BY Phuong D. Nguyen, Esq. and Michael R. Alexander, Esq., Brown & Fortunato, P.C.
In November of last year, the Office of Inspector General for the Department of Health and Human Services (“OIG”) published revised General Compliance Program Guidance (“CPG”). While much of the content of the revised CPG will be familiar, the format has been significantly revised with a few updates along the way. The OIG intends to publish industry segment-specific CPGs later this year, starting with Medicare Advantage and nursing facilities. What follows is a summary of the seven elements of a compliance program described in the General CPG.
Written Policies and Procedures – The CPG continues to recommend that a compliance program have written policies and
Compliance Leadership and Oversight – The OIG recommends that a compliance program have a designated leader as the entity’s Compliance Officer (“CO”). The CO should have the authority, stature, and resources necessary to lead an effective program. The OIG recommends that the CO have direct and independent access to the board of directors. The OIG advises that the CO should not report to the entity’s legal or financial functions. The OIG also recommends that health care entities have a compliance committee that is comprised of operational and department leaders, meets at least quarterly, and is chaired by the CO. The compliance committee should assist the CO in analyzing regulatory requirements, assessing and developing policies and procedures, monitoring internal controls, and assessing and addressing organizational risks. The CPG also emphasizes the board’s role in oversight of the compliance officer, compliance committee, and compliance program. The OIG recommends that the board reserve regularly scheduled meetings with the compliance officer, without other non-board members present, to permit candid, uninhibited discussions of compliance risks, including compliance program resource needs.
Training and Education – An entity’s compliance program should include appropriate, annual education and training targeted to the entity’s needs and risks. The training should include education on the compliance program, federal and state standards applicable to the entity, and board governance and oversight of the entity. The compliance officer should develop an annual training plan that includes topics on risks and issues identified in audits and investigations and changes to applicable federal or state regulations and health care requirements. The training plan should include education targeted to all board members, officers, employees, medical staff, and even contractors.
Effective Lines of Communication with the Compliance Officer and Disclosure Program – The OIG recommends an open line of communication between the compliance officer and personnel. Employees and staff should be informed about the ways they can reach the compliance officer directly through multiple means, such as email, phone, message box, etc. Entities should post those avenues of communication in common physical and virtual spaces, such as break rooms, employee entrances, and employee intranet sites. To support and encourage open communication, entities should also have written policies safeguarding the confidentiality of a reporter’s identity, to the extent possible, and non-retaliation for reporting concerns in good faith. The OIG also recommends that entities have an independent path of communication, such as a hotline, email address, website form, or mailbox for reporting of compliance concerns. All reported concerns should be tracked on a log, investigated, and resolved. The compliance officer should include information about reported concerns in reports to the compliance committee and in reports to the CEO and board.
Enforcing Standards Through Consequences and Incentives – The OIG recommends that entities establish policies and procedures for identifying, investigating, and remediating non-compliant behaviors, including identifying potential disciplinary or corrective actions that may be imposed under specific circumstances. Consequences for noncompliance should be consistently applied and enforced, and there should be similar consequences for similar offenses, regardless of the level of employee. New for the CPG, the OIG also recommends entities develop incentives for compliant behavior, such as recognition for specific compliance goals in a department or performance of certain compliance activities.
Risk Assessment, Auditing, and Monitoring – For the updated CPG, the OIG recommends that health care entities conduct an annual compliance risk assessment to identify, prioritize, and address regulatory and legal risks specific to the entity. The compliance officer and compliance committee should develop compliance work plans to audit and monitor the identified risks. Entities should use data analytics to identify internal trends in the identified risk areas. In addition to scheduled audits, the compliance work plan should include capacity for audits arising from risks identified during the year as well as monitoring of ongoing risks (e.g., monthly screening for excluded persons).
Responding to Detected Offenses and Developing Corrective Action Initiatives – The CPG recommends that compliance programs have processes and resources to investigate compliance concerns, identify root causes, take remedial actions, and self-report to government programs, when appropriate. The CPG expects investigations to typically include interviews and review of documents, data, and processes, and the CPG recommends that all investigations be documented.
In addition to the seven elements, the CPG also contains summaries of key federal health care laws, recommendations for adapting compliance programs for small and large entities, and links to other resources. The CPG is available on the OIG’s website, oig.hhs.gov, under the “Compliance” heading.