How to Screen for Medicare Compliance: Step-by-Step Guide and Checklist for Healthcare Providers

Establish Medicare Compliance Program Structure

Build the foundation

Start by appointing a Compliance Officer with authority to act and a multidisciplinary Compliance Committee to provide oversight. Define clear reporting lines to executive leadership and the governing body. Publish Compliance Program Policies and Procedures and a code of conduct that set expectations for billing integrity, documentation, and professional behavior.

Stand up Fraud Waste and Abuse Reporting Mechanisms, including confidential reporting options and a strict non-retaliation standard. Document how concerns are triaged, investigated, and resolved. Establish document control practices so policies, workflows, and forms are versioned, approved, and retrievable.

Step-by-step setup checklist

• Perform a baseline risk assessment covering billing, referrals, ordering, and vendor relationships.
• Map high-risk processes (coding, claims submission, refunds, cost reporting, enrollment) to owners and controls.
• Create an annual compliance work plan that separates monitoring from auditing and defines escalation thresholds.
• Define training requirements by role and maintain signed acknowledgments of key policies.
• Implement a record retention schedule and meeting minutes for leadership and committee oversight.
• Include vendors and contractors in screening, onboarding, and policy attestation requirements.

Documentation to retain

• Approved policies and code of conduct, with revision history.
• Risk assessment results and the current compliance work plan.
• Committee charters, rosters, and minutes documenting oversight actions.
• Hotline procedures and aggregate reporting for Fraud Waste and Abuse Reporting Mechanisms.

Implement Fraud Waste and Abuse Training

Training scope and cadence

Provide Fraud, Waste, and Abuse training to all workforce members and relevant contractors at onboarding and at least annually thereafter. Tailor modules by role so coders, billers, prescribers, and leaders understand their specific risks and controls.

Content essentials

• Definitions and practical examples of fraud, waste, and abuse, with consequences and common red flags.
• How to apply the organization’s Compliance Program Policies and Procedures in daily work.
• How to use your Fraud Waste and Abuse Reporting Mechanisms confidentially and without fear of retaliation.
• Scenarios on documentation integrity, improper inducements, and billing for services not rendered.

Execution checklist

• Select curricula with knowledge checks; set completion deadlines and auto-reminders.
• Track completion, reassign overdue modules, and escalate persistent non-compliance.
• Capture attestations and post-test scores; file certificates in personnel or learning records.
• Update content when processes, systems, or regulations change.

Maintain Billing and Documentation Standards

Anchor services to Medical Necessity Criteria

Require documentation to show why the service was reasonable and necessary, linking diagnoses to services ordered and performed. Ensure notes capture history, exam or relevant data, decision-making, orders, time (when applicable), and a clear plan of care.

Controls for coding, charging, and claims

• Use current code sets and maintain edits to catch mismatched diagnoses, modifiers, or units.
• Validate authorizations, coverage, and any required notices before service.
• Implement secondary reviews for high-risk services and modifiers prior to claim submission.
• Reconcile scheduling, documentation, and charge capture to prevent missed or duplicate charges.

Documentation checklist

• Accurate patient identifiers, service dates, rendering provider, and signatures.
• Legible, contemporaneous notes supporting intensity, scope, and place of service.
• Complete orders, results, images, and ancillary reports tied to the billed claim.
• Retention of corrections with author, date, and rationale—never overwrite original entries.

Revenue integrity safeguards

• Analyze denials and refunds to identify root causes and training needs.
• Monitor for upcoding, unbundling, and inappropriate use of time-based or complexity-based codes.
• Verify timely refunds for overpayments and document corrective actions.

Conduct Exclusion Screening Procedures

Who and what to screen

Screen all prospective and current employees, licensed clinicians, owners, board members, contractors, and key vendors. At a minimum, check the Office of Inspector General List of Excluded Individuals and Entities and document results for each individual and entity.

Frequency and triggers

• Screen pre-hire or pre-contract and then monthly for the duration of employment or engagement.
• Re-screen immediately upon name changes, mergers, acquisitions, or role changes.

Step-by-step workflow

• Collect identifiers (full legal name, prior names, date of birth, NPI or license if applicable).
• Search the Office of Inspector General List of Excluded Individuals and Entities and compare potential matches.
• Resolve possible matches with additional identifiers and document the determination.
• If a confirmed match is found, remove the individual from federally reimbursed work and initiate corrective actions.
• Store results, screenshots or confirmations, date stamps, and reviewer sign-off for audit readiness.

Ensure Patient Privacy and Security Compliance

Conduct a Security Risk Analysis

Perform an organization-wide Security Risk Analysis to identify where protected health information is created, received, maintained, or transmitted. Assess threats, vulnerabilities, and likelihood/impact, then build a prioritized remediation plan with clear owners and timelines.

Safeguards to implement

• Administrative: role-based access, workforce training, sanctions, and vendor management with business associate agreements.
• Technical: unique IDs, multi-factor authentication, encryption at rest and in transit, audit logging, and timely patching.
• Physical: facility access controls, device security, and secure disposal of media.

Breach Notification Policies

Define how suspected incidents are reported, investigated, and classified. Establish timelines for containment, documentation, and required notifications. Maintain incident logs, root-cause analyses, and corrective actions, and train staff on how to recognize and escalate potential breaches promptly.

Perform Regular Internal Monitoring and Auditing

Design Internal Audit Protocols

Create risk-based Internal Audit Protocols that specify objectives, scope, sampling, testing steps, and acceptance criteria. Keep workpapers that support findings and link each recommendation to a corrective action with an accountable owner and due date.

Monitoring metrics and cadence

• Track KPIs such as coding accuracy, denial rates, refund volumes, late documentation, and hotline activity.
• Use dashboards to spot trends and trigger targeted audits when thresholds are exceeded.
• Schedule routine probes of high-risk areas and perform event-driven reviews after system or process changes.

The audit cycle

• Plan: select topics from the risk assessment and define scope.
• Test: review records, claims, and controls; interview process owners.
• Report: grade findings, quantify impact, and recommend fixes.
• Correct: implement corrective and preventive actions; retrain as needed.
• Verify: re-test to confirm sustained effectiveness and close the issue.

Respond to Compliance Violations Promptly

Triage and investigate

Use standardized intake to capture who, what, when, and where. Preserve evidence, restrict access to affected systems if needed, and assign an investigator with no conflicts. Document all steps taken, decisions made, and timelines met.

Corrective action and remediation

• Stop non-compliant activity; isolate financial impact and initiate refunds as appropriate.
• Address root causes through process redesign, training, technology changes, or disciplinary action.
• Update policies and Internal Audit Protocols to prevent recurrence and verify effectiveness through follow-up testing.

Communication and closure

Brief leadership on findings, risks, and completed actions. Record outcomes in a centralized log and include lessons learned in future training, monitoring, and the compliance work plan.

Conclusion

A strong Medicare compliance program blends clear governance, rigorous training, accurate billing, vigilant exclusion screening, robust privacy and security, disciplined auditing, and decisive response. Treat this as a continuous cycle—measure, learn, and improve—to protect patients, your organization, and program integrity.

FAQs

What is exclusion screening for Medicare compliance?

Exclusion screening is the process of checking your workforce and key vendors against the Office of Inspector General List of Excluded Individuals and Entities to ensure no excluded party participates in federally reimbursed work. You document results, resolve potential matches, and immediately remediate any confirmed exclusions.

How often should Medicare compliance training be conducted?

Provide training at onboarding and at least annually for all workforce members. Add targeted refreshers when processes, systems, or regulations change, and keep records of completion and competency checks.

What are the key components of a Medicare compliance program?

Core components include leadership oversight, Compliance Program Policies and Procedures, risk assessment and a work plan, comprehensive training, Fraud Waste and Abuse Reporting Mechanisms, monitoring and Internal Audit Protocols, consistent enforcement, and prompt response with corrective actions.

How do providers report a compliance violation?

Use your organization’s confidential reporting channels—such as a hotline or secure web form—or contact the Compliance Officer directly. Include relevant facts and supporting documents. Reports are protected by non-retaliation policies and are triaged, investigated, and resolved according to established procedures.