For the first time in almost ten years, the Office of Inspector General ("OIG") at the U.S. Department of Health and Human Services issued new compliance guidance for healthcare-governing boards ("Boards"). This guidance, Practical Guidance for Health Care Governing Boards on Compliance Oversight (the "Guidance"), provides timely advice for Boards on how to exercise appropriate oversight of compliance programs at a time when healthcare companies and individuals are facing increasing fraud enforcement.

The Guidance is the product of a collaboration among the OIG, American Health Lawyers Association ("AHLA"), Association of Healthcare Internal Auditors, and Health Care Compliance Association. It echoes the three-part compliance series issued by the OIG and AHLA in the early 2000s,1 while also reflecting new industry trends and health reform efforts. The Guidance makes clear that compliance programs are not "one size fits all" but should be adapted to an organization's size and complexity.

Expectations for Board Oversight of Compliance Program Functions. Board members must understand pertinent compliance risks and issues so that they can ask appropriate questions of management and make informed strategic decisions. Further, Boards must have formal plans to stay abreast of the "ever-changing regulatory landscape and operating environment." Plans may involve periodic updates from informed staff, review of regulatory resources, or the creation of a formal education calendar that ensures that Board members are periodically educated on the organization’s highest risks. The Guidance suggests that Boards raise their level of substantive expertise by adding to the Board, or at least periodically consulting with, an experienced compliance professional. Doing so "sends a strong message about the organization's commitment to compliance."

In addition, the Guidance points to available public resources that Boards can use as baseline assessment tools to develop an effective compliance program: the Federal Sentencing Guidelines, OIG's voluntary compliance program guidance documents, and OIG Corporate Integrity Agreements ("CIAs"). The inclusion of CIAs sets a high bar for compliance, as the OIG has required some settling healthcare entities to agree to Board-level restrictions or standards—for example, inclusion of independent, non-executive Board members; required quarterly submissions to the OIG describing compliance materials reviewed by the Board; and standards for training of Board members.2 Notably, CIAs often go beyond minimum legal requirements.

Roles and Relationships in the Organization. The Guidance emphasizes the importance of independence among an organization's legal, compliance, and internal audit functions. While an organization's legal counsel and compliance officer should work together, the Guidance encourages an organization's compliance officer to be separate from, and not subordinate to, legal counsel. Similarly, the internal audit function also should be separate and independent. When organizations cannot completely separate these functions, the Board should provide for independent reporting opportunities to the Board to mitigate potential risks associated with individuals serving in multiple roles.

Reporting to the Board. The Board should receive regular reports on the organization's compliance efforts from the organization's key personnel overseeing these efforts. The Board should consider establishing clear reporting expectations, such as the development of scorecards and reports of hotline activity and fraud allegations, and hold responsible personnel accountable for these expectations. This corporate reporting system is key to the organization's compliance program.

Identifying and Auditing Potential Risk Areas. The OIG singles out areas of particular interest—referral relationships and arrangements, billing problems, privacy breaches, and quality-related events—which overlap with new compliance challenges brought about by evolving payment models and increasing transparency. Newer forms of reimbursement, such as bundling services for a single payment, may create new incentives, compliance risks, and fraud liability. New payment models also have incentivized consolidation among healthcare providers, spurring employment and contractual relationships. Boards are advised to scrutinize referral and compensation arrangements among providers for self-referral and kickback issues. The trend toward increased transparency presents opportunities, such as availability of data to use as benchmarks, but also presents risks, such as increased scrutiny by various stakeholders, including patients, employees, government officials, donors, the media, and whistleblowers.

Encouraging Accountability and Compliance. The entire organization bears responsibility to execute the compliance program. The Guidance suggests that the Board seek out ways to promote and incentivize compliance efforts and ensure the availability of effective communication avenues. For example, the Board should ensure that the organization has mechanisms to voluntarily disclose identified overpayments to the Government as required by law. Boards should ensure that employees feel confident that compliance concerns can be raised without fear of retaliation.

The Guidance serves as a valuable reminder to Boards of their obligation to oversee a healthcare organization's compliance. While the Guidance provides very little new information, it does serve as a framework for Boards to examine their compliance programs from a fresh perspective and determine where improvements can be made. A Board that continually focuses on its organization's compliance efforts ensures that the organization can proactively address issues as they arise and reduces the risk of potential enforcement actions.

The Guidance can be found on the OIG's website.