Health Care and Life Sciences > Health Reform Resource Center > PPACA-Mandated Compliance Programs Not Just a Paper Exercise-Are You Ready?
22 Nov '10

Recent rulemakings and comments from a Centers for Medicare & Medicaid Services (CMS) official provide clues as to how Medicare and Medicaid providers will be required to implement mandatory compliance programs as required under the Patient Protection and Affordable Care Act (PPACA).

As most in the health industry are aware, PPACA includes two separate provisions mandating compliance programs for Medicare and Medicaid providers, generally, and for nursing facilities, specifically.  PPACA § 6401, which applies to all Medicare and Medicaid providers, requires the secretary of the Department of Health and Human Services (HHS) to promulgate “core elements” and set an effective date for compliance programs, presumably through rulemaking, but does not set a deadline for these actions. This provision also did not provide detailed guidance on the core elements of a mandatory compliance program.  PPACA Section § 6102 applies to Medicare skilled nursing facilities and Medicaid nursing facilities and sets forth eight core elements of a mandatory compliance program.1 In a September 2010 proposed rule, HHS indicated that compliance program core elements under PPACA § 6401 will most likely be similar to the core elements for nursing facilities and to the elements of effective compliance described in the U.S. Federal Sentencing Guidelines Manual. In that proposed rule, HHS also requested suggestions for compliance program elements and comments on the costs and benefits of compliance programs or operations as well as on a reasonable timeline for establishment of a required program.

At a recent industry compliance conference, a CMS official discussed the new mandatory compliance program requirements, effective January 1, 2011, for Medicare Advantage (MA) and Medicare Part D programs. Although compliance programs for MA and Medicare Part D were mandatory prior to the passage of the PPACA, CMS enhanced those requirements in an April 2010 final rule.2 The CMS official also reportedly emphasized that implementing a compliance program is “not just a paper exercise.” Rather, organizations must be able to demonstrate that they have a “systemic process for proactively and promptly fixing noncompliance issues.” Together with the request for comments in September, this rulemaking and the CMS official’s comments provide some clues regarding the nature and scope of the elements likely to be mandated for provider compliance programs once regulations are published.

  • First, whereas the original MA and Part D standards included a generic provision governing the necessity of written policies and procedures, the enhanced regulations specified seven aspects of the program that the policies and procedures must cover.
  • Second, the existing requirement to designate a compliance officer was expanded to dictate that the compliance officer must be accountable to the organization’s chief executive and must report to the governing body. Notably, in its rulemaking, and as reflected in its response to comments, CMS refused to include language to allow such reporting to be performed by a “delegate” of the compliance officer. Additionally, the new regulations specified that the governing body must be knowledgeable about the content and operation of the compliance program and exercise reasonable oversight regarding the program.
  • Third, the compliance training and education element was amended to require that such education be provided to new members of the governing body. Significantly, CMS stressed in its rulemaking that this compliance training should be on an annual basis and not just for new employees.
  • Fourth, CMS amended the effective lines of communication requirement to make it explicit that the compliance program must include an internal reporting mechanism that allowed for anonymous complaints.
  • Fifth, the new regulations provided more specifics regarding what should be covered in the organization’s disciplinary standards. 
  • Sixth, CMS provided more detail regarding the requirement to conduct compliance monitoring and auditing, including the requirement to implement external audits to evaluate the overall effectiveness of the compliance program. This may be the most significant of the new requirements, as previously neither CMS nor the HHS Office of Inspector General (OIG) in its guidance referenced the need for external evaluation of compliance programs. Nevertheless, for some time it has been considered a best practice within the health industry to perform an independent external review of compliance programs approximately every five years.
  • Finally, regarding the seventh element—investigation, response and corrective action—the new regulations phrased the requirement in somewhat more detail, including a more specific reference to conducting compliance investigations.

While these core elements do not specifically apply to providers, they could reflect, in part, what may be coming once HHS establishes provider compliance program requirements. Additionally, it would not be surprising to see that the regulatory requirements include many of the criteria for evaluating compliance programs set forth in the OIG’s Supplemental Compliance Program Guidance for Hospitals, published in January 2005. Providers should consider engaging an expert to evaluate whether their compliance programs meet the relevant MA and Part D requirements, the OIG criteria, the PPACA core elements for nursing homes and the Federal Sentencing Guidelines elements. In satisfying these criteria, providers will likely have in place more than a “paper program” and can protect themselves on the front end from investigations and litigation under federal fraud and abuse laws.


1 The eight core elements for a nursing facility compliance program are—

 i.            Compliance standards and procedures must be adopted and followed.

 ii.           Specific individuals with authority and sufficient resources must be assigned to oversee compliance.

iii.          The organization must exercise due care to ensure that the above authority is not delegated to an individual with a propensity to engage in PPACA criminal, civil and administrative violations.

iv.          The organization must take steps to educate its employees and agents of the compliance program.

v.           The organization must take reasonable steps to achieve compliance with its standards.

vi.          The standards and procedures must be consistently enforced.

vii.         If an offense is detected, the organization must respond appropriately and prevent similar offenses.

viii.        The organization must periodically reassess the compliance programs and make changes necessary to reflect changes within the organization.

2 Although some aspects of the requirements are specifically tailored to the operational makeup of MA and Part D organizations, most of the requirements reflect compliance program elements that could be applicable to all types of health industry organizations.  The seven elements set forth in the MA and Part D compliance program regulations are—

i.             written policies and procedures

ii.            designation of compliance officer and compliance committee

iii.           compliance training and education

iv.           effective lines of communication

v.            well-publicized disciplinary standards

v.            monitoring and auditing

vi.           investigation, response and corrective action.