OIG and CMS Requirements for Fraud, Waste, and Abuse Policies and Procedures

Understanding OIG and CMS requirements for fraud, waste, and abuse policies and procedures helps you protect patients, safeguard program funds, and avoid costly enforcement. This guide translates expectations into practical steps you can implement across your organization.

You will learn how to build written standards, train your workforce, implement fraud detection protocols, perform compliance plan auditing, and respond effectively when issues arise—all while sustaining regulatory compliance monitoring.

OIG and CMS Compliance Requirements

The Office of Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS) expect every Medicare-participating entity to maintain an effective compliance program. These expectations span providers, suppliers, health plans, and vendors that touch federal health care program dollars.

Key legal foundations include the Anti-Kickback Statute, which prohibits improper remuneration for referrals, and the False Claims Act, which imposes liability for knowingly submitting or causing the submission of false claims. Your policies should expressly address these statutes and align with OIG compliance program guidance.

CMS oversees program integrity through data analysis, audits, and investigations performed by government teams and contractors, including Program Safeguard Contractors and their successors. Expect record requests, interviews, and corrective action requirements as part of ongoing regulatory compliance monitoring.

Scope and applicability

• Applies to hospitals, physician practices, pharmacies, labs, DME suppliers, behavioral health, post-acute care, and health plans.
• Extends to business associates, billing companies, and other vendors that impact claims, coding, or member communications.
• Requires documented standards, active oversight, and demonstrable effectiveness—not just a policy on paper.

Written Policies and Procedures

Your written standards are the backbone of fraud, waste, and abuse prevention. They translate the law into day-to-day controls, define fraud detection protocols, and embed waste mitigation strategies into operations.

Core policy topics

• Code of conduct and statement of non-retaliation for good-faith reporting.
• Definitions and examples of fraud, waste, and abuse tailored to your services.
• Prohibitions under the Anti-Kickback Statute and guardrails for gifts, referrals, and marketing.
• False Claims Act risk areas, including upcoding, unbundling, medical necessity, and duplicate billing.
• Conflict-of-interest disclosures and vendor due diligence requirements.
• Sanction screening of employees and contractors prior to hire/engagement and monthly thereafter.

Operational procedures

• Standardized documentation, coding, and claims submission workflows with pre-bill edits and approvals.
• Prior authorization, medical necessity checks, and utilization review to reduce waste.
• Record retention schedules, version control, and policy attestation tracking.
• Third-party oversight: contract clauses, onboarding controls, and performance monitoring.
• Escalation matrices for suspected violations, including immediate hold on questionable claims.

Keep policies clear, accessible, and role-specific. Review at least annually, update for regulatory changes, and confirm workforce understanding through attestations.

Training and Education Programs

Training turns policy into behavior. Provide orientation for new hires, refresher education at least annually, and targeted updates when rules or operations change.

Curriculum design

• Organization-wide fundamentals: what counts as fraud, waste, and abuse; how to report; non-retaliation.
• Role-based modules for coders, billers, clinicians, case managers, sales/marketing, and vendor managers.
• Scenario-based learning tied to your actual claims, documentation, and referral patterns.
• Coverage of the Anti-Kickback Statute, the False Claims Act, and high-risk arrangements.

Delivery and tracking

• Use multiple formats—eLearning, live sessions, microlearning—to reinforce retention.
• Assess knowledge with quizzes and track completion, scores, and attestations.
• Document training rosters and keep materials for audit readiness.
• Measure effectiveness by monitoring hotline activity, error rates, and audit findings over time.

Internal Monitoring and Auditing

Monitoring provides continuous surveillance of risk indicators; auditing delivers independent, documented reviews. Together they demonstrate effective compliance plan auditing and regulatory compliance monitoring.

Risk-based auditing

• Conduct a documented risk assessment to prioritize service lines, providers, and codes.
• Use statistically valid sampling for claims reviews; verify documentation supports coding and medical necessity.
• Test controls around authorizations, modifiers, bundling, and excluded-party screening.
• Track issues, assign owners, and verify completion of corrective action plans.

Data-driven monitoring

• Deploy analytics for outliers in utilization, length of stay, level-of-service distribution, and refund patterns.
• Set alerts for sudden spikes, duplicate claims, or aberrant referral relationships.
• Integrate fraud detection protocols into pre-bill scrubbing and post-payment analytics.
• Report trends to leadership and the compliance committee with clear KPIs and thresholds.

Confirm that remediation works—retest after fixes, compare error rates, and adjust the plan as risks evolve.

Reporting and Response Procedures

Employees must know exactly how to report concerns and trust the process. Offer multiple channels—hotline, email, portal, and open-door policies—with anonymous options and strict non-retaliation.

Intake and triage

• Log each report with time, source, and allegation details; acknowledge receipt when possible.
• Risk-rank the matter and decide on investigation scope, hold actions, and notification needs.
• Preserve relevant records immediately, including EHR logs, billing data, and communications.

Investigation and remediation

• Follow a written protocol for interviews, evidence review, and legal privilege considerations.
• Perform root-cause analysis; implement targeted corrective actions and education.
• Refund identified overpayments promptly and evaluate self-disclosure obligations.
• Cooperate with CMS, OIG, and Program Safeguard Contractors as appropriate and document all steps.

Close each case with a written report, outcome classification, and verification that corrective actions were effective.

Compliance Plan Elements

OIG’s recognized elements outline what an “effective” program looks like. Align your framework to these components and evidence them in practice.

• Written policies, procedures, and standards of conduct that address FWA and day-to-day controls.
• Compliance leadership and oversight via a designated officer and multidisciplinary committee.
• Effective training and education tailored by role and risk.
• Open lines of communication, including hotlines and non-retaliation safeguards.
• Well-publicized disciplinary standards applied consistently.
• Internal monitoring and auditing that is risk-based and independent.
• Prompt response to detected offenses with corrective action and sustained waste mitigation strategies.

Compliance Plan Development

Building or refreshing your plan starts with understanding your risk profile and operational realities. Keep it practical, measurable, and embedded in everyday workflows.

Step-by-step approach

• Perform an enterprise risk assessment using claims, audit findings, and hotline data.
• Map legal and contractual requirements to specific controls, owners, and documentation.
• Draft or update policies and procedures, then pilot them in high-risk areas.
• Stand up training, communications, and reporting channels; socialize expectations.
• Implement analytics-enabled monitoring and a formal audit calendar.
• Define metrics and dashboards to track regulatory compliance monitoring and corrective actions.
• Engage leadership with regular reporting, issue escalation, and resource requests.

Metrics and continual improvement

• Outcome KPIs: error rates, overpayment refunds, timeliness of investigations, and recurrence rates.
• Process KPIs: training completion, policy attestations, sanction screening hits, and audit cycle time.
• Health indicators: hotline utilization, culture survey results, and vendor oversight effectiveness.
• Refresh the plan annually based on lessons learned and emerging fraud schemes.

Conclusion

An effective program blends clear policies, targeted training, data-driven oversight, and disciplined response. By aligning with OIG and CMS requirements for fraud, waste, and abuse policies and procedures—and by operationalizing fraud detection protocols, compliance plan auditing, and waste mitigation strategies—you build a durable, auditable defense against risk.

FAQs

What are the key components of a fraud waste and abuse policy?

Include a code of conduct; definitions and examples; Anti-Kickback Statute and False Claims Act guidance; reporting channels and non-retaliation; documentation and billing standards; vendor oversight; conflict-of-interest rules; investigation and corrective action protocols; and training and auditing requirements.

How often should training on fraud waste and abuse be conducted?

Provide training at onboarding and at least annually for all workforce members, with additional role-based refreshers when laws, policies, systems, or risk profiles change. Track completion and comprehension and reinforce with periodic microlearning.

What steps should be taken when a potential fraud violation is detected?

Secure records, log the allegation, risk-rank the issue, and initiate a privileged investigation under a written protocol. Stop related billing as needed, quantify potential impact, implement corrective actions, refund any overpayments promptly, and evaluate self-disclosure or reporting obligations.

How does CMS enforce compliance with fraud waste and abuse policies?

CMS uses data analytics, audits, and investigations—often through Program Safeguard Contractors and other integrity contractors—to test claims, request documentation, and require corrective action. Demonstrable regulatory compliance monitoring and effective remediation are central to demonstrating program effectiveness.