Richard Romero

An effective compliance program that includes periodic reviews is the best protection against liability for Medicaid and other healthcare fraud.

At a Glance 

Compliance programs should, at a minimum, include seven elements: 

  • Written policies and procedures 
  • Compliance officer 
  • Training 
  • Communication 
  • Discipline 
  • Review and monitoring 
  • Corrective action 

In early 2006, President Bush signed the Deficit Reduction Act of 2005. The act lives up to its name by cutting Medicaid benefits and several other federal outlays. But it's also designed to launch a frontal assault on Medicaid fraud and abuse.

As a consequence of the DRA, hospitals and other healthcare providers should expect heightened government scrutiny of their Medicaid billings. They should also expect an increase in litigation under federal and state false claims acts, as the DRA allocates funds for expanded Centers for Medicare and Medicaid Services oversight of state Medicaid programs. The DRA also provides states with financial incentives to step up their efforts to combat fraud and abuse.

A solid compliance program should be your first line of defense. For the first time, larger entities-those paying or receiving more than $5 million in Medicaid funds annually-are required to undertake specific compliance activities. But even smaller entities should develop compliance programs or review existing programs to help immunize themselves against the potentially devastating effects of lawsuits and government investigations. 

Time for Action

Medicaid is the country's largest health program, providing benefits to more than 56 million Americans. Despite a small dip last year, Medicaid spending has been growing steadily since the program began more than 40 years ago to its current level of about $300 billion (Healthcare Leadership Council, "Medicaid Reform Recommended, but Leaders of New Congress Will Be a Tough Sell," Dec. 8, 2006).

The Medicaid program has faced its share of fraud, abuse, and waste. And although the federal government pays about 59 percent of the cost, combating Medicaid fraud has largely been left in the hands of the state governments that administer the program. According to a 2005 report by the Government Accountability Office, total CMS staff resources dedicated to overseeing the states' Medicaid fraud and abuse control activities were the equivalent of 8.1 FTE employees (Medicaid Fraud and Abuse: CMS's Commitment to Helping States Safeguard Program Dollars Is Limited, GAO-05-855T, June 28, 2005). The GAO report concluded, "Relatively few and questionably aligned resources and an absence of strategic planning underscore the limited commitment CMS has made to strengthening states' ability to curb fraud and abuse."

The DRA aims to cure these deficiencies by:

  • Establishing a comprehensive Medicaid Integrity Program  
  • Offering financial incentives to states that pass tough false claims legislation or beef up existing legislation
  • Mandating written policies and employee education about false claims recovery (Note that education refers to the provision of information to employees, contractors, and agents. There is no training requirement for compliance with section 6032 of the DRA.)

Unmasking Fraud

The DRA directs CMS to design a national strategy for detecting and preventing Medicaid fraud and abuse, modeled after the Medicare Integrity Program established in 1996. The act funds the program with $50 million per year for FY07 and FY08, increasing to $75 million beginning in 2009. It also boosts CMS staff devoted to Medicaid oversight to 100 FTE employees.

In July 2006, CMS issued a comprehensive five-year Medicaid Integrity Plan. The plan guides CMS personnel in reviewing the actions of Medicaid providers and supporting the states' efforts to combat Medicaid fraud. The MIP outlines several strategies for achieving its objectives, including striking a balance between overseeing and providing training and technical assistance to the states, and supporting criminal investigations of suspect providers while seeking administrative sanctions.

In October 2006, Robb Miller, acting director of CMS's Medicaid Integrity Group, conducted a teleconference briefing on the MIP's status. Miller announced that CMS had partnered with a third-party service provider as its audit program development contractor. The APD contractor is designing a Medicaid payment integrity audit program and developing audit protocols, methodologies, and standards.

CMS also has partnered with a management consulting firm as its State Program Integrity Assessment contractor. The consulting firm is charged with three tasks: 

  • Surveying state agencies' efforts to combat fraud, waste, and abuse
  • Developing baselines for state program integrity
  • Recommending metrics and standards for measuring performance

Both CMS and its contractors will balance oversight and education. In addition to uncovering fraud and abuse, they will educate providers and others on payment integrity and quality of care. They will strike a similar balance in their relationships with the states, combining oversight of state programs with education in the form of program integrity training, best practices guidance, and other technical assistance.

In addition to overseeing the activities of the APD and SPIA contractors, CMS staff will conduct state-of-the art data mining and analysis to identify emerging trends in Medicaid fraud and abuse. The MIP is developing a detailed work plan to identify and address Medicaid's most vulnerable areas. Issues targeted for initial study include: 

  • Fraud related to long-term care facilities and home health agencies
  • Provision of prescription drugs to Medicaid beneficiaries and the underlying costs of those drugs as reported to the states
  • Durable medical equipment and other medical suppliers
  • Improper claims for payment from hospitals and individual practitioners

The MIP will submit annual reports to Congress that document the use and effectiveness of its funds and calculate the program's ROI. 

Boosting ROI for Recovery

The federal False Claims Act has proven to be a powerful tool for combating Medicare fraud and abuse. In addition to establishing criminal penalties, the act allows the federal government to collect treble damages for fraudulent claims. It also boosts enforcement efforts by authorizing private citizens ("qui tam relators," or "whistleblowers") to bring actions on the government's behalf in exchange for a share of the recovery-usually between 15 percent and 30 percent.

The government's ROI in Medicare investigations and prosecutions is impressive: It gets back an estimated $15 for every dollar it puts in (Meyer, J. A., "Fighting Medicare Fraud: More Bang for the Federal Buck," Taxpayers Against Fraud Education Fund, July 2006, p. 4). But this success hasn't been duplicated in the Medicaid program. Part of the problem is that the federal act applies only to fraud against the federal government. It doesn't cover false claims related to a state's portion of Medicaid spending.

The DRA attempts to close this loophole by encouraging states to pass their own false claims legislation that mirrors the federal act. States with laws that are as tough or tougher than the federal FCA are entitled to a 10 percent increase in their share of Medicaid recoveries.

In August 2006, the Office of Inspector General  of the Department of Health and Human Services published guidelines for determining whether a state false claims act qualifies. Among other things, a state false claims act must contain provisions that are at least as effective as the federal act in facilitating and rewarding whistleblower actions.

As of April 2007, there are 17 jurisdictions that have enacted a false claims act with whistleblower provisions, and several other states are considering legislation designed to meet the DRA's requirements. 

Beefing Up Compliance Efforts

The DRA's education provisions will have a significant impact on healthcare compliance efforts. Despite its innocuous-sounding title-Employee Education About False Claims Recovery-this section of the act effectively mandates a compliance program for any entity that receives or pays $5 million or more per year in Medicaid funds. Historically, healthcare providers have been encouraged, but not required, to develop these programs.

Covered entities must establish written policies for all employees (including management)-as well as for contractors and other agents-that provide detailed information about: 

  • The federal FCA
  • Federal administrative remedies for false claims
  • Any state laws pertaining to civil or criminal penalties for false claims
  • Whistleblower protections under federal and state laws
  • The entity's policies and procedures for detecting and preventing fraud, waste, and abuse

Employee handbooks also must contain a discussion of these issues. 

Prevention Is the Cure

A program that follows OIG guidelines can go a long way toward preventing Medicaid and other types of healthcare fraud and abuse as well as mitigating the consequences should fraud or abuse occur.

The OIG guidelines, which are derived from the U.S. Sentencing Commission, Guidelines Manual-commonly referred to as the federal sentencing guidelines-recommend that compliance programs, at a minimum, include seven elements.

Written policies and procedures. Develop and distribute written standards of conduct as well as compliance policies and procedures that identify specific areas of risk to the organization. A hospital, for example, should address areas of risk such as: 

  • Billing for items or services not actually rendered or for medically unnecessary services
  • Upcoding and "DRG creep" (that is, using a diagnosis-related group code that provides a higher payment rate than the appropriate code)
  • Outpatient services rendered in connection with inpatient stays
  • Duplicate billing and false cost reports
  • Unbundling
  • Billing for discharge in lieu of transfer
  • Incentives or other financial arrangements that violate anti-kickback or physician self-referral (Stark) laws
  • Patient dumping

The program should also have in place detailed claim development and submission processes designed to minimize these risks.

Compliance officer. A chief compliance officer and a compliance committee should be designated to oversee compliance activities. To ensure the effectiveness of the compliance officer, he or she should report directly to the board of directors.

Training. All personnel, including corporate officers, managers, employees, physicians, and other healthcare professionals, should receive effective training and education.

Communication. The program should have effective lines of communication, including access to the compliance officer and anonymous hotlines or other mechanisms for reporting fraud or other misconduct.

Discipline. Standards of conduct should be enforced through well-publicized disciplinary guidelines. Federal sentencing guidelines indicate that, in addition to promoting compliance through appropriate incentives, programs should include "appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct" (United States Sentencing Commission, Guidelines Manual, §3E1.1, Nov. 1, 2006, §8B2.1(b)[6]).

The guidelines also emphasize that compliance programs should be "promoted and enforced consistently throughout the organization." In other words, no one should be immune from disciplinary action, from the CEO to the rank-and-file.

Review and monitoring. The compliance program should be monitored and evaluated continually, and findings reported to senior management. One of the most effective monitoring techniques is to arrange for periodic compliance reviews by an independent consultant with healthcare experience.

Corrective action. Policies and procedures should be developed to effectively respond to and correct any noncompliance. Corrective actions may include referral to law enforcement authorities, a corrective action plan, a report to the government, and return of any overpayments.

Under federal sentencing guidelines, after criminal conduct has been detected, organizations should "take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct," including modifying the compliance program.

Remember that each provider has different needs, capabilities, and risks that should be considered in updating a compliance plan.

Boosting Your Defenses

A well-designed compliance plan helps protect your organization if a criminal or civil investigation occurs. A program that conforms to OIG and federal sentencing guidelines can help reduce criminal penalties. It can also be your best defense when settling fraud claims.

In its "Open Letter to Health Care Providers," dated March 9, 2000, the OIG outlined some of the benefits of compliance programs. When settling FCA or other fraud claims with the federal government, a provider is required to enter into a corporate integrity agreement. Typically, a corporate integrity agreement requires the organization to adopt the seven program elements described above. It may also impose significant ongoing review and reporting requirements.

The letter specifies, "In all cases, the OIG is prepared to consider the provider's current compliance program when we negotiate the appropriate terms of a CIA." If you can demonstrate that your compliance program is effective-particularly if you detect and voluntarily disclose problems based on your own examinations-the OIG may consider alternative review procedures.

For example, it might permit you to perform billing audits through your internal auditors rather than requiring you to retain an independent review organization for each year of the corporate integrity agreement. The OIG may also forgo statistical sampling-which can lead to significant monetary recoveries and penalties-in favor of alternate audit methodologies.

Clearly, there are advantages to voluntarily disclosing and correcting violations, and cooperating with the authorities. But be sure to consult legal counsel to discuss the risks involved in coming forward.

In 2003, former Deputy U.S. Attorney General Larry D. Thompson wrote a memorandum encouraging federal prosecutors to require organizations to waive the attorney-client privilege and certain other rights in exchange for receiving credit for cooperation. The so-called Thompson memo has been widely criticized. Certain aspects of the memo have been struck down by the courts as unconstitutional, and there's a bill pending in Congress that would protect organizations from being pressured into waiving the attorney-client privilege.

In addition, a recent shift in Justice Department policy limits prosecutors' access to privileged communications. Still, organizations should work with legal counsel to ensure that they cooperate with the government in a manner that avoids unnecessary risks. 

Meeting the Challenges

The additional resources, manpower, and incentives provided by the DRA will mean an increase in the number of government investigations, fraud claims, and whistleblower suits. Healthcare providers that develop effective compliance programs and police themselves will be in the best position to meet these challenges.

Richard Romero, CHFP, AVA, is a senior manager specializing in healthcare and forensics, Crowe Chizek and Company, LLC, Nashville, Tenn., and a member of HFMA's Tennessee Chapter (

Publication Date: Friday, June 01, 2007

Login Required

If you are an existing member, please log in below. Username and password are required.



Forgot User Name?
Forgot Password?

If you are not an HFMA member and would like to access portions of our content for 30 days, please fill out the following.

First Name:

Last Name:


   Become an HFMA member instead