It is more important than ever to have an effective internal corporate compliance program tailored to your organization’s compliance risks. Funding for federal government efforts to fight health care fraud is likely to go up, not down. In February and March, federal agencies issued important new guidance on their enforcement priorities and proposed metrics for evaluating the effectiveness of your compliance program. These new resources are excellent tools for conducting a compliance program audit and evaluating your compliance readiness to address a report or government investigation of potential misconduct.

Strong Incentives Continue for Federal Investment in Anti-Fraud Efforts

Despite a proposed $15 billion cut in funding to the U. S. Department of Health and Human Services (HHS), President Trump’s March 16 budget proposal targets an increase of $70 million for combined federal agency efforts to fight health care fraud and abuse.

This support no doubt reflects the very successful track record of federal investments in combatting health care fraud and abuse. The Health Care Fraud and Abuse Control (HCFAC) program, a national program under the joint control of the Department of Justice (DOJ) and HHS, reported that the agencies recovered $5 for every $1 spent between 2014 and 2016 – a 5:1 return on investment. In its 89-page annual report for fiscal year 2016, HCFAC detailed criminal, civil and administrative enforcement activities involving virtually every sector of the health care industry, resulting in over $3.35 billion in payments and transfers to federal agencies and whistleblowers in 2016.

The government also recognizes that a strong enforcement program protects federal health care programs and their beneficiaries by deterring fraud and abuse and encouraging voluntary compliance.

An Effective Compliance Program is Your First and Best Defense

Compliance programs, once optional, became mandatory for health care providers participating in Medicare and Medicaid under the Patient Protection and Affordable Care Act of 2010 (ACA). If your organization fails to adopt and implement an effective compliance program, you are at much greater risk of a compliance failure, and the government is likely to exact harsher penalties if your organization is subject to an enforcement action.

New Compliance Program Resources

The Office of Inspector General of HHS (OIG) has provided extensive guidance on the essential elements of an effective compliance program for more than two decades, beginning in the 1990s. On March 27, the OIG and the Health Care Compliance Association (HCCA) jointly published an important new resource – the Resource Guide to Measuring Compliance Program Effectiveness, based on a roundtable meeting of compliance professionals and staff from the OIG. The report lists detailed and comprehensive compliance program metrics, with the expectation that each health care organization will choose the metrics that best suit its needs and focus on a limited number of key metrics each year. The Resource Guide is an excellent tool for evaluating your compliance program now and on an ongoing basis, and it provides benchmarks for compliance program best practices.

The effectiveness of a compliance program is tested most critically in the breach – when internal parties or a whistleblower, federal agency or prosecutor alleges a potential violation of law. An organization with a strong internal compliance program will be in the best position to resolve compliance matters quickly and limit negative consequences to the organization.

On February 8, the Fraud Section of the DOJ’s Criminal Division published another important compliance resource – Evaluation of Corporate Compliance Programs. The DOJ’s statement describes specific factors that prosecutors should consider when conducting an investigation of a company, determining whether to bring charges, and negotiating plea or other agreements.

Whether at some point in the future your organization faces a government investigation – criminal, civil or administrative – or voluntarily elects to conduct an internal investigation, the DOJ’s questions will help you evaluate your organization’s compliance readiness and understand the government’s expectations. Consider conducting a “mock survey” to test how your organization measures up against these factors, using either a recent (and successfully concluded) internal investigation or an investigation of hypothetical misconduct in a key risk area as your test case.

The DOJ’s evaluation tool covers eleven topics:

  • Analysis and Remediation of Underlying Misconduct
    • Root cause analysis – why did the misconduct happen; were there other opportunities to identify the misconduct, and why were they missed? What changes have been made?
  • Senior and Middle Management
    • How have senior leaders demonstrated leadership; how have senior leaders and other stakeholders demonstrated their commitment to compliance; does the board exercise effective oversight?
  • Compliance Autonomy and Resources
    • Does compliance have necessary resources, stature, autonomy and integration within the organization? Did compliance raise concerns related to the misconduct?
  • Policies and Procedures
    • What is the organization’s process for designing, implementing and communicating policies and procedures; do policies address the prohibited conduct and have they been effectively implemented? Is there supervisory oversight and accountability?
    • What controls were missing or inadequate to detect and prevent the misconduct? Have controls been improved?
  • Risk Assessment
    • How does the organization assess risks? What information or metrics are collected and have they informed the compliance program? Did the process identify the misconduct as a risk area?
  • Training and Communications
    • Is training risk-based – directed at employees in relevant control functions and high risk areas? Is it effective and has the organization measured the effectiveness of its training? What compliance guidance is made available to employees?
    • What has senior management communicated to employees about the organization’s position on the misconduct?
  • Confidential Reporting and Investigation
    • Does the organization have effective reporting mechanisms to collect, analyze and use information? Does compliance have full access to the information?
    • Are investigations properly scoped, independent, objective, appropriately conducted and properly documented? What is the process for responding to investigative findings?
  • Incentives and Disciplinary Measures
    • Was disciplinary action taken in response to the misconduct? Were managers and supervisors held accountable? Who participated in the decisions? How has the organization incentivized compliance and ethical behavior? Have actions been fair and consistent across the organization?
  • Continuous Improvement, Periodic Testing and Review
    • How effective are the organization’s audit processes? Are findings and remediation progress regularly reported to management and the board?
    • Has the organization undertaken control testing relating to the misconduct and generally? How are results reported and action items tracked?
    • How often does the organization update its risk assessments and review compliance policies procedures and practices?
  • Third Party Management
    • If there is third party management, are there appropriate controls in place? Does the arrangement incentivize (or de-incentivize) compliance?
  • Mergers and Acquisitions
    • If the misconduct arose in connection with an acquired company, was the risk or misconduct identified during due diligence? Was the due diligence process adequate? Have issues identified during due diligence been addressed?
    • Has the acquired entity been integrated into the organization’s compliance program?