• Health Reform Mandates that Health Care Providers Adopt Compliance Programs
  • May 19, 2010
  • Law Firm: Jackson Walker L.L.P. - Austin Office
  • The Patient Protection and Affordable Care Act (“PPACA”), which President Obama signed into law on March 23, 2010, for the first time mandates that, as a condition of enrollment in Medicare, Medicaid, or CHIP, providers and suppliers establish and maintain a compliance program centered around yet-to-be-defined “core elements.” A compliance program generally refers to a system, enacted within an organization that receives governmental resources, that is intended to detect and deter internal fraud, waste, and abuse of those resources.

    The PPACA charges the Secretary of Health and Human Services (“HHS”), in consultation with the Office of the Inspector General (“OIG”) of HHS, with establishing by rule the core elements that the compliance programs of providers or suppliers within particular industries or categories must meet. The Secretary will also determine the timeline for the establishment of these core elements, but the PPACA directs the Secretary to consider the extent to which providers or suppliers within a particular industry or category have already adopted compliance programs.

    Existing Compliance Guidance

    Though the PPACA compliance program mandate is new, the federal government’s support for compliance programs is not. In 1997, the OIG issued its first “compliance program guidance,” which was specifically intended for use as a model by clinical laboratories. Between 1998 and 2008, the OIG issued or supplemented compliance program guidance for hospitals, home health agencies, clinical laboratories, medical billing companies, DMEPOS suppliers, hospices, Medicare Part D organizations, nursing facilities, individual and small group physician practices, ambulance suppliers, and pharmaceutical manufacturers. In addition to the OIG’s efforts, the Centers for Medicare & Medicaid Services (“CMS”) issued its own compliance program guidance for Medicare fee-for-service contractors in 2005.

    The OIG’s guidance, as well as CMS’ 2005 publication, all state that they are intended as models and not as exhaustive descriptions of programs appropriate for all providers within a particular category (e.g., all hospitals). They are, however, all generally structured around seven elements that the United States Sentencing Commission has identified as those an organization must have incorporated into a compliance program to demonstrate that it exercised “due diligence” in detecting and deterring fraud, waste, and abuse of government resources. These elements include: (1) developing written policies and procedures; (2) designating a compliance officer and compliance committee; (3) conducting training and education; (4) developing effective lines of communication including anonymous reporting; (5) auditing and monitoring systems; (6) enforcing disciplinary guidelines and excluding ineligible persons; and (7) responding to, correcting, and reporting detected problems.

    The fact that the OIG and CMS have maintained their focus on these seven elements of compliance programs as fundamentals since 1998 and applied them across the provider spectrum suggests that the seven will enjoy pride of place among the Secretary’s core elements.

    PPACA Requirements for Compliance Programs

    Although it remains to be seen which categories of providers will be targeted first for mandatory compliance programs, the PPACA specifically requires that nursing facilities develop “compliance and ethics programs” by a yet-to-be-determined date no earlier than March 23, 2013. The PPACA directs the Secretary to promulgate regulations governing these nursing facility compliance programs by March 23, 2012. The regulations must distinguish between single nursing facilities and chain facilities, so that smaller operators face a lesser administrative burden.

    Aside from the deadlines set forth for nursing facilities, the PPACA grants the Secretary discretion to determine the timeline for establishing core elements based on the extent to which providers or suppliers within a particular industry or category have already adopted compliance programs. Considering CMS’ heightened scrutiny of home health agencies and DMEPOS suppliers through measures intended to prevent and detect fraud and abuse, these groups should pay particular attention to the Secretary’s actions on this front.

    The PPACA does not specify whether compliance plans will be required of currently enrolled providers and suppliers or only those seeking initial enrollment in Medicare, Medicaid, or CHIP. Nevertheless, all providers and suppliers currently enrolled or planning to enroll in these programs should have in place a compliance program—one that meets the currently recommended criteria for their industry and that can evolve to meet new requirements imposed by the PPACA. Having such a program in place now will give providers and suppliers a head start when the new required core elements are adopted. It will also help ensure that providers and suppliers are policing themselves internally in the face of ever-more-intense governmental scrutiny.