On April 20, 2015, the Office of Inspector General (OIG) of the US Department of Health & Human Services, in collaboration with several health care associations, including the Association of Healthcare Internal Auditors, the American Health Lawyers Association and the Health Care Compliance Association, released new guidance to assist governing boards of health care organizations (Boards) in the discharge of their oversight obligations regarding compliance. The longstanding enforcement policy of the OIG requires that members of a Board act in good faith in connection with the Board’s oversight of the organization’s compliance program. The new guidance builds upon prior materials issued over the past decade by providing realistic steps a Board can implement to enhance its compliance oversight.
The new guidance highlights two critical lines of inquiry: (1) does the organization have an information and reporting system in place with respect to compliance, and (2) is the system “adequate to assure the Board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course?” Many Board members are unfamiliar with the various and potentially severe administrative, civil and criminal enforcement tools available to the government.
While recognizing there is no “one size fits all” approach, the guidance includes some practical tips to assist a Board with its efforts to oversee the compliance program:
- Determining the scope and adequacy of the compliance program: The guidance suggests that the Board should benchmark its organization against publicly available resources so that it can understand the scope and effectiveness of the organization’s compliance program. Key resources available to assist a Board in this process include the Federal Sentencing Guidelines, OIG’s voluntary compliance program guidance publications and OIG Corporate Integrity Agreements. The guidance also suggests that, in addition to developing a formal plan to guide its efforts and pursuing education and training specific to the health care industry, a Board should consider adding a member who is experienced in health care regulatory and compliance matters, or at least retaining an expert in such matters on a consulting basis.
- Defining departmental roles: Health care entities should have defined roles for their audit, compliance, and legal functions. The guidance recommends that, as part of its oversight efforts, the Board should be aware of, and evaluate, the relationship among these areas. Areas for specific consideration include functional boundaries, expectations of cooperation and collaboration, independence and allocation of resources. The guidance also continues the OIG’s firm stance on the role of the Compliance Officer, stating that the role should not be subordinate to General Counsel and the Compliance Officer should separately report to the Board.
- Reporting to the Board: First and foremost, a Board should “set and enforce” an expectation that it will receive regular and independent reports from a variety of key organizational leaders, including audit, compliance, legal, human resources, quality and information technology. The subject matter of such reports should include information relating to investigations and audits, hotline call activity, allegations of fraud or senior management misconduct, management exceptions to the organization’s code of conduct or expense reimbursement policy and significant regulatory changes or enforcement events. OIG also continues its focus on the use of dashboards as a means to provide comprehensive and objective data regarding vital compliance metrics.
- Identifying and auditing risk areas: Management must be attuned to risks facing the organization. A Board should ensure that there are strong processes for identifying and assessing these risks using both internal and external sources. The guidance also identifies publicly accessible data (e.g., health outcomes and quality measures, Medicare payment data and data reported under the Sunshine Act), which may serve as useful risk benchmarking resources.
- Encouraging enterprise-wide accountability: The Board has a role in encouraging accountability for compliance across the organization. The guidance identifies several areas of inquiry that the Board may explore with management, ranging from individual-level processes, such as employee performance evaluations, bonus or incentive programs and disciplinary processes (including recoupment policies), to organizational decision-making processes, such as recognition of, and adherence to, repayment obligations.
The guidance recognizes that an organization’s implementation of these recommendations will vary based on the organization’s size, complexity and resources. Indeed, the guidance, like its predecessors, merely scratches the surface with respect to interpreting and applying corporate governance best practices to health care organizations. The guidance does, however, provide practical tips to assist a Board in exercising its fiduciary oversight role, and such practices should be expected to become an area of increasing focus by health care regulators in connection with future enforcement actions. Accordingly, Board members and executive management would be well advised to review their organization’s compliance programs in light of this new guidance.