OIG Compliance Program for Hospitals: 8 Keys to Success

The U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) is tasked with combating fraud under Medicare, Medicaid, and other federally funded healthcare programs. The HHS-OIG is the largest inspector general’s office in the federal government, employing more than 1,600 investigators, attorneys, and support staff. While the HHS-OIG investigates healthcare fraud across over 100 government-funded programs, it dedicates most of its resources to uncovering Medicare and Medicaid fraud.

All healthcare providers that bill Medicare or Medicaid are subject to HHS-OIG’s oversight. This includes hospitals. The HHS-OIG enforces all aspects of federal healthcare compliance, and it conducts investigations targeting hospitals (and other facilities) that it has reason to believe are out of compliance. While these investigations are typically civil in nature, they can lead to criminal charges against hospitals, executives, administrators, and others in some cases.

“Hospitals need to devote sufficient time and resources to federal healthcare compliance. The HHS-OIG expects hospitals to adopt, implement, and enforce robust compliance programs, and it expects to be able to see documentation of hospitals’ compliance audits when conducting investigations.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

The best way to avoid allegations of Medicare or Medicaid fraud is to prioritize general compliance program guidance in all aspects of a hospital’s operations. While the HHS-OIG provides some guidance, it is ultimately up to hospitals (and their legal counsel) to determine what is necessary.

8 Key to Effectively Managing Hospitals’ OIG Compliance Obligations

With this in mind, here are eight keys to OIG compliance for hospitals:

1. Comprehensively Identifying the Hospital’s Federal Healthcare Compliance Obligations

The first step in developing a comprehensive OIG compliance program is to conduct a deep dive into the hospital’s compliance obligations. While there will be some broad similarities between facilities, hospitals need to focus on developing compliance policies and procedures that are tailored to their specific risks and needs to ensure quality and patient safety.

Hospitals should consider a two-tiered approach when identifying their federal healthcare compliance program needs. The first tier involves reviewing the facility’s existing compliance documentation and implementation to determine where (and to what extent) issues must be addressed. Among other things, this will involve conducting a claims submission audit. This involves reviewing all previously denied claims and identifying any claims that resulted in overpayments. Identifying past billing compliance failures will allow the hospital to ensure that future bills are accurately coded, that the correct documentation is being generated and stored, and that the hospital is prepared to withstand an HHS-OIG investigation if necessary. Once complete, management can create a “benchmark” to judge compliance and gauge future approval and denial rates.

The second tier involves identifying areas of compliance that are not addressed in the hospital’s current compliance program infrastructure. This can result from changes in the scope of the hospital’s operations or changes to governing laws or regulations. Neither type of change is an excuse for noncompliance, and when it comes to addressing new compliance obligations, hospitals’ leadership teams need to be as proactive as possible.

2. Implementing All Necessary Compliance Policies, Procedures, and Protocols

After identifying all areas of concern, the next step is to address each of these areas with new or amended compliance policies, procedures, and protocols. This includes, but is by no means limited to, ensuring that the hospital’s compliance documentation is up to date regarding:

• Billing and Coding – Hospitals must ensure strict compliance with all applicable federal billing regulations and private insurance billing rules. This includes implementing safeguards that are effective at ensuring coding compliance consistently.
• Medical Necessity - One of the most common issues during HHS-OIG investigations is medical necessity. Under federal billing regulations, hospitals (and other facilities) can only bill for services and supplies that are medically necessary. What hospital personnel believe is medically necessary and what the federal billing regulations consider medically necessary won’t always align.
• Anti-Kickback Statute and Stark Law Compliance – Relationships with physicians, pharmacies, and other parties raise potential compliance concerns under the federal Anti-Kickback Statute and Stark Law. Violations of these federal statutes are common issues for hospitals in HHS-OIG investigations.
• Prescription Drug Compliance – The HHS-OIG works alongside the Drug Enforcement Administration (DEA) to strictly enforce the Controlled Substances Act (CSA) within the healthcare sector. Hospitals’ ordering, storage, prescription, dispensing, and pharmacy referral practices present potential noncompliance and enforcement risks.
• Documentation - In many respects, maintaining effective compliance programs and documenting compliance are equally important. If a hospital cannot affirmatively demonstrate compliance with the documentation it has available, it will present a high risk for civil or criminal enforcement.

Of course, every hospital will have different risks, and it is important to address all pertinent issues with specificity in a hospital’s compliance program. This requires an in-depth understanding of the hospital’s operations and the governing laws and regulations. As a result, it will generally be best for hospitals to establish ongoing relationships with outside counsel who can get to know their business and proactively provide custom-tailored compliance advice.

3. Designating a Compliance Officer

All hospitals should have designated compliance personnel responsible for overseeing the facility’s compliance efforts and, when necessary, responding to potential compliance failures. The hospital’s compliance officer should communicate regularly with the facility’s outside counsel and clearly understand when potential compliance-related concerns require legal advice that exceeds their expertise. However, the compliance officer cannot provide medical providers with legal or financial advice.

4. Ensuring that Internal Personnel Are Adequately Trained

Effective implementation of the hospital’s compliance policies, procedures, and protocols is a critical step for effective compliance management. Training is a major part of the implementation process.

Anyone who has any role to play in the hospital’s compliance efforts should receive training to ensure that they have a clear understanding of what is necessary day to day. Ensuring adequate compliance training on a facility-wide basis involves:

• Identify all departments and operational areas that implicate the hospital’s compliance obligations;
• Identify all personnel who will need to be trained;
• Determine what training is necessary for each role;
• Develop and present custom-tailored compliance programs; and,
• Document the hospital’s training efforts and continue to provide training on an ongoing basis as necessary.

Here, too, documentation is key. When facing scrutiny from the HHS-OIG, hospitals must be prepared to prove that they have provided adequate training to their personnel. This is especially (but not exclusively true) when an investigation uncovers inadvertent noncompliance.

5. Identifying Potential Violations and Determining the Appropriate Corrective Action

Even when hospitals take a comprehensive approach to federal healthcare compliance, they must still acknowledge the very real possibility of mistakes. This means that they must both (i) have procedures for identifying potential compliance violations and (ii) have procedures for addressing confirmed compliance violations as efficiently as possible.

A comprehensive compliance program will include documented procedures for identifying and addressing compliance-related concerns. Generally, the OIG expects hospitals to conduct regular self-assessments and proactively remedy all identified compliance failures. Depending on the nature of a compliance failure, this may involve implementing a corrective action plan, arranging for the return of overpayments, or taking other measures that are necessary to both remedy the violation(s) at issue and promote compliance going forward.

While some isolated compliance failures may be unavoidable, systemic failures generally indicate that the hospital’s compliance program is deficient. When this is the case, corrective action will also involve examining the hospital’s compliance policies, procedures, and protocols to determine what additions or changes are necessary.

6. Maintaining Open Lines of Communication

An effective compliance program will ensure open lines of communication between the hospital’s personnel, compliance officer, and outside counsel. Effective communication is key to ensuring that key personnel have an accurate understanding of their role in the hospital’s compliance efforts and that all personnel know how to raise potential compliance concerns when necessary.

With this in mind, some examples of important communication-related policies include:

• A requirement for all hospital personnel to report any concerns about fraud, waste, and abuse laws or other misconduct;
• A clear chain of command for responding to verified compliance concerns and external inquiries (including billing compliance audits and HHS-OIG investigations); and,
• A clear policy against retaliating against hospital personnel who report compliance-related concerns.

Implementing these policies may involve leveraging the hospital’s human resources functions or establishing a complaint hotline (or both). Of course, as discussed above, this is in addition to providing adequate training.

7. Enforcing Compliance Internally

While hospitals should have clear policies against retaliating against employees who report compliance-related concerns, the compliance committee should also have clear policies for disciplining those responsible for compliance failures.

Disciplinary policies need to be clear and consistent, and they must be enforced on a non-discriminatory basis. While there is room for hospitals to tailor disciplinary actions to the specific circumstances of each particular case, hospitals must also be very careful to avoid allegations of disparate treatment. Some examples of possible disciplinary actions in compliance-related matters include:

• Oral warnings or formal write-ups
• Demotion
• Probation
• Suspension
• Termination

Training is also essential here. All personnel should have a clear understanding of the consequences they can expect to face if they are responsible for a compliance failure. This is an area where federal healthcare compliance and federal (and state) employment law compliance intersect, and this intersection can be very risky for facilities that do not have the necessary policies, protocols, and enforcement mechanisms in place.

8. Focusing on Compliance on an Ongoing Basis

Implementing the OIG compliance guidance is not a one-time task. As laws and regulations change and hospitals’ operations and relationships evolve, executives, administrators, and compliance officers must do what is necessary to keep pace. With this in mind, an effective compliance program will also necessarily involve:

• Conducting Periodic OIG Compliance Audits – In addition to conducting initial compliance audits to assess their compliance-related needs, hospitals should also conduct OIG compliance audits on an ongoing basis. These audits should take place annually in most cases. When auditing hospitals’ compliance efforts, a comprehensive approach is key, and the individuals involved must be capable of providing an unbiased assessment of the efficacy of an organization's compliance program.
• Promptly Investigating Potential Compliance Failures - Along with regularly scheduled compliance audits, hospitals should also conduct internal investigations when potential compliance concerns arise. These investigations should take place immediately, and a comprehensive and unbiased approach is key here, too.
• Continuing to Train Both New and Existing Personnel – Ongoing training is also essential. All new personnel should receive adequate training during the onboarding process, and existing personnel should receive updated and refresher training as necessary. The volume and frequency of necessary ongoing training will vary depending on individual employees’ and contractors’ roles within the hospital’s operations.
• Carefully Drafting and Reviewing Contracts with Physicians and Others – Careful contracting is key to avoiding Anti-Kickback Statute and Stark Law violations. This applies not only to physicians but to pharmacies, marketers, and other third parties. Hospitals often must draft their contracts with third-party service providers with a specific Anti-Kickback Statute “safe harbor” or Stark Law exception in mind.
• Updating the Hospital’s Compliance Documentation as Necessary - While we’ve covered this already, it bears repeating: Thorough compliance documentation is essential for withstanding scrutiny from the HHS-OIG. With this in mind, hospitals should prioritize updating their compliance documentation as necessary and generate and store compliance documentation as a matter of course.

While effectively managing OIG compliance is not easy, it is extremely important. The risks of noncompliance are substantial. Not only can hospitals face substantial penalties, but, in some cases, their executives, administrators, and other individuals can face substantial penalties as well. By taking a comprehensive and proactive approach to federal healthcare compliance, hospitals can mitigate these risks effectively and ensure they are prepared to defend against an HHS-OIG investigation, if necessary.