Compliance Program

A structured system of policies, procedures, training, and monitoring designed to prevent, detect, and correct violations of healthcare laws and regulations.

A compliance program is not optional for healthcare providers. The OIG has published guidance recommending that all healthcare providers implement compliance programs, and for some provider types (like Medicare-enrolled physicians), it is effectively required. Having a compliance program also demonstrates to payers during credentialing that your practice takes regulatory obligations seriously. The seven elements of an effective compliance program, as defined by the OIG, are: written policies and procedures that address specific risk areas, designation of a compliance officer and compliance committee, effective education and training for all employees, a mechanism for reporting concerns or violations (like a compliance hotline), internal auditing and monitoring, enforcement of disciplinary standards, and prompt response to detected problems. For small practices, this does not need to be an overwhelming bureaucratic exercise. A compliance program can be scaled to your practice size. At minimum, you need documented policies for coding and billing, HIPAA privacy and security, a designated compliance contact person, annual staff training, a way for employees to report concerns without retaliation, and a process for reviewing and correcting issues. Common risk areas that your compliance program should address include: accurate coding and billing (no upcoding, no unbundling), proper documentation supporting billed services, HIPAA privacy and security policies, anti-kickback and Stark Law compliance, proper use of modifiers, and accurate reporting of quality measures. During credentialing and re-credentialing, some payers ask whether you have a compliance program and who your compliance officer is. Having a documented program ready to reference shows the payer that you are managing compliance proactively rather than reactively. Review your compliance program annually. Update policies when regulations change, retrain staff on new requirements, and conduct internal audits of your high-risk areas. A compliance program that was created five years ago and never updated provides little protection.