Compliance
Health care compliance is both reactive work to address identified concerns and proactive work to prevent fraud, waste, and abuse by adhering to state and federal regulations specific to health care, with a focus on patient safety, data privacy and security, and billing and coding of services. Every health care entity is responsible for developing and adhering to its customized and updated compliance plan. It is easy to become complacent and think the plan is set and nothing else is needed; however, as with anything in health care, change is constant, and cancer programs must be vigilant about how changes may affect their compliance plan. At the very least, cancer programs should complete a cursory review to ensure their compliance plan is easily accessible and relevant to current practices or provide a detailed review and update to align with changes issued in November 2023 by the Office of Inspector General (OIG). As we close out 2025 and enter 2026, let’s review some key aspects of health care compliance plans and strategy.
Defining Key Terminology
The Office of Inspector General
The OIG is a branch of the Department of Health and Human Services (HHS). Its mission is to protect the integrity of HHS programs and the health and welfare of the programs’ beneficiaries. The OIG’s duties are carried out through audits, investigations, inspections, and other mission-related functions performed by OIG components, including the OIG Office of Audit Services and Office of Evaluation and Inspections.
There are several facets to the OIG, with the primary focus being identifying and addressing fraud, waste, and abuse related to Medicare, as well as educating providers on how to be compliant and avoid compliance violations. Mistakes happen, so it is important to understand that the intent behind an action may also determine whether something is merely noncompliant or could potentially be defined as fraudulent. An individual or entity that purposely or intentionally creates a misrepresentation of services or a relationship is viewed differently than one that makes an unintentional error or mistake.
One way the OIG communicates its focus and its mitigation of risk presented to Medicare is through the development of its Work Plans.1 OIG Work Plans are a list of projects the OIG is working on or plans to begin soon. They include projects in the major HHS agencies and administrations, such as the Centers for Medicare & Medicaid Services, the Centers for Disease Control and Prevention, and the Administration on Aging.
A few of the current Work Plans listed on the OIG website focus on drug pricing, specifically comparisons of quarterly reporting of Average Sales Prices and Average Manufacturer Prices, and identifying 304B units to recoup inflation rates for Part B drugs in Medicare Advantage. The OIG has also had a longstanding mission to educate providers about ways to avoid compliance violations. Before November 2023, the OIG issued a series of compliance program guidance (CPG) documents for various sectors of the health care industry, including hospitals, physician practices, and third-party billing companies. To streamline and modernize access to information, the OIG has ceased maintaining many of its previously published compliance program documents specific to physician practices and third-party billing companies. It has replaced them with guidance for clinical laboratories and Medicare Advantage.
In November 2023, the OIG released a General Compliance Program Guidance (GCPG) that applies to all individuals and entities involved in the health care industry.2 This guidance addresses the following: key federal authorities for entities engaged in health care business, the 7 elements of a compliance program, adaptations for small and large entities, other compliance considerations, and OIG processes and resources. In 2024, the OIG began publishing Industry Segment-Specific Compliance Program Guidance (ICPG) for different types of providers, suppliers, and other participants in the health care industry.3 The first industry guidance published is related to nursing facilities.
Compliance Program for Coding and Billing
The OIG outlines 7 elements of a successful compliance program in the General Compliance Program Guidance:
Most compliance programs begin with a comprehensive “commitment to compliance” that includes a discussion of the Standards of Conduct for the organization. Health care providers must establish standards of conduct that are above reproach and ensure that those standards are clearly articulated and strictly adhered to.
A compliance program specific to the coding and billing of services has 4 key elements. The components of these 4 elements should be reviewed annually to ensure they cover changes in services offered, designation of entities, and any other regulatory changes to coding and billing practice:
Identifying potential risks may be one of those items that takes a back seat to whatever else is going on, because ideally, they have not happened. Remember, a bit of prior planning prevents poor performance. Thinking of coding and billing, what are some things that could go wrong? Or how or why might they happen? Risk areas specific to coding and billing include the following:
Once risks are identified, policies and procedures should be developed to address and manage these risks on an ongoing basis. As mentioned, these policies should be reviewed annually, easily accessible, and current to the services in the department and/or cancer program. Policies should reflect the current reimbursement principles from applicable statutes, regulations, and federal, state, or private payer health care program requirements. Written standards and procedures should also ensure that coding and billing are based on medical record documentation.
The policies and procedures should define the minimal documentation requirements for coding purposes and the methods for clarifying ambiguous or conflicting documentation, such as communication with the performing physician. Policies should also outline what are considered appropriate coding references and tools to be used by staff, orientation and training related to accessing medical records and their sensitive information, continuing education and training to ensure staff are aware of and understand new codes and billing rules, a documentation improvement plan outlining how staff communicate to physicians when improvements are needed to documentation practices, and ongoing monitoring to ensure any identified risks are handled appropriately.
Education and training are an important part of any compliance program and are the logical next step after problems have been identified and the practice has designated an individual to oversee education and training. It is likely some of the education and training provided for coding and billing staff may vary from that of the physicians, but it should be recognized that they work closely together and can greatly impact each other when it comes to compliant coding and billing.
Each year, the following items should be reviewed and updated as part of the ongoing education and training specific to coding and billing staff:
Finally, an effective compliance program requires both auditing and monitoring. This includes internal and external medical record audits by trained staff or outside consultants and the ongoing review and upkeep of information to detect and address potential risks. The internal auditor or reviewer can be most effective when viewed as a team member or helpful resource rather than a management police force. This person should also be someone who can be objective, independent of the department’s management team, and communicate findings appropriately.
The report of findings should be clear and laid out to demonstrate in detail the issue identified. For example, if something was overcoded (eg, coded at a higher level than what is supported in the documentation), the report should identify the patient, date of service, the code billed, what was supported by the documentation identifying the error as an overcoded procedure, and any recommendations for action.
More frequent internal and/or external audits may be needed or planned, depending on the findings. Additionally, any findings should be addressed immediately—not shelved or hidden. The implications of ignoring and avoiding findings related to coding and billing could be significantly impactful and require self-reporting to the payer and return of overpayments within a defined timeline. Most health care providers do not intend to commit fraud, waste, or abuse; mistakes happen. Even with increased access to and use of artificial intelligence in coding and billing for health care services, mistakes can happen. It has long been understood that the intention to do good—even having a compliance policy in place but never updating or really following—will typically be interpreted as intent to do the right thing, as if the errors are unintentional. This should not be counted on to get out of doing the necessary work of updating and maintaining compliance plans, especially when addressing coding and billing health care services. We are all patients at some time in our lives; we would like to think our providers are doing the best for us, as we would for any patients that walk through the door for treatment.
Teri Bedard, BA, RT(R)(T), CPC, is executive director of Client and Corporate Resources at Revenue Cycle Coding Strategies in Des Moines, Iowa.
References
1. US Department of Health and Human Services, Office of Inspector General. Work Plan. Accessed October 28, 2025. https://oig.hhs.gov/reports-and-publications/workplan/index.asp
2. US Department of Health and Human Services, Office of Inspector General. Compliance guidance. Accessed October 28, 2025. https://oig.hhs.gov/compliance/compliance-guidance/
3. US Department of Health and Human Services, Office of Inspector General. Nursing facility industry segment-specific compliance program guidance. Accessed October 28, 2025. https://oig.hhs.gov/compliance/nursing-facility-icpg















