OIG Releases Final Compliance Program Guidance For Physician Practices

by Gregory J. Naclerio
Chairman, Healthcare Regulatory Department
and Jay B. Silverman
Health Law Department


With annual national health care expenditures now approximating $1 trillion and estimates that health care fraud and abuse may account for as much as 10 percent of that amount, health care fraud is undergoing increased scrutiny at every level of government as well as by private insurance companies. The federal government’s seriousness in fighting fraud and abuse and protecting the integrity of Medicare and other federal healthcare programs can be witnessed in the Attorney General declaring health care fraud the Department of Justice’s number two initiative, behind only violent crime.

While much of the focus in fighting health care fraud has been on large institutional health care providers and entities such as hospitals, nursing homes and clinical laboratories, the federal government has now turned its attention to physicians, specifically individual and small group practices.

To this end, on September 25, 2000, the U.S. Department of Health and Human Services’ Office of Inspector General (OIG) issued its final compliance program guidance (Guidance) for individual and small group physician practices. (The Guidance was published on the OIG web site at http://www.oig.hhs.gov/oigreg/physician.pdf). The purpose of this Guidance is to assist physician practices in developing compliance programs.

With publication of this Guidance, the OIG is encouraging physician practices to implement compliance principles that will become part of the practice culture and that promote adherence to statutes and regulations applicable to federal health care programs so as to prevent and reduce improper conduct.

Unlike other guidance previously issued by the OIG, this Guidance does not suggest that physician practices implement all the standard components of a full scale compliance program. Instead, the Guidance emphasizes an incremental and flexible approach that practices can follow when developing and implementing a compliance program that depends upon the circumstances and resources of the individual practice.

The following are some of the most frequently asked questions and answers regarding the Guidance and an outline of the Guidance’s step by step approach for physician practices to follow in implementing a compliance program.


QUESTION: Must physician practices implement a compliance program?
ANSWER: No. Like the other compliance guidance that the OIG has issued over the past few years dealing with health care providers and entities such as clinical laboratories, hospitals, nursing homes, hospices, home health agencies, durable medical equipment suppliers and third-party medical billing companies, this Guidance is voluntary.

QUESTION: Does the Guidance set a particular numer of physician to define a small group practice?
ANSWER: No. The Guidance does not set a numerical standard for the definition of a small physician group practice.

QUESTION: Does the Guidance target only physicians?
ANSWER: No. For purposes of this guidance, the term “physician” is defined as (1) a doctor of medicine or osteopathy; (2) a doctor of dental surgery or of dental medicine; (3) a podiatrist; (4) an optometrist or (5) a chiropractor. The Guidance can also apply to other health care practitioners such as psychologists, physical therapists, speech and language pathologists and occupational therapists.

QUESTION: Is the Guidance applicable to only Federal health care programs?
ANSWER: Because the Guidance encourages a compliance culture within the physician practice, it should not be difficult to include private payer claims in a physician practice’s compliance program.

QUESTION: What efforts has New York State taken to deal with health care fraud?
ANSWER: In an effort to prevent and curtail health care fraud, physicians should be aware that the State Insurance Department requires insurers, health maintenance organizations and self-insured plans that write at least 3,000 policies annually or provide insurance coverage on a group basis for 3,000 or more individuals a year to implement special investigation units for the detection, investigation and prevention of fraud and abuse. As such, it would be wise for physician practices to include private payer claims in any compliance program that the practice designs.

QUESTION: Are there benefits to implementing a compliance program?
ANSWER: Yes. An effective compliance program can (1) speed and optimize proper claims payment; (2) minimize billing mistakes; (3) reduce the chances of an audit; and (4) avoid conflicts with federal and state self-referral and anti-kickback laws.

QUESTION: Does the guidance set forth basic components for implementing a compliance program for a physician practice?
ANSWER: Yes. The Guidance sets forth a step-by-step guide of seven basic components which form the basis of an effective compliance program for a physician practice. The seven components are as follows: (1) conducting internal monitoring and auditing through the performance of periodic audits; (2) implementing practice standards through the development of written standards and procedures; (3) designating a compliance officer or contact to monitor compliance efforts and enforce practice standards; (4) conducting appropriate training and education on practice standards and procedures; (5) responding appropriately to detected violations through the investigation of allegations and developing a corrective action program; (6) developing open lines of communication with the practice’s employees; and (7) enforcing disciplinary standards through well-publicized guidelines.

QUESTION: Must physician practices implement all seven components?
ANSWER: No. Unlike other guidance previously issued by the OIG, this Guidance does not suggest that physician practices implement all seven standard components of a full scale compliance program. Instead, the OIG stresses flexibility in implementing a compliance program because of physician practices’ financial and staffing resources. The Guidance provides that larger practices may be able to fully implement all the elements of a full-scale compliance program, in fact, it also provides direction to larger practices in developing compliance programs by recommending that they use both this Guidance and the previously issued guidance, such as the Third-Party Medical Billing Company Compliance Program Guidance and/or the Clinical Laboratory Compliance Program Guidance, to create a compliance program that meets the needs of a larger physician practice.



In the Guidance, the OIG recommends that a physician practice perform a baseline audit to determine what, if any, problem areas exist and then focus on the risk areas associated with those problems. A baseline audit can also be helpful to a physician practice in judging over time its progress and effectiveness in reducing or eliminating potential problem areas.

QUESTION: Does the guidance recommend any specific types of audits that physician practices should perform?
ANSWER: The OIG recommends two types of audits that physician practices can perform. The first type of audit is a standards and procedures audit and focuses on whether the practice’s standards and procedures are complete. The second type of audit is a claims submission audit and focuses on whether bills and medical records are in compliance with coding, billing and documentation requirements.

QUESTION: Who should perform a claims submission audit?
ANSWER: The OIG recommends that the practice’s billing representative and a medically trained person perform the audit. To insure a more objective and accurate audit physician practices may want to retain an independent consultant or billing expert to perform the claims submission audit.

QUESTION: How should a claims submission baseline audit be conducted?
ANSWER: The OIG recommends that a claims submission baseline audit cover claims that were submitted and paid during the initial three months after implementation of a practice’s education and training program. Follow-up audits should be conducted at least annually.

QUESTION: How many medical records should be reviewed as part of a claims submission audit?
ANSWER: Although there is no set formula of how many medical records should be reviewed as part of a claims submission audit, the OIG recommends reviewing five or more medical records per federal payer or five to ten medical records per physician.


After the baseline audit identifies those risk areas within the practice, the OIG recommends addressing those risk areas through the development of written standards and procedures. According to the Guidance, physician practices may want to create a resource manual that contains their written standards and procedures as well as information such as OIG Fraud Alerts and Advisory Opinions and Health Care Financing Administration directives and carrier bulletins. In addition, physician practices should update clinical forms periodically to ensure the forms facilitate complete documentation of medical care that is provided.

QUESTION: Has the OIG identified any risk areas where physician practices may be vulnerable?
ANSWER: Yes. The OIG has identified four high risk areas that physicians and their employees should be familiar with which are as follows: (i) coding and billing; (ii) reasonable and necessary services; (iii) documentation; and improper inducements, (iv) kickbacks and self-referrals. The Guidance also includes appendices that outline additional rusk areas.


Since financial constraints may make it difficult for physician practices to designate one individual to be in charge of compliance functions, the Guidance suggests that physician practices designate more than one employee, known as Compliance Contacts, with compliance monitoring responsibility. Physician practices that designate more than one employee to perform certain compliance duties, should describe in its standards and procedures the compliance functions for which the designated employee would be responsible. Alternatively, the Guidance permits physician practices to outsource the compliance officer role to a third party who ideally should have enough interaction with the practice to understand the practice’s inner workings.

QUESTION: What are the duties of a compliance officer?
ANSWER: A compliance officer’s duties should include: (1) overseeing and monitoring the implementation of the compliance program; (2) establishing methods to improve the practice’s efficiency and quality of services and to reduce the vulnerability to fraud and abuse; (3) periodically revising the compliance program to reflect changes in the needs of the practice, the law or standards and procedures of government and private payer health plans; (4) developing, coordinating and participating in a training program for compliance; (5) ensuring that health care providers and contractors are not exclude from federal programs; and (6) investigating allegations of improper business practices and monitoring corrective action.


The OIG recommends that training be provided on both coding and billing and compliance issues and must be tailored to the specific practice’s needs, specialty and size. An effective compliance program should provide which employees require training, how often and how much training those employees require and the kinds of training employees should receive such as seminars, in-house and self-study programs.

QUESTION: What should compliance training cover?
ANSWER: Compliance training should explain the practice’s compliance program, the various applicable federal and state laws that pertain to the prohibitions on the federal and state self-referral laws and the federal anti-kickback statute and state fee-splitting prohibitions.

QUESTION: What should coding and billing training cover?
ANSWER: Coding and billing training should cover (1) coding, documentation and billing requirements; (2) the claim development and submission process; (3) the implications of signing a form for a physician without authorization and (4) the legal implications for submitting false or reckless claims.

QUESTION: How often should employees receive training?
ANSWER: The OIG recommends that employees should be trained at least annually and that new billing and coding employees be trained as soon as possible after being hired and should work under an experienced employee until their training has been completed.


The Guidance provides that upon the receipt of a report or reasonable indications of suspected noncompliance, a practice should look into the allegations to determine whether significant violation of applicable law or the requirements of the compliance program has occurred, and, if so, take appropriate action to correct the problem.

QUESTION: What might appropriate action include?
ANSWER: Appropriate action may include corrective action plans, return of overpayments, reports to government entities or referral to law enforcement.

QUESTION: Are there any warning signs that physician practices should be on the look at for?
ANSWER: The OIG suggests that physician practices develop their own warning signs for compliance problems, such as significant changes in the number or type of claims rejections, challenges to the medical necessity of claims, changes in the pattern of code utilization or high volumes of payment adjustments. Even in the absence of the detection of any violations, the OIG advises physician practices to periodically review and modify their compliance programs.


The OIG advises that in order to prevent problems from occurring, physician practices need to have open lines of communication as an integral part of implementing a compliance program. While guidance previously issued by the OIG has encouraged the use of several forms of communication many of which focus on formal processes and are more costly to implement such as a telephone hotline, the OIG recognizes that the nature of a small physician practice dictates that such communication and information exchanges need to be conducted through a less formalized process. In addition, the OIG recognizes that protecting anonymity may not be feasible for small physician practices.

QUESTION: What are the forms that open lines of communication can take in a small physician practice?
ANSWER: A compliance program’s system for meaning and open communication in a small physician practice can include the following: (1) an open-door policy; (2) conspicuous posting of notices related to compliance; and (3) compliance bulleting board.


According to the OIG so as to add credibility and integrity to a compliance program, an effective physician practice compliance program should include procedures for enforcing and disciplining individuals, including the possibility of termination, who violate the practice’s compliance or practice standards. At the same time, a practice’s enforcement and disciplinary procedures should be flexible enough to account for mitigating and aggravating circumstances.

QUESTION: How should disciplinary guidelines be publicized to practice employees?
ANSWER: The OIG recommends that the inclusion of disciplinary guidelines in-house training and procedure manuals is sufficient to meet the well-publicized standard of this element.

Gregory Naclerio is formerly the Director of the Long Island Regional Office of the Deputy Attorney General’s Medicaid Fraud Control Unit, is a Senior Partner with the law firm Ruskin Moscou Faltischek, P.C., P.C. and is Chairman of the firm’s Healthcare Regulatory Department.  He can be reached at (516) 663-6633 or gnaclerio@rmfpc.aw-develop.com.

Jay Silverman, formerly the Assistant General Counsel of the Medical Society of the State of New York is an attorney in the firm’s Health Law Department. He can be reached at (516) 663-6606 or jsilverman@rmfpc.com.  The firm serves as General Counsel to the Suffolk County Medical Society.