Practical guidance for compliance plan oversight programs

June 2015

By Mary M. Bearden and Allison Shelton, Brown & Fortunato, P.C.

On April 20, 2015, the “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the “Guidance”) was published to provide an educational resource for the governing boards of health care organizations with respect to their compliance plan oversight programs. The Guidance is a result of a first-time collaborative effort by the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA), the Health Care Compliance Association (HCCA), and the Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services. The cross-disciplinary publication adds to prior guidance materials published by the OIG. This joint effort reflects the importance of the complementary roles of boards, internal auditors, lawyers, and compliance officers in successful compliance oversight programs.

The goal of the Guidance is to provide practical tips and ideas for boards to consider when designing compliance oversight programs. It aims to assist boards in assessing the capacity and effectiveness of compliance oversight programs in the “ever-changing regulatory landscape and operating environment” of health care today. The Guidance does not propose a “one size fits all” standard but instead provides ideas as to how organizations of different sizes and complexities may develop oversight programs that will fit an organization’s specific needs.

The Guidance emphasizes the duty of a governing board to act “in good faith in the exercise of its oversight responsibility for its organization.” To assist boards in fulfilling this duty, the Guidance discusses and provides suggestions relating to four aspects of compliance programs: (1) roles and relationships of the organization’s audit, compliance, and legal departments; (2) mechanisms for reporting to the board; (3) approaches to identifying and auditing potential risk areas; and (4) methods of encouraging accountability and compliance throughout the organization.

In regard to roles and relationships, the Guidance makes it clear that while the different functions should report to the board in an independent capacity, compliance is an organization-wide function meant to further the interests of the organization. The Guidance states that organizations “should define the interrelationship of the audit, compliance, and legal functions in charters or other organizational documents.” The documents should clearly detail the roles and responsibilities of each department and its function as well as set the expectation of cooperation and collaboration among them. The Guidance also advises that the board “should understand how management approaches conflicts or disagreements with respect to the resolution of compliance issues and how [management] decides on the appropriate course of action.” According to the Guidance, different functions within an organization should adopt a common language with respect to governance concepts so that reporting to the board and management creates a common understanding of the issues.

Second, the Guidance turns to the mechanisms for reporting to the board. A corporate reporting system is “a key compliance program element” in keeping a board informed and enabling it to effectively evaluate and respond to illegal or inappropriate activity. Overall, the Guidance proposes developing a reporting system that allows the board to receive regular, separate, and independent reports regarding risk mitigation and compliance efforts. The reports should come from a variety of members of management and other “key players.” The Guidance recommends that the board engage with leaders within the organization so that the board may identify those who can provide the relevant information about operations and operational risks.

A board should establish clear expectations for how management will report to it and hold management accountable for reporting in accordance with those expectations. According to the Guidance, tools, such as dashboards, should be implemented to ensure timely reporting of the appropriate information for each organization. The Guidance expresses the importance of developing a system that places information reported to boards in a “format sufficient to satisfy the interests or concerns of their members and to fit their capacity to review that information.” Further, the Guidance encourages boards to conduct regular “executive sessions” that create a continuous open dialog, rather than convening only once problems have already occurred.

Third, the Guidance discusses the approach to identifying and auditing potential risk areas. The Guidance points out that there are specific regulatory risk areas that are common to all health care providers. It mentions “referral relationships and arrangements, billing problems, privacy breaches, and quality-related events” as particular areas of interest. Further, the Guidance explains that risk areas may be identified from internal sources, such as employees, or external sources, such as professional publications or news media. Moreover, when there is a failure or problem publicized in a similar organization, board members should determine whether their organization is at risk regarding the same issue. The Guidance specifically recommends that boards adopt programs for regular monitoring and auditing, especially to detect criminal conduct.

To identify risk areas, the Guidance recommends that boards stay in touch with recent industry trends, including the “increasing emphasis on quality, industry consolidation, and changes in insurance coverage and reimbursement.” Likewise, the Guidance recommends that boards put a plan in place to stay abreast of regulatory changes. The plan may involve regular updates from informed staff, review of updated regulatory resources, and participation in outside educational programs on a regularly scheduled basis. In addition, the Guidance suggests “adding to the board, or periodically consulting with, an experienced regulatory, compliance, or legal professional” in order to raise the board’s level of substantive expertise with respect to regulatory and compliance matters.

Finally, the Guidance addresses encouraging accountability and compliance throughout the entire organization. The Guidance emphasizes that “compliance is an enterprise-wide responsibility.” The entire organization is responsible for executing the compliance program. The Guidance encourages boards to develop the culture that compliance is “a way of life” within their organizations. The Guidance recommends utilizing incentive programs to encourage self-identification of compliance failures within an organization and disclosure of such failures to the government. Quick disclosure of identified issues is particularly important to an organization in certain instances. For example, failure to report and refund a Medicare or Medicaid overpayment within 60 days may result in a violation of the False Claims Act. Additionally, the Guidance asserts that self-disclosure can often lead to more advantageous resolutions with governmental agencies such as the OIG.

The Guidance is a valuable resource to assist boards of health care organizations, regardless of size or complexity, to effectively execute their compliance plan oversight programs. Boards of health care industry organizations may utilize the Guidance to assess the adequacy of their organization’s current compliance program and to generate ideas for improvement.