The Affordable Care Act (ACA) authorized the Secretary of the Department of Health and Human Services (HHS) to mandate that physicians who treat Medicare and Medicaid beneficiaries establish a compliance program. As of this date the Secretary has not issued a regulation making this mandatory. However, the HHS Office of Inspector General (OIG) has issued significant guidance to healthcare providers including physicians on the content of compliance programs. This guidance makes it clear that compliance programs are expected by the OIG. The guidance has identified seven elements that are necessary to have an effective compliance program. They are as follows.

  1. Adoption of written policies and procedures to promote the organization’s commitment to compliance.
  2. Identification and appointment within the organization of an individual to serve as compliance officer, who will be responsible for monitoring compliance efforts and enforcing practice standards.
  3. Establishment of reporting systems to encourage individuals to make complaints regarding compliance items without fear of retaliation.
  4. Commitment to conducting formal education and training programs for all levels of employees.
  5. Ongoing auditing and monitoring of systems to assess the effectiveness of the compliance program and identify issues.
  6. Development of policies to enforce standards of conduct with disciplinary measures for employees who fail to comply with requirements.
  7. When vulnerabilities are identified, a corrective action must be conducted in response to potential violations.

The OIG has also issued compliance program guidance for eight industry sectors, hospitals, clinical laboratories, home health agencies, durable medical equipment suppliers, third-party medical billing companies, hospices, Medicare + Choice organizations offering coordinated care plans, and nursing facilities.

The importance of having an active compliance program was emphasized by several representatives of the OIG at the recent American Health Lawyers Association (AHLA) Fraud and Compliance forum in Baltimore, Maryland (September 25-27, 2019). The speakers emphasized that a written plan alone, would not be considered to be an active plan. Speakers noted that during inspection activities when employees were queried some would have no knowledge of the existence of a compliance plan, or the identity of the compliance officer.

At least two OIG speakers stated that when determining the best resolution of an investigation of an alleged overpayment the existence of an active compliance program was very important. In particular, speakers mentioned that a finding of a lack of an active compliance program would almost assuredly result in a requirement that the entity enter into a Corporate Integrity Agreement (CIA) as part of a global resolution of a claimed overpayment. A CIA typically lasts for five years, although we have observed some three year agreements recently. An entity that is subject to a CIA endures a great deal of inconvenience and expense. A comprehensive CIA usually includes the following elements:

  • A review and modification of written standards and policies;
  • The appointment of a compliance committee;
  • The implementation of a comprehensive employee training program;
  • The establishment and testing of a confidential disclosure program;
  • The requirement that the entity retain an independent review organization (IRO) to conduct reviews on a specified timetable (quarterly to annually);
  • A report of all overpayments, reportable events, and ongoing investigations and legal proceedings; and
  • An implementation report on the status of the entities compliance activities.

CIAs usually include breach and default provisions with specified monetary penalties for failure to comply with obligations set forth in the CIA. In addition, the material breach of the CIA would constitute a basis for the provider’s exclusion from participation in Federal health care programs.

IROs are independent qualified vendors, typically forensic accounting and compliance firms, to conduct external reviews of compliance with the CIA and report via independent reports to the OIG. The use of an IRO can constitute a very significant expense.

In a related issue, the scope of acts or omissions that can lead to overpayments has been subject to expansion almost every year. Prosecutions for overpayments include the following areas of concern:

  • Upcoding;
  • Unbundling;
  • Failure to rectify accounts in a timely manner to identify duplicate or third party payments;
  • Payments received when there is an existing violation of regulations such as the Stark Laws or Anti-kickback law;
  • Services that do not meet acceptable standards;
  • Lack of medical necessity;
  • Incorrect coding;
  • Insufficient documentation; and
  • Processing or administrative errors.

Providers must use due diligence to identify overpayments and must report and repay overpayments within six months of quantifying the overpayment. Governmental agencies use numerous private auditors to identify overpayments and other areas of non-compliance. In many instances, a sample of records is audited and the overpayment revealed by the sample is then extrapolated over all payments for a period of time. This can result in a very large recoupment amount. In most instances, a six year look-back period is permitted. There is a self-disclosure program that can minimize the impact of improperly rectified overpayments. However, a multiplier may still be utilized on the amount of overpayment to be recouped and sanctions may be imposed. OIG speakers also indicated that the existence of an active compliance program would have an impact on the determination of the use of a multiplier and the imposition of sanctions.

Now is the time to assess the adequacy of your compliance program.

For more information, contact Bruce Lamb in Gunster’s Health Care practice at (813) 222-6605 or

Yes! Please sign me up to receive email alerts from other Gunster practice areas.

This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.

About Gunster

Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 12 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, The Florida Keys, Vero Beach, and its headquarters in West Palm Beach. With nearly 200 attorneys and 200 committed support staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at


Find a Professional

by Name

by Practice/Office