On April 20, 2015, the U.S. Department of Health and Human Services Office of Inspector General (“OIG”), together with industry leaders, released a new educational resource to help governing boards of health care organizations (“Boards”) meet their compliance oversight obligations. The publication, Practical Guidance for Health Care Governing Boards on Compliance Oversight (the “Guidance”), is the latest in a series of educational materials published by OIG. It follows three similar resource papers for Boards, various summaries of government-industry roundtable meetings on the topic of governance, and, most recently, a one-page “toolkit” intended to assist Boards in developing and maintaining a culture of compliance within their organizations.
Health care organizations and their Boards will recognize several themes from prior OIG publications, such as the importance of independent legal and compliance functions; recognition that the nature of Board oversight will differ based on the size and complexity of the organization; and emphasis on the U.S. Sentencing Guidelines and OIG voluntary compliance program guidance as tools to measure the effectiveness of an organization’s compliance program. In light of other OIG guidance, including OIG’s evolving priorities and areas of emphasis in industry corporate integrity agreements (“CIAs”), the following features of the Guidance are particularly noteworthy:
- Roles of Legal, Compliance and Internal Audit Functions. The Guidance reiterates OIG’s longstanding view that health care organizations should maintain separate legal and compliance functions (to the extent that available resources permit such separation), with each having uninhibited access to the Board and appropriate administrative reporting relationships within the organization. The Guidance also applies the same principles of independence and separation to the organization’s internal audit function (i.e., providing an objective evaluation of an organization’s risk and control systems and developing actions to enhance internal controls and reduce organizational risk). By stressing the importance of separating these functions, the Guidance signals OIG’s view that each function serves a distinct purpose with respect to Board compliance oversight.
- Identification and Evaluation of an Organization’s Key Risk Areas. The Guidance emphasizes that Boards must understand regulatory and operational risks relevant to their organizations and must ensure that their organizations have strong and effective processes to identify and mitigate risk. Along these lines, CIAs generally require companies to engage in regular compliance monitoring and auditing to identify compliance gaps or violations. CIAs also increasingly require companies to implement annual risk assessment and mitigation programs tailored to the products and services the companies provide. OIG’s continued focus on risk assessment and mitigation indicates that a Board should engage in prospective, regular analysis of the organization and business to understand areas of company-specific risk, and should devote appropriate resources to the thoughtful mitigation of risk.
- Fostering Culture of Compliance. The Guidance highlights trends within the health care industry to promote enterprise-wide recognition of, and accountability for, an organization’s compliance program. For example, recent CIAs require annual certifications of compliance from managers outside of the compliance program. Notably, the Guidance also makes specific mention of the following:
  - Boards of companies, including a small number of companies under CIAs, have implemented recoupment (“claw-back”) programs that apply when compliance metrics are not met or significant violations occur. More widely, pharmaceutical and medical device manufacturer CIAs routinely require that “off-label” sales be excluded from incentive compensation decisions.
  - Boards have implemented defined, systematic compliance goals throughout their organizations, which may be used to assess performance of individual employees, as well as entire departments or facilities, in promoting and adhering to the compliance program.
  - Boards systematically evaluate their organizations’ reporting mechanisms and non-retaliation procedures to encourage effective communication and the raising of compliance concerns by employees. Relatedly, the Guidance highlights providers’ legal and ethical obligations to disclose known violations of law, in particular under OIG’s Self-Disclosure Protocol.
- Evolving Legal and Regulatory Environment. Given the complexity and dynamic nature of the legal and regulatory regime governing health care organizations, Boards must ensure that they keep informed about legal and regulatory changes that could affect the organizations they oversee. Regular updates to the Board by educated personnel and internal training of Board members, both of which are standard requirements of CIAs, may or may not be sufficient. The Guidance suggests that Board members may also seek out external, industry-wide educational opportunities and/or review peer company CIAs to better understand government priorities and industry best practices for compliance programs.
The new Guidance also identifies what it refers to as “practical tips” for Boards as they oversee their organizations’ compliance with State and Federal laws that regulate the health care industry. Many organizations and their counsel will view these as standard fare. That the Guidance identifies them specifically may be seen as an attempt to be standard-setting. They include:
- Expert Advice. The Guidance suggests that organizations include an experienced compliance, legal, or regulatory professional as a member of the Board or engage such a professional as an outside consultant to provide regular compliance advice to the Board. These experts can help the Board understand the complexities of the organization’s compliance program, identify regulatory risks, and make informed decisions about the design and implementation of the program. The Guidance notes that certain companies under CIAs are required to retain outside experts in compliance or governance issues to help Boards fulfill their CIA obligations.
- Education. Board participation in educational programs that focus on industry-wide compliance issues and compliance program design, combined with internal training and education, is important to ensure Boards are educated on evolving regulatory requirements, as well as key risk areas for their organizations. This is further supported by the Board member training requirements in a number of recent CIAs.
- Regular and Fulsome Reports. In order to ensure the Board receives compliance-related information needed to fulfill its oversight duties, the Board should meet periodically with key internal personnel across a variety of departments, including audit, compliance, human resources, legal, and information technology. Boards may also wish to schedule regular meetings with personnel from the compliance, internal audit, legal and quality functions – excluding senior management – so as to encourage open dialogue and avoid the impression that such meetings occur only when problems arise.
- Reporting Tools. Boards should evaluate whether they need additional tools to organize and document the information they receive. The Guidance notes that some companies use objective “scorecards” to measure how well management is implementing the compliance program, mitigating compliance risk and undertaking corrective actions. The Guidance also notes that some Boards work with management to develop compliance “dashboards” to strike the appropriate balance between too much and too little information.
- Use of External Resources to Identify Risks. Boards should consider how to make use of new publicly available information about the health care industry, such as physician payment (“Sunshine”) reports, Medicare payment data, and health outcomes and quality measures. Boards may compare their organizations’ data against peer companies or national benchmarks to better assess organizational risk and compliance program effectiveness. When a peer company experiences a publicized compliance failure, Boards should ask management about the controls and processes in place within their own organizations to reduce the risk of a similar failure.
- Written Delineation of Functional Responsibilities. The Guidance suggests that organizations should develop charters or other organizational documents that define the structure and relationship of compliance, legal, internal audit and other functions (e.g., human resources, quality and risk management). Relatedly, Boards should implement a process to ensure that each function has appropriate access to information and resources.