Hot Topics in Compliance


Mandatory Compliance for Medicare Advantage Providers/Suppliers

By Mary R. Daulong, PT, CHC, CHP

Question: I have heard that as a provider of services to beneficiaries enrolled in Part C (Medicare Advantage Plan) I must participate in Centers for Medicare & Medicaid Services (CMS)–specific training and testing on Fraud, Waste and Abuse and General Compliance: Is this correct?

Answer: Yes, with one exception. You are required to take the CMS General Compliance Training & Testing,1 but if you are enrolled in Medicare Part A or Part B you could be exempt from the Fraud, Waste and Abuse Training and Testing. You will need to attest that you have had that training, as a result of your enrollment, and have the specified components of a Compliance Program in place. The effective date for compliance was January 1, 2016.

Question: What authority does CMS have to mandate training and compliance programs?

Answer: Section 6401 of the Affordable Care Act provides that a “provider of medical or other items or services or supplier within a particular industry sector or category shall establish a compliance program as a condition of enrollment in Medicare, Medicaid, or the Children’s Health Insurance Program (CHIP).”2

Question: Has CMS published an effective date for providers and suppliers of traditional Medicare services?

Answer: No. CMS has only set an effective date for a mandatory Compliance Program for Part C (Managed Care Organizations [MCO]) and Part D (Prescription Drug Plans) which was January 1, 2016. Chapter 21 of CMS’s MCO Manual, has been updated to detail what a Compliance Program must include to demonstrate that it has taken measures to prevent, detect, and correct program noncompliance and fraud, waste, and abuse. CMS also listed the core elements for the MCO-mandated Compliance Program.3

Question: I have a compliance plan. Is that the same as a compliance program?

Answer: No. Plans and programs are very different. In general, a compliance program is dynamic—energetic, capable of action and/or change, or forceful—while a compliance plan is more stationary or fixed. The Bonadio Group, a business accounting and consulting firm, states that there is a significant difference between these two compliance paths. They maintain that, “A compliance plan is a public, written document that details those policies that the organization adheres to regarding its implementation of the elements of compliance. This document is expected to be an accurate reflection of what is in place at any one time, and is expected to undergo regular, periodic review and revision to ensure that it is always in step with the compliance activities of the organization.” It goes on to state that “A compliance program is a set of formal organization systems intended to prevent, detect and respond to potential problems identified by employees and other agents. A compliance program cannot, by definition, exist only on paper. It is a mindset, an operational model for how an organization has internalized the concepts and intent of a compliance culture and made it their own.”

Question: What are the components of a compliance program?

Answer: In short, according to the Office of Inspector General as well as the Medicare Managed Care Manual, Chapter 21, a compliance program must, at a minimum, include the following core requirements:

  1. Written policies, procedures, and standards/code of conduct;
  2. Compliance officer, compliance committee, and high-level oversight;
  3. Effective training and education;
  4. Effective lines of communication;
  5. Well-publicized disciplinary standards;
  6. Effective system for routine monitoring and identification of compliance risks; and
  7. Procedures and system for prompt response to compliance issues.

Question: I don’t understand the acronym FDR that is used in relationship to CMS’s Managed Care Organizations; can you explain what it is and how it applies to me?

Answer: CMS, in its updated MCO manual, stipulates that sponsors of Part C & D (MCOs) must specifically develop procedures to promote and ensure that all FDRs (First Tier Entity, Downstream Entity, and Related Entity) are in compliance with all applicable laws, rules, and regulations. A sponsor must have a risk assessment and management program, effective training and education, effective internal controls, and effective monitoring in place to exercise oversight of all of its FDRs and their associated personnel.

Some helpful definitions as denoted in Medicare Managed Care Manual, Chapter 21, Definitions:

  • First Tier Entity: any party that enters into a written arrangement, acceptable to CMS, with a Part C Medicare Advantage Organization (MAO) sponsor, Part D Prescription Drug Plan sponsor, or applicant to provide administrative services or health care services (this, per most MCOs, is where health care providers reside) to a Medicare-eligible individual under the Medicare Advantage program or Part D program.
  • Downstream Entity: any party that enters into a written agreement, acceptable to CMS, with persons or entities involved with a Part C or Part D benefit, below the level of first tier entity. These arrangements continue down to the level of the ultimate provider (this could also be where physical therapy providers reside) of both health and administrative services.
  • Related Entity: any entity that is related to an MAO or Part D Sponsor by common ownership or control and performs some of the sponsor’s management functions under contract or delegation, furnishes services to Medicare enrollees under an oral or written agreement, or leases real property or sells materials to the MAO or Part D plan sponsor at a cost of more than $2,500 during a contract period.

Question: When and how do I start compliance testing?

Answer: Practices should initiate orientation and testing now so that they can provide the attestation of completion, for each applicable workforce member, when verification of training becomes required. For the time being CMS has granted a waiver to MCOs regarding logging proof of FDR training.4 At the conclusion of the test(s), a Certificate of Completion is rendered. Please note that certificate(s) should be maintained by the clinic as well as by participant for 10 years.

AMA’s Methodology for Counting Units

Question: Is it true that the American Medical Association (AMA) has defined what constitutes a unit of service? When should a provider apply the different methodologies?

Answer: Yes, it is true that AMA has defined a unit of service as “Time is the face-to-face time with the patient” and “A unit of time is attained when the mid-point is passed.” This definition went into effect in 2012 and is explained in the AMA’s CPT Code Book, 2012 and subsequent versions. This methodology is currently being entitled “The Greater than 50 percent Unit Rule.” AMA’s methodology differs from CMS’s “8 Minute Rule” in that it does not allow for consideration of cumulative total minutes, which CMS does. Instead the AMA counts units based on the total minutes per specific current procedural terminology (CPT) code.

While AMA’s method appears, at first glance, to be more generous than CMS, it really depends on which CPT codes are billed per AMA’s approach rather than the total minutes for 1:1 codes. The dangling remaining minutes can be used to obtain an additional unit per CMS, which is not the case with AMA’s methodology. Providers should review payment and/or coverage policies to determine which methodology is utilized by their payers.

Question: Can you provide comparative illustrations of the two coding methodologies?

Screen Shot 2016-06-21 at 10.10.21 AM

Answer: Please see scenarios 1-3 to the left.

In summary, what is left dangling can yield an additional unit (CMS) and what is duplicated (AMA) does not necessarily double your billable units.

OSHA’s Hazard Communications Standard

Question: Do the new Occupational Safety and Health Administration (OSHA) regulations that went into effect in June 1, 2016, apply to private practices?

Answer: Yes, health care providers must comply with OSHA’s Hazard Communication Standard and its new regulations. According to OSHA, all employers with hazardous chemicals, disinfectants, and many other products used in the clinic must have labels and safety data sheets (SDS) for their exposed workers, and train them to handle the chemicals appropriately.5

OSHA, in an effort to align itself with the Globally Harmonized System (GHS) of Classification and Labelling of Chemicals, has introduced four major areas of change that health care providers, among others, must comply with:

  • Hazard Classification: The definitions of hazard have been changed to provide specific criteria for classification of health and physical hazards, as well as classification of mixtures. These specific criteria will help to ensure that evaluations of hazardous effects are consistent across manufacturers, and that labels and safety data sheets are more accurate as a result.

  • Labels: Chemical manufacturers and importers will be required to provide a label that includes a harmonized signal word, pictogram, and hazard statement for each hazard class and category. Precautionary statements must also be provided.
  • Safety Data Sheets: Will now have a specified 16-section format.
  • Information and Training: To facilitate understanding of the new system, the new standard requires that workers be trained by December 1, 2013, on the new label elements and safety data sheet format, in addition to any current training requirements.

OSHA required that employees be trained on the new label elements (i.e., pictograms, hazard statements, precautionary statements, and signal words) and the SDS format by December 1, 2013, so that they would be familiar with the new labels and SDS format, and be able to use them and access the information effectively when the final deadline of June 1, 2016 arrives.

So, if you have not updated your Hazard Communication Program or oriented your employees to the new labels and SDS sheets, now is the time. OSHA’s frequently asked questions (FAQs) are very helpful.7

Because we have set times (several months in advance of publication) to author our compliance articles, we cannot routinely alert our readers prior to compliance deadlines. In addition, those of us who write these columns often choose the subject matter based on interaction with clients.


1. Accessed May 2016.

2. Accessed May 2016.

3. Items/CMS019326.html?DLPage=2&DLEntries=10&DLSort=0&DLSortDir= ascending. Accessed May 2016.

4. Accessed May 2016.

5. AMA CPT Coding Book; Versions 2012-2016.

6. Accessed May 2016.

7. Accessed May 2016.


Mary R. Daulong, PT, CHC, CHP, is a PPS member and the owner of Business & Clinical Management Services, Inc., a consulting firm specializing in outpatient therapy compliance, including documentation, coding and billing, enrollment and credentialing, and Health Insurance Portability and Accountability Act and Occupational Safety and Health Administration regulation education. She is also the author of both The Private Practice Compliance Manual and The Third-Party Biller Compliance Manual. She can be reached at

Copyright © 2018, Private Practice Section of the American Physical Therapy Association. All Rights Reserved.

Are you a PPS Member?
Please sign in to access site.
Enter Site!