Elements Of An Effective Compliance Program – Written Policies And Procedures

The U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG) provides guidance to various healthcare providers in the form of compliance program guidance documents. [1] These documents provide insightful and useful information on how to structure an effective compliance program. In today’s enforcement environment, HHS is closely scrutinizing healthcare providers’ compliance programs. It is no longer sufficient to simply have a compliance program. HHS wants to see evidence that the program is effectively identifying fraud, waste and abuse, that the program fosters an ethical environment for employees and that the organization is largely choosing to do the right thing.

This article examines written policies and procedures, one of the OIG’s seven elements of an effective compliance program, and offers best practices for enhancing your current compliance efforts.

Policies and procedures and other related compliance documents are the necessary foundation for a compliance program. These documents provide the Compliance Officer, executive management and the workforce with an understanding of what is expected and how to operate. The first document developed and distributed should be the Standards of Conduct or Code of Conduct. This document must:

  • Establish a commitment to compliance with all federal and state standards.
  • State the organization’s goals, mission and ethical requirements.
  • Express a clear expectation that all members of the workforce, management, governing board, contractors and other agents working on behalf of the organization adhere to the standards.

The second type of document healthcare providers must establish is policies and procedures. In the Publication of the OIG Compliance Program Guidance for Hospitals,[2] the OIG outlines several specific areas where policy development is necessary. Organizations should take into account the regulatory exposure of certain high-risk areas. The OIG addresses special areas of concern, including:

  • Billing for items or services never provided
  • Providing medically unnecessary items or services
  • Upcoding and Diagnosis Related Group (DRG) creep[3]
  • Unbundling services
  • Duplicate billing
  • Anti-Kickback Statute
  • Joint ventures, Stark Law and financial arrangements between hospitals and hospital-based physicians
  • False cost reports

It is important to develop policies that address the aforementioned areas. However, you must also be mindful of your organization’s own unique high risk areas. Identification of high risk areas can be made through annual compliance audits, internal claims reviews, hotline reports, etc. Looking at your own high risk areas will help establish necessary procedures to remediate these risks.

In addition to high risk areas, the OIG highlights several other areas that should be addressed through policy and compliance documents.

  • Claim development and submission. Not only does the OIG identify a number of high-risk areas related to billing, there are also numerous Centers for Medicare & Medicaid Services contractors (e.g., MACs, RACs, ZPICs, MICs) looking at medical records, which places claims under high scrutiny.
  • Medical Necessity. The Compliance Officer should ensure there is a clear and comprehensive summary of the definitions of “medical necessity,” as well as the rules for federal and private payers.
  • Anti-Kickback and Self-Referral Concerns. Policies should address contracts between physicians and the hospital, referral sources, financial arrangements and safe harbor regulations.
  • Bad Debts. Establish a plan to annually review whether the organization is properly reporting and claiming.
  • Retention of Records. Policies and procedures should clearly establish creation, distribution, retention, storage, retrieval and destruction of documents.

Developing policy and compliance documents from scratch, and even updating current documents, can be a lengthy process. Sufficient time to allocate to the process may be hard to find. There are solutions available to assist you in the process. One example is Compliance Resource Center’s Policy Resource Center, an online library of up-to-date documents. Our service provides hundreds of policy and compliance documents ready for use that address the areas discussed above. Solutions such as the Policy Resource Center can provide your organization with a plethora of ready-to-implement documents to get your compliance program started.

Best Practices

All compliance policies and related documents should be developed and reviewed under the direction of the compliance officer and compliance committee. Upon finalization of policy documents, the compliance officer should either train or schedule a training to educate the workforce affected by the policy area. Additional best practice tips include:

  • Use policy and procedure templates to keep the look and format of your organization’s documents consistent.
  • Write documents to be user-friendly and easy to follow.
  • Annually review policy and compliance documents to ensure the content is up-to-date and consistent with federal and state rules, law, regulation and guidance.
  • Ensure a policy management process is in place.
  • Train the workforce on new and updated policy and compliance documents during annual compliance program training, at staff meetings and ad hoc training sessions.
  • Document that training was provided to the workforce using signed attestations.
  • Ensure easy access of policies for all affected parties.
  • Verify policies are followed through monitoring activities.
  • Validate policies are achieving the desired outcome.
  • Create metrics to evidence effectiveness of the policies.

This article only touches on the subject of policy development. More information and details concerning types of compliance policies, as well as their development and management, can be found at the Policy Resource Center.

As mentioned earlier in this article, the OIG drafted compliance program guidance documents for numerous types of healthcare providers. As a helpful reference, included below are links to those guidance documents.


Nursing Facilities

Research Recipients

Pharmaceutical Manufacturers: Compliance Program Guidance for Pharmaceutical Manufacturers (68 Fed. Reg. 23731; May 5, 2003)

Ambulance: Compliance Program Guidance for Ambulance Suppliers (68 Fed. Reg. 14245; March 24, 2003)

Physician Practices: Compliance Program Guidance for Individual and Small Group Physician Practices (65 Fed. Reg. 59434; October 5, 2000)

Medicare+Choice Organizations: Compliance Program Guidance for Medicare+Choice Organizations (64 Fed. Reg. 61893; November 15, 1999)

Hospices: Compliance Program Guidance for Hospices (64 Fed. Reg. 54031; October 5, 1999)

DME: Compliance Program Guidance for the Durable Medical Equipment, Prosthetics, Orthotics, and Supply Industry (64 Fed. Reg. 36368; July 6, 1999)

Third-Party Medical Billing Companies: Compliance Program Guidance for Third-Party Medical Billing Companies (63 Fed. Reg. 70138; December 18, 1998)

Clinical Laboratories: Compliance Program Guidance for Clinical Laboratories (63 Fed. Reg. 45076; August 24, 1998)

Home Health Agencies: Compliance Program Guidance for Home Health Agencies (63 Fed. Reg. 42410; August 7, 1998)

[1] Department of Health and Human Services Office of Inspector General. “Compliance Guidance.”

[2] Department of Health and Human Services Office of Inspector General, OIG Supplemental Compliance Program Guidance for Hospitals. 70 Fed. Reg. 19, 4858, 4858 (January 31, 2005).

[3] The practice of billing a higher DRG code that would provide receipt of a higher payment than the DRG code that more accurately reflects the level of service provided.