OIG Draft Supplemental Compliance Program Guidance for Hospitals

AGENCY:

Office of Inspector General (OIG), HHS.

ACTION:

Notice and comment period.

SUMMARY:

This Federal Register notice seeks the comments of interested parties on a draft supplemental compliance program guidance (CPG) for hospitals developed by the Office of Inspector General (OIG). When the final version of this document is published, it will supplement the OIG's prior compliance program guidance for hospitals issued in 1998. This draft contains new compliance recommendations and an expanded discussion of risk areas. The draft takes into account recent changes to hospital payment systems and regulations, evolving industry practices, current enforcement priorities, and lessons learned in the area of corporate compliance. When published, the final supplemental CPG will provide voluntary guidelines to assist hospitals and hospital systems in identifying significant risk areas and in evaluating and, as necessary, refining ongoing compliance efforts.

DATES:

To ensure consideration, comments must be delivered to the address provided below by no later than 5 p.m. on July 23, 2004.

ADDRESSES:

Please mail or deliver written comments to the following address: Office of Inspector General, Department of Health and Human Services, Attention: OIG-9-CPG, Room 5246, Cohen Building, 330 Independence Avenue, SW., Washington, DC 20201.

We do not accept comments by facsimile (FAX) transmission. In commenting, please refer to file code OIG-9-CPG. Comments received timely will be available for public inspection as they are received, generally beginning approximately 2 weeks after publication of a document, in Room 5541 of the Office of Inspector General at 330 Independence Avenue, SW., Washington, DC 20201 on Monday through Friday of each week from 8 a.m. to 4:30 p.m.

FOR FURTHER INFORMATION CONTACT:

Darlene M. Hampton or Paul Johnson, Office of Counsel to the Inspector General, (202) 619-0335.

SUPPLEMENTARY INFORMATION:

Background

Several years ago, the OIG embarked on a major initiative to engage the private health care community in preventing the submission of erroneous claims and in combating fraud and abuse in the Federal health care programs through voluntary compliance efforts. In the last several years, the OIG has developed a series of compliance program guidances (CPGs) directed at the following segments of the health care industry: Hospitals; clinical laboratories; home health agencies; third-party billing companies; the durable medical equipment, prosthetics, orthotics, and supply industry; hospices; Medicare+Choice organizations; nursing facilities; physicians; ambulance suppliers; and pharmaceutical manufacturers. CPGs are intended to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements. The suggestions made in these CPGs are not mandatory, and the CPGs should not be viewed as exhaustive discussions of beneficial compliance practices or relevant risk areas. Copies of these CPGs can be found on the OIG webpage at http://oig.hhs.gov.

Supplementing the Compliance Program Guidance for Hospitals

The OIG originally published a CPG for the hospital industry on February 23, 1998. Since that time, there have been significant changes in the way hospitals deliver, and are reimbursed for, health care services. In response to these developments, on June 18, 2002, the OIG published a notice in the Federal Register, titled a “Solicitation of Information and Recommendations for Revising the Compliance Program Guidance for the Hospital Industry.” The OIG received 11 comments from various interested parties. In light of the public comments and our consideration of the issues, we have decided to supplement, rather than revise, the 1998 guidance.

Many public commenters sought guidance on the application of specific Medicare rules and regulations related to payment and coverage, an area beyond the scope of this OIG guidance. Hospitals with questions about the interpretation or application of payment and coverage rules or regulations should contact their Fiscal Intermediaries (FIs) or the national CMS office, as appropriate.

To ensure full and meaningful input from the industry, we are publishing this supplemental CPG in draft form with a 45-day comment period. We will then review the comments and publish a final supplemental CPG.

Draft Supplemental Compliance Program Guidance for Hospitals

I. Introduction

Continuing its efforts to promote voluntary compliance programs for the health care industry, the Office of Inspector General (OIG) of the Department of Health and Human Services (the Department) publishes this Supplemental Compliance Program Guidance for Hospitals. This document supplements, rather than replaces, the OIG's 1998 CPG for the hospital industry, 63 FR 8987 (February 23, 1998), which addressed the fundamentals of establishing an effective compliance program. Neither this supplemental CPG, nor the original 1998 CPG, is a model compliance program. Rather, collectively the two documents offer a set of guidelines that hospitals should consider when developing and implementing a new compliance program or evaluating an existing one.

We are mindful that many hospitals have already devoted substantial time and resources to compliance efforts. We believe that those efforts demonstrate the industry's good faith commitment to ensuring and promoting integrity. For those hospitals with existing compliance programs, this document may serve as a benchmark or comparison against which to measure ongoing efforts and as a roadmap for updating or refining their compliance plans.

In crafting this CPG, we considered, among other things, the public comments received in response to the solicitation notice published in the Federal Register, as well as relevant OIG and Centers for Medicare & Medicaid Services (CMS) statutory and regulatory authorities (including the Federal anti-kickback statute, together with the safe harbor regulations and preambles, and CMS transmittals and program memoranda); other OIG guidance (such as OIG advisory opinions, Special Fraud Alerts, bulletins, and other guidance); experience gained from investigations conducted by the OIG's Office of Investigations, the Department of Justice, and the State Medicaid Fraud Units; and relevant reports issued by the OIG's Office of Audit Services and Office of Evaluation and Inspections. We also consulted generally with CMS, the Department's Office for Civil Rights, and the Department of Justice.

A. Benefits of a Compliance Program

A successful compliance program addresses the public and private sectors' mutual goals of reducing fraud and abuse; enhancing health care providers' operations; improving the quality of health care services; and reducing the overall cost of health care services. Attaining these goals benefits the hospital industry, the government, and patients alike. Compliance programs help hospitals fulfill their legal duty to refrain from submitting false or inaccurate claims or cost information to the Federal health care programs or engaging in other illegal practices. A hospital may gain important additional benefits by voluntarily implementing a compliance program, including:

• Demonstrating the hospital's commitment to honest and responsible corporate conduct;
• increasing the likelihood of preventing, identifying, and correcting unlawful and unethical behavior at an early stage;
• encouraging employees to report potential problems to allow for appropriate internal inquiry and corrective action; and
• through early detection and reporting, minimizing any financial loss to government and taxpayers, as well as any corresponding financial loss to the hospital.

The OIG recognizes that implementation of a compliance program may not entirely eliminate improper or unethical conduct from the operations of health care providers. However, an effective compliance program demonstrates a hospital's good faith effort to comply with applicable statutes, regulations, and other Federal health care program requirements, and may significantly reduce the risk of unlawful conduct and corresponding sanctions.

B. Application of Compliance Program Guidance

Given the diversity of the hospital industry, there is no single “best” hospital compliance program. The OIG recognizes the complexities of the hospital industry and the differences among hospitals and hospital systems. Some hospital entities are small and may have limited resources to devote to compliance measures; others are affiliated with well-established, large, multi-facility organizations with a widely dispersed work force and significant resources to devote to compliance.

Accordingly, this supplemental CPG is not intended to be one-size-fits-all guidance. Rather, the OIG strongly encourages hospitals to identify and focus their compliance efforts on those areas of potential concern or risk that are most relevant to their individual organizations. Compliance measures adopted by a hospital to address identified risk areas should be tailored to fit the unique environment of the organization (including its structure, operations, resources, and prior enforcement experience). In short, the OIG recommends that each hospital adapt the objectives and principles underlying this guidance to its own particular circumstances.

In section II below, titled “Fraud and Abuse Risk Areas,” we present several fraud and abuse risk areas that are particularly relevant to the hospital industry. Each hospital should carefully examine these risk areas and identify those that potentially impact the hospital. Next, in section III, “Hospital Compliance Program Effectiveness,” we offer recommendations for assessing and improving an existing compliance program to better address identified risk areas. Finally, in section IV, “Self-Reporting,” we set forth the actions hospitals should take if they discover credible evidence of misconduct.

II. Fraud and Abuse Risk Areas

This section is intended to help hospitals identify areas of their operations that present a potential risk of liability under several key Federal fraud and abuse statutes and regulations. This section focuses on areas that are currently of concern to the enforcement community and is not intended to address all potential risk areas for hospitals. Importantly, the identification of a particular practice or activity in this section is not intended to imply that the practice or activity is necessarily illegal in all circumstances or that it may not have a valid or lawful purpose underlying it.

This section addresses the following areas of significant concern for hospitals: (A) Submission of accurate claims and information; (B) the referral statutes; (C) payments to reduce or limit services; (D) the Emergency Medical Treatment and Labor Act (EMTALA); (E) substandard care; (F) relationships with Federal health care program beneficiaries; (G) HIPAA Privacy and Security Rules; and (H) billing Medicare or Medicaid substantially in excess of usual charges. In addition, a final section (I) addresses several areas of general interest that, while not necessarily matters of significant risk, have been of continuing interest to the hospital community. This guidance does not create any new law or legal obligations, and the discussions in this guidance are not intended to present detailed or comprehensive summaries of lawful and unlawful activity. Nor is this guidance intended as a substitute for consultation with CMS or a hospital's Fiscal Intermediary (FI) with respect to the application and interpretation of Medicare payment and coverage provisions, which are subject to change. Rather, this guidance should be used as a starting point for a hospital's legal review of its particular practices and for development or refinement of policies and procedures to reduce or eliminate potential risk.

A. Submission of Accurate Claims and Information

Perhaps the single biggest risk area for hospitals is the preparation and submission of claims or other requests for payment from the Federal health care programs. It is axiomatic that all claims and requests for reimbursement from the Federal health care programs—and all documentation supporting such claims or requests—must be complete and accurate and must reflect reasonable and necessary services ordered by an appropriately licensed medical professional who is a participating provider in the health care program from which the individual or entity is seeking reimbursement. Hospitals must disclose and return any overpayments that result from mistaken or erroneous claims. Moreover, the knowing submission of a false, fraudulent, or misleading statement or claim is actionable. A hospital may be liable under the False Claims Act or other statutes imposing sanctions for the submission of false claims or statements, including liability for civil monetary penalties or exclusion. Underlying assumptions used in connection with claims submission should be reasoned, consistent, and appropriately documented, and hospitals should retain all relevant records reflecting their efforts to comply with Federal health care program requirements.

Common and longstanding risks associated with claims preparation and submission include inaccurate or incorrect coding, upcoding, unbundling of services, billing for medically unnecessary services or other services not covered by the relevant health care program, billing for services not provided, duplicate billing, insufficient documentation, and false or fraudulent cost reports. While hospitals should continue to be vigilant with respect to these important risk areas, we believe these risk areas are relatively well-understood in the industry and, therefore, they are not generally addressed in this section. Rather, the following discussion highlights evolving risks or risks that appear to the OIG to be under-appreciated by the industry. The risks are grouped under the following topics: Outpatient procedure coding; admissions and discharges; supplemental payment considerations; and use of information technology. By necessity, this discussion is illustrative, not exhaustive, of risks associated with the submission of claims or other information. In all cases, hospitals should consult the applicable laws, rules, and regulations.

1. Outpatient Procedure Coding

The implementation of Medicare's Hospital Outpatient Prospective Payment System (OPPS) increased the importance of accurate procedure coding for hospital outpatient services. Previously, hospital coding concerns mainly consisted of ensuring accurate ICD-9-CM diagnosis and procedure coding for reimbursement under the inpatient prospective payment system (PPS). Hospitals reported procedure codes for outpatient services, but were reimbursed for outpatient services based on their charges for services. With OPPS, procedure codes effectively became the basis for Medicare reimbursement. Under OPPS, each reported procedure code is assigned to a corresponding Ambulatory Payment Classification (APC) code. Hospitals are then reimbursed a predetermined amount for each APC, irrespective of the specific level of resources used to furnish the service. In implementing OPPS, CMS developed new rules governing the use of procedure code modifiers for outpatient coding. Because incorrect procedure coding may lead to overpayments and subject a hospital to liability for the submission of false claims, hospitals need to pay close attention to coder training and qualifications.

Hospitals should also review their outpatient documentation practices to ensure that claims are based on complete medical records and that the medical record supports the level of service claimed. Under OPPS, hospitals must generally include on a single claim all services provided to the same patient on the same day. Coding from incomplete medical records may create problems in complying with this claim submission requirement. Moreover, submitting claims for services that are not supported by the medical record may also result in the submission of improper claims.

In addition to the coding risk areas noted above and in the 1998 hospital CPG, other specific risk areas associated with incorrect outpatient procedure coding include the following:

• Billing on an outpatient basis for “inpatient-only” procedures—CMS has identified several procedures for which reimbursement is typically allowed only if the service is performed in an inpatient setting.

• Submitting claims for medically unnecessary services by failing to follow the FI's local medical review policies—Each FI publishes local medical review policies (LMRPs) that identify certain procedures that may only be rendered when specific conditions are present. In addition to relying on a physician's sound clinical judgment with respect to the appropriateness of a proposed course of treatment, hospitals should regularly review and become familiar with their individual FI's LMRPs. LMRPs should be incorporated into a hospital's regular coding and billing operations.

• Submitting duplicate claims or otherwise not following the National Correct Coding Initiative guidelines—CMS developed the National Correct Coding Initiative (NCCI) to promote correct coding methodologies. NCCI identifies certain codes that should not be used together because they are either mutually exclusive or one is a component of another. If a hospital uses code pairs that are listed in the NCCI and those codes are not detected by the editing routines in the hospital's billing system, the hospital may submit duplicate or unbundled claims. Intentional manipulation of code assignments to maximize payments and avoid NCCI edits constitutes fraud. Unintentional misapplication of the NCCI coding and billing guidelines may also give rise to overpayments or civil liability for hospitals that have developed a pattern of inappropriate billing. To minimize risk, hospitals should ensure that their coding software includes up-to-date NCCI edit files.

• Submitting incorrect claims for ancillary services because of outdated Charge Description Masters—Charge Description Masters (CDMs) list all of the hospital's charges for items and services and include the underlying procedure codes necessary to bill for those items and services. Outdated CDMs create significant compliance risk for hospitals. Because the Healthcare Common Procedure Coding System (HCPCS) codes and APCs are updated regularly, hospitals should pay particular attention to the task of updating the CDM to ensure the assignment of correct codes to outpatient claims. This should include timely updates, proper use of modifiers, and correct associations between procedure codes and revenue codes.

• Circumventing the multiple procedure discounting rules—A surgical procedure performed in connection with another surgical procedure may be discounted. However, certain surgical procedures are designated as non-discounted, even when performed with another surgical procedure. Hospitals should ensure that the procedure codes selected represent the actual services provided, irrespective of the discounting status. They should also review the annual OPPS rule update to understand more fully CMS's multiple procedure discounting rule.

• Failing to follow CMS instructions regarding the selection of proper evaluation and management codes—Hospitals should take steps to ensure that the evaluation and management (E/M) codes that are used to describe medical services provided to patients follow published CMS guidelines.

• Improperly billing for observation services—In certain circumstances, Medicare provides a separate APC payment for observation services for patients with diagnoses of chest pain, asthma, or congestive heart failure. Claims for these observation services must correctly reflect the diagnosis and meet certain other requirements. Billing for observation services in situations that do not satisfy the requirements is inappropriate and may result in hospital liability. Hospitals should develop, and become familiar with, CMS's detailed policies for the submission of claims for observation services.

2. Admissions and Discharges

Often, the status of patients at the time of admission or discharge significantly influences the amount and method of reimbursement hospitals receive. Therefore, hospitals have a duty to ensure that admission and discharge policies are updated and reflect current CMS rules. Risk areas with respect to the admission and discharge processes include the following:

• Failure to follow the “same-day rule”—OPPS rules require hospitals to include on the same claim all OPPS services provided at the same hospital, to the same patient, on the same day, unless certain conditions are met. Hospitals should review internal billing systems and procedures to ensure that they are not submitting multiple claims for OPPS services delivered to the same patient on the same day.

• Abuse of partial hospitalization payments—Under OPPS, Medicare provides a per diem payment for specific hospital services rendered to behavioral and mental health patients on a partial hospitalization basis. Examples of improper billing under the partial hospitalization program include, without limitation: reducing the range of services offered; withholding services that are medically appropriate; billing for services not covered; and billing for services without a certificate of medical necessity.

• Same-day discharges and readmissions—Same-day discharges and readmissions may indicate premature discharges, medically unnecessary readmissions, or incorrect discharge coding. Hospitals should have procedures in place to review discharges and admissions carefully to ensure that they reflect prudent clinical decision-making and are properly coded.

• Violation of Medicare's post-acute care transfer policy—The post-acute care transfer policy provides that, for certain designated DRGs, a hospital will receive a per diem transfer payment, rather than the full DRG payment, if the patient is discharged to certain post-acute care settings. There are currently 29 DRGs that are subject to CMS's post-acute care transfer policy; however, CMS may revise the list of designated DRGs periodically. To avoid improperly billing for discharges, hospitals should pay particular attention to CMS's post-acute care transfer policy and keep an accurate list of all designated DRGs subject to that policy.

• Improper churning of patients by long-term care hospitals co-located in acute care hospitals—Long term care hospitals that are co-located within acute care hospitals may qualify for PPS-exempt status if certain regulatory requirements are satisfied. Hospitals should not engage in the practice of churning, or inappropriately transferring, patients between the host hospital and the hospital-within-a-hospital.

3. Supplemental Payment Considerations

Under the Medicare program, in certain limited situations, hospitals may claim payments in addition to, or in some cases in lieu of, the normalreimbursement available to hospitals under the regular payment systems. Eligibility for these payments depends on compliance with specific criteria. Hospitals that claim supplemental payments improperly are liable for fines and penalties under Federal law. Examples of specific risks that hospitals should address include the following:

• Improper reporting of the costs of “pass-through” items—“Pass-through” items are certain items of new technology and drugs for which Medicare will reimburse the hospital based on costs during a limited transitional period.

• Abuse of DRG outlier payments—Recent investigations revealed substantial abuse of outlier payments by hospitals with Medicare patients. Hospital management, compliance staff, and counsel should familiarize themselves with CMS's new outlier rules and requirements intended to curb abuses.

• Improper claims for incorrectly designated “provider-based” entities—Certain hospital-affiliated entities and clinics can be designated as “provider-based,” which allows for a higher level of reimbursement for certain services. Hospitals should take steps to ensure that facilities or organizations are only designated as provider-based if they satisfy the criteria set forth in the regulations.

• Improper claims for clinical trials—Since September 2000, Medicare has covered items and services furnished during certain clinical trials, as long as those items and services would typically be covered for Medicare beneficiaries, but for the fact that they are provided in an experimental or clinical trial setting. Hospitals that participate in clinical trials should review the requirements for submitting claims for patients participating in clinical trials.

• Improper claims for organ acquisition costs-Hospitals that are approved transplantation centers may receive reimbursement on a reasonable cost basis to cover the costs of acquisition of certain organs. Organ acquisition costs are only reimbursable if a hospital satisfies several requirements, such as having adequate cost information, supporting documentation, and supporting medical records. Hospitals must also ensure that expenses not related to organ acquisition, such as transplant and post-transplant activities and costs from other cost centers, are not included in the hospital's organ acquisition costs.

• Improper claims for cardiac rehabilitation services—Medicare covers reasonable and necessary cardiac rehabilitation services under the hospital “incident-to” benefit, which requires that the services of non-physician personnel be furnished under a physician's direct supervision. In addition to satisfying the supervision requirement, hospitals must ensure that cardiac rehabilitation services are reasonable and necessary.

• Failure to follow Medicare rules regarding payment for costs related to educational activities —Hospitals should pay particular attention to these rules when implementing dental or other education programs, particularly those not historically operated at the hospital.

4. Use of Information Technology

The implementation of the OPPS increased the need for hospitals to pay particular attention to their computerized billing, coding, and information systems. Billing and coding under the OPPS is more data intensive than billing and coding under the inpatient PPS. When the OPPS began, many hospitals' existing systems were unable to accommodate the new requirements and required adjustments.

As the health care industry moves forward, hospitals will increasingly rely on information technology. For example, HIPAA Privacy and Security Rules (discussed below in section II.G), electronic claims submission, electronic prescribing, networked information sharing among providers, and systems for the tracking and reduction of medical errors, among others, will require hospitals to depend more on information technologies. Information technology presents new opportunities to advance health care efficiency, but also new challenges to ensuring the accuracy of claims and the information used to generate claims. It is often difficult for purchasers of computer systems and software to know exactly how the system operates and generates information. Prudent hospitals will take steps to ensure that they thoroughly assess all new computer systems and software that impact coding, billing, or the generation or transmission of information related to the Federal health care programs or their beneficiaries.

B. The Referral Statutes: The Physician Self-Referral Law (the “Stark” Law) and the Federal Anti-Kickback Statute

1. The Physician Self-Referral Law

From a hospital compliance perspective, the physician self-referral law (section 1877 of the Social Security Act (Act), commonly known as the “Stark” law) should be viewed as a threshold statute. Simply put, hospitals face significant financial exposure unless their financial relationships with referring physicians fit squarely in statutory or regulatory exceptions to the statute. The statute prohibits hospitals from submitting—and Medicare from paying—any claim for a “designated health service” (DHS) if the referral of the DHS comes from a physician with whom the hospital has a prohibited financial relationship. This is true even if the prohibited financial relationship is the result of inadvertence or error. In addition, hospitals and physicians that knowingly violate the statute may be subject to civil monetary penalties and exclusion from the Federal health care programs. Under certain circumstances, a knowing violation of the Stark law may also give rise to liability under the False Claims Act. Because all inpatient and outpatient hospital services (including services furnished directly by a hospital or by others “under arrangements” with a hospital) are DHS under the statute, hospitals must diligently review all financial relationships with referring physicians for compliance with the Stark law.

For purposes of analyzing a financial relationship under the Stark law, the following three-part inquiry is useful:

• Is there a referral from a physician for a designated health service? If not, then there is no Stark law issue (although other fraud and abuse authorities, such as the anti-kickback statute, may be implicated). If the answer is “yes,” the next inquiry is:
• Does the physician (or an immediate family member) have a financial relationship with the entity furnishing the DHS (e.g., the hospital)? Again, if the answer is no, the Stark law is not implicated. However, if the answer is “yes,” the third inquiry is:
• Does the financial relationship fit in an exception? If not, the statute has been violated.

Detailed definitions of the highlighted terms (and others) are set forth in regulations at 42 CFR 411.351 through 411.361 (substantial additional explanatory material appears in the regulatory preambles to the final regulations: 66 FR 856 (January 4, 2001); 69 FR 16054 (March 26, 2004); and 69 FR 17933 (April 6, 2004)). Importantly, a financial relationship can be almost any kind of direct or indirect ownership or investment relationship (e.g., stock ownership, a partnership interest, or secured debt) or direct or indirect compensation arrangement, whether in cash or in-kind (e.g., a rental contract, personal services contract, salary, gift, or gratuity), between a referring physician (or immediate family member) and a hospital. Moreover, the financial relationship need not relate to the provision of DHS (e.g., a joint venture between a hospital and a physician to operate a hospice would create an indirect compensation relationship between the hospital and the physician for Stark law purposes).

The statutory and regulatory exceptions are the key to compliance with the Stark law. Any financial relationship between the hospital and a physician who refers to the hospital must fit in an exception. Exceptions exist in the statute and regulations for many common types of business arrangements. To fit in an exception, an arrangement must squarely meet all of the conditions set forth in the exception. Importantly, it is the actual relationship between the parties, and not merely the paperwork, that must fit in an exception. Unlike the anti-kickback safe harbors, which are voluntary, fitting in an exception is mandatory under the Stark law.

Compliance with a Stark law exception does not immunize an arrangement under the anti-kickback statute. Rather, the Stark law sets a minimum standard for arrangements between physicians and hospitals. Even if a hospital-physician relationship qualifies for a Stark law exception, it should still be reviewed for compliance with the anti-kickback statute. The anti-kickback statute is discussed in greater detail in the next subsection.

Because of the significant exposure for hospitals under the Stark law, we recommend that hospitals implement systems to ensure that all conditions in the exceptions upon which they rely are fully satisfied. For example, many of the exceptions, such as the rental and personal services exceptions, require signed, written agreements with physicians. We are aware of numerous instances in which hospitals failed to maintain these signed written agreements, often inadvertently (e.g., a holdover lease without a written lease amendment; a physician hired as an independent contractor for a short-term project without a signed agreement). To avoid a large overpayment, hospitals should ensure frequent and thorough review of their contracting and leasing processes. The final regulations contain a new limited exception for certain inadvertent, temporary instances of noncompliance with another exception. This exception may only be used on an occasional basis. Hospitals should be mindful that this exception is not a substitute for vigilant contracting and leasing oversight. In addition, hospitals should review the new reporting requirements at 42 CFR 411.361, which generally require hospitals to retain records that the hospitals know or should know about in the course of prudently conducting business. Hospitals should ensure that they have policies and procedures in place to address these requirements.

In addition, because many exceptions to the Stark law require fair market value compensation for items or services actually needed and rendered, hospitals should have appropriate processes for making and documenting reasonable, consistent, and objective determinations of fair market value and for ensuring that needed items and services are furnished or rendered. Other areas that may require careful monitoring include, without limitation, tracking the total value of non-monetary compensation provided annually to each referring physician, tracking the provision and value of medical staff incidental benefits, and monitoring the provision of professional courtesy. As discussed further in the anti-kickback section below, hospitals should exercise care when recruiting physicians. Importantly, while the final regulations contain a limited exception for certain joint recruiting by hospitals and existing group practices, the exception strictly forbids the use of income guarantees that shift group practice overhead or expenses to the hospital or any payment structure that otherwise transfers remuneration to the group practice.

Further information about the Stark law and applicable regulations can be found on CMS's webpage at http://cms.gov/medlearn/refphys.asp. Information regarding CMS's Stark advisory opinion process can be found at http://cms.gov/physicians/aop/default.asp.

2. The Federal Anti-Kickback Statute

Hospitals should also be aware of the Federal anti-kickback statute, section 1128B(b) of the Act, and the constraints it places on business arrangements related directly or indirectly to items or services reimbursable by any Federal health care program, including, but not limited to, Medicare and Medicaid. The anti-kickback statute prohibits in the health care industry some practices that are common in other business sectors, such as offering gifts to reward past or potential new referrals.

The anti-kickback statute is a criminal prohibition against payments (in any form, whether the payments are direct or indirect) made purposefully to induce or reward the referral or generation of Federal health care program business. The anti-kickback statute addresses not only the offer or payment of anything of value for patient referrals, but also the offer or payment of anything of value in return for purchasing, leasing, ordering, or arranging for or recommending the purchase, lease, or ordering of any item or service reimbursable in whole or in part by a Federal health care program. The statute extends equally to the solicitation or acceptance of remuneration for referrals or the generation of other business payable by a Federal health care program. Liability under the anti-kickback statute is determined separately for each party involved. In addition to criminal penalties, violators may be subject to civil monetary penalties and exclusion from the Federal health care programs. Hospitals should also be mindful that compliance with the anti-kickback statute is a condition of payment under Medicare and other Federal health care programs. See, e.g., Medicare Federal Health Care Provider/Supplier Application, CMS Form 855A, Certification Statement at section 15, paragraph A.3, available on CMS's webpage at http://www.cms.gov/providers/enrollment/forms/. As such, liability may arise under the False Claims Act where the anti-kickback statute violation results in the submission of a claim for payment under a Federal health care program.

Although liability under the anti-kickback statute ultimately turns on a party's intent, it is possible to identify arrangements or practices that may present a significant potential for abuse. For purposes of analyzing an arrangement or practice under the anti-kickback statute, the following two inquiries are useful:

• Does the hospital have any remunerative relationship between itself (or its affiliates or representatives) and persons or entities in a position to generate Federal health care program business for the hospital (or its affiliates) directly or indirectly? Persons or entities in a position to generate Federal health care program business for a hospital include, for example, physicians and other health care professionals, ambulance companies, clinics, hospices, home health agencies, nursing facilities, and other hospitals.
• With respect to any remunerative relationship so identified, could one purpose of the remuneration be to induce or reward the referral or recommendation of business payable in whole or in part by a Federal health care program? Importantly, under the anti-kickback statute, neither a legitimate business purpose for the arrangement, nor a fair market value payment, will legitimize a payment if there is also an illegal purpose (i.e., inducing Federal health care program business).

Although any arrangement satisfying both tests implicates the anti-kickback statute and requires careful scrutiny by a hospital, the courts have identified several potentially aggravating considerations that can be useful in identifying arrangements at greatest risk of prosecution. In particular, hospitals should ask the following questions, among others, about any potentially problematic arrangements or practices they identify:

• Does the arrangement or practice have a potential to interfere with, or skew, clinical decision-making?
• Does the arrangement or practice have a potential to increase costs to Federal health care programs, beneficiaries, or enrollees?
• Does the arrangement or practice have a potential to increase the risk of overutilization or inappropriate utilization?
• Does the arrangement or practice raise patient safety or quality of care concerns?

Hospitals that have identified potentially problematic arrangements or practices can take a number of steps to reduce or eliminate the risk of an anti-kickback violation. Detailed guidance relating to a number of specific practices is available from several sources. Most importantly, the anti-kickback statute and the corresponding regulations establish a number of “safe harbors” for common business arrangements. The following safe harbors are of most relevance to hospitals:

• Investment interests safe harbor, 42 CFR 1001.952(a),
• space rental safe harbor, 42 CFR 1001.952(b),
• equipment rental safe harbor, 42 CFR 1001.952(c),
• personal services and management contracts safe harbor, 42 CFR 1001.952(d),
• sale of practice safe harbor, 42 CFR 1001.952(e),
• referral services safe harbor, 42 CFR 1001.952(f),
• discount safe harbor, 42 CFR 1001.952(h),
• employment safe harbor, 42 CFR 1001.952(i),
• group purchasing organizations safe harbor, 42 CFR 1001.952(j),
• waiver of beneficiary coinsurance and deductible amounts safe harbor, 42 CFR 1001.952(k),
• practitioner recruitment safe harbor, 42 CFR 1001.952(n),
• obstetrical malpractice insurance subsidies safe harbor, 42 CFR 1001.952(o),
• cooperative hospital services organizations safe harbor, 42 CFR 1001.952(q),
• ambulatory surgical centers safe harbor, 42 CFR 1001.952(r),
• ambulance replenishing safe harbor, 42 CFR 1001.952(v), and
• safe harbors for certain managed care and risk sharing arrangements, 42 CFR 1001.952(m), (t), and (u).

Safe harbor protection requires strict compliance with all applicable conditions set out in the relevant safe harbor. Although compliance with a safe harbor is voluntary and failure to comply with a safe harbor does not mean an arrangement is illegal per se, we recommend that hospitals structure arrangements to fit in a safe harbor whenever possible. Arrangements that do not fit in a safe harbor must be evaluated on a case-by-case basis.

Other available guidance includes special fraud alerts and advisory bulletins issued by the OIG identifying and discussing particular practices or issues of concern and OIG advisory opinions issued to specific parties about their particular business arrangements. A hospital concerned about an existing or proposed arrangement may request a binding OIG advisory opinion regarding whether the arrangement violates the Federal anti-kickback statute or other OIG fraud and abuse authorities, using the procedures set out at 42 CFR part 1008. The safe harbor regulations (and accompanying Federal Register preambles), fraud alerts and bulletins, advisory opinions (and instructions for obtaining them, including a list of frequently asked questions), and other guidance are available on the OIG webpage at http://oig.hhs.gov.

The following discussion highlights several known areas of potential risk under the anti-kickback statute. The propriety of any particular arrangement can only be determined after a detailed examination of the attendant facts and circumstances. The identification of a given practice or activity as “suspect” or as an area of “risk” does not mean it is necessarily illegal or unlawful, or that it cannot be properly structured to fit in a safe harbor; nor does it mean that the practice or activity is not beneficial from a clinical, cost, or other perspective. Rather, the areas identified below are areas of activity that have a potential for abuse and that should receive close scrutiny from hospitals. The discussion highlights potential risks under the anti-kickback statute arising from hospitals' relationships in the following five categories: (a) Joint ventures; (b) compensation arrangements with physicians; (c) relationships with other health care entities; (d) recruitment arrangements; (e) discounts; (f) medical staff credentialing; and (g) malpractice insurance subsidies. (In addition, the kickback risks associated with gainsharing arrangements are discussed below in section II.C of this guidance).

Physicians are the primary referral source for hospitals, and, therefore, most of the discussion below focuses on hospitals' relationships with physicians. Notwithstanding, hospitals also receive referrals from other health care professionals, including physician assistants and nurse practitioners, and from other providers and suppliers (such as ambulance companies, clinics, hospices, home health agencies, nursing facilities, and other hospitals). Therefore, in addition to reviewing their relationships with physicians, hospitals should also review their relationships with non-physician referral sources to ensure that the relationships do not violate the anti-kickback statute. The principles described in the following discussions can be used to assess the risk associated with relationships with both physician and non-physician referral sources.

a. Joint Ventures

The OIG has a long-standing concern about joint venture arrangements between those in a position to refer or generate Federal health care program business and those providing items or services reimbursable by Federal health care programs. In the context of joint ventures, our chief concern is that remuneration from a joint venture might be a disguised payment for past or future referrals to the venture or to one or more of its participants. Such remuneration may take a variety of forms, including dividends, profit distributions, or, with respect to contractual joint ventures, the economic benefit received under the terms of the operative contracts.

When scrutinizing joint ventures under the anti-kickback statute, hospitals should examine the following factors, among others:

• The manner in which joint venture participants are selected and retained. If participants are selected or retained in a manner that takes into account, directly or indirectly, the value or volume of referrals, the joint venture is suspect. The existence of one or more of the following indicators suggests that there might be an improper nexus between the selection or retention of participants and the value or volume of their referrals:

—a substantial number of participants are in a position to make or influence referrals to the venture, other participants, or both;

—participants that are expected to make a large number of referrals are offered a greater or more favorable investment or business opportunity in the joint venture than those anticipated to make fewer referrals;

—participants are actively encouraged or required to make referrals to the joint venture;

—participants are encouraged or required to divest their ownership interest if they fail to sustain an “acceptable” level of referrals;

—the venture (or its participants) tracks its sources of referrals and distributes this information to the participants; or

—the investment interests are nontransferable or subject to transfer restrictions related to referrals.

• The manner in which the joint venture is structured. The structure of the joint venture is suspect if a participant is already engaged in the line of business to be conducted by the joint venture, and that participant will own all or most of the equipment, provide or perform all or most of the items or services, or take responsibility for all or most of the day-to-day operations. With this kind of structure, the co-participant's primary contribution is typically as a captive referral base.
• The manner in which the investments are financed and profits are distributed. The existence of one or more of the following indicators suggests that the joint venture may be a vehicle to disguise referrals:

—participants are offered investment shares for a nominal or no capital contribution;

—the amount of capital that participants invest is disproportionately small, and the returns on the investment are disproportionately large, when compared to a typical investment in a new business enterprise;

—participants are permitted to borrow their capital investments from another participant or from the joint venture, and to pay back the loan through deductions from profit distributions, thus eliminating even the need to contribute cash;

—participants are paid extraordinary returns on the investment in comparison with the risk involved; or

—a substantial portion of the gross revenues of the venture are derived from participant-driven referrals.

In light of the obvious risk inherent in joint ventures, whenever possible, hospitals should structure joint ventures to fit squarely in one of the following safe harbors for investment interests:

• the “small entity” investment safe harbor, 42 CFR 1001.952(a)(2), which applies to returns on investments as long as no more than 40 percent of the investment interests are held by investors who are in a position to make or influence referrals to, furnish items or services to, or otherwise generate business for the venture (interested investors), no more than 40 percent of revenues come from referrals or business otherwise generated from investors, and all other conditions are satisfied;

• the safe harbor for investment interests in an entity located in an underserved area, 42 CFR 1001.952(a)(3), which applies to ventures located in medically underserved areas (as defined in regulations issued by the Department and set forth at 42 CFR part 51c), as long as no more than 50 percent of the investment interests are held by interested investors and all other conditions are satisfied; or
• the hospital-physician ambulatory surgical center (ASC) safe harbor, 42 CFR 1001.952(r)(4). This safe harbor only protects investments in Medicare-certified ASCs owned by hospitals and certain qualifying physicians. Importantly, it does not protect investments by hospitals and physicians in non-ASC clinical joint ventures, including, for example, cardiac catheterization or vascular labs, oncology centers, and dialysis facilities. Investors in such clinical ventures should look to other safe harbors and to the factors noted above.

These safe harbors protect remuneration in the form of returns on investment interests (i.e., money paid by an entity to its owners or investors as dividends, profit distributions, or the like). However, they do not protect payments made by participating investors to a venture or payments made by the venture to other parties, such as vendors, contractors, or employees (although in some cases these arrangements may fit in other safe harbors).

As we originally observed in our 1989 Special Fraud Alert on Joint Venture Arrangements, joint ventures may take a variety of forms, including a contractual arrangement between two or more parties to cooperate in a common and distinct enterprise providing items or services, thereby creating a “contractual joint venture.” We elaborated more fully on contractual joint ventures in our 2003 Special Advisory Bulletin on Contractual Joint Ventures. Contractual joint ventures pose the same kinds of risks as equity joint ventures and should be analyzed similarly. Factors to consider include, for example, whether the hospital is expanding into a new line of business created predominately or exclusively to serve the hospital's existing patient base, whether a would-be competitor of the new line of business is providing all or most of the key services, and whether the hospital assumes little or no bona fide business risk. An example of a potentially problematic contractual joint venture would be a hospital contracting with an existing durable medical equipment (DME) supplier to operate the hospital's newly formed DME subsidiary (with its own DME supplier number) on essentially a turnkey basis, with the hospital primarily furnishing referrals and assuming little or no business risk.

Hospitals should be aware that, for reasons described in our 2003 Special Advisory Bulletin on Contractual Joint Ventures, safe harbor protection may not be available for contractual joint ventures, and attempts to carve out separate contracts and qualify each separately for safe harbor protection may be ineffectual and leave the parties at risk under the statute.

If a hospital is planning to participate, directly or indirectly, in a joint venture involving referring physicians and the venture does not qualify for safe harbor protection, the hospital should scrutinize the venture with care, taking into account the factors noted above, and consider obtaining advice from an experienced attorney. At a minimum, to reduce (but not necessarily eliminate) the risk of abuse, hospitals should consider (i) barring physicians employed by the hospital or its affiliates from referring to the joint venture; (ii) taking steps to ensure that medical staff and other affiliated physicians are not encouraged in any manner to refer to the joint venture; (iii) notifying physicians annually in writing of the preceding policy; (iv) refraining from tracking in any manner the volume of referrals attributable to particular referrals sources; (v) ensuring that no physician compensation is tied in any manner to the volume or value of referrals to, or other business generated for, the venture; (vi) disclosing all financial interests to patients; and (vii) requiring that other participants in the joint venture adopt similar steps.

b. Compensation Arrangements With Physicians

Hospitals enter into a variety of compensation arrangements with physicians whereby physicians provide items or services to, or on behalf of, the hospital. Conversely, in some arrangements, hospitals provide items or services to physicians. Examples of these compensation arrangements include, without limitation, medical director agreements, personal or management services agreements, space or equipment leases, and agreements for the provision of billing, nursing, or other staff services. Although many compensation arrangements are legitimate business arrangements, compensation arrangements may violate the anti-kickback statute if one purpose of the arrangement is to compensate physicians for past or future referrals.

The general rule of thumb is that any remuneration flowing between hospitals and physicians should be at fair market value for actual and necessary items furnished or services rendered based upon an arm's-length transaction and should not take into account, directly or indirectly, the value or volume of any past or future referrals or other business generated between the parties. Arrangements under which hospitals provide physicians with items or services for free or less than fair market value, relieve physicians of financial obligations they would otherwise incur, or inflate compensation paid to physicians for items or services pose significant risk. In such circumstances, an inference arises that the remuneration may be in exchange for generating business.

In particular, hospitals should review their physician compensation arrangements and carefully assess the risk of fraud and abuse using the following factors, among others:

• Are the items and services obtained from a physician legitimate, commercially reasonable, and necessary to achieve a legitimate business purpose of the hospital (apart from obtaining referrals)? Assuming that the hospital needs the items and services, does the hospital have multiple arrangements with different physicians, so that in the aggregate the items or services provided by all physicians exceed the hospital's actual needs (apart from generating business)?
• Does the compensation represent fair market value in an arm's-length transaction for the items and services? Could the hospital obtain the services from a non-referral source at a cheaper rate or under more favorable terms? Does the remuneration take into account, directly or indirectly, the value or volume of any past or future referrals or other business generated between the parties? Is the compensation tied, directly or indirectly, to Federal health care program reimbursement?
• Is the determination of fair market value based upon a reasonable methodology that is uniformly applied and properly documented? If fair market value is based on comparables, the hospital should ensure that the comparison entities are not actual or potential referral sources, so that the market rate for the services is not distorted.
• Is the compensation commensurate with the fair market value of a physician with the skill level and experience reasonably necessary to perform the contracted services?
• Were the physicians selected to participate in the arrangement in whole or in part because of their past or anticipated referrals?
• Is the arrangement properly and fully documented in writing? Are the physicians documenting the services they provide? Is the hospital monitoring the services?
• In the case of physicians staffing hospital outpatient departments, are safeguards in place to ensure that the physicians do not use hospital outpatient space, equipment, or personnel to conduct their private practice and that they bill the appropriate site-of-service modifier?

Whenever possible, hospitals should structure their compensation arrangements with physicians to fit in a safe harbor. Potentially applicable are the space rental safe harbor, 42 CFR 1001.952(b), the equipment rental safe harbor, 42 CFR 1001.952(c), the personal services and management contracts safe harbor, 42 CFR 1001.952(d), the sale of practice safe harbor, 42 CFR 1001.952(e), the referral services safe harbor, 42 CFR 1001.952(f), the employee safe harbor, 42 CFR 1001.952(i), the practitioner recruitment safe harbor, 42 CFR 1001.952(n), and the obstetrical malpractice insurance subsidies safe harbor, 42 CFR 1001.952(o). An arrangement must fit squarely in a safe harbor to be protected. Arrangements that do not fit in a safe harbor should be reviewed in light of the totality of all facts and circumstances. At minimum, hospitals should develop policies and procedures requiring physicians to document, and the hospital to monitor, the services or items provided under compensation arrangements (including, for example, by using written time reports). In some cases, particularly rentals, hospitals should consider obtaining an independent fair market valuation using appropriate health care valuation standards.

Arrangements between hospitals and hospital-based physicians (e.g., anesthesiologists, radiologists, and pathologists) raise some different concerns. In these arrangements, it is typically the hospitals making referrals to the physicians, rather than the physicians making referrals to the hospitals. Such arrangements may violate the anti-kickback statute if the arrangements: (i) Compensate physicians for less than the fair market value of goods or services provided by the physicians to the hospitals; or (ii) require physicians to pay more than the fair market value for services provided by the hospitals. We are aware that hospitals have long provided for the delivery of certain hospital-based physician services through the grant of a contract to a physician or physician group akin to a franchise, which shifts management, staffing, and other administrative functions, and in some cases limited clinical duties, to physicians at no cost to the hospitals. Such arrangements are of value to the hospital as well as the physicians, value that may well have nothing to do with the value or volume of referrals flowing from the hospital to the hospital-based physicians. In an appropriate context, an arrangement that requires a hospital-based physician or physician group to perform reasonable administrative or clinical duties directly related to their hospital-based professional services at no charge to the hospital or its patients would not violate the anti-kickback statute. Whether a particular arrangement with hospital-based physicians runs afoul of the anti-kickback statute would depend on the specific facts and circumstances, including the intent of the parties.

c. Relationships With Other Health Care Entities

As addressed in the preceding subsection, hospitals may obtain referrals of Federal health care program business from a variety of health care professionals and entities. In addition, when furnishing inpatient, outpatient, and related services, hospitals often direct or influence referrals for items and services reimbursable by Federal health care programs. For example, hospitals may refer patients to, or order items or services from, home health agencies, skilled nursing facilities, durable medical equipment companies, laboratories, pharmaceutical companies, and other hospitals. In cases where a hospital is the referral source for other providers or suppliers, it would be prudent for the hospital to scrutinize carefully any remuneration flowing to the hospital from the provider or supplier to ensure compliance with the anti-kickback statute, using the principles outlined above. Remuneration may include, for example, free or below-market-value items and services or the relief of a financial obligation.

Hospitals should also review their managed care arrangements to ensure compliance with the anti-kickback statute. Managed care arrangements that do not fit within one of the managed care and risk sharing safe harbors at 42 CFR 1001.952(m), (t), or (u) must be evaluated on a case-by-case basis.

d. Recruitment Arrangements

Many hospitals provide incentives to recruit a physician or other health care professional to join the hospital's medical staff and provide medical services to the surrounding community. When used to bring needed physicians to an underserved community, these arrangements can benefit patients. However, recruitment arrangements pose substantial fraud and abuse risk.

In most cases, the recruited physician establishes a private practice in the community instead of becoming a hospital employee. Such arrangements potentially implicate the anti-kickback statute if one purpose of the recruitment arrangement is to induce referrals to the recruiting hospital. Safe harbor protection is available for certain recruitment arrangements offered by hospitals to attract primary care physicians and practitioners to health professional shortage areas (HPSAs), as defined in regulations issued by the Department. The scope of this safe harbor is very limited. In particular, the safe harbor does not protect (a) recruitment arrangements in areas that are not designated as HPSAs, (b) recruitment of specialists, or (c) joint recruitment with existing physician practices in the area.

Because of the significant risk of fraud and abuse posed by improper recruitment arrangements, hospitals should scrutinize these arrangements with care. When assessing the degree of risk associated with recruitment arrangements, hospitals should examine the following factors, among others:

• The size and value of the recruitment benefit. Does the benefit exceed what is reasonably necessary to attract a qualified physician to the particular community? Has the hospital previously tried and failed to recruit or retain physicians?
• The duration of payout of the recruitment benefit. Total benefit payout periods extending longer than three years from the initial recruitment agreement should trigger heightened scrutiny.
• The practice of the existing physician. Is the physician a new physician with few or no patients or an established practitioner with a ready stream of referrals? Is the physician relocating from a substantial distance so that referrals are unlikely to follow or is it possible for the physician to bring an established patient base?
• The need for the recruitment. Is the recruited physician's specialty necessary to provide adequate access to medically necessary care for patients in the community? Do patients already have reasonable access to comparable services from other providers or practitioners in or near the community? An assessment of community need based wholly or partially on the competitive interests of the recruiting hospital or existing physician practices would subject the recruitment payments to heightened scrutiny under the statute.

Significantly, hospitals should be aware that the practitioner recruitment safe harbor does not protect “joint recruitment” arrangements between hospitals and other entities or individuals, such as solo practitioners, group practices, or managed care organizations, pursuant to which the hospital makes payments directly or indirectly to the other entity or individual. These joint recruitment arrangements present a high risk of fraud and abuse and have been the subject of recent government investigations and prosecutions. These arrangements can easily be used as vehicles to disguise payments from the hospital to an existing referral source—typically an existing physician practice—in exchange for the existing practice's referrals to the hospital. Suspect payments to existing referral sources may include, among other things, income guarantees that shift costs from the existing referral source to the recruited physician and overhead and build-out costs funded for the benefit of the existing referral source. Hospitals should review all “joint recruiting” arrangements to ensure that remuneration does not inure in whole or in part to the benefit of any party other than the recruited physician.

e. Discounts

Public policy favors open and legitimate price competition in health care. Thus, the anti-kickback statute contains an exception for discounts offered to customers that submit claims to the Federal health care programs, if the discounts are properly disclosed and accurately reported. However, to qualify for the exception, the discount must be in the form of a reduction in the price of the good or service based on an arm's-length transaction. In other words, the exception covers only reductions in the product's price. Moreover, the regulation provides that the discount must be given at the time of sale or, in certain cases, set at the time of sale, even if finally determined subsequent to the time of sale (i.e., a rebate).

In conducting business, hospitals sell and purchase items and services reimbursable by Federal health care programs. Therefore, hospitals should thoroughly familiarize themselves with the discount safe harbor at 42 CFR 1001.952(h). In particular, depending on their role in the arrangement, hospitals should pay attention to the discount safe harbor requirements applicable to “buyers,” “sellers,” or “offerors.” Compliance with the safe harbor is determined separately for each party. In general, hospitals should ensure that all discounts—including rebates—are properly disclosed and accurately reflected on hospital cost reports. If a hospital offers a discount on an item or service to a buyer, it should ensure that the discount is properly disclosed on the invoice or other documentation for the item or service.

The discount safe harbor does not protect a discount offered to one payor but not to the Federal health care programs. Accordingly, in negotiating discounts for items and services paid from a hospital's pocket (such as those reimbursed under the Medicare Part A prospective payment system), the hospital should ensure that there is no link or connection, explicit or implicit, between discounts offered or solicited for that business and the hospital's referral of business billable by the seller directly to Medicare or another Federal health care program. For example, a hospital should not engage in “swapping” by accepting from a supplier an unreasonably low price on Part A services that the hospital pays for out of its own pocket in exchange for hospital referrals that are billable by the supplier directly to Part B (e.g., ambulance services). Suspect arrangements include below-cost arrangements or arrangements at prices lower than the prices offered by the supplier to other customers with similar volumes of business, but without Federal health care program referrals.

Hospitals may also receive discounts on items and services purchased through group purchasing organizations (GPOs). Discounts received from a vendor in connection with a GPO to which a hospital belongs should be properly disclosed and accurately reported on the hospital cost reports. Although there is a safe harbor for payments made by a vendor to a GPO as part of an agreement to furnish items or services to a group of individuals or entities, 42 CFR 1001.952(k), the safe harbor does not protect the discount received by the individual or entity.

f. Medical Staff Credentialing

Certain medical staff credentialing practices may implicate the anti-kickback statute. For example, conditioning privileges on a particular number of referrals or requiring the performance of a particular number of procedures, beyond volumes necessary to ensure clinical proficiency, potentially raise substantial risks under the statute. On the other hand, a credentialing policy that categorically refuses privileges to physicians with significant conflicts of interest would not appear to implicate the statute in most situations. Hospitals are advised to examine their credentialing practices to ensure that they do not run afoul of the anti-kickback statute. The OIG has solicited comments about, and is considering, whether further guidance in this area is appropriate.

g. Malpractice Insurance Subsidies

The OIG historically has been concerned that a hospital's subsidy of malpractice insurance premiums for potential referral sources, including hospital medical staff, may be suspect under the anti-kickback statute, because the payments may be used to influence referrals. The OIG has established a safe harbor for medical malpractice premium subsidies provided to obstetrical care practitioners in primary health care shortage areas. Depending on the circumstances, premium support may also be structured to fit in other safe harbors.

We are aware of the current disruption (i.e., dramatic premium increases, insurers' withdrawals from certain markets, and/or sudden termination of coverage based upon factors other than the physicians' claims history) in the medical malpractice liability insurance markets in some States. Notwithstanding, hospitals should review malpractice insurance subsidy arrangements closely to ensure that there is no improper inducement to referral sources. Relevant factors include, without limitation:

• Whether the subsidy is being provided on an interim basis for a fixed period in a State or States experiencing severe access or affordability problems;
• whether the subsidy is being offered only to current active medical staff (or physicians new to the locality or in practice less than a year, i.e., physicians with no or few established patients);
• whether the criteria for receiving a subsidy is unrelated to the volume or value of referrals or other business generated by the subsidized physician or his practice;
• whether physicians receiving subsidies are paying at least as much as they currently pay for malpractice insurance (i.e., are windfalls to physicians avoided);
• whether physicians are required to perform services or relinquish rights, which have a value equal to the fair market value of the insurance assistance; and
• whether the insurance is available regardless of the location at which the physician provides services, including, but not limited to, other hospitals.

No one of these factors is determinative, and this list is illustrative, not exhaustive, of potential considerations in connection with the provision of malpractice insurance subsidies. Parties contemplating malpractice subsidy programs that do not fit into one of the safe harbors may want to consider obtaining an advisory opinion. Parties should also be mindful that these subsidy arrangements also implicate the Stark law.

C. Payments To Reduce or Limit Services: Gainsharing Arrangements

The civil monetary penalty set forth in section 1128A(b)(1) of the Act prohibits a hospital from knowingly making a payment directly or indirectly to a physician as an inducement to reduce or limit items or services furnished to Medicare or Medicaid beneficiaries under the physician's direct care. Hospitals that make (and physicians that receive) such payments are liable for civil monetary penalties (CMPs) of up to $2,000 per patient covered by the payments. The statutory proscription is very broad. The payment need not be tied to an actual diminution in care, so long as the hospital knows that the payment may influence the physician to reduce or limit services to his or her patients. There is no requirement that the prohibited payment be tied to a specific patient or to a reduction in medically necessary care. In short, any hospital incentive plan that encourages physicians through payments to reduce or limit clinical services directly or indirectly violates the statute.

We are aware that a number of hospitals are engaged in, or considering entering into, incentive arrangements commonly called “gainsharing.” While there is no fixed definition of a “gainsharing” arrangement, the term typically refers to an arrangement in which a hospital gives physicians a percentage share of any reduction in the hospital's costs for patient care attributable in part to the physicians' efforts. We recognize that, properly structured, gainsharing arrangements can serve legitimate business and medical purposes, such as increasing efficiency, reducing waste, and, thereby, potentially increasing a hospital's profitability. However, the plain language of section 1128A(b)(1) of the Act prohibits tying the physicians' compensation for services to reductions or limitations in items or services provided to patients under the physicians' clinical care.

In addition to the CMP risks described above, gainsharing arrangements can also implicate the anti-kickback statute if the cost-savings payments are used to influence referrals. For example, the statute is potentially implicated if a gainsharing arrangement is intended to influence physicians to “cherry pick” healthy patients for the hospital offering gainsharing payments and steer sicker (and more costly) patients to hospitals that do not offer gainsharing payments. Similarly, the statute may be implicated if a hospital offers a cost-sharing program with the intent to foster physician loyalty and attract more referrals. In addition, we have serious concerns about overly broad arrangements under which a physician continues for an extended time to reap the benefits of previously-achieved savings or receives cost-savings payments unrelated to anything done by the physician, whether work, services, or other undertaking (e.g., a change in the way the physician practices).

Wherever possible, hospitals should consider structuring cost-saving arrangements to fit in the personal services safe harbor. However, in many cases, protection under the personal services safe harbor is not available because gainsharing arrangements typically involve a percentage payment (i.e., the aggregate fee will not be set in advance, as required by the safe harbor). Finally, gainsharing arrangements may also implicate the Stark law.

D. Emergency Medical Treatment and Labor Act (EMTALA)

Hospitals should review their obligations under EMTALA (section 1867 of the Act) to evaluate and treat individuals who come to their emergency departments and other facilities. Hospitals should pay particular attention to when an individual must receive a medical screening exam to determine whether that individual is suffering from an emergency medical condition. When such a screening or treatment of an emergency medical condition is required, it cannot be delayed to inquire about an individual's method of payment or insurance status. If the hospital's emergency department (ED) is “on diversion” and an individual comes to the ED for evaluation or treatment of a medical condition, the hospital is required to provide such services despite its diversionary status.

Hospital emergency departments may not transfer an individual with an unstable emergency medical condition unless the benefits of such a transfer outweigh the risks. In such circumstances, the hospital must arrange for a transfer that will minimize the risks to the individual and that has been prearranged with the facility to which the individual is being transferred. Moreover, when a hospital receives a call from another facility requesting that it accept an appropriate transfer of a patient with an emergency, it must accept that patient for transfer if it has specialized capabilities to treat the patient that the transferring hospital does not have and it has the capacity to treat the patient.

A hospital must provide appropriate screening and treatment services within the full capabilities of its staff and facilities. This includes access to specialists who are on call. Thus, hospital policies and procedures should be clear on how to access the full services of the hospital and all staff should understand the hospital's obligations to patients under EMTALA. In particular, on-call physicians need to be educated as to their responsibilities to emergency patients, including the responsibility to accept appropriately transferred patients from other facilities. In addition, all persons working in emergency departments should be periodically trained and reminded of the hospital's EMTALA obligations and hospital policies and procedures designed to ensure that such obligations are met.

For further information about EMTALA, hospitals are directed to: (i) The anti-dumping statute at section 1867 of the Act; (ii) the anti-dumping statute's implementing regulations at 42 CFR part 489; (iii) our 1999 Special Advisory Bulletin on the Patient Anti-Dumping Statute, 64 FR 61353 (November 10, 1999), available on our webpage at http://oig.hhs.gov/fraud/docs/alertsandbulletins/frdump.pdf;; and (iv) CMS's EMTALA resource webpage located at http://www.cms.gov/providers/emtala/emtala.asp.

E. Substandard Care

The OIG has authority to exclude any individual or entity from participation in Federal health care programs if the individual or entity provides unnecessary items or services (i.e., items or services in excess of the needs of a patient) or substandard items or services (i.e., items or services of a quality which fails to meet professionally recognized standards of health care). Significantly, neither knowledge nor intent is required for exclusion under this provision. The exclusion can be based upon unnecessary or substandard items or services provided to any patient, even if that patient is not a Medicare or Medicaid beneficiary.

We are mindful that the vast majority of hospitals are fully committed to providing quality care to their patients. To achieve their quality-related goals, hospitals should continually measure their performance against comprehensive standards. For example, hospitals should meet all of the Medicare hospital conditions of participation (COP), including without limitation, the COP pertaining to a quality assessment and performance program at 42 CFR 482.21 and the hospital COP pertaining to the medical staff at 42 CFR 482.22. Hospitals that have elected to be reviewed by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) should maintain their JCAHO accreditation. In addition, hospitals should develop their own quality of care protocols and implement mechanisms for evaluating compliance with those protocols.

Finally, in reviewing the quality of care provided, hospitals must not limit their review to the quality of their nursing and other ancillary services. Instead, hospitals must also take an active part in monitoring the quality of medical services provided at the hospital by appropriately overseeing the credentialing and peer review of their medical staffs.

F. Relationships With Federal Health Care Beneficiaries

Hospitals' relationships with Federal health care beneficiaries may also implicate the fraud and abuse laws. In particular, hospitals should be aware that section 1128A(a)(5) of the Act authorizes the OIG to impose CMPs on hospitals (and others) that offer or transfer remuneration to a Medicare or Medicaid beneficiary that the offeror knows or should know is likely to influence the beneficiary to order or receive items or services from a particular provider, practitioner, or supplier for which payment may be made under the Medicare or Medicaid programs. The definition of “remuneration” expressly includes the offer or transfer of items or services for free or other than fair market value, including the waiver of all or part of a Medicare or Medicaid cost-sharing amount. In other words, hospitals may not offer valuable items or services to Medicare or Medicaid beneficiaries to attract their business. In this regard, hospitals should familiarize themselves with the OIG's August 2002 Special Advisory Bulletin on Offering Gifts and Other Inducements to Beneficiaries.

1. Gifts and Gratuities

Hospitals should scrutinize any offers of gifts or gratuities to beneficiaries for compliance with the CMP provision prohibiting inducements to Medicare and Medicaid beneficiaries. The key inquiry under the CMP is whether the remuneration is something that the hospital knows or should know is likely to influence the beneficiary's selection of a particular provider, practitioner, or supplier for Medicare or Medicaid payable services. As interpreted by the OIG, section 1128A(a)(5) does not apply to the provision of items or services valued at less than $10 per item and $50 per patient in the aggregate on an annual basis. A special exception for incentives to promote the delivery of preventive care services is discussed below at section II.I.2.

2. Cost-Sharing Waivers

In general, hospitals are obligated to collect cost-sharing amounts owed by Federal health care program beneficiaries. Waiving owed amounts may constitute prohibited remuneration to beneficiaries under section 1128A(a)(5) of the Act or the anti-kickback statute. Certain waivers of Part A inpatient cost-sharing amounts may be protected by structuring them to fit in the safe harbor for waivers of beneficiary inpatient coinsurance and deductible amounts at 42 CFR 1001.952(k). In particular, under the safe harbor, waived amounts may not be claimed as bad debt; the waivers must be offered uniformly across the board, without regard to the reason for admission, length of stay, or DRG; and waivers may not be made as part of any agreement with a third party payer, unless the third party payer is a Medicare SELECT plan under section 1882(t)(1) of the Act.

In addition, hospitals (and others) may waive cost-sharing amounts on the basis of a beneficiary's financial need, so long as the waiver is not routine, not advertised, and made pursuant to a good faith, individualized assessment of the beneficiary's financial need or after reasonable collection efforts have failed. The OIG recognizes that what constitutes a good faith determination of “financial need” may vary depending on the individual patient's circumstances and that hospitals should have flexibility to take into account relevant variables. These factors may include, for example:

• The local cost of living;
• a patient's income, assets, and expenses;
• a patient's family size; and
• the scope and extent of a patient's medical bills.

Hospitals should use a reasonable set of financial need guidelines that are based on objective criteria and appropriate for the applicable locality. The guidelines should be applied uniformly in all cases. While hospitals have flexibility in making the determination of financial need, we do not believe it is appropriate to apply inflated income guidelines that result in waivers for beneficiaries who are not in genuine financial need. Hospitals should consider that the financial status of a patient may change over time and should recheck a patient's eligibility at reasonable intervals sufficient to ensure that the patient remains in financial need. For example, a patient who obtains outpatient hospital services several times a week would not need to be rechecked every visit. Hospitals should take reasonable measures to document their determinations of Medicare beneficiaries' financial need. We are aware that in some situations patients may be reluctant or unable to provide documentation of their financial status. In those cases, hospitals may be able to use other reasonable methods for determining financial need, including, for example, documented patient interviews or questionnaires.

In sum, hospitals should review their waiver policies to ensure that the policies and the manner in which they are implemented comply with all applicable laws. For more information about cost-sharing waivers, hospitals should review our February 2, 2004 paper on “Hospital Discounts Offered To Patients Who Cannot Afford To Pay Their Hospital Bills,” containing a section titled “Reductions or Waivers of Cost-Sharing Amounts for Medicare Beneficiaries Experiencing Financial Hardship” and available on our webpage at http://oig.hhs.gov/fraud/docs/alertsandbulletins/2004/FA021904hospitaldiscounts.pdf.

3. Free Transportation

The plain language of the CMP prohibits offering free transportation to Medicare or Medicaid beneficiaries to influence their selection of a particular provider, practitioner, or supplier. Notwithstanding, hospitals can offer free local transportation of low value (i.e., within the $10 per item and $50 annual limits). Luxury and specialized transportation, such as limousines or ambulances, would exceed the low value threshold and are problematic, as are arrangements tied in any manner to the volume or value of referrals and arrangements tied to particularly lucrative treatments or medical conditions. However, we have indicated that we are considering developing a regulatory exception for some complimentary local transportation provided to beneficiaries residing in a hospital's primary service area. Accordingly, until such time as we promulgate a final rule on complimentary local transportation under section 1128A(a)(5) or indicate our intention not to proceed with such rule, we have indicated that we will not impose administrative sanctions for violations of section 1128A(a)(5) of the Act in connection with hospital-based complimentary transportation programs that meet the following conditions:

• The program was in existence prior to August 30, 2002, the date of publication of the Special Advisory Bulletin on Offering Gifts and Other Inducements to Beneficiaries.
• Transportation is offered uniformly and without charge or at reduced charge to all patients of the hospital or hospital-owned ambulatory surgical center (and may also be made available to their families).
• The transportation is only provided to and from the hospital or a hospital-owned ambulatory surgical center and is for the purpose of receiving hospital or ambulatory surgery center services (or, in the case of family members, accompanying or visiting hospital or ambulatory surgical center patients).
• The transportation is provided only within the hospital's or ambulatory surgical center's primary service area.
• The costs of the transportation are not claimed directly or indirectly by any Federal health care program cost report or claim and are not otherwise shifted to any Federal health care program.
• The transportation does not include ambulance transportation.

Other arrangements are subject to a case-by-case review under the statute to ensure that no improper inducement exists.

G. HIPAA Privacy and Security Rules

As of April 14, 2003, all hospitals transmitting electronic transactions to health plans were required to comply with the privacy rules of the Health Insurance Portability and Accountability Act (HIPAA). Generally, the HIPAA privacy rule addresses the use and disclosure of individuals' health information (protected health information or PHI) by hospitals and other covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used. The privacy rule, 45 CFR parts 160 and 164, and other helpful information about how it applies, including frequently asked questions, can be found on the webpage of the Department's Office for Civil Rights (OCR) at http://www.hhs.gov/ocr/hipaa/. Questions about the privacy rule should be submitted to OCR. Hospitals can contact OCR by following the instructions on its webpage, http://www.hhs.gov/ocr/contact.html,, or by calling the HIPAA toll-free number, (866) 627-7748.

To ease the burden of complying with the new requirements, the privacy rule gives hospitals and other covered entities flexibility to create their own privacy procedures. Each hospital should make sure that it is compliant with all applicable provisions of the privacy rule, including provisions pertaining to required disclosures (such as required disclosures to the Department when it is undertaking a compliance investigation or review or enforcement action) and that its privacy procedures are tailored to fit its particular size and needs.

The final HIPAA security rule was published in the Federal Register on February 20, 2003. It is available on CMS's webpage at http://www.cms.gov/hipaa/hipaa2. The security rule specifies a series of administrative, technical, and physical security procedures for hospitals that are covered entities and other covered entities to use to assure the confidentiality of electronic PHI. Hospitals that are covered entities must be compliant with the security rule by April 20, 2005. The security rule requirements are flexible and scalable, which allows each covered entity to tailor its approach to compliance based on its own unique circumstances. Covered entities can consider their organization and capabilities, as well as costs, in designing their security plans and procedures. Questions about the HIPAA security rules should be submitted to CMS. Hospitals can contact CMS by following the instructions on its webpage, http://www.cms.gov/hipaa/hipaa2/contact,, or by calling the HIPAA toll-free number, (866) 627-7748.

H. Billing Medicare or Medicaid Substantially in Excess of Usual Charges

Section 1128(b)(6)(A) of the Act provides for the permissive exclusion from Federal health care programs of any provider or supplier that submits a claim based on costs or charges to the Medicare or Medicaid programs that is “substantially in excess” of its usual charge or cost, unless the Secretary finds there is “good cause” for the higher charge or cost. The exclusion provision does not require a provider to charge everyone the same price; nor does it require a provider to offer Medicare or Medicaid its “best price.” However, providers cannot routinely charge Medicare or Medicaid substantially more than they usually charge others. Hospitals have raised concerns regarding the impact of the exclusion authority on hospital services, and the OIG is considering those concerns in the context of the rulemaking process. The OIG's policy regarding application of the exclusion authority to discounts offered to uninsured and underinsured patients is discussed below.

I. Areas of General Interest

Although in most cases the following areas do not pose significant fraud and abuse risk, the OIG has received numerous inquiries from hospitals and others on these topics. Therefore, we offer the following guidance to assist hospitals in their review of these arrangements.

1. Discounts to Uninsured Patients

No OIG authority, including the Federal anti-kickback statute, prohibits or restricts hospitals from offering discounts to uninsured patients who are unable to pay their hospital bills. In addition, the OIG has never excluded or attempted to exclude any provider or supplier for offering discounts to uninsured or underinsured patients under the permissive exclusion authority at section 1128(b)(6)(A) of the Act. However, to provide additional assurance to the industry, the OIG recently proposed regulations that would define key terms in the statute. Among other things, the proposed regulations would make clear that free or substantially reduced charges to uninsured persons would not affect the calculation of a provider's or supplier's “usual” charges, as the term “usual charges” is used in the exclusion provision. The OIG is currently reviewing the public comments to the proposed regulations. Until such time as a final regulation is promulgated or the OIG indicates its intention not to promulgate a final rule, it will continue to be the OIG's enforcement policy that when calculating their “usual charges” for purposes of section 1128(b)(6)(A), individuals and entities do not need to consider free or substantially reduced charges to (i) uninsured patients or (ii) underinsured patients who are self-paying patients for the items or services furnished. In offering such discounts, a hospital should reflect full uniform charges, rather than the discounted amounts, on its Medicare cost report and make the FI aware that it has reported its full charges.

Under CMS rules, Medicare generally reimburses a hospital for a percentage of the “bad debt” of a Medicare beneficiary (i.e., unpaid deductibles or coinsurance) as long as the hospital bills a patient and engages in reasonable, consistent collection efforts. However, as explained in CMS's paper titled “Questions On Charges For The Uninsured,” a hospital can forgo any collection effort aimed at a Medicare patient, if the hospital, using its customary methods, can document that the patient is indigent or medically indigent. In addition, if the hospital also determines that no source other than the patient is legally responsible for the unpaid deductibles and coinsurance, the hospital may claim the amounts as Medicare bad debts.

CMS rules provide that a hospital can determine its own individual indigency criteria as long as it applies the criteria to Medicare and non-Medicare patients uniformly. For Medicare patients, however, if a hospital wants to claim Medicare bad debt reimbursement, CMS requires documentation to support the indigency determination. To claim Medicare bad debt reimbursement, the hospital must follow the guidance stated in the Provider Reimbursement Manual. A hospital should examine a patient's total resources, which could include, but are not limited to, an analysis of assets, liabilities, income, expenses, and any extenuating circumstances that would affect the determination. The hospital should document the method by which it determined the indigency and include all backup information to substantiate the determination. In addition, if collection efforts are made, Medicare requires the efforts to be documented in the patient's file with copies of the bill(s), follow-up letters, and reports of telephone and personal contacts. In the case of a dually-eligible patient (i.e., a patient entitled to both Medicare and Medicaid), the hospital must include a denial of payment from the State with the bad debt claim.

2. Preventive Care Services

Hospitals, particularly non-profit hospitals, frequently participate in community-based efforts to deliver preventive care services. The Medicare and Medicaid programs encourage patients to access preventive care services. The prohibition against beneficiary inducements at section 1128A(a)(5) of the Act does not apply to incentives offered to promote the delivery of certain preventive care services, if the programs are structured in accordance with the regulatory requirements at 42 CFR 1003.101. Generally, to fit within the preventive care exception, a service must be a prenatal service or post-natal well-baby visit or a specific clinical service described in the current U.S. Preventive Services Task Force's Guide to Clinical Preventive Services that is reimbursed by Medicare or Medicaid. Obtaining the service may not be tied directly or indirectly to the provision of other Medicare or Medicaid services. In addition, the incentives may not be in the form of cash or cash equivalents and may not be disproportionate to the value of the preventive care provided. From an anti-kickback perspective, the chief concern is whether an arrangement to induce patients to obtain preventive care services is intended to induce other business payable by a Federal health care program. Relevant factors in making this evaluation would include, but not be limited to: the nature and scope of the preventive care services; whether the preventive care services are tied directly or indirectly to the provision of other items or services and, if so, the nature and scope of the other services; the basis on which patients are selected to receive the free or discounted services; and whether the patient is able to afford the services.

3. Professional Courtesy

Although historically “professional courtesy” referred to the practice of physicians waiving the entire professional fee for other physicians, the term is variously used in the industry now to describe a range of practices involving free or discounted services (including “insurance only” billing) furnished to physicians and their families and staff. Some hospitals have used the term “professional courtesy” to describe various programs that offer free or discounted hospital services to medical staff, employees, community physicians, and their families and staff. Although many professional courtesy programs are unlikely to pose a significant risk of abuse (and many may be legitimate employee benefits programs eligible for the employee safe harbor), some hospital-sponsored “professional courtesy” programs may implicate the fraud and abuse statutes.

In general, whether a professional courtesy program runs afoul of the anti-kickback statute turns on whether the recipients of the professional courtesy are selected in a manner that takes into account, directly or indirectly, any recipient's ability to refer to, or otherwise generate business for, the hospital. Also relevant is whether the physicians have solicited the professional courtesy in return for referrals. With respect to the Stark law, the key inquiry is whether the arrangement fits in the exception for professional courtesy at 42 CFR 411.357(s). Finally, hospitals should evaluate the method by which the courtesy is granted. For example, “insurance only” billing offered to a Federal program beneficiary potentially implicates the anti-kickback statute, the False Claims Act, and the CMP provision prohibiting inducements to Medicare and Medicaid beneficiaries (discussed in section II.F above). Notably, the Stark law exception for professional courtesy requires that insurers be notified if “professional courtesy” includes “insurance only” billing.

III. Hospital Compliance Program Effectiveness

Hospitals with an organizational culture that values compliance are more likely to have effective compliance programs and thus be better able to prevent, detect, and correct problems. Building and sustaining a successful compliance program rarely follows the same formula from organization to organization. However, such programs generally include: The commitment of the hospital's governance and management at the highest levels; structures and processes that create effective internal controls; and regular self-assessment and enhancement of the existing compliance program. The 1998 CPG provided guidance for hospitals on establishing sound internal controls. This section discusses the important roles of corporate leadership and self-assessment of compliance programs.

A. Code of Conduct

Every effective compliance program necessarily begins with a formal commitment to compliance by the hospital's governing body and senior management. Evidence of that commitment should include active involvement of the organizational leadership, allocation of adequate resources, a reasonable timetable for implementation of the compliance measures, and the identification of a compliance officer and compliance committee vested with sufficient autonomy, authority, and accountability to implement and enforce appropriate compliance measures. A hospital's leadership should foster an organizational culture that values, and even rewards, the prevention, detection, and resolution of problems. Moreover, hospitals' leadership and management should ensure that policies and procedures, including, for example, compensation structures, do not create undue pressure to pursue profit over compliance. In short, the hospital should endeavor to develop a culture that values compliance from the top down and fosters compliance from the bottom up. Such an organizational culture is the foundation of an effective compliance program.

Although a clear statement of detailed and substantive policies and procedures—and the periodic evaluation of their effectiveness—is at the core of a compliance program, the OIG recommends that hospitals also develop a general organizational statement of ethical and compliance principles that will guide the entity's operations. One common expression of this statement of principles is a code of conduct. The code should function in the same fashion as a constitution, i.e., as a document that details the fundamental principles, values, and framework for action within an organization. The code of conduct for a hospital should articulate a commitment to compliance by management, employees, and contractors, and should summarize the broad ethical and legal principles under which the hospital must operate. Unlike the more detailed policies and procedures, the code of conduct should be brief, easily readable, and cover general principles applicable to all members of the organization.

As appropriate, the OIG strongly encourages the participation and involvement of the hospital's board of directors, officers (including the chief executive officer (CEO)), members of senior management, and other personnel from various levels of the organizational structure in the development of all aspects of the compliance program, especially the code of conduct. Management and employee involvement in this process communicates a strong and explicit commitment by management to foster compliance with applicable Federal health care program requirements. It also communicates the need for all managers, employees, contractors, and medical staff members to comply with the organization's code of conduct and policies and procedures.

B. Regular Review of Compliance Program Effectiveness

Hospitals should regularly review the implementation and execution of their compliance program elements. This review should be conducted at least annually and should include an assessment of each of the basic elements individually, as well as the overall success of the program. This review should help the hospital identify any weaknesses in its compliance program and implement appropriate changes.

A common method of assessing compliance program effectiveness is measurement of various outcomes indicators (e.g., billing and coding error rates, identified overpayments, and audit results). However, we have observed that exclusive reliance on these indicators may cause an organization to miss crucial underlying weaknesses. We recommend that hospitals examine program outcomes and assess the underlying structure and process of each compliance program element. We have identified a number of factors that may be useful when evaluating the effectiveness of basic compliance program elements. Hospitals should consider these factors, as well as others, when developing a strategy for assessing their compliance programs. While no one factor is determinative of program effectiveness, the following factors are often observed in effective compliance programs.

1. Designation of a Compliance Officer and Compliance Committee

The compliance department is the backbone of the hospital's compliance program. The compliance department should be led by a well-qualified compliance officer, who is a member of senior management, and should be supported by a compliance committee. The purpose of the compliance department is to implement the hospital's compliance program and to ensure that the hospital complies with all applicable Federal health care program requirements. To ensure that the compliance department is meeting this objective, each hospital should conduct an annual review of its compliance department. Some factors that the organization may wish to consider in its evaluation include the following:

• Does the compliance department have a clear, well-crafted mission?
• Is the compliance department properly organized?
• Does the compliance department have sufficient resources (staff and budget), training, authority, and autonomy to carry out its mission?
• Is the relationship between the compliance function and the general counsel function appropriate to achieve the purpose of each?
• Is there an active compliance committee, comprised of trained representatives of each of the relevant functional departments, as well as senior management?
• Are ad hoc groups or task forces assigned to carry out any special missions, such as conducting an investigation or evaluating a proposed enhancement to the compliance program?
• Does the compliance officer have direct access to the governing body, the president or CEO, all senior management, and legal counsel?
• Does the compliance officer have a good working relationship with other key operational areas, such as internal audit, coding, billing, and clinical departments?
• Does the compliance officer make regular reports to the board of directors and other hospital management concerning different aspects of the hospital's compliance program?

2. Development of Compliance Policies and Procedures, Including Standards of Conduct

The purpose of compliance policies and procedures is to establish bright-line rules that help employees carry out their job functions in a manner that ensures compliance with Federal health care program requirements and furthers the mission and objective of the hospital itself. Typically, policies and procedures are written to address identified risk areas for the organization. As hospitals conduct a review of their written policies and procedures, some of the following factors may be considered:

• Are policies and procedures clearly written, relevant to day-to-day responsibilities, readily available to those who need them, and re-evaluated on a regular basis?
• Does the hospital monitor staff compliance with internal policies and procedures?
• Have the standards of conduct been distributed to the Board of Directors, all officers, all managers, employees, contractors, and medical staff?
• Has the hospital developed a risk assessment tool, which is re-evaluated on a regular basis, to assess and identify weaknesses and risks in operations?
• Does the risk assessment tool include an evaluation of Federal health care program requirements, as well as other publications, such as OIG CPGs, Work Plans, Special Advisory Bulletins, and Special Fraud Alerts?

3. Developing Open Lines of Communication

Open communication is essential to maintaining an effective compliance program. The purpose of developing open communication is to increase the hospital's ability to identify and respond to compliance problems. Generally, open communication is a product of organizational culture and internal mechanisms for reporting instances of potential fraud and abuse. When assessing a hospital's ability to communicate potential compliance issues effectively, a hospital may wish to consider the following factors:

• Has the hospital fostered an organizational culture that encourages open communication, without fear of retaliation?
• Has the hospital established an anonymous hotline or other similar mechanism so that staff, contractors, patients, visitors, and medical staff can report potential compliance issues?
• How well is the hotline publicized; how many and what types of calls are received; are calls logged and tracked (to establish possible patterns); and does the caller have some way to be informed of the hospital's actions?
• Are all instances of potential fraud and abuse investigated?
• Are the results of internal investigations shared with the hospital governing body and relevant departments on a regular basis?
• Is the governing body actively engaged in pursuing appropriate remedies to institutional or recurring problems?
• Does the hospital utilize alternative communication methods, such as a periodic newsletter or compliance intranet web site?

4. Appropriate Training and Education

Hospitals that fail to train and educate their staff adequately risk liability for the violation of health care fraud and abuse laws. The purpose of conducting a training and education program is to ensure that each employee, contractor, or any other individual that functions on behalf of the hospital is fully capable of executing his or her role in compliance with rules, regulations, and other standards. In reviewing their training and education programs, hospitals may consider the following factors:

• Does the hospital provide qualified trainers to conduct annual compliance training to its staff, including both general and specific training pertinent to the staff s responsibilities?
• Has the hospital evaluated the content of its training and education program on an annual basis and determined that the subject content is appropriate and sufficient to cover the range of issues confronting its employees?
• Has the hospital kept up-to-date with any changes in Federal health care program requirements and adapted its education and training program accordingly?
• Has the hospital formulated the content of its education and training program to consider results from its audits and investigations; results from previous training and education programs; trends in hotline reports; and OIG, CMS, or other agency guidance or advisories?
• Has the hospital evaluated the appropriateness of its training format by reviewing the length of the training sessions; whether training is delivered via live instructors or via computer-based training programs; the frequency of training sessions; and the need for general and specific training sessions?
• Does the hospital seek feedback after each session to identify shortcomings in the training program, and does it administer post-training testing to ensure attendees understand and retain the subject matter delivered?
• Has the hospital s governing body been provided with appropriate training on fraud and abuse laws?
• Has the hospital documented who has completed the required training?
• Has the hospital assessed whether to impose sanctions for failing to attend training or to offer appropriate incentives for attending training?

5. Internal Monitoring and Auditing

Effective auditing and monitoring plans will help hospitals avoid the submission of incorrect claims to Federal health care program payors. Hospitals should develop detailed annual audit plans designed to minimize the risks associated with improper claims and billing practices. Some factors hospitals may wish to consider include the following:

• Is the audit plan re-evaluated annually, and does it address the proper areas of concern, considering, for example, findings from previous years' audits, risk areas identified as part of the annual risk assessment, and high volume services?
• Does the audit plan include an assessment of billing systems, in addition to claims accuracy, in an effort to identify the root cause of billing errors?
• Is the role of the auditors clearly established and are coding and audit personnel independent and qualified, with the requisite certifications?
• Is the audit department available to conduct unscheduled reviews and does a mechanism exist that allows the compliance department to request additional audits or monitoring should the need arise?
• Has the hospital evaluated the error rates identified in the annual audits?
• If the error rates are not decreasing, has the hospital conducted a further investigation into other aspects of the hospital compliance program in an effort to determine hidden weaknesses and deficiencies?
• Does the audit include a review of all billing documentation, including clinical documentation, in support of the claim?

6. Response to Detected Deficiencies

By consistently responding to detected deficiencies, hospitals can develop effective corrective action plans and prevent further losses to Federal health care programs. Some factors a hospital may wish to consider when evaluating the manner in which it responds to detected deficiencies include the following:

• Has the hospital created a response team, consisting of representatives from the compliance, audit, and any other relevant functional areas, which may be able to evaluate any detected deficiencies quickly?
• Are all matters thoroughly and promptly investigated?
• Are corrective action plans developed that take into account the root causes of each potential violation?
• Are periodic reviews of problem areas conducted to verify that the corrective action that was implemented successfully eliminated existing deficiencies?
• When a detected deficiency results in an identified overpayment to the hospital, are overpayments promptly reported and repaid to the FI?
• If a matter results in a probable violation of law, does the hospital promptly disclose the matter to the appropriate law enforcement agency.

7. Enforcement of Disciplinary Standards

By enforcing disciplinary standards, hospitals help create an organizational culture that emphasizes ethical behavior. Hospitals may consider the following factors when assessing the effectiveness of internal disciplinary efforts:

• Are disciplinary standards well-publicized and readily available to all hospital personnel?
• Are disciplinary standards enforced consistently across the organization?
• Is each instance involving the enforcement of disciplinary standards thoroughly documented?
• Are employees, contractors and medical staff checked routinely (e.g., at least annually) against government sanctions lists, including the OIG's List of Excluded Individuals/Entities (LEIE) and the General Services Administration's Excluded Parties Listing System.

In sum, while no single factor is conclusive of an effective compliance program, the preceding seven areas form a useful starting point for developing and maintaining an effective compliance program.

IV. Self-Reporting

Where the compliance officer, compliance committee, or a member of senior management discovers credible evidence of misconduct from any source and, after a reasonable inquiry, believes that the misconduct may violate criminal, civil, or administrative law, the hospital should promptly report the existence of misconduct to the appropriate Federal and State authorities within a reasonable period, but not more than 60 days, after determining that there is credible evidence of a violation. Prompt voluntary reporting will demonstrate the hospital's good faith and willingness to work with governmental authorities to correct and remedy the problem. In addition, reporting such conduct will be considered a mitigating factor by the OIG in determining administrative sanctions (e.g., penalties, assessments, and exclusion), if the reporting hospital becomes the subject of an OIG investigation. To encourage providers to make voluntary disclosures, the OIG published the Provider Self-Disclosure Protocol.

When reporting to the government, a hospital should provide all information relevant to the alleged violation of applicable Federal or State law(s) and the potential financial or other impact of the alleged violation. The compliance officer, under advice of counsel and with guidance from the governmental authorities, could be requested to continue to investigate the reported violation. Once the investigation is completed, and especially if the investigation ultimately reveals that criminal, civil or administrative violations have occurred, the compliance officer should notify the appropriate governmental authority of the outcome of the investigation, including a description of the impact of the alleged violation on the applicable Federal health care programs or their beneficiaries.

V. Conclusion

In today's environment of increased scrutiny of corporate conduct and increasingly large expenditures for health care, it is imperative for hospitals to establish and maintain effective compliance programs. These programs should foster a culture of compliance that begins at the highest levels and extends throughout the organization. This supplemental CPG is intended as a resource for hospitals to help them operate effective compliance programs that decrease errors, fraud, and abuse and increase compliance with Federal health care program requirements for the benefit of the hospitals and public alike.