Medicare Compliance Checklist for Healthcare Providers: A Step-by-Step Guide
Establish Compliance Program Structure
Lay a strong foundation with clear governance, written standards, and risk-based oversight. Your goal is to prevent, detect, and correct issues before they become liabilities.
Build governance and accountability
- Appoint a qualified Compliance Officer with direct access to leadership and authority to act.
- Form a multidisciplinary Compliance Committee to review risks, approve plans, and track remediation.
- Brief the Board or owners regularly on program effectiveness and key compliance indicators.
Adopt a Code of Conduct and written policies
- Publish a Code of Conduct that sets expectations on integrity, conflicts, gifts, and reporting obligations.
- Issue policies for billing, documentation, record retention, privacy, vendor oversight, and non-retaliation.
- Align policies with Medicare conditions of participation and payer contracts.
Use a risk-based work plan
- Complete an annual enterprise risk assessment covering clinical, billing, and privacy/security risks.
- Prioritize high-impact areas and create an audit/monitoring work plan with owners and timelines.
- Track corrective actions to closure and re-test to confirm effectiveness.
Enable open reporting and communication
- Provide confidential reporting channels (e.g., hotline, web portal) and publicize non-retaliation.
- Deliver routine compliance updates and “lessons learned” to all staff and contractors.
Implement Mandatory Fraud, Waste, and Abuse Training
Educate your workforce to prevent, detect, and report Fraud, Waste, and Abuse (FWA). Tie training to your Code of Conduct and to real scenarios staff face daily.
Scope and frequency
- Require FWA training for all employees, providers, and relevant contractors upon onboarding.
- Refresh training at least annually and when laws, policies, or roles materially change.
- Verify role-based modules for billers, coders, and leaders who manage higher-risk activities.
Content essentials
- Define FWA, common schemes (upcoding, unbundling, kickbacks), and reporting pathways.
- Cover gifts/referrals, documentation standards, and red flags in ordering, prescribing, and billing.
- Include case studies and short knowledge checks to confirm understanding.
Proof and oversight
- Maintain rosters, completion dates, scores, and attestations for audit readiness.
- Escalate non-completions and restrict system access until training is finished.
Ensure Accurate Billing and Documentation
Accurate clinical documentation drives correct coding and clean claims. Build controls that hardwire medical necessity, code selection, and proper signatures.
Documentation standards
- Demonstrate medical necessity with clear history, exam, decision-making, and treatment plans.
- Capture orders/referrals, time (for time-based services), dates, and legible authenticated signatures.
- Use Advance Beneficiary Notices (ABNs) when appropriate and retain diagnostic test results and other source documents.
Coding accuracy and charge capture
- Assign codes using Current Procedural Terminology (CPT) and International Classification of Diseases 10 (ICD-10) that reflect services rendered and clinical findings.
- Apply correct modifiers and avoid unbundling or duplicate billing.
- Deploy coding audits, edit/scrubber rules, and secondary reviews for high-risk encounters.
Clean claim submission and retention
- Validate the National Provider Identifier (NPI), taxonomy code, place of service, and coverage rules before submission.
- Monitor denials, analyze root causes, and implement targeted fixes.
- Retain records per policy and payer requirements to support appeals and audits.
Conduct Employee and Contractor Screening
Prevent prohibited relationships by screening people and entities before engagement and throughout their tenure. Document every check and its outcome.
Pre-hire and pre-contract checks
- Verify licensure, certifications, and credentials directly with primary sources.
- Screen the Office of Inspector General (OIG) Exclusion List and other applicable exclusion databases.
- Assess background, malpractice history, and disciplinary actions consistent with policy and law.
Ongoing monitoring
- Rescreen all employees and contractors against the OIG Exclusion List at least monthly.
- Confirm license renewals and monitor sanctions or scope-of-practice changes.
- Escalate potential matches promptly and remove excluded individuals from federal program work.
Documentation
- Maintain searchable logs with dates, sources, results, and resolution notes.
- Require annual attestations of continued eligibility and disclosure of changes.
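The pre-hire check and the monthly rescreen above are the same matching problem: compare each person on the roster against the current exclusion list, decide whether a hit is definite or only potential, and write a log entry with the date, source, result, and a place for the resolution note. The following is an added example, not part of the checklist and not a product of any vendor named on this page. It assumes an exclusion file with the column names used by the OIG LEIE CSV download (LASTNAME, FIRSTNAME, MIDNAME, NPI, DOB, EXCLTYPE, EXCLDATE, REINDATE) and uses a constructed roster and constructed exclusion rows; the NPI-first matching rule, the "potential" category for same-name hits with a different date of birth, and the handling of reinstatement dates are design choices of this example.

```python
"""Added example: monthly exclusion rescreen with an auditable log.

Assumptions (not from the checklist): exclusion data is a CSV with the
LEIE column names; the LEIE convention of NPI "0000000000" and
REINDATE "00000000" meaning "unknown"/"not reinstated" is honoured.
All names, NPIs and dates below are constructed for this example.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample exclusion rows (not real people or real NPIs).
EXCLUSION_CSV = """LASTNAME,FIRSTNAME,MIDNAME,NPI,DOB,EXCLTYPE,EXCLDATE,REINDATE
DOE,JANE,A,1234567893,19700101,1128a1,20220115,00000000
SMITH,ROBERT,,0000000000,19650315,1128b4,20190601,00000000
SMITH,ROBERT,,0000000000,19800202,1128b4,20210301,00000000
LEE,MARIA,,1987654321,19750505,1128a3,20150101,20200101
"""

# Constructed workforce roster: (employee_id, last, first, npi or None, dob YYYYMMDD)
ROSTER = [
    ("E001", "Doe", "Jane", "1234567893", "19700101"),
    ("E002", "Smith", "Robert", None, "19650315"),
    ("E003", "Smith", "Robert", None, "19900909"),
    ("E004", "Lee", "Maria", "1987654321", "19750505"),
    ("E005", "Nguyen", "An", None, "19880808"),
]


@dataclass(frozen=True)
class Exclusion:
    last: str
    first: str
    npi: Optional[str]
    dob: str
    excl_type: str
    excl_date: str
    rein_date: Optional[str]


def norm_name(s: str) -> str:
    """Upper-case and drop anything that is not a letter (hyphens, spaces, apostrophes)."""
    return re.sub(r"[^A-Z]", "", s.upper())


def parse_exclusions(text: str) -> list:
    """Read LEIE-style CSV rows, translating the placeholder NPI/REINDATE values to None."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        npi = r["NPI"] if r["NPI"] and r["NPI"] != "0000000000" else None
        rein = r["REINDATE"] if r["REINDATE"] and r["REINDATE"] != "00000000" else None
        rows.append(Exclusion(norm_name(r["LASTNAME"]), norm_name(r["FIRSTNAME"]),
                              npi, r["DOB"], r["EXCLTYPE"], r["EXCLDATE"], rein))
    return rows


def classify(person, exclusions, as_of: str):
    """Return (result, note); result is "clear", "match" or "potential".

    as_of is YYYYMMDD, so string comparison orders dates correctly.
    Exclusions with a reinstatement date on or before as_of are not active.
    """
    _, last, first, npi, dob = person
    active = [e for e in exclusions if e.rein_date is None or e.rein_date > as_of]
    # An NPI is a unique identifier, so an NPI hit is a definite match.
    for e in active:
        if npi and e.npi and npi == e.npi:
            return "match", f"NPI match; exclusion {e.excl_type} effective {e.excl_date}"
    name_hits = [e for e in active
                 if e.last == norm_name(last) and e.first == norm_name(first)]
    if not name_hits:
        return "clear", "no NPI or name match in active exclusions"
    # Same name plus same date of birth is treated as a match; same name alone
    # is only a potential match that a person must review and document.
    for e in name_hits:
        if e.dob == dob:
            return "match", f"name+DOB match; exclusion {e.excl_type} effective {e.excl_date}"
    return "potential", f"{len(name_hits)} same-name record(s) with different DOB; manual review required"


def screen_roster(roster, exclusion_text: str, as_of: str, source: str = "OIG LEIE (constructed sample)"):
    """Screen every roster entry and return one log row per person, ready to store."""
    exclusions = parse_exclusions(exclusion_text)
    log = []
    for person in roster:
        result, note = classify(person, exclusions, as_of)
        log.append({"screened_on": as_of, "source": source, "employee_id": person[0],
                    "result": result, "note": note, "resolution": ""})
    return log


if __name__ == "__main__":
    for row in screen_roster(ROSTER, EXCLUSION_CSV, "20240601"):
        print(row)
```

Every person gets a log row, including the ones that come back clear, because the checklist asks for evidence that the screening happened, not only for the hits. Maria Lee is logged as clear in this run because her constructed reinstatement date (20200101) precedes the screening date; a rescreen dated before that would report a match, which is why the screening date is an explicit input rather than read from the clock. The same loop can be pointed at state Medicaid exclusion files by supplying a different `source` label and parser.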
Maintain Patient Privacy and HIPAA Security
Protect health information through robust Health Insurance Portability and Accountability Act (HIPAA) Compliance. Pair privacy practices with strong technical and administrative safeguards.
Privacy program essentials
- Apply minimum necessary standards, access controls, and role-based permissions.
- Issue and acknowledge Notices of Privacy Practices and Business Associate Agreements.
- Monitor disclosures and handle requests for access, amendments, and restrictions on time.
Perform a Security Risk Analysis
- Inventory systems, data flows, and threats; rate likelihood and impact; and document residual risks.
- Implement a risk management plan: encryption, multi-factor authentication, patching, backups, and secure remote access.
- Reassess after major changes or incidents and at least annually to keep controls current.
Breach response readiness
- Define incident classification, investigation steps, and decision criteria for reportability.
- Set notification timelines and templates; coordinate with legal and leadership.
- Log incidents, corrective actions, and lessons learned for program improvement.
Respond to Compliance Violations
When issues arise, move quickly and consistently. A documented, fair process limits harm and demonstrates an effective program.
Intake and triage
- Offer multiple reporting avenues with options for anonymity and non-retaliation.
- Log each allegation, assign priority, and preserve relevant records immediately.
Investigation and resolution
- Use trained investigators, interview witnesses, and analyze records and system logs.
- Document findings, scope, and evidence; consult counsel when needed.
- Implement corrective action plans, re-education, and disciplinary measures proportionate to risk.
Overpayments and disclosures
- Identify, quantify, and refund Medicare overpayments promptly consistent with the 60-day repayment rule.
- Consider self-disclosure pathways when appropriate and track all repayments.
Monitor and Audit Compliance Activities
Continuous monitoring confirms controls are working; targeted audits test high-risk areas. Use data to drive decisions and demonstrate program effectiveness.
Plan and execute audits
- Build an annual audit plan from your risk assessment, OIG focus areas, and internal metrics.
- Define sampling methods, tools, and acceptance thresholds before fieldwork begins.
- Report results clearly, assign owners, and verify remediation with follow-up testing.
Operational monitoring and KPIs
- Track FWA training completion, exclusion screening timeliness, denial rates, refunds, and privacy incidents.
- Use dashboards; escalate red flags to the Compliance Committee and leadership quickly.
Conclusion
This Medicare compliance checklist helps you build governance, educate your workforce, code and bill correctly, screen your teams, safeguard privacy, respond to issues, and verify performance. Execute each step consistently, document thoroughly, and adapt your program as risks evolve.
FAQs
What are the key components of a Medicare compliance program?
Core components include governance (Compliance Officer and Committee), a published Code of Conduct, written policies and procedures, risk assessment and a work plan, training and communication, effective reporting and non-retaliation, standards for billing and documentation, exclusion screening, HIPAA privacy and security controls, disciplined investigations and corrective actions, repayment processes, and ongoing monitoring and auditing.
How often must Fraud, Waste, and Abuse training be completed?
Provide Fraud, Waste, and Abuse (FWA) training at onboarding for all workforce members and at least annually thereafter. Update content when regulations, payer rules, or job duties change, and track completions with dates and attestations.
What documentation is required for Medicare billing?
You need clear clinical notes showing medical necessity, authenticated signatures and dates, orders/referrals, time when required, diagnostic test results, and any applicable ABN. Codes must accurately reflect services using Current Procedural Terminology (CPT) and International Classification of Diseases 10 (ICD-10), with correct modifiers and claim elements such as NPI, place of service, and taxonomy.
How frequently should employee exclusion screenings be conducted?
Screen all employees and contractors against the Office of Inspector General (OIG) Exclusion List before hire or contracting and at least monthly thereafter. Recheck state exclusion lists as applicable, verify license status on renewal, document each screening, and promptly remove any excluded individual from federally reimbursed work.