The phrase “healthcare compliance program” is commonly used to describe those processes and procedures implemented by a healthcare provider to prevent submission of erroneous claims and combat fraudulent conduct. The expectation is that providers using internal controls will more efficiently monitor adherence to legal and regulatory requirements than providers without such controls in place. However, confusion remains over whether a healthcare compliance program is legally required for many healthcare providers, particularly those in clinical practice.

Some healthcare providers may believe a formal compliance program is not necessary until a clear, legal requirement is established involving detailed parameters and penalties. This perspective primarily comes from those who don’t have the time, energy or resources to implement a program unless they understand it as an enforced legal mandate tied to penalties. Understandably, the same perspective surrounded compliance with HIPAA until the 2009 HITECH Act issued a clear enforcement rule with sizeable penalties for noncompliance.

Unlike HIPAA, there is currently no clear enforcement rule setting forth explicit penalties against all types of providers for failure to implement a formal healthcare compliance program. While Section 6401 of the Patient Protection and Affordable Care Act requires, as a condition of participation, that all healthcare providers participating in a federal healthcare program establish a compliance program, that mandate takes effect only when the Secretary of the Department of Health and Human Services (“HHS”) determines its timeline and core elements. To date, the Secretary of HHS has not formally issued a timeline.

However, HHS, through its Office of Inspector General (OIG), has issued significant guidance on the core elements of compliance programs for many types of participating providers. Beginning in the late ’90s and continuing through the early 2000s, HHS issued compliance program guidance for multiple categories of healthcare providers, from physician practices to nursing facilities. The OIG’s website currently contains 13 compliance resource publications and an abundance of other compliance education materials (including PowerPoint presentations and videos for ease of understanding). Just last year, OIG issued a resource guide on measuring compliance program effectiveness “to ensure that all elements of a compliance program [are] covered.” This guidance and commentary make it clear that compliance programs are, at a minimum, an expectation of the key enforcement agencies.

Additionally, compliance program obligations were recently addressed by HHS’s Centers for Medicare and Medicaid Services (CMS) in the 2016 “Overpayments” Final Rule (the “Overpayments Rule”). Under the Overpayments Rule, a provider is required to exercise “reasonable diligence” in identifying “overpayments.” In its commentary to the Overpayments Rule, CMS emphasized that “effective compliance programs [are] a way to avoid receiving or retaining overpayments” and, further, that “undertaking no or minimal compliance activities” could result in the government finding “a failure to exercise reasonable diligence” and a resulting violation of the False Claims Act. Thus, providers who fail to implement compliance programs would face a challenging defense against the “reasonable diligence” requirement when an overpayments issue arises.

The question a provider must ask is not whether compliance programs are legally required, but whether the provider’s risk tolerance for business and individual liability is sufficient to ignore these obligations and expectations. Assuming this risk is not tolerable for most providers, the provider should focus its energy on developing a plan for an effective compliance program that is reasonable in size and scope to its practice.

(1) See Compliance Program Guidance for Individual and Small Group Physician Practices, at 65 Fed. Reg. 59434 (October 5, 2000).
(2) See the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law on February 17, 2009 as part of the Title XIII of the American Recovery and Reinvestment Act of 2009.
(3) It is worth noting, in contrast, that Section 6102 of the Patient Protection and Affordable Care Act established a clear and detailed compliance program mandate for nursing facilities.
(4) See, for example, Compliance Program Guidance for Individual and Small Group Physician Practices, et seq.
(5) See Compliance Education Materials, at, and Compliance Guidance, at (last accessed February 2, 2018).
(6) See Measuring Compliance Program Effectiveness: A Resource Guide; HCCA-OIG Compliance Effectiveness Roundtable (Issue Date: March 27, 2017), located at (last accessed February 2, 2018).
(7) See 81 Fed. Reg. 7653 (February 12, 2016).
(8) See id.