On April 20, 2015, the Department of Health and Human Services Office of Inspector General (OIG), in conjunction with associations representing legal, compliance, and auditing professionals, released an “educational resource” document intended as practical guidance for governing boards as they oversee their organizations’ compliance with health care laws. While OIG’s new guidance is not binding law, it makes clear that government enforcement authorities now expect all governing boards – not just boards of companies that have had compliance problems – to take an active role in overseeing their organizations’ compliance efforts. The new guidance, which builds and expands on previous guidance issued by OIG1, also offers the most concrete advice to date on how OIG expects boards to monitor and police compliance.

Which companies should read the OIG guidance?  

The new guidance may be useful to governing boards of all companies that are subject to health care fraud and abuse laws such as the federal anti-kickback statute, Stark Law, and federal False Claims Act. While OIG does not define a “health care organization,” and much of the guidance appears targeted at health care providers (e.g., hospitals and nursing homes), drug and device manufacturers also may find the document helpful in understanding the active steps OIG expects boards to take in promoting compliance.

Here are some of the key points on which the OIG provides new or more detailed guidance for boards:

Board Involvement in Compliance Efforts

  • Education of Board Members on Compliance Issues. OIG states that it expects boards to develop a formal plan to stay abreast of changes in regulatory requirements, which will allow the board to ask “pertinent questions” of management.
  • Board Involvement Tailored to Company. Consistent with compliance program guidance that OIG has issued in the past, OIG advises board members to ensure that the organization’s compliance program matches the size and complexity of the organization. OIG also indicates that the level of board involvement in compliance efforts itself should depend on the size and complexity of the organization, and advises that boards of smaller organizations may need to become more involved in compliance efforts than boards of larger organizations.
  • Consultation with Outside Experts. OIG advises boards to raise their level of substantive expertise by periodically consulting with outside regulatory, compliance, or legal professionals. In the past, OIG has required companies to submit to regular reviews by outside professionals as part of their obligations under a Corporate Integrity Agreement (CIA); this is the first time that OIG has suggested all boards should consider such regular consultations.

Reporting to the Board

  • Regular Executive Sessions with Legal and Compliance Leadership. OIG recommends that boards hold regular “executive sessions” with leadership from legal, compliance, and auditing functions, without the presence of senior management. In OIG’s view, regular sessions make it easier for legal and compliance managers to report compliance issues directly to the board.
  • Compliance Dashboards. For the first time, OIG recommends that boards adopt tools such as compliance “dashboards,” containing “key financial, operational, and compliance indicators,” to give the board adequate information to assess the company’s compliance efforts.

New Risk Areas

  • Checking Regularly for New Risk Areas. OIG recommends that boards ensure they have in place “strong processes for identifying risk areas,” from both internal sources (e.g., internal hotlines and audits) and external sources (e.g., professional organization publications, OIG-issued guidance, consultants, competitors, media). OIG expects boards to be aware when compliance problems in similar organizations are publicized and to follow up with their management to ask if the organization has processes to identify and reduce the risk of similar problems.
  • Recent Industry Trends. OIG identifies a number of specific new risk areas that boards should consider in assessing their organizations’ compliance efforts:
    • Provider consolidation, including new and expanded employment or contractual relationships between institutions and individual health care providers.
    • Transparency initiatives such as the federal Sunshine law, which OIG indicates may provide appropriate benchmarks for the organization’s compliance, and also may increase the number of compliance questions that boards will need to address.
    • Quality-based payment programs, which may increase pressure on organizations to improve quality outcomes.
    • Implementation of the new rule requiring Medicare and Medicaid providers to return identified overpayments within 60 days.

Encouraging Accountability and Compliance

  • Incentive Programs for Compliance. Consistent with its approach in other compliance program guidance and in recent CIAs, OIG recommends that boards adopt incentives for employees based on assessments of the employee’s performance on measures of compliance, whether in the form of bonuses for good performance or penalties for poor performance.
  • Self-Disclosure. OIG promotes the use of its Self-Disclosure Protocol to disclose compliance issues to the government, noting that enforcement actions originating from a self-disclosure tend to be resolved more quickly and with lower penalties, and are less likely to result in a CIA than other cases. OIG advises boards to ask management whether the process for identifying probable violations of law includes voluntary self-disclosure to the government.

* * *

OIG has long advised that an organization's governing board should play a role in the organization’s compliance efforts, and has required boards of companies with compliance issues to be more active in monitoring and policing management. The new OIG guidance, while non-binding and primarily applicable to provider organizations, is a clear signal that OIG expects all governing boards to meet certain minimum standards in proactively assessing their organization’s efforts to comply with health care laws.