The Office of Inspector General (“OIG”) of the U.S. Department of Health and Human Services (“DHHS”) released new compliance guidance for health care governing boards, attorneys, compliance officers and internal auditors on April 20, 2015. The guidance was developed in collaboration with the Association of Healthcare Internal Auditors, the American Health Lawyers Association, the Health Care Compliance Association, and OIG.
Previous compliance guidance from OIG emphasized the need for health care governing boards to be fully engaged in their oversight responsibility, ask questions of management regarding the adequacy and effectiveness of the organization’s compliance program, and make compliance a responsibility for all levels of management. The new guidance reiterates these principles, and provides practical suggestions for governing boards regarding oversight and review of compliance program functions. Among other things, the compliance guidance addresses the following areas:
- Information and Reporting Systems. Governing boards must make inquiries to ensure a corporate information and reporting system exists within the health care organization. The reporting system must adequately assure the governing board that appropriate information regarding compliance with applicable laws will come to its attention in a timely manner and as a matter of course.
- Compliance Program Size and Structure. Governing boards are encouraged to use publicly available compliance resources, such as the federal sentencing guidelines, OIG compliance documents, and corporate integrity agreements to determine the functions the organization can implement to meet its compliance obligations. However, OIG notes that compliance programs are not “one size fits all.” Each health care entity’s compliance program must be tailored to the specific needs, size, and complexity of the organization. The compliance program also needs to contain a formal plan for updating governing board members on the changing regulatory landscape. This can be accomplished through regularly scheduled educational programs or through periodic consultations with experienced regulatory, compliance, or legal professionals.
- Audit, Compliance and Legal Functions. Health care organizations should clearly define the roles, structure, and reporting relationships of the audit, compliance, and legal functions within the organization. Additionally, the interactions between the compliance teams and the quality, risk management, and human resources teams should be clearly defined and communicated to all employees. Governing boards should also evaluate how management works to address risk within the organization, and resolves conflicts and disagreements regarding resolution of compliance issues.
- Board Reports. Governing boards should also receive regular reports regarding the organization’s risk mitigation and compliance efforts from a variety of key individuals, including those responsible for audit, compliance, human resources, legal, quality, and information technology. Information regarding compliance and risk should be presented to the board in a manner sufficient to satisfy the interest or concerns of board members.
- Auditing Process. The governing board and management need to work together to ensure the adequacy of the organization’s auditing process. The governing board and management should establish a process for identifying potential risk areas, based on information from external and internal sources. When identifying risk areas, OIG encourages organizations to take into account industry trends, such as the increasing emphasis on quality, industry consolidation, and changes in insurance coverage and reimbursement. The governing board should also ensure that management is consistently reviewing and auditing risk areas, and is developing, implementing, and monitoring corrective action plans.
- Compliance Culture. OIG encourages governing boards to exercise creativity in implementing programs to ensure that compliance is a “way of life” for the health care organization. Widespread implementation of compliance programs, and communication of the organization’s expectations can lead to a culture of compliance within the organization. The governing board should evaluate whether the organization’s systems and processes encourage effective communication across the organization, and whether employees within the organization are comfortable raising compliance concerns without fear of retaliation or retribution.
Health care governing board members are subject to unique expectations regarding their level of engagement and involvement in the compliance obligations of their organizations. This most recent guidance suggests that OIG expects governing boards to understand the organization’s compliance obligations, work closely with management to monitor and enhance the organization’s compliance program, and to encourage compliance accountability across the organization.