On April 20, 2015, the U.S. Department of Health and Human Services Office of Inspector General (OIG), in conjunction with the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA) released a joint educational resource to assist governing boards of healthcare organizations carry out their compliance plan oversight obligations. Entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the Guidance), the Guidance supplements previous guidance documents issued by the OIG and AHLA in 2003, 2004 and 2007 related to oversight by healthcare company boards of directors (BODs). Included are practical tips that BODs may implement in the areas of internal reporting, identifying regulatory risk areas, and facilitating compliance. The Guidance also addresses the roles of and relationships between a healthcare company’s audit, compliance, and legal departments.

Notably, the Guidance is not binding. It does, however, include expectations and recommendations for board members that go beyond existing OIG guidance regarding the elements of effective compliance programs and indicates that board members should hone their skills in providing oversight and review of compliance program functions.

Designing a Corporate Compliance Program

The Guidance suggests three resources that healthcare companies may consult when designing a corporate compliance program: (1) the Federal Sentencing Guidelines, (2) OIG’s voluntary compliance program guidance documents, and (3) OIG Corporate Integrity Agreements, if the entity has entered into a CIA. While the guidance recognizes that the design of a corporate compliance program is “not a ‘one size fits all’ issue,” it does set forth an expectation that BODs should “put forth a meaningful effort” to review the adequacy of their company’s existing compliance program, evaluating the scope and complexity of the program in light of the size and complexity of the organization. The Guidance also suggests that BODs develop a formal plan to stay abreast of relevant regulations – suggests an “education calendar” that ensures the board members are periodically educated by management on regulations related to the organization’s risk areas. An educated BOD will then be knowledgeable enough to ask pertinent questions and to “make informed strategic decisions.”

Defining the Roles of Audit, Compliance, and Legal

According to the Guidance, organizations should define the interrelationship of the audit, compliance, human resources and legal functions of the entity in the organizational documents, including details of the reporting hierarchy. The Guidance provides an example description of each function that could be included in a company’s charter or organizational document.

The Guidance includes the OIG’s belief that the compliance officer should not also be legal counsel for the provider and should not be subordinate in function or position to counsel or the legal department. The OIG has long expressed a preference for separating organizations’ compliance functions from their legal departments, and has identified potential conflict-of-interest risks associated with having in-house counsel responsible for compliance. However, the Guidance advances a stronger position on separating the compliance officer role from the legal department than the OIG has taken in previous guidance.

Reporting to the Board

The Guidance identifies as a BOD responsibility the scheduling of regular compliance-related reports, including separate and independent reports from key management personnel, as well as audit, compliance, human resources, legal, quality, and information technology personnel, rather than calling for reports only when a problem arises. Along with regular reports, the Guidance suggests that BODs establish a risk-based reporting system. Importantly, BODs should be educated on the organization’s process and mechanisms to report violations and to evaluate corrective action plans.

Identifying and Auditing Potential Risk Areas

BODs “should ensure” that both management and BODs have “strong processes that identify risk areas.” The Guidance notes that organizations’ high risk areas may be determined by consulting internal information sources such as employee reports to an internal compliance hotline and/or external sources such as OIG guidance. BODs then should set and enforce expectations that management consistently review and audit the identified risk areas. The Guidance notes that audit results reflecting compliance issues should be accompanied by a corrective action plan.

Encouraging Accountability and Compliance

The Guidance provides examples of how boards may foster a corporate culture of compliance to meet the ultimate goals of protecting the integrity and viability of the healthcare delivery system. The Guidance suggests that, to creatively motivate compliance, BODs should implement employee and executive compensation claw-back provisions if compliance metrics are not met. These specific employee incentives and penalties related to compliance activities also go further than past OIG guidance, which has focused on taking appropriate corrective actions (left largely to the discretion of the employer) to respond to compliance violations.

Commentary

The Guidance states that the document is not intended to set particular standards of conduct and should not be taken as legal or professional advice or opinion from any of the organizations, is not a “one size fits all” and includes measures that may not be appropriate for every organization. Despite these assurances, the tone of the Guidance and the detailed expectations of BODs appear more focused on and applicable to highly functional mega-systems than to community hospitals and BODs or small physician practices. In addition, the inclusion of multiple “shoulds” reflects significant OIG input and the OIG “belief” that irreconcilable conflicts exist between an organization’s legal counsel and its compliance officer is certainly contrary to that of the authors of this client alert.

The Guidance does, however, illustrate the OIG’s expectations for the level of BOD involvement in and leadership of an organization’s compliance program and, solely for this reason, should be carefully reviewed by BODs, as well as compliance, legal, audit, quality and human resources personnel.