Healthcare compliance is the ongoing process of meeting the legal, ethical, and professional standards applicable to a particular healthcare organization or provider. To be compliant, healthcare organizations and providers need to develop effective processes, policies, and procedures to define appropriate conduct, train the organization’s staff, and monitor the adherence to defined policies. Healthcare compliance covers numerous areas including patient care, billing, reimbursement, HIPAA privacy and security and many more.
The governing body and the executive officers of the healthcare organization bear the ultimate responsibility for its compliance, or lack of it. The organization’s governing body is responsible for directing the organization’s administrators to develop and implement the compliance program together with authorizing funds to accomplish the task.
While the governing body, the compliance officer, and the compliance committees have primary responsibility for the organization’s compliance program, every employee is responsible in their own way for healthcare compliance, and the success of the program. Accordingly, individual members of the organization need to report any healthcare compliance concerns they have up the chain of command, and report anything that appears to be out of the ordinary, unusual or questionable.
A compliance program is an imperative for every healthcare organization and provider. Since it is an ongoing process, every organization needs to constantly review and examine its policies and procedures to ensure adherence to requirements established by laws, regulations and professional standards as well as to regularly audit its performance.
The Office of Inspector General (OIG) for the United States Department of Health and Human Services (HHS) is charged with identifying and combating waste, fraud, and abuse in more than 300 of HHS programs, including Medicare and programs conducted by agencies within HHS, such as the Food and Drug Administration, the Centers for Disease Control and Prevention, and the National Institutes of Health.
The mission of the OIG, as mandated by the Inspector General Act , is to protect the integrity of HHS programs as well as the well-being of the beneficiaries of those programs.
OIG holds accountable those who bill HHS programs but do not meet Federal health program requirements or who violate Federal laws regarding the use of Federal health care funds. OIG also identifies opportunities to improve the economy, efficiency, and effectiveness of HHS programs.
OIG reports both to the Secretary of HHS and to the United States Congress about program and management problems and recommendations to correct them. OIG’s work is carried out by regional offices nationwide that perform audits, investigations, inspections and other mission-related functions.
HHS OIG is the largest inspector general’s office in the Federal Government, with more than 1,700 employees dedicated to combating fraud, waste and abuse and to improving the efficiency of HHS programs. Most of OIG’s resources go to overseeing Medicare and Medicaid – programs that represent much of the Federal budget and affect the most vulnerable U.S. citizens. OIG’s oversight extends to programs under other HHS institutions, including the Centers for Disease Control and Prevention, National Institutes of Health, and the Food and Drug Administration.
The current Inspector General for HHS is Daniel R. Levinson.
The OIG consists of the following six components:
The Office of Investigations (OI) conducts criminal, civil and administrative investigations of allegations of wrongdoing regarding HHS programs or HHS beneficiaries. Investigative efforts lead to criminal convictions, civil judgments and settlements, administrative sanctions, and/or civil monetary penalties. Additionally, a small Protective Operations Branch (POB) within OI consists of special agents dedicated solely to protection of the Secretary of HHS in support of domestic and overseas missions.
The Office of Audit Services (OAS) provides all auditing services for HHS, either through its own resources or by overseeing audit work of others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and provide independent assessments of HHS programs and operations.
The Office of Evaluation and Inspections (OEI) conducts management and program evaluations that focus on issues of concern to HHS, the Congress and the public. OEI generally focuses on identifying instances in which the management of large HHS programs can be improved to increase the well-being of beneficiaries or to save Federal health care dollars.
The Office of Counsel to the Inspector General (OCIG) represents OIG in all civil and administrative fraud cases and, in connection with these cases, negotiates and monitors corporate integrity agreements, a compliance agreement in which health care providers or other entities consent to a set of obligations in order to avoid being excluded from participating in any Federal health care program. OCIG also provides guidance to the health care industry to promote compliance with Federal laws and regulations and provides legal support to OIG operations.
The Immediate Office, which includes the Office of External Affairs which handles OIG’s interactions with Congress and the public, is directed by the Inspector General with the assistance of the Principal Deputy Inspector General and his staff.
The Office of Management and Policy provides mission-support services to the Immediate Office of the Inspector General and other OIG components.
Criminal and civil enforcement actions often result from OIG’s work as part of its Most Wanted Health Care Fugitives initiative, the Medicare Fraud Strike Force, the Health Care Fraud Prevention and Enforcement Action Team, and other similar efforts.
Medicare Fraud Control Units (MFCU) investigate and prosecute Medicaid fraud as well as patient abuse and neglect in health care facilities. At the moment, MFCUs operate in 49 States and in the District of Columbia. OIG certifies, and annually recertifies, each MFCU.OIG also collects information about MFCU operations and assesses whether they comply with statutes, regulations, and OIG policy.
The Office of Inspector General (OIG) has the authority to seek civil monetary penalties (CMPs), assessments, and exclusion against an individual or entity based on a wide variety of prohibited conduct.
The OIG has the right to impose stipulated penalties for non-compliance with the requirements of a Corporate Integrity Agreement (CIA). A material breach of the terms of the CIA may also result in the provider’s exclusion from participation in the Federal healthcare programs.
Since the early 1970’s, the Department of Health and Human Services (HHS), Office of the Inspector General (OIG) has the authority and responsibility “to protect the integrity of Department of Health & Human Services (HHS) programs as well as the health and welfare of program beneficiaries”. The OIG is acting in the people’s best interest to regulate and enforce violations of healthcare fraud, waste, and abuse.
Exclusion screening is the process of verifying that a current or potential employee is not classified as an excluded individual who is prohibited from participation in any Federal health care program. The OIG imposes exclusions under the authority of sections 1128 and 1156 of the Social Security Act. A list of all OIG exclusions and their statutory authorities can be found on the Exclusion Authorities page.
OIG’s exclusion process is governed by regulations that implement sections of the Act. When an individual or entity gets a Notice of Intent to Exclude (NOI), it does not necessarily mean that they will be excluded. OIG will carefully consider all material provided by the person who received the NOI before making a decision. All exclusions implemented by OIG may be appealed to an HHS Administrative Law Judge (ALJ), and any adverse decision may be appealed to the HHS Departmental Appeals Board (DAB). Judicial review in Federal court is also available after a final decision by the DAB.
The OIG does not issue individual warnings or notifications regarding excluded individuals. Employers are required to search the Federal exclusion database and SAM.gov, as well as each individual state’s Medicaid Exclusion database, to verify the status of each employee.
Although the OIG maintains its own database of excluded individuals, individual states may exclude individuals for reasons other than the ones cited by Federal law, without immediately reporting to the OIG or other states. Therefore, the only way for employers to ensure compliance with the mandated requirement is to conduct a nationwide search each month.
The OIG is required by law to exclude from participation in all federal healthcare programs individuals and entities on a number of grounds.
The OIG is required by law to impose mandatory exclusions for the reasons outlined in the Social Security Act. Permissive exclusions, on the other hand, can be imposed by the OIG at their discretion for a much greater number of reasons, some of which can be non-healthcare related.
When OIG is considering exclusion of an individual or entity under section 1128 of the Act, the administrative process is governed by regulations codified at 42 CFR sections 1001.2001 through 1001.2007. However, depending on the basis for the proposed exclusion, the process can vary.
For all proposed mandatory exclusions that are longer than the mandatory minimum five-year period, and most proposed permissive exclusions, the administrative process is the same. OIG sends out a written NOI to any individual that they are considering excluding. The NOI includes the basis for the proposed exclusion and a statement about the potential effect of an exclusion.
The NOI is pre-decisional and allows the individual or entity 30 days to respond in writing with any information or evidence relevant to whether the exclusion is warranted and to raise any other related issues, such as mitigating circumstances. OIG considers all available information in making a final decision about whether to impose the exclusion.
If OIG decide to proceed with exclusion, they send the individual or entity a Notice of Exclusion along with information about the effect of the exclusion and appeal rights. For mandatory exclusions that are for the minimum five year period, OIG man not send a NOI. For these exclusions, a Notice of Exclusion is the first notification sent. Exclusions are effective 20 days after the Notice of Exclusion is mailed, and notice to the public is provided on OIG’s website. The exclusion may be appealed to an ALJ, and any adverse decision may be appealed to the DAB. Judicial review is also available after a final decision by the DAB.
When a permissive exclusion is being considered under section 1128(b) (6) of the Act, the NOI allows the individual or entity to request an opportunity to present oral argument to an OIG official before a decision about whether to execute is reached. This is in addition to the right to submit documentary evidence and written argument.
If OIG decides to proceed with exclusion, we send the individual or entity a Notice of Execution along with information about the effect of the exclusion and appeal rights. When a permissive exclusion is imposed under sections 1128(b) (12) or (b) (13) of the Act, OIG is not required to send a NOI. We send the individual or entity a Notice of Exclusion along with information about the effect of the exclusion and appeal rights. An exclusion under section 1128(b) (12) is effective immediately and an exclusion under section 1128(b) (13) is effective 20 days after the Notice of Exclusion is mailed, and notice to the public is provided on OIG’s website.
When OIG is considering excluding an individual or entity under section 1128(b) (7) of the Act, the administrative process differs. OIG sends the individual or entity a written Notice of Proposal to Exclude. The written notice includes the basis for the proposed exclusion, the length of exclusion, the factors considered in setting the exclusion period, the effect of the exclusion, the earliest date on which OIG will consider a request for reinstatement, appeal rights and reinstatement information. The individual or entity may file a written request for a hearing within 60 days of receipt of the Notice of Proposal to Exclude. If the individual or entity does not request a hearing, the exclusion goes into effect 60 days after the receipt of the Notice of Proposal to Exclude. If the individual or entity makes a timely written request for a hearing, and OIG has determined that the health and safety of individuals receiving services under Medicare or any State health program does not warrant immediate exclusion, and exclusion will only go into effect as of the date of the ALJ’s decision, if the ALJ upholds OIG’s decision to exclude. Any adverse decision may be appealed to the DAB, and judicial review is available after a final decision by the DAB.
If OIG excludes an individual under section 1156 of the Act, OIG sends a written notice notifying the individual of the exclusion. The written notice includes the legal and factual basis for the exclusion, the length and effective date of the exclusion, the effect of the exclusion, appeal rights, reinstatement information, and patient notification option. The exclusion goes into effect 20 days after the date of the written notice. The individual may file a written request for a hearing before an ALJ within 60 days of receipt of the written notice. Any adverse decision by the ALJ may be appealed to the DAB, and judicial review is available after a final decision by the DAB.
An individual excluded under section 1156 of the Act may request a preliminary hearing if the location where services are rendered to over 50 percent of the individual’s patients at the time of the written notice is in a rural health professional shortage area or in a county with a population of less than 70,000. Such an individual may file a written request for a preliminary hearing before an ALJ within 15 days of receipt of the written notice. A request for a preliminary hearing stays the effective date of the exclusion pending the ALJ’s decision at the preliminary hearing.
The principal effect of exclusion is that payment is prohibited for anything that an excluded individual furnishes, orders, or prescribes, and any administrative and management services furnished by the excluded individual. This prohibition extends to anyone who employs or contracts with the excluded individual.
The OIG provides an in-depth review of the effects of exclusion in its Updated Special Advisory Bulletin on the Effect of Exclusions from Participation in Federal Health Programs. The Bulletin sets forth the following specific instances where payment of items and services are prohibited with Federal health care program funds:
In addition to the scenarios listed above, the Bulletin provides additional clarification on the effect of an OIG exclusion. The Bulletin states that the payment prohibition applies to all methods of Federal health care program payment, whether from itemized claims, cost reports, fee schedules, a prospective payment system or bundled payment, or other payment system and applies even if the payment is made to a State agency or a person that is not excluded.
There are limited exceptions. The OIG Special Advisory Bulletins explains and clarifies the situations where a health care provider who receives funds from a Federal health care program may employ an excluded individual. In short, an entity that receives Federal health care funding may employ an excluded individual where the provider is both able to pay the individual exclusively with private funds or from other non-Federal funding sources and where the services furnished by the excluded individual relate solely to non-Federal program patients.
The Bulletin also provides the following guidance regarding the circumstances under which an excluded person may be employed by, or contract with, a provider that receives payments from Federal healthcare programs:
The Bulletins require that the excluded individual and Federal funds never overlap. In an effort to keep health care providers from CMP liability, the Bulletins set forth a number of situations where employment of an excluded individual could lead to CMP liability.
One of the most important things to understand about exclusion screening are differences between the exclusion databases and where they are located. At the federal level, exclusions can be found on the Office of Inspector General’s List of Excluded Individuals and Entities (LEIE) as well as the GSA SAM.gov exclusion database, which contains exclusion records for many industries. In addition to this, the majority of states also have their own Medicaid exclusion lists. All of these exclusion lists need to be individually cross-checked and monitored on a monthly basis in order to remain compliant. What makes this process even more difficult is that not all of them share the same data with the OIG nor with each other.Exclusion screening software can help you perform exclusion list cross-checks daily, monthly, or at any schedule that fits your company’s needs.
The List of Excluded Individuals and Entities (LEIE) is a list of all individuals and entities currently excluded by the OIG. The LEIE is available to the public and can be easily searched using the name of employees or entities. Once individuals or entities are reinstated, they are immediately removed from the LEIE. LEIE searches can be performed using the OIG’s Online Searchable Database or by downloading the LEIE Downloadable Database.
Searching the LEIE is important because health care providers who hire an individual on the LEIE may be subject to civil monetary penalties (CMP). Under the CMP authority, providers may face CMP exposure if they submit claims to a Federal health care program for items or services provided, directly or indirectly, by excluded individuals. CMP liability applies to all of the following: direct patient care, indirect patient care, administrative and management services, and items or services furnished at the medical direction or on the prescription of an excluded person when the person furnishing the services either knows or should know of the exclusion. In order to avoid CMP liability, health care entities must routinely check the LEIE to ensure that potential and current employees are not excluded.
The LEIE is available in two formats:
Profile updates (changes to information on specific excluded individuals and entities) are also available on the Downloadable Database file web page.
The Downloadable Database does not contain SSNs or EINs. Therefore, verification of specific individuals or entities through the use of the SSN or EIN must be done via the Online Searchable Database.
Best Practices for Using the OIG’s List of Excluded Individuals and Entities
The GSA or General Services Administration, is the federal entity that excludes companies and individuals from receiving federal contracts. In addition to being excluded at the OIG LEIE, an individual or entity can also be debarred or sanctioned at the GSA SAM which includes the Excluded Parties List System (EPLS). GSA administers EPLS and SAM, both of which contain debarment actions taken by various federal agencies, including exclusion actions taken by the OIG.
The SAM system includes individuals and entities found on the OIG exclusion list, and it is necessary for health care organizations to continually check this database. SAM’s purpose is to prevent companies from doing business with an individual or entity that have been debarred, sanctioned or excluded by a federal agency. The SAM data is populated by other federal agencies and it is designed to provide one single search for such actions. However, SAM does not have any direct authority to fine a company if it does business with an individual or entity that is on their list.
To verify if an individual or entity is listed as excluded on the SAM database, it is necessary to enter the following information:
Individuals are not assigned DUNS numbers. To check for an exclusion for an individual, it is necessary to type in the name.
Exclusion Monitoring Checklist
Key things to remember about state and federal health care program exclusions:
What Lists to Monitor
Required: OIG LEIE
Recommended: SAM.gov and State Exclusion Lists
How often to Check OIG LEIE
Initial check before hire
Who to Monitor
Required: Physicians, Employees, Vendors, Referring Physicians
State Medicaid Sanction Lists
While getting on the OIG’s list of excluded individuals can pose some serious problems for personal credibility and financial stability, it is not an irreversible situation.
At the end of OIG exclusion term, the affected provider needs to apply for reinstatement to receive an authorized notice from the OIG stating the request was granted. Excluded providers may only begin the process of reinstatement 90 days before the end of the excluded period. Premature requests for reinstatement will not be considered, so it is important to be careful when to apply.
The reinstatement process typically requires up to 120 days to complete, but can take longer. If the OIG grants the written request for reinstatement followed by a notice in writing, individuals or entities are taken off the list. However, it is advisable to double-check if this is the case.
If the OIG denies written request for reinstatement, individuals or entities may apply again and redo the whole process after one year.
While the process of reinstatement can be long and complicated, following the established procedures in order and at the right point in time can effectively result in getting off of the OIG exclusion list. It is important to follow directions, fill out the forms in their entirety, and not apply before 90 days prior to the end of excluded term.
If a provider or entity is excluded by both a State Medicaid exclusion authority and the OIG LEIE, then they need to apply for reinstatement at both separately. The State Medicaid exclusion authorities do not remove an individual from the State list just because they have been removed from the OIG LEIE. Even if the reason the OIG added the individual to the LEIE was due to the State Medicaid exclusion, the reinstatement by the OIG has no effect on the separate State Medicaid exclusion and vice versa.
After being removed from the OIG list of excluded individuals, individuals or entities need to reapply for the federal healthcare services they need. The federal government does not have a system that automatically notifies healthcare providers of the removal from the OIG exclusion list. Furthermore, it is important to check state’s databases to ensure that removal from the exclusion list is complete.
Healthcare licensing boards may approve individuals or entities for services by issuing them a provider number, but their services cannot be used until reinstatement is official. If individuals or entities submit forms incorrectly or provide inaccurate documentation to the OIG office, their reinstatement may be cancelled. This cancellation is not permanent, but they would have to wait one year before restarting the reinstatement process.
An excluded provider or entity can apply at a certain point for reinstatement to be removed from the OIG LEIE list. However, it is not automatic and can be denied if it is prematurely requested. If a provider’s exclusion term has expired, there is a defined protocol to apply for reinstatement at the OIG site. Also, if the provider is excluded separately at a State exclusion authority, they must separately apply for reinstatement there. The OIG reinstatement is not the same as reinstatement by or at a State Medicaid exclusion authority.
Providers that employ or contract with individuals or entities that such provider knows or should know are excluded from participation in federal health care programs may be subject to different penalties.
The OIG assesses civil fines and monetary penalties.
The penalties for allowing services to be performed by an excluded individual or entity can include:
In the Updated Special Advisory Bulletin on the Effect of Exclusion from Participation in Federal Health Care Programs, the OIG provided specific guidance to the healthcare industry on the frequency of screening employees and contractors to determine whether they are excluded persons. While noting that there is no statutory or regulatory requirement to check the OIG LEIE, and that providers may decide how frequently to check it, the OIG confirmed that it updates the LEIE monthly, so screening employees and contractors each month best minimizes potential overpayment and CMP liability.
The OIG does not issue individual warnings or notifications regarding excluded individuals. Employers are required to search the Federal exclusions database and SAM.gov, as well as each individual state’s Exclusion Database, to verify the status of each one of their employees. In addition to this, various states require additional searches as well.
The employer inputs the employee’s (or potential hire’s) name and date of birth into the database. The database returns a list of potential matches, including individuals with similar names. The employer must then independently verify whether or not the employee in question is the same person as the excluded individual. Employers are also required to check all versions of each employee’s name, including maiden names, combined names and name diminutives.
Although the OIG maintains its own database of excluded individuals, individual states may exclude individuals for reasons other than the ones cited by Federal law, without immediately reporting to the OIG or to the other states. The only way for employers to ensure compliance with the mandated requirement is to conduct a nationwide search every month.Exclusion screening software can simplify the screening process considerably by making the detection process cheaper, faster, and more reliable and allowing users to stay ahead of the stringent compliance standards.
Given the penalties, potential repayments, and recent government warnings, providers should do the following to protect against liability for doing business with an excluded individual or entity:
In order to guide healthcare organizations in the process of achieving effective compliance, the OIG released a resource document to help healthcare organizations measure the effectiveness of their compliance programs.
The guide, titled Measuring Compliance Program Effectiveness: A Resource Guide and published March 27, 2017, is the product of a roundtable discussion involving OIG staff and compliance professionals. Their goal was to provide metrics for measuring compliance program effectiveness that would be helpful to a wide range of healthcare organizations differing in size, operational complexity, industry sectors, and resources.
While the Resource Guide lists over 400 individual compliance program metrics, its authors emphasize that it is not meant to be a checklist or applied in its entirety. Rather, healthcare organizations should treat the Resource Guide as an idea bank from which they can select those metrics most suited to their needs, resources, and risks.
The Resource Guide is divided into seven sections and each one contains suggestions for what to measure to evaluate the effectiveness of an organization’s compliance program and how to measure those standards.
The Guide highlights the importance of having the relevant policies and procedures in place to form the structure of an organization’s compliance program. The metrics focus on basic compliance functions, including measuring employees’ access to the policies, implementing internal processes for periodically reviewing the policies, assessing the quality and applicability of the policies, maintaining an organizational code of conduct, and ensuring an organization-wide understanding of compliance policies and procedures.
A key component of an effective compliance program is a well-functioning administration that involves everyone in compliance processes. The metrics highlighted in this section offer ideas to judge the effectiveness of an organization’s board of directors, compliance committees, compliance officer, compliance staff, and general culture of compliance.
This section includes ideas for measuring how well organizations evaluate employees, vendors, and affiliated individuals for possible exclusion and conflicts of interest, and whether the organization has a plan for responding to these issues. The metrics remind organizations that an effective compliance program concerns not only the organization’s own employees, but also the organization’s third-party vendors, agents, and affiliated individuals.
The Guide provides organizations with tools to measure whether individuals receive effective job-appropriate training, whether the organization’s governing body is adequately trained in compliance efforts, and whether that training is updated with necessary regulatory changes or compliance failures. There are also ideas on how to measure whether an organization has established a culture of compliance.
This section contains metrics that an organization may use to evaluate whether its processes for monitoring violations of laws and regulations, its internal reporting system for noncompliance, and its routine risk assessments and compliance audits are effective. It also highlights the importance of an organization’s response to compliance audits or instances of noncompliance, including corrective action plans.
The Resource Guide provides several metrics that organizations will find helpful in analyzing whether employees understand the consequences for noncompliance and whether the discipline imposed in instances of noncompliance is consistent across the organization. The questions in this section also help organizations assess whether incentive and promotion criteria are appropriately aligned with the organization’s compliance concerns.Exclusion screening best practices call for minimum monthly screening of all individuals and entities that a provider does business with. Fully integrated platform simplifies this entire process, provides high efficiency, and ensures full compliance with the lowest screening cost.
This section includes metrics that organizations may use to evaluate the effectiveness of compliance investigations, including the independence and competence of the investigators, communication regarding investigations, and whether the organization responds appropriately to compliance concerns.
The Resource Guide represents the most thorough presentation of the OIG’s thinking on compliance program evaluations. As such, it can be used as a starting point for healthcare compliance program assessment tools, regardless of the type of organization conducting the evaluation.
OIG Compliance Law
With health care regulations in a constant state of change, compliance now takes more effort than ever. To avoid the potentially crippling fines associated with exclusion screening, organizations need to stay up to date with the latest rules and regulations. There is no time like the present to review current risk management program and to ensure regular exclusion monitoring.
As the OIG continues to broaden and expand its exclusion authority, healthcare organizations not actively seeking updates to regulatory requirements and exclusion lists can easily become non-compliant. Therefore, it is of utmost importance to monitor all employees and entities regularly and self-disclose any exclusions to the OIG to reduce penalties.
Screening and monitoring large healthcare populations of employees, vendors, and all of the entities in between, can seem to be a daunting task. However, this cannot be avoided because healthcare providers have a duty to screen prospective and current employees against all exclusion databases. What can be avoided are fines and violations. Exclusion screening technology makes it easy to maintain compliance with the OIG, GSA SAM and other state exclusion and sanction cross-checking lists. With reliable, automated exclusion screening it is possible to both save time and maintain compliance.The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document.We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, re-transmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.