Healthcare Reform Law and Mandatory Compliance Programs

April 27, 2010

With the passage of the Patient Protection and Affordable Care Act of 2010, as amended by the Health Care Education Reconciliation Act of 2010 (the Healthcare Reform Law), Congress for the first time has mandated that a broad range of providers, suppliers, and physicians adopt a compliance and ethics program.[1] Smaller providers and suppliers may feel the impact of these new compliance program obligations most acutely given that many, if not most, larger healthcare providers already have some form of compliance program.

But large and small providers alike will need to be more vigilant in their compliance program efforts inasmuch as the new law will undoubtedly "raise the bar" for healthcare compliance measures. A failure to implement certain core compliance program features will create additional opportunities for regulatory and law enforcement scrutiny, as well as potential False Claims Act liability for failure to prevent or identify improper federal healthcare program claims and payments. The existence or lack of robust provider compliance program controls, when paired with the stronger sanctions and expanded application of the federal False Claims Act, Civil Monetary Penalties Law, and Anti-Kickback Law[2], will be subject to enhanced focus in fraud and abuse inquiries and prosecutions.

For the last 12 years, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) has promoted the voluntary adoption of compliance programs throughout the healthcare industry by the development and promulgation of compliance guidance tailored to specific healthcare industry segments. Additionally, OIG has settled hundreds of matters involving civil fraud allegations, using mandatory contractual compliance program obligations in the form of Corporate Integrity Agreements (CIAs) and other similar settlement documents that reflect OIG's perspective on appropriate elements and activities of a compliance program. These compliance program guidances and CIAs will undoubtedly serve as important guideposts to HHS as it considers which compliance program elements shall be required in the future.

The Healthcare Reform Law creates a new opportunity for HHS and its Inspector General to promulgate regulations that impose on most healthcare providers and suppliers a form of compliance program intended to be "effective in preventing and detecting criminal, civil, and administrative violations" under the Medicare and Medicaid laws. The New York Office of Medicaid Inspector General (New York OMIG) has adopted similar rules applicable to larger Medicaid providers in New York, but this federal initiative will be far more expansive in many respects.

The Healthcare Reform Law's compliance program mandates are divided into two categories: (1) nursing facilities and (2) all other providers/suppliers. The nursing facility compliance program provisions in the Healthcare Reform Law are far more detailed and contain the implementation timeline detailed below, whereas Congress did not set forth in the legislation any time frame for other healthcare provider/supplier compliance program implementation, leaving it to the discretion of HHS. At a recent conference for healthcare compliance officers, an official with the Centers for Medicare & Medicaid Services (CMS) publicly confirmed that, in accordance with this delegated authority that gives the HHS Secretary (the Secretary) discretion to prioritize certain industry sectors over others, it expects to issue the mandatory compliance program requirements on a rolling basis.

Nursing Facility Compliance Program Implementation:

  • By December 31, 2011, the Secretary shall establish and implement a quality assurance and performance improvement (QAPI) program for nursing facilities that will address best practices. Within one year following the promulgation of the Secretary's QAPI program regulations (no date is specified for such regulations), a nursing facility must submit a plan to HHS to meet such standards and implement such best practices.

  • By March 23, 2012, the Secretary of HHS, working jointly with OIG, must promulgate regulations for "an effective compliance program" for nursing facility operating organizations. Those regulations "may" include a model compliance program and, with respect to specific elements of the program, "shall" vary with the size of the operating organization for organizations that operate five or more facilities. Larger organizations are expected to have a more formal program, and requirements may "specifically apply to the corporate level management of multi-unit nursing home chains." In other words, the nursing facility compliance program regulations should contain an element of scalability and proportionality.

  • By March 23, 2013, skilled nursing facilities and other nursing facilities must have "in operation" a compliance and ethics program that meets the Law's criteria.

  • By March 23, 2013, the HHS Secretary shall have completed "an evaluation" of the compliance and ethics programs that nursing facilities will be required to establish. Interestingly, nursing facilities are not required to have in operation those compliance and ethics programs until the very same day the Secretary's evaluation is supposed to be completed.

  • Sometime after March 23, 2013, the Secretary must submit an evaluation report to Congress with recommendations on changes to the regulatory requirements for nursing facility compliance programs.

For nursing facilities, the Healthcare Reform Law specifies certain "required components of a compliance and ethics program" that include:

  • Compliance standards and procedures for employees and other agents "that are reasonably capable of reducing the prospect" of criminal, civil, and administrative law Medicare and Medicaid violations.

  • The assignment of overall compliance program oversight to "high-level personnel" with "sufficient resources and authority" to assure such compliance.

  • The exercise of "due care" not to delegate "substantial discretionary authority" to individuals whom the nursing facility knew or should have known had a "propensity to engage in criminal, civil, or administrative violations."

  • The effective communication of compliance standards and procedures to all employees and agents, including training programs or published materials.

  • The adoption of reasonable monitoring and auditing systems reasonably designed to detect compliance violations by employees and other agents and a mechanism for employees and agents to report violations without fear of retribution.

  • The consistent enforcement of appropriate disciplinary mechanisms, including for failure to detect an offense.

  • Following detection of an offense, reasonable responses to include steps to prevent further similar offenses, including any modifications to the compliance program.

  • The periodic reassessment of its compliance program to identify modifications necessary to reflect changes within the nursing facility organization and its facilities.

Although the Healthcare Reform Law states that the nursing facility compliance program regulations "may" contain a "model compliance program," it should not be read to mandate such an approach. Indeed, over the last 12 years, as it has issued its 11 voluntary compliance program guidances (largely derived from the federal Sentencing Guidelines' seven elements), OIG has steadfastly resisted promulgating a "model compliance plan," given its historic view that, when it comes to compliance programs, "one size does not fit all."

The New York OMIG has similarly declined to issue a model compliance plan despite the state's compliance program requirement for Medicaid providers. The "required components of a compliance and ethics program" for nursing facilities listed above and contained in the Healthcare Reform Law closely track the seven elements contained in the federal Sentencing Guidelines, as well as prior voluntary Compliance Program Guidance for Nursing Facilities published by OIG in March 2000 and the Supplemental Compliance Program Guidance for Nursing Facilities published by OIG in September 2008.

Compliance Programs for Other Providers

Although the Healthcare Reform Law's compliance program mandates for nursing facilities stand alone, the Law also contains broad compliance program requirements for all other healthcare providers and suppliers. Indeed, the Law requires that such providers and suppliers "shall, as a condition of enrollment," establish a compliance program that contains certain core elements established by HHS in "consultation" with OIG within particular industries or categories.

The requirements as to other providers and suppliers, however, are largely undefined. As noted above, there is no specific implementation timeline for the development or implementation of these compliance programs. Instead, Congress has left the establishment of core compliance program elements and implementation deadlines to the discretion of HHS.

We would expect HHS to continue to track prior OIG guidance and the federal Sentencing Guidelines elements for an effective compliance program when developing required compliance program elements for other providers/suppliers. In exercising its discretion with respect to establishing deadlines for mandatory compliance program implementation by other providers/suppliers, HHS is required by the Healthcare Reform Law to consider "the extent to which the adoption of compliance programs by a provider . . . or supplier is widespread in a particular industry sector or with respect to a particular provider or supplier category."

As such, and as confirmed by CMS's recent public comments noted above, we expect other provider/supplier compliance program mandates to issue on a rolling, industry sector-specific basis. Given the relatively low rate of compliance program adoption by certain industry sectors, such as durable medical equipment (DME) and home health, as compared to other industry sectors, such as hospitals and health systems, and given the increased focus of the Healthcare Reform Law and CMS on enrollment requirements for DME and home health, these are two industry sectors that HHS may prioritize in establishing mandatory compliance program requirements.

Finally, Congress has extended the requirement for mandatory compliance programs to the Medicaid program. States must require providers and suppliers under a state Medicaid plan to establish a compliance program that contains the core elements established by HHS and OIG with respect to the Medicare program for providers or suppliers within a particular industry or category.

Note that an exception to the compliance program requirements for physicians that appeared in earlier versions of the healthcare reform legislation does not appear in the final law. As such, and subject to the HHS administrative rulemaking, the mandatory compliance program requirements would appear to extend to all physicians as well as to small family-operated pharmacies, durable medical equipment providers, etc. Consequently, this new federal requirement is more onerous than the rules adopted for New York Medicaid providers by the New York OMIG that exempt providers with less than $500,000 in annual Medicaid billings.

But one would expect that the compliance program regulations for providers and suppliers, like the nursing facility compliance program requirements, will include some degree of "scalability" to recognize the often articulated view of the OIG in the past that what may constitute effective compliance measures for a large, complex organization (for example, a multi-hospital health system) may be excessive and unnecessary for a small physician practice or supplier. The OIG's Compliance Program Guidance for Individual and Small Group Physician Practices, published by OIG in October 2000, states "this guidance for physicians does not suggest that physician practices implement all seven components of a full scale compliance program."

With a compliance program mandate from Congress and a "condition of enrollment" requirement, as well as a more robust fraud and abuse initiative to guide its policy and rulemaking, it remains to be seen whether HHS and OIG will continue in the future to grant such wide latitude to physicians and other small suppliers with regard to minimum compliance program features.

Implications for Medical Product Manufacturers

The new mandatory compliance program requirements for providers and suppliers will likely mean a bevy of new compliance program policies and procedures with some focus on conflict-of-interest issues, vendor access, and the like. Manufacturers with healthcare provider subsidiaries that file claims will need to pay heed to the new compliance program requirements, especially those that relate to medical product suppliers.

If you have any questions or would like more information on any of the issues discussed in this LawFlash, please contact the authors of this LawFlash, Scott Memmott (202.739.5098) and Howard Young (202.739.5461), or any of the following key members of our cross-practice Healthcare Reform Law resource team:

FDA & Healthcare Practice
Kathleen M. Sanzo Washington, D.C.
Business & Finance Practice - Mergers & Acquisitions, Securities, Emerging Business & Technology
Marlee S. Myers Pittsburgh
Scott D. Karchmer San Francisco
Business & Finance Practice - Insurance Regulation
David L. Harbaugh Philadelphia
Labor & Employment Practice
John F. Ring Washington, D.C.
Litigation Practice - Commercial & Products Liability
John P. Lavelle, Jr. Philadelphia
Coleen M. Meehan Philadelphia
Brian W. Shaffer Philadelphia
Litigation Practice - Corporate Investigations & White Collar Practice
Lisa C. Dykstra Philadelphia
Jack C. Dodds Philadelphia
Eric W. Sitarchuk Philadelphia
Tax Controversy & Consulting Practice
Barton W. Bassett Palo Alto

[1] See Section 6102 and Section 6401 of the Healthcare Reform Law.

[2] For more information on the major fraud and abuse provisions of the Healthcare Reform Law, please see Morgan Lewis's previous analysis in the March 31, 2010 LawFlash, "Healthcare Reform Law: Healthcare Fraud and Abuse and Program Integrity Provisions," available here. A summary of that information is found in "Fraud and Abuse and Program Integrity Provisions," available here.