In April 2015, the Office of Inspector General of the Department of Health and Human Services (OIG), working in collaboration with the American Health Lawyers Association, the Association of Healthcare Internal Auditors and the Health Care Compliance Association, released a compliance guidance document entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the “Guidance”). The Guidance is available here.
The Guidance provides tips and suggestions for boards as they work to oversee their organization’s compliance program, including: (1) the roles and relationships between audit, compliance and legal departments, (2) mechanisms and processes for reporting compliance issues, (3) ways to identify regulatory risks and issues, and (4) ways to encourage accountability across the organization.
Before delving into each of those areas, the Guidance identifies the OIG’s expectation that boards “act in good faith in the exercise of its oversight responsibility for its organization, including making inquiries to ensure: (1) a corporate information and reporting system exists and (2) the reporting system is adequate to assure the Board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course.” The Guidance also cautions boards that they are expected to stay abreast of the “ever-changing regulatory landscape and operating environment.” This solidifies what the industry had assumed and understood: the OIG holds boards accountable for monitoring and taking an active role in compliance programs. The Guidance may signal a new standard for boards in investigations and enforcement actions.
- Roles and Relationships
The Guidance instructs that health care organizations should clearly define the roles, structure, and reporting relationships of the audit, compliance, and legal departments. The Guidance further states that the interactions between the compliance department and the quality, risk management, and human resources functions should be clearly outlined and communicated to all employees. Finally, the Guidance indicates that boards should take responsibility for evaluating the adequacy, independence and performance of these different departments on a periodic basis, giving particular attention to how each identifies, manages and resolves risk issues.
- Reporting to the Board
The Guidance states that the board is expected to set and enforce reporting requirements for members of the organization’s management team. The Guidance emphasizes the need for adequate access to compliance-related information, and indicates that the OIG wants the board to receive reports on compliance matters such as investigations and audits (both internal and external) and to be apprised of compliance-related reports made through hotlines or other avenues, particularly when those reports relate to possible fraud or senior management misconduct. The Guidance suggests that boards should lead the development of “objective scorecards” that measure the effectiveness of elements of the compliance program.
- Identifying and Auditing Potential Risk Areas
The Guidance indicates that boards should ensure that management has an adequate process for identifying risk areas. Risks could be identified through a variety of sources, including internal audits and government guidance. The board should consider the organization’s strengths and weaknesses, as well as recent industry trends, when designing an audit program or risk assessment plan.
- Encouraging Accountability and Compliance
In the final section of the Guidance, the OIG encourages boards to be creative when overseeing compliance programs in order to ensure that compliance is a “way of life” for the health care organization. The board should promote a culture of compliance within the organization. The board should evaluate whether the compliance program and management encourage effective communication about compliance matters, and whether employees feel comfortable voicing compliance concerns without fear of retaliation or retribution. It is undoubtedly the OIG’s expectation that, if the board finds the organization to be deficient in any of these areas, then the board will act to remedy those deficiencies.
The Guidance may set a new standard of accountability for boards. The OIG seems to expect the board of a health care organization to stay abreast of regulatory risks and to monitor the role and functioning of the compliance program in light of those risks.