Direct Answer
A medical billing compliance program is an organized set of policies, procedures, controls, and monitoring activities that ensure billing and coding practices comply with Medicare, Medicaid, and commercial payer rules, as well as applicable federal and state laws. The OIG identifies seven foundational elements of an effective compliance program. Healthcare organizations that implement and maintain all seven elements reduce their legal exposure, qualify for reduced penalties when violations are discovered and self-reported, and build the operational culture needed to sustain accurate billing over time.
OIG Seven Elements of Compliance
The OIG's seven elements of an effective compliance program, as they apply to medical billing:
(1) Written policies and procedures: documented billing and coding standards, a code of conduct, and policies covering specific high-risk areas such as documentation requirements for E&M levels, modifier usage, incident-to supervision, and advance beneficiary notice procedures.
(2) Compliance officer and compliance committee: a designated individual with authority and accountability for the compliance program. In small practices this may be a part-time role; in health systems it is typically a full-time position with direct board reporting.
(3) Training and education: annual compliance training for all staff who bill or code; specialty-specific training for coders in each specialty; documentation training for physicians; training on new or revised policies; and tracking of training completion and attestation.
(4) Open lines of communication: a confidential reporting mechanism, such as a hotline or anonymous reporting portal, through which staff can report suspected violations without fear of retaliation. The non-retaliation policy must be documented and enforced.
(5) Monitoring and auditing: periodic internal audits of billing and coding; external audits by independent coders; monitoring of OIG Work Plan targets; and tracking of payer audit activity such as RAC, CERT, and MAC audits.
(6) Enforcement of standards: consistent and fair enforcement of compliance standards; disciplinary policies that address compliance violations; and no special exemptions for high-revenue providers.
(7) Response to detected offenses: documented procedures for investigating detected violations; self-disclosure protocols; repayment calculations; and corrective action plans to prevent recurrence.
High-Risk Billing Areas for Medical Practices
The OIG annually publishes a Work Plan identifying compliance focus areas where federal enforcement and audit resources are directed. Perennial high-risk billing areas for physician practices:
Evaluation and management upcoding: billing higher-complexity E&M codes than the documentation supports, with the OIG historically focusing on new patient vs. established patient coding and hospitalist E&M.
Incident-to billing: services billed as incident-to the physician when supervision requirements are not met.
Modifier misuse: Modifier 25 appended to E&M services without a separately identifiable service; Modifier 59 used to override NCCI bundling edits without meeting the criteria; Modifier 24 used in the global period without a distinct, unrelated service.
Unbundling: billing separate procedure codes for services that should be billed as a single comprehensive code under CPT bundling guidelines or NCCI edits.
Medically unnecessary services: procedures lacking ICD-10 diagnosis codes that support medical necessity under LCD/NCD coverage criteria.
Telehealth compliance: billing telehealth services without meeting the technology, patient consent, or setting requirements of the applicable payer policy.
High-cost drug billing: chemotherapy, biologics, and infusions, where the compliance risks are NDC/J-code accuracy and waste documentation.
Each risk area should have a dedicated compliance policy and be included in the annual audit scope.
Internal Compliance Audit Program
An internal compliance audit program systematically reviews billing and coding practices to identify errors before they become enforcement targets. Audit program design:
Scope and sampling: select a statistically meaningful sample of claims by service type, provider, and payer; the minimum recommended sample is 10 to 30 records per provider per audit cycle; focus initial audits on high-risk areas from the OIG Work Plan and internal denial data.
Audit frequency: an annual baseline audit for all providers; quarterly or semi-annual targeted audits for high-risk service lines or providers with identified patterns.
Audit methodology: compare the clinical documentation to the billed code for each sampled claim; assess whether the documentation supports the CPT codes billed; identify under-coding as well as over-coding; calculate an error rate and a financial impact estimate; identify patterns, for example all E&M audits for one provider showing consistent 99214 billing for patients whose documentation supports 99213.
Findings and feedback: provide individual feedback to each provider audited; track error rates over time; require corrective action plans for providers with error rates exceeding the threshold (typically 5 to 10%); document findings, feedback, and corrective actions in the compliance file.
External audit: engage an independent external coding reviewer annually, or following a significant internal finding, to validate the internal audit methodology and provide an independent assessment. External audit findings that reveal systematic over-billing may require a self-disclosure assessment.
Self-Disclosure and Voluntary Repayment
When an internal compliance audit discovers a billing pattern that resulted in an overpayment from Medicare or Medicaid, the organization faces legal obligations.
The 60-day rule under ACA Section 6402: when an overpayment under Medicare or Medicaid is identified, the provider has 60 days to report and return it. "Identified" means the organization has determined, or should have determined through reasonable diligence, that an overpayment has been received. Failure to repay within 60 days of identification creates an obligation under the False Claims Act.
Self-disclosure programs: the OIG Self-Disclosure Protocol allows organizations to self-disclose conduct that potentially violates federal fraud and abuse laws to the OIG; self-disclosure typically results in reduced settlement multipliers compared to government-initiated investigations; it requires a complete description of the conduct, a financial analysis of the overpayment, and proposed corrective actions. The CMS Self-Referral Disclosure Protocol addresses potential Stark Law violations specifically.
Voluntary repayment to the MAC without formal self-disclosure is appropriate for clear-cut overpayment errors without intent to defraud; for conduct that could constitute fraud, formal self-disclosure is the appropriate path. Legal counsel should be involved in any assessment of whether self-disclosure is required.
Exclusion Screening Requirements
Federal law prohibits Medicare and Medicaid from paying for items or services furnished by, or at the direction of, an excluded individual or entity. Healthcare organizations cannot bill Medicare or Medicaid for services provided by anyone who is currently excluded from federal healthcare programs.
Exclusion screening requirements: screen all new hires, contractors, and vendors against the OIG List of Excluded Individuals and Entities (LEIE) before the first date of service; re-screen the entire workforce monthly, since the LEIE is updated monthly; maintain documentation of all screening results and dates; include exclusion screening in employee onboarding procedures and vendor contracting requirements.
Consequences of billing for excluded individuals: each claim submitted for services by an excluded individual is a separate Civil Monetary Penalties Law violation; penalties can reach $20,000 per claim plus three times the overpayment, plus potential False Claims Act liability.
Additional screening: screen against the System for Award Management (SAM) database for debarment from federal programs; screen against the state Medicaid exclusion lists in every state where the organization bills Medicaid, since the OIG LEIE alone is insufficient for Medicaid.
Exclusion screening software that automates monthly re-screening and generates compliance reports is available; manual monthly screening is operationally error-prone for any organization with more than a handful of employees.
FAQ
Is a formal compliance program legally required for physician practices?
For most physician practices, a formal written compliance program is not currently required by federal law, with the exception of certain Medicare ACOs and specific program conditions. However, an effective compliance program provides significant legal protections and is strongly recommended by the OIG for all healthcare providers. The key legal benefits: the existence of an effective compliance program is a mitigating factor in False Claims Act liability, and the OIG and DOJ expressly consider compliance program quality when assessing penalties and settlements; under the Federal Sentencing Guidelines, an effective compliance program can reduce organizational culpability scores, which directly affect criminal fine levels; and state laws in some jurisdictions do require compliance programs for healthcare providers above certain size thresholds. The practical reality is that the combination of OIG Work Plan audits, RAC audits, CERT reviews, MAC pre-payment reviews, whistleblower suits under the False Claims Act, and state Medicaid fraud unit audits creates a regulatory environment in which practices without compliance programs face material legal and financial risk. A compliance program that is documented, implemented, and maintained (not just written and filed) is the best available defense against enforcement actions. The OIG has specifically noted that a compliance program that exists only on paper provides no meaningful mitigation benefit; it must be operational.
What is the Stark Law and how does it affect physician billing?
The Stark Law (42 U.S.C. 1395nn), also called the physician self-referral law, prohibits a physician from making referrals for designated health services to an entity with which the physician or an immediate family member has a financial relationship, unless an exception applies. Designated health services include clinical laboratory services, physical and occupational therapy, radiology and imaging, radiation therapy, durable medical equipment, home health services, parenteral/enteral nutrition, prosthetics, outpatient prescription drugs, and inpatient and outpatient hospital services. The Stark Law is a strict liability statute: intent to violate is not required; the financial relationship and referral alone trigger the violation unless a regulatory exception is met. Common Stark exceptions: bona fide employment exception for employed physicians; personal services arrangements exception for contracted physician services; and in-office ancillary services exception for certain ancillary services delivered in the referring physician's own practice. Billing implications: claims submitted for services rendered pursuant to a Stark violation are false claims under the False Claims Act; the government has collected over $3 billion in Stark and Anti-Kickback settlements. Physician compensation arrangements must be reviewed by healthcare counsel for Stark compliance before implementation. The most common Stark issue for physician practices involves compensation formulas that include a value-based element tied to referrals, such as a bonus formula where the physician's bonus increases with imaging referrals they generate; these require careful structuring under one of the recognized exceptions.
Build a Billing Compliance Program That Protects Your Organization
Valiant Lifecare provides compliance program development, internal audit services, coding review, exclusion screening implementation, and OIG Work Plan risk assessment, helping healthcare organizations implement the OIG seven elements framework to reduce legal exposure and maintain billing integrity.