The phrase “healthcare compliance program” is commonly used to describe those processes and procedures implemented by a healthcare provider to prevent submission of erroneous claims and combat fraudulent conduct. The expectation is that providers using internal controls will more efficiently monitor adherence to legal and regulatory requirements than providers without such controls in place [1]. However, confusion remains over whether a healthcare compliance program is legally required for many healthcare providers, particularly those in clinical practice.

Some healthcare providers may believe a formal compliance program is not necessary until a clear, legal requirement is established involving detailed parameters and penalties. This perspective primarily comes from those who don’t have the time, energy or resources to implement a program unless they understand it as an enforced legal mandate tied to penalties. Understandably, the same perspective surrounded compliance with HIPAA until the 2009 HITECH Act issued a clear enforcement rule with sizeable penalties for noncompliance [2].

Unlike HIPAA, there currently exists no clear enforcement rule setting forth explicit penalties against all types of providers for failure to implement a formal healthcare compliance program. While Section 6401 of the Patient Protection and Affordable Care Act requires, as a condition of participation, that all healthcare providers participating in a federal healthcare program establish a compliance program, that mandate takes effect only when the Secretary of the Department of Health and Human Services (“HHS”) determines the timeline and core elements for it [3]. To date, the Secretary of HHS has not formally issued a timeline.

However, HHS through its Office of Inspector General (“OIG”) has issued significant guidance surrounding core elements of compliance programs for many types of participating providers. Beginning in the late 90s and through early 2000, HHS issued compliance program guidance for multiple healthcare providers, from physician practices to nursing facilities [4]. The OIG’s website currently contains 13 compliance resource publications and an abundance of other compliance education materials (including PowerPoints and videos for ease of understanding) [5]. Just last year, OIG issued a resource guide on measuring compliance program effectiveness “to ensure that all elements of a compliance program [are] covered” [6]. This guidance and commentary make it clear compliance programs are, at a minimum, an expectation from key enforcement agencies.

Additionally, compliance program obligations were recently addressed by HHS’s Centers for Medicare and Medicaid Services (“CMS”) in the 2016 “Overpayments” Final Rule (the “Overpayments Rule”) [7]. Under the Overpayments Rule, a provider is required to exercise “reasonable diligence” in identifying “overpayments”. In its commentary to the Overpayments Rule, CMS emphasized that “effective compliance programs [are] a way to avoid receiving or retaining overpayments” and, further, that “undertaking no or minimal compliance activities” could result in the government finding “a failure to exercise reasonable diligence” and a resulting violation of the False Claims Act [8]. Thus, providers who fail to implement compliance programs would have a challenging defense against the “reasonable diligence” requirement when an overpayments issue arises.

The question a provider must ask is not whether compliance programs are legally required, but whether the provider’s risk tolerance for business and individual liability is sufficient to ignore these obligations and expectations. Assuming this risk is not tolerable for most providers, the provider should focus its energy on developing a plan for an effective compliance program that is reasonable in size and scope to its practice.

About the Author:

Rose Willis is a Member in Dickinson Wright’s Health Care Practice group and the Vice President of Compliance for Crux Strategies. Rose’s practice focuses on healthcare regulatory, transactional and corporate law in her representation of healthcare providers and suppliers and other current or prospective participants in the healthcare industry. To learn more about Dickinson Wright’s Health Care Practice and Crux Strategies, please contact Rose in the Troy or Saginaw offices at 248-433-7584 or rwillis@dickinson-wright.com and you can visit her bio here.


[1] See Compliance Program Guidance for Individual and Small Group Physician Practices, at 65 Fed. Reg. 59434 (October 5, 2000).
[2] See the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law on February 17, 2009 as part of Title XIII of the American Recovery and Reinvestment Act of 2009.
[3] It is worth noting, in contrast, that Section 6102 of the Patient Protection and Affordable Care Act established a clear and detailed compliance program mandate for nursing facilities.
[4] See, for example, Compliance Program Guidance for Individual and Small Group Physician Practices, et seq.
[5] See Compliance Education Materials, at https://oig.hhs.gov/compliance/101/index.asp, and Compliance Guidance, at https://oig.hhs.gov/compliance/compliance-guidance/index.asp (last accessed February 2, 2018).
[6] See Measuring Compliance Program Effectiveness: A Resource Guide; HCCA-OIG Compliance Effectiveness Roundtable (Issue Date: March 27, 2017), located at https://oig.hhs.gov/compliance/101/files/HCCA-OIG-Resource-Guide.pdf (last accessed February 2, 2018).
[7] See 81 Fed. Reg. 7653 (February 12, 2016).
[8] See id.