One of the most important responsibilities that governing boards of healthcare organizations (“Boards”) have is carrying out their compliance oversight obligations. Recently the U.S. Department of Health and Human Services Office of Inspector General (OIG) released a new guide to assist Boards in carrying out their compliance duties. The guide is titled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (“Guidance”) and was developed in collaboration with the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA).
The Guidance, while not mandatory, sets forth a useful framework for creating and sustaining an effective compliance program. While geared toward Boards, the OIG believes it will help internal auditors, lawyers and compliance officers that report to governing boards as well.
The Guidance emphasizes the important role that Boards play in overseeing their organizations’ compliance with federal and state laws and regulations. The OIG’s expectations for Board oversight are that: “A Board must act in good faith in the exercise of its oversight responsibility for its organization, including making inquiries to ensure: (1) a corporate information and reporting system exists and (2) the reporting system is adequate to assure the Board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course.”
The Guidance suggests that Boards use widely recognized compliance resources, such as the Federal Sentencing Guidelines, the OIG’s voluntary compliance program guidance documents and OIG Corporate Integrity Agreements as benchmarks for their organizations. The compliance program design is not “one size fits all,” but the Guidance explains that Boards are expected to put forth a “meaningful effort” to review the adequacy of compliance systems and functions.
The scope and extent of compliance programs may vary depending on the size and resources of an organization. While smaller organizations must demonstrate a similar degree of commitment and ethical conduct as their larger counterparts, the Guidance points out that they may meet the Guidance requirements “with less formality and fewer resources than would be expected of larger and more complex organizations.”
The Guidance outlines a number of specific recommendations to help Boards carry out their oversight roles, including:
Formal Plans. Boards should create formal plans to stay on top of ever-changing regulations through periodic updates from staff and the review of regulatory resources. By staying abreast of the issues, the Board will be better equipped to ask more informed questions of management and make better strategic decisions regarding compliance programs. The Guidance also suggests that a Board can increase its regulatory and compliance knowledge by adding to the Board, or periodically consulting with, an experienced regulatory, compliance or legal professional. This can help the Board in a number of ways, including the identification of risk areas, provision of insight into best practices governance, or consultation on other substantive or investigative matters.
Roles and Relationships. Healthcare organizations should define the interrelationship of the audit, compliance and legal functions in their organizational documents. The Guidance states that the “OIG believes an organization’s Compliance Officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner. While independent, an organization’s counsel and compliance officer should collaborate to further the interests of the organization.”
Reporting to the Board. The Guidance provides that Boards should receive regular updates regarding the organization’s risk mitigation and compliance efforts, including from those responsible for audit, compliance, human resources, legal, quality, and information technology. Boards should communicate their preferences and requirements for receiving compliance related information from management in a timely and thorough manner. Boards may also choose to hold regular “executive sessions” to receive updates from the compliance, legal, internal audit and quality departments.
Identifying and Auditing Potential Risk Areas. The Guidance recommends that Boards ensure that management consistently reviews and audits risk areas, including information from internal and external sources such as internal audits and employee reports as well as industry publications, OIG guidance, consultants and news media. The Guidance states that there should be a “clear understanding” between the Board and management as to how the healthcare provider approaches and implements relationships with referral sources in light of the Stark Law and anti-kickback laws. There should be a clear understanding of how those relationships will be handled, and what level of risk is acceptable. The Guidance also suggests that Boards examine how they can use publicly available information including, among other things, data on health outcomes and quality measures and CMS physician payment data to benchmark against peer organizations.
Encouraging Accountability and Compliance. The Guidance makes clear that, “Compliance is an enterprise-wide responsibility.” In order to promote this principle, the Guidance suggests that Boards consider assessing employee performance in promoting and adhering to compliance.
The Guidance concludes by encouraging Boards to increase their knowledge of relevant and emerging regulatory risks, how the organization’s compliance program will address those risks, and how potential issues and problems are reported to management. This should be done while encouraging compliance accountability across the organization. While not every recommendation is appropriate for every organization, the recommendations are intended to help Boards fulfill their obligations under federal, state and local laws.