The Purpose of Compliance Programs
Mandated compliance programs are not a new concept, but they have evolved over time. The Deficit Reduction Act of 2005 required all Medicaid providers receiving $5 million a year or more to have an effective compliance program. In 2009, New York State began requiring that certain providers and managed care plans that receive Medicaid funding of $500,000 a year or more have a compliance program in place, and several other states have followed suit. A host of other regulations make compliance programs mandatory for a full range of entities, including nonprofits (IRS 990 since 2008), federal contractors (FAR 52.203-13 since 2009), Medicare Advantage and Part D Plans (72 FR 68700 and program memos since 2009) and Accountable Care Organizations (since 2012). The Affordable Care Act also defined which entities receiving Medicaid dollars are required to have compliance programs, but the regulations around implementation are still pending.
Effective programs ensure that healthcare organizations are:
- Operating in accordance with applicable laws and regulations
- Creating a culture of honesty and integrity
- Meeting high ethical and professional standards
- Preventing fraud and abuse and other compliance issues
- Detecting compliance issues at earlier stages
- Assuring prompt corrective action
- Creating a culture of ethical and compliance behavior
- Building employee trust and confidence
The Three Purposes of a Compliance Program: Prevention, Detection and Correction
There are eight elements of effective compliance programs that fall within three buckets:
Bucket 1: Prevention
- Written policies/code of conduct
- Compliance officer and oversight
Bucket 2: Detection
- Reporting hotline
- Monitoring/auditing and internal reporting
Bucket 3: Corrective Action
- Disciplinary policies
The Office of Inspector General’s (OIG’s) list includes only seven elements, because it does not cover nonretaliation/nonintimidation. We have included nonretaliation/nonintimidation as an eighth element on our list, however, because it is such a key component of any effective compliance program—and is required as an element by some states, such as New York.
Element 1: Written Policies/Code of Conduct
Written policies should outline compliance program expectations. They are usually embedded in a code of conduct or code of ethics that is broadly applicable to all individuals who are employed by, interact with or serve on the board of the organization.
In addition, there should be a second document that details the operation and implementation of the compliance program, providing guidance around governance, organizational structure and processes for dealing with compliance issues. Some organizations choose to address governance and structure across multiple documents. For purposes of responding to an audit or request from a government agency, however, it is preferable to consolidate this information into a single document. Having the information in one document also simplifies the annual review of policies and procedures and helps ensure that compliance programs are evaluated and updated regularly.
We recommend that compliance plans and related documents be approved by the organization’s governing body and senior management, with that approval recorded through a resolution, meeting minutes or signatures on the policy. Policies and procedures should be reviewed and revised each year, with past versions archived.
In addition, it’s important to remember that, for policies to be effective, they must be easily available to staff—not simply stuck in the compliance officer’s binder or posted to a SharePoint site that not everyone can access. At minimum, the compliance program and code of conduct should be posted on an external website, as well as on an Intranet location that all staff can easily find.
Element 2: Compliance Officer and Oversight
The compliance officer should be a senior role with an appropriate level of autonomy. The best practice is for the compliance officer to report directly to the CEO or the board of directors. He or she should not report to the general counsel—or through operations or finance, where there could be perceived conflicts of interest.
It is critical for the board of directors to review the compliance officer and his or her functions annually and update the job description to reflect added responsibilities. Organizations that have decided to outsource their compliance functions should consider the rationale for that decision—and define how they will maintain active oversight of the compliance officer role.
In addition, the compliance officer should be supported by a compliance committee. The committee should be multidisciplinary and have a charter that details set responsibilities. Compliance committees should meet at least twice a year and ensure that all members are actively involved and accountable. Activities such as quality reporting and grievance monitoring should be reported to the committee, demonstrating that the organization is actively auditing operational activities to ensure compliance. The compliance committee should keep minutes as evidence of its activities.
As was defined in In re Caremark, the governing board also has responsibilities for ensuring compliance. In the 1996 case, the shareholders of Caremark International Inc. brought a derivative action alleging that directors breached their duty of care by failing to put in place adequate internal controls. As a result, the company’s employees were able to commit criminal offenses resulting in substantial fines and civil penalties.
Ultimately the court did not find that the board violated its duty of care, but this case set forth how to determine if the board has exercised its duty of care appropriately:
It’s important that the board exercises good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operation, so it may satisfy its responsibility.
The Business Judgment Rule—the presumption that in making a business decision, the directors of a corporation acted on an informed basis, in good faith and with the honest belief that the action taken was in the best interest of the company—governs the level of detail appropriate for an organization’s information systems. Directors are entitled to rely on their officers, employees and consultants—but have a duty to make reasonable inquiries when facts warrant gathering further information.
The role of the board is general oversight over the compliance program activities. This can be delegated to a subcommittee, but ultimately it is the board’s responsibility. For multientity organizations, it’s key that the governing entity of the subsidiary, as well as the parent board, receive reports on compliance. The board should receive regular updates from the chief compliance officer, annually assess compliance effectiveness, receive reports on audits and investigations, discuss corrective actions, and approve any changes to compliance programs.
Element 3: Training/Education
Educational programs should include training in general compliance issues; fraud, waste and abuse; the Anti-Kickback Statute (AKS); and the False Claims Act, as well as inappropriate gifts and relationships with referral sources that could put the company at risk for noncompliance. The training should be documented, including pre- and post-tests. To create a culture of compliance, training should be part of the onboarding process, as well as held annually—and be supported with monthly email blasts and in-person road shows that reinforce best practices. Compliance training and education should not just be an annual “check the box” activity.
Element 4: Reporting Hotline
It is critical to have a hotline that enables confidential and truly anonymous reporting of compliance issues. The organization may publicize reporting options, such as email, toll-free numbers and mailbox addresses, including information on the kinds of issues to report. To help publicize the hotline, the number can be placed on the email signature lines of employees, external-facing websites and posters in lunchrooms.
Element 5: Monitoring, Auditing and Internal Reporting
It is important to perform an annual risk assessment that is specific to an organization. The assessment should go beyond looking at the OIG, Centers for Medicare & Medicaid Services (CMS) and Department of Justice (DOJ) areas of focus. It should incorporate interviews with key staff to identify each organization’s particular risks, as well as look at any compliance challenges over the past 12 months and consider internal controls and accountability. Results should be presented to senior leadership and the board, with a strategy developed to determine how findings fit with other risk assessments and enterprisewide approaches. The annual risk assessment should be continuously revisited throughout the year to ensure it remains accurate in light of changes facing the organization.
As a best practice, leverage the risk assessment to create an annual monitoring, auditing and internal reporting program. The assessment can be used to identify trends, support quality reviews and other operational activities, determine where expertise is lacking and third parties should be engaged, evaluate vendors, and track compliance hotline calls.
The annual compliance work plan may be broader than just auditing and monitoring. It may involve creating new policies and procedures, as well as potentially setting up ad hoc committees to look deeper into possible compliance issues. Similar to the risk assessment, the work plan is a living document and may change over the year. Any changes or updates should be documented and justified.
Element 6: Nonretaliation and Nonintimidation
Nonretaliation and nonintimidation are crucial elements of effective compliance programs. People will not participate if they fear they will lose their jobs for reporting potential issues. The compliance officer should partner with human resources to ensure the nonretaliation and nonintimidation policies are strictly enforced.
Element 7: Investigations and Remediation
It is critical to respond quickly and thoroughly to compliance issues, because the clock starts ticking the day an organization acknowledges that it has received a potential overpayment. (If a company doesn’t act within 60 days of an overpayment being identified, it can face an FCA case. See part 1 of our series for more information.)
Investigations should be performed by qualified individuals and scoped to determine the “who, what, when and how” of the issue. It is critical that investigations identify root causes, as well as uncover and correct any areas of system vulnerability to ensure there is no further risk of overpayment. Corrective actions should be tracked to confirm that they have been effective.
Element 8: Disciplinary Policies
Clear disciplinary policies must be in place for anyone who has engaged in unlawful or unethical actions. The policies should apply consistently across all levels and positions, including employees, board members and vendors. Board members should be removed and vendors and employees terminated if any misconduct is identified. We strongly recommend that creating a culture of compliance be a performance review metric. It also is important that incentive compensation programs support a culture of ethics and compliance and don’t inadvertently encourage noncompliant behavior.
Building Successful Compliance Programs
To ensure compliance programs are effective, it is critical to:
- Develop a culture of accountability from the top levels of the organization.
- Hire a credible compliance officer and ensure he or she has adequate resources and direct access to the board and executive team.
- Require that concerns be reported.
- Build compliance into operations, including active monitoring and internal auditing—and consider using predictive modeling techniques, particularly in high-risk areas.
- Address issues and document all information, including inquiries, complaints and repayments.
- Evaluate all efforts.
The Price of Noncompliance
Noncompliant organizations can pay a high price. In addition to the cost of investigating issues and preparing a defense, organizations have the expense of repayments, as well as potentially massive fines and penalties. They also face bad publicity, a degraded reputation, operational restrictions, corporate probation and increased regulatory scrutiny. In addition, executives may find themselves looking at jail time.
Demonstrating Program Effectiveness
Meticulous documentation of compliance programs is essential. It is critical to document:
- All compliance policies, plans and other documents that describe the entity’s approach to managing its compliance program
- The results of regular self-assessments, which should be performed at least annually
- Descriptions of operational functions that interact with the compliance program
- All compliance committee and board resolutions, agendas and minutes related to compliance oversight
- Compliance training and communications initiatives
- Hotline information, logs and follow-through activities
- Compliance auditing/monitoring reports, trends and corrective action plans
- Summaries of incidents, as well as self-reporting and disclosures
- Evidence that recurring issues are being addressed and compliance standards are being enforced
Reducing the Risk of Violating the Law
There are several actions that organizations can take to mitigate the risks of potential noncompliance. Most critically, be sure to have counsel review any arrangements that raise potential AKS and Stark issues. Counsel also should review valuation reports for adherence to legal principles. Other key actions organizations can take to protect themselves include:
- Using qualified experts to determine fair market value in sensitive cases
- Responding quickly to AKS problems to avoid FCA liability
- Using state OIG self-disclosure protocols or the CMS voluntary refund process, when appropriate
- Engaging outside auditors or reviewers to perform audits or reviews when internal expertise is lacking or not available