Skip Navigation
Seven Elements of an Effective Compliance Program
  • Compliance

Seven Elements of an Effective Compliance Program

An explanation of the seven basic elements that are expected by the OIG and the DOJ in a good-faith compliance program.

Paul Giancola & Claudia Stedman, attorneys at The Law Offices of Snell & Wilmer


For over 25 years, Health and Human Services Office of Inspector General (“OIG” or “HHS OIG”) has been promoting the seven elements of an effective compliance program. The OIG has published compliance program guidance for most health care providers and suppliers including clinical laboratories, home health, hospitals suppliers, nursing homes, and for individual and small group physician practices.

In 2010 the Affordable Care Act mandated a compliance program for Medicare, Medicaid, and Children’s Health Insurance Program providers. An effective compliance program, with its internal controls and monitoring, allows a provider or supplier to identify and promptly respond to potential violations of state and federal laws, thereby preventing the submission of erroneous claims and fraudulent conduct.

Although many medical practices have adopted compliance programs with compliance policies and procedures, they often fail to fully operationalize the compliance aspects of the program, which creates ineffective results. To address this concern, the United States Department of Justice (“DOJ”) has also provided guidance by developing a metric to assess whether a compliance program is effective.

One focus of the DOJ has been on individual responsibility. This means that in a civil or criminal prosecution, the DOJ will focus both on the medical practice as well as the individuals involved or responsible for the misconduct at issue. This article will focus on the basic elements of what is expected by the OIG and the DOJ in a good-faith compliance program.

Components of an Effective Compliance Program

Generally speaking, an effective compliance program for medical practices contains seven components:

  1. Implement compliance and practice standards

  2. Designate a compliance officer or contact;

  3. Conduct appropriate training and education;

  4. Conduct internal auditing and monitoring;

  5. Respond appropriately to detected offenses and develop corrective action;

  6. Develop open lines of communication; and

  7. Enforce disciplinary standards through well-publicized guidelines.

The OIG has acknowledged that full implementation of all components may not be feasible for all medical practices. However, medical practices may wish to consider adopting only those components which, based on the practice’s particular history with billing problems or other compliance issues, are most likely to produce an identifiable benefit.

Steps for Implementing a Compliance Program that Follows the Seven Core Elements

Establish Practice Standards and Procedures

Establishing written policies and procedures is necessary to promote consistency and uniformity. Policies and procedures should also establish standards of conduct and guidelines to be followed by employees of the practice. The standards should be designed to address both generalized codes of conduct that apply to all employees as well as specific standards that apply to particular employees based upon their role in the practice. For example, policies should address the specific risk areas of the practice as well as policy statements regarding patient care, personnel matters and practice standards and procedures on complying with Federal and State law.

Medical practices that do not have standards or procedures in place can: (1) develop a written standards and procedures manual that includes, among other things, the compliance reporting structure, training requirements, how investigations will be conducted, monitoring and auditing, how issues are resolved; and (2) update clinical forms to ensure that they facilitate and encourage clear and complete documentation of patient care. A practice’s standards could also identify the clinical protocol(s), pathway(s), and other treatment guidelines followed by the practice.

Particular medical practice risk areas are:

  1. Coding and billing (often the highest risk area);

  2. Whether services are reasonable and medically necessary;

  3. Documentation expectations; and

  4. Improper inducements, kickbacks, and/or self-referrals.

High Level Oversight and Designation of Compliance Officer/Contract(s)

A compliance officer or a compliance committee should be established to oversee the compliance program. Most large practices have both an officer and a committee that the officer reports to. Other organizations have the officer report to the Executive Committee or to the Board of Directors. In either case, the officer is responsible for overseeing the implementation and day-to-day operations of the compliance program and developing corrective action. It is acceptable for a medical practice to designate more than one employee with compliance monitoring responsibility. The compliance officer and/or committee will usually be involved in auditing, monitoring, conducting investigations, recommending policy improvements, enforcing compliance, and often interacting with outside or in house counsel regarding compliance matters.

Conducting Appropriate Training and Education

Conducting effective training is necessary to ensure that staff is aware of the practice’s expectations and standards. Training may be accomplished through a variety of means, including in-person training sessions (i.e., either on site or at outside seminars), web-based training, distribution of newsletters, or even a readily accessible office bulletin board. Regardless of the training modality used, a medical practice should ensure that the necessary education is communicated effectively and that the practice’s employees come away from the training with a better understanding of the issues covered.

Auditing and Monitoring

An ongoing evaluation process includes not only whether the practice’s standards and procedures are in fact current and accurate, but also whether the compliance program is working (i.e., whether individuals are properly carrying out their responsibilities and claims are submitted appropriately). Practices can perform a standards and procedures review or a claims submission audit. Through a standards and procedures review, practices should assess their policies and procedures to determine whether those standards are complete and accurate. In a payment claims submission audit, the practice should review bills and medical records to ensure compliance with applicable coding, billing, and documentation requirements. The Centers for Medicare and Medicaid (“CMS”) recommends auditing of both internal and external accounts, as needed. Additionally, auditing should include formal reviews against a set of base measurement standards contained in the practice’s policies and procedures.

Responding to Detected Offenses and Developing Corrective Initiatives

When a practice determines it has detected a possible violation, the next step is to develop a corrective action plan and determine how to respond to the problem. Upon receipt of reports or reasonable indications of suspected noncompliance, it is important that the Compliance Officer, Contact or Committee investigate the allegations or concerns to determine whether a significant violation of applicable law or the requirements of the compliance program has indeed occurred, and, if so, take decisive steps to correct the problem. As appropriate, such steps may involve a corrective action plan, the return of any overpayments, a report to the Government, and/or a referral to law enforcement authorities.

Developing Open Lines of Communication

It is important that medical practices have open lines of communication to identify potential noncompliance and strategize how to address those problems. An “open door” policy ensures that all employees have access to the Compliance Officer, Contact or Committee at all levels of the practice. How to achieve this will depend on the size and structure of the practice. For example, the OIG has encouraged the use of several forms of communication between the compliance officer/committee and provider personnel, many of which focus on formal processes and are more costly to implement (e.g., hotlines). The nature of a small medical practice dictates that such communication and information exchanges may need to be conducted through a less formalized process. What is important is to identify what works best for your practice.

Enforcing Disciplinary Standards Through Well-Publicized Guidelines

A medical practice should incorporate measures into its practice to ensure that practice employees understand the consequences if they behave in a non-compliant manner. An effective compliance program includes procedures for enforcing and disciplining individuals who violate the practice’s compliance or other practice standards. The OIG recommends that a medical practice’s enforcement and disciplinary mechanisms ensure that violations of the practice’s compliance policies will result in consistent and appropriate sanctions, including the possibility of termination, against the offending individual. At the same time, it is advisable that the practice’s enforcement and disciplinary procedures be flexible enough to account for mitigating or aggravating circumstances.

Disciplinary actions may include: Warnings (oral); reprimands (written); probation; demotion; temporary suspension; termination; restitution of damages; and referral for criminal prosecution. Inclusion of disciplinary guidelines in training and procedure manuals is sufficient to meet the ‘‘well publicized’’ standard of this element. It is suggested that any communication resulting in the finding of non-compliant conduct be documented in the compliance files by including the date of incident, name of the reporting party, name of the person responsible for taking action, and the follow-up action taken.

Practical Advice

  • Review resources from the OIG and CMS in developing or improving your compliance plan;

  • Keep it simple and easy to read;

  • Annual review to revise, as needed;

  • Engage providers and employees by scheduling educational meetings;

  • Routinely highlight the importance of compliance through emails, newsletters, and meetings;

  • Identify a compliance officer or contact who is readily accessible; and

  • Strive to make compliance friendly, fair, and fun.

Benefits of a Compliance Program

While a practice’s primary focus should be on patient care, OIG has noted that patient care can actually be enhanced by the adoption of a compliance program. For instance, increased accuracy of documentation through a compliance program will assist a practice in maintaining the most accurate records for its patients. Implementing a compliance program can be analogous to preventive medicine in that this proactive approach can help to prevent billing and compliance problems in the future. Other benefits may be realized through adoption of a voluntary compliance program as well:

  • Increasing efficiency and optimization of proper payment of claims;

  • Minimizing billing mistakes, such as double billing, billing for non-covered services, improper coding, and insufficient documentation to support the diagnosis, treatment, or CPT code, using incorrect modifiers or place of service designations, and unbundling or upcoding the level of service;

  • Reducing the risks that an audit will be conducted by CMS Services Program Auditor or the OIG; and

  • Avoiding conflicts with the Stark and Anti-Kickback statutes.

Developing an effective compliance program can also generate a culture of compliance and communicates to a practice’s employees that those individuals also have an affirmative, ethical duty to come forward and report erroneous or fraudulent conduct.

OIG recommends that medical practices approach this compliance through a step-by-step approach. This article is neither mandatory nor an all-inclusive list of all advisable components of a compliance program. If you have questions about how to create an effective compliance program for your practice, consider contacting MICA or a healthcare attorney.