Form an effective compliance program

Jan. 1, 2011

Q What does the government’s requirement for a compliance program mean for clinical laboratories and pathologists?

A The Patient Protection and Affordable Care Act (PPACA)1 requires a compliance program as a condition of participation in federal health-benefits programs. This is one of several new weapons against fraud and abuse found in the PPACA. Another is that providers must report and return Medicare and Medicaid overpayments within 60 days of identification.

Any overpayment retained beyond the deadline may subject the company to the False Claims Act (FCA). A systemic error can result in huge FCA liability — including treble damages and mandatory penalties of up to $11,000 per claim. Faced with a potential overpayment, laboratories may engage outside counsel to investigate the matter.

Compliance programs, like the Office of Inspector General (OIG) model plan for laboratories,2 can reduce a company’s risk of overpayment. Organizations with effective compliance programs will benefit from deferred prosecution and reduced fines and sentences, and are less likely to be excluded. There are seven steps to an effective compliance program.

1. Compliance policies and procedures. Establish written policies, procedures, and controls to prevent and deter fraudulent conduct. Written policies and procedures and a code of conduct reduce risk by embedding compliance into organizational culture. They provide clear guidance about how to be compliant.

Written policies should cover marketing, self-referral, Stark and Antikickback statute (AKS) violations, HIPAA and HITECH protection, CLIA requirements, documenting medical necessity and accuracy in billing. Risks specific to laboratories should be addressed; for example, correct identification of services and selection of proper CPT or HCPCS codes.

2. Compliance officer and committee. Designate a compliance officer (CO) who monitors compliance efforts. The CO reports directly to the board of directors or chief executive officer (CEO). A compliance committee may be designated to help identify compliance gaps. Compliance is used to drive resource allocation and training, and to identify potential risks.

3. Exclusion check. Ensure that no employee or agent has engaged in illegal activities or conduct inconsistent with effective compliance. Employees, third-party vendors, sales force, and other agents should be “vetted” against government-exclusion databases prior to hiring or entering into a contract. The databases are found at and

4. Communication and training. Periodically communicate the organization’s policies, procedures, and other aspects of the compliance program. Training should be provided to all employees, including management, and any personnel involved in billing, sales, marketing, specimen collection, and test ordering. Attendance should be recorded.

The OIG recommends training on self-referral, Stark, the AKS, and CLIA requirements. Providers billing Medicaid $5 million or more should provide training on FCA laws, whistleblower protections, administrative remedies, and penalties for healthcare fraud. Training should be relevant to operations and driven by risks. All employees should be trained on the risks of non-compliance and the company’s non-retaliation policy. Training and communication should be provided in every applicable language using websites, handouts, slide decks, and online tools.

5. Monitoring and auditing. Use monitoring and auditing to detect fraudulent conduct or prevent overpayments. A reporting system (e.g., hotline with a well-publicized number) allows for anonymity and confidentiality. Employees in a widespread practice may not understand how to report a compliance incident.

Risk should drive auditing and monitoring. In addition to regular audits of billing, sales, pricing, ordering, and other areas, reviews should cover compliance with CLIA, federal and state laws, CPT/HCPCS coding and billing, reporting, and record-keeping rules. The results are reported to the CEO or board and used to identify the need for resources.

6. Appropriate disciplinary measures. The compliance plan should be enforced through appropriate performance incentives and disciplinary measures. Compliance breaches should be dealt with fairly without regard to internal hierarchy. Specific penalties for non-compliance must be clearly articulated, approved by legal counsel, communicated to the human resources department, and consistently enforced. Actual disciplinary measures should be publicized. Letting employees know the program has “teeth” is an important part of an effective program.

7. Reporting and response. If fraudulent conduct or systematic overpayments are alleged, respond appropriately to prevent further conduct. An internal investigation under attorney/client privilege may be warranted. The protocol for responding to allegations of fraud or misconduct should be outlined in the policies, with instructions about retaining and preserving records, and cooperating with auditors. If a compliance violation has occurred, it should be reported to the board and legal counsel. If necessary, the violation may be reported to the government. If there is an overpayment, steps should be taken to make any repayment.

Laboratories can benefit from an effective compliance program implemented before regulators visit. Planning ahead will go a long way toward helping an organization if the government “comes knocking.”


  1. U.S. Department of Labor. Patient Protection and Affordable Care Act; Pub. L. 111-148 Section 1128 J (d); (March 23, 2010), and the Healthcare and Education Reconciliation Act of 2010, Pub. L. 111-152 (March 30, 2010). See PPACA, Subtitle E, Medicare, Medicaid and CHIP Program Integrity Provisions, Section 6401. Accessed November 17, 2010.
  2. U.S. Department of Health and Human Services. Office of Inspector General. Accessed November 17, 2010.

Virginia B. Evans, Esquire, is a principal in Ober|Kaler’s Government Investigations and White Collar Defense Group in Washington, DC.

MLO’s “Liability and the lab” is intended to provide information of a general nature; it is not intended to provide specific legal advice. If you require legal advice, the services of an attorney should be sought.