On April 20, 2015, the Office of the Inspector General of the U.S. Department of Health and Human Resources (“OIG”), in collaboration with the American Health Lawyers Association, the Association of Healthcare Internal Auditors, and the Health Care Compliance Association, published guidance directed in particular at health care organizations’ boards of directors and trustees regarding compliance oversight.[1] This guidance reaffirms that federal enforcement authorities are increasingly focused on boards, both as a check on potential violations by management and for potential liability on the part of boards and individual board membership.

This guidance reflects the heightened challenge for boards to ensure their organizations’ compliance with applicable federal and state laws concerning, among other things, referral relationships and arrangements, billing issues (such as upcoding and submitting claims for services not rendered and/or medically unnecessary services), privacy breaches, and quality-related events.

The focus on governing boards not only mandates enhanced compliance oversight but also might require boards to obtain legal, billing-audit, and other professional advice independent of management, especially in the context of an official government investigation or where, at the conclusion of a matter, the board faces duties imposed upon it by Corporate Integrity Agreements (“CIAs”) or other settlement obligations.

The following suggestions are essential for creating and maintaining a program that can best promote effective corporate compliance as well as offer protection to governing boards:

Board Oversight

  • Ensure that there is a corporate reporting system in place that will deliver pertinent information to the board in a timely manner relating to compliance with applicable laws. At a minimum, your organization’s chief compliance officer should periodically report directly to the board or its compliance or audit committees independent of management. It is a best practice that this person should not be the General Counsel or function as an attorney advising management but be limited to a compliance role.
  • Create benchmarks as to goals and functions for your organization’s compliance program as described in the Federal Sentencing Guidelines,[2] OIG’s voluntary compliance program guidance documents,[3] and published OIG CIAs.
  • Include data privacy (including HIPAA compliance) and cybersecurity as a compliance element.
  • Insist that the compliance department provide periodic documentation of its training and quality control activities, including quantitative data on outcomes concerning discipline and remediation.
  • Ensure that the scope and adequacy of the program is adaptive to changing conditions and is reflective of the size and scope of your organization.
  • Develop a formal plan to stay updated with the constantly changing regulatory and legal compliance landscape.
  • Create charters or similar documents defining the organization’s audit, compliance, and legal functions. The OIG suggests that, even though these functions can collaborate, they should be independent, particularly as to the legal function.
  • Implement a formal process to ensure that appropriate access is granted to information needed by the audit, compliance, and legal entities within the organization.
  • Create and enforce clear expectations for receiving specific types of compliance information from members of your management team. The OIG suggests that the board should receive regular comprehensive reports that include information about the organization’s risk mitigation and compliance efforts. Boards should receive this information in a format that satisfies the interests and concerns of its members by using special tools to deliver the information, such as a customizable dashboard.
  • Consider carefully those board members who are tasked specifically with compliance oversight functions and ensure that they have the necessary training and experience for this role.

Auditing and Correcting Potential Risk Areas

  • Besides reviewing internal and external audits, require a complete corrective plan if deficiencies are indicated.
  • If board members have financial relationships with referral sources or recipients, analyze how the organization is reviewing these arrangements for compliance with Stark and anti-kickback laws.
  • If you discover a violation of any laws, consider disclosing under the OIG’s Self-Disclosure Protocol in order to have a faster resolution of the case, lower monetary penalty, and exclusion release.