A credible CP is both sword and shield

It’s now an expected part of management

By Brenton L. Saunders, JD, MBA

Thomas H. Suddath Jr., JD

With an estimated $100 billion lost to fraudulent health care practices nationwide in 1996, health care fraud is a top priority for federal law enforcement and will remain so for years to come. About $1 billion in fines and penalties for fraud and abuse has been paid by health care providers to the federal government since 1993. The magnitude of these fines and penalties, and the draconian sanctions that can be imposed by the government, have caused providers to recognize they can literally no longer afford to see compliance programs (CPs) as a discretionary part of an institution’s policy. The federal Office of Inspector General has made it clear that effective CPs are a significant part of the future of health care regulation and enforcement. CPs are becoming an expected part of an institution’s management. (See related articles on the four objectives of a CP and its seven steps, pp. 46-47.)

It’s a dangerous and changing world for health care providers. Every day we read about a new civil or criminal investigation. Whistleblower lawsuits by employees follow close on the heels of whistleblower Web sites created by law firms. Hospitals and colleagues are becoming excluded from Medicare and Medicaid. (See this issue’s front-page article on the new conditions of Medicare participation, p. 41.) And those are just some of the mine fields you must traverse today.

When properly designed and implemented, CPs can work as both sword and shield in the health care arena. Offensively, an effective program can discover, deter, and eliminate health care fraud. The institution, the government, and the public all benefit. Defensively, a CP can protect against or mitigate fines and penalties by offering objective criteria by which prosecutors and investigators can assess your efforts to protect against fraudulent practices. In addition, an effective program provides evidence that an institution is a responsible corporate citizen, an important factor in the Department of Health and Human Services’ decision of whether a provider continues to participate in Medicare and Medicaid. Finally, a CP may protect an institution against a shareholders’ derivative action seeking to hold the directors of an institution personally liable for losses resulting from a civil or criminal investigation.1

On the other hand, if you lack a CP and are discovered as a result of an investigation to have engaged in wrongdoing, you cannot expect sympathetic consideration by the government.

How one defendant avoided treble fines

An example is the contrast between fines levied on two institutions. At the end of 1995, Clinical Practices of the University of Pennsylvania in Philadelphia paid $30 million in treble fines and penalties based upon allegations of inadequately documented medical records to support a bill for services provided by teaching physicians. In August 1996, Thomas Jefferson University paid $12 million in double fines and penalties for similar allegations. Both cases were prosecuted and investigated at approximately the same time by the United States Attorney’s Office for the Eastern District of Pennsylvania.

The main reason the Clinical Practice of the University of Pennsylvania paid treble damages and Thomas Jefferson paid double damages is Thomas Jefferson had implemented a CP mandating that it voluntarily disclose the violations to investigators.

The next step in negotiating the tumultuous landscape health care organizations now operate within — and perhaps the most difficult one — is implementing a comprehensive CP within the organization. That should be accomplished in several stages:

• First, a compliance officer must get full support and endorsement from the board and senior management of the organization.

• He or she must then develop a broad policy that outlines the officer’s role and responsibilities within the organization. Keep in mind that the compliance officer should be "high level" as defined in the guidelines. In addition, the compliance department should be structured so it has the appropriate ability and independence.

• Next, the compliance officer should assess the organization and learn its operational strengths and weaknesses. The assessment should include both business and legal risks. Counsel should be consulted in this process. Include an assessment of the external climate in which the organization operates.

• Once the assessment is complete, the compliance officer should develop the infrastructure of the program — create a budget, hire appropriate people, and define the parameters of the program. In addition, policy and procedures on issues like internal investigation hotline operations, responding to government investigation, and document retention must be developed.

• With the infrastructure in place, the compliance department will be in a position to begin constructing the necessary operational models of the program. For instance, in an academic medical center, operational models may include a physician reimbursement model, a grant administration model, and a not-for-profit compliance model.

• The next step is perhaps the most important. The hallmark of an effective CP is a best practice education and training program. The compliance department should be developed so that the appropriate resources can be directed to this effort.

• Finally, the compliance officer should develop policies for continuous monitoring of compliance activities; discipline noncompliance; and develop corrective action plans when appropriate.

By following these steps, a compliance officer should be in a position to not only develop an effective CP, but also make it operational. Remember, a CP need not prevent all wrong-doing. It must, however, attempt to do so in good faith and in a diligent manner. If those principles are followed, the CP should attain the goals of credibility, prevention, detection, and correction.


1. In re Caremark International Inc. Derivative Litigation, 1996 WL 549894 (Del. Ch. Sept. 26, 1996).

(Editor’s note: Brenton L. Saunders, JD, MBA, is the corporate compliance officer at Thomas Jefferson University and Jefferson Health System, and vice president of the Health Care Compliance Association in Madison, WI. Thomas H. Suddath Jr., JD, is a former federal prosecutor and a partner with Montgomery, McCraken, Walker, & Rhoads, LLP, in Philadelphia.)