[Federal Register Volume 64, Number 128 (Tuesday, July 6, 1999)]
[Notices]
[Pages 36368-36389]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-16945]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of Inspector General
Publication of OIG Compliance Program Guidance for the Durable
Medical Equipment, Prosthetics, Orthotics and Supply Industry
AGENCY: Office of Inspector General (OIG), HHS.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This Federal Register notice sets forth the recently issued
Compliance Program Guidance for the Durable Medical Equipment,
Prosthetics, Orthotics and Supply Industry that has been developed by
the Office of Inspector General in cooperation with, and with input
from, the Health Care Financing Administration (HCFA), the Department
of Justice (DOJ) and representatives of various trade associations and
health care practice groups. The OIG has previously developed and
published compliance program guidance focusing on hospitals, clinical
laboratories, home health agencies, and third-party medical billing
companies. We believe that the development and issuance of this
compliance guidance will serve as a positive step towards promoting a
higher level of ethical and lawful conduct throughout the entire health
care industry.
FOR FURTHER INFORMATION CONTACT: Christine Pullifrone, Office of
Counsel to the Inspector General, (202) 619-2078.
SUPPLEMENTARY INFORMATION:
Background
The creation of compliance program guidances has been an important
undertaking by the OIG in its effort to engage the health care
community in combating fraud and abuse. In formulating this compliance
guidance, the OIG has worked closely with HCFA, and has received input
from interested parties and industry trade associations. The 4
previously-issued compliance program guidances focused on the hospital
industry, home health agencies, clinical laboratories and third-party
medical billing companies. The development of these types of compliance
program guidances are based on our belief that a health care provider
can efficiently use internal controls to monitor adherence to
applicable statutes, regulations and program requirements.
Guidance for the DMEPOS Industry
On August 7, 1998, the OIG published a solicitation notice (63 FR
42409) seeking information and recommendations for developing guidance
for the durable medical equipment, prosthetics, orthotics and supply
(DMEPOS) industry. In response to that solicitation notice, the OIG
received numerous comments from various parts of the industry and from
their representatives. We carefully considered those comments, as well
as consulted with DOJ, HCFA and the durable medical equipment regional
carriers in developing a draft compliance program guidance for the
DMEPOS industry. In an effort to ensure that all parties had a
reasonable opportunity to provide input into a final product, the draft
guidance for the DMEPOS industry was published in the Federal Register
on January 28, 1999 (64 FR 4436) for further comment and
recommendations.
Elements for an Effective Compliance Program
Through experience, the OIG has identified 7 fundamental elements
applicable to an effective compliance program. They are:
Implementing written policies, procedures and standards of
conduct;
Designating a compliance officer and compliance committee;
Conducting effective training and education;
Developing effective lines of communication;
Enforcing standards through well-publicized disciplinary
guidelines;
Conducting internal monitoring and auditing; and
Responding promptly to detected offenses and developing
corrective action.
Using these 7 elements, the OIG has identified specific areas of
DMEPOS industry operations that may prove to be vulnerable to fraud and
abuse. Like previously-issued OIG compliance guidance, adoption of the
Compliance Program Guidance for the Durable Medical Equipment,
Prosthetics, Orthotics and Supply Industry set forth below will be
strictly voluntary.
A reprint of the newly-issued compliance program guidance follows:
Office of Inspector General's Compliance Program Guidance for the
Durable Medical Equipment, Prosthetics, Orthotics and Supply
Industry (June 1999)
I. Introduction
The Office of Inspector General (OIG) of the Department of Health
and Human
[[Page 36369]]
Services (HHS) continues in its efforts to promote voluntarily
developed and implemented compliance programs for the health care
industry. The following compliance program guidance is intended to
assist suppliers 1 of durable medical equipment,2
prosthetics,3 orthotics,4 and supplies
5 (DMEPOS) and their agents and subcontractors (referred to
collectively in this document as DMEPOS suppliers) develop effective
internal controls that promote adherence to applicable Federal and
State law, and the program requirements of Federal, State and private
health plans.6 The adoption and implementation of voluntary
compliance programs significantly advance the prevention of fraud,
abuse, and waste in these health care plans while at the same time
further the fundamental mission of all DMEPOS suppliers, which is to
provide quality items, service, and care to patients.
---------------------------------------------------------------------------
\1\ The term ``supplier'' is defined in this document as an
entity or individual, including a physician or Part A provider, that
sells or rents Part B covered DMEPOS items and meets the Medicare
supplier standards. See 42 CFR 424.57(a).
\2\ The term ``durable medical equipment'' is applied in this
document as defined in 42 U.S.C. 1395x(n).
\3\ The term ``prosthetics'' and ``prosthetic devices'' are
applied in this document as defined in 42 U.S.C. 1395x(s)(9) and
(s)(8), respectively.
\4\ The term ``orthotics'' is applied in this document as
defined in 42 U.S.C. 1395x(s)(9).
\5\ The term ``supplies'' includes home dialysis supplies and
equipment as described in 42 U.S.C. 1395x(s)(2)(f); surgical
dressings and other devices as described in 42 U.S.C. 1395x(s)(5);
immunosuppressive drugs as described in 42 U.S.C. 1395x(s)(2)(J);
and any other items or services designated by the Health Care
Financing Administration (HCFA).
\6\ The OIG recognizes that not every supplier provides durable
medical equipment, prosthetics, orthotics and supplies. However, a
compliance program incorporating the elements in this guidance can
be used by all suppliers regardless of the items/services they
provide.
---------------------------------------------------------------------------
Within this document, the OIG first provides its general views on
the value and fundamental principles of DMEPOS suppliers' compliance
programs, and then provides the specific elements that each DMEPOS
supplier should consider when developing and implementing an effective
compliance program. While this document presents basic procedural and
structural guidance for designing a compliance program, it is not in
itself a compliance program. Rather, it is a set of guidelines to be
considered by a DMEPOS supplier interested in implementing a compliance
program.
The OIG recognizes the size-differential that exists between
operations of the different DMEPOS suppliers and organizations that
compose the DMEPOS industry. Appropriately, this guidance is pertinent
for all DMEPOS suppliers, regardless of size (in terms of employees and
gross revenue); number of locations; type of equipment provided; or
corporate structure. The applicability of the recommendations and
guidelines provided in this document depends on the circumstances of
each individual DMEPOS supplier. However, regardless of a DMEPOS
supplier's size or structure, the OIG believes that every DMEPOS
supplier can and should strive to accomplish the objectives and
principles underlying all of the compliance policies and procedures
recommended within this guidance.
Fundamentally, compliance efforts are designed to establish a
culture within a DMEPOS supplier that promotes prevention, detection,
and resolution of instances of conduct that do not conform to Federal
and State law, and Federal, State and private payor health care program
requirements, as well as the DMEPOS supplier's ethical and business
policies. In practice, the compliance program should effectively
articulate and demonstrate the DMEPOS supplier's commitment to ethical
conduct. Benchmarks that demonstrate implementation and achievements
are essential to any effective compliance program. Eventually, a
compliance program should become part of the fabric of routine DMEPOS
supplier operations.
Specifically, compliance programs guide a DMEPOS supplier's
owner(s), governing body (e.g., board of directors or trustees), chief
executive officer (CEO), president, vice president(s), managers, sales
representatives, billing personnel, and other employees in the
efficient management and operation of a DMEPOS supplier. They are
especially critical as an internal quality assurance control in the
reimbursement and payment areas, where claims and billing operations
are often the source of fraud and abuse, and therefore, historically
have been the focus of Government regulation, scrutiny, prosecution and
sanctions.
It is incumbent upon a DMEPOS supplier's owner(s), corporate
officers, and managers to provide ethical leadership to the
organization and to assure that adequate systems are in place to
facilitate ethical and legal conduct. Employees, managers, and the
Government will focus on the words and actions of a DMEPOS supplier's
leadership as a measure of the organization's commitment to compliance.
Indeed, many DMEPOS suppliers have adopted mission statements
articulating their commitment to high ethical standards. A formal
compliance program, as an additional element in this process, offers a
DMEPOS supplier a further concrete method that may improve quality of
service and reduce waste. Compliance programs also provide a central
coordinating mechanism for furnishing and disseminating information and
guidance on applicable Federal and State statutes, regulations, and
Federal, State and private health care program requirements.
Implementing an effective compliance program requires a substantial
commitment of time, energy, and resources by senior management and the
DMEPOS supplier's governing body.7 Superficial programs that
simply have the appearance of compliance without being wholeheartedly
adopted and implemented by the DMEPOS supplier or programs that are
hastily constructed and implemented without appropriate ongoing
monitoring will likely be ineffective and could expose the DMEPOS
supplier to greater liability than no program at all. Although it may
require significant additional resources or reallocation of existing
resources to implement an effective compliance program, the long term
benefits of implementing the program significantly outweigh the costs.
Undertaking a voluntary compliance program is a beneficial investment
that advances both the DMEPOS supplier's organization and the stability
and solvency of the Medicare program.
---------------------------------------------------------------------------
\7\ Recent case law suggests that the failure of a corporate
Director to attempt in good faith to institute a compliance program
in certain situations may be a breach of a Director's fiduciary
obligation. See, e.g., In re Caremark International Inc. Derivative
Litigation, 698 A.2d 959 (Ct. Chanc. Del. 1996).
---------------------------------------------------------------------------
A. Benefits of a Compliance Program
The OIG believes an effective compliance program provides a
mechanism that brings the public and private sectors together to reach
mutual goals of reducing fraud and abuse, improving operational
quality, improving the quality of health care services and reducing the
cost of health care. Attaining these goals provides positive results to
the DMEPOS supplier, the Government and individual citizens alike. In
addition to fulfilling its legal duty to ensure that it is not
submitting false or inaccurate claims to Government and private payors,
a DMEPOS supplier may gain numerous additional benefits by voluntarily
implementing an effective compliance program. These benefits may
include:
The formulation of effective internal controls to assure
compliance
[[Page 36370]]
with Federal and State statutes, rules, and regulations, and Federal,
State and private payor health care program requirements, and internal
guidelines;
A concrete demonstration to employees and the community at
large of the DMEPOS supplier's strong commitment to honest and
responsible corporate conduct;
The ability to obtain an accurate assessment of employee
and contractor behavior relating to fraud and abuse;
An increased likelihood of identification and prevention
of criminal and unethical conduct;
The ability to more quickly and accurately react to
employees' operational compliance concerns and the capability to
effectively target resources to address those concerns;
Improvement of the quality, efficiency, and consistency of
providing services;
Increased efficiency on the part of employees;
A centralized source for distributing information on
health care statutes, regulations, policies, and other program
directives regarding fraud and abuse and related issues;
Improved internal communication;
A methodology that encourages employees to report
potential problems;
Procedures that allow the prompt, thorough investigation
of alleged misconduct by corporate officers, managers, sales
representatives, employees, independent contractors, consultants,
clinicians and other health care professionals;
Initiation of immediate, appropriate, and decisive
corrective action;
Early detection and reporting, minimizing the loss to the
Government from false claims, and thereby reducing the DMEPOS
supplier's exposure to civil damages and penalties, criminal sanctions,
and administrative remedies, such as program exclusion; \8\ and
---------------------------------------------------------------------------
\8\ The OIG, for example, will consider the existence of an
effective compliance program that pre-dated any governmental
investigation when addressing the appropriateness of administrative
sanctions. However, the burden is on the DMEPOS supplier to
demonstrate the operational effectiveness of a compliance program.
Further, the False Claims Act, 31 U.S.C. 3729-3733, provides that a
person who has violated the Act, but who voluntarily discloses the
violation to the Government within 30 days of detection, in certain
circumstances will be subject to not less than double, as opposed to
treble, damages. See 31 U.S.C. 3729(a). Thus, the ability to react
quickly when violations of the law are discovered may materially
help reduce a DMEPOS supplier's liability.
---------------------------------------------------------------------------
Enhancement of the structure of the DMEPOS supplier's
operations and the consistency between: any related entities of the
DMEPOS supplier; different departments within the DMEPOS supplier; the
DMEPOS supplier's different locations; and the DMEPOS supplier's
separate business units (e.g., franchises, subsidiaries).
Overall, the OIG believes that an effective compliance program is a
sound investment on the part of a DMEPOS supplier.
The OIG recognizes that the implementation of a compliance program
may not entirely eliminate fraud, abuse, and waste from the DMEPOS
supplier's system. However, a sincere effort by the DMEPOS supplier to
comply with applicable Federal and State statutes, rules, and
regulations and Federal, State and private payor health care program
requirements, through the establishment of an effective compliance
program, significantly reduces the risk of unlawful or improper
conduct.
B. Application of Compliance Program Guidance
Given the diversity within the industry, there is no single
``best'' DMEPOS supplier compliance program.9 The OIG
understands the variances and complexities within the DMEPOS supplier
industry and is sensitive to the differences among large national and
regional DMEPOS supplier organizations, and small independent DMEPOS
suppliers. However, elements of this guidance can be used by all DMEPOS
suppliers, regardless of size (in terms of employees and gross
revenue); number of locations; type of equipment provided; or corporate
structure, to establish an effective compliance program. Similarly, a
DMEPOS supplier or corporation that owns a DMEPOS supplier or provides
DMEPOS supplies may incorporate these elements into its system-wide
compliance or managerial structure. We recognize that some DMEPOS
suppliers may not be able to adopt certain elements to the same
comprehensive degree that others with more extensive resources may
achieve. This guidance represents the OIG's suggestions on how a DMEPOS
supplier, regardless of size, can best establish internal controls and
monitor its conduct to correct and prevent fraudulent activities. By no
means should the contents of this guidance be viewed as an exclusive
discussion of the advisable elements of a compliance program. On the
contrary, the OIG strongly encourages DMEPOS suppliers to develop and
implement compliance elements that uniquely address the individual
DMEPOS supplier's risk areas.
---------------------------------------------------------------------------
\9\ This is particularly true in the context of DMEPOS
suppliers, which include many small independent DMEPOS suppliers
with limited financial resources, staff, and product lines as well
as large DMEPOS supplier chains with extensive financial resources,
staff, and product lines.
---------------------------------------------------------------------------
The OIG believes that input and support by individuals and
organizations that will utilize the tools set forth in this document is
critical to the development and success of this compliance program
guidance. In a continuing effort to collaborate closely with the
private sector, the OIG placed a notice in the Federal Register
soliciting recommendations and suggestions on what should be included
in this Compliance Program Guidance.10 Further, the OIG
published the draft Compliance Program Guidance for the DME,
Prosthetics, Orthotics, and Supply Industry in the Federal Register for
public comment.11 In addition, we considered previous OIG
publications, such as Special Fraud Alerts, Advisory
Opinions,12 the findings and recommendations in reports
issued by OIG's Office of Audit Services and Office of Evaluation and
Inspections, as well as the experience of past and recent fraud
investigations related to DMEPOS suppliers conducted by OIG's Office of
Investigations and the Department of Justice.
---------------------------------------------------------------------------
\10\ See 63 FR 42409 (August 7, 1998), Notice for Solicitation
of Information and Recommendations for Developing OIG Compliance
Program Guidance for the Durable Medical Equipment Industry.
\11\ See 64 FR 4435 (January 28, 1999): Draft Compliance Program
Guidance for the DME, Prosthetics, Orthotics, and Supply Industry.
\12\ The OIG periodically issues Advisory Opinions responding to
specific inquiries from members of the public and Special Fraud
Alerts setting forth activities that raise legal and enforcement
issues. Special Fraud Alerts and Advisory Opinions, as well as the
regulations governing the issuance of Advisory Opinions, can be
obtained on the Internet at http://www.dhhs.gov/progorg/oig, in the
Federal Register, or by contacting the OIG's Public Information Desk
at 202-619-1142.
---------------------------------------------------------------------------
As appropriate, this guidance may be modified and expanded as more
information and knowledge is obtained by the OIG, and as changes in the
statutes, rules, regulations, policies, and procedures of Federal,
State, and private health plans occur. The OIG understands DMEPOS
suppliers will need adequate time to react to these modifications and
expansions and to make any necessary changes to their voluntary
compliance programs. New compliance practices may eventually be
incorporated into this guidance if the OIG discovers significant
enhancements to better ensure an effective compliance program.
The OIG recognizes that the development and implementation of
compliance programs in DMEPOS suppliers often raise sensitive and
[[Page 36371]]
complex legal and managerial issues.13 However, the OIG
wishes to offer what it believes is critical guidance for providers who
are sincerely attempting to comply with the relevant health care
statutes and regulations.
---------------------------------------------------------------------------
\13\ Nothing stated within this document should be substituted
for, or used in lieu of, competent legal advice from counsel.
---------------------------------------------------------------------------
At the end of each section, where applicable, the OIG has included
ideas to help aid the small DMEPOS supplier in implementing the
principles espoused in this guidance. There is no all inclusive
definition of a small DMEPOS supplier. However, as previously
mentioned, each DMEPOS supplier should tailor its compliance program
according to its resources.
II. Compliance Program Elements
The elements proposed by these guidelines are similar to those of
the other OIG Compliance Program Guidances 14 and the OIG's
corporate integrity agreements.15 The OIG believes that
every DMEPOS supplier can benefit from the principles espoused in this
guidance, which can be tailored to fit the needs and financial
realities of a particular DMEPOS supplier.
---------------------------------------------------------------------------
\14\ See 63 FR 70138 (December 18, 1998) for the Compliance
Program Guidance for Third Party Medical Billing Companies; 63 FR
42410 (August 7, 1998) for the Compliance Program Guidance for Home
Health Agencies; 63 FR 45076 (August 24, 1998) for the Compliance
Program Guidance for Clinical Laboratories, as revised; 63 FR 8987
(February 23, 1998) for the Compliance Program Guidance for
Hospitals. These documents are also located on the Internet at
http://www.dhhs.gov/progorg/oig.
\15\ Corporate integrity agreements are executed as part of a
civil settlement between a health care provider and the Government
to resolve a case based on allegations of health care fraud or
abuse. These OIG-imposed programs are in effect for a period of
three to five years and require many of the elements included in
this compliance program guidance.
---------------------------------------------------------------------------
The OIG believes that every effective compliance program must begin
with a formal commitment 16 by the DMEPOS supplier's
governing body to include all of the applicable elements listed below,
which are based on the seven steps of the Federal Sentencing
Guidelines.17 The OIG recognizes full implementation of all
elements may not be immediately feasible for all DMEPOS suppliers.
However, as a first step, a good faith and meaningful commitment on the
part of the DMEPOS supplier, especially the owner(s), governing body,
president, vice president(s), CEO, and managing employees, will
substantially contribute to the program's successful implementation. As
the compliance program is implemented, that commitment should cascade
down through the management to every employee of the DMEPOS supplier.
---------------------------------------------------------------------------
\16\ A formal commitment may include a resolution by the board
of directors, owner(s) or president, where applicable. A formal
commitment should include the allocation of adequate resources to
ensure that each of the elements is addressed.
\17\ See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(k). The Federal
Sentencing Guidelines are detailed policies and practices for the
Federal criminal justice system that prescribe the appropriate
sanctions for offenders convicted of Federal crimes.
---------------------------------------------------------------------------
At a minimum, comprehensive compliance programs should include the
following seven elements:
(1) The development and distribution of written standards of
conduct, as well as written policies and procedures that promote the
DMEPOS supplier's commitment to compliance (e.g., by including
adherence to the compliance program as an element in evaluating
managers and employees) and address specific areas of potential fraud,
such as the claims development and submission process, completing
certificates of medical necessity (CMNs), and financial relationships
with physicians and/or other persons authorized 18 to order
DMEPOS;
---------------------------------------------------------------------------
\18\ In some instances, persons other than the treating
physician (e.g., nurse practitioner, physician assistant, clinical
nurse specialist) may be authorized to order DMEPOS for Medicare
beneficiaries if permitted under State law and in accordance with
HCFA policies. A DMEPOS supplier should be aware of any persons,
other than the treating physician, who are authorized to order
DMEPOS.
---------------------------------------------------------------------------
(2) The designation of a compliance officer and other appropriate
bodies, (e.g., a corporate compliance committee), charged with the
responsibility for operating and monitoring the compliance program, and
who report directly to the CEO and the governing body; 19
---------------------------------------------------------------------------
\19\ The integral functions of the compliance officer and the
corporate compliance committee in implementing an effective
compliance program are discussed throughout this compliance program
guidance. However, the OIG recognizes that the differences in the
sizes and structures of DMEPOS suppliers will result in differences
in the ways in which compliance programs are set up. It is important
that a DMEPOS supplier structures its compliance program in such a
way that the program facilitates implementation of the key functions
of the corporate compliance officer and the corporate compliance
committee discussed within this document. See section II.B and
accompanying notes.
---------------------------------------------------------------------------
(3) The development and implementation of regular, effective
education and training for all affected employees; 20
---------------------------------------------------------------------------
\20\ Education and training programs for DMEPOS suppliers should
be detailed and comprehensive. They should cover specific billing
procedures, sales and marketing practices, as well as the general
areas of compliance. See section II.C and accompanying notes.
---------------------------------------------------------------------------
(4) The development of effective lines of communication between the
compliance officer and all employees, including a process, such as a
hotline or other reporting system, to receive complaints, and the
adoption of procedures to protect the anonymity of complainants and to
protect callers from retaliation;
(5) The use of audits and/or other risk evaluation techniques to
monitor compliance, identify problem areas, and assist in the reduction
of identified problem areas; 21
---------------------------------------------------------------------------
\21\ For example, spot-checking the work of coding and billing
personnel periodically and conducting periodic post-payment claim
review should be elements of an effective compliance program. See
section II.E and accompanying notes.
---------------------------------------------------------------------------
(6) The development of appropriate disciplinary mechanisms to
enforce standards and the development of policies addressing (i)
employees who have violated internal compliance policies, applicable
statutes, regulations, or Federal, State or private payor health care
program requirements and (ii) the employment of sanctioned and other
specified individuals; 22 and
---------------------------------------------------------------------------
\22\ The term ``Federal health care program'' is applied in this
document as defined in 42 U.S.C. 1320a-7b(f), and includes any plan
or program that provides health benefits, whether directly, through
insurance, or otherwise, which is funded directly in whole or in
part, by the United States Government (i.e., via programs such as
Medicare, Federal Employees' Compensation Act, Black Lung, or the
Longshore and Harbor Worker's Compensation Act) or any State health
plan (e.g., Medicaid, or a program receiving funds from block grants
for social services or child health services). Also, for the purpose
of this document, the term ``Federal health care program
requirements'' refers to the statutes, regulations, rules
requirements, directives, and instructions governing Medicare,
Medicare, Medicaid, and all other Federal health care programs.
---------------------------------------------------------------------------
(7) The development of policies to respond to detected offenses and
to initiate corrective action to prevent similar offenses.
A. Written Policies and Procedures
Every compliance program should require the development and
distribution of written compliance policies, standards, and practices
that identify specific areas of risk and vulnerability to the
individual DMEPOS supplier. These policies, standards, and practices
should be developed under the direction and supervision of the
compliance officer and the compliance committee (if such a committee is
practicable for the DMEPOS supplier) and, at a minimum, should be
provided to all individuals who are affected by the particular policy
at issue, including the DMEPOS supplier's agents and independent
contractors who may affect billing decisions.23
---------------------------------------------------------------------------
\23\ According to the Federal Sentencing Guidelines, an
organization must have established compliance standards and
procedures to be followed by its employees and other agents in order
to receive sentencing credit for an ``effective'' compliance
program. The Federal Sentencing Guidelines define ``agent'' as ``any
individual, including a director, an officer, an employee, or an
independent contractor, authorized to act on behalf of the
organization.'' See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(d).
---------------------------------------------------------------------------
[[Page 36372]]
In addition to these general policies, it may be necessary to
implement individual policies for the different components of the
DMEPOS supplier.
1. Standards of Conduct
The OIG recommends that the DMEPOS supplier develop standards of
conduct for all affected employees that include a clearly delineated
commitment to compliance by the DMEPOS supplier's senior management,
24 including any related entities or affiliated providers
operating under the DMEPOS supplier's control, 25 and other
health care professionals (e.g., nurses, licensed pharmacists,
physicians, and respiratory therapists). The standards of conduct
should function in the same fashion as a constitution, i.e., as a
foundational document that details the fundamental principles, values,
and framework for action within the DMEPOS supplier. The standards
should articulate the DMEPOS supplier's commitment to comply with all
Federal and State statutes, rules, regulations and Federal, State and
private payor health care program requirements, with an emphasis on
preventing fraud and abuse. They should explicitly state the
organization's mission, goals, and ethical principles relative to
compliance and clearly define the DMEPOS supplier's commitment to
compliance and its expectations for all DMEPOS supplier owners,
governing body members, presidents, vice presidents, corporate
officers, managers, sales representatives, employees, and, where
appropriate, independent contractors and other agents. These standards
should promote integrity, support objectivity, and foster trust.
Standards should not only address compliance with statutes and
regulations, but should also set forth broad principles that guide
employees in conducting business professionally and properly.
---------------------------------------------------------------------------
\24\ The OIG strongly encourages high-level involvement by a
DMEPOS supplier's owner(s), governing body, CEO, president, vice
president(s), as well as other personnel, as appropriate, in the
development of the standards of conduct. Such involvement should
help communicate a strong and explicit organizational commitment to
compliance goals and standards.
\25\ E.g., pharmacies, billing services, and manufacturers.
---------------------------------------------------------------------------
The standards should be distributed to, and comprehensible by, all
affected employees (e.g., translated into other languages when
necessary and written at appropriate reading levels). Further, to
assist in ensuring that employees continuously meet the expected high
standards set forth in the standards of conduct, any employee handbook
delineating or expanding upon these standards should be regularly
updated as applicable statutes, regulations, and Federal, State, and
private payor health care program requirements are modified and/or
clarified.26
---------------------------------------------------------------------------
\26\ The OIG recognizes that not all statutes, rules,
regulations, standards, policies, and procedures need to be
communicated to all employees. However, the OIG believes that the
bulk of the standards that relate to complying with fraud and abuse
laws and other ethical areas should be addressed and made part of
all affected employees' training. A DMEPOS supplier must decide
whether additional educational programs should be targeted to
specific categories of employees based on job functions and areas of
responsibility.
---------------------------------------------------------------------------
When employees first begin working for the DMEPOS supplier, and
each time new standards of conduct are issued, the OIG suggests
employees be asked to sign a statement certifying that they have
received, read, understood, and will abide by the standards of conduct.
The employee's certification should be retained by the DMEPOS supplier
in the employee's personnel file, and available for review by the
compliance officer.
The OIG believes all DMEPOS suppliers, regardless of size, should
operate professionally and ethically. The OIG recognizes that small
DMEPOS suppliers may not have formal written standards of conduct.
However, such unwritten standards of conduct (e.g., the manner in which
the DMEPOS supplier conducts its business) should be relayed to each
employee. Employees should attest, in writing, that they understand and
will abide by these standards.
2. Written Policies for Risk Areas
As part of its commitment to compliance, the DMEPOS supplier should
establish a comprehensive set of written policies and procedures that
take into consideration the particular statutes, rules, regulations,
and program instructions applicable to each function of the DMEPOS
supplier.27 In contrast to the standards of conduct, which
are designed to be a clear and concise collection of fundamental
standards, the written policies should articulate specific procedures
personnel should follow.
---------------------------------------------------------------------------
\27\ A DMEPOS supplier can conduct focus groups, composed of
managers from various departments, to solicit their concerns and
ideas about compliance risks that may be incorporated into the
DMEPOS supplier's policies and procedures. Such employee
participation in the development of the DMEPOS supplier's compliance
program can enhance its credibility and foster employee acceptance
of the program.
---------------------------------------------------------------------------
Consequently, we recommend that the individual policies and
procedures be coordinated with the appropriate training and educational
programs with an emphasis on areas of special concern that have been
identified by the OIG.28 Some of the special areas of OIG
concern include: 29
---------------------------------------------------------------------------
\28\ A DMEPOS supplier's compliance program should require that
the legal staff, compliance officer, or other appropriate personnel
carefully consider any and all Special Fraud Alerts and Advisory
Opinions issued by the OIG that relate to DMEPOS suppliers. See note
12. Moreover, the compliance program should address the
ramifications of failing to cease and correct any conduct criticized
in such a Special Fraud Alert or Advisory Opinion, if applicable to
the DMEPOS supplier, or to take reasonable action to prevent such
conduct from reoccurring in the future. If appropriate, a DMEPOS
supplier should take the steps described in section II.G regarding
investigations, reporting, and correction of identified problems.
\29\ The OIG Work Plan details the various projects the OIG
currently intends to address in the fiscal year. It should be noted
that the priorities in the Work Plan are subject to modification and
revision as the year progresses and does not represent a complete or
final list of areas of concern to the OIG. The Work Plan is
currently available on the Internet at http://www.dhhs.gov/progorg/
oig.
---------------------------------------------------------------------------
Billing for items or services not provided; 30
---------------------------------------------------------------------------
\30\ Billing for items or services not provided involves
submitting a claim representing that the DMEPOS supplier provided an
item or service or part of an item or service that the patient did
not receive. It may also include not fulfilling a contractual
agreement, for example, when the DMEPOS supplier has agreed to
service the rental equipment and does not fulfill this obligation.
---------------------------------------------------------------------------
Billing for services that the DMEPOS supplier believes may
be denied; 31
---------------------------------------------------------------------------
\31\ Billing for services that may be denied involves seeking
reimbursement for a service that is not covered by Medicare or does
not meet the Medicare coverage criteria as documented by the
patient's current medical condition. See 42 U.S.C. 1395y(a)(1)(A).
The OIG recognizes that DMEPOS suppliers cannot make medical
necessity determinations and may not be aware if an item or service
will be denied in every instance. However, civil money penalties
(CMPs) and administrative sanctions may be imposed against any
person who submits a claim for services ``that [the] person knows or
should know are not medically necessary.'' See 42 U.S.C. 1320a-
7a(a). Such conduct may also result in liability under civil and
criminal laws. HCFA does allow DMEPOS suppliers to submit claims
when the DMEPOS supplier believes the item or service may not be
covered, provided, however, that the supplier ``note[s] on the claim
[its] belief that the service is noncovered and that it is being
submitted at the beneficiary's insistence.'' See Medicare Carriers
Manual, section 3043. If the DMEPOS supplier believes the item or
service may be denied for any reason (e.g., not covered, not
medically necessary), the DMEPOS supplier may have the beneficiary
sign a written notice accepting financial responsibility if the item
or service is denied (see Medicare Carriers Manual, section 7300.5).
The DMEPOS supplier should include modifier ``GA'' on the claim for
such item or service. This modifier indicates the beneficiary has
signed a written notice. If the beneficiary signed an advance
written notice, the DMEPOS supplier may directly bill the
beneficiary for the denied item or service. (See section II.A.3.i
for further discussion on written notices). See also discussion in
section II.A.3.a and accompanying notes.
---------------------------------------------------------------------------
[[Page 36373]]
Billing patients for denied chargs without a signed
written notice; \32\
---------------------------------------------------------------------------
\32\ This includes, but is not limited to, billing the patient
for items or services denied as not medically necessary by the
payor, where there has been no written notice signed by the patient,
the written notice has been inappropriately obtained or the written
notice was drafted inappropriately. See Medicare Carrier Manual,
section 7300.5A, regarding the requirements for written notice.
---------------------------------------------------------------------------
Duplicate billing; 33
---------------------------------------------------------------------------
\33\ Duplicate billing occurs when more than one claim for
payment is submitted for the same patient, for the same service, for
the same date of service (by the same or different DMEPOS supplier),
or the same claim is submitted to more than one payor as primary
Although duplicate billing can occur due to simple error (which does
not create civil or criminal liability), fraudulent duplicate
billing is often evidenced by systematic or repeated double billing,
and creates liability under criminal, civil, and administrative law,
particularly if any overpayment is not promptly refunded. See note
72.
---------------------------------------------------------------------------
Billing for items or services not ordered; 34
---------------------------------------------------------------------------
\34\ Billing for items or services not ordered involves seeking
reimbursement for items or services provided, but not ordered by the
treating physician or other authorized person.
---------------------------------------------------------------------------
Using a billing agent whose compensation arrangement
violates the reassignment rule; 35
---------------------------------------------------------------------------
\35\ If a billing agent receives payment on behalf of a DMEPOS
supplier, the billing agent's compensation may not be related in any
way to the dollar amounts billed or collected. See 42 U.S.C.
1395u(b)(6); 42 CFR 424.73; Medicare Carriers Manual, section 3060.
---------------------------------------------------------------------------
Upcoding; 36
---------------------------------------------------------------------------
\36\ Upcoding involves selecting a code to maximize
reimbursement when such code is not the most appropriate descriptor
of the service (e.g., billing for a more expensive piece of
equipment when a less expensive piece of equipment is provided).
---------------------------------------------------------------------------
Unbundling items or supplies; 37
---------------------------------------------------------------------------
\37\ Unbundling items or supplies involves billing for
individual components when a specific HCFA Common Procedure Coding
System (HCPCS) code provides for the components to be billed as a
unit (e.g., providing a wheelchair and billing the individual parts
of the wheelchair, rather than the wheeelchair as a whole).
---------------------------------------------------------------------------
Billing for new equipment and providing used equipment;
38
---------------------------------------------------------------------------
\38\ The DMEPOS supplier must indicate on the Medicare claim
form, through the use of modifiers, whether the item provided is new
or used. The modifier for providing new equipment is ``NU.'' The
modifies for providing used equipment is ``UE.'' A knowing failure
to correctly document the item provided would constitute falsifying
information on the claim form and many constitute a violation of the
False Claims Act. See 31 U.S.C. 3729.
---------------------------------------------------------------------------
Continuing to bill for rental items after they are no
longer medically necessary; 39
---------------------------------------------------------------------------
\39\ Once a rental item is no longer medically necessary, the
DMEPOS supplier required to discontinue billing the payor for it.
The OIG recognizes that DMEPOS suppliers cannot make medical
necessity determinations and may not be aware that a rental item is
no longer medically necessary for a particular patient. As a result,
the OIG recommends that the DMEPOS supplier periodically contact the
treating physician or other authorized person to ensure the rental
item continues to be medically necessary. In addition, the OIG
recommends that the DMEPOS supplier pick up such equipment from the
patient in a timely manner. If the DMEPOS supplier bills for a
rental item after it is no longer medically necessary, the DMEPOS
supplier is financially responsible for that item and must remit any
overpayments for that item. See 42 U.S.C. 1320a-7b(a)(3), which
provides criminal penalties for failure to disclose an overpayment.
---------------------------------------------------------------------------
Resubmission of denied claims with different information
in an attempt to be improperly reimbursed; 40
---------------------------------------------------------------------------
\40\ This practice involves the DMEPOS supplier improperly
changing information on a previously denied claim and continuing to
resubmit the claim in an attempt to receive payment. For example, a
DMEPOS supplier may submit a claim using the accurate HCPCS code for
the item or service provided and the claim is subsequently denied.
It is improper to change the HCPCS code to HCPCS code that the
DMEPOS supplier believes is reimbursable, when such item or service
was not provided.
---------------------------------------------------------------------------
Refusing to submit a claim to Medicare for which payment
is made on a reasonable charge or fee schedule basis; 41
---------------------------------------------------------------------------
\41\ This practice involves a DMEPOS supplier not submitting a
claim on behalf of the beneficiary for items or services that are
Medicare benefits and are reimbursable under the Medicare program.
See 42 U.S.C 1395w-4(g)(4).
---------------------------------------------------------------------------
Inadequate management and oversight of contracted
services, which results in improper billing; 42
---------------------------------------------------------------------------
\42\ The OIG recommends that the DMEPOS supplier create internal
mechanisms to ensure that the use of contractors does not lead to
improper billing practices.
---------------------------------------------------------------------------
Charge limitations; 43
---------------------------------------------------------------------------
\43\ A DMEPOS supplier should ensure that its billing personnel
are informed of the different payment rules of all the Federal,
State, and private health care programs it bills. The supplier
should be aware that billing for items or services furnished
substantially in excess of the supplier's usual charges may result
in exclusion and other sanctions. See 42 U.S.C. 1320a-7(b)(6)(A).
See also OIG Ad. Op. 98-8 (1998).
---------------------------------------------------------------------------
Providing and/or billing for substantially excessive
amounts of DMEPOS items or supplies; 44
---------------------------------------------------------------------------
\44\ This practice, which constitutes overulitization, involves
providing and/or billing for substantially more items or supplies
that are reasonable and necessary for the needs of each individual
patient. The OIG recognizes that DMEPOS suppliers cannot make
medical necessity determinations. The medical need for an item must
be determined by the physician or other authorized person who is
treating the patient. However, the DMEPOS supplier must ensure that
the patient's condition meets coverage, payment and utilization
criteria as established in the payor's medical policies. If the
DMEPOS supplier is providing and/or billing for substantially
excessive amounts of DMEPOS items or supplies, the DMEPOS supplier
is financially responsible for remitting any overpayments relating
to those items or supplies. The OIG recommends that if a DMEPOS
supplier is providing and billing for a large number of items or
supplies for the same patient, it may periodically want to contact
the treating physician or other authorized person to confirm the
medical necessity of the items or supplies. Such contact with the
physician's office should be documented. The practice of billing for
substantially excessive amounts of items or supplies may lead to
exclusion from Federal health care programs and other sanctions. See
42 U.S.C. 1320a-7(b)(6)(B).
---------------------------------------------------------------------------
Providing and/or billing for an item or service that does
not meet the quality and standard of the DMEPOS item claimed;
45
---------------------------------------------------------------------------
\45\ This practice involves providing and./or billing for an
item or service that does not meet the definition and/or requirement
of the item or service ordered by the treating physician or other
authorized person. Generally, such items are inferior in quality,
and therefore do not meet the definition of what was ordered and/or
billed. Sometimes this may mean that certin equipment was never
cleared by the Food and Drug Administration, as required by law.
This practice may lead to billing for items that are not reasonable
and necessary. A DMEPOS supplier should ensure that the iterm or
services it furnishes meet professionally recognized minimum
standards of health care.
---------------------------------------------------------------------------
Capped rentals; 46
---------------------------------------------------------------------------
\46\ See discussion in section II.A.3.k and accompanying notes.
---------------------------------------------------------------------------
Failure to monitor medical necessity on an on-going basis;
47
---------------------------------------------------------------------------
\47\ In order for a patient to continue to receive items or
supplies (e.g., rental equipment, supplies for an on-going
condition) and for the DMEPOS supplier to receive Medicare
reimbursement, the patient must meet the medical necessity criteria
for that specific item or supply on an on-going basis. The item or
supply furnished by the DMEPOS supplier should be replaced or
adjusted, in a timely manner, to reflect changes in the patient's
condition. The OIG recognizes that a DMEPOS supplier cannot make
medical necessity determinations and may not be aware when a
patient's condition changes. However, if a DMEPOS supplier is
billing for items or services that are no longer medically
necessary, the supplier is financially responsible for remitting any
overpayments relating to those items or services. The OIG recommends
that if a DMEPOS supplier is providing the same items or supplies to
a patient on a regular basis, it may periodically want to contact
the treating physician or other authorized person to confirm that
the items or supplies continue to be medically necessary. Such
contact with the physician's office should be documented.
---------------------------------------------------------------------------
Delivering or billing for certain items or supplies prior
to receiving a physician's order and/or appropriate CMN; 48
---------------------------------------------------------------------------
\48\ This practice involves a DMEPOS supplier delivering to the
patient, and/or billing the payor for, items or supplies that have
not yet been ordered by the treating physician or other authorized
person. Medicare requires written orders for certain items before
delivery. See, e.g., 42 CFR 410.38.
---------------------------------------------------------------------------
Falsifying information on the claim form, CMN, and/or
accompanying documentation; 49
---------------------------------------------------------------------------
\49\ This practice invovles supplying false information to be
included on the claim form, the CMN, or other accompanying
documentation. The information reported on these documents should
accurately reflect the patient's information, including medical
information, and the items or services ordere by the treating
physician or other authorized person and provided by the DMEPOS
supplier. See, e.g., 18 U.S.C. 1035, which provides criminal
penalties for falsifying information on such documentation.
---------------------------------------------------------------------------
[[Page 36374]]
Completing portions of CMNs reserved for completion only
by the treating physician or other authorized person; 50
---------------------------------------------------------------------------
\50\ This practice involves not completing the CMN in compliance
with Medicare regulations (i.e., sections B and D should never be
completed by the supplier). Instructions for completing the CMN can
be found on the back of the form. See Medicare Carriers Manual,
section 3312, which provides instructions on how to complete the CMN
and the CMPs that may be assessed for improper completion of the
CMN. See also 42 U.S.C. 1395m(j)(2); section II.A.3.c and
accompanying notes for further discussion on CMNs. Such conduct may
also result in liability under civil and criminal laws.
---------------------------------------------------------------------------
Altering medical records; 51
---------------------------------------------------------------------------
\51\ This practice involves falsifying information on a
patient's medical records to justify reimbursement for an item or
service.
---------------------------------------------------------------------------
Manipulating the patient's diagnosis in an attempt to
receive improper payment; 52
---------------------------------------------------------------------------
\52\ This practice involves altering the treating physician's or
other authorized person's diagnosis in an attempt to receive
reimbursement for a particular item or service. A DMEPOS supplier
should not claim the patient has a particular medical condition in
order to qualify for an item for which the patient would not
otherwise qualify.
---------------------------------------------------------------------------
Failing to maintain medical necessity documentation;
53
---------------------------------------------------------------------------
\53\ This practice involves failing to ensure that the medical
necessity documentation requirements for the item or service billed
are properly met (e.g., failing to maintain the physician orders or
CMNs or failing to ensure that CMNs contain adequate and correct
information). See Medicare Carriers Manual, section 4105.2 for
evidence of medical necessity. See also sections II.A.3.b and
II.A.3.c regarding physician orders and CMNs, respectively.
---------------------------------------------------------------------------
Inappropriate use of place of service codes; 54
---------------------------------------------------------------------------
\54\ This practice involves indicating on the claim form that
the place of service is a location other than where the service was
provided. For example, the patient resides in a skilled nursing
facility (SNF) and a DMEPOS supplier submits a claim with the place
of service as the patient's home. Provided that the DMEPOS items or
services are ordered, provided, reasonable and necessary given the
clinical condition of the patient, the items or services may be
covered if the beneficiary resides at home. However, such items may
not be covered if the beneficiary resides in a SNF. See Medicare
Carriers Manual, section 2100.3 for the definition of a
beneficiary's home.
---------------------------------------------------------------------------
Cover letters that encourage physicians to order medically
unnecessary items or services; 55
---------------------------------------------------------------------------
\55\ See discussion in section II.A.3.m.
---------------------------------------------------------------------------
Improper use of the ZX modifier; 56
---------------------------------------------------------------------------
\56\ This practice involves the improper use of the ZX modifier,
relating to maintaining medical necessity documentation. See
discussion in section II.A.3.l.
---------------------------------------------------------------------------
Routine waiver of deductibles and coinsurance;
57
---------------------------------------------------------------------------
\57\ Throughout this document, the term ``deductibles and
coinsurance'' refers to Medicare as well as to any other health
insurance program requiring deductibles and coinsurance. See
discussion in section II.A.3.j and accompanying notes.
---------------------------------------------------------------------------
Providing incentives to actual or potential referral
sources (e.g., physicians, hospitals, patients, skilled nursing
facilities, home health agencies or others) that may violate the anti-
kickback statute or other similar Federal or State statute or
regulation; 58
---------------------------------------------------------------------------
\58\ Examples of arrangements that may run afoul of the anti-
kickback statute include practices in which a DMEPOS supplier pays a
fee to a physician for each CMN the physician signs, provides free
gifts to physicians for signing CMNs, provides inducements to
beneficiaries, and/or provides items or services for free or below
fair market value to providers or beneficiaries of Federal health
care programs. See 42 U.S.C. 1320a-7a(a)(5); 42 U.S.C. 1320a-7b(b);
60 FR 40847 (August 10, 1995). See also discussion in section II.A.4
and accompanying notes.
---------------------------------------------------------------------------
Compensation programs that offer incentives for items or
services ordered and revenue generated; 59
---------------------------------------------------------------------------
\59\ Compensation programs that offer incentives for items or
services ordered or the revenue they generate may lead to the
ordering of medically unnecessary items or supplies and/or the
``dumping'' of such items or supplies in a facility or in a
beneficiary's home (e.g., mail order supply companies that continue
to send the patient supplies when the supplies are no longer
medically necessary).
---------------------------------------------------------------------------
Joint ventures between parties, one of whom can refer
Medicare or Medicaid business to the other; 60
---------------------------------------------------------------------------
\60\ Equally troubling to the OIG is the proliferation of
business arrangements that may violate the anti-kickback statute or
other similar Federal and State statute or regulation. Such
arrangements are generally established between those in a position
to refer business, such as physicians, and those providing items or
services, such as DMEPOS suppliers, for which a Federal health care
program pays. Sometimes established as ``joint ventures,'' these
arrangements may take a variety of forms. The OIG currently has a
number of investigations and audits underway that focus on such
areas of concern. The OIG has also issued a Special Fraud Alert on
Joint Venture Arrangements. This Special Fraud Alert can be found at
59 FR 65372 (December 19, 1994) or on the Internet at http://
www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------
Billing for items or services furnished pursuant to a
prohibited referral under the Stark physician self-referral law;
61
---------------------------------------------------------------------------
\61\ Under the Stark physician self-referral law, if a physician
(or an immediate family member of such physician) has a prohibited
financial relationship with a DMEPOS supplier, the physician may not
make a referral to the DMEPOS supplier and the DMEPOS supplier may
not bill for furnishing DMEPOS items or supplies for which payment
may be made under the Federal health care programs. See 42 U.S.C.
1395nn.
---------------------------------------------------------------------------
Improper telemarketing practices; 62
---------------------------------------------------------------------------
\62\ See 42 U.S.C. 1395m(a)(17) or Pub.L. 103-432, section
132(a) for the prohibition on telemarketing. See also discussion in
section II.A.5 and accompanying notes.
---------------------------------------------------------------------------
Improper patient solicitation activities and high-pressure
marketing of noncovered or unnecessary services; 63
---------------------------------------------------------------------------
\63\ The DMEPOS supplier should not utilize prohibited or
inappropriate conduct to carry out its initiatives and activities
designed to maximize business growth and patient retention. Many
cases against DMEPOS suppliers have involved the DMEPOS supplier
giving the beneficiary free gifts such as angora underwear,
microwaves and air conditioners in exchange for providing and
billing for unnecessary items. Any marketing information offered by
the DMEPOS supplier should be clear, correct, non-deceptive, and
fully informative. See discussion in section II.A.5 and accompanying
notes.
---------------------------------------------------------------------------
Co-location of DMEPOS items and supplies with the referral
source; 64
---------------------------------------------------------------------------
\64\ In this situation, a physician allows a DMEPOS supplier to
stock inventory (the storage space may or may not be rented by the
DMEPOS supplier) in a physician's office. When such items and
supplies are dispensed to the patient, Medicare is then billed.
Although such arrangements are not prohibited per se, the OIG
believes that such arrangements may potentially raise anti-kickback
and self-referral issues, particularly when the DMEPOS supplier pays
the physician an amount above fair market value to rent the space.
---------------------------------------------------------------------------
Non-compliance with the Federal, State and private payor
supplier standards; 65
---------------------------------------------------------------------------
\65\ A DMEPOS supplier should have appropriate personnel
acknowledge they have reviewed and will abide by the Medicare
supplier standards. In addition, a DMEPOS supplier should ensure it
is meeting individual State and private payor supplier standards.
See 42 CFR 424.57 for the Medicare supplier standards.
---------------------------------------------------------------------------
Providing false information on the Medicare DMEPOS
supplier enrollment form; 66
---------------------------------------------------------------------------
\66\ Criminal penalties may be imposed against an individual who
knowingly and willfully makes or causes to be made any false
statements or representations of a material fact in any application
for any benefit or payment under a Federal health care program. See
42 U.S.C. 1320a-7b(a)(1). See also 31 U.S.C. 3729(a) (``any person
who * * * knowingly makes, uses, or causes to be made or used, a
false record or statement to get a false or fraudulent claim paid or
approved by the Government * * * is liable to the United States
Government for a civil penalty of not less than $5,000 and not more
than $10,000, plus 3 times the amount of damages which the
Government sustains because of the act of that person * * *'')
---------------------------------------------------------------------------
Not notifying the National Supplier Clearinghouse in a
timely manner of changes to the information previously provided on the
DMEPOS supplier enrollment form; 67
---------------------------------------------------------------------------
\67\ By signing the DMEPOS supplier enrollment application, a
DMEPOS supplier certifies it will notify the Medicare contractor of
any changes in its enrollment information within 30 days of the
effective date of the change.
---------------------------------------------------------------------------
Misrepresenting a person's status as an agent or
representative of Medicare; 68
---------------------------------------------------------------------------
\68\ It is unlawful for a DMEPOS supplier to represent itself as
a Medicare representative. See 42 U.S.C. 1320b-10.
---------------------------------------------------------------------------
Knowing misuse of a supplier number, which results in
improper billing; 69
---------------------------------------------------------------------------
\69\ This practice may involve, but is not limited to, using
another DMEPOS supplier's billing number.
---------------------------------------------------------------------------
Failing to meet individual payor requirements;
70
---------------------------------------------------------------------------
\70\ A DMEPOS supplier should be aware of the requirements of
any payor they bill, especially in those situations where there is a
primary and secondary payor.
---------------------------------------------------------------------------
[[Page 36375]]
Performing tests on a beneficiary to establish medical
necessity; 71
---------------------------------------------------------------------------
\71\ E.g., Medicare does not permit DMEPOS suppliers to perform
oxygen tests (e.g., oximetry tests and arterial blood gas tests) to
qualify patients for oxygen and oxygen supplies. See Medicare
Coverage Issues Manual, section 60-4. See also discussion in section
II.A.3.o.
---------------------------------------------------------------------------
Failing to refund overpayments to a health care program;
72
---------------------------------------------------------------------------
\72\ An overpayment is the amount of money received in excess of
the amount due and payable under a health care program. Examples of
overpayments include, but are not limited to, instances where a
DMEPOS supplier is: (i) paid twice for the same service, for the
same beneficiary; or (ii) paid for services that were provided but
not ordered by the treating physician or other authorized person.
The OIG strongly recommends that the DMEPOS supplier institute
procedures to detect overpayments and to promptly remit such
overpayments to the affected payor. See 42 U.S.C. 1320a-7b(a)(3).
See also 18 U.S.C. 669 and 31 U.S.C. 3729(a)(7).
---------------------------------------------------------------------------
Failing to refund overpayments to patients; 73
---------------------------------------------------------------------------
\73\ If a patient is also due money when a DMEPOS supplier
identifies an overpayment to a health care program, the DMEPOS
supplier should make a prompt refund to the patient. See 42 U.S.C.
1395m(j)(4) on limitation of patient liability for non-assigned
claims that are denied due to medical necessity. See also 42 U.S.C.
1395pp(h) on limitation of patient liability for assigned claims
that are denied due to medical necessity.
---------------------------------------------------------------------------
Improper billing resulting from a lack of communication
between the DMEPOS supplier, the physician, and the patient;
74
---------------------------------------------------------------------------
\74\ A lack of communication between the DMEPOS supplier,
physician, and patient may result in the DMEPOS supplier
inappropriately billing for items or supplies (e.g., supplies for an
on-going condition or rental equipment that are no longer medically
necessary). See discussion in section II.A.3.n.
---------------------------------------------------------------------------
Improper billing resulting from a lack of communication
between different departments within the DMEPOS supplier; 75
and
---------------------------------------------------------------------------
\75\ A lack of communication between the different departments
of a DMEPOS supplier may result in the DMEPOS supplier filing
incorrect claims and/or equipment delivery problems.
---------------------------------------------------------------------------
Employing persons excluded from participation in Federal
health care programs.76
---------------------------------------------------------------------------
\76\ This involves hiring or contracting with individuals or
entities who have been excluded from participation in Federal health
care programs or any other Federal procurement or non-procurement
program. See section II.F.2.
---------------------------------------------------------------------------
A DMEPOS supplier's prior history of noncompliance with applicable
statutes, regulations, and Federal, State or private health care
program requirements may indicate additional types of risk areas where
the DMEPOS supplier may be vulnerable and that may require policies and
procedures to prevent recurrence.77 Additional risk areas
should be assessed by the DMEPOS supplier and incorporated into its
written policies and procedures and training programs developed as part
of its compliance program.
---------------------------------------------------------------------------
\77\ ``Recurrence of misconduct similar to that which an
organization has previously committed casts doubt on whether it took
all reasonable steps to prevent such misconduct'' and is a
significant factor in the assessment of whether a compliance program
is effective. See United States Sentencing Commission Guidelines,
Guidelines Manual, 8A1.2, Application Note 3(k)(iii).
---------------------------------------------------------------------------
The OIG believes sound operating policies are essential to all
DMEPOS suppliers, regardless of size. The OIG recommends that small
DMEPOS suppliers focus on the risk areas most potentially problematic
to its business operations. The OIG recognizes some small DMEPOS
suppliers may not have the resources to independently develop a
comprehensive set of written policies and procedures pertaining to such
risk areas. In this case, the OIG recommends that the small DMEPOS
supplier create a manual that is accessible to all employees. Such a
manual should contain the specific statutes, regulations, and DMERC
instructions and bulletins that address the DMEPOS supplier's
identified risk areas. The goal of this manual is to provide employees
direction so they can properly address any concerns/issues/questions
that may arise.
3. Claims Development and Submission
a. Medical Necessity
The OIG recommends that the DMEPOS supplier's compliance program
communicate to physicians and other persons authorized to order items
and services that claims submitted for items and services will only be
paid if the item or service is ordered, provided, covered, reasonable
and necessary for the patient, given his or her clinical condition. The
DMEPOS suppliers should take all reasonable steps to ensure they are
not submitting claims for services that are not: (i) covered; (ii)
reasonable; and (iii) necessary.78 The DMEPOS suppliers must
keep the treating physician's or other authorized person's signed and
dated order or CMN on file for all DMEPOS items and
services.79 Upon a payor's request, the DMEPOS supplier must
be able to provide documentation, such as physician orders, completed
original CMNs,80 proof of delivery, written confirmation of
verbal orders and any other documentation to support the medical
necessity of an item or service the DMEPOS supplier has provided and
billed to a Federal or private health care program.81
Because the DMEPOS supplier is responsible for producing documentation
upon request, the DMEPOS supplier may want to send a written notice to
its clients who write orders and refer patients concerning payors'
documentation requirements.
---------------------------------------------------------------------------
\78\ See note 31.
\79\ See Medicare Carrier Manual, section 3312. See also
Medicare Carrier Manual, section 4105.2 regarding what information
must be included on the physician's order.
\80\ An original CMN is that in which Section B was completed by
the treating physician or other authorized person and contains the
original signature of the treating physician or other authorized
person.
\81\ In order to ensure correct reimbursement, the payor may
conduct a post-payment audit of a DMEPOS supplier's claims. Such
audits may require that the DMEPOS supplier submit documentation to
substantiate that the items or services were ordered by the treating
physician or other authorized person, provided, covered, reasonable
and necessary. See 42 CFR 424.5(a)(6).
---------------------------------------------------------------------------
As a preliminary matter, the OIG recognizes that physicians and
other authorized persons must be able to order any items or services
that they believe are appropriate for the treatment of their patients.
However, Medicare and other Government and private health care plans
will only pay for those services that are covered and that meet the
appropriate medical necessity standards (e.g., ordered, provided,
reasonable, necessary, and meeting criteria established by medical
review policies). ``No payment may be made under Part A or Part B for
any expenses incurred for items or services * * * which are not
reasonable and necessary for the diagnosis or treatment of an illness
or injury or to improve the functioning of a malformed body member.''
82 Therefore, DMEPOS suppliers should be aware that Medicare
may deny payment for an item or service that the treating physician or
other authorized person believes is appropriate, but which does not
meet the Medicare coverage criteria or where the documentation does not
support that the item or service was reasonable and necessary for the
patient. The OIG recommends that the DMEPOS supplier advise its clients
that claims for items or services submitted for Federal, State or
private payor reimbursement must meet program requirements
83 or the claims may be denied.
---------------------------------------------------------------------------
\82\ See 42 U.S.C. 1395y(a)(1)(A).
\83\ See note 31.
---------------------------------------------------------------------------
The DMEPOS supplier should take steps to ensure compliance with the
applicable statutes, regulations and the requirements of Federal, State
and private health plans. The OIG recognizes that DMEPOS suppliers do
not and cannot treat patients or make medical necessity determinations.
However, the DMEPOS supplier must take steps to ensure that the
beneficiary's condition meets coverage, payment and utilization
criteria established in medical policies before it submits a claim to
Federal, State or private health plans. In order to help
[[Page 36376]]
ensure compliance, the OIG recommends that DMEPOS supplier personnel
understand the coverage and payment criteria of each payor they bill.
To help aid supplier personnel, the DMEPOS supplier's compliance
officer may want to create a clear, comprehensive summary of the
``medical necessity'' standards or coverage criteria and applicable
rules of the various Government and private plans. This summary should
be disseminated and explained to the appropriate DMEPOS supplier
personnel.
We also recommend that DMEPOS suppliers formulate internal control
mechanisms through their written policies and procedures to ensure the
medical necessity of the items or services they provide. Such policies
and procedures may include periodic claim reviews, both prior and
subsequent to billing for items and services. Such a procedure will
verify that patients are receiving and the DMEPOS supplier is being
paid for items and/or services that are ordered, provided, covered,
reasonable and necessary. The DMEPOS supplier may choose to incorporate
this claims review function into pre-existing quality assurance
mechanisms.
b. Physician Orders
The DMEPOS supplier's written policies and procedures should state
that the DMEPOS supplier will not bill for an item or service unless
and until it has been ordered by the treating physician or other
authorized person. For all Medicare reimbursed DMEPOS items or
services, the DMEPOS supplier must receive a written order from the
patient's treating physician or other authorized person. Such written
order must be received prior to billing Medicare. When the DMEPOS
supplier receives a verbal order, the DMEPOS supplier should document
the verbal order and must have the treating physician or other
authorized person confirm it in writing prior to billing.
The written policies and procedures should also state, for items
requiring a written order prior to delivery, that the order must be
received by the DMEPOS supplier before it delivers the equipment to the
patient and before it bills the payor.84
---------------------------------------------------------------------------
\84\ See 42 CFR 410.38.
---------------------------------------------------------------------------
c. Certificate of Medical Necessity 85
For some DMEPOS items and services, the DMEPOS supplier must
receive a signed CMN from the treating physician or other authorized
person. Currently, CMNs are required for Medicare reimbursement for
fourteen items. 86 The CMN must be retained in the DMEPOS
supplier's records before it can submit a claim for payment to the
Medicare program. Although faxed CMNs are permitted in order to submit
the claim, the DMERCs have the authority to request the original CMN
from the DMEPOS supplier at any time.87
---------------------------------------------------------------------------
\85\ As defined in 42 U.S.C. 1395m(j)(2)(B). See also OIG
Special Fraud Alert regarding Physician Liability for Certifications
in the Provision of Medical Equipment and Supplies and Home Health
Services, 64 FR 1813 (January 12, 1999). Special Fraud Alerts are
available on the OIG website.
\86\ Items or services requiring CMNs are as follows: Home
oxygen therapy (HCFA form 484); Hospital beds (HCFA form 841);
Support surfaces (HCFA form 842); Motorized wheelchairs (HCFA form
843) (Section C continuation, HCFA form 854); Manual wheelchairs
(HCFA form 844) (Section C continuation, HCFA form 854); Continuous
positive airway pressure (CPAP) devices (HCFA form 845); Lymphedema
pumps (pneumatic compression devices) (HCFA form 846); Osteogenesis
stimulators (HCFA form 847); Transcutaneous electrical nerve
stimulators (TENS) (HCFA form 848); Seat lift mechanisms (HCFA form
849); Power operated vehicles (HCFA form 850); Infusion pumps (HCFA
form 851); Parenteral nutrition (HCFA form 852); and Enteral
nutrition (HCFA form 853).
\87\ See HCFA Program Memorandum B-99-23 (April 1999).
---------------------------------------------------------------------------
Each CMN has four sections: A, B, C, and D. Section A may be
completed by the DMEPOS supplier. Section B may not be completed by the
DMEPOS supplier.88 Section B may only be completed by the
treating physician, a non-physician clinician involved in the care of
the patient or a physician employee who is knowledgeable about the
patient's treatment. If section B is completed by a physician's
employee, the section must be reviewed by the treating physician or
other person authorized to sign section D of the CMN 89 to
ensure the information's accuracy. Section C must be completed by the
DMEPOS supplier prior to the CMN being furnished to the treating
physician or other authorized person for signature.90
Section D is the attestation statement and may only be signed by the
treating physician or other person authorized to sign section
D.91 The DMEPOS supplier's written policies and procedures
on completing CMNs should reflect these standards.
---------------------------------------------------------------------------
\88\ A supplier who knowingly and willfully completes section B
of the form is, at a minimum, subject to a CMP of up to $1,000 for
each form or document completed in such manner. See 42 U.S.C.
1395m(j)(2). That supplier may also face civil and criminal
liability.
\89\ See HCFA Program Memorandum B-98-47 (November, 1998), which
discusses who is authorized to sign section D of the CMN.
\90\ A supplier who knowlingly and willfully fails to include,
in section C, the fee schedule amount and the supplier's charge for
the equipment or supplies being furnished may be subject to a CMP up
to $1,000 for each form or document so distributed. See 42 U.S.C.
1395m(j)(2).
\91\ Physicians or persons authorized to sign section D (see
note 89), should only sign CMNs in which sections A-C are completed
and correct. Signature and date stamps are not acceptable. See
Medicare Carriers Manual, section 3312.
---------------------------------------------------------------------------
The DMEPOS supplier should take all reasonable steps to ensure that
each section of the CMN is completed in accordance with the above
guidelines. The OIG recommends that the DMEPOS supplier's written
policies and procedures, at a minimum, provide that the DMEPOS
supplier:
Does not forward blank CMNs to the treating physician or
other authorized person for signature;
Does not complete section B (Medical Necessity) of the
CMN;
Does not alter or add any information on the CMN after
receiving the completed and signed CMN from the physician or other
authorized person; 92
---------------------------------------------------------------------------
\92\ There have been many investigations centering on DMEPOS
suppliers who alter information in order to affect their
reimbursement (e.g., altering diagnosis code, altering HCPCS code of
service provided).
---------------------------------------------------------------------------
Does not sign the CMN for the treating physician or other
authorized person;
Does not urge physicians or other authorized persons to
order equipment or supplies that exceed what is reasonable and
necessary for the patient;
Does not deliver an item that requires a written order
from the treating physician or other authorized person prior to
receiving the written order; 93
---------------------------------------------------------------------------
\93\ See 42 U.S.C. 1395m(a)(11)(B). See also 42 CFR 410.38.
---------------------------------------------------------------------------
Does not submit a claim for DMEPOS items or services prior
to receiving a written order or CMN from the treating physician or
other authorized person;
Does not submit a claim for DMEPOS items or services until
the CMN is properly and correctly completed by the treating physician
or other authorized person;
Maintains completed and signed CMNs in its files;
Consults with the treating physician or other authorized
person who signed the CMN when there is a question on the order;
Properly complete sections A and C of the CMN and then
forward the CMN to the treating physician or other authorized person
for his/her review, information, and signature; and
Only submit claims for services that the treating
physician or other authorized person attests in section D are ordered
and medically necessary for the patient.
[[Page 36377]]
d. Billing
The DMEPOS supplier should provide in its written policies and
procedures that it will only submit to Medicare or other Federal, State
or private payor health care plans claims that are properly completed,
accurate, and correctly identify the item or service ordered by the
treating physician or other authorized person and furnished to the
patient. Also, prior to submitting the claim, the DMEPOS supplier
should take all reasonable steps to ensure the item or service being
claimed was provided, covered, reasonable and necessary.
The written policies and procedures should also clarify that a
DMEPOS supplier cannot submit bills or receive payment for drugs used
in conjunction with DMEPOS, unless the DMEPOS supplier is licensed to
dispense the drug.94
---------------------------------------------------------------------------
\94\ See Medicare Program Memoranda B-98-6 (February, 1998) and
B-98-18 (May, 1998).
---------------------------------------------------------------------------
e. Selection of HCPCS Codes
The DMEPOS supplier's written policies and procedures should state
that only the HCPCS code that most accurately describes the item or
service ordered and provided should be billed. The OIG views knowing
``upcoding'' (i.e., the selection of a code to maximize reimbursement
when such a code is not the most appropriate descriptor of the service)
as raising, among other things, false claims issues under the Civil
False Claims Act.95 To ensure code accuracy, the OIG
recommends that the DMEPOS supplier include a requirement in its
policies and procedures that the codes be reviewed (random sample or
certain codes) by individuals with technical expertise in coding before
claims containing such codes are submitted to the affected payor. If a
DMEPOS supplier has questions regarding the appropriate code to be
used, it should contact the Statistical Analysis Durable Medical
Equipment Carrier's (SADMERC) HCPCS coding help line.96
---------------------------------------------------------------------------
\95\ See 31 U.S.C. 3729, which provides for the imposition of
penalties of $5,000 to $10,000 per false claim, plus up to three
times the amount of damages suffered by the Federal Government
because of the false claim.
\96\ The phone number for the SADMERC's HCPCS coding help line
is 803-736-6809. The hours of operation are Monday through Friday
from 9:00 am to 4:00 pm, EST. Based on the information provided by
the DMEPOS supplier, the SADMERC will aid the DMEPOS supplier in
choosing the most accurate code for the item or service ordered and
supplied. However, the DMEPOS supplier should be aware that
assigning a HCPCS code to an item or service does not necessarily
guarantee reimbursement.
---------------------------------------------------------------------------
f. Valid Supplier Numbers
The DMEPOS supplier should ensure that appropriate personnel are
knowledgeable in (1) completing the HCFA 855S supplier application;
97 and (2) complying with the Federal requirements of 42 CFR
424.57(e) for updating supplier number applications.
---------------------------------------------------------------------------
\97\ By signing the certification statement on the enrollment
application, the applicant agrees that he/she has read, understood,
meets and will continue to meet the supplier standards and will be
disenrolled from the program if any standards are not met or
violated.
---------------------------------------------------------------------------
The written policies and procedures should state that the DMEPOS
supplier should not bill any other Federal, State or private payor
health care plan without obtaining the necessary billing numbers and
that the billing numbers will be used correctly.98
---------------------------------------------------------------------------
\98\ E.g., if a DMEPOS supplier has more than one location, the
supplier number of the location that filled the physician's or other
authorized person's order will be used on the claim form.
---------------------------------------------------------------------------
Prior to applying for a valid supplier number, a DMEPOS supplier
providing services to Medicare beneficiaries must meet the supplier
standards.99 The DMEPOS supplier should take all affirmative
steps to ensure that no claims for Medicare reimbursement are submitted
prior to the DMEPOS supplier being issued a valid supplier number by
the National Supplier Clearinghouse. A DMEPOS supplier should not have
more than one Medicare supplier number unless it is appropriate to
identify subsidiary or regional entities under the supplier's ownership
or control.100
---------------------------------------------------------------------------
\99\ See 42 CFR 424.57.
\100\ See 42 U.S.C. 1395m(j)(1)(D).
---------------------------------------------------------------------------
g. Mail Order Suppliers
We recommend that any DMEPOS supplier who engages in the mail order
supply business clearly articulate its protocol for this segment of its
business in the company's written policies and procedures.
Mail order supplies should only be delivered in accordance with the
treating physician's or other authorized person's orders. Regularly
shipping supplies without such orders may lead to providing supplies
substantially in excess of the patient's needs.101 We also
recommend that the supplier utilize a tracking system so it will be
able to determine whether or not the patient received the supplies and
will be able to track the location of an item or supply at any given
time.
---------------------------------------------------------------------------
\101\ See note 44.
---------------------------------------------------------------------------
h. Assignment
If a DMEPOS supplier accepts Medicare assignment, its written
policies and procedures should state that it will not charge Medicare
beneficiaries more than the amounts allowed under the Medicare fee
schedule, including coinsurance and deductibles. If the beneficiary
pays the DMEPOS supplier prior to the DMEPOS supplier submitting the
claim, the DMEPOS supplier should ensure it is not charging the
beneficiary more than the coinsurance on the allowed amount under the
fee schedule. In the event that the DMEPOS supplier collects excess
payments from a Medicare beneficiary, it should have mechanisms in
place to promptly refund the overpayment to the beneficiary. The DMEPOS
supplier should be knowledgeable about the Medicare rules and
instructions for accepting assignment and receiving direct payment from
beneficiaries for items or services.
If a DMEPOS supplier chooses not to accept Medicare assignment, it
is still responsible for submitting claims to Medicare on behalf of
beneficiaries.102
---------------------------------------------------------------------------
\102\ See 42 U.S.C. 1395w-4(g)(4).
---------------------------------------------------------------------------
If the DMEPOS supplier chooses to utilize a billing agent, the
DMEPOS supplier should ensure it is complying with all of the relevant
statutes and requirements governing such an arrangement.103
The OIG strongly recommends that the DMEPOS supplier coordinate closely
with the billing company to establish compliance responsibilities. Once
the responsibilities have been clearly delineated, they should be
formalized in the written contract between the DMEPOS supplier and the
billing agent. The OIG recommends that the contract enumerate those
functions that are shared responsibilities and those that are the sole
responsibility of either the billing agent or the DMEPOS supplier.
---------------------------------------------------------------------------
\103\ See 42 U.S.C. 1395u(b)(6); 42 CFR 424.73; Medicare
Carriers Manual, section 3060. See also OIG Ad. Op. 98-1 (1998) and
OIG Ad. Op. 98-4 (1998).
---------------------------------------------------------------------------
i. Liability Issues
The OIG recommends that DMEPOS suppliers avoid submitting claims
for items or services that the DMEPOS supplier believes are not covered
by Medicare. However, HCFA does permit a DMEPOS supplier to submit a
claim for an item or service that the DMEPOS supplier believes is not
covered if (i) the beneficiary insists that the DMEPOS supplier submit
the claim, and (ii) the DMEPOS supplier notes on the claims its belief
that the service is noncovered and that it is being submitted at the
beneficiary's insistence (e.g., submitted for a Medicare determination
of
[[Page 36378]]
coverage and/or to obtain a denial notice in order to bill other
insurers).104
---------------------------------------------------------------------------
\104\ See Medicare Carriers Manual, section 3043.
---------------------------------------------------------------------------
A DMEPOS supplier or Medicare beneficiary is not liable for payment
on assigned claims where the beneficiary did not know, and could not
reasonably have been expected to know, that the payment for such
services would not be made.105 However, when the DMEPOS
supplier knew, or could have been expected to know, the items or
services would be denied, the liability for improperly paid items or
services rests with the DMEPOS supplier.106
---------------------------------------------------------------------------
\105\ See 42 U.S.C. 1395pp.
\106\ Id.
---------------------------------------------------------------------------
In order to protect itself from financial responsibility in such
situations (i.e., situations in which the beneficiary is insisting that
a claim be submitted to Medicare notwithstanding the DMEPOS supplier's
belief that Medicare does not cover the service), the DMEPOS supplier
must inform the patient prior to furnishing the item or service of the
DMEPOS supplier's belief that the claim to Medicare will be denied. In
this situation, the DMEPOS supplier should ask the patient to sign a
written notice.107 The written notice must be in writing,
must clearly identify the particular item or service, must state that
the payment for the particular item or service likely will be denied,
and must give the reason(s) for the belief that payment is likely to be
denied. It is the beneficiary's decision whether or not to sign the
written notice. If the beneficiary does sign the written notice, the
DMEPOS supplier should: (1) include the appropriate modifier on the
claim form; (2) maintain the written notice in its files; and (3) be
able to produce the written notice to the DMERC, upon request.
---------------------------------------------------------------------------
\107\ See Medicare Carriers Manual, section 7300.5.
---------------------------------------------------------------------------
If the DMEPOS supplier improperly bills the beneficiary, Medicare
will indemnify the beneficiary for any payments the beneficiary made to
the DMEPOS supplier, and collect the indemnification amount from the
DMEPOS supplier as an overpayment.
Routine notices to beneficiaries that do no more than state that
denial of payment is possible are not considered acceptable evidence of
written notice. Notices should not be given to beneficiaries unless
there is some genuine doubt regarding the likelihood of payment as
evidenced by the reasons stated on the written notice. Giving notice
for all claims, items or services is not an acceptable practice.
The OIG recommends that the DMEPOS supplier include the foregoing
liability issues in its written policies and procedures.
j. Routine Waiver of Deductibles and Coinsurance
Routine waivers of deductibles and coinsurance may result in false
claims, CMPs for inducements to beneficiaries, and violations of the
anti-kickback statute or similar Federal or State statute or
regulations.108 In addition to the potential problems
regarding kickbacks, false claims, and CMPs, the OIG has programmatic
concerns when DMEPOS suppliers routinely waive deductibles and
coinsurance. When DMEPOS suppliers forgive financial obligations for
reasons other than genuine financial hardship of a particular patient,
they may be inducing the patient to use items or services that are
unnecessary, simply because they are free. Such usage may also lead to
overutilization. DMEPOS suppliers are permitted to waive the Medicare
coinsurance amounts for cases of financial need.109 We
recommend that the DMEPOS supplier develop and maintain written
criteria documenting its policy for determining financial need and
consistently apply this criteria to all cases.\110\ A good faith effort
must be made to collect deductibles and coinsurance.\111\
---------------------------------------------------------------------------
\108\ See 59 FR 31157 (December 19, 1994) or the OIG website at
http://www.dhhs.gov/progorg/oig for the OIG Special Fraud Alert on
Medicare Deductibles and Copayments. See also 31 U.S.C. 3729-3733;
42 U.S.C. 1320a-7a(a)(5); 42 U.S.C. 1320a-7b.
\109\ See Medicare Carriers Manual, section 5520
\110\ What constitutes ``financial need'' varies depending on
the circumstances. However, the OIG believes it is important that a
DMEPOS supplier make determinations of financial need on an
individualized, case by case, basis in accordance with a reasonable
set of income guidelines uniformly applied in all cases. The
guidelines should be based on objective criteria and appropriate for
the applicable locality. It is not appropriate to apply inflated
income guidelines that result in waivers of copayments for persons
not in genuine financial need.
\111\ See 42 CFR 413.80; Provider Reimbursement Manual, Part I,
sections 308 and 310.
---------------------------------------------------------------------------
The DMEPOS supplier's written policies and procedures should state
that it will not routinely waive deductibles and coinsurance for
Medicare beneficiaries. The OIG recommends that such policies and
procedures should include, but not be limited to, statements that
DMEPOS supplier personnel are prohibited from: advertising an intent to
waive deductibles or coinsurance for Medicare beneficiaries;
advertising an intent to discount services for Medicare beneficiaries;
or giving unsolicited advice to Medicare beneficiaries that they need
not pay.
k. Capped Rentals
The DMEPOS supplier's written policies and procedures should
address Government and private payor requirements when providing rental
equipment to beneficiaries (e.g., the purchase option 112
and servicing and maintenance 113). The DMEPOS supplier must
offer a purchase option to beneficiaries during the 10th continuous
rental month.114 The DMEPOS supplier should clearly,
accurately, and non-deceptively discuss the pros and cons of the
different options with the beneficiary. If the beneficiary does not
accept the purchase option, the DMEPOS supplier must continue to
provide the item. After the 15th continuous month of receiving rental
payments from Medicare, providing the item or service continues to be
medically necessary, the DMEPOS supplier must continue to provide the
item without charge to the beneficiary or Medicare.
---------------------------------------------------------------------------
\112\ See 42 CFR 414.229(d).
\113\ See 42 CFR 414.229(e).
\114\ DMEPOS suppliers must offer beneficiaries the option of
purchasing power-driven wheelchairs at the time the DMEPOS supplier
first furnishes the item See 42 CFR 414.229(d)(1).
---------------------------------------------------------------------------
However, the DMEPOS supplier may submit additional claims for the
maintenance and servicing fees associated with the rental
item.115 The DMEPOS supplier should ensure it is performing
basic safety and operational function checks after use by each patient,
and is performing routine and preventative maintenance on equipment.
The DMEPOS supplier must ensure it has qualified staff or contractors
to service, set up, and instruct the patient on the proper use of the
equipment. The DMEPOS supplier should ensure it maintains current
service manuals for all the equipment it supplies. In addition, the OIG
recommends that the DMEPOS supplier's policies and procedures establish
an internal control system that allows the DMEPOS supplier to track the
location of each piece of equipment at any given time.
---------------------------------------------------------------------------
\115\ See 42 CFR 414.229(e).
---------------------------------------------------------------------------
The policies and procedures should also address the guidelines for
determining continuous use and criteria for a new rental
period.116 If a beneficiary dies during a rental period, the
DMEPOS supplier may receive the entire monthly rental
payment.117 However, if the DMEPOS supplier continues to
bill for the item because it did not receive notice of the
beneficiary's death until the following
[[Page 36379]]
month, any payments received for rental items the month after the
beneficiary dies are considered an overpayment and must promptly be
refunded. The DMEPOS supplier should create internal mechanisms to
ensure the correct rental month appears on the claim and the correct
modifier is used.
---------------------------------------------------------------------------
\116\ See 42 CFR 414.230.
\117\ See Medicare Carriers Manual, section 4105.3.
---------------------------------------------------------------------------
In addition, the DMEPOS supplier should ensure it is not submitting
claims for rental equipment when the beneficiary is residing in an
institution. The OIG is aware that some DMEPOS suppliers bring DMEPOS
items to beneficiaries residing in an institution, just prior to the
beneficiary's discharge, in order to train the beneficiary on how to
use the item or to fit the item for the beneficiary. Once the DMEPOS
supplier has trained or fitted the beneficiary, the DMEPOS supplier
should take the item and deliver it to the beneficiary's home on the
date of discharge. As a result, the DMEPOS supplier should file the
claim for this item with the date of delivery/date of service as the
date the beneficiary is discharged from the institution. If the DMEPOS
supplier delivers the item to the beneficiary in the institution prior
to the beneficiary's discharge to be used by the beneficiary while in
the institution, the item should be included in the institution's cost
and the DMEPOS supplier should not submit the claim. The DMEPOS
supplier may not submit the claim prior to the beneficiary's date of
discharge.
l. ZX Modifier
The ZX modifier is used on the claim form to indicate that the
DMEPOS supplier is maintaining medical necessity documentation in its
files. Such documentation only needs to be submitted to the DMERC upon
request.
The DMEPOS supplier should create internal mechanisms to ensure the
proper use of the ZX modifier. Improper use of the modifier may result
in the submission of false claims. The OIG recommends that the DMEPOS
supplier's written policies and procedures address the DMEPOS
supplier's protocol for using the ZX modifier.118
---------------------------------------------------------------------------
\118\ See relevant DMERC supplier manual(s) for guidelines on
proper use.
---------------------------------------------------------------------------
m. Cover Letters
Cover letters are commonly used by the DMEPOS supplier as a method
of communication between the DMEPOS supplier and the treating physician
or other authorized person. The cover letter is not a form required or
regulated by the Government. As a result, the DMERCs do not base
Medicare denials solely on what may be considered inappropriate use of
cover letters. However, the OIG is concerned that cover letters may
influence or direct a physician's or other authorized person's answers
on the CMN, particularly the questions relating to the patient's
medical condition.119 It is the treating physician's or
other authorized person's responsibility to determine both the medical
need for, and the utilization of, health care services. The OIG
encourages the DMEPOS supplier to include language in its cover letter
to remind treating physicians and other authorized persons of their
responsibilities in properly completing CMNs.
---------------------------------------------------------------------------
\119\ Encouraging physicians or other authorized persons to
order unwanted items or supplies may result in submitting claims for
items or services that are not reasonable or necessary. The OIG is
aware of instances where the DMEPOS supplier has copied the CMN,
complieted section B of the copy, and used this completed copy as
its cover letter to physicians.
---------------------------------------------------------------------------
n. Communication
The OIG suggests that the DMEPOS supplier create mechanisms that
increase the communication among treating physicians or other
authorized persons who refer business to the DMEPOS supplier, the
patients, and the DMEPOS supplier. We recommend that such mechanisms be
included in the DMEPOS supplier's written policies and procedures. Such
mechanisms may include: (i) the DMEPOS supplier periodically calling
the patient to ensure the equipment is still being used and is
operating properly; or (ii) periodically calling the treating physician
to ensure the provided items continue to be medically necessary for a
patient.
In addition, we recommend the DMEPOS supplier create mechanisms to
ensure communication between different departments (e.g., sales and
billing) in order to prevent the filing of incorrect claims.
o. Oxygen and Oxygen Equipment
The OIG recommends that the written policies and procedures for
DMEPOS suppliers furnishing oxygen state that the DMEPOS supplier will
ensure that initial claims for oxygen therapy include the written
results of an arterial blood gas study or oximetry test (on the CMN)
that has been ordered and evaluated by the patient's treating
physician. Further, the written policies and procedures should provide
for the DMEPOS supplier to maintain such test results and any other
independent diagnostic treatment facility (IDTF) documents supporting
the patient's medical necessity for the oxygen. The OIG recommends that
the DMEPOS supplier have the IDTFs, from which it receives test
results, submit, all raw test results to the treating physician for the
physician's benefit, and not just a summary of the results. The written
policies and procedures should provide that a DMEPOS supplier is not
qualified to conduct the blood gas study or to prescribe the oxygen
therapy.120
---------------------------------------------------------------------------
\120\ See Coverage Issues Manual, section 60-4.
---------------------------------------------------------------------------
The OIG also recommends, for patient safety purposes, that the
rental of oxygen include established maintenance safeguards and that
steps are taken to ensure the equipment is properly maintained, as
maintenance is included in the rental price of the equipment.
When submitting an oxygen or oxygen equipment claim for
reimbursement, the DMEPOS supplier must ensure it is complying with the
payment rules.121
---------------------------------------------------------------------------
\121\ See 42 CFR 414.226.
---------------------------------------------------------------------------
4. Anti-Kickback and Self-Referral Concerns
The DMEPOS supplier should have policies and procedures in place
with respect to compliance with Federal and State laws, including the
anti-kickback statute, as well as the Stark physician self-referral
law.122 Such policies should provide that:
---------------------------------------------------------------------------
\122\ Towards this end, the DMEPOS supplier should, among other
things, obtain copies of all relevant OIG regulations, Special Fraud
Alerts, and Advisory Opinions (these documents are located on the
Internet at http://www.dhhs.gov/progorg/oig), and ensure that the
DMEPOS supplier's policies reflect the guidance provided by the OIG.
See 42 U.S.C. 1395nn(a) for the Stark physician referral laws. See
also 42 U.S.C. 1320a-7b for prohibited activities under the anti-
kickback statute.
---------------------------------------------------------------------------
All of the DMEPOS supplier's contracts and arrangements
with actual or potential referral sources (e.g., physicians) are
reviewed by counsel and comply with all applicable statutes and
regulations, including the anti-kickback statute and the Stark
physician self-referral law; 123
---------------------------------------------------------------------------
\123\ If the DMEPOS supplier questions an arrangement into which
it may enter, it should consider asking the OIG for an Advisory
Opionion regarding the anti-kickback statute of HCFA for an Advisory
Opinion regarding Stark. See 62 FR 7350 (February 19, 1997) and 63
FR 38,311 (July 16, 1998) for instructions on how to submit an
Advisory Opinion to the OIG. These instructions are also located on
the Internet at http://www.dhhs.gov/progorg/oig. See 63 FR 1645
(January 9, 1998) on how to submit an Advisory Opinion to HCFA.
---------------------------------------------------------------------------
The DMEPOS supplier will not submit or cause to be
submitted to health care programs claims for patients who were referred
to the DMEPOS supplier pursuant to contracts or financial arrangements
that were designed to induce such referrals in violation of the anti-
kickback statute or similar Federal or State statute or regulation or
that otherwise violate the Stark physician self-referral law;
[[Page 36380]]
A DMEPOS supplier does not offer a physician or other
referral source more than fair market value for space rented to store
items or supplies (i.e., consignment closet); and
The DMEPOS supplier does not offer or provide gifts, free
services, or other incentives or things of value to patients, relatives
of patients, physicians, home health agencies, nursing homes,
hospitals, contractors, assisted living facilities, or other potential
referral sources for the purpose of inducing referrals in violation of
the anti-kickback statute or similar Federal or State statute or
regulation.124
---------------------------------------------------------------------------
\124\ See 42 U.S.C. 1320a-7a(a)(5), which provides for CMPs for
improper inducements to beneficiaries.
---------------------------------------------------------------------------
Further, the OIG recommends that the written policies and
procedures should specifically reference and take into account the
OIG's safe harbor regulations, which describe those payment practices
that are immune from criminal and administrative prosecution under the
anti-kickback statute.125
---------------------------------------------------------------------------
\125\ See 42 CFR 1001.952. Simply because an arrangement does
not meet a safe harbor does not necessarily mean it is illegal.
---------------------------------------------------------------------------
The OIG believes all DMEPOS suppliers, regardless of size, should
be concerned with potential anti-kickback and Stark violations. As a
result, all DMEPOS suppliers should be knowledgeable about, and
compliant with, the anti-kickback statute, the Stark physician self-
referral law and other relevant Federal and State statutes or
regulations.
Although all DMEPOS suppliers are responsible for ensuring
compliance with these provisions, the OIG recognizes that the small
DMEPOS supplier may not have the resources to implement the suggestions
in this section to the same extent as a large DMEPOS supplier.
Therefore, the smaller DMEPOS supplier may need to employ a slightly
different mechanism to ensure compliance. For example, the small DMEPOS
supplier may want to choose a sample of contracts or financial
arrangements to review on a periodic basis.
5. Marketing
Where marketing is permitted, the DMEPOS supplier's compliance
program should require honest, straightforward, fully informative and
non-deceptive marketing. It is in the best interest of patients, DMEPOS
suppliers, physicians and health care programs that physicians or other
persons authorized to order DMEPOS fully understand the services
offered by the DMEPOS supplier, the items or services that will be
provided when ordered, and the financial consequences for Medicare as
well as other payors for the items or services ordered. The OIG
recommends that if the DMEPOS supplier services a large number of non-
English speaking patients, it should ensure that its marketing
materials are available in those other languages. The DMEPOS supplier's
written policies and procedures should ensure that its marketing
information is clear, correct, and fully informative.
Salespeople must not offer physicians, patients or other potential
referral sources incentives, in cash or in kind, for their
business.126 Similarly, they must not engage in any
marketing activity that either explicitly or implicitly implies that
Medicare beneficiaries are not obligated to pay their coinsurance or
can receive ``free'' services.127 In addition, DMEPOS
suppliers must not promote items or services to patients or physicians
that are not reasonable or necessary for the treatment of the
individual patient. The OIG suggests that the DMEPOS supplier's written
policies and procedures create internal mechanisms to avoid these
situations.
---------------------------------------------------------------------------
\126\ See anti-kickback statute discussion in section II.A.4.
\127\ See discussion in section II.A.3.j.
---------------------------------------------------------------------------
With respect to marketing and sales, the OIG has a longstanding
concern that percentage compensation arrangements for sales and
marketing personnel may increase the risk of such persons violating the
anti-kickback statute.128 The OIG recommends that the DMEPOS
supplier monitor its sales representatives on a regular basis (e.g.,
rotate sales staff or send a sales manager on some sales calls).
---------------------------------------------------------------------------
\128\ See e.g., 42 U.S.C. 1320a-7b(B); OIG Ad. Op. 98-10 (1998);
section II.A.4.
---------------------------------------------------------------------------
The DMEPOS suppliers are prohibited from making unsolicited
telephone contacts to Medicare beneficiaries.129 We suggest
that the DMEPOS supplier's written policies and procedures reflect this
prohibition.
---------------------------------------------------------------------------
\129\ See 42 U.S.C. 1395m(a)(17), Pub.L. 103-432, section
132(a).
---------------------------------------------------------------------------
The DMEPOS suppliers are also prohibited from using symbols,
emblems, or names in reference to Social Security or Medicare in a
manner that they know or should know would convey the false impression
that an item is approved, endorsed, or authorized by the Social
Security Administration, HCFA, or the Department of Health and Human
Services or that the supplier has some connection with, or
authorization from, any of these agencies.130
---------------------------------------------------------------------------
\130\ See 42 U.S.C. 1320b-10.
---------------------------------------------------------------------------
The OIG believes marketing strategies employed by all DMEPOS
suppliers, regardless of size, should be clear, correct, honest,
straightforward, non-deceptive and fully informative. In addition, all
DMEPOS suppliers should inform their sales people of potential anti-
kickback concerns, the telemarketing law, and the prohibition on
inappropriately using references to Social Security and Medicare.
Although the small DMEPOS supplier may not have extensive written
policies and procedures, every DMEPOS supplier should ensure that its
employees are clear on what is permitted and prohibited with regard to
marketing.
6. Retention of Records
The DMEPOS supplier's compliance program should provide for the
implementation of a records system. The DMEPOS supplier should ensure
that records are maintained for the length of time required by Federal
and State law and private payors, or by the DMEPOS supplier's record
retention policies, whichever is longer. This system should establish
policies and procedures regarding the creation, distribution,
retention, storage, retrieval, and destruction of
documents.131 The three types of documents developed under
this system should include: (1) all records and documentation (e.g.,
billing and claims documentation) required either by Federal or State
law and the program requirements of Federal, State, and private health
plans; (2) records listing the persons responsible for implementing
each part of the compliance program; and (3) all records necessary to
protect the integrity of the DMEPOS supplier's compliance process and
confirm the effectiveness of the program.132 The
documentation necessary to satisfy the third requirement includes, but
is not limited to: evidence of adequate employee training; reports from
the DMEPOS supplier's hotline; results of any investigation conducted
as a consequence of a hotline call; modifications to the compliance
program; self-disclosure; all written notifications to physicians and
payors; 133 and the results of the DMEPOS supplier's
auditing and monitoring efforts.
---------------------------------------------------------------------------
\131\ This records system should be tailored to fit the
individual needs and financial resources of the DMEPOS supplier.
\132\The creation and retention of such documents and reports
may raise a variety of legal issues, such as patient privacy and
confidentiality. These issues are best discussed with legal counsel.
\133\ This should include notifications regarding inappropriate
claims and overpayments.
---------------------------------------------------------------------------
All DMEPOS suppliers, regardless of size, must retain documents
required by the health plans in which they
[[Page 36381]]
participate. In case of a future Government investigation, the OIG
recommends that all DMEPOS suppliers retain documents relating to the
implementation of their compliance programs.
7. Compliance as an Element of a Performance Plan
The DMEPOS supplier's compliance program should require that the
promotion of, and adherence to, the elements of the compliance program
be a factor in evaluating the performance of all employees. Employees
should be periodically trained in new compliance policies and
procedures. In addition, all managers and supervisors should:
Discuss with all supervised employees and relevant
contractors the compliance policies and legal requirements applicable
to their function;
Inform all supervised personnel that strict compliance
with these policies and requirements is a condition of employment; and
Disclose to all supervised personnel that the DMEPOS
supplier will take disciplinary action up to and including termination
for violation of these policies or requirements.
In addition to making performance of these duties an element in
evaluations, the compliance officer or DMEPOS supplier management
should include a policy that managers and supervisors will be
sanctioned for failing to instruct adequately their subordinates or for
failing to detect noncompliance with applicable policies and legal
requirements, where reasonable diligence on the part of the manager or
supervisor would have led to the discovery of any problems or
violations.
The OIG believes all DMEPOS suppliers, regardless of size, should
ensure their employees understand the importance of compliance. If the
small DMEPOS supplier does not have a formal performance evaluation
structure, it should informally convey the employee's compliance
responsibilities and the importance of these responsibilities.
B. Designation of a Compliance Officer and a Compliance Committee
1. Compliance Officer
Every DMEPOS supplier should designate a compliance officer to
serve as the focal point for compliance activities. The compliance
officer should be a person of high integrity. This responsibility may
be the individual's sole duty or added to other management
responsibilities, depending upon the size and resources of the DMEPOS
supplier and the complexity of the task. When a compliance officer has
other duties, the other duties should not be in conflict with the
compliance goals.134
---------------------------------------------------------------------------
\134\ E.g., companies should not choose a sales manager who may
be pressured to achieve high sales, which might result in a conflict
with compliance goals.
---------------------------------------------------------------------------
Designating a compliance officer with the appropriate authority is
critical to the success of the program, necessitating the appointment
of a high-level official in the DMEPOS supplier with direct access to
the DMEPOS supplier's owner(s), president or CEO, governing body, all
other senior management, and legal counsel.135 The
compliance officer should be highly enough placed in the company so
that he or she can exercise independent judgment without fear of
reprisal, and so that employees will know that bringing a problem to
that person's attention is not a wasted exercise. The compliance
officer should have sufficient funding and staff to fully perform his
or her responsibilities. Coordination and communication are the key
functions of the compliance officer with regard to planning,
implementing, and monitoring the compliance program.
---------------------------------------------------------------------------
\135\ The OIG believes that it is not advisable for the
compliance function to be subordinate to the DMEPOS supplier's
general counsel, comptroller or similar DMEPOS supplier financial
officer. Free standing compliance functions help to ensure
independent and objective legal reviews and financial analyses of
the institution's compliance efforts and activities. By separating
the compliance function from the key management positions of general
counsel or chief financial officer (where the size and structure of
the DMEPOS supplier make this a feasible option), a system of checks
and balances is established to more effectively achieve the goals of
the compliance program.
---------------------------------------------------------------------------
The compliance officer's primary responsibilities should include:
Overseeing and monitoring the implementation of the
compliance program; 136
---------------------------------------------------------------------------
\136\ For DMEPOS supplier chains, the OIG encourages
coordination with each DMEPOS supplier location through the use of a
headquarter's compliance officer, communicating with parallel
positions in each facility or regional office, as appropriate.
---------------------------------------------------------------------------
Reporting on a regular basis to the DMEPOS supplier's
owner(s), governing body, CEO, president, and compliance committee (if
applicable) on the progress of implementation, and assisting these
components in establishing methods to improve the DMEPOS supplier's
efficiency and quality of services, and to reduce the DMEPOS supplier's
vulnerability to fraud, abuse, and waste;
Periodically revising the program in light of changes in
the organization's needs, and in the statutes, rules, regulations, and
requirements of Federal, State, and private payor health care plans;
Reviewing employees' certifications that they have
received, read, understood, and will abide by the standards of conduct;
Developing, coordinating, and participating in a
multifaceted educational and training program that focuses on the
elements of the compliance program, and seeks to ensure that all
appropriate employees and managers are knowledgeable of, and comply
with, pertinent Federal, State and private payor health care program
requirements;
Ensuring independent contractors and agents who provide
services (e.g., billing companies, delivery services and sources of
referrals, i.e., physicians and others) to the DMEPOS supplier are
aware of the requirements of the DMEPOS supplier's compliance program
with respect to coverage, billing, marketing, and kickbacks, among
other things;
Coordinating personnel issues with the DMEPOS supplier's
Human Resources/Personnel office (or its equivalent). The OIG
recommends that the DMEPOS supplier check the List of Excluded
Individuals/Entities,137 and the General Services
Administration's List of Parties Excluded from Federal Procurement and
Nonprocurement Programs 138 to ensure employees and
independent contractors have not been excluded or debarred from
participating in Federal programs.139 Depending upon State
requirements or DMEPOS supplier policy, the Compliance Officer may also
conduct a criminal background check of employees;
---------------------------------------------------------------------------
\137\ The List of Excluded Individuals/Entities is an OIG-
produced report available on the Internet at http://www.dhhs.gov/
progorg/oig. It is updated on a regular basis to reflect the status
of individuals and entities who have been excluded from
participation in all Federal health care programs (individuals/
entities excluded before August 5, 1997 were only excluded from
participation in Medicare, Medicaid, Title V and Title XX programs).
The DMEPOS supplier can download the List of Excluded Individuals/
Entities and the subsequent monthly exclusion and reinstatement
supplements or can use the online search feature.
\138\ The List of Parties Excluded from Federal Procurment and
Nonprocurement programs is a GSA-produced report available on the
Internet at http://www.arnet.bov/epls.
\139\ The OIG recognizes that a DMEPOS supplier cannot make
medical necessity determinations and may not be aware when a
patient's condition changes. However, a DMEPOS supplier should be
aware that if it submits a claim in which an excluded physician
provided the referral, Medicare will deny payment.
---------------------------------------------------------------------------
Assisting the DMEPOS supplier's financial management in
coordinating internal compliance review and monitoring activities,
including annual or periodic reviews of departments;
[[Page 36382]]
Independently investigating and acting on matters related
to compliance, including the flexibility to design and coordinate
internal investigations (e.g., responding to reports of problems or
suspected violations) and any resulting corrective action (e.g., making
necessary improvements to DMEPOS supplier policies and practices,
taking appropriate disciplinary action, etc.) with all DMEPOS supplier
departments, independent contractors, and health care professionals;
Developing policies and programs that encourage managers
and employees to report suspected fraud and other improprieties without
fear of retaliation; and
Continuing the momentum of the compliance program and the
accomplishment of its objectives long after the initial years of
implementation.140
---------------------------------------------------------------------------
\140\ Periodic on-site visits of DMEPOS supplier operations,
bulletins with compliance updates and reminders, distribution of
audiotapes or videotapes on different risk areas, lectures at
management and employee meetings, circulation of recent health care
articles covering fraud and abuse, and innovative changes to
compliance training are various examples of approaches and
techniques the compliance officer can employ for the purpose of
ensuring continued interest in the compliance program and the DMEPOS
supplier's commitment to its policies and principles.
---------------------------------------------------------------------------
The compliance officer must have the authority to review all
documents and other information that are relevant to compliance
activities, including, but not limited to, patient records (where
appropriate), billing records, and DMEPOS supplier records concerning
the marketing efforts of the DMEPOS supplier and the DMEPOS supplier's
arrangements with other parties, including employees, home health
agencies, skilled nursing facilities, and treating physicians or other
authorized persons. This policy enables the compliance officer to
review contracts and obligations (seeking the advice of legal counsel,
where appropriate) that may contain referral and payment provisions
that could violate the anti-kickback statute, as well as the Stark
physician self-referral prohibition or other statutory or regulatory
requirements.
In addition, the compliance officer should be copied on the results
of all internal audit reports and work closely with key managers to
identify aberrant trends in the coding and billing areas. The
compliance officer should ascertain patterns that require a change in
policy and forward these issues to the compliance committee to remedy
the problem. The compliance officer should have full authority to stop
the processing of claims that he or she believes are problematic until
such time as the issue in question has been resolved.
The OIG believes all DMEPOS suppliers, regardless of size, should
have a compliance officer or contact who possesses a high degree of
integrity, is knowledgeable about the rules, regulations, and policies
under which the DMEPOS supplier operates and has sufficient authority
to exercise independent judgment. A small DMEPOS supplier may not have
the need or the resources to hire/appoint a full time compliance
officer. However, each DMEPOS supplier should have a person in its
organization (this person may have other functional responsibilities)
who can oversee the DMEPOS supplier's compliance with respect to
applicable statutes, rules, regulations, and policies. The structure
and comprehensiveness of the DMEPOS supplier's compliance program will
help determine the responsibilities of each individual compliance
officer.
2. Compliance Committee
The OIG recommends, where feasible, that a compliance committee be
established to advise the compliance officer and assist in the
implementation of the compliance program.141 When assembling
a team of people to serve as the DMEPOS supplier's compliance
committee, the DMEPOS supplier should include individuals with a
variety of skills.142 The OIG strongly recommends that the
compliance officer manage the compliance committee. Once a DMEPOS
supplier chooses the people that will accept the responsibilities
vested in members of the compliance committee, the DMEPOS supplier must
train these individuals on the policies and procedures of the
compliance program, as well as how to discharge their duties.
---------------------------------------------------------------------------
\141\ The compliance committee benefits from having the
perspectives of individuals with varying responsibilities in the
organization, such as operations, billing, coding, marketing, and
human resources, as well as employees and managers of key operating
units. These individuals should have the requisite seniority and
comprehensive experience within their respective departments to
implement any necessary changes to the DMEPOS supplier's policies
and procedures as recommended by the committee. A compliance
committee for a DMEPOS supplier that is part of another organization
(e.g., home health agency) might benefit from the participation of
officials from other departments in the organization, such as the
accounting and billing departments.
\142\ A DMEPOS supplier should expect its compliance committee
members and compliance officer to demonstrate high integrity, good
judgment, assertiveness, and an approachable demeanor, while
eliciting the respect and trust of employees of the DMEPOS supplier.
The DMEPOS supplier's compliance committee members should also have
significant professional experience working with billing,
documentation, and auditing principles.
---------------------------------------------------------------------------
The committee's responsibilities should include:
Analyzing the organization's regulatory environment, the
legal requirements with which it must comply,143 and
specific risk areas;
---------------------------------------------------------------------------
\143\ This includes, but is not limited to, the civil False
Claims Act, 31 U.S.C. 3729-3733; the criminal false claims statutes,
18 U.S.C. 287, 1001; the fraud and abuse provisions of the Balanced
Budget Act of 1997, Pub.L. 105-33; the Health Insurance Portability
and Accountability Act of 1996, Pub.L. 104-191; and compliance with
the Medicare supplier standards, 42 CFR 424.57.
---------------------------------------------------------------------------
Assessing existing policies and procedures that address
these risk areas for possible incorporation into the compliance
program;
Working with appropriate DMEPOS supplier departments to
develop standards of conduct and policies and procedures that promote
allegiance to the DMEPOS supplier's compliance program;
Recommending and monitoring, in conjunction with the
relevant departments, the development of internal systems and controls
to carry out the organization's standards, policies, and procedures as
part of its daily operations; 144
---------------------------------------------------------------------------
\144\ With respect to national DMEPOS supplier chains, this may
include fostering coordination and communication between those
employees responsible for compliance at headquarters and those
responsible for compliance at the individual supplier branches.
---------------------------------------------------------------------------
Determining the appropriate strategy/approach to promote
compliance with the program and detection of any potential violations,
such as through hotlines and other fraud reporting mechanisms;
Developing a system to solicit, evaluate, and respond to
complaints and problems; and
Monitoring internal and external audits and investigations
for the purpose of identifying troublesome issues and deficient areas
experienced by the DMEPOS supplier, and implementing corrective and
preventive action.
The committee may also address other functions as the compliance
concept becomes part of the overall DMEPOS supplier's operating
structure and daily routine.
The compliance committee is an extension of the compliance officer
and provides the organization with increased oversight. The OIG
recognizes that small DMEPOS suppliers may not have the resources or
the need to establish a compliance committee. However, when potential
problems are identified, the OIG recommends that the small DMEPOS
supplier create a
[[Page 36383]]
``taskforce,'' if appropriate, to address the problem. The members of
the taskforce may vary depending upon the issue.
C. Conducting Effective Training and Education
1. Initial Training in Compliance
The proper education and training of corporate officers, managers,
employees and the continual retraining of current personnel at all
levels, are significant elements of an effective compliance program. In
order to ensure the appropriate information is being disseminated to
the correct individuals, the training should be separated into
sessions. All employees should attend the general session on
compliance, and employees whose job primarily focuses on submission of
claims for reimbursement, or who are involved in sales and marketing,
should receive additional training on these particular subjects. In
addition, the OIG recommends that the DMEPOS supplier inform
physicians, independent contractors, and significant agents that it has
implemented a compliance program.
a. General Sessions
The OIG recommends, as part of its compliance program, that the
DMEPOS supplier require all affected personnel to attend training on an
annual basis, including appropriate training in Federal and State
statutes, regulations and guidelines, HCFA manual instructions, DMERC
medical review policies, the policies of private payors, and training
in corporate ethics. The general training session should emphasize the
DMEPOS supplier's commitment to compliance with these legal
requirements and policies.
These training programs should include sessions highlighting the
DMEPOS supplier's compliance program, summarizing fraud and abuse
statutes and regulations, Federal, State and private payor health care
program requirements, claim submission procedures and marketing
practices that reflect current legal and program standards. The DMEPOS
supplier must take steps to communicate effectively its standards and
procedures to all affected employees (e.g., by requiring participation
in training programs and disseminating publications that explain
specific requirements in a practical manner).145 DMEPOS
suppliers may also wish to offer such training sessions to interested
independent contractors and physicians. Managers of specific
departments can assist in identifying areas that require training and
in carrying out such training.146 Training New employees
should be targeted for training early in their
employment.147
---------------------------------------------------------------------------
\145\ OIG publications such as Special Fraud Alerts, audit and
inspection reports, and Advisory Opinions, as well as the annual OIG
Work Plan, are readily available from the OIG and could be the basis
for standards, educational courses and programs.
\146\ Significant variations in functions and responsibilities
of different departments may create the need for training materials
that are tailored to the compliance concerns associated with
particular operations and duties. instructors may come from outside
or inside the organization.
\147\ Certain positions, such as those involving developing and
submitting claims, as well as sales and marketing, create a greater
organizational legal exposure, and therefore require specialized
training. The DMEPOS supplier should fill such positions with
individuals who have the appropriate educational background,
training, experience, and credentials.
---------------------------------------------------------------------------
As part of the initial training, the standards of conduct should be
distributed to all employees.148 At the end of this training
session, every employee should be required to sign and date a statement
that reflects his or her knowledge of and commitment to the standards
of conduct. This attestation should be retained in the employee's
personnel file.
---------------------------------------------------------------------------
\148\ Where the DMEPOS supplier has a culturally diverse
employee base, the standards of conduct should be translated into
other languages and written at appropriate reading levels.
---------------------------------------------------------------------------
Further, to assist in ensuring that employees continuously meet the
expected high standards of conduct, any employee handbook delineating
or expanding upon these standards should be regularly updated as
applicable statutes, regulations and Federal health care program
requirements are modified.149 The DMEPOS supplier should
provide an additional attestation in the modified standards that
stipulates the employee's knowledge of and commitment to the
modifications.
---------------------------------------------------------------------------
\149\ The OIG recognizes that not all standards, policies and
procedures need to be communicated to all employees. However, the
OIG believes that the bulk of the standards that relate to complying
with fraud and abuse laws and other ethical areas should be
addressed and made part of all employees' training. A DMEPOS
supplier should determine the additional training to provide
categories of employees based upon their job responsibilites.
---------------------------------------------------------------------------
b. Claim Development and Billing Training
In addition to specific training in the risk areas identified in
section II.A.2, above, primary training to appropriate corporate
officers, managers and other claim development and billing staff should
include such topics as:
Specific Government and private payor reimbursement
principles; 150
---------------------------------------------------------------------------
\150\ Government, in this context, includes the appropriate
Medicare DMERC(s).
---------------------------------------------------------------------------
Providing and billing DMEPOS items or services without
proper authorization;
Proper documentation of services rendered, including the
correct application of official ICD-9 and HCPCS coding rules and
guidelines;
Improper alterations to documentation (e.g., patient
records, CMNs);
Compliance with the Federal, State and private payor
supplier standards; and
Duty to report misconduct.
Clarifying and emphasizing these areas of concern through training
and educational programs are particularly relevant to a DMEPOS
supplier's billing and coding personnel, in that the pressure to meet
business goals may render employees vulnerable to engaging in
prohibited practices.
c. Sales and Marketing Training
In addition to specific training in the risk areas identified in
section II.A.2, above, primary training to sales and marketing
personnel should include such topics as:
General prohibition on paying or receiving renumeration to
induce referrals;
Routine waiver of deductibles and/or coinsurance;
Disguising referral fees as salaries;
Offering free items or services to induce referrals;
High pressure marketing of noncovered or unnecessary
services;
Improper patient solicitation; and
Duty to report misconduct.
Clarifying and emphasizing these areas of concern through training
and educational programs are particularly relevant to a DMEPOS
supplier's sales and marketing personnel, in that the pressure to meet
business goals may render employees vulnerable to engaging in
prohibited practices.
The OIG believes all DMEPOS suppliers, regardless of size, should
ensure that their employees are well trained and are abiding by the
applicable statutes, regulations, and policies. Each employee should
know the procedures or who to consult when confronted with a particular
situation.
2. Format of the Training Program
The OIG suggests that all relevant levels of personnel be made part
of various educational and training programs of the DMEPOS
supplier.151
[[Page 36384]]
Employees should be required to have a minimum number of educational
hours per year, as appropriate, as part of their employment
obligations.152 For example, as discussed above, employees
involved in billing functions should be required to attend periodic
training in applicable reimbursement coverage and documentation of
records.153
---------------------------------------------------------------------------
\151\ In addition, where feasible, the OIG recommends that a
DMEPOS supplier afford outside contractors and its physician clients
the opportunity to participate in the DMEPOS supplier's compliance
training and educational programs, or develop their own programs
that complement the DMEPOS supplier's standards of conduct,
compliance requirements and other rules and practices.
\152\ Currently, the OIG is monitoring a significant number of
corporate integrity agreements that require many of these training
elements. The OIG usually requires a minimum of one to three hours
annually for basic training in compliance areas. Additional training
is required for specially fields such as billing, coding, sales and
marketing.
\153\ Appropriate coding and billing depends upon the quality
and completeness of documentation. Therefore, the OIG believes that
the DMEPOS supplier must foster an environment where interactive
communication is encouraged.
---------------------------------------------------------------------------
A variety of teaching methods, such as interactive training and
training in several different languages, particularly where a DMEPOS
supplier has a culturally diverse staff, should be implemented so that
all affected employees are knowledgeable about the DMEPOS supplier's
standards of conduct and procedures for alerting senior management to
problems and concerns.154 Targeted training should be
provided to corporate officers, managers and other employees whose
actions affect the accuracy of the claims submitted to the Government,
such as employees involved in the coding, billing, sales, and marketing
processes. All training materials should be designed to take into
account the skills, knowledge and experience of the individual
trainees. Given the complexity and interdependent relationships of many
departments, it is important for the compliance officer to supervise
and coordinate the training program.
---------------------------------------------------------------------------
\154\ Post training tests can be used to assess the success of
training provided and employee comprehension of the DMEPOS
supplier's policies and procedures.
---------------------------------------------------------------------------
The OIG recommends that attendance and participation in training
programs be made a condition of continued employment and that failure
to comply with training requirements should result in disciplinary
action, including possible termination, when such failure is serious.
Adherence to the provisions of the compliance program, such as training
requirements, should be a factor in the annual evaluation of each
employee. The DMEPOS supplier should retain adequate records of its
training of employees, including attendance logs and material
distributed at training sessions.
The OIG recognizes the format of the training program will vary
depending upon the resources of the DMEPOS supplier. For example, a
small DMEPOS supplier may want to create a video for each type of
training session so new employees can receive training in a timely
manner.
3. Continuing Education on Compliance Issues
It is essential that compliance issues remain at the forefront of
the DMEPOS supplier's priorities. The OIG recommends that the DMEPOS
supplier's compliance program address the need for periodic
professional education courses for DMEPOS supplier personnel. In
particular, the DMEPOS supplier should ensure that coding personnel
receive annual professional training on the updated codes for the
current year and have knowledge of the SADMERC's HCPCS coding helpline.
155
---------------------------------------------------------------------------
\155\ See note 96.
---------------------------------------------------------------------------
In order to maintain a sense of seriousness about compliance in a
DMEPOS supplier's operations, the DMEPOS supplier must continue to
disseminate the compliance message. One effective mechanism for
maintaining a consistent presence of the compliance message is to
publish a monthly newsletter to address compliance concerns. This would
allow the DMEPOS supplier to address specific examples of problems the
company encountered during its ongoing audits and risk analyses, while
reinforcing the DMEPOS supplier's firm commitment to the general
principles of compliance and ethical conduct. The newsletter could also
include the risk areas published by the OIG in its Special Fraud
Alerts. Finally, the DMEPOS supplier could use the newsletter as a
mechanism to address areas of ambiguity in the coding and billing
process and/or its sales and marketing practices. The DMEPOS supplier
should maintain its newsletters in a central location to document the
guidance offered, and provide new employees with access to guidance
previously provided.
The OIG believes it is important that all DMEPOS suppliers,
regardless of size, maintain knowledgeable employees. The OIG
recognizes that regularly sending employees to continuing education
classes or publishing newsletters may not be feasible for small DMEPOS
suppliers. Small DMEPOS suppliers may have their employees meet on a
regular basis to discuss information in the DMERC's Medicare bulletin
(e.g., coding changes, procedural changes, policy changes, etc.). Such
regularly held meetings will help demonstrate the DMEPOS supplier's
commitment to compliance.
D. Developing Effective Lines of Communication
1. Access to the Compliance Officer
An open line of communication between the compliance officer and
DMEPOS supplier employees is equally important to the successful
implementation of a compliance program and the reduction of any
potential for fraud, abuse, and waste. Written confidentiality and non-
retaliation policies should be developed and distributed to all
employees to encourage communication and the reporting of incidents of
potential fraud. 156 The compliance committee should also
develop several independent reporting paths for an employee to report
fraud, waste, or abuse so that such reports cannot be diverted by
supervisors or other personnel.
---------------------------------------------------------------------------
\156\ The OIG believes that whistleblowers should be protected
against retaliation, a concept embodied in the provisions of the
False Claims Act. See 31 U.S.C. 3730(h). In many cases, employees
sue their employers under the False Claims Act's qui tam provisions
out of frustration because of the company's failure to take action
when a questionable, fraudulent, or abusive situation was brought to
the attention of senior corporate officials.
---------------------------------------------------------------------------
The OIG encourages the establishment of a procedure for personnel
to seek clarification from the compliance officer or members of the
compliance committee in the event of any confusion or question
regarding a DMEPOS supplier policy, practice or procedure. Questions
and responses should be documented and dated and, if appropriate,
shared with other staff so that standards, policies, practices, and
procedures can be updated and improved to reflect any necessary changes
or clarifications. The compliance officer may want to solicit employee
input in developing these communication and reporting systems.
2. Hotlines and Other Forms of Communication
The OIG encourages the use of hotlines,157 e-mails,
written memoranda, newsletters, suggestion boxes, and other forms of
information exchange to maintain these open lines of
communication.158 If the DMEPOS
[[Page 36385]]
supplier establishes a hotline, the telephone number should be made
readily available to all employees and independent contractors,
possibly by circulating the number on wallet cards or conspicuously
posting the telephone number in common work areas.159
Employees should be permitted to report matters on an anonymous basis.
Matters reported through the hotline or other communication sources
that suggest substantial violations of compliance policies, Federal,
State or private payor health care program requirements, regulations,
or statutes should be documented and investigated promptly to determine
their veracity. A log should be maintained by the compliance officer
that records such calls, including the nature of any investigation and
its results.160 Such information should be included in
reports to the owner(s), governing body, CEO, president, and compliance
committee.161 Further, while the DMEPOS supplier should
always strive to maintain the confidentiality of an employee's
identity, it should also explicitly communicate that there may be a
point where the individual's identity may become known or may have to
be revealed.
---------------------------------------------------------------------------
\157\ The OIG recognizes that it may not be financially feasible
for a small DMEPOS supplier to maintain a telephone hotline
dedicated to receiving calls solely on compliance issues. These
companies may want to explore alternative methods, e.g., outsourcing
the hotline or establishing a written method of confidential
disclosure.
\158\ In addition to methods of communication used by current
employees, an effective employee exit interview program could be
designed to solicit information from departing employees regarding
potential misconduct and suspected violations of DMEPOS supplier
policies and procedures.
\159\ DMEPOS suppliers should also post in a prominent,
available area the HHS-OIG Hotline telephone number, 1-800-447-8477
(1-800-HHS-TIPS), in addition to any company hotline number that may
be posted.
\160\ To efficiently and accurately fulfill such an obligation,
a DMEPOS supplier should create an intake form for all compliance
issues identified through reporting mechanisms. The form could
include information concerning the date that the potential problem
was reported, the internal investigative methods utilized, the
results of the investigation, any corrective action implemented, any
disciplinary measures imposed, and any overpayments returned.
\161\ Information obtained over the hotline may provide valuable
insight into management practices and operations, whether reported
problems are actual or perceived.
---------------------------------------------------------------------------
The OIG recognizes that assertions of fraud and abuse by employees
who may have participated in illegal conduct or committed other
malfeasance raise numerous complex legal and management issues that
should be examined on a case-by-case basis. The compliance officer
should work closely with legal counsel, who can provide guidance
regarding such issues.
The OIG recognizes that protecting anonymity may be infeasible for
small DMEPOS suppliers. However, the OIG believes all DMEPOS supplier
employees, when seeking answers to questions or reporting potential
instances of fraud and abuse, should know who to consult and should be
able to do so without fear of retribution.
E. Auditing and Monitoring
An ongoing evaluation process is critical to a successful
compliance program. The OIG believes that an effective program should
incorporate thorough monitoring of its implementation and regular
reporting to the DMEPOS supplier's corporate officers.162
Compliance reports created by this ongoing monitoring, including
reports of suspected noncompliance, should be maintained by the
compliance officer and shared with the DMEPOS supplier's corporate
officers and the compliance committee. The extent and frequency of the
audit function may vary depending on factors such as the size of the
DMEPOS supplier, the resources available to the DMEPOS supplier, the
DMEPOS supplier's prior history of noncompliance, and the risk factors
that are prevalent in a particular DMEPOS supplier.
---------------------------------------------------------------------------
\162\ Even when a DMEPOS supplier is owned by a larger corporate
entity, the regular auditing and monitoring of the compliance
activities of an individual DMEPOS supplier location must be a key
feature in any annual review. Appropriate reports on audit findings
should be periodically provided and explained to a parent
organization's senior staff and officers.
---------------------------------------------------------------------------
Although many monitoring techniques are available, one effective
tool to promote and ensure compliance is the performance of regular,
periodic compliance audits by internal or external auditors who have
expertise in Federal and State health care statutes, rules,
regulations, and Federal, State and private payor health care program
requirements. The audits should focus on the different departments
within the DMEPOS supplier, including external relationships with
third-party contractors. At a minimum, these audits should be designed
to address the DMEPOS supplier's compliance with laws governing
kickback arrangements, the physician self-referral prohibition,
pricing, contracts, claim development and submission, reimbursement,
sales and marketing. In addition, the audits and reviews should examine
the DMEPOS supplier's compliance with the Federal, State and private
payor supplier standards and the specific rules and policies that have
been the focus of particular attention on the part of the Medicare
DMERCs, and law enforcement, as evidenced by educational and other
communications from OIG Special Fraud Alerts, Advisory Opinions, OIG
audits and evaluations, and law enforcement's
initiatives.163 In addition, the DMEPOS supplier should
focus on any areas of specific concern identified within that DMEPOS
supplier and those that may have been identified by any entity, whether
Federal, State, private or internal.
---------------------------------------------------------------------------
\163\ See also section II.A.2.
---------------------------------------------------------------------------
Monitoring techniques may include sampling protocols that permit
the compliance officer to identify and review variations from an
established baseline.164 Significant variations from the
baseline should trigger a reasonable inquiry to determine the cause of
the deviation. If the inquiry determines that the deviation occurred
for legitimate, explainable reasons, the compliance officer and DMEPOS
supplier management may want to limit any corrective action or take no
action. If it is determined that the deviation was caused by improper
procedures, misunderstanding of rules, including fraud and systemic
problems, the DMEPOS supplier should take prompt steps to correct the
problem.165 Any overpayments discovered as a result of such
deviations should be returned promptly to the affected payor. The OIG
recommends sending the payor the following information with the
overpayment: (1) that the refund is being made pursuant to a voluntary
compliance program; (2) a description of the complete causes and
circumstances surrounding the overpayment; (3) the methodology by which
the overpayment was determined; (4) the amount of the overpayment; and
(5) any claim-specific information, reviewed as part of the self-audit,
used to determine the overpayment (e.g., beneficiary health insurance
claims number, claim number, date of service, and payment date).
Inclusion of such information with the overpayment will aid the payor
in making the adjustment and may prevent it from requesting additional
information.
---------------------------------------------------------------------------
\164\ The OIG recommends that when a compliance program is
established in a DMEPOS supplier, the compliance officer, with the
assistance of department managers, should take a ``snapshot'' of
operations from a compliance perspective. This assessment can be
undertaken by outside consultants, law or accounting firms, or
internal staff, with authoritative knowledge of health care
compliance requirements. This ``snapshot,'' often used as part of
benchmarking analyses, becomes a baseline for the compliance officer
and other managers to judge the DMEPOS supplier's progress in
reducing or eliminating potential areas of vulnerability.
\165\ In addition, when appropriate, as referenced in section
II.G.2, below, reports of fraud or systemic problems should also be
made to the appropriate governmental authority.
---------------------------------------------------------------------------
An effective compliance program should also incorporate periodic
(at least annual) reviews of whether the
[[Page 36386]]
program's compliance elements have been satisfied, e.g., whether there
has been appropriate dissemination of the program's standards,
training, ongoing educational programs, and disciplinary actions, among
other elements.166 This process will verify actual
conformance by all departments with the compliance program and may
identify the necessity for improvements to be made to the compliance
program, as well as the DMEPOS supplier's operations. Such reviews
could support a determination that appropriate records have been
created and maintained to document the implementation of an effective
program.167 However, when monitoring discloses that
deviations were not detected in a timely manner due to program
deficiencies, appropriate modifications must be implemented. Such
evaluations, when developed with the support of management, can help
ensure compliance with the DMEPOS supplier's policies and procedures.
---------------------------------------------------------------------------
\166\ One way to assess the knowledge, awareness, and
perceptions of a DMEPOS supplier's employees is through the use of a
validated survey instrument (e.g., employee questionnaires,
interviews, or focus groups).
\167\ Such records should include, but not be limited to, logs
of hotline calls, logs of training attendees, training agenda and
materials, and summaries of corrective action and improvements with
respect to DMEPOS supplier policies as a result of compliance
activities.
---------------------------------------------------------------------------
As part of the review process, the compliance officer or reviewers
should consider techniques such as:
Testing billing staff on their knowledge of reimbursement
coverage criteria and official coding guidelines (e.g., present
hypothetical scenarios of situations experienced in daily practice and
assess responses);
On-site visits to all facilities and locations;
Ongoing risk analysis and vulnerability assessments of the
DMEPOS supplier's operations;
Assessment of existing relationships with physicians, and
other potential referral sources;
Unannounced audits, mock surveys, and investigations;
Examination of the DMEPOS supplier's complaint logs;
Checking personnel records to determine whether any
individuals who have been reprimanded for compliance issues in the past
are among those currently engaged in improper conduct;
Interviews with personnel involved in management,
operations, sales and marketing, claim development and submission, and
other related activities;
Questionnaires developed to solicit impressions of the
DMEPOS supplier's employees;
Interviews with physicians or other authorized persons who
order services provided by the DMEPOS supplier;
Interviews with independent contractors who provide
services to the DMEPOS supplier;
Reviews of medical necessity documentation (e.g.,
physicians orders, CMNs), and other documents that support claims for
reimbursement;
Validation of qualifications of physicians or other
authorized persons who order services provided by the DMEPOS supplier;
Evaluation of written materials and documentation
outlining the DMEPOS supplier's policies and procedures; and
Utilization/trend analyses that uncover deviations,
positive or negative, for specific HCPCS codes or types of items over a
given period.
The reviewers should:
Possess the qualifications and experience necessary to
adequately identify potential issues with the subject matter to be
reviewed;
Be objective and independent of line management;\168\
---------------------------------------------------------------------------
\168\ The OIG recognizes that DMEPOS suppliers that are small in
size and have limited resources may not be able to use internal
reviewers who are not part of line management or hire outside
reviewers.
---------------------------------------------------------------------------
Have access to existing audit and health care resources,
relevant personnel, and all relevant areas of operation;
Present written evaluative reports on compliance
activities to the owner(s), president, CEO, governing body, and members
of the compliance committee on a regular basis, but not less than
annually; and
Specifically identify areas where corrective actions are
needed.
We recommend that these audit reports be prepared and submitted to
the compliance officer and senior management to ensure they are aware
of the results. We suggest the reports specifically identify areas
where corrective actions are needed. With these reports, DMEPOS
supplier management can take whatever steps are necessary to correct
past problems and prevent them from recurring. In certain cases,
subsequent reviews or studies would be advisable to ensure that the
recommended corrective actions have been implemented successfully.
A DMEPOS supplier should document its efforts to comply with
applicable Federal and State statutes, rules, and regulations, and
Federal, State and private payor health care program requirements. For
example, where a DMEPOS supplier, in its efforts to comply with a
particular statute, regulation or program requirement, requests advice
from a Government agency (including a Medicare DMERC) charged with
administering a Federal health care program, the DMEPOS supplier should
document and retain a record of the request and any written or oral
response, including the identity and position of the individual
providing the response. The DMEPOS suppliers should take the same steps
when requesting advice from private payors. This step is extremely
important if the DMEPOS supplier intends to rely on that response to
guide it in future decisions, actions, or claim reimbursement requests
or appeals. A log of oral inquiries between the DMEPOS supplier and
third parties will help the organization document its attempts at
compliance. In addition, the DMEPOS supplier should maintain records
relevant to the issue of whether its reliance was ``reasonable'' and
whether it exercised due diligence in developing procedures and
practices to implement the advice.
The OIG recommends that all DMEPOS suppliers, regardless of size,
conduct audits to ensure compliance with the applicable statutes,
regulations and policies. The OIG recognizes that the small DMEPOS
supplier may not have the resources to audit its operations to the
extent suggested previously in this section. At a minimum, the OIG
recommends that the small DMEPOS supplier conduct an internal audit.
The DMEPOS supplier may choose to review a random sample of claims
based on the risk areas it identified. We recommend that the DMEPOS
supplier conduct an initial baseline audit and periodically conduct
follow-up audits. If problems were identified in the baseline audit,
the DMEPOS supplier may want to re-audit the same issue, at a later
date, in order to measure the effectiveness of any corrective action(s)
implemented as a result of the DMEPOS supplier's compliance program.
The DMEPOS supplier should document the results of all audits it
conducts. The DMEPOS supplier may want to use the OIG's Audit Process
handbook to help design the audit.\169\
---------------------------------------------------------------------------
\169\ The Audit Process handbook can be downloaded from the OIG
Office of Audit Services' webpage at http://www.hhs.gov/progorg/oas.
---------------------------------------------------------------------------
The extent of a DMEPOS supplier's audit should depend on the DMEPOS
supplier's identified risk areas and resources. If the DMEPOS supplier
comes under Government scrutiny in the future, the Government will
assess whether or not the DMEPOS supplier developed a comprehensive
audit based upon identified risk areas and resources.
[[Page 36387]]
If the Government determines that the DMEPOS supplier failed to develop
an adequate audit program, given its resources, the Government will be
less likely to afford the DMEPOS supplier favorable treatment under its
various enforcement authorities.
F. Enforcing Standards Through Well-Publicized Disciplinary Guidelines
1. Discipline Policy and Actions
An effective compliance program should include guidance regarding
disciplinary action for corporate officers, managers, independent
agents and other DMEPOS supplier employees who have failed to comply
with the DMEPOS supplier's standards of conduct, policies and
procedures, Federal and State statutes, rules, and regulations or
Federal, State or private payor health care program requirements. It
should also address disciplinary actions for those who have engaged in
wrongdoing, which has the potential to impair the DMEPOS supplier's
status as a reliable, honest, and trustworthy health care provider.
The OIG believes that the compliance program should include a
written policy statement setting forth the degrees of disciplinary
actions that may be imposed upon corporate officers, managers,
independent agents and other DMEPOS supplier employees for failing to
comply with the DMEPOS supplier's standards, policies, and applicable
statutes and regulations. Intentional or reckless noncompliance should
subject transgressors to significant sanctions. Such sanctions could
include oral warnings, suspension, termination, or other sanctions, as
appropriate. Each situation must be considered on a case-by-case basis
to determine the appropriate sanction. The written standards of conduct
should elaborate on the procedures for handling disciplinary problems
and specify those who will be responsible for taking appropriate
action. Some disciplinary actions can be handled by managers, while
others may have to be resolved by the owner(s), president or CEO.
Disciplinary action may be appropriate where a responsible employee's
failure to detect a violation is attributable to his or her negligence
or reckless conduct. Personnel should be advised by the DMEPOS supplier
that disciplinary action will be taken on a fair and equitable basis.
Managers and supervisors should be made aware that they have a
responsibility to discipline employees in an appropriate and consistent
manner.
It is vital to publish and disseminate the range of disciplinary
standards for improper conduct and to educate corporate officers,
managers, and other DMEPOS supplier employees regarding these
standards. The consequences of noncompliance should be consistently
applied and enforced, in order for the disciplinary policy to have the
required deterrent effect. All levels of employees should be subject to
the same types of disciplinary action for the commission of similar
offenses. The commitment to compliance applies to all personnel levels
within a DMEPOS supplier. The OIG believes that corporate officers,
managers, and supervisors should be held accountable for failing to
comply with, or for the foreseeable failure of their subordinates to
adhere to, the applicable standards, statutes, rules, regulations and
procedures.
The OIG believes all DMEPOS suppliers, regardless of size, should
consistently apply the consequences of non-compliance. The OIG
recognizes that small DMEPOS suppliers may not have a written document
detailing the disciplinary actions for non-compliance. However, all
employees should be clearly informed of such consequences.
2. New Employee Policy
For all new employees who have discretionary authority to make
decisions that may involve compliance with the law or compliance
oversight, DMEPOS suppliers should conduct a reasonable and prudent
background investigation, including a reference check,170 as
part of every such employment application. The application should
specifically require the applicant to disclose any criminal conviction,
as defined by 42 U.S.C. 1320a-7(i), or exclusion action. Pursuant to
the compliance program, the DMEPOS supplier's policies should prohibit
the employment of individuals who have been recently convicted of a
criminal offense related to health care or who are listed as debarred,
excluded, or otherwise ineligible for participation in Federal health
care programs (as defined in 42 U.S.C. 1320a-7b(f)).171 In
addition, pending the resolution of any criminal charges or proposed
debarment or exclusion, the OIG recommends that such employees should
be removed from direct responsibility for, or involvement with, the
DMEPOS supplier's business operations related to any Federal health
care program. In addition, we recommend that the DMEPOS supplier remove
such employee from any position(s) for which the employee's salary or
the items or services rendered by the employee are paid in whole or
part, directly or indirectly, by Federal health care programs or
otherwise with Federal funds.172 If resolution of the matter
results in conviction, debarment, or exclusion, then the DMEPOS
supplier should remove the individual from direct responsibility for or
involvement with all Federal health care programs. Similarly, if an
independent contractor or a referring physician or other authorized
person is debarred or excluded from participation in Federal health
care programs, and the DMEPOS supplier is aware of it, the DMEPOS
supplier should not involve that individual/entity in the Federal
health care portion of its business.
---------------------------------------------------------------------------
\170\ See notes 137 and 138. Since the employees of DMEPOS
suppliers have access to potentially vulnerable people and their
property, DMEPOS suppliers should also strictly scrutinize whether
they should employ individuals who have been convicted of crimes of
neglect, violence or financial misconduct.
\171\ Likewise, DMEPOS supplier compliance programs should
establish standards prohibiting the execution of contracts with
companies that have been recently convicted of a criminal offense
related to health care or that are listed by a Federal agency as
debarred, excluded, or otherwise ineligible for participation in
Federal health care programs. See notes 137 and 138.
\172\ Prospective employees who have been officially reinstated
into the Medicare and Medicaid programs by the OIG may be considered
for employment upon proof of such reinstatement.
---------------------------------------------------------------------------
The OIG believes all DMEPOS suppliers, regardless of size, should
ensure that they do not employ or contract with anyone who has been
debarred, excluded or is otherwise ineligible to participate in Federal
health care programs.
G. Responding to Detected Offenses and Developing Corrective Action
Initiatives
1. Violations and Investigations
Violations of a DMEPOS supplier's compliance program, failures to
comply with applicable Federal or State statutes, rules, regulations or
Federal, State or private payor health care program requirements, and
other types of misconduct threaten a DMEPOS supplier's status as a
reliable, honest and trustworthy health care provider. Detected but
uncorrected misconduct can seriously endanger the mission, reputation,
and legal status of the DMEPOS supplier. Consequently, upon reports or
reasonable indications of suspected noncompliance, it is important that
the compliance officer or other management officials immediately
investigate the conduct in question to determine whether a material
violation of applicable law, rules or program instructions or the
requirements of the compliance program has occurred, and if so, take
decisive steps to correct the
[[Page 36388]]
problem.173 As appropriate, such steps may include an
immediate referral to criminal and/or civil law enforcement
authorities, a corrective action plan,174 a report to the
Government,175 and the return of any overpayments, if
applicable.
---------------------------------------------------------------------------
\173\ Instances of non-compliance must be determined on a case-
by-case basis. The existence, or amount, of a monetary loss to a
health care program is not solely determinative of whether or not
the conduct should be investigated and reported to governmental
authorities. In fact, there may be instances where there is no
readily identifiable monetary loss at all, but corrective action and
reporting are still necessary to protect the integrity of the
applicable program and its beneficiaries.
\174\ Advice from the DMEPOS supplier's in-house counsel or an
outside law firm may be sought to determine the extent of the DMEPOS
supplier's liability and to plan the appropriate course of action.
\175\ The OIG currently maintains a provider self-disclosure
protocol that encourages providers to report suspected fraud. The
concept of voluntary self-disclosure is premised on a recognition
that the Government alone cannot protect the integrity of the
Medicare and other Federal health care programs. Health care
providers must be willing to police themselves, correct underlying
problems, and work with the Government to resolve these matters. The
self-disclosure protocol is located on the OIG's web site at http://
www.dhhs.gov/progorg/oig.
---------------------------------------------------------------------------
Where potential fraud or False Claims Act liability is not
involved, the OIG recommends that the DMEPOS supplier promptly return
any overpayments to the affected payor as they are discovered. However,
even if the overpayment detection and return process is working and is
being monitored by the DMEPOS supplier, the OIG still believes that the
compliance officer needs to be made aware of these overpayments,
violations, or deviations that may reveal trends or patterns indicative
of a systemic problem.
Depending upon the nature of the alleged violations, an internal
investigation will probably include interviews and a review of relevant
documents, such as submitted claims and CMNs. The DMEPOS supplier
should consider engaging outside auditors or health care experts to
assist in an investigation. Records of the investigation should contain
documentation of the alleged violation, a description of the
investigative process (including the objectivity of the investigators
and methodologies utilized), copies of interview notes and key
documents, a log of the witnesses interviewed, the documents reviewed,
and the results of the investigation (e.g., any disciplinary action
taken and any corrective action implemented). Although any action taken
as the result of an investigation will necessarily vary depending upon
the DMEPOS supplier and the situation, DMEPOS suppliers should strive
for some consistency by utilizing sound practices and disciplinary
protocols.176 Further, after a reasonable period, the
compliance officer should review the circumstances that formed the
basis for the investigation to determine whether similar problems have
been uncovered or modifications of the compliance program are necessary
to prevent and detect other inappropriate conduct or violations.
---------------------------------------------------------------------------
\176\ The parameters of a claim review subject to an internal
investigation will depend on the circumstances surrounding the
issue(s) identified. By limiting the scope of an internal audit to
current billing, a DMEPOS supplier may fail to identify major
problems and deficiencies in operations, as well as be subject to
certain liability.
---------------------------------------------------------------------------
If an investigation of an alleged violation is undertaken and the
compliance officer believes the integrity of the investigation may be
at stake because of the presence of employees under investigation,
those subjects should be removed from their current work activity until
the investigation is completed (unless an internal or Government-led
undercover operation known to the DMEPOS supplier is in effect). In
addition, the compliance officer should take appropriate steps to
secure or prevent the destruction of documents or other evidence
relevant to the investigation. If the DMEPOS supplier determines
disciplinary action is warranted, it should be prompt and imposed in
accordance with the DMEPOS supplier's written standards of disciplinary
action.
The OIG believes all DMEPOS suppliers, regardless of size, should
ensure that they are responsive to investigating allegations of
potential misconduct.
2. Reporting
If the compliance officer, compliance committee or other management
official discovers credible evidence of misconduct from any source and,
after a reasonable inquiry, has reason to believe that the misconduct
may violate criminal, civil, or administrative law, then the DMEPOS
supplier should promptly report the existence of misconduct to the
appropriate Federal and State authorities 177 within a
reasonable period, but not more than 60 days 178 after
determining that there is credible evidence of a
violation.179 Prompt reporting will demonstrate the DMEPOS
supplier's good faith and willingness to work with governmental
authorities to correct and remedy the problem. In addition, reporting
such conduct will be considered a mitigating factor by the OIG in
determining administrative sanctions (e.g., penalties, assessments, and
exclusion), if the reporting provider becomes the target of an OIG
investigation.180
---------------------------------------------------------------------------
\177\ Appropriate Federal and State authorities include the
Office of Inspector General, Department of Health and Human
Services; the Criminal and Civil Divisions of the Department of
Justice; the U.S. Attorney in the relevant district(s); and the
other investigative arms for the agencies administering the affected
Federal or State health care programs, such as: the State Medicaid
Fraud Control Unit; the Defense Criminal Investigative Service; the
Department of Veterans Affairs; the Office of Inspector General,
U.S. Department of Labor (which has primary criminal jurisdiction
over FECA, Black Lung and Longshore programs); and the Office of
Inspector General, U.S. Office of Personnel Management (which has
primary jurisdiction over the Federal Employee Health Benefits
Program).
\178\ In contrast, to qualify for the ``not less than double
damages'' provision of the False Claims Act, the report must be
provided to the Government within thirty (30) days after the date
when the DMEPOS supplier first obtained the information. See 31
U.S.C. 3729(a).
\179\ The OIG believes that some violations may be so serious
that they warrant immediate notification to governmental
authorities, prior to, or simultaneous with, commencing an internal
investigation, e.g., if the conduct: (1) is a clear violation of
criminal law; (2) has a significant adverse effect on the quality of
care provided to program beneficiaries (in addition to any other
legal obligations regarding quality of care); or (3) indicates
evidence of a systemic failure to comply with applicable laws, rules
or program instructions or an existing corporate integrity
agreement, regardless of the financial impact on Federal health care
programs.
\180\ The OIG has published criteria setting forth those factors
that the OIG takes into consideration in determining whether it is
appropriate to exclude a health care provider from program
participation pursuant to 42 U.S.C. 1320a-7(b)(7) for violations of
various fraud and abuse laws. See 62 FR 67392 (December 24, 1997).
---------------------------------------------------------------------------
When reporting misconduct to the Government, a DMEPOS supplier
should provide all evidence relevant to the alleged violation of
applicable Federal or State law(s) and potential cost impact. The
compliance officer, with advice of counsel, and with guidance from the
governmental authorities, could be requested to continue to investigate
the reported violation. Once the investigation is completed, the
compliance officer should be required to notify the appropriate
governmental authority of the outcome of the investigation, including a
description of the impact of the alleged violation on the operation of
the applicable health care programs or their beneficiaries. If the
investigation ultimately reveals that criminal, civil, or
administrative violations have occurred, the appropriate Federal and
State authorities 181 should be notified immediately.
---------------------------------------------------------------------------
\181\ See note 177.
---------------------------------------------------------------------------
The OIG believes all DMEPOS suppliers, regardless of size, should
ensure that they are reporting the results of any overpayments or
violations to the appropriate entity.
[[Page 36389]]
3. Corrective Actions
As previously stated, the DMEPOS supplier should take appropriate
corrective action, including prompt identification of any overpayment
to the affected payor and the imposition of proper disciplinary action.
If potential fraud or violations of the False Claims Act are involved,
any repayment of the overpayment should be made as part of the
discussion with the Government following a report of the matter to law
enforcement authorities. Otherwise, the overpayment should be promptly
refunded to the affected payor. The OIG recommends that the overpayment
refund include the information as outlined in section II.E. Failure to
disclose overpayments within a reasonable period of time could be
interpreted as an intentional or knowing attempt to conceal the
overpayment from the Government, thereby establishing an independent
basis for a criminal or civil violation with respect to the DMEPOS
supplier, as well as any individuals who may have been involved. For
this reason, DMEPOS supplier compliance programs should emphasize that
overpayments obtained from Medicare or other Federal health care
programs should be promptly disclosed and returned to the payor that
made the erroneous payment.
The OIG believes all DMEPOS suppliers, regardless of size, should
take appropriate corrective action to remedy the identified deficiency.
III. Conclusion
Through this document, the OIG has attempted to provide a
foundation to the process necessary to develop an effective and cost-
efficient DMEPOS supplier compliance program. As previously stated,
however, each program must be tailored to fit the needs and resources
of an individual DMEPOS supplier, depending upon its size; number of
locations; type of equipment provided; or corporate structure. The
Federal and State health care statutes, rules, and regulations and
Federal, State and private payor health care program requirements,
should be integrated into every DMEPOS supplier's compliance program.
The OIG recognizes that the health care industry in this country,
which reaches millions of beneficiaries and expends about a trillion
dollars annually, is constantly evolving. In particular, legislation
has been passed that creates additional Medicare program participation
requirements, such as requiring DMEPOS suppliers to purchase surety
bonds and expanding the Medicare supplier standards.182 As
stated throughout this guidance, compliance is a dynamic process that
helps to ensure that DMEPOS suppliers and other health care providers
are better able to fulfill their commitment to ethical behavior, as
well as meet the changes and challenges being imposed upon them by
Congress and private insurers. Ultimately, it is OIG's hope that a
voluntarily created compliance program will enable DMEPOS suppliers to
meet their goals, improve the quality of service to patients, and
substantially reduce fraud, waste, and abuse, as well as the cost of
health care, to Federal State and private health insurers.
\182\ See 63 FR 2926 (January 20, 1998).
---------------------------------------------------------------------------
Dated: June 29, 1999.
June Gibbs Brown,
Inspector General.
[FR Doc. 99-16945 Filed 7-2-99; 8:45 am]
BILLING CODE 4150-04-P
