On April 20, 2015, an educational resource designed to assist governing boards of health care organizations (“Boards”) to carry out their compliance oversight obligations was published (the “Guidance”). The Guidance was developed in collaboration among the Association of Healthcare Internal Auditors, the American Health Lawyers Association, the Health Care Compliance Association, and the Office of Inspector General (“OIG”) of the U.S. Department of Health and Human Services.
While prior guidance has emphasized the need for Boards to be fully engaged in their compliance oversight responsibility, this Guidance provides practical suggestions for Boards to effectuate their compliance oversight role. Some of these practical suggestions include:
Expectations for Board Oversight of Compliance Program Functions
- To determine what functions may be necessary to meet the requirements of an effective compliance program, Boards should use as a benchmark, and ensure that management is aware of, publicly available compliance resources, including:
  - The Federal Sentencing Guidelines;
  - The OIG’s voluntary compliance program guidance; and
  - OIG Corporate Integrity Agreements, which often include obligations tailored to an organization’s specific compliance risks.
- Boards should analyze the scope and adequacy of their organization’s compliance program in light of the size and complexity of their organization. While all organizations must demonstrate the same commitment to compliance, smaller organizations may have less formal processes in place, and the Boards of smaller organizations may need to be more involved.
- Boards should develop a formal educational plan to stay abreast of the dynamic regulatory environment so they can ask management pertinent questions and make informed strategic decisions. This educational plan may include (i) periodic updates from staff, (ii) review of regulatory resources made available by staff, (iii) attendance at outside educational programs and/or (iv) a formal Board education calendar to ensure that Board members are periodically educated on the organization’s highest risks.
- Boards should consider adding to the Board, or periodically consulting with, an experienced regulatory, compliance or legal professional to assist with the identification of risk areas, provide insight into best practices in governance, and consult on other substantive or investigative matters.
Roles and Relationships
- Boards should be aware of, and evaluate on a periodic basis, the adequacy, independence and performance of their organization’s compliance function, legal function, internal audit function, human resource function and quality improvement function. Boards should ensure that these functions have access to appropriate and relevant corporate information and resources.
- In assessing independence, Boards should assess, among other things, whether these functions have uninhibited access to the relevant Board committees and are free from organizational bias through an appropriate administrative reporting relationship.
- Organizations that do not separate these functions should mitigate potential risks by allowing individuals who serve in multiple roles the capability to execute each function in an independent manner, including reporting opportunities with the Board and executive management.
- The organization’s compliance officer should not be legal counsel for the provider, nor be subordinate in function or position to counsel or the legal department, but the compliance officer and counsel should collaborate to further the interests of the organization.
- Boards should evaluate how these functions work together to identify compliance risks, investigate compliance risks and avoid duplication of effort, identify and implement appropriate corrective action and decision-making, and communicate between the various functions throughout the process.
- Boards should understand how management approaches disagreements with respect to the resolution of compliance issues and how it decides on the appropriate course of action.
Reporting to the Board
- The Board should establish clear expectations for members of the leadership team responsible for audit, compliance, human resources, legal, quality and information technology, and should receive regular reports from those individuals to determine how well they are executing the compliance program, mitigating risks and implementing corrective action plans.
- Management personnel should report to the Board on internal and external investigations, serious issues raised in internal and external audits, hotline call activity, all allegations of material fraud or senior management misconduct, and all management exceptions to the organization’s code of conduct and/or expense reimbursement policy. The format of such reports and their frequency should enable the Board to fulfill its compliance oversight obligations while recognizing the Board’s capacity to review the information. Alternative reporting mechanisms include:
  - Risk-based reporting systems in which reports will be made when certain risk-based criteria are met;
  - Use of dashboards that summarize key financial, operational and compliance indicators to assess risks, goals and objectives;
  - Reporting of regular internal reviews that provide a snapshot of where the organization is in terms of compliance; and
  - Regular “executive sessions” with leadership from audit, compliance, human resources, legal, quality and information technology, but without senior management, to encourage open communication with the Board.
Identifying and Auditing Potential Risk Areas
- Boards should ensure that management consistently reviews and audits risk areas, as well as develops, implements and monitors corrective action plans.
- Boards and management should identify regulatory risks through internal sources (internal audits and hotline reports) and external sources (OIG-issued guidance, news media). When compliance failures in similar organizations are publicized, Boards should question whether their organization has processes and controls in place to reduce the risk of, and to identify, similar misconduct in their organization.
- Boards should ensure that risk assessment plans reflect recent industry trends, including the emphasis on quality, industry consolidation, changes in insurance coverage and new forms of reimbursement which may lead to new incentives and compliance risks.
- Boards of entities that have financial relationships with referral sources or recipients should understand how their organization reviews these relationships for compliance with applicable laws and regulations, and what level of risk is acceptable.
- As part of their risk assessment, Boards should consider all beneficial uses of Government-collected and published data, including comparison of accessible data against organizational peers.
- Boards of organizations that employ physicians should be cognizant of relationships between their employees and other health care entities to determine whether there could be an impact on their clinical and research decision-making.
- Audits should be used to pinpoint potential risk factors, identify regulatory or compliance problems and confirm the effectiveness of internal controls.
Encouraging Accountability and Compliance
- Boards should assess individual, department and/or facility-level performance in promoting and adhering to the compliance program.
- To effectively communicate that compliance is everyone’s responsibility, Boards should consider using the assessments to: (i) withhold incentives or provide bonuses based on compliance and quality outcomes; (ii) require that participation in annual incentive programs is contingent on satisfaction of certain compliance goals; and/or (iii) use employee/executive compensation claw-back/recoupment provisions if compliance metrics are not met.
- Boards should request information from management about how it encourages self-identification of compliance failures and voluntarily discloses and returns any overpayments.
- Boards should understand and evaluate whether compliance systems and processes encourage effective communication across the organization and whether employees feel confident that raising compliance concerns, questions or complaints will result in meaningful inquiry without retaliation or retribution.