On April 20, 2015, the Inspector General of the Department of Health and Human Services (OIG), the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA) released a new publication entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight.”

The Guidance reiterates the commonly understood view that Governing Boards should play an active role in monitoring compliance. Although the authors acknowledge that compliance program design is not a “one size fits all” issue, it is possible that the Guidance will be used by the government and others to set a new standard for evaluating the Board’s duty of care with respect to oversight of an organization’s compliance functions.

The Guidance includes several specific recommendations. Among other suggestions, the OIG indicates that the Board should make inquiries to ensure that the organization

  • Has a compliance program that is adequate in scope in light of the size and complexity of the organization
  • Has a reporting system capable of providing timely and appropriate information relating to compliance with applicable laws
  • Has a plan to stay abreast of changes in the regulatory landscape

The Guidance also states that organizations should define the interrelationship of the audit, compliance and legal functions so that the structure, reporting relationships, functional boundaries and interaction of these functions can be incorporated when defining departmental roles and responsibilities. While no specific requirements are articulated, the Guidance contains useful descriptions of these functions and indicates that Boards should take responsibility for evaluating their adequacy, independence and performance on a periodic basis.

Reporting to the Board

The Board is expected to set and enforce reporting requirements for compliance-related information from various members of the management team. The Guidance stresses the importance of appropriate access to information and envisions the Board receiving reports on, inter alia, pending investigations, issues raised in internal or external audits, hotline call activities, and allegations of fraud or senior management misconduct. The Guidance suggests that the Board may be well served by requesting the development of objective scorecards that measure the effectiveness of specific components of the compliance program.

Identifying Risks

The Guidance indicates that Boards should ensure that management has strong processes for identifying risk areas for the organization from a range of sources, including internal audits and government guidance. The organization’s strengths, weaknesses and recent industry trends should all be considered when designing an audit program or risk assessment plan.


The OIG’s new publication suggests that the Board of a health care organization should engage in an ongoing effort to increase its knowledge of regulatory risks and to monitor the role and functioning of the compliance program in light of those risks. While acknowledging that not every measure or process suggestion in the document should be universally implemented, the Guidance envisions a strong level of Board engagement and provides useful guidance as to specific actions or activities that may assist Boards in discharging their compliance oversight responsibilities. Some in the industry are concerned that the Guidance does not adequately address scalability and may have the effect of setting a new and higher standard of care, possibly attainable by larger organizations with more resources to apply to compliance, but without enough regard to smaller and less complex organizations that do not have the resources to address all of the suggestions.