Round 5 — Compliance and the Changing Environment
Module 2: Defining Your Compliance Plan
When your revenue cycle can't afford to stop.
A compliance plan isn't a binder that sits on a shelf. It's the active set of processes a practice uses to make sure clinical services are documented, coded, and billed correctly — and that when something goes wrong, there's a clear path to catch it, correct it, and prevent it from happening again.
The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services has published guidance on what an effective compliance program looks like for individual and small group physician practices. This module walks through that framework, explains fraud and abuse, and covers what federal auditors are actually looking for.
The OIG recommends that every practice compliance program include these seven elements. They're not optional extras — they're the baseline the federal government uses to evaluate whether a practice's compliance effort is real.
- Conducting internal monitoring and auditing
- Implementing compliance and practice standards
- Designating a compliance officer or contact
- Conducting appropriate training and education
- Responding appropriately to detected offenses and developing corrective action
- Developing open lines of communication
- Enforcing disciplinary standards through well-publicized guidelines
Business Risk Areas to Address
In addition to the seven elements, an effective compliance program should actively monitor these specific billing risk areas:
- Billing for items or services not sufficiently documented
- Upcoding
- Improper bundling of procedure codes
- Improper use of NPI numbers
- Billing for services provided by unqualified personnel
- Compensation structures that create financial incentives to improperly code
- Failure to properly resolve overpayments
- Contractual relationships with sanctioned individuals or organizations
- Violations of anti-kickback laws, Stark law, the False Claims Act, and HIPAA
Fraud and abuse are both serious — but they are legally distinct, and that distinction matters for how enforcement is handled.
Fraud is intentional. It means knowingly submitting false statements or misrepresentations to obtain payment that wouldn't otherwise be owed, soliciting or paying kickbacks for referrals, or making prohibited referrals for designated health services. Intent to deceive is the defining element.
Abuse is different. It describes billing practices that result in unnecessary costs to payers, but without the intentional deception that characterizes fraud. Unintentionally filing a duplicate claim, for example, may be abuse rather than fraud. The result is still harmful and still subject to correction and penalties, but the intent test matters in enforcement. Common examples of fraud and abuse include:
- Billing for services never rendered
- Billing for phantom patients
- Paying or receiving kickbacks for referrals
- Using false credentials
- Misrepresenting non-covered services as medically necessary
- Unintentionally filing duplicate claims
- Billing for services in excess of what was needed
- Collecting more than the allowed coinsurance or deductible from Medicare patients
The OIG publishes an annual work plan that identifies the specific billing and coding areas it will audit that year. A practice that isn't tracking the OIG work plan is flying blind on its own compliance risk exposure.
The OIG also maintains the List of Excluded Individuals and Entities (LEIE) — a database of providers and organizations found guilty of fraudulent activity. Before hiring a new provider or employee, or contracting with a billing-related vendor, any practice should check the LEIE. Employing or contracting with an excluded individual is itself a compliance violation.
Why This Matters in Practice
Federal and state enforcement tolerance is narrow, and scrutiny of healthcare billing has increased steadily. A compliance program that exists on paper but isn't actively practiced — no monitoring, no training, no corrective action process — offers very little protection when an audit arrives. The seven elements exist precisely because passive compliance doesn't work. Designating someone responsible, training staff regularly, and building in a process for catching and correcting problems are what make a compliance program real rather than decorative.