Reports and guidance documents; availability, etc.: Durable medical equipment, prosthetics, orthotics, and supply industry; compliance program guidance

[Federal Register: July 6, 1999 (Volume 64, Number 128)]

[Notices]

[Page 36368-36389]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr06jy99-89]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of Inspector General

Publication of OIG Compliance Program Guidance for the Durable Medical Equipment, Prosthetics, Orthotics and Supply Industry

AGENCY: Office of Inspector General (OIG), HHS.

ACTION: Notice.

SUMMARY: This Federal Register notice sets forth the recently issued Compliance Program Guidance for the Durable Medical Equipment, Prosthetics, Orthotics and Supply Industry that has been developed by the Office of Inspector General in cooperation with, and with input from, the Health Care Financing Administration (HCFA), the Department of Justice (DOJ) and representatives of various trade associations and health care practice groups. The OIG has previously developed and published compliance program guidance focusing on hospitals, clinical laboratories, home health agencies, and third-party medical billing companies. We believe that the development and issuance of this compliance guidance will serve as a positive step towards promoting a higher level of ethical and lawful conduct throughout the entire health care industry.

FOR FURTHER INFORMATION CONTACT: Christine Pullifrone, Office of Counsel to the Inspector General, (202) 619-2078.

SUPPLEMENTARY INFORMATION:

Background

The creation of compliance program guidances has been an important undertaking by the OIG in its effort to engage the health care community in combating fraud and abuse. In formulating this compliance guidance, the OIG has worked closely with HCFA, and has received input from interested parties and industry trade associations. The 4 previously-issued compliance program guidances focused on the hospital industry, home health agencies, clinical laboratories and third-party medical billing companies. The development of these types of compliance program guidances is based on our belief that a health care provider can efficiently use internal controls to monitor adherence to applicable statutes, regulations and program requirements.

Guidance for the DMEPOS Industry

On August 7, 1998, the OIG published a solicitation notice (63 FR 42409) seeking information and recommendations for developing guidance for the durable medical equipment, prosthetics, orthotics and supply (DMEPOS) industry. In response to that solicitation notice, the OIG received numerous comments from various parts of the industry and from their representatives. We carefully considered those comments, as well as consulted with DOJ, HCFA and the durable medical equipment regional carriers in developing a draft compliance program guidance for the DMEPOS industry. In an effort to ensure that all parties had a reasonable opportunity to provide input into a final product, the draft guidance for the DMEPOS industry was published in the Federal Register on January 28, 1999 (64 FR 4436) for further comment and recommendations.

Elements for an Effective Compliance Program

Through experience, the OIG has identified 7 fundamental elements applicable to an effective compliance program. They are:

• Implementing written policies, procedures and standards of conduct;

• Designating a compliance officer and compliance committee;

• Conducting effective training and education;

• Developing effective lines of communication;

• Enforcing standards through well-publicized disciplinary guidelines;

• Conducting internal monitoring and auditing; and

• Responding promptly to detected offenses and developing corrective action.

Using these 7 elements, the OIG has identified specific areas of DMEPOS industry operations that may prove to be vulnerable to fraud and abuse. Like previously-issued OIG compliance guidance, adoption of the Compliance Program Guidance for the Durable Medical Equipment, Prosthetics, Orthotics and Supply Industry set forth below will be strictly voluntary.

A reprint of the newly-issued compliance program guidance follows:

Office of Inspector General's Compliance Program Guidance for the Durable Medical Equipment, Prosthetics, Orthotics and Supply Industry (June 1999)

  1. Introduction

    The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) continues in its efforts to promote voluntarily developed and implemented compliance programs for the health care industry. The following compliance program guidance is intended to assist suppliers \1\ of durable medical equipment,\2\ prosthetics,\3\ orthotics,\4\ and supplies \5\ (DMEPOS) and their agents and subcontractors (referred to collectively in this document as DMEPOS suppliers) develop effective internal controls that promote adherence to applicable Federal and State law, and the program requirements of Federal, State and private health plans.\6\ The adoption and implementation of voluntary compliance programs significantly advance the prevention of fraud, abuse, and waste in these health care plans while at the same time further the fundamental mission of all DMEPOS suppliers, which is to provide quality items, service, and care to patients.

    \1\ The term ``supplier'' is defined in this document as an entity or individual, including a physician or Part A provider, that sells or rents Part B covered DMEPOS items and meets the Medicare supplier standards. See 42 CFR 424.57(a).

    \2\ The term ``durable medical equipment'' is applied in this document as defined in 42 U.S.C. 1395x(n).

    \3\ The term ``prosthetics'' and ``prosthetic devices'' are applied in this document as defined in 42 U.S.C. 1395x(s)(9) and (s)(8), respectively.

    \4\ The term ``orthotics'' is applied in this document as defined in 42 U.S.C. 1395x(s)(9).

    \5\ The term ``supplies'' includes home dialysis supplies and equipment as described in 42 U.S.C. 1395x(s)(2)(f); surgical dressings and other devices as described in 42 U.S.C. 1395x(s)(5); immunosuppressive drugs as described in 42 U.S.C. 1395x(s)(2)(J); and any other items or services designated by the Health Care Financing Administration (HCFA).

    \6\ The OIG recognizes that not every supplier provides durable medical equipment, prosthetics, orthotics and supplies. However, a compliance program incorporating the elements in this guidance can be used by all suppliers regardless of the items/services they provide.

    Within this document, the OIG first provides its general views on the value and fundamental principles of DMEPOS suppliers' compliance programs, and then provides the specific elements that each DMEPOS supplier should consider when developing and implementing an effective compliance program. While this document presents basic procedural and structural guidance for designing a compliance program, it is not in itself a compliance program. Rather, it is a set of guidelines to be considered by a DMEPOS supplier interested in implementing a compliance program.

    The OIG recognizes the size-differential that exists between operations of the different DMEPOS suppliers and organizations that compose the DMEPOS industry. Appropriately, this guidance is pertinent for all DMEPOS suppliers, regardless of size (in terms of employees and gross revenue); number of locations; type of equipment provided; or corporate structure. The applicability of the recommendations and guidelines provided in this document depends on the circumstances of each individual DMEPOS supplier. However, regardless of a DMEPOS supplier's size or structure, the OIG believes that every DMEPOS supplier can and should strive to accomplish the objectives and principles underlying all of the compliance policies and procedures recommended within this guidance.

    Fundamentally, compliance efforts are designed to establish a culture within a DMEPOS supplier that promotes prevention, detection, and resolution of instances of conduct that do not conform to Federal and State law, and Federal, State and private payor health care program requirements, as well as the DMEPOS supplier's ethical and business policies. In practice, the compliance program should effectively articulate and demonstrate the DMEPOS supplier's commitment to ethical conduct. Benchmarks that demonstrate implementation and achievements are essential to any effective compliance program. Eventually, a compliance program should become part of the fabric of routine DMEPOS supplier operations.

    Specifically, compliance programs guide a DMEPOS supplier's owner(s), governing body (e.g., board of directors or trustees), chief executive officer (CEO), president, vice president(s), managers, sales representatives, billing personnel, and other employees in the efficient management and operation of a DMEPOS supplier. They are especially critical as an internal quality assurance control in the reimbursement and payment areas, where claims and billing operations are often the source of fraud and abuse, and therefore, historically have been the focus of Government regulation, scrutiny, prosecution and sanctions.

    It is incumbent upon a DMEPOS supplier's owner(s), corporate officers, and managers to provide ethical leadership to the organization and to assure that adequate systems are in place to facilitate ethical and legal conduct. Employees, managers, and the Government will focus on the words and actions of a DMEPOS supplier's leadership as a measure of the organization's commitment to compliance. Indeed, many DMEPOS suppliers have adopted mission statements articulating their commitment to high ethical standards. A formal compliance program, as an additional element in this process, offers a DMEPOS supplier a further concrete method that may improve quality of service and reduce waste. Compliance programs also provide a central coordinating mechanism for furnishing and disseminating information and guidance on applicable Federal and State statutes, regulations, and Federal, State and private health care program requirements.

    Implementing an effective compliance program requires a substantial commitment of time, energy, and resources by senior management and the DMEPOS supplier's governing body.\7\ Superficial programs that simply have the appearance of compliance without being wholeheartedly adopted and implemented by the DMEPOS supplier or programs that are hastily constructed and implemented without appropriate ongoing monitoring will likely be ineffective and could expose the DMEPOS supplier to greater liability than no program at all. Although it may require significant additional resources or reallocation of existing resources to implement an effective compliance program, the long term benefits of implementing the program significantly outweigh the costs. Undertaking a voluntary compliance program is a beneficial investment that advances both the DMEPOS supplier's organization and the stability and solvency of the Medicare program.

    \7\ Recent case law suggests that the failure of a corporate Director to attempt in good faith to institute a compliance program in certain situations may be a breach of a Director's fiduciary obligation. See, e.g., In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Ct. Chanc. Del. 1996).

    1. Benefits of a Compliance Program

      The OIG believes an effective compliance program provides a mechanism that brings the public and private sectors together to reach mutual goals of reducing fraud and abuse, improving operational quality, improving the quality of health care services and reducing the cost of health care. Attaining these goals provides positive results to the DMEPOS supplier, the Government and individual citizens alike. In addition to fulfilling its legal duty to ensure that it is not submitting false or inaccurate claims to Government and private payors, a DMEPOS supplier may gain numerous additional benefits by voluntarily implementing an effective compliance program. These benefits may include:

      • The formulation of effective internal controls to assure compliance with Federal and State statutes, rules, and regulations, and Federal, State and private payor health care program requirements, and internal guidelines;

      • A concrete demonstration to employees and the community at large of the DMEPOS supplier's strong commitment to honest and responsible corporate conduct;

      • The ability to obtain an accurate assessment of employee and contractor behavior relating to fraud and abuse;

      • An increased likelihood of identification and prevention of criminal and unethical conduct;

      • The ability to more quickly and accurately react to employees' operational compliance concerns and the capability to effectively target resources to address those concerns;

      • Improvement of the quality, efficiency, and consistency of providing services;

      • Increased efficiency on the part of employees;

      • A centralized source for distributing information on health care statutes, regulations, policies, and other program directives regarding fraud and abuse and related issues;

      • Improved internal communication;

      • A methodology that encourages employees to report potential problems;

      • Procedures that allow the prompt, thorough investigation of alleged misconduct by corporate officers, managers, sales representatives, employees, independent contractors, consultants, clinicians and other health care professionals;

      • Initiation of immediate, appropriate, and decisive corrective action;

      • Early detection and reporting, minimizing the loss to the Government from false claims, and thereby reducing the DMEPOS supplier's exposure to civil damages and penalties, criminal sanctions, and administrative remedies, such as program exclusion; \8\ and

      \8\ The OIG, for example, will consider the existence of an effective compliance program that pre-dated any governmental investigation when addressing the appropriateness of administrative sanctions. However, the burden is on the DMEPOS supplier to demonstrate the operational effectiveness of a compliance program. Further, the False Claims Act, 31 U.S.C. 3729-3733, provides that a person who has violated the Act, but who voluntarily discloses the violation to the Government within 30 days of detection, in certain circumstances will be subject to not less than double, as opposed to treble, damages. See 31 U.S.C. 3729(a). Thus, the ability to react quickly when violations of the law are discovered may materially help reduce a DMEPOS supplier's liability.

      • Enhancement of the structure of the DMEPOS supplier's operations and the consistency between: any related entities of the DMEPOS supplier; different departments within the DMEPOS supplier; the DMEPOS supplier's different locations; and the DMEPOS supplier's separate business units (e.g., franchises, subsidiaries).

      Overall, the OIG believes that an effective compliance program is a sound investment on the part of a DMEPOS supplier.

      The OIG recognizes that the implementation of a compliance program may not entirely eliminate fraud, abuse, and waste from the DMEPOS supplier's system. However, a sincere effort by the DMEPOS supplier to comply with applicable Federal and State statutes, rules, and regulations and Federal, State and private payor health care program requirements, through the establishment of an effective compliance program, significantly reduces the risk of unlawful or improper conduct.

    2. Application of Compliance Program Guidance

      Given the diversity within the industry, there is no single ``best'' DMEPOS supplier compliance program.\9\ The OIG understands the variances and complexities within the DMEPOS supplier industry and is sensitive to the differences among large national and regional DMEPOS supplier organizations, and small independent DMEPOS suppliers. However, elements of this guidance can be used by all DMEPOS suppliers, regardless of size (in terms of employees and gross revenue); number of locations; type of equipment provided; or corporate structure, to establish an effective compliance program. Similarly, a DMEPOS supplier or corporation that owns a DMEPOS supplier or provides DMEPOS supplies may incorporate these elements into its system-wide compliance or managerial structure. We recognize that some DMEPOS suppliers may not be able to adopt certain elements to the same comprehensive degree that others with more extensive resources may achieve. This guidance represents the OIG's suggestions on how a DMEPOS supplier, regardless of size, can best establish internal controls and monitor its conduct to correct and prevent fraudulent activities. By no means should the contents of this guidance be viewed as an exclusive discussion of the advisable elements of a compliance program. On the contrary, the OIG strongly encourages DMEPOS suppliers to develop and implement compliance elements that uniquely address the individual DMEPOS supplier's risk areas.

      \9\ This is particularly true in the context of DMEPOS suppliers, which include many small independent DMEPOS suppliers with limited financial resources, staff, and product lines as well as large DMEPOS supplier chains with extensive financial resources, staff, and product lines.

      The OIG believes that input and support by individuals and organizations that will utilize the tools set forth in this document is critical to the development and success of this compliance program guidance. In a continuing effort to collaborate closely with the private sector, the OIG placed a notice in the Federal Register soliciting recommendations and suggestions on what should be included in this Compliance Program Guidance.\10\ Further, the OIG published the draft Compliance Program Guidance for the DME, Prosthetics, Orthotics, and Supply Industry in the Federal Register for public comment.\11\ In addition, we considered previous OIG publications, such as Special Fraud Alerts, Advisory Opinions,\12\ the findings and recommendations in reports issued by OIG's Office of Audit Services and Office of Evaluation and Inspections, as well as the experience of past and recent fraud investigations related to DMEPOS suppliers conducted by OIG's Office of Investigations and the Department of Justice.

      \10\ See 63 FR 42409 (August 7, 1998), Notice for Solicitation of Information and Recommendations for Developing OIG Compliance Program Guidance for the Durable Medical Equipment Industry.

      \11\ See 64 FR 4435 (January 28, 1999): Draft Compliance Program Guidance for the DME, Prosthetics, Orthotics, and Supply Industry.

      \12\ The OIG periodically issues Advisory Opinions responding to specific inquiries from members of the public and Special Fraud Alerts setting forth activities that raise legal and enforcement issues. Special Fraud Alerts and Advisory Opinions, as well as the regulations governing the issuance of Advisory Opinions, can be obtained on the Internet at http://www.dhhs.gov/progorg/oig, in the Federal Register, or by contacting the OIG's Public Information Desk at 202-619-1142.

      As appropriate, this guidance may be modified and expanded as more information and knowledge is obtained by the OIG, and as changes in the statutes, rules, regulations, policies, and procedures of Federal, State, and private health plans occur. The OIG understands DMEPOS suppliers will need adequate time to react to these modifications and expansions and to make any necessary changes to their voluntary compliance programs. New compliance practices may eventually be incorporated into this guidance if the OIG discovers significant enhancements to better ensure an effective compliance program.

      The OIG recognizes that the development and implementation of compliance programs in DMEPOS suppliers often raise sensitive and complex legal and managerial issues.\13\ However, the OIG wishes to offer what it believes is critical guidance for providers who are sincerely attempting to comply with the relevant health care statutes and regulations.

      \13\ Nothing stated within this document should be substituted for, or used in lieu of, competent legal advice from counsel.

      At the end of each section, where applicable, the OIG has included ideas to help aid the small DMEPOS supplier in implementing the principles espoused in this guidance. There is no all inclusive definition of a small DMEPOS supplier. However, as previously mentioned, each DMEPOS supplier should tailor its compliance program according to its resources.

  2. Compliance Program Elements

    The elements proposed by these guidelines are similar to those of the other OIG Compliance Program Guidances \14\ and the OIG's corporate integrity agreements.\15\ The OIG believes that every DMEPOS supplier can benefit from the principles espoused in this guidance, which can be tailored to fit the needs and financial realities of a particular DMEPOS supplier.

    \14\ See 63 FR 70138 (December 18, 1998) for the Compliance Program Guidance for Third Party Medical Billing Companies; 63 FR 42410 (August 7, 1998) for the Compliance Program Guidance for Home Health Agencies; 63 FR 45076 (August 24, 1998) for the Compliance Program Guidance for Clinical Laboratories, as revised; 63 FR 8987 (February 23, 1998) for the Compliance Program Guidance for Hospitals. These documents are also located on the Internet at http://www.dhhs.gov/progorg/oig.

    \15\ Corporate integrity agreements are executed as part of a civil settlement between a health care provider and the Government to resolve a case based on allegations of health care fraud or abuse. These OIG-imposed programs are in effect for a period of three to five years and require many of the elements included in this compliance program guidance.

    The OIG believes that every effective compliance program must begin with a formal commitment \16\ by the DMEPOS supplier's governing body to include all of the applicable elements listed below, which are based on the seven steps of the Federal Sentencing Guidelines.\17\ The OIG recognizes full implementation of all elements may not be immediately feasible for all DMEPOS suppliers. However, as a first step, a good faith and meaningful commitment on the part of the DMEPOS supplier, especially the owner(s), governing body, president, vice president(s), CEO, and managing employees, will substantially contribute to the program's successful implementation. As the compliance program is implemented, that commitment should cascade down through the management to every employee of the DMEPOS supplier.

    \16\ A formal commitment may include a resolution by the board of directors, owner(s) or president, where applicable. A formal commitment should include the allocation of adequate resources to ensure that each of the elements is addressed.

    \17\ See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, Application Note 3(k). The Federal Sentencing Guidelines are detailed policies and practices for the Federal criminal justice system that prescribe the appropriate sanctions for offenders convicted of Federal crimes.

    At a minimum, comprehensive compliance programs should include the following seven elements:

    (1) The development and distribution of written standards of conduct, as well as written policies and procedures that promote the DMEPOS supplier's commitment to compliance (e.g., by including adherence to the compliance program as an element in evaluating managers and employees) and address specific areas of potential fraud, such as the claims development and submission process, completing certificates of medical necessity (CMNs), and financial relationships with physicians and/or other persons authorized \18\ to order DMEPOS;

    \18\ In some instances, persons other than the treating physician (e.g., nurse practitioner, physician assistant, clinical nurse specialist) may be authorized to order DMEPOS for Medicare beneficiaries if permitted under State law and in accordance with HCFA policies. A DMEPOS supplier should be aware of any persons, other than the treating physician, who are authorized to order DMEPOS.

    (2) The designation of a compliance officer and other appropriate bodies, (e.g., a corporate compliance committee), charged with the responsibility for operating and monitoring the compliance program, and who report directly to the CEO and the governing body; \19\

    \19\ The integral functions of the compliance officer and the corporate compliance committee in implementing an effective compliance program are discussed throughout this compliance program guidance. However, the OIG recognizes that the differences in the sizes and structures of DMEPOS suppliers will result in differences in the ways in which compliance programs are set up. It is important that a DMEPOS supplier structures its compliance program in such a way that the program facilitates implementation of the key functions of the corporate compliance officer and the corporate compliance committee discussed within this document. See section II.B and accompanying notes.

    (3) The development and implementation of regular, effective education and training for all affected employees; \20\

    \20\ Education and training programs for DMEPOS suppliers should be detailed and comprehensive. They should cover specific billing procedures, sales and marketing practices, as well as the general areas of compliance. See section II.C and accompanying notes.

    (4) The development of effective lines of communication between the compliance officer and all employees, including a process, such as a hotline or other reporting system, to receive complaints, and the adoption of procedures to protect the anonymity of complainants and to protect callers from retaliation;

    (5) The use of audits and/or other risk evaluation techniques to monitor compliance, identify problem areas, and assist in the reduction of identified problem areas; \21\

    \21\ For example, spot-checking the work of coding and billing personnel periodically and conducting periodic post-payment claim review should be elements of an effective compliance program. See section II.E and accompanying notes.

    (6) The development of appropriate disciplinary mechanisms to enforce standards and the development of policies addressing (i) employees who have violated internal compliance policies, applicable statutes, regulations, or Federal, State or private payor health care program requirements and (ii) the employment of sanctioned and other specified individuals; \22\ and

    \22\ The term ``Federal health care program'' is applied in this document as defined in 42 U.S.C. 1320a-7b(f), and includes any plan or program that provides health benefits, whether directly, through insurance, or otherwise, which is funded directly in whole or in part, by the United States Government (i.e., via programs such as Medicare, Federal Employees' Compensation Act, Black Lung, or the Longshore and Harbor Worker's Compensation Act) or any State health plan (e.g., Medicaid, or a program receiving funds from block grants for social services or child health services). Also, for the purpose of this document, the term ``Federal health care program requirements'' refers to the statutes, regulations, rules requirements, directives, and instructions governing Medicare, Medicaid, and all other Federal health care programs.

    (7) The development of policies to respond to detected offenses and to initiate corrective action to prevent similar offenses.

    1. Written Policies and Procedures

      Every compliance program should require the development and distribution of written compliance policies, standards, and practices that identify specific areas of risk and vulnerability to the individual DMEPOS supplier. These policies, standards, and practices should be developed under the direction and supervision of the compliance officer and the compliance committee (if such a committee is practicable for the DMEPOS supplier) and, at a minimum, should be provided to all individuals who are affected by the particular policy at issue, including the DMEPOS supplier's agents and independent contractors who may affect billing decisions.\23\

      \23\ According to the Federal Sentencing Guidelines, an organization must have established compliance standards and procedures to be followed by its employees and other agents in order to receive sentencing credit for an ``effective'' compliance program. The Federal Sentencing Guidelines define ``agent'' as ``any individual, including a director, an officer, an employee, or an independent contractor, authorized to act on behalf of the organization.'' See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, Application Note 3(d).

      In addition to these general policies, it may be necessary to implement individual policies for the different components of the DMEPOS supplier.

      1. Standards of Conduct

      The OIG recommends that the DMEPOS supplier develop standards of conduct for all affected employees that include a clearly delineated commitment to compliance by the DMEPOS supplier's senior management, \24\ including any related entities or affiliated providers operating under the DMEPOS supplier's control, \25\ and other health care professionals (e.g., nurses, licensed pharmacists, physicians, and respiratory therapists). The standards of conduct should function in the same fashion as a constitution, i.e., as a foundational document that details the fundamental principles, values, and framework for action within the DMEPOS supplier. The standards should articulate the DMEPOS supplier's commitment to comply with all Federal and State statutes, rules, regulations and Federal, State and private payor health care program requirements, with an emphasis on preventing fraud and abuse. They should explicitly state the organization's mission, goals, and ethical principles relative to compliance and clearly define the DMEPOS supplier's commitment to compliance and its expectations for all DMEPOS supplier owners, governing body members, presidents, vice presidents, corporate officers, managers, sales representatives, employees, and, where appropriate, independent contractors and other agents. These standards should promote integrity, support objectivity, and foster trust. Standards should not only address compliance with statutes and regulations, but should also set forth broad principles that guide employees in conducting business professionally and properly.

      \24\ The OIG strongly encourages high-level involvement by a DMEPOS supplier's owner(s), governing body, CEO, president, vice president(s), as well as other personnel, as appropriate, in the development of the standards of conduct. Such involvement should help communicate a strong and explicit organizational commitment to compliance goals and standards.

      \25\ E.g., pharmacies, billing services, and manufacturers.

      The standards should be distributed to, and comprehensible by, all affected employees (e.g., translated into other languages when necessary and written at appropriate reading levels). Further, to assist in ensuring that employees continuously meet the expected high standards set forth in the standards of conduct, any employee handbook delineating or expanding upon these standards should be regularly updated as applicable statutes, regulations, and Federal, State, and private payor health care program requirements are modified and/or clarified.\26\

      \26\ The OIG recognizes that not all statutes, rules, regulations, standards, policies, and procedures need to be communicated to all employees. However, the OIG believes that the bulk of the standards that relate to complying with fraud and abuse laws and other ethical areas should be addressed and made part of all affected employees' training. A DMEPOS supplier must decide whether additional educational programs should be targeted to specific categories of employees based on job functions and areas of responsibility.

      When employees first begin working for the DMEPOS supplier, and each time new standards of conduct are issued, the OIG suggests employees be asked to sign a statement certifying that they have received, read, understood, and will abide by the standards of conduct. The employee's certification should be retained by the DMEPOS supplier in the employee's personnel file, and available for review by the compliance officer.

      The OIG believes all DMEPOS suppliers, regardless of size, should operate professionally and ethically. The OIG recognizes that small DMEPOS suppliers may not have formal written standards of conduct. However, such unwritten standards of conduct (e.g., the manner in which the DMEPOS supplier conducts its business) should be relayed to each employee. Employees should attest, in writing, that they understand and will abide by these standards.

      2. Written Policies for Risk Areas

      As part of its commitment to compliance, the DMEPOS supplier should establish a comprehensive set of written policies and procedures that take into consideration the particular statutes, rules, regulations, and program instructions applicable to each function of the DMEPOS supplier.‹SUP›27‹/SUP› In contrast to the standards of conduct, which are designed to be a clear and concise collection of fundamental standards, the written policies should articulate specific procedures personnel should follow.

      \27\ A DMEPOS supplier can conduct focus groups, composed of managers from various departments, to solicit their concerns and ideas about compliance risks that may be incorporated into the DMEPOS supplier's policies and procedures. Such employee participation in the development of the DMEPOS supplier's compliance program can enhance its credibility and foster employee acceptance of the program.

      Consequently, we recommend that the individual policies and procedures be coordinated with the appropriate training and educational programs with an emphasis on areas of special concern that have been identified by the OIG.‹SUP›28‹/SUP› Some of the special areas of OIG concern include: ‹SUP›29‹/SUP›

      \28\ A DMEPOS supplier's compliance program should require that the legal staff, compliance officer, or other appropriate personnel carefully consider any and all Special Fraud Alerts and Advisory Opinions issued by the OIG that relate to DMEPOS suppliers. See note 12. Moreover, the compliance program should address the ramifications of failing to cease and correct any conduct criticized in such a Special Fraud Alert or Advisory Opinion, if applicable to the DMEPOS supplier, or to take reasonable action to prevent such conduct from reoccurring in the future. If appropriate, a DMEPOS supplier should take the steps described in section II.G regarding investigations, reporting, and correction of identified problems.

      \29\ The OIG Work Plan details the various projects the OIG currently intends to address in the fiscal year. It should be noted that the priorities in the Work Plan are subject to modification and revision as the year progresses and do not represent a complete or final list of areas of concern to the OIG. The Work Plan is currently available on the Internet at http://www.dhhs.gov/progorg/oig.

      ‹bullet› Billing for items or services not provided; ‹SUP›30‹/SUP›

      \30\ Billing for items or services not provided involves submitting a claim representing that the DMEPOS supplier provided an item or service or part of an item or service that the patient did not receive. It may also include not fulfilling a contractual agreement, for example, when the DMEPOS supplier has agreed to service the rental equipment and does not fulfill this obligation.

      ‹bullet› Billing for services that the DMEPOS supplier believes may be denied; ‹SUP›31‹/SUP›

      \31\ Billing for services that may be denied involves seeking reimbursement for a service that is not covered by Medicare or does not meet the Medicare coverage criteria as documented by the patient's current medical condition. See 42 U.S.C. 1395y(a)(1)(A). The OIG recognizes that DMEPOS suppliers cannot make medical necessity determinations and may not be aware if an item or service will be denied in every instance. However, civil money penalties (CMPs) and administrative sanctions may be imposed against any person who submits a claim for services ``that [the] person knows or should know are not medically necessary.'' See 42 U.S.C. 1320a-7a(a). Such conduct may also result in liability under civil and criminal laws. HCFA does allow DMEPOS suppliers to submit claims when the DMEPOS supplier believes the item or service may not be covered, provided, however, that the supplier ``note[s] on the claim [its] belief that the service is noncovered and that it is being submitted at the beneficiary's insistence.'' See Medicare Carriers Manual, section 3043. If the DMEPOS supplier believes the item or service may be denied for any reason (e.g., not covered, not medically necessary), the DMEPOS supplier may have the beneficiary sign a written notice accepting financial responsibility if the item or service is denied (see Medicare Carriers Manual, section 7300.5). The DMEPOS supplier should include modifier ``GA'' on the claim for such item or service. This modifier indicates the beneficiary has signed a written notice. If the beneficiary signed an advance written notice, the DMEPOS supplier may directly bill the beneficiary for the denied item or service. (See section II.A.3.i for further discussion on written notices). See also discussion in section II.A.3.a and accompanying notes.

      [[Page 36373]]

      ‹bullet› Billing patients for denied charges without a signed written notice; ‹SUP›32‹/SUP›

      \32\ This includes, but is not limited to, billing the patient for items or services denied as not medically necessary by the payor, where there has been no written notice signed by the patient, the written notice has been inappropriately obtained or the written notice was drafted inappropriately. See Medicare Carrier Manual, section 7300.5A, regarding the requirements for written notice.

      ‹bullet› Duplicate billing; ‹SUP›33‹/SUP›

      \33\ Duplicate billing occurs when more than one claim for payment is submitted for the same patient, for the same service, for the same date of service (by the same or different DMEPOS supplier), or the same claim is submitted to more than one payor as primary. Although duplicate billing can occur due to simple error (which does not create civil or criminal liability), fraudulent duplicate billing is often evidenced by systematic or repeated double billing, and creates liability under criminal, civil, and administrative law, particularly if any overpayment is not promptly refunded. See note 72.

      ‹bullet› Billing for items or services not ordered; ‹SUP›34‹/SUP›

      \34\ Billing for items or services not ordered involves seeking reimbursement for items or services provided, but not ordered by the treating physician or other authorized person.

      ‹bullet› Using a billing agent whose compensation arrangement violates the reassignment rule; ‹SUP›35‹/SUP›

      \35\ If a billing agent receives payment on behalf of a DMEPOS supplier, the billing agent's compensation may not be related in any way to the dollar amounts billed or collected. See 42 U.S.C. 1395u(b)(6); 42 CFR 424.73; Medicare Carriers Manual, section 3060.

      ‹bullet› Upcoding; ‹SUP›36‹/SUP›

      \36\ Upcoding involves selecting a code to maximize reimbursement when such code is not the most appropriate descriptor of the service (e.g., billing for a more expensive piece of equipment when a less expensive piece of equipment is provided).

      ‹bullet› Unbundling items or supplies; ‹SUP›37‹/SUP›

      \37\ Unbundling items or supplies involves billing for individual components when a specific HCFA Common Procedure Coding System (HCPCS) code provides for the components to be billed as a unit (e.g., providing a wheelchair and billing the individual parts of the wheelchair, rather than the wheelchair as a whole).

      ‹bullet› Billing for new equipment and providing used equipment; ‹SUP›38‹/SUP›

      \38\ The DMEPOS supplier must indicate on the Medicare claim form, through the use of modifiers, whether the item provided is new or used. The modifier for providing new equipment is ``NU.'' The modifier for providing used equipment is ``UE.'' A knowing failure to correctly document the item provided would constitute falsifying information on the claim form and may constitute a violation of the False Claims Act. See 31 U.S.C. 3729.

      ‹bullet› Continuing to bill for rental items after they are no longer medically necessary; ‹SUP›39‹/SUP›

      \39\ Once a rental item is no longer medically necessary, the DMEPOS supplier is required to discontinue billing the payor for it. The OIG recognizes that DMEPOS suppliers cannot make medical necessity determinations and may not be aware that a rental item is no longer medically necessary for a particular patient. As a result, the OIG recommends that the DMEPOS supplier periodically contact the treating physician or other authorized person to ensure the rental item continues to be medically necessary. In addition, the OIG recommends that the DMEPOS supplier pick up such equipment from the patient in a timely manner. If the DMEPOS supplier bills for a rental item after it is no longer medically necessary, the DMEPOS supplier is financially responsible for that item and must remit any overpayments for that item. See 42 U.S.C. 1320a-7b(a)(3), which provides criminal penalties for failure to disclose an overpayment.

      ‹bullet› Resubmission of denied claims with different information in an attempt to be improperly reimbursed; ‹SUP›40‹/SUP›

      \40\ This practice involves the DMEPOS supplier improperly changing information on a previously denied claim and continuing to resubmit the claim in an attempt to receive payment. For example, a DMEPOS supplier may submit a claim using the accurate HCPCS code for the item or service provided and the claim is subsequently denied. It is improper to change the HCPCS code to an HCPCS code that the DMEPOS supplier believes is reimbursable, when such item or service was not provided.

      ‹bullet› Refusing to submit a claim to Medicare for which payment is made on a reasonable charge or fee schedule basis; ‹SUP›41‹/SUP›

      \41\ This practice involves a DMEPOS supplier not submitting a claim on behalf of the beneficiary for items or services that are Medicare benefits and are reimbursable under the Medicare program. See 42 U.S.C. 1395w-4(g)(4).

      ‹bullet› Inadequate management and oversight of contracted services, which results in improper billing; ‹SUP›42‹/SUP›

      \42\ The OIG recommends that the DMEPOS supplier create internal mechanisms to ensure that the use of contractors does not lead to improper billing practices.

      ‹bullet› Charge limitations; ‹SUP›43‹/SUP›

      \43\ A DMEPOS supplier should ensure that its billing personnel are informed of the different payment rules of all the Federal, State, and private health care programs it bills. The supplier should be aware that billing for items or services furnished substantially in excess of the supplier's usual charges may result in exclusion and other sanctions. See 42 U.S.C. 1320a-7(b)(6)(A). See also OIG Ad. Op. 98-8 (1998).

      ‹bullet› Providing and/or billing for substantially excessive amounts of DMEPOS items or supplies; ‹SUP›44‹/SUP›

      \44\ This practice, which constitutes overutilization, involves providing and/or billing for substantially more items or supplies than are reasonable and necessary for the needs of each individual patient. The OIG recognizes that DMEPOS suppliers cannot make medical necessity determinations. The medical need for an item must be determined by the physician or other authorized person who is treating the patient. However, the DMEPOS supplier must ensure that the patient's condition meets coverage, payment and utilization criteria as established in the payor's medical policies. If the DMEPOS supplier is providing and/or billing for substantially excessive amounts of DMEPOS items or supplies, the DMEPOS supplier is financially responsible for remitting any overpayments relating to those items or supplies. The OIG recommends that if a DMEPOS supplier is providing and billing for a large number of items or supplies for the same patient, it may periodically want to contact the treating physician or other authorized person to confirm the medical necessity of the items or supplies. Such contact with the physician's office should be documented. The practice of billing for substantially excessive amounts of items or supplies may lead to exclusion from Federal health care programs and other sanctions. See 42 U.S.C. 1320a-7(b)(6)(B).

      ‹bullet› Providing and/or billing for an item or service that does not meet the quality and standard of the DMEPOS item claimed; ‹SUP›45‹/SUP›

      \45\ This practice involves providing and/or billing for an item or service that does not meet the definition and/or requirement of the item or service ordered by the treating physician or other authorized person. Generally, such items are inferior in quality, and therefore do not meet the definition of what was ordered and/or billed. Sometimes this may mean that certain equipment was never cleared by the Food and Drug Administration, as required by law. This practice may lead to billing for items that are not reasonable and necessary. A DMEPOS supplier should ensure that the items or services it furnishes meet professionally recognized minimum standards of health care.

      ‹bullet› Capped rentals; ‹SUP›46‹/SUP›

      \46\ See discussion in section II.A.3.k and accompanying notes.

      ‹bullet› Failure to monitor medical necessity on an on-going basis; ‹SUP›47‹/SUP›

      \47\ In order for a patient to continue to receive items or supplies (e.g., rental equipment, supplies for an on-going condition) and for the DMEPOS supplier to receive Medicare reimbursement, the patient must meet the medical necessity criteria for that specific item or supply on an on-going basis. The item or supply furnished by the DMEPOS supplier should be replaced or adjusted, in a timely manner, to reflect changes in the patient's condition. The OIG recognizes that a DMEPOS supplier cannot make medical necessity determinations and may not be aware when a patient's condition changes. However, if a DMEPOS supplier is billing for items or services that are no longer medically necessary, the supplier is financially responsible for remitting any overpayments relating to those items or services. The OIG recommends that if a DMEPOS supplier is providing the same items or supplies to a patient on a regular basis, it may periodically want to contact the treating physician or other authorized person to confirm that the items or supplies continue to be medically necessary. Such contact with the physician's office should be documented.

      ‹bullet› Delivering or billing for certain items or supplies prior to receiving a physician's order and/or appropriate CMN; ‹SUP›48‹/SUP›

      \48\ This practice involves a DMEPOS supplier delivering to the patient, and/or billing the payor for, items or supplies that have not yet been ordered by the treating physician or other authorized person. Medicare requires written orders for certain items before delivery. See, e.g., 42 CFR 410.38.

      ‹bullet› Falsifying information on the claim form, CMN, and/or accompanying documentation; ‹SUP›49‹/SUP›

      \49\ This practice involves supplying false information to be included on the claim form, the CMN, or other accompanying documentation. The information reported on these documents should accurately reflect the patient's information, including medical information, and the items or services ordered by the treating physician or other authorized person and provided by the DMEPOS supplier. See, e.g., 18 U.S.C. 1035, which provides criminal penalties for falsifying information on such documentation.

      [[Page 36374]]

      ‹bullet› Completing portions of CMNs reserved for completion only by the treating physician or other authorized person; ‹SUP›50‹/SUP›

      \50\ This practice involves not completing the CMN in compliance with Medicare regulations (i.e., sections B and D should never be completed by the supplier). Instructions for completing the CMN can be found on the back of the form. See Medicare Carriers Manual, section 3312, which provides instructions on how to complete the CMN and the CMPs that may be assessed for improper completion of the CMN. See also 42 U.S.C. 1395m(j)(2); section II.A.3.c and accompanying notes for further discussion on CMNs. Such conduct may also result in liability under civil and criminal laws.

      ‹bullet› Altering medical records; ‹SUP›51‹/SUP›

      \51\ This practice involves falsifying information on a patient's medical records to justify reimbursement for an item or service.

      ‹bullet› Manipulating the patient's diagnosis in an attempt to receive improper payment; ‹SUP›52‹/SUP›

      \52\ This practice involves altering the treating physician's or other authorized person's diagnosis in an attempt to receive reimbursement for a particular item or service. A DMEPOS supplier should not claim the patient has a particular medical condition in order to qualify for an item for which the patient would not otherwise qualify.

      ‹bullet› Failing to maintain medical necessity documentation; ‹SUP›53‹/SUP›

      \53\ This practice involves failing to ensure that the medical necessity documentation requirements for the item or service billed are properly met (e.g., failing to maintain the physician orders or CMNs or failing to ensure that CMNs contain adequate and correct information). See Medicare Carriers Manual, section 4105.2 for evidence of medical necessity. See also sections II.A.3.b and II.A.3.c regarding physician orders and CMNs, respectively.

      ‹bullet› Inappropriate use of place of service codes; ‹SUP›54‹/SUP›

      \54\ This practice involves indicating on the claim form that the place of service is a location other than where the service was provided. For example, the patient resides in a skilled nursing facility (SNF) and a DMEPOS supplier submits a claim with the place of service as the patient's home. Provided that the DMEPOS items or services are ordered, provided, reasonable and necessary given the clinical condition of the patient, the items or services may be covered if the beneficiary resides at home. However, such items may not be covered if the beneficiary resides in a SNF. See Medicare Carriers Manual, section 2100.3 for the definition of a beneficiary's home.

      ‹bullet› Cover letters that encourage physicians to order medically unnecessary items or services; ‹SUP›55‹/SUP›

      \55\ See discussion in section II.A.3.m.

      ‹bullet› Improper use of the ZX modifier; ‹SUP›56‹/SUP›

      \56\ This practice involves the improper use of the ZX modifier, relating to maintaining medical necessity documentation. See discussion in section II.A.3.l.

      ‹bullet› Routine waiver of deductibles and coinsurance; ‹SUP›57‹/SUP›

      \57\ Throughout this document, the term ``deductibles and coinsurance'' refers to Medicare as well as to any other health insurance program requiring deductibles and coinsurance. See discussion in section II.A.3.j and accompanying notes.

      ‹bullet› Providing incentives to actual or potential referral sources (e.g., physicians, hospitals, patients, skilled nursing facilities, home health agencies or others) that may violate the anti-kickback statute or other similar Federal or State statute or regulation; ‹SUP›58‹/SUP›

      \58\ Examples of arrangements that may run afoul of the anti-kickback statute include practices in which a DMEPOS supplier pays a fee to a physician for each CMN the physician signs, provides free gifts to physicians for signing CMNs, provides inducements to beneficiaries, and/or provides items or services for free or below fair market value to providers or beneficiaries of Federal health care programs. See 42 U.S.C. 1320a-7a(a)(5); 42 U.S.C. 1320a-7b(b); 60 FR 40847 (August 10, 1995). See also discussion in section II.A.4 and accompanying notes.

      ‹bullet› Compensation programs that offer incentives for items or services ordered and revenue generated; ‹SUP›59‹/SUP›

      \59\ Compensation programs that offer incentives for items or services ordered or the revenue they generate may lead to the ordering of medically unnecessary items or supplies and/or the ``dumping'' of such items or supplies in a facility or in a beneficiary's home (e.g., mail order supply companies that continue to send the patient supplies when the supplies are no longer medically necessary).

      ‹bullet› Joint ventures between parties, one of whom can refer Medicare or Medicaid business to the other; ‹SUP›60‹/SUP›

      \60\ Equally troubling to the OIG is the proliferation of business arrangements that may violate the anti-kickback statute or other similar Federal and State statute or regulation. Such arrangements are generally established between those in a position to refer business, such as physicians, and those providing items or services, such as DMEPOS suppliers, for which a Federal health care program pays. Sometimes established as ``joint ventures,'' these arrangements may take a variety of forms. The OIG currently has a number of investigations and audits underway that focus on such areas of concern. The OIG has also issued a Special Fraud Alert on Joint Venture Arrangements. This Special Fraud Alert can be found at 59 FR 65372 (December 19, 1994) or on the Internet at http://www.dhhs.gov/progorg/oig.

      ‹bullet› Billing for items or services furnished pursuant to a prohibited referral under the Stark physician self-referral law; ‹SUP›61‹/SUP›

      \61\ Under the Stark physician self-referral law, if a physician (or an immediate family member of such physician) has a prohibited financial relationship with a DMEPOS supplier, the physician may not make a referral to the DMEPOS supplier and the DMEPOS supplier may not bill for furnishing DMEPOS items or supplies for which payment may be made under the Federal health care programs. See 42 U.S.C. 1395nn.

      ‹bullet› Improper telemarketing practices; ‹SUP›62‹/SUP›

      \62\ See 42 U.S.C. 1395m(a)(17) or Pub.L. 103-432, section 132(a) for the prohibition on telemarketing. See also discussion in section II.A.5 and accompanying notes.

      ‹bullet› Improper patient solicitation activities and high-pressure marketing of noncovered or unnecessary services; ‹SUP›63‹/SUP›

      \63\ The DMEPOS supplier should not utilize prohibited or inappropriate conduct to carry out its initiatives and activities designed to maximize business growth and patient retention. Many cases against DMEPOS suppliers have involved the DMEPOS supplier giving the beneficiary free gifts such as angora underwear, microwaves and air conditioners in exchange for providing and billing for unnecessary items. Any marketing information offered by the DMEPOS supplier should be clear, correct, non-deceptive, and fully informative. See discussion in section II.A.5 and accompanying notes.

      ‹bullet› Co-location of DMEPOS items and supplies with the referral source; ‹SUP›64‹/SUP›

      \64\ In this situation, a physician allows a DMEPOS supplier to stock inventory (the storage space may or may not be rented by the DMEPOS supplier) in a physician's office. When such items and supplies are dispensed to the patient, Medicare is then billed. Although such arrangements are not prohibited per se, the OIG believes that such arrangements may potentially raise anti-kickback and self-referral issues, particularly when the DMEPOS supplier pays the physician an amount above fair market value to rent the space.

      ‹bullet› Non-compliance with the Federal, State and private payor supplier standards; ‹SUP›65‹/SUP›

      \65\ A DMEPOS supplier should have appropriate personnel acknowledge they have reviewed and will abide by the Medicare supplier standards. In addition, a DMEPOS supplier should ensure it is meeting individual State and private payor supplier standards. See 42 CFR 424.57 for the Medicare supplier standards.

      ‹bullet› Providing false information on the Medicare DMEPOS supplier enrollment form; ‹SUP›66‹/SUP›

      \66\ Criminal penalties may be imposed against an individual who knowingly and willfully makes or causes to be made any false statements or representations of a material fact in any application for any benefit or payment under a Federal health care program. See 42 U.S.C. 1320a-7b(a)(1). See also 31 U.S.C. 3729(a) (``any person who * * * knowingly makes, uses, or causes to be made or used, a false record or statement to get a false or fraudulent claim paid or approved by the Government * * * is liable to the United States Government for a civil penalty of not less than $5,000 and not more than $10,000, plus 3 times the amount of damages which the Government sustains because of the act of that person * * *'')

      ‹bullet› Not notifying the National Supplier Clearinghouse in a timely manner of changes to the information previously provided on the DMEPOS supplier enrollment form; ‹SUP›67‹/SUP›

      \67\ By signing the DMEPOS supplier enrollment application, a DMEPOS supplier certifies it will notify the Medicare contractor of any changes in its enrollment information within 30 days of the effective date of the change.

      ‹bullet› Misrepresenting a person's status as an agent or representative of Medicare; ‹SUP›68‹/SUP›

      \68\ It is unlawful for a DMEPOS supplier to represent itself as a Medicare representative. See 42 U.S.C. 1320b-10.

      ‹bullet› Knowing misuse of a supplier number, which results in improper billing; ‹SUP›69‹/SUP›

      \69\ This practice may involve, but is not limited to, using another DMEPOS supplier's billing number.

      ‹bullet› Failing to meet individual payor requirements; ‹SUP›70‹/SUP›

      \70\ A DMEPOS supplier should be aware of the requirements of any payor they bill, especially in those situations where there is a primary and secondary payor.

      [[Page 36375]]

      ‹bullet› Performing tests on a beneficiary to establish medical necessity; ‹SUP›71‹/SUP›

      \71\ E.g., Medicare does not permit DMEPOS suppliers to perform oxygen tests (e.g., oximetry tests and arterial blood gas tests) to qualify patients for oxygen and oxygen supplies. See Medicare Coverage Issues Manual, section 60-4. See also discussion in section II.A.3.o.

      ‹bullet› Failing to refund overpayments to a health care program; ‹SUP›72‹/SUP›

      \72\ An overpayment is the amount of money received in excess of the amount due and payable under a health care program. Examples of overpayments include, but are not limited to, instances where a DMEPOS supplier is: (i) paid twice for the same service, for the same beneficiary; or (ii) paid for services that were provided but not ordered by the treating physician or other authorized person. The OIG strongly recommends that the DMEPOS supplier institute procedures to detect overpayments and to promptly remit such overpayments to the affected payor. See 42 U.S.C. 1320a-7b(a)(3). See also 18 U.S.C. 669 and 31 U.S.C. 3729(a)(7).

      ‹bullet› Failing to refund overpayments to patients; ‹SUP›73‹/SUP›

      \73\ If a patient is also due money when a DMEPOS supplier identifies an overpayment to a health care program, the DMEPOS supplier should make a prompt refund to the patient. See 42 U.S.C. 1395m(j)(4) on limitation of patient liability for non-assigned claims that are denied due to medical necessity. See also 42 U.S.C. 1395pp(h) on limitation of patient liability for assigned claims that are denied due to medical necessity.

      ‹bullet› Improper billing resulting from a lack of communication between the DMEPOS supplier, the physician, and the patient; ‹SUP›74‹/SUP›

      \74\ A lack of communication between the DMEPOS supplier, physician, and patient may result in the DMEPOS supplier inappropriately billing for items or supplies (e.g., supplies for an on-going condition or rental equipment that are no longer medically necessary). See discussion in section II.A.3.n.

      ‹bullet› Improper billing resulting from a lack of communication between different departments within the DMEPOS supplier; ‹SUP›75‹/SUP› and

      \75\ A lack of communication between the different departments of a DMEPOS supplier may result in the DMEPOS supplier filing incorrect claims and/or equipment delivery problems.

      ‹bullet› Employing persons excluded from participation in Federal health care programs.‹SUP›76‹/SUP›

      \76\ This involves hiring or contracting with individuals or entities who have been excluded from participation in Federal health care programs or any other Federal procurement or non-procurement program. See section II.F.2.

      A DMEPOS supplier's prior history of noncompliance with applicable statutes, regulations, and Federal, State or private health care program requirements may indicate additional types of risk areas where the DMEPOS supplier may be vulnerable and that may require policies and procedures to prevent recurrence.‹SUP›77‹/SUP› Additional risk areas should be assessed by the DMEPOS supplier and incorporated into its written policies and procedures and training programs developed as part of its compliance program.

      \77\ ``Recurrence of misconduct similar to that which an organization has previously committed casts doubt on whether it took all reasonable steps to prevent such misconduct'' and is a significant factor in the assessment of whether a compliance program is effective. See United States Sentencing Commission Guidelines, Guidelines Manual, 8A1.2, Application Note 3(k)(iii).

      The OIG believes sound operating policies are essential to all DMEPOS suppliers, regardless of size. The OIG recommends that small DMEPOS suppliers focus on the risk areas most potentially problematic to their business operations. The OIG recognizes some small DMEPOS suppliers may not have the resources to independently develop a comprehensive set of written policies and procedures pertaining to such risk areas. In this case, the OIG recommends that the small DMEPOS supplier create a manual that is accessible to all employees. Such a manual should contain the specific statutes, regulations, and DMERC instructions and bulletins that address the DMEPOS supplier's identified risk areas. The goal of this manual is to provide employees direction so they can properly address any concerns/issues/questions that may arise.

      3. Claims Development and Submission

      a. Medical Necessity

      The OIG recommends that the DMEPOS supplier's compliance program communicate to physicians and other persons authorized to order items and services that claims submitted for items and services will only be paid if the item or service is ordered, provided, covered, reasonable and necessary for the patient, given his or her clinical condition. The DMEPOS suppliers should take all reasonable steps to ensure they are not submitting claims for services that are not: (i) covered; (ii) reasonable; and (iii) necessary.‹SUP›78‹/SUP› The DMEPOS suppliers must keep the treating physician's or other authorized person's signed and dated order or CMN on file for all DMEPOS items and services.‹SUP›79‹/SUP› Upon a payor's request, the DMEPOS supplier must be able to provide documentation, such as physician orders, completed original CMNs,‹SUP›80‹/SUP› proof of delivery, written confirmation of verbal orders and any other documentation to support the medical necessity of an item or service the DMEPOS supplier has provided and billed to a Federal or private health care program.‹SUP›81‹/SUP› Because the DMEPOS supplier is responsible for producing documentation upon request, the DMEPOS supplier may want to send a written notice to its clients who write orders and refer patients concerning payors' documentation requirements.

      \78\ See note 31.

      \79\ See Medicare Carrier Manual, section 3312. See also Medicare Carrier Manual, section 4105.2 regarding what information must be included on the physician's order.

      \80\ An original CMN is that in which Section B was completed by the treating physician or other authorized person and contains the original signature of the treating physician or other authorized person.

      \81\ In order to ensure correct reimbursement, the payor may conduct a post-payment audit of a DMEPOS supplier's claims. Such audits may require that the DMEPOS supplier submit documentation to substantiate that the items or services were ordered by the treating physician or other authorized person, provided, covered, reasonable and necessary. See 42 CFR 424.5(a)(6).

      As a preliminary matter, the OIG recognizes that physicians and other authorized persons must be able to order any items or services that they believe are appropriate for the treatment of their patients. However, Medicare and other Government and private health care plans will only pay for those services that are covered and that meet the appropriate medical necessity standards (e.g., ordered, provided, reasonable, necessary, and meeting criteria established by medical review policies). ``No payment may be made under Part A or Part B for any expenses incurred for items or services * * * which are not reasonable and necessary for the diagnosis or treatment of an illness or injury or to improve the functioning of a malformed body member.'' ‹SUP›82‹/SUP› Therefore, DMEPOS suppliers should be aware that Medicare may deny payment for an item or service that the treating physician or other authorized person believes is appropriate, but which does not meet the Medicare coverage criteria or where the documentation does not support that the item or service was reasonable and necessary for the patient. The OIG recommends that the DMEPOS supplier advise its clients that claims for items or services submitted for Federal, State or private payor reimbursement must meet program requirements ‹SUP›83‹/SUP› or the claims may be denied.

      \82\ See 42 U.S.C. 1395y(a)(1)(A).

      \83\ See note 31.

      The DMEPOS supplier should take steps to ensure compliance with the applicable statutes, regulations and the requirements of Federal, State and private health plans. The OIG recognizes that DMEPOS suppliers do not and cannot treat patients or make medical necessity determinations. However, the DMEPOS supplier must take steps to ensure that the beneficiary's condition meets coverage, payment and utilization criteria established in medical policies before it submits a claim to Federal, State or private health plans. In order to help [[Page 36376]] ensure compliance, the OIG recommends that DMEPOS supplier personnel understand the coverage and payment criteria of each payor they bill. To help aid supplier personnel, the DMEPOS supplier's compliance officer may want to create a clear, comprehensive summary of the ``medical necessity'' standards or coverage criteria and applicable rules of the various Government and private plans. This summary should be disseminated and explained to the appropriate DMEPOS supplier personnel.

      We also recommend that DMEPOS suppliers formulate internal control mechanisms through their written policies and procedures to ensure the medical necessity of the items or services they provide. Such policies and procedures may include periodic claim reviews, both prior and subsequent to billing for items and services. Such a procedure will verify that patients are receiving and the DMEPOS supplier is being paid for items and/or services that are ordered, provided, covered, reasonable and necessary. The DMEPOS supplier may choose to incorporate this claims review function into pre-existing quality assurance mechanisms.

      b. Physician Orders

      The DMEPOS supplier's written policies and procedures should state that the DMEPOS supplier will not bill for an item or service unless and until it has been ordered by the treating physician or other authorized person. For all Medicare reimbursed DMEPOS items or services, the DMEPOS supplier must receive a written order from the patient's treating physician or other authorized person. Such written order must be received prior to billing Medicare. When the DMEPOS supplier receives a verbal order, the DMEPOS supplier should document the verbal order and must have the treating physician or other authorized person confirm it in writing prior to billing.

      The written policies and procedures should also state, for items requiring a written order prior to delivery, that the order must be received by the DMEPOS supplier before it delivers the equipment to the patient and before it bills the payor.‹SUP›84‹/SUP›

      \84\ See 42 CFR 410.38.

      c. Certificate of Medical Necessity ‹SUP›85‹/SUP›

        For some DMEPOS items and services, the DMEPOS supplier must receive a signed CMN from the treating physician or other authorized person. Currently, CMNs are required for Medicare reimbursement for fourteen items. ‹SUP›86‹/SUP› The CMN must be retained in the DMEPOS supplier's records before it can submit a claim for payment to the Medicare program. Although faxed CMNs are permitted in order to submit the claim, the DMERCs have the authority to request the original CMN from the DMEPOS supplier at any time.‹SUP›87‹/SUP›

        \85\ As defined in 42 U.S.C. 1395m(j)(2)(B). See also OIG Special Fraud Alert regarding Physician Liability for Certifications in the Provision of Medical Equipment and Supplies and Home Health Services, 64 FR 1813 (January 12, 1999). Special Fraud Alerts are available on the OIG website.

        \86\ Items or services requiring CMNs are as follows: Home oxygen therapy (HCFA form 484); Hospital beds (HCFA form 841); Support surfaces (HCFA form 842); Motorized wheelchairs (HCFA form 843) (Section C continuation, HCFA form 854); Manual wheelchairs (HCFA form 844) (Section C continuation, HCFA form 854); Continuous positive airway pressure (CPAP) devices (HCFA form 845); Lymphedema pumps (pneumatic compression devices) (HCFA form 846); Osteogenesis stimulators (HCFA form 847); Transcutaneous electrical nerve stimulators (TENS) (HCFA form 848); Seat lift mechanisms (HCFA form 849); Power operated vehicles (HCFA form 850); Infusion pumps (HCFA form 851); Parenteral nutrition (HCFA form 852); and Enteral nutrition (HCFA form 853).

        \87\ See HCFA Program Memorandum B-99-23 (April 1999).

        Each CMN has four sections: A, B, C, and D. Section A may be completed by the DMEPOS supplier. Section B may not be completed by the DMEPOS supplier.‹SUP›88‹/SUP› Section B may only be completed by the treating physician, a non-physician clinician involved in the care of the patient or a physician employee who is knowledgeable about the patient's treatment. If section B is completed by a physician's employee, the section must be reviewed by the treating physician or other person authorized to sign section D of the CMN ‹SUP›89‹/SUP› to ensure the information's accuracy. Section C must be completed by the DMEPOS supplier prior to the CMN being furnished to the treating physician or other authorized person for signature.‹SUP›90‹/SUP› Section D is the attestation statement and may only be signed by the treating physician or other person authorized to sign section D.‹SUP›91‹/SUP› The DMEPOS supplier's written policies and procedures on completing CMNs should reflect these standards.

        \88\ A supplier who knowingly and willfully completes section B of the form is, at a minimum, subject to a CMP of up to $1,000 for each form or document completed in such manner. See 42 U.S.C. 1395m(j)(2). That supplier may also face civil and criminal liability.

        \89\ See HCFA Program Memorandum B-98-47 (November, 1998), which discusses who is authorized to sign section D of the CMN.

        \90\ A supplier who knowingly and willfully fails to include, in section C, the fee schedule amount and the supplier's charge for the equipment or supplies being furnished may be subject to a CMP up to $1,000 for each form or document so distributed. See 42 U.S.C. 1395m(j)(2).

        \91\ Physicians or persons authorized to sign section D (see note 89), should only sign CMNs in which sections A-C are completed and correct. Signature and date stamps are not acceptable. See Medicare Carriers Manual, section 3312.

        The DMEPOS supplier should take all reasonable steps to ensure that each section of the CMN is completed in accordance with the above guidelines. The OIG recommends that the DMEPOS supplier's written policies and procedures, at a minimum, provide that the DMEPOS supplier:

        ‹bullet› Does not forward blank CMNs to the treating physician or other authorized person for signature;

        ‹bullet› Does not complete section B (Medical Necessity) of the CMN;

        ‹bullet› Does not alter or add any information on the CMN after receiving the completed and signed CMN from the physician or other authorized person; ‹SUP›92‹/SUP›

        \92\ There have been many investigations centering on DMEPOS suppliers who alter information in order to affect their reimbursement (e.g., altering diagnosis code, altering HCPCS code of service provided).

        ‹bullet› Does not sign the CMN for the treating physician or other authorized person;

        ‹bullet› Does not urge physicians or other authorized persons to order equipment or supplies that exceed what is reasonable and necessary for the patient;

        ‹bullet› Does not deliver an item that requires a written order from the treating physician or other authorized person prior to receiving the written order; ‹SUP›93‹/SUP›

        \93\ See 42 U.S.C. 1395m(a)(11)(B). See also 42 CFR 410.38.

        ‹bullet› Does not submit a claim for DMEPOS items or services prior to receiving a written order or CMN from the treating physician or other authorized person;

        ‹bullet› Does not submit a claim for DMEPOS items or services until the CMN is properly and correctly completed by the treating physician or other authorized person;

        ‹bullet› Maintains completed and signed CMNs in its files;

        ‹bullet› Consults with the treating physician or other authorized person who signed the CMN when there is a question on the order;

        ‹bullet› Properly completes sections A and C of the CMN and then forwards the CMN to the treating physician or other authorized person for his/her review, information, and signature; and

        ‹bullet› Only submits claims for services that the treating physician or other authorized person attests in section D are ordered and medically necessary for the patient.

        [[Page 36377]]

      d. Billing

        The DMEPOS supplier should provide in its written policies and procedures that it will only submit to Medicare or other Federal, State or private payor health care plans claims that are properly completed, accurate, and correctly identify the item or service ordered by the treating physician or other authorized person and furnished to the patient. Also, prior to submitting the claim, the DMEPOS supplier should take all reasonable steps to ensure the item or service being claimed was provided, covered, reasonable and necessary.

        The written policies and procedures should also clarify that a DMEPOS supplier cannot submit bills or receive payment for drugs used in conjunction with DMEPOS, unless the DMEPOS supplier is licensed to dispense the drug.‹SUP›94‹/SUP›

        \94\ See Medicare Program Memoranda B-98-6 (February, 1998) and B-98-18 (May, 1998).

      e. Selection of HCPCS Codes

        The DMEPOS supplier's written policies and procedures should state that only the HCPCS code that most accurately describes the item or service ordered and provided should be billed. The OIG views knowing ``upcoding'' (i.e., the selection of a code to maximize reimbursement when such a code is not the most appropriate descriptor of the service) as raising, among other things, false claims issues under the Civil False Claims Act.‹SUP›95‹/SUP› To ensure code accuracy, the OIG recommends that the DMEPOS supplier include a requirement in its policies and procedures that the codes be reviewed (random sample or certain codes) by individuals with technical expertise in coding before claims containing such codes are submitted to the affected payor. If a DMEPOS supplier has questions regarding the appropriate code to be used, it should contact the Statistical Analysis Durable Medical Equipment Carrier's (SADMERC) HCPCS coding help line.‹SUP›96‹/SUP›

        \95\ See 31 U.S.C. 3729, which provides for the imposition of penalties of $5,000 to $10,000 per false claim, plus up to three times the amount of damages suffered by the Federal Government because of the false claim.

        \96\ The phone number for the SADMERC's HCPCS coding help line is 803-736-6809. The hours of operation are Monday through Friday from 9:00 am to 4:00 pm, EST. Based on the information provided by the DMEPOS supplier, the SADMERC will aid the DMEPOS supplier in choosing the most accurate code for the item or service ordered and supplied. However, the DMEPOS supplier should be aware that assigning a HCPCS code to an item or service does not necessarily guarantee reimbursement.

      f. Valid Supplier Numbers

        The DMEPOS supplier should ensure that appropriate personnel are knowledgeable in (1) completing the HCFA 855S supplier application; ‹SUP›97‹/SUP› and (2) complying with the Federal requirements of 42 CFR 424.57(e) for updating supplier number applications.

        \97\ By signing the certification statement on the enrollment application, the applicant agrees that he/she has read, understood, meets and will continue to meet the supplier standards and will be disenrolled from the program if any standards are not met or violated.

        The written policies and procedures should state that the DMEPOS supplier should not bill any other Federal, State or private payor health care plan without obtaining the necessary billing numbers and that the billing numbers will be used correctly.‹SUP›98‹/SUP›

        \98\ E.g., if a DMEPOS supplier has more than one location, the supplier number of the location that filled the physician's or other authorized person's order will be used on the claim form.

        Prior to applying for a valid supplier number, a DMEPOS supplier providing services to Medicare beneficiaries must meet the supplier standards.‹SUP›99‹/SUP› The DMEPOS supplier should take all affirmative steps to ensure that no claims for Medicare reimbursement are submitted prior to the DMEPOS supplier being issued a valid supplier number by the National Supplier Clearinghouse. A DMEPOS supplier should not have more than one Medicare supplier number unless it is appropriate to identify subsidiary or regional entities under the supplier's ownership or control.‹SUP›100‹/SUP›

        \99\ See 42 CFR 424.57.

        \100\ See 42 U.S.C. 1395m(j)(1)(D).

      g. Mail Order Suppliers

        We recommend that any DMEPOS supplier who engages in the mail order supply business clearly articulate its protocol for this segment of its business in the company's written policies and procedures.

        Mail order supplies should only be delivered in accordance with the treating physician's or other authorized person's orders. Regularly shipping supplies without such orders may lead to providing supplies substantially in excess of the patient's needs.‹SUP›101‹/SUP› We also recommend that the supplier utilize a tracking system so it will be able to determine whether or not the patient received the supplies and will be able to track the location of an item or supply at any given time.

        \101\ See note 44.

      h. Assignment

        If a DMEPOS supplier accepts Medicare assignment, its written policies and procedures should state that it will not charge Medicare beneficiaries more than the amounts allowed under the Medicare fee schedule, including coinsurance and deductibles. If the beneficiary pays the DMEPOS supplier prior to the DMEPOS supplier submitting the claim, the DMEPOS supplier should ensure it is not charging the beneficiary more than the coinsurance on the allowed amount under the fee schedule. In the event that the DMEPOS supplier collects excess payments from a Medicare beneficiary, it should have mechanisms in place to promptly refund the overpayment to the beneficiary. The DMEPOS supplier should be knowledgeable about the Medicare rules and instructions for accepting assignment and receiving direct payment from beneficiaries for items or services.

        If a DMEPOS supplier chooses not to accept Medicare assignment, it is still responsible for submitting claims to Medicare on behalf of beneficiaries.‹SUP›102‹/SUP›

        \102\ See 42 U.S.C. 1395w-4(g)(4).

        If the DMEPOS supplier chooses to utilize a billing agent, the DMEPOS supplier should ensure it is complying with all of the relevant statutes and requirements governing such an arrangement.‹SUP›103‹/SUP› The OIG strongly recommends that the DMEPOS supplier coordinate closely with the billing company to establish compliance responsibilities. Once the responsibilities have been clearly delineated, they should be formalized in the written contract between the DMEPOS supplier and the billing agent. The OIG recommends that the contract enumerate those functions that are shared responsibilities and those that are the sole responsibility of either the billing agent or the DMEPOS supplier.

        \103\ See 42 U.S.C. 1395u(b)(6); 42 CFR 424.73; Medicare Carriers Manual, section 3060. See also OIG Ad. Op. 98-1 (1998) and OIG Ad. Op. 98-4 (1998).

      i. Liability Issues

        The OIG recommends that DMEPOS suppliers avoid submitting claims for items or services that the DMEPOS supplier believes are not covered by Medicare. However, HCFA does permit a DMEPOS supplier to submit a claim for an item or service that the DMEPOS supplier believes is not covered if (i) the beneficiary insists that the DMEPOS supplier submit the claim, and (ii) the DMEPOS supplier notes on the claims its belief that the service is noncovered and that it is being submitted at the beneficiary's insistence (e.g., submitted for a Medicare determination of [[Page 36378]] coverage and/or to obtain a denial notice in order to bill other insurers).‹SUP›104‹/SUP›

        \104\ See Medicare Carriers Manual, section 3043.

        A DMEPOS supplier or Medicare beneficiary is not liable for payment on assigned claims where the beneficiary did not know, and could not reasonably have been expected to know, that the payment for such services would not be made.‹SUP›105‹/SUP› However, when the DMEPOS supplier knew, or could have been expected to know, the items or services would be denied, the liability for improperly paid items or services rests with the DMEPOS supplier.‹SUP›106‹/SUP›

        \105\ See 42 U.S.C. 1395pp.

        \106\ Id.

        In order to protect itself from financial responsibility in such situations (i.e., situations in which the beneficiary is insisting that a claim be submitted to Medicare notwithstanding the DMEPOS supplier's belief that Medicare does not cover the service), the DMEPOS supplier must inform the patient prior to furnishing the item or service of the DMEPOS supplier's belief that the claim to Medicare will be denied. In this situation, the DMEPOS supplier should ask the patient to sign a written notice.‹SUP›107‹/SUP› The written notice must be in writing, must clearly identify the particular item or service, must state that the payment for the particular item or service likely will be denied, and must give the reason(s) for the belief that payment is likely to be denied. It is the beneficiary's decision whether or not to sign the written notice. If the beneficiary does sign the written notice, the DMEPOS supplier should: (1) include the appropriate modifier on the claim form; (2) maintain the written notice in its files; and (3) be able to produce the written notice to the DMERC, upon request.

        \107\ See Medicare Carriers Manual, section 7300.5.

        If the DMEPOS supplier improperly bills the beneficiary, Medicare will indemnify the beneficiary for any payments the beneficiary made to the DMEPOS supplier, and collect the indemnification amount from the DMEPOS supplier as an overpayment.

        Routine notices to beneficiaries that do no more than state that denial of payment is possible are not considered acceptable evidence of written notice. Notices should not be given to beneficiaries unless there is some genuine doubt regarding the likelihood of payment as evidenced by the reasons stated on the written notice. Giving notice for all claims, items or services is not an acceptable practice.

        The OIG recommends that the DMEPOS supplier include the foregoing liability issues in its written policies and procedures.

      j. Routine Waiver of Deductibles and Coinsurance

        Routine waivers of deductibles and coinsurance may result in false claims, CMPs for inducements to beneficiaries, and violations of the anti-kickback statute or similar Federal or State statute or regulations.‹SUP›108‹/SUP› In addition to the potential problems regarding kickbacks, false claims, and CMPs, the OIG has programmatic concerns when DMEPOS suppliers routinely waive deductibles and coinsurance. When DMEPOS suppliers forgive financial obligations for reasons other than genuine financial hardship of a particular patient, they may be inducing the patient to use items or services that are unnecessary, simply because they are free. Such usage may also lead to overutilization. DMEPOS suppliers are permitted to waive the Medicare coinsurance amounts for cases of financial need.‹SUP›109‹/SUP› We recommend that the DMEPOS supplier develop and maintain written criteria documenting its policy for determining financial need and consistently apply these criteria to all cases.\110\ A good faith effort must be made to collect deductibles and coinsurance.\111\

        \108\ See 59 FR 31157 (December 19, 1994) or the OIG website at http://www.dhhs.gov/progorg/oig for the OIG Special Fraud Alert on Medicare Deductibles and Copayments. See also 31 U.S.C. 3729-3733; 42 U.S.C. 1320a-7a(a)(5); 42 U.S.C. 1320a-7b.

        \109\ See Medicare Carriers Manual, section 5520.

        \110\ What constitutes ``financial need'' varies depending on the circumstances. However, the OIG believes it is important that a DMEPOS supplier make determinations of financial need on an individualized, case by case, basis in accordance with a reasonable set of income guidelines uniformly applied in all cases. The guidelines should be based on objective criteria and appropriate for the applicable locality. It is not appropriate to apply inflated income guidelines that result in waivers of copayments for persons not in genuine financial need.

        \111\ See 42 CFR 413.80; Provider Reimbursement Manual, Part I, sections 308 and 310.

        The DMEPOS supplier's written policies and procedures should state that it will not routinely waive deductibles and coinsurance for Medicare beneficiaries. The OIG recommends that such policies and procedures should include, but not be limited to, statements that DMEPOS supplier personnel are prohibited from: advertising an intent to waive deductibles or coinsurance for Medicare beneficiaries; advertising an intent to discount services for Medicare beneficiaries; or giving unsolicited advice to Medicare beneficiaries that they need not pay.

      k. Capped Rentals

        The DMEPOS supplier's written policies and procedures should address Government and private payor requirements when providing rental equipment to beneficiaries (e.g., the purchase option ‹SUP›112‹/SUP› and servicing and maintenance ‹SUP›113‹/SUP›). The DMEPOS supplier must offer a purchase option to beneficiaries during the 10th continuous rental month.‹SUP›114‹/SUP› The DMEPOS supplier should clearly, accurately, and non-deceptively discuss the pros and cons of the different options with the beneficiary. If the beneficiary does not accept the purchase option, the DMEPOS supplier must continue to provide the item. After the 15th continuous month of receiving rental payments from Medicare, provided that the item or service continues to be medically necessary, the DMEPOS supplier must continue to provide the item without charge to the beneficiary or Medicare.

        \112\ See 42 CFR 414.229(d).

        \113\ See 42 CFR 414.229(e).

        \114\ DMEPOS suppliers must offer beneficiaries the option of purchasing power-driven wheelchairs at the time the DMEPOS supplier first furnishes the item. See 42 CFR 414.229(d)(1).

        However, the DMEPOS supplier may submit additional claims for the maintenance and servicing fees associated with the rental item.‹SUP›115‹/SUP› The DMEPOS supplier should ensure it is performing basic safety and operational function checks after use by each patient, and is performing routine and preventative maintenance on equipment. The DMEPOS supplier must ensure it has qualified staff or contractors to service, set up, and instruct the patient on the proper use of the equipment. The DMEPOS supplier should ensure it maintains current service manuals for all the equipment it supplies. In addition, the OIG recommends that the DMEPOS supplier's policies and procedures establish an internal control system that allows the DMEPOS supplier to track the location of each piece of equipment at any given time.

        \115\ See 42 CFR 414.229(e).

        The policies and procedures should also address the guidelines for determining continuous use and criteria for a new rental period.‹SUP›116‹/SUP› If a beneficiary dies during a rental period, the DMEPOS supplier may receive the entire monthly rental payment.‹SUP›117‹/SUP› However, if the DMEPOS supplier continues to bill for the item because it did not receive notice of the beneficiary's death until the following [[Page 36379]] month, any payments received for rental items the month after the beneficiary dies are considered an overpayment and must promptly be refunded. The DMEPOS supplier should create internal mechanisms to ensure the correct rental month appears on the claim and the correct modifier is used.

        \116\ See 42 CFR 414.230.

        \117\ See Medicare Carriers Manual, section 4105.3.

        In addition, the DMEPOS supplier should ensure it is not submitting claims for rental equipment when the beneficiary is residing in an institution. The OIG is aware that some DMEPOS suppliers bring DMEPOS items to beneficiaries residing in an institution, just prior to the beneficiary's discharge, in order to train the beneficiary on how to use the item or to fit the item for the beneficiary. Once the DMEPOS supplier has trained or fitted the beneficiary, the DMEPOS supplier should take the item and deliver it to the beneficiary's home on the date of discharge. As a result, the DMEPOS supplier should file the claim for this item with the date of delivery/date of service as the date the beneficiary is discharged from the institution. If the DMEPOS supplier delivers the item to the beneficiary in the institution prior to the beneficiary's discharge to be used by the beneficiary while in the institution, the item should be included in the institution's cost and the DMEPOS supplier should not submit the claim. The DMEPOS supplier may not submit the claim prior to the beneficiary's date of discharge.

      l. ZX Modifier

        The ZX modifier is used on the claim form to indicate that the DMEPOS supplier is maintaining medical necessity documentation in its files. Such documentation only needs to be submitted to the DMERC upon request.

        The DMEPOS supplier should create internal mechanisms to ensure the proper use of the ZX modifier. Improper use of the modifier may result in the submission of false claims. The OIG recommends that the DMEPOS supplier's written policies and procedures address the DMEPOS supplier's protocol for using the ZX modifier.‹SUP›118‹/SUP›

        \118\ See relevant DMERC supplier manual(s) for guidelines on proper use.

      m. Cover Letters

        Cover letters are commonly used by the DMEPOS supplier as a method of communication between the DMEPOS supplier and the treating physician or other authorized person. The cover letter is not a form required or regulated by the Government. As a result, the DMERCs do not base Medicare denials solely on what may be considered inappropriate use of cover letters. However, the OIG is concerned that cover letters may influence or direct a physician's or other authorized person's answers on the CMN, particularly the questions relating to the patient's medical condition.‹SUP›119‹/SUP› It is the treating physician's or other authorized person's responsibility to determine both the medical need for, and the utilization of, health care services. The OIG encourages the DMEPOS supplier to include language in its cover letter to remind treating physicians and other authorized persons of their responsibilities in properly completing CMNs.

        \119\ Encouraging physicians or other authorized persons to order unwanted items or supplies may result in submitting claims for items or services that are not reasonable or necessary. The OIG is aware of instances where the DMEPOS supplier has copied the CMN, completed section B of the copy, and used this completed copy as its cover letter to physicians.

      n. Communication

        The OIG suggests that the DMEPOS supplier create mechanisms that increase the communication among treating physicians or other authorized persons who refer business to the DMEPOS supplier, the patients, and the DMEPOS supplier. We recommend that such mechanisms be included in the DMEPOS supplier's written policies and procedures. Such mechanisms may include: (i) the DMEPOS supplier periodically calling the patient to ensure the equipment is still being used and is operating properly; or (ii) periodically calling the treating physician to ensure the provided items continue to be medically necessary for a patient.

        In addition, we recommend the DMEPOS supplier create mechanisms to ensure communication between different departments (e.g., sales and billing) in order to prevent the filing of incorrect claims.

      o. Oxygen and Oxygen Equipment

        The OIG recommends that the written policies and procedures for DMEPOS suppliers furnishing oxygen state that the DMEPOS supplier will ensure that initial claims for oxygen therapy include the written results of an arterial blood gas study or oximetry test (on the CMN) that has been ordered and evaluated by the patient's treating physician. Further, the written policies and procedures should provide for the DMEPOS supplier to maintain such test results and any other independent diagnostic treatment facility (IDTF) documents supporting the patient's medical necessity for the oxygen. The OIG recommends that the DMEPOS supplier have the IDTFs, from which it receives test results, submit all raw test results to the treating physician for the physician's benefit, and not just a summary of the results. The written policies and procedures should provide that a DMEPOS supplier is not qualified to conduct the blood gas study or to prescribe the oxygen therapy.‹SUP›120‹/SUP›

        \120\ See Coverage Issues Manual, section 60-4.

        The OIG also recommends, for patient safety purposes, that the rental of oxygen include established maintenance safeguards and that steps are taken to ensure the equipment is properly maintained, as maintenance is included in the rental price of the equipment.

        When submitting an oxygen or oxygen equipment claim for reimbursement, the DMEPOS supplier must ensure it is complying with the payment rules.‹SUP›121‹/SUP›

        \121\ See 42 CFR 414.226.

        4. Anti-Kickback and Self-Referral Concerns

        The DMEPOS supplier should have policies and procedures in place with respect to compliance with Federal and State laws, including the anti-kickback statute, as well as the Stark physician self-referral law.‹SUP›122‹/SUP› Such policies should provide that:

        \122\ Towards this end, the DMEPOS supplier should, among other things, obtain copies of all relevant OIG regulations, Special Fraud Alerts, and Advisory Opinions (these documents are located on the Internet at http://www.dhhs.gov/progorg/oig), and ensure that the DMEPOS supplier's policies reflect the guidance provided by the OIG. See 42 U.S.C. 1395nn(a) for the Stark physician referral laws. See also 42 U.S.C. 1320a-7b for prohibited activities under the anti-kickback statute.

        ‹bullet› All of the DMEPOS supplier's contracts and arrangements with actual or potential referral sources (e.g., physicians) are reviewed by counsel and comply with all applicable statutes and regulations, including the anti-kickback statute and the Stark physician self-referral law; ‹SUP›123‹/SUP›

        \123\ If the DMEPOS supplier questions an arrangement into which it may enter, it should consider asking the OIG for an Advisory Opinion regarding the anti-kickback statute or HCFA for an Advisory Opinion regarding Stark. See 62 FR 7350 (February 19, 1997) and 63 FR 38,311 (July 16, 1998) for instructions on how to submit an Advisory Opinion to the OIG. These instructions are also located on the Internet at http://www.dhhs.gov/progorg/oig. See 63 FR 1645 (January 9, 1998) on how to submit an Advisory Opinion to HCFA.

        ‹bullet› The DMEPOS supplier will not submit or cause to be submitted to health care programs claims for patients who were referred to the DMEPOS supplier pursuant to contracts or financial arrangements that were designed to induce such referrals in violation of the anti-kickback statute or similar Federal or State statute or regulation or that otherwise violate the Stark physician self-referral law;

        [[Page 36380]]

        ‹bullet› A DMEPOS supplier does not offer a physician or other referral source more than fair market value for space rented to store items or supplies (i.e., consignment closet); and

        ‹bullet› The DMEPOS supplier does not offer or provide gifts, free services, or other incentives or things of value to patients, relatives of patients, physicians, home health agencies, nursing homes, hospitals, contractors, assisted living facilities, or other potential referral sources for the purpose of inducing referrals in violation of the anti-kickback statute or similar Federal or State statute or regulation.‹SUP›124‹/SUP›

        \124\ See 42 U.S.C. 1320a-7a(a)(5), which provides for CMPs for improper inducements to beneficiaries.

        Further, the OIG recommends that the written policies and procedures should specifically reference and take into account the OIG's safe harbor regulations, which describe those payment practices that are immune from criminal and administrative prosecution under the anti-kickback statute.‹SUP›125‹/SUP›

        \125\ See 42 CFR 1001.952. Simply because an arrangement does not meet a safe harbor does not necessarily mean it is illegal.

        The OIG believes all DMEPOS suppliers, regardless of size, should be concerned with potential anti-kickback and Stark violations. As a result, all DMEPOS suppliers should be knowledgeable about, and compliant with, the anti-kickback statute, the Stark physician self-referral law and other relevant Federal and State statutes or regulations.

        Although all DMEPOS suppliers are responsible for ensuring compliance with these provisions, the OIG recognizes that the small DMEPOS supplier may not have the resources to implement the suggestions in this section to the same extent as a large DMEPOS supplier. Therefore, the smaller DMEPOS supplier may need to employ a slightly different mechanism to ensure compliance. For example, the small DMEPOS supplier may want to choose a sample of contracts or financial arrangements to review on a periodic basis.

        5. Marketing

        Where marketing is permitted, the DMEPOS supplier's compliance program should require honest, straightforward, fully informative and non-deceptive marketing. It is in the best interest of patients, DMEPOS suppliers, physicians and health care programs that physicians or other persons authorized to order DMEPOS fully understand the services offered by the DMEPOS supplier, the items or services that will be provided when ordered, and the financial consequences for Medicare as well as other payors for the items or services ordered. The OIG recommends that if the DMEPOS supplier services a large number of non-English speaking patients, it should ensure that its marketing materials are available in those other languages. The DMEPOS supplier's written policies and procedures should ensure that its marketing information is clear, correct, and fully informative.

        Salespeople must not offer physicians, patients or other potential referral sources incentives, in cash or in kind, for their business.‹SUP›126‹/SUP› Similarly, they must not engage in any marketing activity that either explicitly or implicitly implies that Medicare beneficiaries are not obligated to pay their coinsurance or can receive ``free'' services.‹SUP›127‹/SUP› In addition, DMEPOS suppliers must not promote items or services to patients or physicians that are not reasonable or necessary for the treatment of the individual patient. The OIG suggests that the DMEPOS supplier's written policies and procedures create internal mechanisms to avoid these situations.

        \126\ See anti-kickback statute discussion in section II.A.4.

        \127\ See discussion in section II.A.3.j.

        With respect to marketing and sales, the OIG has a longstanding concern that percentage compensation arrangements for sales and marketing personnel may increase the risk of such persons violating the anti-kickback statute.‹SUP›128‹/SUP› The OIG recommends that the DMEPOS supplier monitor its sales representatives on a regular basis (e.g., rotate sales staff or send a sales manager on some sales calls).

        \128\ See e.g., 42 U.S.C. 1320a-7b(B); OIG Ad. Op. 98-10 (1998); section II.A.4.

        The DMEPOS suppliers are prohibited from making unsolicited telephone contacts to Medicare beneficiaries.‹SUP›129‹/SUP› We suggest that the DMEPOS supplier's written policies and procedures reflect this prohibition.

        \129\ See 42 U.S.C. 1395m(a)(17), Pub.L. 103-432, section 132(a).

        The DMEPOS suppliers are also prohibited from using symbols, emblems, or names in reference to Social Security or Medicare in a manner that they know or should know would convey the false impression that an item is approved, endorsed, or authorized by the Social Security Administration, HCFA, or the Department of Health and Human Services or that the supplier has some connection with, or authorization from, any of these agencies.‹SUP›130‹/SUP›

        \130\ See 42 U.S.C. 1320b-10.

        The OIG believes marketing strategies employed by all DMEPOS suppliers, regardless of size, should be clear, correct, honest, straightforward, non-deceptive and fully informative. In addition, all DMEPOS suppliers should inform their sales people of potential anti-kickback concerns, the telemarketing law, and the prohibition on inappropriately using references to Social Security and Medicare. Although the small DMEPOS supplier may not have extensive written policies and procedures, every DMEPOS supplier should ensure that its employees are clear on what is permitted and prohibited with regard to marketing.

        6. Retention of Records

        The DMEPOS supplier's compliance program should provide for the implementation of a records system. The DMEPOS supplier should ensure that records are maintained for the length of time required by Federal and State law and private payors, or by the DMEPOS supplier's record retention policies, whichever is longer. This system should establish policies and procedures regarding the creation, distribution, retention, storage, retrieval, and destruction of documents.‹SUP›131‹/SUP› The three types of documents developed under this system should include: (1) all records and documentation (e.g., billing and claims documentation) required either by Federal or State law and the program requirements of Federal, State, and private health plans; (2) records listing the persons responsible for implementing each part of the compliance program; and (3) all records necessary to protect the integrity of the DMEPOS supplier's compliance process and confirm the effectiveness of the program.‹SUP›132‹/SUP› The documentation necessary to satisfy the third requirement includes, but is not limited to: evidence of adequate employee training; reports from the DMEPOS supplier's hotline; results of any investigation conducted as a consequence of a hotline call; modifications to the compliance program; self-disclosure; all written notifications to physicians and payors; ‹SUP›133‹/SUP› and the results of the DMEPOS supplier's auditing and monitoring efforts.

        \131\ This records system should be tailored to fit the individual needs and financial resources of the DMEPOS supplier.

        \132\ The creation and retention of such documents and reports may raise a variety of legal issues, such as patient privacy and confidentiality. These issues are best discussed with legal counsel.

        \133\ This should include notifications regarding inappropriate claims and overpayments.

        All DMEPOS suppliers, regardless of size, must retain documents required by the health plans in which they

        [[Page 36381]]

        participate. In case of a future Government investigation, the OIG recommends that all DMEPOS suppliers retain documents relating to the implementation of their compliance programs.

        7. Compliance as an Element of a Performance Plan

        The DMEPOS supplier's compliance program should require that the promotion of, and adherence to, the elements of the compliance program be a factor in evaluating the performance of all employees. Employees should be periodically trained in new compliance policies and procedures. In addition, all managers and supervisors should:

        ‹bullet› Discuss with all supervised employees and relevant contractors the compliance policies and legal requirements applicable to their function;

        ‹bullet› Inform all supervised personnel that strict compliance with these policies and requirements is a condition of employment; and

        ‹bullet› Disclose to all supervised personnel that the DMEPOS supplier will take disciplinary action up to and including termination for violation of these policies or requirements.

        In addition to making performance of these duties an element in evaluations, the compliance officer or DMEPOS supplier management should include a policy that managers and supervisors will be sanctioned for failing to instruct adequately their subordinates or for failing to detect noncompliance with applicable policies and legal requirements, where reasonable diligence on the part of the manager or supervisor would have led to the discovery of any problems or violations.

        The OIG believes all DMEPOS suppliers, regardless of size, should ensure their employees understand the importance of compliance. If the small DMEPOS supplier does not have a formal performance evaluation structure, it should informally convey the employee's compliance responsibilities and the importance of these responsibilities.

    2. Designation of a Compliance Officer and a Compliance Committee

      1. Compliance Officer

      Every DMEPOS supplier should designate a compliance officer to serve as the focal point for compliance activities. The compliance officer should be a person of high integrity. This responsibility may be the individual's sole duty or added to other management responsibilities, depending upon the size and resources of the DMEPOS supplier and the complexity of the task. When a compliance officer has other duties, the other duties should not be in conflict with the compliance goals.‹SUP›134‹/SUP›

      \134\ E.g., companies should not choose a sales manager who may be pressured to achieve high sales, which might result in a conflict with compliance goals.

      Designating a compliance officer with the appropriate authority is critical to the success of the program, necessitating the appointment of a high-level official in the DMEPOS supplier with direct access to the DMEPOS supplier's owner(s), president or CEO, governing body, all other senior management, and legal counsel.‹SUP›135‹/SUP› The compliance officer should be highly enough placed in the company so that he or she can exercise independent judgment without fear of reprisal, and so that employees will know that bringing a problem to that person's attention is not a wasted exercise. The compliance officer should have sufficient funding and staff to fully perform his or her responsibilities. Coordination and communication are the key functions of the compliance officer with regard to planning, implementing, and monitoring the compliance program.

      \135\ The OIG believes that it is not advisable for the compliance function to be subordinate to the DMEPOS supplier's general counsel, comptroller or similar DMEPOS supplier financial officer. Free standing compliance functions help to ensure independent and objective legal reviews and financial analyses of the institution's compliance efforts and activities. By separating the compliance function from the key management positions of general counsel or chief financial officer (where the size and structure of the DMEPOS supplier make this a feasible option), a system of checks and balances is established to more effectively achieve the goals of the compliance program.

      The compliance officer's primary responsibilities should include:

      ‹bullet› Overseeing and monitoring the implementation of the compliance program; ‹SUP›136‹/SUP›

      \136\ For DMEPOS supplier chains, the OIG encourages coordination with each DMEPOS supplier location through the use of a headquarter's compliance officer, communicating with parallel positions in each facility or regional office, as appropriate.

      ‹bullet› Reporting on a regular basis to the DMEPOS supplier's owner(s), governing body, CEO, president, and compliance committee (if applicable) on the progress of implementation, and assisting these components in establishing methods to improve the DMEPOS supplier's efficiency and quality of services, and to reduce the DMEPOS supplier's vulnerability to fraud, abuse, and waste;

      ‹bullet› Periodically revising the program in light of changes in the organization's needs, and in the statutes, rules, regulations, and requirements of Federal, State, and private payor health care plans;

      ‹bullet› Reviewing employees' certifications that they have received, read, understood, and will abide by the standards of conduct;

      ‹bullet› Developing, coordinating, and participating in a multifaceted educational and training program that focuses on the elements of the compliance program, and seeks to ensure that all appropriate employees and managers are knowledgeable of, and comply with, pertinent Federal, State and private payor health care program requirements;

      ‹bullet› Ensuring independent contractors and agents who provide services (e.g., billing companies, delivery services and sources of referrals, i.e., physicians and others) to the DMEPOS supplier are aware of the requirements of the DMEPOS supplier's compliance program with respect to coverage, billing, marketing, and kickbacks, among other things;

      ‹bullet› Coordinating personnel issues with the DMEPOS supplier's Human Resources/Personnel office (or its equivalent). The OIG recommends that the DMEPOS supplier check the List of Excluded Individuals/Entities,‹SUP›137‹/SUP› and the General Services Administration's List of Parties Excluded from Federal Procurement and Nonprocurement Programs ‹SUP›138‹/SUP› to ensure employees and independent contractors have not been excluded or debarred from participating in Federal programs.‹SUP›139‹/SUP› Depending upon State requirements or DMEPOS supplier policy, the Compliance Officer may also conduct a criminal background check of employees;

      \137\ The List of Excluded Individuals/Entities is an OIG-produced report available on the Internet at http://www.dhhs.gov/progorg/oig. It is updated on a regular basis to reflect the status of individuals and entities who have been excluded from participation in all Federal health care programs (individuals/entities excluded before August 5, 1997 were only excluded from participation in Medicare, Medicaid, Title V and Title XX programs). The DMEPOS supplier can download the List of Excluded Individuals/Entities and the subsequent monthly exclusion and reinstatement supplements or can use the online search feature.

      \138\ The List of Parties Excluded from Federal Procurement and Nonprocurement Programs is a GSA-produced report available on the Internet at http://www.arnet.bov/epls.

      \139\ The OIG recognizes that a DMEPOS supplier cannot make medical necessity determinations and may not be aware when a patient's condition changes. However, a DMEPOS supplier should be aware that if it submits a claim in which an excluded physician provided the referral, Medicare will deny payment.

      ‹bullet› Assisting the DMEPOS supplier's financial management in coordinating internal compliance review and monitoring activities, including annual or periodic reviews of departments;

      [[Page 36382]]

      ‹bullet› Independently investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations (e.g., responding to reports of problems or suspected violations) and any resulting corrective action (e.g., making necessary improvements to DMEPOS supplier policies and practices, taking appropriate disciplinary action, etc.) with all DMEPOS supplier departments, independent contractors, and health care professionals;

      ‹bullet› Developing policies and programs that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation; and

      ‹bullet› Continuing the momentum of the compliance program and the accomplishment of its objectives long after the initial years of implementation.‹SUP›140‹/SUP›

      \140\ Periodic on-site visits of DMEPOS supplier operations, bulletins with compliance updates and reminders, distribution of audiotapes or videotapes on different risk areas, lectures at management and employee meetings, circulation of recent health care articles covering fraud and abuse, and innovative changes to compliance training are various examples of approaches and techniques the compliance officer can employ for the purpose of ensuring continued interest in the compliance program and the DMEPOS supplier's commitment to its policies and principles.

      The compliance officer must have the authority to review all documents and other information that are relevant to compliance activities, including, but not limited to, patient records (where appropriate), billing records, and DMEPOS supplier records concerning the marketing efforts of the DMEPOS supplier and the DMEPOS supplier's arrangements with other parties, including employees, home health agencies, skilled nursing facilities, and treating physicians or other authorized persons. This policy enables the compliance officer to review contracts and obligations (seeking the advice of legal counsel, where appropriate) that may contain referral and payment provisions that could violate the anti-kickback statute, as well as the Stark physician self-referral prohibition or other statutory or regulatory requirements.

      In addition, the compliance officer should be copied on the results of all internal audit reports and work closely with key managers to identify aberrant trends in the coding and billing areas. The compliance officer should ascertain patterns that require a change in policy and forward these issues to the compliance committee to remedy the problem. The compliance officer should have full authority to stop the processing of claims that he or she believes are problematic until such time as the issue in question has been resolved.

      The OIG believes all DMEPOS suppliers, regardless of size, should have a compliance officer or contact who possesses a high degree of integrity, is knowledgeable about the rules, regulations, and policies under which the DMEPOS supplier operates and has sufficient authority to exercise independent judgment. A small DMEPOS supplier may not have the need or the resources to hire/appoint a full time compliance officer. However, each DMEPOS supplier should have a person in its organization (this person may have other functional responsibilities) who can oversee the DMEPOS supplier's compliance with respect to applicable statutes, rules, regulations, and policies. The structure and comprehensiveness of the DMEPOS supplier's compliance program will help determine the responsibilities of each individual compliance officer.

      2. Compliance Committee

      The OIG recommends, where feasible, that a compliance committee be established to advise the compliance officer and assist in the implementation of the compliance program.‹SUP›141‹/SUP› When assembling a team of people to serve as the DMEPOS supplier's compliance committee, the DMEPOS supplier should include individuals with a variety of skills.‹SUP›142‹/SUP› The OIG strongly recommends that the compliance officer manage the compliance committee. Once a DMEPOS supplier chooses the people that will accept the responsibilities vested in members of the compliance committee, the DMEPOS supplier must train these individuals on the policies and procedures of the compliance program, as well as how to discharge their duties.

      \141\ The compliance committee benefits from having the perspectives of individuals with varying responsibilities in the organization, such as operations, billing, coding, marketing, and human resources, as well as employees and managers of key operating units. These individuals should have the requisite seniority and comprehensive experience within their respective departments to implement any necessary changes to the DMEPOS supplier's policies and procedures as recommended by the committee. A compliance committee for a DMEPOS supplier that is part of another organization (e.g., home health agency) might benefit from the participation of officials from other departments in the organization, such as the accounting and billing departments.

      \142\ A DMEPOS supplier should expect its compliance committee members and compliance officer to demonstrate high integrity, good judgment, assertiveness, and an approachable demeanor, while eliciting the respect and trust of employees of the DMEPOS supplier. The DMEPOS supplier's compliance committee members should also have significant professional experience working with billing, documentation, and auditing principles.

      The committee's responsibilities should include:

      ‹bullet› Analyzing the organization's regulatory environment, the legal requirements with which it must comply,‹SUP›143‹/SUP› and specific risk areas;

      \143\ This includes, but is not limited to, the civil False Claims Act, 31 U.S.C. 3729-3733; the criminal false claims statutes, 18 U.S.C. 287, 1001; the fraud and abuse provisions of the Balanced Budget Act of 1997, Pub.L. 105-33; the Health Insurance Portability and Accountability Act of 1996, Pub.L. 104-191; and compliance with the Medicare supplier standards, 42 CFR 424.57.

      ‹bullet› Assessing existing policies and procedures that address these risk areas for possible incorporation into the compliance program;

      ‹bullet› Working with appropriate DMEPOS supplier departments to develop standards of conduct and policies and procedures that promote allegiance to the DMEPOS supplier's compliance program;

      ‹bullet› Recommending and monitoring, in conjunction with the relevant departments, the development of internal systems and controls to carry out the organization's standards, policies, and procedures as part of its daily operations; ‹SUP›144‹/SUP›

      \144\ With respect to national DMEPOS supplier chains, this may include fostering coordination and communication between those employees responsible for compliance at headquarters and those responsible for compliance at the individual supplier branches.

      ‹bullet› Determining the appropriate strategy/approach to promote compliance with the program and detection of any potential violations, such as through hotlines and other fraud reporting mechanisms;

      ‹bullet› Developing a system to solicit, evaluate, and respond to complaints and problems; and

      ‹bullet› Monitoring internal and external audits and investigations for the purpose of identifying troublesome issues and deficient areas experienced by the DMEPOS supplier, and implementing corrective and preventive action.

      The committee may also address other functions as the compliance concept becomes part of the overall DMEPOS supplier's operating structure and daily routine.

      The compliance committee is an extension of the compliance officer and provides the organization with increased oversight. The OIG recognizes that small DMEPOS suppliers may not have the resources or the need to establish a compliance committee. However, when potential problems are identified, the OIG recommends that the small DMEPOS supplier create a

      [[Page 36383]]

      ``taskforce,'' if appropriate, to address the problem. The members of the taskforce may vary depending upon the issue.

    3. Conducting Effective Training and Education

      1. Initial Training in Compliance

      The proper education and training of corporate officers, managers, employees and the continual retraining of current personnel at all levels, are significant elements of an effective compliance program. In order to ensure the appropriate information is being disseminated to the correct individuals, the training should be separated into sessions. All employees should attend the general session on compliance, and employees whose job primarily focuses on submission of claims for reimbursement, or who are involved in sales and marketing, should receive additional training on these particular subjects. In addition, the OIG recommends that the DMEPOS supplier inform physicians, independent contractors, and significant agents that it has implemented a compliance program.

      a. General Sessions

      The OIG recommends, as part of its compliance program, that the DMEPOS supplier require all affected personnel to attend training on an annual basis, including appropriate training in Federal and State statutes, regulations and guidelines, HCFA manual instructions, DMERC medical review policies, the policies of private payors, and training in corporate ethics. The general training session should emphasize the DMEPOS supplier's commitment to compliance with these legal requirements and policies.

      These training programs should include sessions highlighting the DMEPOS supplier's compliance program, summarizing fraud and abuse statutes and regulations, Federal, State and private payor health care program requirements, claim submission procedures and marketing practices that reflect current legal and program standards. The DMEPOS supplier must take steps to communicate effectively its standards and procedures to all affected employees (e.g., by requiring participation in training programs and disseminating publications that explain specific requirements in a practical manner).‹SUP›145‹/SUP› DMEPOS suppliers may also wish to offer such training sessions to interested independent contractors and physicians. Managers of specific departments can assist in identifying areas that require training and in carrying out such training.‹SUP›146‹/SUP› New employees should be targeted for training early in their employment.‹SUP›147‹/SUP›

      \145\ OIG publications such as Special Fraud Alerts, audit and inspection reports, and Advisory Opinions, as well as the annual OIG Work Plan, are readily available from the OIG and could be the basis for standards, educational courses and programs.

      \146\ Significant variations in functions and responsibilities of different departments may create the need for training materials that are tailored to the compliance concerns associated with particular operations and duties. Instructors may come from outside or inside the organization.

      \147\ Certain positions, such as those involving developing and submitting claims, as well as sales and marketing, create a greater organizational legal exposure, and therefore require specialized training. The DMEPOS supplier should fill such positions with individuals who have the appropriate educational background, training, experience, and credentials.

      As part of the initial training, the standards of conduct should be distributed to all employees.‹SUP›148‹/SUP› At the end of this training session, every employee should be required to sign and date a statement that reflects his or her knowledge of and commitment to the standards of conduct. This attestation should be retained in the employee's personnel file.

      \148\ Where the DMEPOS supplier has a culturally diverse employee base, the standards of conduct should be translated into other languages and written at appropriate reading levels.

      Further, to assist in ensuring that employees continuously meet the expected high standards of conduct, any employee handbook delineating or expanding upon these standards should be regularly updated as applicable statutes, regulations and Federal health care program requirements are modified.‹SUP›149‹/SUP› The DMEPOS supplier should provide an additional attestation in the modified standards that stipulates the employee's knowledge of and commitment to the modifications.

      \149\ The OIG recognizes that not all standards, policies and procedures need to be communicated to all employees. However, the OIG believes that the bulk of the standards that relate to complying with fraud and abuse laws and other ethical areas should be addressed and made part of all employees' training. A DMEPOS supplier should determine the additional training to provide categories of employees based upon their job responsibilities.

      b. Claim Development and Billing Training

      In addition to specific training in the risk areas identified in section II.A.2, above, primary training to appropriate corporate officers, managers and other claim development and billing staff should include such topics as:

      ‹bullet› Specific Government and private payor reimbursement principles; ‹SUP›150‹/SUP›

      \150\ Government, in this context, includes the appropriate Medicare DMERC(s).

      ‹bullet› Providing and billing DMEPOS items or services without proper authorization;

      ‹bullet› Proper documentation of services rendered, including the correct application of official ICD-9 and HCPCS coding rules and guidelines;

      ‹bullet› Improper alterations to documentation (e.g., patient records, CMNs);

      ‹bullet› Compliance with the Federal, State and private payor supplier standards; and

      ‹bullet› Duty to report misconduct.

      Clarifying and emphasizing these areas of concern through training and educational programs are particularly relevant to a DMEPOS supplier's billing and coding personnel, in that the pressure to meet business goals may render employees vulnerable to engaging in prohibited practices.

      c. Sales and Marketing Training

      In addition to specific training in the risk areas identified in section II.A.2, above, primary training to sales and marketing personnel should include such topics as:

      • General prohibition on paying or receiving remuneration to induce referrals;

      • Routine waiver of deductibles and/or coinsurance;

      • Disguising referral fees as salaries;

      • Offering free items or services to induce referrals;

      • High pressure marketing of noncovered or unnecessary services;

      • Improper patient solicitation; and

      • Duty to report misconduct.

      Clarifying and emphasizing these areas of concern through training and educational programs are particularly relevant to a DMEPOS supplier's sales and marketing personnel, in that the pressure to meet business goals may render employees vulnerable to engaging in prohibited practices.

      The OIG believes all DMEPOS suppliers, regardless of size, should ensure that their employees are well trained and are abiding by the applicable statutes, regulations, and policies. Each employee should know the procedures or who to consult when confronted with a particular situation.

      2. Format of the Training Program

      The OIG suggests that all relevant levels of personnel be made part of various educational and training programs of the DMEPOS supplier.\151\

      Employees should be required to have a minimum number of educational hours per year, as appropriate, as part of their employment obligations.\152\ For example, as discussed above, employees involved in billing functions should be required to attend periodic training in applicable reimbursement coverage and documentation of records.\153\

      \151\ In addition, where feasible, the OIG recommends that a DMEPOS supplier afford outside contractors and its physician clients the opportunity to participate in the DMEPOS supplier's compliance training and educational programs, or develop their own programs that complement the DMEPOS supplier's standards of conduct, compliance requirements and other rules and practices.

      \152\ Currently, the OIG is monitoring a significant number of corporate integrity agreements that require many of these training elements. The OIG usually requires a minimum of one to three hours annually for basic training in compliance areas. Additional training is required for specialty fields such as billing, coding, sales and marketing.

      \153\ Appropriate coding and billing depends upon the quality and completeness of documentation. Therefore, the OIG believes that the DMEPOS supplier must foster an environment where interactive communication is encouraged.

      A variety of teaching methods, such as interactive training and training in several different languages, particularly where a DMEPOS supplier has a culturally diverse staff, should be implemented so that all affected employees are knowledgeable about the DMEPOS supplier's standards of conduct and procedures for alerting senior management to problems and concerns.\154\ Targeted training should be provided to corporate officers, managers and other employees whose actions affect the accuracy of the claims submitted to the Government, such as employees involved in the coding, billing, sales, and marketing processes. All training materials should be designed to take into account the skills, knowledge and experience of the individual trainees. Given the complexity and interdependent relationships of many departments, it is important for the compliance officer to supervise and coordinate the training program.

      \154\ Post training tests can be used to assess the success of training provided and employee comprehension of the DMEPOS supplier's policies and procedures.

      The OIG recommends that attendance and participation in training programs be made a condition of continued employment and that failure to comply with training requirements should result in disciplinary action, including possible termination, when such failure is serious. Adherence to the provisions of the compliance program, such as training requirements, should be a factor in the annual evaluation of each employee. The DMEPOS supplier should retain adequate records of its training of employees, including attendance logs and material distributed at training sessions.

      The OIG recognizes the format of the training program will vary depending upon the resources of the DMEPOS supplier. For example, a small DMEPOS supplier may want to create a video for each type of training session so new employees can receive training in a timely manner.

      3. Continuing Education on Compliance Issues

      It is essential that compliance issues remain at the forefront of the DMEPOS supplier's priorities. The OIG recommends that the DMEPOS supplier's compliance program address the need for periodic professional education courses for DMEPOS supplier personnel. In particular, the DMEPOS supplier should ensure that coding personnel receive annual professional training on the updated codes for the current year and have knowledge of the SADMERC's HCPCS coding helpline.\155\

      \155\ See note 96.

      In order to maintain a sense of seriousness about compliance in a DMEPOS supplier's operations, the DMEPOS supplier must continue to disseminate the compliance message. One effective mechanism for maintaining a consistent presence of the compliance message is to publish a monthly newsletter to address compliance concerns. This would allow the DMEPOS supplier to address specific examples of problems the company encountered during its ongoing audits and risk analyses, while reinforcing the DMEPOS supplier's firm commitment to the general principles of compliance and ethical conduct. The newsletter could also include the risk areas published by the OIG in its Special Fraud Alerts. Finally, the DMEPOS supplier could use the newsletter as a mechanism to address areas of ambiguity in the coding and billing process and/or its sales and marketing practices. The DMEPOS supplier should maintain its newsletters in a central location to document the guidance offered, and provide new employees with access to guidance previously provided.

      The OIG believes it is important that all DMEPOS suppliers, regardless of size, maintain knowledgeable employees. The OIG recognizes that regularly sending employees to continuing education classes or publishing newsletters may not be feasible for small DMEPOS suppliers. Small DMEPOS suppliers may have their employees meet on a regular basis to discuss information in the DMERC's Medicare bulletin (e.g., coding changes, procedural changes, policy changes, etc.). Such regularly held meetings will help demonstrate the DMEPOS supplier's commitment to compliance.

    4. Developing Effective Lines of Communication

      1. Access to the Compliance Officer

      An open line of communication between the compliance officer and DMEPOS supplier employees is equally important to the successful implementation of a compliance program and the reduction of any potential for fraud, abuse, and waste. Written confidentiality and non-retaliation policies should be developed and distributed to all employees to encourage communication and the reporting of incidents of potential fraud.\156\ The compliance committee should also develop several independent reporting paths for an employee to report fraud, waste, or abuse so that such reports cannot be diverted by supervisors or other personnel.

      \156\ The OIG believes that whistleblowers should be protected against retaliation, a concept embodied in the provisions of the False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees sue their employers under the False Claims Act's qui tam provisions out of frustration because of the company's failure to take action when a questionable, fraudulent, or abusive situation was brought to the attention of senior corporate officials.

      The OIG encourages the establishment of a procedure for personnel to seek clarification from the compliance officer or members of the compliance committee in the event of any confusion or question regarding a DMEPOS supplier policy, practice or procedure. Questions and responses should be documented and dated and, if appropriate, shared with other staff so that standards, policies, practices, and procedures can be updated and improved to reflect any necessary changes or clarifications. The compliance officer may want to solicit employee input in developing these communication and reporting systems.

      2. Hotlines and Other Forms of Communication

      The OIG encourages the use of hotlines,\157\ e-mails, written memoranda, newsletters, suggestion boxes, and other forms of information exchange to maintain these open lines of communication.\158\ If the DMEPOS supplier establishes a hotline, the telephone number should be made readily available to all employees and independent contractors, possibly by circulating the number on wallet cards or conspicuously posting the telephone number in common work areas.\159\ Employees should be permitted to report matters on an anonymous basis. Matters reported through the hotline or other communication sources that suggest substantial violations of compliance policies, Federal, State or private payor health care program requirements, regulations, or statutes should be documented and investigated promptly to determine their veracity. A log should be maintained by the compliance officer that records such calls, including the nature of any investigation and its results.\160\ Such information should be included in reports to the owner(s), governing body, CEO, president, and compliance committee.\161\ Further, while the DMEPOS supplier should always strive to maintain the confidentiality of an employee's identity, it should also explicitly communicate that there may be a point where the individual's identity may become known or may have to be revealed.

      \157\ The OIG recognizes that it may not be financially feasible for a small DMEPOS supplier to maintain a telephone hotline dedicated to receiving calls solely on compliance issues. These companies may want to explore alternative methods, e.g., outsourcing the hotline or establishing a written method of confidential disclosure.

      \158\ In addition to methods of communication used by current employees, an effective employee exit interview program could be designed to solicit information from departing employees regarding potential misconduct and suspected violations of DMEPOS supplier policies and procedures.

      \159\ DMEPOS suppliers should also post in a prominent, available area the HHS-OIG Hotline telephone number, 1-800-447-8477 (1-800-HHS-TIPS), in addition to any company hotline number that may be posted.

      \160\ To efficiently and accurately fulfill such an obligation, a DMEPOS supplier should create an intake form for all compliance issues identified through reporting mechanisms. The form could include information concerning the date that the potential problem was reported, the internal investigative methods utilized, the results of the investigation, any corrective action implemented, any disciplinary measures imposed, and any overpayments returned.

      \161\ Information obtained over the hotline may provide valuable insight into management practices and operations, whether reported problems are actual or perceived.

      The OIG recognizes that assertions of fraud and abuse by employees who may have participated in illegal conduct or committed other malfeasance raise numerous complex legal and management issues that should be examined on a case-by-case basis. The compliance officer should work closely with legal counsel, who can provide guidance regarding such issues.

      The OIG recognizes that protecting anonymity may be infeasible for small DMEPOS suppliers. However, the OIG believes all DMEPOS supplier employees, when seeking answers to questions or reporting potential instances of fraud and abuse, should know who to consult and should be able to do so without fear of retribution.

    5. Auditing and Monitoring

      An ongoing evaluation process is critical to a successful compliance program. The OIG believes that an effective program should incorporate thorough monitoring of its implementation and regular reporting to the DMEPOS supplier's corporate officers.\162\ Compliance reports created by this ongoing monitoring, including reports of suspected noncompliance, should be maintained by the compliance officer and shared with the DMEPOS supplier's corporate officers and the compliance committee. The extent and frequency of the audit function may vary depending on factors such as the size of the DMEPOS supplier, the resources available to the DMEPOS supplier, the DMEPOS supplier's prior history of noncompliance, and the risk factors that are prevalent in a particular DMEPOS supplier.

      \162\ Even when a DMEPOS supplier is owned by a larger corporate entity, the regular auditing and monitoring of the compliance activities of an individual DMEPOS supplier location must be a key feature in any annual review. Appropriate reports on audit findings should be periodically provided and explained to a parent organization's senior staff and officers.

      Although many monitoring techniques are available, one effective tool to promote and ensure compliance is the performance of regular, periodic compliance audits by internal or external auditors who have expertise in Federal and State health care statutes, rules, regulations, and Federal, State and private payor health care program requirements. The audits should focus on the different departments within the DMEPOS supplier, including external relationships with third-party contractors. At a minimum, these audits should be designed to address the DMEPOS supplier's compliance with laws governing kickback arrangements, the physician self-referral prohibition, pricing, contracts, claim development and submission, reimbursement, sales and marketing. In addition, the audits and reviews should examine the DMEPOS supplier's compliance with the Federal, State and private payor supplier standards and the specific rules and policies that have been the focus of particular attention on the part of the Medicare DMERCs, and law enforcement, as evidenced by educational and other communications from OIG Special Fraud Alerts, Advisory Opinions, OIG audits and evaluations, and law enforcement's initiatives.\163\ In addition, the DMEPOS supplier should focus on any areas of specific concern identified within that DMEPOS supplier and those that may have been identified by any entity, whether Federal, State, private or internal.

      \163\ See also section II.A.2.

      Monitoring techniques may include sampling protocols that permit the compliance officer to identify and review variations from an established baseline.\164\ Significant variations from the baseline should trigger a reasonable inquiry to determine the cause of the deviation. If the inquiry determines that the deviation occurred for legitimate, explainable reasons, the compliance officer and DMEPOS supplier management may want to limit any corrective action or take no action. If it is determined that the deviation was caused by improper procedures, misunderstanding of rules, including fraud and systemic problems, the DMEPOS supplier should take prompt steps to correct the problem.\165\ Any overpayments discovered as a result of such deviations should be returned promptly to the affected payor. The OIG recommends sending the payor the following information with the overpayment: (1) that the refund is being made pursuant to a voluntary compliance program; (2) a description of the complete causes and circumstances surrounding the overpayment; (3) the methodology by which the overpayment was determined; (4) the amount of the overpayment; and (5) any claim-specific information, reviewed as part of the self-audit, used to determine the overpayment (e.g., beneficiary health insurance claims number, claim number, date of service, and payment date). Inclusion of such information with the overpayment will aid the payor in making the adjustment and may prevent it from requesting additional information.

      \164\ The OIG recommends that when a compliance program is established in a DMEPOS supplier, the compliance officer, with the assistance of department managers, should take a "snapshot" of operations from a compliance perspective. This assessment can be undertaken by outside consultants, law or accounting firms, or internal staff, with authoritative knowledge of health care compliance requirements. This "snapshot," often used as part of benchmarking analyses, becomes a baseline for the compliance officer and other managers to judge the DMEPOS supplier's progress in reducing or eliminating potential areas of vulnerability.

      \165\ In addition, when appropriate, as referenced in section II.G.2, below, reports of fraud or systemic problems should also be made to the appropriate governmental authority.

      An effective compliance program should also incorporate periodic (at least annual) reviews of whether the program's compliance elements have been satisfied, e.g., whether there has been appropriate dissemination of the program's standards, training, ongoing educational programs, and disciplinary actions, among other elements.\166\ This process will verify actual conformance by all departments with the compliance program and may identify the necessity for improvements to be made to the compliance program, as well as the DMEPOS supplier's operations. Such reviews could support a determination that appropriate records have been created and maintained to document the implementation of an effective program.\167\ However, when monitoring discloses that deviations were not detected in a timely manner due to program deficiencies, appropriate modifications must be implemented. Such evaluations, when developed with the support of management, can help ensure compliance with the DMEPOS supplier's policies and procedures.

      \166\ One way to assess the knowledge, awareness, and perceptions of a DMEPOS supplier's employees is through the use of a validated survey instrument (e.g., employee questionnaires, interviews, or focus groups).

      \167\ Such records should include, but not be limited to, logs of hotline calls, logs of training attendees, training agenda and materials, and summaries of corrective action and improvements with respect to DMEPOS supplier policies as a result of compliance activities.

      As part of the review process, the compliance officer or reviewers should consider techniques such as:

      • Testing billing staff on their knowledge of reimbursement coverage criteria and official coding guidelines (e.g., present hypothetical scenarios of situations experienced in daily practice and assess responses);

      • On-site visits to all facilities and locations;

      • Ongoing risk analysis and vulnerability assessments of the DMEPOS supplier's operations;

      • Assessment of existing relationships with physicians, and other potential referral sources;

      • Unannounced audits, mock surveys, and investigations;

      • Examination of the DMEPOS supplier's complaint logs;

      • Checking personnel records to determine whether any individuals who have been reprimanded for compliance issues in the past are among those currently engaged in improper conduct;

      • Interviews with personnel involved in management, operations, sales and marketing, claim development and submission, and other related activities;

      • Questionnaires developed to solicit impressions of the DMEPOS supplier's employees;

      • Interviews with physicians or other authorized persons who order services provided by the DMEPOS supplier;

      • Interviews with independent contractors who provide services to the DMEPOS supplier;

      • Reviews of medical necessity documentation (e.g., physicians' orders, CMNs), and other documents that support claims for reimbursement;

      • Validation of qualifications of physicians or other authorized persons who order services provided by the DMEPOS supplier;

      • Evaluation of written materials and documentation outlining the DMEPOS supplier's policies and procedures; and

      • Utilization/trend analyses that uncover deviations, positive or negative, for specific HCPCS codes or types of items over a given period.

      The reviewers should:

      • Possess the qualifications and experience necessary to adequately identify potential issues with the subject matter to be reviewed;

      • Be objective and independent of line management;\168\

      \168\ The OIG recognizes that DMEPOS suppliers that are small in size and have limited resources may not be able to use internal reviewers who are not part of line management or hire outside reviewers.

      • Have access to existing audit and health care resources, relevant personnel, and all relevant areas of operation;

      • Present written evaluative reports on compliance activities to the owner(s), president, CEO, governing body, and members of the compliance committee on a regular basis, but not less than annually; and

      • Specifically identify areas where corrective actions are needed.

      We recommend that these audit reports be prepared and submitted to the compliance officer and senior management to ensure they are aware of the results. We suggest the reports specifically identify areas where corrective actions are needed. With these reports, DMEPOS supplier management can take whatever steps are necessary to correct past problems and prevent them from recurring. In certain cases, subsequent reviews or studies would be advisable to ensure that the recommended corrective actions have been implemented successfully.

      A DMEPOS supplier should document its efforts to comply with applicable Federal and State statutes, rules, and regulations, and Federal, State and private payor health care program requirements. For example, where a DMEPOS supplier, in its efforts to comply with a particular statute, regulation or program requirement, requests advice from a Government agency (including a Medicare DMERC) charged with administering a Federal health care program, the DMEPOS supplier should document and retain a record of the request and any written or oral response, including the identity and position of the individual providing the response. The DMEPOS suppliers should take the same steps when requesting advice from private payors. This step is extremely important if the DMEPOS supplier intends to rely on that response to guide it in future decisions, actions, or claim reimbursement requests or appeals. A log of oral inquiries between the DMEPOS supplier and third parties will help the organization document its attempts at compliance. In addition, the DMEPOS supplier should maintain records relevant to the issue of whether its reliance was "reasonable" and whether it exercised due diligence in developing procedures and practices to implement the advice.

      The OIG recommends that all DMEPOS suppliers, regardless of size, conduct audits to ensure compliance with the applicable statutes, regulations and policies. The OIG recognizes that the small DMEPOS supplier may not have the resources to audit its operations to the extent suggested previously in this section. At a minimum, the OIG recommends that the small DMEPOS supplier conduct an internal audit. The DMEPOS supplier may choose to review a random sample of claims based on the risk areas it identified. We recommend that the DMEPOS supplier conduct an initial baseline audit and periodically conduct follow-up audits. If problems were identified in the baseline audit, the DMEPOS supplier may want to re-audit the same issue, at a later date, in order to measure the effectiveness of any corrective action(s) implemented as a result of the DMEPOS supplier's compliance program. The DMEPOS supplier should document the results of all audits it conducts. The DMEPOS supplier may want to use the OIG's Audit Process handbook to help design the audit.\169\

      \169\ The Audit Process handbook can be downloaded from the OIG Office of Audit Services' webpage at http://www.hhs.gov/progorg/oas.

      The extent of a DMEPOS supplier's audit should depend on the DMEPOS supplier's identified risk areas and resources. If the DMEPOS supplier comes under Government scrutiny in the future, the Government will assess whether or not the DMEPOS supplier developed a comprehensive audit based upon identified risk areas and resources.

      If the Government determines that the DMEPOS supplier failed to develop an adequate audit program, given its resources, the Government will be less likely to afford the DMEPOS supplier favorable treatment under its various enforcement authorities.

    6. Enforcing Standards Through Well-Publicized Disciplinary Guidelines

      1. Discipline Policy and Actions

      An effective compliance program should include guidance regarding disciplinary action for corporate officers, managers, independent agents and other DMEPOS supplier employees who have failed to comply with the DMEPOS supplier's standards of conduct, policies and procedures, Federal and State statutes, rules, and regulations or Federal, State or private payor health care program requirements. It should also address disciplinary actions for those who have engaged in wrongdoing, which has the potential to impair the DMEPOS supplier's status as a reliable, honest, and trustworthy health care provider.

      The OIG believes that the compliance program should include a written policy statement setting forth the degrees of disciplinary actions that may be imposed upon corporate officers, managers, independent agents and other DMEPOS supplier employees for failing to comply with the DMEPOS supplier's standards, policies, and applicable statutes and regulations. Intentional or reckless noncompliance should subject transgressors to significant sanctions. Such sanctions could include oral warnings, suspension, termination, or other sanctions, as appropriate. Each situation must be considered on a case-by-case basis to determine the appropriate sanction. The written standards of conduct should elaborate on the procedures for handling disciplinary problems and specify those who will be responsible for taking appropriate action. Some disciplinary actions can be handled by managers, while others may have to be resolved by the owner(s), president or CEO. Disciplinary action may be appropriate where a responsible employee's failure to detect a violation is attributable to his or her negligence or reckless conduct. Personnel should be advised by the DMEPOS supplier that disciplinary action will be taken on a fair and equitable basis. Managers and supervisors should be made aware that they have a responsibility to discipline employees in an appropriate and consistent manner.

      It is vital to publish and disseminate the range of disciplinary standards for improper conduct and to educate corporate officers, managers, and other DMEPOS supplier employees regarding these standards. The consequences of noncompliance should be consistently applied and enforced, in order for the disciplinary policy to have the required deterrent effect. All levels of employees should be subject to the same types of disciplinary action for the commission of similar offenses. The commitment to compliance applies to all personnel levels within a DMEPOS supplier. The OIG believes that corporate officers, managers, and supervisors should be held accountable for failing to comply with, or for the foreseeable failure of their subordinates to adhere to, the applicable standards, statutes, rules, regulations and procedures.

      The OIG believes all DMEPOS suppliers, regardless of size, should consistently apply the consequences of non-compliance. The OIG recognizes that small DMEPOS suppliers may not have a written document detailing the disciplinary actions for non-compliance. However, all employees should be clearly informed of such consequences.

      2. New Employee Policy

      For all new employees who have discretionary authority to make decisions that may involve compliance with the law or compliance oversight, DMEPOS suppliers should conduct a reasonable and prudent background investigation, including a reference check,\170\ as part of every such employment application. The application should specifically require the applicant to disclose any criminal conviction, as defined by 42 U.S.C. 1320a-7(i), or exclusion action. Pursuant to the compliance program, the DMEPOS supplier's policies should prohibit the employment of individuals who have been recently convicted of a criminal offense related to health care or who are listed as debarred, excluded, or otherwise ineligible for participation in Federal health care programs (as defined in 42 U.S.C. 1320a-7b(f)).\171\ In addition, pending the resolution of any criminal charges or proposed debarment or exclusion, the OIG recommends that such employees should be removed from direct responsibility for, or involvement with, the DMEPOS supplier's business operations related to any Federal health care program. In addition, we recommend that the DMEPOS supplier remove such employee from any position(s) for which the employee's salary or the items or services rendered by the employee are paid in whole or part, directly or indirectly, by Federal health care programs or otherwise with Federal funds.\172\ If resolution of the matter results in conviction, debarment, or exclusion, then the DMEPOS supplier should remove the individual from direct responsibility for or involvement with all Federal health care programs. Similarly, if an independent contractor or a referring physician or other authorized person is debarred or excluded from participation in Federal health care programs, and the DMEPOS supplier is aware of it, the DMEPOS supplier should not involve that individual/entity in the Federal health care portion of its business.

      \170\ See notes 137 and 138. Since the employees of DMEPOS suppliers have access to potentially vulnerable people and their property, DMEPOS suppliers should also strictly scrutinize whether they should employ individuals who have been convicted of crimes of neglect, violence or financial misconduct.

      \171\ Likewise, DMEPOS supplier compliance programs should establish standards prohibiting the execution of contracts with companies that have been recently convicted of a criminal offense related to health care or that are listed by a Federal agency as debarred, excluded, or otherwise ineligible for participation in Federal health care programs. See notes 137 and 138.

      \172\ Prospective employees who have been officially reinstated into the Medicare and Medicaid programs by the OIG may be considered for employment upon proof of such reinstatement.

      The OIG believes all DMEPOS suppliers, regardless of size, should ensure that they do not employ or contract with anyone who has been debarred, excluded or is otherwise ineligible to participate in Federal health care programs.

    7. Responding to Detected Offenses and Developing Corrective Action Initiatives

      1. Violations and Investigations

        Violations of a DMEPOS supplier's compliance program, failures to comply with applicable Federal or State statutes, rules, regulations or Federal, State or private payor health care program requirements, and other types of misconduct threaten a DMEPOS supplier's status as a reliable, honest and trustworthy health care provider. Detected but uncorrected misconduct can seriously endanger the mission, reputation, and legal status of the DMEPOS supplier. Consequently, upon reports or reasonable indications of suspected noncompliance, it is important that the compliance officer or other management officials immediately investigate the conduct in question to determine whether a material violation of applicable law, rules or program instructions or the requirements of the compliance program has occurred, and if so, take decisive steps to correct the problem.‹SUP›173‹/SUP› As appropriate, such steps may include an immediate referral to criminal and/or civil law enforcement authorities, a corrective action plan,‹SUP›174‹/SUP› a report to the Government,‹SUP›175‹/SUP› and the return of any overpayments, if applicable.

        [[Page 36388]]

        \173\ Instances of non-compliance must be determined on a case-by-case basis. The existence, or amount, of a monetary loss to a health care program is not solely determinative of whether or not the conduct should be investigated and reported to governmental authorities. In fact, there may be instances where there is no readily identifiable monetary loss at all, but corrective action and reporting are still necessary to protect the integrity of the applicable program and its beneficiaries.

        \174\ Advice from the DMEPOS supplier's in-house counsel or an outside law firm may be sought to determine the extent of the DMEPOS supplier's liability and to plan the appropriate course of action.

        \175\ The OIG currently maintains a provider self-disclosure protocol that encourages providers to report suspected fraud. The concept of voluntary self-disclosure is premised on a recognition that the Government alone cannot protect the integrity of the Medicare and other Federal health care programs. Health care providers must be willing to police themselves, correct underlying problems, and work with the Government to resolve these matters. The self-disclosure protocol is located on the OIG's web site at http://www.dhhs.gov/progorg/oig.

        Where potential fraud or False Claims Act liability is not involved, the OIG recommends that the DMEPOS supplier promptly return any overpayments to the affected payor as they are discovered. However, even if the overpayment detection and return process is working and is being monitored by the DMEPOS supplier, the OIG still believes that the compliance officer needs to be made aware of these overpayments, violations, or deviations that may reveal trends or patterns indicative of a systemic problem.

        Depending upon the nature of the alleged violations, an internal investigation will probably include interviews and a review of relevant documents, such as submitted claims and CMNs. The DMEPOS supplier should consider engaging outside auditors or health care experts to assist in an investigation. Records of the investigation should contain documentation of the alleged violation, a description of the investigative process (including the objectivity of the investigators and methodologies utilized), copies of interview notes and key documents, a log of the witnesses interviewed, the documents reviewed, and the results of the investigation (e.g., any disciplinary action taken and any corrective action implemented). Although any action taken as the result of an investigation will necessarily vary depending upon the DMEPOS supplier and the situation, DMEPOS suppliers should strive for some consistency by utilizing sound practices and disciplinary protocols.‹SUP›176‹/SUP› Further, after a reasonable period, the compliance officer should review the circumstances that formed the basis for the investigation to determine whether similar problems have been uncovered or modifications of the compliance program are necessary to prevent and detect other inappropriate conduct or violations.

        \176\ The parameters of a claim review subject to an internal investigation will depend on the circumstances surrounding the issue(s) identified. By limiting the scope of an internal audit to current billing, a DMEPOS supplier may fail to identify major problems and deficiencies in operations, as well as be subject to certain liability.

        If an investigation of an alleged violation is undertaken and the compliance officer believes the integrity of the investigation may be at stake because of the presence of employees under investigation, those subjects should be removed from their current work activity until the investigation is completed (unless an internal or Government-led undercover operation known to the DMEPOS supplier is in effect). In addition, the compliance officer should take appropriate steps to secure or prevent the destruction of documents or other evidence relevant to the investigation. If the DMEPOS supplier determines disciplinary action is warranted, it should be prompt and imposed in accordance with the DMEPOS supplier's written standards of disciplinary action.

        The OIG believes all DMEPOS suppliers, regardless of size, should ensure that they are responsive to investigating allegations of potential misconduct.

      2. Reporting

        If the compliance officer, compliance committee or other management official discovers credible evidence of misconduct from any source and, after a reasonable inquiry, has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the DMEPOS supplier should promptly report the existence of misconduct to the appropriate Federal and State authorities ‹SUP›177‹/SUP› within a reasonable period, but not more than 60 days ‹SUP›178‹/SUP› after determining that there is credible evidence of a violation.‹SUP›179‹/SUP› Prompt reporting will demonstrate the DMEPOS supplier's good faith and willingness to work with governmental authorities to correct and remedy the problem. In addition, reporting such conduct will be considered a mitigating factor by the OIG in determining administrative sanctions (e.g., penalties, assessments, and exclusion), if the reporting provider becomes the target of an OIG investigation.‹SUP›180‹/SUP›

        \177\ Appropriate Federal and State authorities include the Office of Inspector General, Department of Health and Human Services; the Criminal and Civil Divisions of the Department of Justice; the U.S. Attorney in the relevant district(s); and the other investigative arms for the agencies administering the affected Federal or State health care programs, such as: the State Medicaid Fraud Control Unit; the Defense Criminal Investigative Service; the Department of Veterans Affairs; the Office of Inspector General, U.S. Department of Labor (which has primary criminal jurisdiction over FECA, Black Lung and Longshore programs); and the Office of Inspector General, U.S. Office of Personnel Management (which has primary jurisdiction over the Federal Employee Health Benefits Program).

        \178\ In contrast, to qualify for the ``not less than double damages'' provision of the False Claims Act, the report must be provided to the Government within thirty (30) days after the date when the DMEPOS supplier first obtained the information. See 31 U.S.C. 3729(a).

        \179\ The OIG believes that some violations may be so serious that they warrant immediate notification to governmental authorities, prior to, or simultaneous with, commencing an internal investigation, e.g., if the conduct: (1) is a clear violation of criminal law; (2) has a significant adverse effect on the quality of care provided to program beneficiaries (in addition to any other legal obligations regarding quality of care); or (3) indicates evidence of a systemic failure to comply with applicable laws, rules or program instructions or an existing corporate integrity agreement, regardless of the financial impact on Federal health care programs.

        \180\ The OIG has published criteria setting forth those factors that the OIG takes into consideration in determining whether it is appropriate to exclude a health care provider from program participation pursuant to 42 U.S.C. 1320a-7(b)(7) for violations of various fraud and abuse laws. See 62 FR 67392 (December 24, 1997).

        When reporting misconduct to the Government, a DMEPOS supplier should provide all evidence relevant to the alleged violation of applicable Federal or State law(s) and potential cost impact. The compliance officer, with advice of counsel, and with guidance from the governmental authorities, could be requested to continue to investigate the reported violation. Once the investigation is completed, the compliance officer should be required to notify the appropriate governmental authority of the outcome of the investigation, including a description of the impact of the alleged violation on the operation of the applicable health care programs or their beneficiaries. If the investigation ultimately reveals that criminal, civil, or administrative violations have occurred, the appropriate Federal and State authorities ‹SUP›181‹/SUP› should be notified immediately.

        \181\ See note 177.

        The OIG believes all DMEPOS suppliers, regardless of size, should ensure that they are reporting the results of any overpayments or violations to the appropriate entity.

        [[Page 36389]]

      3. Corrective Actions

        As previously stated, the DMEPOS supplier should take appropriate corrective action, including prompt identification of any overpayment to the affected payor and the imposition of proper disciplinary action. If potential fraud or violations of the False Claims Act are involved, any repayment of the overpayment should be made as part of the discussion with the Government following a report of the matter to law enforcement authorities. Otherwise, the overpayment should be promptly refunded to the affected payor. The OIG recommends that the overpayment refund include the information as outlined in section II.E. Failure to disclose overpayments within a reasonable period of time could be interpreted as an intentional or knowing attempt to conceal the overpayment from the Government, thereby establishing an independent basis for a criminal or civil violation with respect to the DMEPOS supplier, as well as any individuals who may have been involved. For this reason, DMEPOS supplier compliance programs should emphasize that overpayments obtained from Medicare or other Federal health care programs should be promptly disclosed and returned to the payor that made the erroneous payment.

        The OIG believes all DMEPOS suppliers, regardless of size, should take appropriate corrective action to remedy the identified deficiency.

  3. Conclusion

    Through this document, the OIG has attempted to provide a foundation to the process necessary to develop an effective and cost-efficient DMEPOS supplier compliance program. As previously stated, however, each program must be tailored to fit the needs and resources of an individual DMEPOS supplier, depending upon its size; number of locations; type of equipment provided; or corporate structure. The Federal and State health care statutes, rules, and regulations and Federal, State and private payor health care program requirements, should be integrated into every DMEPOS supplier's compliance program.

    The OIG recognizes that the health care industry in this country, which reaches millions of beneficiaries and expends about a trillion dollars annually, is constantly evolving. In particular, legislation has been passed that creates additional Medicare program participation requirements, such as requiring DMEPOS suppliers to purchase surety bonds and expanding the Medicare supplier standards.‹SUP›182‹/SUP› As stated throughout this guidance, compliance is a dynamic process that helps to ensure that DMEPOS suppliers and other health care providers are better able to fulfill their commitment to ethical behavior, as well as meet the changes and challenges being imposed upon them by Congress and private insurers. Ultimately, it is OIG's hope that a voluntarily created compliance program will enable DMEPOS suppliers to meet their goals, improve the quality of service to patients, and substantially reduce fraud, waste, and abuse, as well as the cost of health care, to Federal, State and private health insurers.

    \182\ See 63 FR 2926 (January 20, 1998).

    Dated: June 29, 1999. June Gibbs Brown, Inspector General.

    [FR Doc. 99-16945 Filed 7-2-99; 8:45 am]

    BILLING CODE 4150-04-P
