On April 20, 2015, the Office of Inspector General of the U.S. Department of Health and Human Services, in collaboration the Association of Healthcare Internal Auditors, the American Health Lawyers Association, and the Health Care Compliance Association, released compliance guidance for governing boards of health care organizations. The guidance is intended to assist Boards in their oversight and compliance duties. This guidance provides Boards with procedures and best practices to follow to ensure they are effectively working with their management and staff to achieve compliance at their organizations. The guidance details several issues for Boards to consider to maximize their compliance efforts.
1. Information and Reporting Systems
The guidance notes that Boards have unconditional duties to ensure that corporate information and reporting systems are present to provide appropriate and sufficient information regarding compliance with applicable laws to allow both management and Boards to make informed decisions concerning their organizations’ compliance with legal and ethical requirements.
2. Use of Widely Recognized Public Compliance Resources
The guidelines state that the Federal Sentencing Guidelines, HHSOIG’s voluntary compliance program guidance documents, and HHS OIG Corporate Integrity Agreements (CIAs) can form the
groundwork of an effective compliance program and be used as a baseline for Boards and management to assess a corporation’s compliance program. The guidance notes that though these public compliance resources should be helpful starting points for developing an oversight framework, organizations should customize their compliance plans to reflect the size, complexity, and resources of their organization. The guidance states that there is no “one size fits all” compliance program. Notably, smaller organizations are expected to implement a compliance program that is adequate for their needs, although Board members of smaller organizations may have to be more involved in the organization’s compliance program than the Board of a larger organization.
3. Board Education
Boards should develop a system to stay informed of current and proposed regulatory requirements and related guidance. The guidance suggests that Boards can do this in a variety of ways, including: requiring updates from current staff or management, adding a board member who is an experienced regulatory, compliance or legal professional or consulting with such a professional, and taking advantage of outside educational programs.
4.Define and Coordinate Audit, Compliance and Legal Functions within an Entity
The guidance recommends that Boards clearly define roles and relationships in the organization to ensure they are adequately compiling compliance information from all relevant sources. HHSOIG offers the following example of five functions for maintaining compliance oversight.
- The compliance function works to prevent, discover, and resolve actions that may create illegal or inappropriate activity.
- The legal function advises management and the Board regarding the legal and regulatory implications of the organization’s activities.
- The internal audit function helps an organization evaluate its existing monitoring framework for prevention/identification of compliance risk.
- The human resources function hires and trains employees for the organization and provides training and development opportunities for current employees.
- The quality improvement function focuses on ensuring the organization is providing high quality patient – care.
The guidance strongly recommends that an organization’s Compliance Officer should not be the organization’s counsel, or subordinate to the legal department. The compliance officer and in-house counsel should be independent from each other but work collaboratively. The guidance also states that internal auditors should be independent to the extent possible. Boards should also be vigilant and regularly evaluate the sufficiency, independence and performance of individuals carrying out compliance functions, including ensuring that all individuals have access to appropriate information to fulfill their responsibilities.
Boards should evaluate how management addresses risk, including its role in : 1) identifying compliance risks; 2) investigating compliance risks and avoiding duplication of effort; 3) identifying and implementing appropriate corrective actions and decision- making; and 4) communicating between individuals in various compliance functions.
5. Reporting Compliance Issues to the Board
Boards should seek regular reports on compliance efforts from key staff, including employees responsible for audits, compliance, human resources, information technology, and legal and quality issues. Boards may want to consider conducting sessions with leadership from key compliance functions and excluding senior management. Finally, Boards should also consider using a formal education calendar, which would consist of consistent and recurring updates from key staff in order to document the Board’s monitoring activities.
6. Identifying and Auditing Potential Risk Areas
The guidance recommends that Boards ensure that management and the Board have strong procedures for identifying risk areas, which should include both internal (e.g., hotline or internal audits) and external sources (e.g., professional organization publications, consultants, or news media reports about compliance issues at other healthcare organizations). In designing risk assessment plans, Boards should also look to recent industry trends that create new incentives and compliance risks, such as the increased emphasis on value-based purchasing and bundled payments.
7. Encouraging Accountability and Compliance
Boards should seek to encourage compliance on individual, department-wide, and facility-wide levels through systems of bonuses or penalties. The guidance suggests that Boards should evaluate whether systems and processes encourage communication and that employees believe that the organization addresses compliance concerns, questions or complaints in a meaningful way.
Please feel free to call or email Jim Pyles (202-872-6731 or Jim.Pyles@ppsv.com), BarbaraStraub Williams (202-872-6733 or Barbara.Williams@ppsv.com) or Steven Postal (202-349-4243 or Steven.Postal@ppsv.com) if you have any questions about the HHS OIG guidance for Boards of Directors.