The Essential Elements of an Effective Healthcare Compliance Program

Every healthcare provider—from solo practitioners to large health systems—faces a complex web of federal and state regulations. Whether it's Medicare billing rules, the Stark Law, the Anti-Kickback Statute, HIPAA privacy requirements, or state licensing regulations, the regulatory landscape is vast and constantly evolving. An effective compliance program isn't just a defensive measure against government enforcement—it's a strategic tool that protects your organization, improves operations, and demonstrates your commitment to quality care.

The Office of Inspector General (OIG) has long advocated for healthcare providers to adopt compliance programs based on seven fundamental elements. These elements, first outlined in the OIG's 1998 Compliance Program Guidance and refined over the years, provide a practical framework for managing regulatory risk. While compliance programs should be tailored to the size and complexity of each organization, these seven core elements remain the foundation of effective healthcare compliance.

Written Policies and Procedures

The foundation of any compliance program is a clear set of written policies and procedures that address the specific regulatory risks your organization faces. These aren't meant to sit on a shelf collecting dust—they're practical guides that help your staff navigate complex regulations in their daily work. Your policies should cover areas like:

  • Billing and coding practices - Documentation requirements, claim submission procedures, and processes for correcting billing errors
  • Federal fraud and abuse laws - Guidance on physician financial relationships, referral arrangements, and kickback prohibitions
  • HIPAA privacy and security - Protected health information handling, breach notification procedures, and business associate agreements
  • Clinical documentation - Medical necessity standards, progress note requirements, and signature protocols
  • Conflicts of interest - Financial disclosures, outside business activities, and family relationships

Effective policies are written in plain language, include real-world examples, and are easily accessible to staff. They should be reviewed and updated regularly as regulations change and new risks emerge.

Designated Compliance Officer and Compliance Committee

Someone needs to own compliance in your organization. The compliance officer serves as the central point of contact for compliance activities, monitoring regulatory changes, coordinating training, investigating potential issues, and reporting to leadership. For a solo practice or small group, this role might be part-time and combined with other administrative duties. For larger organizations, it may be a full-time dedicated position. Regardless of size, the compliance officer should have:

  • Direct access to senior leadership and the governing body
  • Authority to review documents, access systems, and interview personnel
  • Adequate resources and budget to fulfill compliance responsibilities
  • Protection from retaliation when raising compliance concerns

A compliance committee provides additional oversight and brings diverse perspectives to compliance decisions. The committee typically includes representatives from clinical, financial, legal, and administrative areas who meet regularly to review compliance activities, discuss emerging risks, and recommend policy changes.

Effective Training and Education

Regulations don't enforce themselves—your staff needs to understand what's required and why it matters. Effective compliance training goes beyond annual check-the-box exercises. It should be:

  • Targeted - Billing staff need different training than clinicians; nurses have different compliance risks than physicians
  • Practical - Use real scenarios from your practice, not generic examples
  • Regular - Initial orientation plus ongoing updates as regulations change
  • Documented - Track who attended, what was covered, and when it occurred

Training topics should address your organization's specific risk areas. For example, a behavioral health provider needs robust HIPAA and 42 CFR Part 2 training, while an ambulatory surgery center should focus heavily on the Medicare Conditions for Coverage that apply to ASCs and on billing rules. New hire training establishes expectations from day one. Annual refresher training reinforces key concepts and addresses new regulatory developments. And when problems are identified through audits or investigations, targeted corrective training addresses the specific gaps found.

Effective Lines of Communication

Compliance only works when people can report concerns without fear of retaliation. Your program should provide multiple channels for staff to raise questions, report potential violations, and seek guidance on compliance issues. This includes:

  • Open-door policy - Staff should feel comfortable approaching the compliance officer or supervisors with questions
  • Anonymous hotline - Some employees prefer to report concerns anonymously, particularly for sensitive matters
  • Written procedures - Clear guidance on how and to whom potential compliance issues should be reported
  • Non-retaliation policy - Explicit protection for anyone who reports concerns in good faith

Just as important as reporting channels is how you respond to reports. Every concern should be acknowledged, investigated appropriately, and resolved with documented outcomes. When staff see that reports are taken seriously and addressed, they're more likely to speak up early before small problems become major violations.

Well-Publicized Disciplinary Standards

Your compliance program needs teeth. Employees must understand that violations have consequences, regardless of position or tenure. Disciplinary policies should:

  • Apply uniformly - The same rules apply to physicians, nurses, administrators, and billing staff
  • Scale to the violation - Minor inadvertent errors may warrant retraining; intentional fraud justifies termination
  • Be well-publicized - Include in employee handbooks, new hire orientation, and compliance training
  • Be consistently enforced - Selective enforcement undermines credibility

Discipline isn't just about punishment—it's about accountability. When staff see that violations are addressed promptly and fairly, it reinforces the organization's commitment to compliance and deters future problems. Progressive discipline makes sense for most compliance issues: verbal warning for minor first offenses, written warning for repeated problems, suspension for serious violations, and termination for intentional misconduct or criminal conduct. The key is documentation and consistency.

Effective System for Routine Monitoring and Auditing

You can't manage what you don't measure. Regular monitoring and auditing help you identify compliance problems before government auditors do. An effective monitoring system includes:

  • Internal Audits - Periodic reviews of high-risk areas like billing practices, documentation quality, and HIPAA compliance. These audits should use statistical sampling when reviewing large volumes of claims or records.
  • Benchmarking - Compare your billing patterns against national and regional data. Significant deviations—particularly unusually high rates of certain procedures or modifiers—may indicate coding errors or documentation issues.
  • Claims Review - Analyze denied claims and payer audits to identify patterns suggesting systemic problems.
  • Risk Assessments - Annually evaluate emerging risks based on regulatory changes, OIG enforcement priorities, and your organization's specific activities.

The scope and frequency of monitoring should be risk-based. High-risk areas like Medicare billing, physician financial relationships, and controlled substance prescribing warrant more frequent review than lower-risk activities. When audits identify problems, don't just fix the individual claim—investigate whether it represents a broader pattern requiring corrective action, policy changes, or additional training.

Procedures for Responding to Compliance Issues

Despite your best efforts, compliance problems will occur. How you respond determines whether a mistake becomes a minor correction or a government investigation. Your response procedures should include:

  • Investigation Protocol - Clear procedures for investigating potential violations, including who conducts the investigation, what documentation is required, and how findings are reported.
  • Corrective Action Plans - When violations are confirmed, develop specific, measurable steps to correct the problem and prevent recurrence. This might include policy revisions, additional training, process changes, or system modifications.
  • Overpayment Reporting - Federal law (the 60-day rule enacted in the Affordable Care Act) requires providers to report and return identified Medicare and Medicaid overpayments within 60 days of identification. Your procedures should define how overpayments are identified, calculated, reported, and refunded.
  • Self-Disclosure - For serious violations involving federal healthcare programs, the OIG Self-Disclosure Protocol and CMS Self-Referral Disclosure Protocol provide mechanisms to voluntarily report violations and potentially reduce penalties.
  • Legal Review - Engage legal counsel early when investigating potential fraud and abuse violations, government audit demands, or whistleblower allegations. Attorney-client privilege can protect your investigation.

The key is acting promptly and decisively when problems are identified. Government enforcement authorities look favorably on providers who self-identify violations, conduct thorough investigations, implement meaningful corrective actions, and make appropriate refunds.

Sizing Your Compliance Program

These seven elements scale to organizations of any size. A solo physician practice doesn't need the same infrastructure as a 500-bed hospital, but the fundamentals remain the same.

  • Small Practices (1-10 providers): Your compliance program can be straightforward—a compliance manual with key policies, designation of a part-time compliance officer (often the office manager), annual staff training, and periodic self-audits of billing and documentation. External consultants can supplement internal resources for complex issues.
  • Medium Groups (10-50 providers): Consider a dedicated compliance officer (possibly part-time), a small compliance committee, more formalized training programs, regular internal audits with statistical sampling, and a compliance hotline (even if outsourced).
  • Large Organizations (50+ providers): A full-time compliance officer and staff, robust compliance committee with board oversight, comprehensive audit programs covering all high-risk areas, sophisticated monitoring systems, and dedicated compliance budget are warranted.

Regardless of size, the goal is the same: prevent violations, detect problems early, and respond effectively when issues arise.

The Return on Investment

An effective compliance program requires time and resources, but the return on investment is substantial:

  • Reduced legal and financial risk - Detecting and correcting violations before government auditors find them avoids penalties, settlements, and exclusion from federal healthcare programs
  • Improved billing accuracy - Regular audits and training reduce billing errors that lead to claim denials and payment delays
  • Better documentation - Compliance-driven documentation improvements support medical necessity and defend against audits
  • Enhanced reputation - A strong compliance program demonstrates commitment to ethical business practices
  • Operational efficiency - Well-designed compliance processes eliminate waste and streamline operations

Government enforcement authorities consider the presence and effectiveness of a compliance program when investigating potential violations. While a compliance program isn't a get-out-of-jail-free card, it can significantly reduce penalties and demonstrate good faith efforts to comply with regulations.

Getting Started

If you don't have a compliance program or need to strengthen your existing program, start with a risk assessment. Identify your highest-risk areas based on your practice type, patient population, payer mix, and recent regulatory enforcement trends. Focus your initial efforts on those areas. Then build out the seven elements systematically:

  1. Draft or update policies addressing your top risks
  2. Designate a compliance officer with appropriate authority and resources
  3. Provide targeted training to staff on high-risk areas
  4. Establish reporting mechanisms and make them known to staff
  5. Implement or revise disciplinary policies
  6. Conduct initial audits of your highest-risk activities
  7. Document procedures for investigating and correcting compliance issues

Compliance is an ongoing process, not a one-time project. As regulations evolve, your practice changes, and new risks emerge, your compliance program must adapt. Regular evaluation and continuous improvement ensure your program remains effective.

Need Help Building or Enhancing Your Compliance Program?

Kaufman & Canoles' health care team assists providers of all sizes with compliance program development, risk assessments, internal audits, policy drafting, staff training, government investigations, and self-disclosures. Contact Colin McCarthy at colin.mccarthy@kaufcan.com or 804.771.5733.

Colin McCarthy, Of Counsel

Colin McCarthy is a healthcare regulatory attorney with more than 15 years of experience advising healthcare providers on compliance, reimbursement, and operational matters. Based in Richmond, Virginia, he advises clients ...
