What Is Healthcare Compliance?
Healthcare compliance is the formal name given to proactive tasks to prevent fraud, waste, or abuse within a healthcare entity. A compliance program is the active, ongoing process to ensure that legal, ethical, and professional standards are met and communicated throughout the entire healthcare organization.
Compliance promotes a culture where participants within the healthcare organization strive to prevent, detect, and resolve activity that could lead to fraud, waste, or abuse. The foundation of compliance culture is an organized plan with steps often referred to as compliance elements. The terms ethics, culture, and code of conduct are woven together in many documents that discuss compliance.
History of Healthcare Compliance Regulations
The history of healthcare compliance regulations spans many years. The core elements of healthcare compliance first appeared in the United States Sentencing Commission Guidelines Manual in 1991, and organizations still use these today as a guide when designing their unique compliance programs. The Office of Inspector General (OIG) provided further details regarding healthcare compliance in 1998 with core steps that hospitals can use to start a compliance program. The OIG later designed guidance for other healthcare organizations and made it all available on the OIG website.
The Social Security Act (SSA) also discusses compliance components and ethics. For instance, SSA, Section 1128I, focuses on nursing facilities and skilled nursing facilities that accept Medicare and Medicaid, mentioning required components like these:
A compliance and ethics program is a reasonably designed, implemented, and enforced program that will prevent and detect criminal, civil, and administrative violations that include standards and procedures to be followed by the organization’s employees and other agents.
Specific individuals within high-level personnel of the organization must be assigned overall responsibility to oversee compliance and have sufficient resources to ensure such compliance.
The organization must have used care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known, could violate the law.
The organization must have taken steps to effectively communicate its standards and procedures to all employees and other agents, such as requiring participation in training programs.
The organization must have taken reasonable steps to achieve compliance with its standards, such as by using monitoring and auditing.
The standards must have been consistently enforced through appropriate disciplinary mechanisms.
After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense.
The organization must periodically undertake reassessment of its compliance program to identify changes necessary.
The Centers for Medicare & Medicaid Services (CMS) provides guidance on healthcare compliance requirements, too. For instance, the Medicare Managed Care Manual, Chapter 11, Medicare Advantage Application Procedures and Contract Requirements, states that there must be a commitment to compliance, integrity, and ethical values as demonstrated by a compliance plan. The ways the manual offers to demonstrate these values stem from the SSA list above and are known as the core elements.
7 Core Elements of Compliance
The seven core elements of healthcare compliance, listed below, assist organizations with the design and implementation of a hearty healthcare compliance program featuring education, communication, and proactive measures that set an ethical culture for the organization. Although these are taken from a Medicare manual chapter related to Medicare Advantage (MA), organizations billing to any payer can benefit from applying these core elements. There is a similar list on the OIG site.
Written policies, procedures, and standards of conduct that articulate the organization’s commitment to comply with all applicable federal and state standards
Example: A written policy can be a compliance plan. The procedures and standards described in the plan will assist with the development of a compliance program. An example of a procedure or standard might be to conduct internal coding reviews of a specified number of healthcare providers two times a year. The seven core elements can be used as a template to write your plan.Designation of a compliance officer and compliance committee that are accountable to senior management
Example: Will the organization hire a designated compliance officer? Or, particularly if it's a small healthcare office, will the office manager also act as the compliance point of contact for the organization?Effective training and education between the compliance officer and organization employees
Example: Does the compliance plan state when employees will be trained? Is there a test that the employees take to see if they understand the concepts of the plan? Does compliance training offer various methods of teaching such as the use of videos or slide presentations?Effective lines of communication between the compliance officer, the organization’s employees, and the Medicare-Advantage-related contractors so that at a minimum there is a mechanism for employees or contractors to ask questions, seek clarification, and report potential or actual noncompliance without fear of retaliation
Example: Will there be a hotline implemented? Will the hotline go directly to the compliance point of contact? Can someone send compliance a message to their door? How will the person’s identity be kept private to prevent retaliation? Which key senior staff will know about the communication or investigation?Enforcement of standards through well publicized disciplinary guidelines
Example: How will employees know that the compliance plan/program exists? Where will the compliance guidelines be posted? Will everyone be held accountable, even the CEO and board members? What about the compliance point of contact? How will the compliance point of contact handle a situation where the CEO of the company has acted in disregard of the compliance program?Internal monitoring and auditing that includes risk assessment
Example: Internal monitoring refers to coding and billing spot checks. How often will compliance conduct this activity? What will compliance do when coding and billing errors have been detected? Audits are more formal and sometimes involve an outside consultant. How often will an audit take place to ensure that the monitoring is effective?Procedures for ensuring prompt response to detected offenses and development of corrective action initiatives
Example: What steps will take place and be outlined in the compliance plan when someone has breached the compliance plan? Will there be a warning, or will the person be fired? If the compliance breach is at a high level — CEO or board — how will the compliance point of contact handle that situation? Is there a compliance committee that reviews and discusses such issues?
Is Compliance Mandated?
The Patient Protection and Affordable Care Act (ACA), Section 6401, mandated that providers put a compliance plan in place, but an enforcement date has not been issued for that requirement. That’s the short answer to whether healthcare compliance is mandated.
As further explanation, per the ACA, providers and suppliers must establish a compliance program as a condition of enrollment in Medicare, Medicaid, or the Children’s Health Insurance Program (CHIP). The compliance program must contain core elements that the U.S. Department of Health and Human Services (HHS) secretary, in consultation with the HHS inspector general, must establish. “The Secretary shall determine the timeline for the establishment of the core elements … and the date of the implementation,” the ACA states (as does the SSA).
The enforcement date for this ACA requirement hasn’t been set yet, however. Considering the ACA went into effect in 2010, the healthcare industry has had a lot of time to prepare and get compliance programs in place. If an organization still has work to do, resources like the 2014 CMS joint presentation with the OIG may assist with designing a compliance program.
We also saw above that the Medicare Advantage contract requirements chapter of the Medicare Managed Care Manual mandates that MA organizations show a demonstrated commitment to compliance. (The manual goes on to state that MA plans offered to employees or union members may have different rules.)
Remember that Medicare is not the only payer that wants healthcare organizations to have a compliance program. Many state Medicaid units and commercial payers also require a compliance program. Some states require healthcare providers to have a compliance program, too, so organizations need to know both their state and individual payer guidelines.
To be clear, even without an enforcement date for the ACA requirement or specific information from states or payers, healthcare organizations need to comply with the rules and regulations that apply to them. Following the law regarding submitting accurate healthcare claims is not optional.
Major Laws Related to Compliance
The purpose of healthcare compliance is to assist with the prevention of erroneous healthcare claims submission to healthcare insurance carriers (federal, state, and commercial). The ultimate goal is to prevent fraud, waste, and abuse. Below is a quick summary of a few (but certainly not all) of the acts and statutes related to healthcare compliance.
False Claims Act (FCA): The civil FCA imposes civil liability on any person who knowingly submits, or causes the submission of, a false or fraudulent claim to the federal government. “Knowing” and “knowingly” mean a person has actual knowledge of the information or acts in deliberate ignorance or reckless disregard of the truth or falsity of the information. A person can violate the FCA even if they have no specific intent to defraud.
Example: A physician knowingly bills for patient services when the patient was not seen.
Anti-Kickback Statute (AKS): The AKS makes it a crime to knowingly and willfully offer, pay, solicit, or receive any remuneration directly or indirectly to induce or reward patient referrals for the generation of business involving any item or service reimbursable by a federal healthcare program. Healthcare organizations should be sure to review updates to the AKS (and the Stark law below).
Example: A medical office gives coffee shop gift cards to patients who bring new patients to the office.
Physician Self-Referral Law (Stark Law): The Physician Self-Referral Law is often called the Stark Law. This law prohibits a physician from referring patients to receive “designated health services” payable by Medicare or Medicaid from an entity with which the physician or a member of the physician’s immediate family has a financial relationship, unless an exception applies.
HIPAA (Privacy and Security): The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the HHS Secretary to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.
Advantages of Healthcare Compliance Programs
Healthcare compliance is needed to ensure that healthcare organizations protect federal, state, and commercial insurance dollars from being misused. Organizations also benefit from having a healthcare compliance plan and program. An effective compliance program helps the organization detect issues early so the organization can fix them, such as medical coding and billing problems. The compliance program also sets a positive tone for the organization, indicating that its leadership and employees care about compliance and want to act ethically.
Healthcare organizations cannot reap the benefits of their compliance programs unless they use them. Having a healthcare compliance program designed to be window dressing, meaning the program was never intended to be as it was portrayed on paper, can cause many problems. For instance, if an organization is investigated for issues related to healthcare compliance — and the issues identified were spelled out in the organization’s compliance plan — the investigator will ask the organization to explain why it understood the core elements of compliance when designing the plan but chose to ignore its own plan.
Settings That Benefit From Compliance Programs
Many healthcare entities (settings) can benefit from an effective healthcare compliance program. The OIG has free resources to assist organizations with guidance on designing a healthcare compliance program. These settings include:
Hospitals
Nursing facilities
Physicians and physician groups
Durable medical equipment (DME) suppliers
Laboratories
Home health providers
Hospice providers
Third-party billing companies
Medicare Choice organizations (Part C, now MA)
Ambulance suppliers
Pharmaceutical manufacturers
Public Health Service research awards
The OIG has spent many years observing various types of healthcare entities and recognizes that some organizations are more prone to compliance issues. For example, a DME representative may feel pressed to embark on questionable activities to meet sales target goals. A culture of compliance is the foundation for the ethical and legal behavior of an organization.
Healthcare Compliance and Organization Size
For healthcare compliance, the size of the organization does matter. If a healthcare organization is small, a compliance program is necessary, but it may not need to have a compliance committee or dedicated person to handle compliance. The office manager might wear the compliance hat in smaller healthcare organizations. On the other hand, the larger the healthcare organization, the more compliance risks they face. Larger organizations need to put more checks and balances in place.
As an example, teaching facilities have medical residency programs. The medical resident and supervising physician have special documentation and attestation requirements. These facilities also use special medical coding modifiers that nonteaching facilities do not use. These special coding guidelines need to be represented in the organization’s compliance plan.
How to Design a Healthcare Compliance Program
A large budget to design and implement a compliance program is not necessary. The OIG and CMS provide free resources and tools — checklists, fact sheets, educational videos, and more — to help create a compliance plan.
The best way to start a healthcare compliance plan is to research free compliance plans from a similar healthcare organization and to review what others have written, looking for samples from reputable sources. The plan needs to be customized to fit an organization’s unique circumstances.
All seven core compliance elements should be addressed in a compliance plan, first deciding how deep and expansive the organization wants the compliance program to be. Many states have implemented an eighth core element that addresses nonretaliation. Even if the state doesn’t require this element, addressing it in a compliance plan is wise. Those who come forward in good faith to report compliance issues should not have to fear retaliation.
The average healthcare compliance plan can cover the basics of all eight compliance elements in three to four pages. The plan must be one that a healthcare organization can implement and oversee. Organizations will be held accountable for compliance items that are stated to be delivered, so the plan should include items only intended for follow-through.
The plan should address how often the organization will review it each year to ensure goals are met and to incorporate any new OIG Work Plan items into the compliance plan. At a minimum, the plan should be reviewed by the compliance point of contact, senior management, and the board (if the organization has one) at least once a year. After each review, the document should be dated, and the signatures included of those who assisted in reviewing the plan. Most likely the existing plan will only need to be amended each year, versus writing a new compliance plan.
Effort and professional drive are key to a successful compliance program. Everyone must understand that compliance is part of an organization's culture, with senior management serving as a driving force. A compliance plan should be easy to read by every education level represented in the work force, and all employees need to understand the compliance plan, including all updates each year. A good way to do this is to make compliance fun. Implementing compliance games is a great way to engage the employees.
Effective Healthcare Compliance Programs
Authorities such as the Department of Justice (DOJ) often use the term “effective” when evaluating compliance programs. An effective healthcare compliance program is one where the outcome of the compliance plan achieves what was outlined in it.
Regardless of the size of the organization, the compliance professional must have adequate resources to implement and oversee the compliance program. This includes resources for steps like risk analysis, which assists organizations with identifying weak spots, especially if the program is not achieving its goals.
A starting point for ensuring a compliance plan is effective is the DOJ’s Evaluation of Corporate Compliance Programs, updated in March 2023. Key points reviewed include:
Is the corporate compliance program well designed?
Has the organization conducted a risk assessment?
Does the organization allocate resources for compliance appropriately when comparing low- to high-risk areas?
What type of training do key gatekeepers receive?
CERT and OIG Work Plan as Compliance Tools
Many tools are available to help establish an effective compliance program. Below are two examples that inform organizations of problem areas identified by auditors.
Each year, CMS conducts Comprehensive Error Rate Testing (CERT) to ascertain how healthcare providers are doing in regard to billing, coding, and documenting for services rendered to Medicare beneficiaries. CERT reports go back to 2011. CMS looks at healthcare providers (physician services), hospital services, and DME to review a sample of claims and documentation across the U.S. This sample of claims and documentation helps CMS to see the bigger picture of how all healthcare providers are billing, coding, and documenting for services rendered. The CERT reports also help healthcare organizations see what issues CMS has identified as problem areas. The organization can then conduct risk analysis to ensure its actions comply with the rules and it is part of the solution rather than part of the problem.
In addition to providing compliance guidance, the OIG also has a Work Plan that outlines what issues they have identified as risks (fraud, waste, and abuse) and what they plan to investigate. The OIG Work Plan is updated as needed throughout the year and is considered active. For example, the OIG Work Plan was updated during the COVID-19 pandemic to include telehealth services as an area to watch in the future due to higher demand for these billable services. It is a good idea to visit the OIG Work Plan frequently to ensure a compliance plan is updated to address these risk areas.
Choosing a Compliance Point of Contact
A major factor in a compliance program’s success is the compliance professional (or point of contact/POC). The compliance point of contact for an organization needs to be aware of all duties that they must oversee per the compliance plan.
Key questions a compliance professional should be able to answer include:
What are the seven (or eight) core elements of compliance?
What are some key regulations that helped to form compliance?
Where can compliance resources be obtained?
What is the purpose of the OIG Work Plan?
What top medical codes should be audited or reviewed for the specific organization?
How will the compliance professional communicate any compliance updates to all employees?
How often will the compliance professional train new employees about compliance?
How often will the compliance professional conduct ongoing compliance education for current staff?
In addition to knowing the answers to these questions, a good compliance professional should have strong listening skills, a thirst to know compliance guidelines, an understanding of medical coding and billing practices, and the ability to understand the culture of the organization to assess objectively what’s working and what needs to be addressed.
Healthcare Compliance as a Career
As healthcare gets more regulated, the need for qualified and knowledgeable healthcare compliance professionals grows both in the U.S. and abroad. Compliance jobs are global for third-party billing companies and U.S.-based healthcare organizations that have satellite facilities in other countries.
Several healthcare compliance organizations assist compliance professionals and offer compliance classes to prepare professionals for certification or just to be prepared for the job. The government and payers do not require individuals to be certified to act as compliance professionals, but certification and credentials demonstrate to employers that the professional has a foundation in compliance complexities. Certification also helps professionals feel confident that they know the basics of healthcare compliance. Continuing education to stay up to date on compliance laws and regulations is also essential for anyone serious about healthcare compliance as a career.
In addition to knowledge, individuals must have the right personality to succeed in a compliance career. Compliance professionals need to hold staff accountable, even supervisors and the board. This can be achieved with good communication skills and relationships with members of the organization. Compliance professionals must know the difference between right and wrong and must adhere to the law and their organization’s code of conduct, as well as to professional organization guidelines per their credentials.
Often viewed as role models and as the public face of the organization, healthcare compliance professionals must adhere to the saying “what we permit, we promote” by demonstrating ethical behavior and being confident in their skills and abilities. This approach helps compliance professionals achieve their goals of protecting the organization; federal, state, and private payer funds; and patients.
Last reviewed on Dec. 4, 2023, by the AAPC Thought Leadership Team
About the author
See what job opportunities are out there
AAPC's job board is your one-stop resource for medical coding jobs, medical billing jobs, and other jobs in healthcare.
Certified Professional Compliance Officer (CPCO)®
By passing the CPCO exam, employers recognize you possess an understanding of the key requirements necessary to effectively develop, implement, and monitor a healthcare compliance program.