Building an FCA Compliance Program: A Step-by-Step Guide for Small Practices to Prevent Liability Under 31 U.S.C. § 3729

Executive Summary

Small healthcare practices face significant exposure under the False Claims Act (FCA), codified at 31 U.S.C. § 3729. Even unintentional billing errors can trigger costly investigations, civil penalties, and reputational harm. A well-structured FCA compliance program is not just a safeguard against liability; it is a proactive strategy to ensure lawful, ethical, and accurate participation in federal healthcare programs. This expanded guide offers a detailed, step-by-step approach to building a compliance framework tailored to the realities of small practices, aligning with federal guidance, real enforcement trends, and industry best practices.

Introduction

The FCA is the federal government’s primary tool for combating fraud in programs like Medicare and Medicaid. It imposes liability on anyone who knowingly submits, or causes the submission of, false or fraudulent claims for payment. Importantly, “knowingly” under 31 U.S.C. § 3729(b)(1) includes actual knowledge, deliberate ignorance, or reckless disregard, meaning that intent to defraud is not required for penalties to apply.

Small practices are particularly vulnerable for several reasons:

  • They often operate with minimal administrative staff.

  • They rely on third-party billing vendors without deep oversight.

  • They may lack formalized compliance processes or documented procedures.

  • A single employee’s actions, intentional or accidental, can trigger a federal investigation.

An effective FCA compliance program minimizes these risks by providing a clear operational blueprint for proper billing, rigorous documentation, and fast response to potential problems.

Understanding FCA Liability Under 31 U.S.C. § 3729

Key FCA Provisions

  • False or Fraudulent Claims – Submitting claims for services not rendered, not medically necessary, or miscoded to inflate reimbursement.

  • Reverse False Claims – Failing to return known overpayments to Medicare or Medicaid within the statutory 60-day window.

  • Conspiracy – Collaborating with others to submit or hide false claims.

  • Broad Definition of “Knowing” – Actual knowledge, deliberate ignorance, or reckless disregard are all equally actionable.

Financial Consequences

  • Treble Damages – The government can collect three times the actual damages sustained.

  • Per-Claim Penalties – Civil monetary penalties currently range from approximately $13,508 to $27,018 per claim.

  • Exclusion from Federal Programs – Practices found liable may be excluded from Medicare and Medicaid participation.

Whistleblower Actions

FCA whistleblower (qui tam) provisions allow employees, contractors, or others to file lawsuits on the government’s behalf, receiving 15–30% of any recovery. This creates a strong incentive for insiders to report compliance failures.

Step-by-Step Guide to Building an FCA Compliance Program

Step 1: Appoint a Compliance Officer

In a small practice, this role may be filled by a senior administrator, office manager, or the practice owner. The compliance officer should:

  • Develop and maintain written compliance policies.

  • Coordinate staff training.

  • Serve as the liaison for auditors and legal counsel.

  • Track regulatory changes and update procedures accordingly.

Step 2: Develop Written Policies and Procedures

Written policies should clearly outline:

  • Correct coding and billing protocols.

  • Standards for documenting medical necessity.

  • Procedures for promptly identifying and refunding overpayments.

  • Internal auditing schedules.

  • Protocols for responding to government inquiries and subpoenas.

These documents should be reviewed at least annually.

Step 3: Train Staff Regularly

Training is not a one-time event. Schedule semiannual sessions covering:

  • FCA fundamentals and examples of violations.

  • Updates in coding rules or CMS policies.

  • Real case studies from similar-sized practices.

  • How to use reporting systems for compliance concerns.

Keep attendance logs and copies of training materials as part of your compliance records.

Step 4: Implement Internal Auditing and Monitoring

Internal audits should:

  • Review a sample of claims monthly for accuracy.

  • Focus on high-risk areas like E/M coding, telehealth claims, and modifiers.

  • Identify both overpayments and underpayments.

Annual external audits provide an additional layer of assurance and demonstrate diligence if questioned by regulators.

Step 5: Establish a Reporting and Response System

An effective reporting mechanism includes:

  • A confidential hotline or email for anonymous concerns.

  • Clear instructions for staff on how and when to report.

  • Written policies prohibiting retaliation.

  • Documented follow-up on every report, with corrective actions when needed.

Step 6: Manage Overpayments Proactively

  • Assign responsibility for tracking and processing overpayment refunds.

  • Keep detailed records of identified overpayments, investigation notes, and repayment confirmations.

  • Adhere strictly to the 60-day repayment rule to avoid reverse FCA liability.

Step 7: Vet Third-Party Vendors and Business Associates

Vendor oversight is essential. Contracts should include:

  • FCA compliance clauses.

  • Rights to audit vendor work.

  • Specific performance standards.

  • Indemnification for errors caused by the vendor.

A Realistic Case Study: Small Practice FCA Exposure

A family medicine clinic outsourced all Medicare billing to a third-party vendor, trusting them to handle coding accuracy and compliance. Over a period of two years, the vendor systematically upcoded hundreds of visits from Level 3 (99213) to Level 4 (99214) without clinical justification. These inflated claims increased reimbursements significantly, creating the appearance of higher patient complexity and longer visit times than were actually documented.

A whistleblower, a former vendor employee, reported the pattern to the Department of Justice (DOJ) under the False Claims Act’s qui tam provisions. In response, the DOJ issued a Civil Investigative Demand (CID) requiring production of patient charts, billing data, and internal communications between the clinic and the vendor.

The investigation revealed multiple compliance failures:

  • No internal coding audits were performed.

  • No vendor oversight policy existed.

  • Leadership failed to verify claim accuracy before submission.

Because the clinic’s leadership ignored these oversight responsibilities, the DOJ classified the conduct as reckless disregard, enough to meet the FCA’s “knowing” standard even without proof of intent.

Settlement: $325,000 plus entry into a Corporate Integrity Agreement (CIA) requiring:

  • Quarterly independent billing audits.

  • Annual compliance training for all staff.

  • Written vendor oversight procedures with documented review cycles.

Lesson Learned: Under both HITECH and FCA principles, outsourcing billing does not outsource liability. Small practices must actively monitor vendor activities, implement formal oversight procedures, and document compliance checks to avoid exposure to federal enforcement.

Common Pitfalls in FCA Compliance and How to Avoid Them

| Pitfall | Description | Prevention Strategy |
|---|---|---|
| Lack of Documentation | Missing or incomplete medical records backing claims | Use standardized templates and audit documentation monthly |
| Vendor Negligence | Blind reliance on billing vendors | Require contractual compliance clauses and quarterly audits |
| Poor Staff Training | Outdated or inconsistent knowledge of billing rules | Implement semiannual compliance training |
| Ignoring Overpayments | Failure to refund within 60 days | Assign a compliance officer to monitor and process overpayments |
| Weak Internal Reporting | No safe channel for whistleblowing | Provide anonymous reporting tools and enforce non-retaliation policies |

FCA Compliance Program Checklist

| Task | Responsible Party | Timeline | Reference |
|---|---|---|---|
| Appoint Compliance Officer | Owner/Administrator | Immediate | DOJ/OIG Compliance Guidance |
| Draft Written Policies | Compliance Officer | Within 30 days | 31 U.S.C. § 3729 |
| Conduct Staff Training | Compliance Officer | Every 6 months | FCA/OIG |
| Perform Internal Audits | Compliance Officer/Billing Lead | Monthly | DOJ Protocol |
| Manage Overpayments | Compliance Officer/Admin | Within 60 days | 42 U.S.C. § 1320a-7k(d) |
| Vet Vendors | Compliance Officer/Owner | Before engagement | FCA Vendor Compliance |
| Document All Actions | Compliance Officer | Ongoing | DOJ/OIG Guidance |

Concluding Recommendations and Next Steps

A strong FCA compliance program is a living system that evolves as laws, billing rules, and enforcement priorities shift. For small practices, this means:

  • Leadership commitment – Owners and providers must set the tone by visibly supporting compliance.

  • Ongoing staff engagement – Training and policy updates must be consistent.

  • Proactive auditing – Catch and correct errors internally before they become government investigations.

  • Meticulous documentation – Ensure every claim can be justified with complete records.

  • Vendor accountability – Demand the same compliance standards from contractors as from your own team.

Implementing these strategies not only reduces FCA risk but also strengthens the practice’s reputation and financial stability.

A practical step to reinforce compliance is integrating a compliance system into your operations. Such a system monitors requirements, performs ongoing risk reviews, and keeps your practice prepared for audits, helping you avoid costly mistakes while presenting a proactive stance to oversight bodies.

Official References

  1. 31 U.S.C. § 3729 – False Claims Act, liability for false or fraudulent claims.

  2. DOJ Civil Division – Fraud Section – Guidance on FCA enforcement priorities.

  3. OIG Compliance Program Guidance for Individual and Small Group Practices – U.S. Department of Health and Human Services.