The healthcare industry always has taken the lead in compliance issues, developing innovative compliance tools and programs.   Anti-corruption compliance borrows heavily from many healthcare compliance ideas.

Healthcare companies are dependent on the government for revenues.   As the government plays a greater role in our healthcare system, healthcare companies can expect compliance to become even more important.   At the same time, the government is dedicating more resources to prosecuting healthcare companies for fraud.  This effort will continue and ultimately expand.  For companies in the healthcare industries, the risks are significant and will only increase as the complexity of the healthcare system increases, and as the government plays a large role in the industry.

Healthcare companies have seen the development of mandatory compliance requirements. The sources of these requirements include: (1) the US Sentencing Guidelines; (2) Office of Inspector General/Health and Human Services Guidance; (3) Medicare Part C and D Mandatory Compliance Guidelines; and (4) FAR Acquisition Regulations.  Since 1998, the OIG/HHS has encouraged healthcare providers to implement voluntary compliance programs.

In 2006, the Center for Medicare and Medicaid Services (CMS) adopted mandatory compliance regulations, which originated from the Prescription Drug Improvements and Modernization Act of 2003, and were adopted as part of the Prescription Drug Benefit Manual.   The CMS regulations require companies to adopt compliance programs which contain eight (8) basic elements.   In a 2006 oversight report, the OIG/HHS issued guidance on compliance and noted that CMS has not audited any companies to make sure that they have complied with the mandatory compliance requirement.

The FAR Acquisition regulations adopted a mandatory disclosure rule which required covered companies to implement compliance programs.  The mandatory disclosure and compliance rule applies only to those companies who have contracts with the federal government, Medicare Advantage subcontractors, Part D Plans, Veterans Affairs, and Tricare Plans, and excludes Medicare A hospitals or Medicare B providers.  

Recently, mandatory compliance requirements were enacted through statute in the Affordable Care Act (Sections 6102 and 6401).   Under the ACA, companies are prohibited from participating in Federal heath care programs unless their compliance programs contain certain core elements.   HHS has not yet defined the date for compliance or the required elements of a compliance program. 

The ACA sets out required core elements. The HHS regulations are likely to draw from the statute and from earlier regulatory proceedings which solicited input on the basic compliance program requirements.   These core requirements will include:

  1. Written policies, procedures and standards of conduct to prevent and detect inappropriate behavior;
  2. Designation of a chief compliance officer and other appropriate bodies (for example a corporate compliance committee) charged with the responsibility of operating and monitoring the compliance program and who report directly to high-level personnel and the governing body;
  3. Effective education and training programs for the governing body, all employees, including high-level personnel, and, as appropriate, the organization’s agents;
  4. Maintenance of a hotline and anonymous reporting procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation;
  5. A system to respond to allegations of improper conduct and the enforcement of appropriate disciplinary action against employees who have violated internal compliance policies, applicable statutes, regulations or Federal health care program requirements;
  6. The use of audits and/or other evaluation techniques to monitor compliance and assist in the reduction of identified problem areas; and
  7. The investigation and remediation of identified systemic problems including making any necessary modifications to the organization’s compliance and ethics program.

The core elements are likely to be expanded to include some other requirements:

  • Hospitals and long-term care facilities will be required to monitor supplier quality risks
  • Companies will be required to use basic tracking systems, data capturing systems and electronic claims submission systems
  • Adjusting compliance requirements for individuals versus corporations

Companies have every reason to re-examine their compliance programs. It is easy to sit back and wait for the HHS regulations but with ongoing aggressive enforcement, companies should be updating their compliance programs.