On April 20, 2015, the United States Department of Health and Human Services Office of the Inspector General (OIG) issued guidance aimed at the governing boards of healthcare entities. The guidance—issued in conjunction with associations of healthcare auditors, attorneys, and compliance professionals—aims to inform healthcare boards regarding their oversight duties. Although the guidance is written at a relatively high level, it contains numerous statements and recommendations that will be of interest to any board concerned with healthcare compliance.

In the guidance, OIG states that boards have a duty to act reasonably in ensuring that a corporate information and reporting system exists and that the reporting system is adequate to provide the board with appropriate information relating to compliance. OIG recommends that boards consult OIG’s own compliance guidance and also the Federal Sentencing Guidelines and Corporate Integrity Agreements (CIAs) as benchmarks for the board’s compliance efforts. CIAs are imposed on organizations that have been investigated by the OIG because of fraud allegations and contain structural and reporting requirements, while the Sentencing Guidelines consider compliance activity in mitigation of criminal fines and sentences.

In its recommendations, OIG takes into account the size of organizations to some extent. OIG requires that even smaller organizations “show the same degree of commitment to ethical conduct and compliance as larger organizations.” It recognizes, however, that smaller organizations may be able to do so “with less formality and fewer resources” than a larger organization. The guidance states that in smaller organizations it may be possible to use existing employees for compliance instead of hiring separate staff and suggests that boards may be more personally involved.

Despite this recognition of the potential burden on smaller entities, OIG states that a company’s legal, compliance, and internal audit functions should be separate and independent, which clearly requires the involvement or hiring of a number of employees. OIG also recommends that boards consider entering into executive sessions (without management present) with those employees responsible for compliance and suggests that such sessions should be regular so that management is not lead to believe that any executive session relates to a particular problem.

OIG recommends that boards have a formal plan to stay up to date regarding changing regulations including through updates from employees and management as well as formal education. The guidance also suggests that it may be desirable for a board to include one or more members who are professionals with healthcare compliance expertise. OIG states that the board and management should stay up to date regarding new potential compliance risks and industry trends that may create new risks. Among other emerging risks, OIG cites increased transparency due to the reporting of Medicare payments and the Sunshine Act.

The guidance recommends that boards consider employee incentive programs that are focused on compliance and tied to bonuses or other incentives. OIG notes that boards and their organizations can benefit in several ways from compliance programs, noting in particular that repayment of Medicare and Medicaid overpayments within 60 days after they are identified (as required by statute) will be aided by effective compliance and reporting programs.

From the guidance, boards and board members should understand that OIG is expecting them to play integral and active roles in their organization’s compliance. Boards must be prepared to ensure that their organizations have sufficient compliance structures in place and, in the case of smaller entities, to take personal roles in compliance. Under the guidance, and to take full advantage of the possible mitigation of fines under the Sentencing Guidelines in the event of a criminal conviction, boards cannot rely on upper management for compliance, but must be prepared to create structures in which the individuals responsible for compliance and related areas have direct and open contact with their respective boards.