare+Choice organization's management in coordinating internal compliance review and monitoring activities, including annual or periodic reviews of departments;

      ‹bullet› Independently investigating and acting on matters related to compliance, including the flexibility to design and

      [[Page 61904]]

      coordinate internal investigations (e.g., responding to reports of problems or suspected violations) and any resulting corrective action with all departments, providers, agents, and, if appropriate, independent contractors;

      ‹bullet› Developing policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation; and

      ‹bullet› Continuing the momentum of the compliance program and the accomplishment of its objectives long after the initial years of implementation. 2. Compliance Committee

      The OIG recommends that a compliance committee be established to advise the compliance officer and assist in the implementation of the compliance program.\84\ When assembling a team of people to serve as the Medicare+Choice organization's compliance committee, the company should include individuals with a variety of skills.\85\ The OIG strongly recommends that the compliance officer manage the compliance committee. Once a managed care organization chooses the people that will accept the responsibilities vested in members of the compliance committee, the organization must train these individuals on the policies and procedures of the compliance program.

      \84\ The compliance committee benefits from having the perspectives of individuals with varying responsibilities in the organization, such as operations, finance, audit, human resources, utilization review, medicine, claims processing, information systems, legal, marketing, enrollment and disenrollment as well as employees and managers of key operating units. These individuals should have the requisite seniority and comprehensive experience within their respective departments to implement any necessary changes in the company's policies and procedures. Some organizations have found it helpful to include an outside director on its compliance committee to provide a different perspective.

      \85\ A Medicare+Choice organization should expect its compliance committee members and compliance officer to demonstrate high integrity, good judgment, assertiveness and an approachable demeanor, while eliciting the respect and trust of employees of the organization. The compliance committee members should also have significant professional experience in working with quality assurance, enrollment, marketing, clinical records and auditing principles.

      The committee's responsibilities should include:

      ‹bullet› Analyzing the organization's regulatory environment, the legal requirements with which it must comply and specific risk areas;

      ‹bullet› Assessing existing policies and procedures that address these areas for possible incorporation into the compliance program;

      ‹bullet› Working with appropriate departments, as well as affiliated providers, to develop standards of conduct and policies and procedures that promote allegiance to the organization's compliance program;

      ‹bullet› Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization's standards, policies and procedures as part of its daily operations;

      ‹bullet› Determining the appropriate strategy/approach to promote compliance with the program and detection of any potential violations, such as through hotlines and other fraud reporting mechanisms;

      ‹bullet› Developing a system to solicit, evaluate and respond to complaints and problems; and

      ‹bullet› Monitoring internal and external audits and investigations for the purpose of identifying troublesome issues and deficient areas experienced by the Medicare+Choice organization and implementing corrective and preventive action.

      The committee may also address other functions as the compliance concept becomes part of the overall operating structure and daily routine.

    3. Conducting Effective Training and Education

      The proper education and training of corporate officers, managers, employees and the continual retraining of current personnel at all levels are significant elements of an effective compliance program. Where appropriate, the Medicare+Choice organization may afford its contractors the opportunity to participate in the organization's compliance training and educational programs.\86\ The contractors should be encouraged to develop their own compliance programs that complement the Medicare+Choice organization's compliance program.

      \86\ While some Medicare+Choice organizations may encourage providers to participate in education programs designed for its own employees, other organizations may prefer to develop provider- specific education programs about compliance.

      1. Formal Training Programs

      To ensure the appropriate information is being disseminated to the correct individuals, the Medicare+Choice organization training program should include both a general session and specialized sessions on specific risk areas. All employees should attend the general session on compliance. Employees whose job responsibilities implicate specific risk areas (e.g., marketing or data collection and submission) should attend the specialized sessions.

      The OIG recommends that attendance and participation at training programs be made a condition of continued employment and that failure to comply with training requirements should result in disciplinary action, including possible termination, when such failure is serious. The Medicare+Choice organization should retain adequate records of its training of employees, including attendance logs and material distributed at training sessions. New employees should be targeted for training early in their employment, and to the extent that they perform complicated tasks with greater organizational legal exposure, should be monitored closely until all training is completed. a. General Sessions

      As part of their compliance programs, Medicare+Choice organizations should require all employees to attend annual training that emphasizes the organization's commitment to compliance with all Federal and State statutes and requirements, and the policies of private payors. While the OIG recognizes that not all standards, policies and procedures need to be communicated to all employees, it believes that the general message about the importance of complying with fraud and abuse laws and other ethical areas should be addressed and made part of the general training.

      As part of the initial training, the standards of conduct should be distributed to all employees. Every employee should be required to sign and date a statement that reflects the employee's knowledge of, and commitment to the standards of conduct. This attestation should be retained in the employee's personnel file. The standards of conduct should be updated and revised as appropriate. b. Specialized Training

      Because Medicare+Choice organizations are responsible for compliance in all of the risk areas mentioned in section II.A. above, the OIG recommends Medicare+Choice organizations require individuals who are involved in the risk areas to receive specialized training. For example, marketing employees should receive training on the marketing, enrollment, disenrollment and anti-kickback policies. All employees who work with beneficiaries or providers regarding medical services should receive appropriate training on the risks associated with underutilization. Those employees who are involved in developing enrollment, encounter and ACR data should receive training on

      [[Page 61905]]

      HCFA policies in these areas. Clarifying and emphasizing these areas of concern through training and educational programs are particularly relevant to a Medicare+Choice organization's marketing and financial personnel, in that the pressure to meet business goals may render these employees particularly vulnerable to engaging in prohibited practices.

      The OIG recommends Medicare+Choice organizations' compliance programs address the need for periodic professional education courses for relevant personnel. Such courses would be in addition to the internal training sessions provided by the organization. c. Format of the Training Program

      The OIG suggests all relevant levels of personnel be made part of various educational and training programs of the Medicare+Choice organization. Employees should be required to have a minimum number of educational hours per year, as appropriate, as part of their employment responsibilities. A variety of teaching methods, such as interactive training and training in several different languages (including the translation of standards of conducts and other materials), particularly where a Medicare+Choice organization has a culturally diverse staff, should be implemented so that all affected employees are knowledgeable about the institution's standards of conduct and procedures for alerting senior management to problems and concerns. In addition, the materials should be written at appropriate reading levels for targeted employees. All training materials should be designed to take into account the skills, knowledge and experience of the individual trainees. Post-training tests can be used to assess the success of training provided and employee comprehension of the Medicare+Choice organization's policies and procedures. 2. Informal and Ongoing Compliance Training

      It is essential that compliance issues remain at the forefront of the Medicare+Choice organization's priorities. The organization must demonstrate its commitment by continuing to disseminate the compliance message. One effective mechanism to achieve this goal is to publish a monthly compliance newsletter, or devote a section to compliance in a general weekly or monthly existing newsletter. This would allow the Medicare+Choice organization to address specific examples of problems the company encountered during its ongoing audits and risk analysis, while reinforcing the company's firm commitment to the general principles of compliance and ethical conduct. The newsletter could also include the risk areas identified in current OIG publications or investigations. Finally, the Medicare+Choice organization could use the newsletter as a mechanism to notify employees of significant legal or regulatory developments. The Medicare+Choice organization should maintain its newsletters in a central location to document the guidance offered and provide new employees with access to guidance previously provided. Other written materials, such as posters, fliers or articles in other company publications, could also be used to disseminate the compliance message.

      Another effective method of maintaining the presence of the compliance message is to maintain a website devoted to compliance issues. This could be linked to the homepage of the organization. Many organizations have chosen to maintain these sites internally on the Intranet to alleviate any confidentiality concerns. The Intranet (or Internet) also facilitates the use of hypertext links that allow the organization to maintain a centralized source on statutory, regulatory and other program guidance disseminated by HCFA, the OIG, the Department of Justice and the Congress. These links, along with any other webpages that the Medicare+Choice organization deems pertinent and useful can be assembled on a single site that can, by hypertext link, provide access to all of these useful resources.

    4. Developing Effective Lines of Communication

      An open line of communication between the compliance officer and Medicare+Choice organization personnel, as well as among the organization, health care providers and enrollees, is critical to the successful implementation of a compliance program and the reduction of any potential for fraud, abuse and waste. Each organization should have in place both a mechanism for the reporting of improper conduct, as well a mechanism for more routine types of communication among the compliance officer and relevant groups. 1. Hotline or Other System for Reports of Potential Misconduct

      Each Medicare+Choice organization should have in place a hotline or other mechanism \87\ through which employees, enrollees or other parties can report potential violations of the organization's compliance policies or of Federal or State health care program requirements. In any event, several independent reporting paths should be created for an employee to report fraud, waste or abuse so that such reports cannot be diverted by supervisors or other personnel. If the organization establishes a hotline, the telephone number should be made readily available to all employees, enrollees and independent contractors, by circulating the number on wallet cards or conspicuously posting the telephone number in common work areas.\88\

      \87\ The OIG recognizes that it may not be financially feasible for a small Medicare+Choice organization to maintain a telephone hotline dedicated to receiving calls solely on compliance issues. These companies may explore alternative methods, e.g., contracting with an independent source to provide hotline services or establishing a written method of confidential disclosure.

      \88\ Medicare+Choice organizations should also post in a prominent, available area the HHS-OIG Hotline telephone number, 1- 800-447-8477 (1-800-HHS-TIPS), in addition to any organization's hotline number that may be posted.

      Matters reported through the hotline or other communication sources that suggest violations of compliance policies, Federal and State health care program requirements, regulations or statutes should be documented and investigated promptly to determine their veracity and significance. A log should be maintained by the compliance officer or authorized designee that records such calls, including the nature of any investigation and its results.\89\ Such information should be included in reports to the governing body, the CEO and compliance committee.

      \89\ To efficiently and accurately fulfill such an obligation, the Medicare+Choice organization should create an intake form for all issues identified through reporting mechanisms. The form could include information concerning the date the potential problem was reported, the internal investigative methods utilized, the results of any investigation, any corrective action implemented, any disciplinary measures imposed and any overpayments and monies returned.

      Employees, enrollees and providers should be permitted to report matters on a confidential basis. To encourage such reporting, written confidentiality and non-retaliation policies should be developed. Employees, enrollees, providers and other contractors should be made aware of these policies to encourage communication and the reporting of incidents of potential fraud.\90\ While the Medicare+Choice

      [[Page 61906]]

      organization should always strive to maintain the confidentiality of the reporter's identity, the policies should explicitly communicate that there may be a point where the individual's identity may become known or may have to be revealed.

      \90\ The OIG believes that whistleblowers should be protected against retaliation, a concept embodied in the provisions of the False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees sue their employers under the False Claims Act's qui tam provisions out of frustration because of the company's failure to take action when a questionable, fraudulent or abusive situation was brought to the attention of senior corporate officials.

      The OIG recognizes that assertions of fraud and abuse by those who may have participated in illegal conduct or committed other malfeasance raise numerous complex legal and management issues that should be examined on a case-by-case basis. The compliance officer may wish to work closely with legal counsel to obtain guidance on these issues. 2. Routine Communication/Access to the Compliance Officer

      While it is crucial that Medicare+Choice organizations have effective systems in place for the reporting of suspected misconduct, it is equally important that the compliance officer foster more routine communication both among its employees and among its health care providers and enrollees.

      With respect to its own employees, the OIG encourages the establishment of procedures for personnel to seek clarification from the compliance officer or members of the compliance committee in the event of any confusion or question regarding a company policy, practice or procedure. Questions and responses should be documented and dated and, if appropriate, shared with other staff so that standards, policies, practices and procedures can be updated and improved to reflect any necessary changes or clarifications. The compliance officer may want to solicit employee input in developing these communication and reporting systems. The methods discussed above relating to ongoing training and education are an integral part of this communication.\91\

      \91\ In addition to methods of communication used by current employees, an effective employee exit interview program could be designed to solicit information from departing employees regarding potential misconduct and suspected violations of the Medicare+Choice organization's policy and procedures.

      The communication and coordination function of the compliance program serves an even more critical role in the context of the managed care environment because the managed care entity serves as an intermediary between the health care provider and the enrollee. In fact, the raison d'etre of a managed care organization is to coordinate the care of its enrollees. As with providers, communications with beneficiaries and communications with HCFA (and its designees) must demonstrate the highest level of integrity, honesty and judgment. The Medicare+Choice organization should implement methods to encourage communication among its enrollees and providers. For example, as appropriate, a Medicare+Choice organization should communicate the results of audits, disenrollment surveys, utilization data and quality of care determinations to its contracting suppliers and providers in order to facilitate open discussion regarding appropriate health care delivery.

    5. Auditing and Monitoring

      An ongoing evaluation process is critical to a successful compliance program.\92\ The OIG believes an effective program should incorporate thorough monitoring of its implementation and regular reporting to senior company officers. Compliance reports created by this ongoing monitoring, including reports of suspected noncompliance, should be maintained by the compliance officer and reviewed with the Medicare+Choice organization's senior management and the compliance committee. The extent and frequency of the audit function may vary depending on factors such as the size of the company, the resources available to the company, the company's prior history of noncompliance and the risk factors that are prevalent in a particular organization. However, all Medicare+Choice organizations have an obligation to establish an adequate audit function and meet all of HCFA's requirements.

      \92\ The OIG recognizes that Medicare+Choice organizations have a variety of ongoing monitoring processes and would most likely incorporate these existing processes, as appropriate, into their compliance program. We do not anticipate that the compliance monitoring function would exist entirely independently of the operational program.

      Although many monitoring techniques are available, one effective tool to promote and ensure compliance is the performance of regular, periodic compliance audits by internal or external auditors who have expertise in Federal and State health care statutes, regulations and Federal health care program requirements. The audits should focus on the Medicare+Choice organization's programs or divisions, including external relationships with third-party contractors, specifically those with substantive exposure to Government enforcement actions. The audits should cover the range of programmatic requirements of the Medicare+Choice program and comply with generally accepted protocols governing such audits. In particular, the audits should focus on the risk areas identified earlier in this document, especially the data and information that affect payments by Medicare. Finally, the Medicare+Choice organization should focus on any areas of specific concern identified within that organization and those that may have been identified by any outside agency, whether Federal or State.

      Monitoring techniques may include sampling protocols that permit the compliance officer to identify and review variations from an established baseline.\93\ Significant variations from the baseline should trigger a reasonable inquiry to determine the cause of the deviation. If the inquiry determines that the deviation occurred for legitimate, explainable reasons, the compliance officer or manager may want to limit any corrective action or take no action. If it is determined that the deviation was caused by improper procedures, misunderstanding of rules, including fraud and systemic problems, the Medicare+Choice organization should take prompt steps to correct the problem.\94\ Any overpayments discovered as a result of such deviations should be reported promptly to HCFA (or its designees), with appropriate documentation and a thorough explanation of the reason for the overpayment.\95\

      \93\ The OIG recommends that when a compliance program is established in a Medicare+Choice organization, the compliance officer, with the assistance of department managers, take a ``snapshot'' of the organization's operations from a compliance perspective. This assessment can be undertaken by outside consultants, law or accounting firms, or internal staff, with authoritative knowledge of health care compliance requirements. This ``snapshot,'' often used as part of bench marking analysis, becomes a baseline for the compliance officer and other managers to judge the Medicare+Choice organization's progress in reducing or eliminating potential areas of vulnerability. Medicare+Choice organizations should track statistical data on utilization review and quality data based on customer satisfaction and renewal data. This will facilitate identification of problem areas and elimination of potential areas of abusive or fraudulent conduct.

      \94\ Prompt steps to correct the problem include contacting the appropriate provider in situations where the provider's actions contributed to the problem.

      \95\ In addition, when appropriate, as referenced in section G, below, reports of fraud or systemic problems should also be made to the appropriate Government authority.

      An effective compliance program should also incorporate periodic (at a minimum, annual) reviews of whether the program's compliance elements have been satisfied, e.g., whether there has been appropriate dissemination of the program's standards, training, ongoing educational programs and

      [[Page 61907]]

      disciplinary actions.\96\ This process will verify actual conformance by all departments with the compliance program. Such reviews may support a determination that appropriate records have been created and maintained to document the implementation of an effective program.

      \96\ One way to assess the knowledge, awareness and perceptions of the Medicare+Choice organization's staff is through the use of a validated survey instrument (e.g., employee questionnaires, interviews or focus groups).

      The reviewers involved in any audits should:

      ‹bullet› Possess the qualifications and experience necessary to adequately identify potential issues with the subject matter to be reviewed;

      ‹bullet› Be independent of the specific functional area examined;

      ‹bullet› Have access to existing audit resources, relevant personnel and all relevant areas of operation;

      ‹bullet› Present written evaluative reports on compliance activities to the CEO, governing body members of the compliance committee on a regular basis, but not less than annually; and

      ‹bullet› Specifically identify areas where corrective actions are needed.

      In the Medicare+Choice context, a variety of different methods will be necessary to adequately monitor and evaluate the ongoing operations of the Medicare+Choice organization. In general, the OIG recommends the use of techniques such as on-site visits, questionnaires (for providers, enrollees and employees), and trend analyses, to name just several.\97\ Because the auditing and monitoring function is very different and much more complex in the managed care context than in any other segment of the health care industry, we have provided additional guidance on the methods to be used in evaluating selected risk areas.

      \97\ Medicare+Choice organizations may want to consult HCFA's Contractor Performance Monitoring System Manual to get additional ideas for monitoring methods. In addition, organizations may want to consult the OAS website for information on conducting audits, including information on statistical sampling (RAT-STATS). See note 10.

      1. Marketing/Enrollment/Diseenrollment

        Developing a system for evaluating the compliance of the marketing, enrollment and disenrollment functions of a Medicare+Choice organization requires innovative techniques. Each Medicare+Choice organization will have to develop an individualized method as to how to obtain this data. Some of the methods that the OIG suggests include: using secret shoppers; surveying \98\ current enrollees; \99\ and conducting exit interviews with former enrollees (particularly those that disenrolled just prior to obtaining an expensive service) on their experience with the Medicare+Choice marketing and enrollment process. Once this data is collected, it must be maintained in a format that can be accessed readily.

        \98\ Medicare+Choice organizations may be able to use response data from already existing surveys, such as from the Health of Seniors survey (HEDIS) and for certain organizations, the mandatory disenrollment surveys required under PIP.

        \99\ It should be noted, while this method may be less expensive, it may not provide unbiased data, particularly in the area of selective marketing. In fact, in the selective marketing area, the data may be skewed significantly in favor of the Medicare+Choice organization.

        In an effort to integrate the monitoring function with its training function, a Medicare+Choice organization may wish to test its marketing staff on their knowledge of the company's policies and procedures, as well as the Federal and State statutes that govern the marketing process. This assessment can be developed using many formats. Many companies have customized interactive software to test employees' knowledge of relevant policies and procedures. It may also be formulated in the traditional written version.

        Methods used to monitor marketing agents include the analysis of disenrollment data to identify marketing agents with high and low percentages of member disenrollments within a set number of days (e.g., 90 days). In addition, Medicare+Choice organizations may want to establish enrollment verification systems requiring that a different individual from the sales agent meet with beneficiaries who have applied for enrollment to ensure that they understand restrictions of the plan, such as the lock-in provision.

        Finally, it is essential for all marketing materials to be reviewed by an independent and competent reviewer, such as an individual in the general counsel's office, to ensure that they do not mislead, confuse or misrepresent any aspect of the plan. Similarly, a Medicare+Choice organization may want to consider having the materials examined by individuals familiar with the claims processing department and utilization review office for consistency with the policies, procedures and practices of these departments. 2. Underutilization and Quality of Care

        Procedures for tracking and reporting utilization review data are vital to the success of any compliance endeavor. Medicare+Choice organizations should periodically review the service areas that are part of the Medicare+Choice organization to ensure that enrollees are receiving adequate access to care. In reviewing service areas, Medicare+Choice organizations should collect data on a variety of topics, including the number of primary care physicians in the service area, the number and type of specialists in the service area, the waiting time for appointments, the telephone access to the Medicare+Choice organization, rates of denial of emergency services claims and the problems associated with the coordination of care. All of this data should be maintained in a database in a format that can be used to generate statistical data and analysis.

        Medicare+Choice organizations should ensure that there are adequate systems in place to monitor underutilization and inappropriate denials. Such procedures include collecting data on utilization patterns and detecting aberrant patterns. This data should be checked against utilization rates in the industry. This function could be performed by a medical affairs department that is responsible for regular review of claims, the payment system, encounter data and medical record review to assess the degree to which care is under (or over) utilized.

        Similarly, the Medicare+Choice organization should survey its enrollees on utilization patterns and whether they felt they were subjected to inadequate health care services, inappropriate denials, type of practitioner providing treatment and whether a beneficiary's request for another provider was denied or approved. Such survey results should be reviewed and investigated, when appropriate. Generally, these may be skewed in favor of the Medicare+Choice organization if the enrollees are current members. Presumably, if an enrollee was truly dissatisfied with the Medicare+Choice organization's attitude toward enrollee rights, the enrollee would have disenrolled from the plan. As a result, a Medicare+Choice organization should evaluate both current enrollee satisfaction surveys and exit interview surveys of former enrollees.

        Medicare+Choice organizations have a good source of information regarding utilization issues, simply by tracking the type of appeals and grievances they receive from beneficiaries. This information should be tracked in a database that can be easily accessed by type of grievance or appeal and results.

        [[Page 61908]]

      2. Data Collection and Submission Processes

        Given the importance of the enrollment, encounter and ACR data, the Medicare+Choice organization should develop ways to audit this information to assure its accuracy, completeness and truthfulness, on best knowledge, information and belief. As indicated earlier, such methods would ordinarily include sample audits and spot checks of the system. These activities should be facilitated by the fact that HCFA requires Medicare+Choice organizations to detail in their contractual relationships with providers the access that they will need to the provider's medical record documentation. 4. Anti-Kickback and Other Inducements

        Medicare+Choice organizations should periodically review their contractual documents and discussions with providers to ensure that ``swapping'' is not occurring. In addition, contracts with marketing personnel should be reviewed by legal counsel to be sure they do not violate the anti-kickback statute and other applicable statutes and regulations.

    6. Enforcing Standards Through Well-Publicized Disciplinary Guidelines and Policies Regarding Dealings With Ineligible Persons

      The OIG recommends that all Medicare +Choice organizations' compliance programs include several key policies in the area of personnel/human resources. The first deals with the establishment, and consistent application of, appropriate disciplinary policies to deal with improper conduct and the second deals with the employment of certain ineligible individuals. 1. Consistent Enforcement of Disciplinary Policies

      An effective compliance program should include guidance regarding disciplinary action for all employees who have failed to comply with the Medicare+Choice organization's standards of conduct, policies and procedures, Federal health care program requirements, or Federal and State laws, or those who have otherwise engaged in wrongdoing. It is vital to publish and disseminate the range of possible disciplinary actions for improper conduct and to educate officers and other staff regarding these standards. Employees should be advised that disciplinary action may be appropriate where a responsible employee's failure to detect a violation is attributable to his or her negligence or reckless conduct. The sanctions could range from oral warnings to suspension, termination or other sanctions, as appropriate. While each situation must be considered on a case-by-case basis to determine the appropriate sanction, intentional or reckless noncompliance should subject transgressors to significant sanctions.

      The written standards of conduct should elaborate on the procedures for handling disciplinary problems and identify who will be responsible for taking appropriate action. For example, while disciplinary actions can be handled by department managers, others may have to be resolved by a more senior official of the organization. Personnel should be advised by the organization that disciplinary action will be taken on a fair and equitable basis, that is, all levels of employees should be subject to similar disciplinary action for the commission of similar offenses. Managers and supervisors should be held accountable to implement the disciplinary policy consistently so that the policy will have the required deterrent effect. 2. Employment of, and Contracting With, Ineligible Persons

      All Medicare+Choice organizations should use care when delegating substantial discretionary authority to make decisions that may involve compliance with the law or compliance oversight. In particular, the organization should ensure that it does not delegate such responsibilities to individuals or entities that it knows, or should have known, have a propensity to engage in inappropriate or improper conduct. Pursuant to the compliance program, a Medicare+Choice organization's policies should prohibit the hiring of, or entering into, contracts with individuals or entities who have been recently convicted of a criminal offense related to health care or who are listed as debarred, excluded or otherwise ineligible for participation in Federal health care programs.\100\ The policies should require the Medicare+Choice organization to utilize Government resources to determine whether such individuals or entities are debarred or excluded. These resources should be used for both potential employees (as part of the employment application process, which should also include a reasonable and prudent background investigation), and should be used to periodically check existing employees and contractors.

      \100\ Prospective employees who have been officially reinstated into the Medicare and Medicaid programs by the OIG may be considered for employment upon proof of such reinstatement.

      Lists of debarred and excluded individuals and entities are currently maintained by both the OIG and the General Services Administration.\101\ By approximately January 2000, the Healthcare Integrity Protection Data Bank (HIPDB) will be available to Medicare+Choice organizations (for a nominal fee) to use in conducting these checks on employees and contractors.\102\ The HIPDB is an electronic data collection program that will collect, store and disseminate reports on practitioners, providers and suppliers that have been the subject of health care related final adverse actions in criminal, civil and administrative proceedings. The final adverse actions to be reported to the HIPDB include criminal convictions or civil judgments related to the delivery of health care, actions by Federal or State agencies responsible for licensing or certification of health care providers, suppliers and practitioners, exclusions from Federal or State health care programs, and certain final adverse actions taken by health plans.\103\ Pending the resolution of any known criminal charges or proposed debarment or exclusion, the OIG recommends that such individuals should be removed from direct responsibility for, or involvement in, any Federal health care program. If labor agreements make such removal legally impermissible, the OIG recommends that the individual be closely supervised in all aspects of his or her duties that relate to Federal health care programs. If the resolution of the matter results in conviction, debarment or exclusion of a current employee or contractor, then the Medicare+Choice organization must not continue to employ or contract with such individual for the provision of health care, utilization review, medical social work or administrative services.\104\

      \101\ OIG's List of Excluded Individuals/Entities is available on the Internet at http://www.hhs.gov/oig/ and the GSA list of debarred contractors is available on the Internet at http:// www.arnet.gov/epls.

      \102\ 42 U.S.C. 1320a-7e.

      \103\ Note that agencies and health plans are required by HIPAA to report to the HIPDB. Failure by a health plan to make the mandated reports to the HIPDB may result in CMPs being assessed against the health plan, pursuant to 42 U.S.C. 1320a-7e(b)(6).

      \104\ 42 CFR 422.752(a)(8).

    7. Responding to Detected Offenses, Developing Corrective Action Initiatives, and Reporting to Government Authorities

      Violations of the Medicare+Choice organization's compliance program, failures to comply with applicable

      [[Page 61909]]

      Federal or State law, rules and program instructions and other types of misconduct may threaten a Medicare+Choice organization's status as a reliable, honest and trustworthy company. Detected but uncorrected misconduct can seriously endanger the mission, reputation and legal status of the organization. Consequently, it is important that the chief compliance officer or other management officials promptly investigate and take appropriate action with respect to any reports or reasonable indications of suspected noncompliance.\105\

      \105\ Instances of non-compliance must be determined on a case- by-case basis. The existence, or amount, of a monetary loss to a health care program is not solely determinative of whether or not the conduct should be investigated and reported to governmental authorities. In fact, there may be instances where there is no readily identifiable monetary loss at all, but corrective action and reporting are still necessary to protect the integrity of the applicable program and its beneficiaries.

      Pending issuance of final HCFA regulations \106\ regarding the obligations of a Medicare+Choice organizations to report misconduct, the OIG recommends that the following procedures be followed when a Medicare+Choice organization discovers from any source evidence of misconduct related to payment or delivery of health care items or services under the Medicare+Choice contract. First, the Medicare+Choice organization should conduct a timely, reasonable inquiry into the misconduct. Second, if after reasonable inquiry, the organization has determined that the misconduct may violate criminal, civil or administrative law, it should report the existence of the misconduct promptly to the appropriate Government authority \107\ within a reasonable period, but not more than 60 days \108\ after a determination that a violation may have occurred.\109\ When reporting potential violations to the Government, a Medicare+Choice organization should provide all evidence relevant to the potential violation, including the impact of the potential violation on beneficiaries and any potential cost impact. Finally, the Medicare+Choice organization should initiate and implement appropriate corrective actions, e.g., repayment of overpayments, disciplinary actions and modifications of procedures to ensure the problem does not recur.

      \106\ 42 CFR 422.501(b)(vi).

      \107\ For example, if the potential violation relates to federal criminal law, the Civil False Claims Act, the civil money penalty authorities (primarily under sections 1128A and 1857 of the Social Security Act) and related statutes administered by the HHS/OIG, the report must be made to that office.

      \108\ While the OIG recommends reporting in 60 days, the organization must report within 30 days in order to attempt to obtain favorable treatment under the Civil False Claims Act. See note 6. In addition, reporting such conduct may be considered a mitigating factor by the OIG in determining administrative sanctions (e.g., penalties, assessments and exclusion), if the reporting company becomes the subject of an OIG investigation. See 62 FR 67392 (12/24/97).

      \109\ The OIG believes that some potential violations may be so serious that they warrant immediate notification to Government authorities, prior to, or simultaneous with, commencing an internal inquiry. Examples of such situations include instances when the misconduct: (1) Is a clear violation of civil fraud or criminal law; (2) has a significant adverse effect on the quality of care provided to program beneficiaries (in addition to any other legal obligations regarding quality of care); or (3) indicates evidence of a systemic failure to comply with applicable laws or an existing corporate integrity agreement, regardless of the financial impact on Federal health care programs.

      Failure to notify HCFA of an overpayment within a reasonable period of time could be interpreted as an intentional attempt to conceal the overpayment from the Government, thereby establishing an independent basis for a criminal violation with respect to the Medicare+Choice organization, as well as any individuals who may have been involved.\110\ For this reason, Medicare+Choice compliance programs should ensure that overpayments are identified quickly and promptly return overpayments obtained from Medicare or other Federal health care programs.

      \110\ 42 U.S.C. 1320a-7b(a)(3).

      The OIG recommends that Medicare+Choice organizations consider the following guidance as they structure internal inquiries. Depending upon the nature of the alleged violations, an internal inquiry will probably include interviews and a review of relevant documents. Medicare+Choice organizations should consider engaging outside counsel, auditors or health care experts to assist in an inquiry. Records of the inquiry should contain documentation of the alleged violation, a description of the process (including the objectivity of the investigators and methodologies utilized), copies of interview notes and key documents, a log of the witnesses interviewed and the documents reviewed, and the results of the investigation, e.g., any disciplinary action taken and any corrective action implemented. Although any action taken as the result of an inquiry will necessarily vary depending upon the Medicare+Choice organization and the situation, Medicare+Choice organizations should strive for some consistency by utilizing sound practices and disciplinary protocols. Further, after a reasonable period, the compliance officer should review the circumstances that formed the basis for the inquiry to determine whether similar problems have been uncovered or modifications of the compliance program are necessary to prevent and detect other inappropriate conduct or violations.

      If an inquiry of an alleged violation is undertaken and the compliance officer believes the integrity of the inquiry may be at stake because of the presence of employees under investigation, those subjects should be removed from their current work activity until the inquiry is completed (unless an internal or Government-led undercover operation known to the Medicare+Choice organization is in effect). In addition, the compliance officer should take appropriate steps to secure or prevent the destruction of documents or other evidence relevant to the inquiry. If the Medicare+Choice organization determines disciplinary action is warranted, it should be prompt and imposed in accordance with the organization's written standards of disciplinary action.

  3. Conclusion

    Through this document, the OIG has attempted to provide a foundation for the development of effective and comprehensive Medicare+Choice compliance programs. These principles can also be used by entities to develop compliance programs applicable to other Federal and health care programs, as well as for their private lines of business. As previously stated, however, each program must be tailored to fit the needs and resources of an individual organization, depending upon its particular corporate structure, mission and employee composition. The statutes, regulations and guidelines of the Federal and State health insurance programs, as well as the policies and procedures of the private health plans, should be integrated into every Medicare+Choice organization's compliance program.

    The OIG recognizes that the health care industry, which reaches millions of beneficiaries and expends about a trillion dollars annually, is constantly evolving. In no area of the industry is this more evident than in the growing area of managed care, particularly Medicare managed care. As a result, the time is right for Medicare+Choice organizations to implement strong, voluntary compliance programs. Compliance is a dynamic process that helps to ensure Medicare+Choice organizations are better able to fulfill their commitment to ethical behavior and to meet the changes and challenges being imposed upon them by the Congress and private insurers. It is

    [[Page 61910]]

    OIG's hope that voluntarily created compliance programs will enable Medicare+Choice organizations to meet their goal of providing efficient and quality health care and, at the same time, substantially reducing fraud, waste and abuse.

    Dated: November 5, 1999. June Gibbs Brown, Inspector General.

    [FR Doc. 99-29632Filed11-12-99; 8:45 am]

    BILLING CODE 4150-04-P

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT