On April 20, 2015, the U.S. Department of Health and Human Services Office of Inspector General (OIG) announced the release of a new guidance document, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (Guidance), to assist governing boards of health care organizations carry out their compliance plan oversight obligations. The Guidance was developed in collaboration with the American Health Lawyers Association (AHLA), the Association of Health Care Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA). While the Guidance is targeted to health care governing boards, the OIG believes it will also assist internal auditors, lawyers and compliance officers that report to governing boards. The cross-disciplinary authorship of the Guidance highlights the complementary roles of the internal audit, compliance and legal functions in any comprehensive compliance program.
The Guidance discusses health care organizations’ obligations to comply with various federal and state regulations, as well as how to identify and avoid kickbacks, overbilling and other instances of noncompliance that can lead to civil and criminal penalties. The Guidance suggests diverse tools and tips that boards of varied sizes and resources may use, including processes for identifying risks, tools for improving adherence to program objectives and effective reporting tools for board meetings.
The Guidance sets forth the OIG’s expectations for Board oversight of compliance program functions: “A Board must act in good faith in the exercise of its oversight responsibility for its organization, including making inquiries to ensure: (1) a corporate information and reporting system exists and (2) the reporting system is adequate to assure the Board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course.” The OIG notes that the existence of a corporate reporting system is a “key compliance program element” in that it keeps the Board informed of the activities of the organization and also enables the organization to evaluate and respond to potential compliance issues.
The Guidance provides practical tips to assist Boards in carrying out their oversight roles for their organizations’ compliance program, including the following:
Formal Plan to Stay Abreast of the Regulatory Environment. Having an understanding of the ever-changing regulatory environment will help Boards ask more pertinent questions and make informed strategic decisions regarding the organization’s compliance program, including funding and resource allocation decisions. The OIG suggests that Boards may stay up-to-date by receiving periodic updates from informed staff or reviewing resources made available to them by staff. In addition, the OIG also suggests that Boards consider raising their level of substantive expertise by adding an expert to the Board or periodically consulting with an expert.
Roles and Relationships: Audit, Compliance, Legal, HR and Quality Improvement Functions. Governing boards should be aware of, and evaluate, the adequacy, independence and performance of these different functions within an organization on a period basis. In this Guidance, the OIG once again reiterates its belief that “an organization’s Compliance Officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.”
Board Reports. Governing boards should receive regular reports regarding the organization’s risk mitigation and compliance efforts from a variety of key individuals. The Board should set expectations of the type of compliance information it wants to receive, such as information about internal and external investigations, hotline calls, allegations of material fraud or senior management misconduct and exceptions to the organization’s code of conduct and expense reimbursement policy. The information should be presented to the Board in a format sufficient to satisfy their interests and concerns without overwhelming them with details. The OIG’s Guidance also suggests that Boards may want to conduct “executive sessions” with leadership from compliance, legal, internal audit and quality to encourage more open communication.
Auditing Process. Boards should ensure that management consistently reviews and audits risk areas, including “monitoring and auditing to detect criminal conduct.” Governing boards should establish a process for identifying potential risks areas based on information from internal and external sources, including internal audits and employee reports as well as industry publications, OIG guidance and news media. The Guidance states that there should be a “clear understanding” between the Board and management as to how the health care provider approaches and implements relationships with referral sources that potentially implicate the Stark Law and Anti-Kickback Statute and what level of risk is acceptable in those arrangements. The Guidance also suggests that Boards consider how they might use publicly available information (CMS physician payment data, data on health outcomes and quality measures, etc.) to compare their organization to peers and to be cognizant of the relationships their employed physicians have with other health care entities in order to assess whether those relationships could have an impact on clinical and research decision-making.
Compliance Culture. The new Guidance makes clear that “[c]ompliance is an enterprise-wide responsibility.” The OIG suggests that Boards may assess employee performance in promoting and adhering to compliance and either withhold incentives or provide bonuses based on compliance and quality outcomes. As an example of how a Board may assess whether an organization’s compliance program is proactive in correcting and remediating compliance issues, the OIG Guidance suggests that Boards ask management about their efforts to develop policies for identifying and returning overpayments in accordance with the 60-Day Rule. The Guidance also suggests that Boards query their management team to determine how they handle the identification of probable violations of law, including voluntary self-disclosure of such issues to the Government.
In order to ensure that health care governing Boards are fulfilling their responsibilities as Board members, the OIG suggests that Boards make efforts to increase their knowledge about compliance issues and risks, the role of the organization’s compliance department and how it functions in the face of such risks, and how potential issues and problems are reported to senior management. The Guidance also notes that Boards should be encouraging compliance accountability across the organization. The OIG recognizes that compliance programs and Board oversight are not one-size-fits all and that not every suggestion in the Guidance may be appropriate for every organization. However, the Guidance notes that Boards are expected to put forth “meaningful effort to review the adequacy of existing compliance systems and functions” and reiterates that regardless of the size of the organization, “every Board is responsible for ensuring that its organization complies with relevant Federal, State, and local laws.”