On April 20, 2015, the Office of the Inspector General of the Department of Health and Human Services (“OIG”) released educational guidance designed to assist governing boards of health care organizations (“Boards”) in their compliance oversight functions. This guidance, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the “Guidance”), was developed in a collaborative effort among the OIG, the Association of Healthcare Internal Auditors (“AHIA”), the American Health Lawyers Association (“AHLA”), and the Health Care Compliance Association (“HCCA”).

The Guidance updates previous guidance issued by OIG and AHLA, and incorporates insight from the AHIA and HCCA to help assist the internal auditors, compliance officers, and lawyers that report to the Boards. The document addresses four key issues relating to a Board’s oversight and review of compliance program functions: (1) the roles and relationships among an organization’s audit, compliance, and legal departments; (2) the mechanisms and processes for reporting to the Board; (3) identifying and auditing regulatory risk; and (4) methods to encourage organization-wide accountability for achieving compliance goals and objectives.  

Complementing the previous guidance issued by OIG and AHLA, the Guidance provides some practical suggestions for and expectations of Boards when implementing their oversight compliance programs. Boards have a duty to act in good faith in exercising their oversight function to ensure that the organization has a corporate reporting system that is adequate to ensure that appropriate information relating to compliance and applicable law comes to the Board’s attention in a timely manner as a matter of course. Specifically, the Guidance suggests that Boards should not take a “one size fits all” approach to compliance, given the varying sizes and complexity of their organizations. Rather, Boards should take into account the differing regulatory landscapes and operating environments in which they operate, and should continue to raise the bar by adding regulatory and compliance experts to their Boards. The Guidance also suggests that Boards should develop a formal plan to stay abreast of the ever-changing regulatory landscape – clearly a challenge for all health care organizations that are subject to an increasing array of regulatory requirements.

In an in-depth discussion of the roles and relationships of the audit, compliance, and legal departments of an organization, the Guidance reinforces the proposition that compliance is an enterprise-wide function, not simply a function of one department within the organization. The Guidance illustrates that while some compliance approaches may set specific boundaries, other approaches should focus on cooperation and collaboration between the relevant departments of an organization. Regardless of the approach, however, the OIG reiterates its position that the compliance and legal functions should remain independent—in addition to internal audit, human resources, and quality improvement. Additionally, the Guidance provides that when overseeing compliance programs, Boards should be aware of how the management of an organization approaches conflicts and disagreements when resolving compliance issues.

The Guidance further discusses processes for identifying and auditing potential risk areas common to all health care providers, how Boards can employ existing industry tools to address risk areas, and methods for ensuring that organizations constantly review and audit risk areas. Among other things, the OIG suggests that Boards should receive regular reports regarding an organization’s risk mitigation and compliance efforts.

The Guidance also focuses on building incentives into compliance programs to encourage self-identification of compliance issues and voluntary self-reporting of compliance “failures.” The Guidance provides the example of the so-called 60-Day Rule, which requires providers enrolled in the Medicare and Medicaid programs to report and refund known overpayments within 60 days from the date when the overpayment is “identified” or within 60 days from the date when any corresponding cost report is due. While acknowledging that there are still no final rules to guide Boards or health care organizations on what it means to “identify” an overpayment, the Guidance suggests that Boards ask management about its efforts to develop policies for identifying and returning overpayments in anticipation of this rule and, more broadly, how the organization is correcting compliance issues. In addition, the Guidance emphasizes that health care organizations need to monitor new developments and ensure that the organization is taking appropriate steps to comply and reduce enterprise risk.

In advancing the overarching theme that compliance is an enterprise-wide responsibility, the Guidance emphasizes that it should not be construed as setting a particular standard of conduct. Nonetheless, the document emphasizes that “every Board is responsible for ensuring that its organization complies with relevant federal, state, and local laws.” In closing, the Guidance underscores that while there is no uniform approach to compliance, Boards should continuously make their best efforts to increase their knowledge of emerging risks and to encourage a level of compliance accountability on an organization-wide basis.

The Guidance notes that large and small organizations must demonstrate equal levels of commitment to ethical conduct and compliance, even if they have differing levels of resources available to do so. Given this, and in light of the increasing number of Corporate Integrity Agreements in which the OIG requires specific compliance attention and activity by Boards of Directors, large and small organizations alike would do well to build a compliance role into their Board activities.