On April 20, 2015, the US Department of Health and Human Services Office of Inspector General (OIG), the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA), and the Health Care Compliance Association (HCCA) jointly released an educational resource for governing boards (Boards) titled Practical Guidance for Health Care Governing Boards on Compliance Oversight (Compliance Oversight Guidance).

Building on previous guidance that has emphasized the need for Boards to take an active role in compliance oversight, the Compliance Oversight Guidance aims to provide practical tips to Boards carrying out their responsibilities. In particular, the Compliance Oversight Guidance discusses:

  • Expectations for Board oversight of compliance programs;
  • Roles of, and relationships between, an organization’s audit, compliance, legal, human resources, risk management, and quality improvement departments;
  • Regular reporting to the Board regarding risk mitigation and compliance efforts;
  • Methods for identifying and auditing potential risk areas; and
  • How to ensure that the entire organization promotes and adheres to compliance requirements.

The Compliance Oversight Guidance describes best practices, many of which are not necessarily legal requirements. Nevertheless, in the current enforcement environment where so many cases are being settled, rather than going to trial, following the government’s “guidance” can be very helpful in reducing risk. While much of the information provided has appeared previously in other guidance documents, there are a few new insights and areas of focus in the Compliance Oversight Guidance. In particular, Boards are strongly encouraged to use Corporate Integrity Agreements that have been imposed on other entities as a baseline assessment tool. This recommendation sets the compliance bar at a high level, as CIAs often go well beyond the legal minimum required.

The Compliance Oversight Guidance also suggests that the Board raise its substantive expertise by adding a board member who is an experienced regulatory, compliance, or legal professional (or by consulting periodically with such an individual). In addition, the Compliance Oversight Guidance suggests that the Board consider holding executive sessions with compliance, legal, internal audit, and quality functions, while excluding senior management, on a regular basis. These executive sessions are intended to facilitate an expectation of open dialogue.

The Compliance Oversight Guidance also identifies certain types of “high risk” areas, including:

  • Billing problems (such as upcoding, providing medically unnecessary services, or submitting claims for services not provided);
  • Privacy breaches; and
  • Quality-related events.

Boards are further directed to assess the relationships between their physician employees and other health care entities. In particular, the Board should assess whether these relationships could impact matters such as clinical and research decision-making.

While the Compliance Oversight Guidance provides a good starting point, Boards should ensure that their organizations have consulted with counsel and other compliance professionals in structuring and operating their compliance programs in order to ensure that all necessary requirements are met and the organization is sufficiently protected.