On April 20, 2015, the Department of Health and Human Services Office of Inspector General (“HHS-OIG“) published its “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the “Guide“). The Guide was prepared in collaboration with the Association of Healthcare Internal Auditors, the American Health Lawyers Association, the Health Care Compliance Association, and according to the Guide, provides tips to health care boards (“Boards“) on four categories: “(1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.” While not a legally binding document, the Guide provides helpful insight for Boards and underscores best practices in these areas.
As to the roles and relationships of key organizational functions, the Guide generally recommends that Boards periodically make themselves aware of and evaluate different functions within the organization including compliance, legal, internal audit, human resources, and quality improvement. The evaluation should ensure that these functions are adequate, independent, and performing properly; including that they have access to appropriate and relevant corporate information and resources and are engaging in effective and meaningful communications.
As to issue reporting, the Guide recommends that Boards set and enforce expectations for compliance and risk management reports from responsible personnel in key functions such as audit, compliance, human resources, legal, quality, and information technology. In addition, the Guide suggests that Boards consider implementing a number of measures to improve reporting including (1) developing scorecards measuring management execution of compliance programs and risk mitigation, as well as implementation of corrective action plans; (2) setting expectations for management to address significant regulatory changes and enforcement events; (3) using dashboards to report risk information; or (4) conducting regular executive sessions to discuss risk and compliance issues.
With respect to identifying and auditing potential risk areas, the Guide encourages Boards to ensure that its organization has strong processes for identifying risks particularly in areas of key interest such as referral relationships and arrangements, billing, privacy breaches, quality-related events; and new industry trends (e.g., increasing emphasis on quality, industry consolidation, and changes in insurance coverage and reimbursement). Further, and in order to satisfy an organization’s requirement to monitor and audit to detect criminal fraud, the Guide recommends that Boards ensure consistent review by management of audit risk areas and use of corrective action plans where appropriate.
Finally, the Guide reminds Boards to develop and encourage a compliance “way of life.” Suggestions for doing so include assessing employee performance in compliance, implementing annual incentive programs contingent on meeting certain compliance goals, encouraging self-identification of compliance failures and voluntary disclosures, and evaluating whether, and ensuring that, compliance systems and processes encourage effective communication.