Yesterday the HHS OIG, in collaboration with the Association of Healthcare Internal Auditors, the American Health Lawyers Association (AHLA), and the Health Care Compliance Association, released a guidance document entitled Practical Guidance for Health Care Governing Boards on Compliance Oversight (the Guidance). This publication follows two previous guidance documents published by the HHS OIG and AHLA in 2003 and 2007. Below we have summarized the top 5 takeaways from the latest guidance document.
#1: Be Proactive (Avoid the Head-in-the-Sand Approach to Compliance)
Among other things, a Board should:
- ensure that the organization has a corporate information and reporting system that will lead to the Board receiving appropriate and timely compliance-related reports;
- make a “meaningful effort” to review the scope and adequacy of existing compliance systems and functions while taking into account the size and complexity of the organization (the HHS OIG acknowledged that a smaller organization’s compliance function might require less formality and fewer resources but noted that the Board might need to be more involved in compliance efforts than in a larger organization);
- establish a formal plan to stay informed about regulatory developments and the organization’s operating environment, and
- consider consulting with a regulatory, compliance, or legal professional, or adding such a professional to the Board to increase substantive regulatory/compliance expertise.
The bottom line is that the HHS OIG expects the Board to take an active role in oversight of the organization's compliance program. Waiting for the organization's management to provide information is simply not enough. If the organization is ever the subject of enforcement action, the government will consider whether the Board properly carried out this duty. Given the increasing attention paid to pursuit of culpable individuals, Board members should take this advice seriously.
#2: Define Functional Roles and Relationships (Separation and Independence Matter)
Boards should be aware of the “adequacy, independence, and performance” of the various organizational functions related to compliance (e.g., compliance, legal, internal audit, human resources, quality improvement) and evaluate these factors on an ongoing basis. It comes as no surprise that the HHS OIG reiterated its long-standing position that the compliance officer should not be the organization’s legal counsel, and should not be subordinate in function or position to the legal department. If an organization chooses to combine these or other functions, it should consider the potential risks and provide individuals filling multiple roles the ability to execute each one independently when necessary. For example, separate lines of reporting may need to be established.
#3: Set and Enforce Expectations for Reporting (Tailored, Useful Reports Are Important)
Various levels of management should provide regular compliance-related reports to the Board on issues such as risk mitigation. In turn, the Board should enforce its rules in this regard. To ensure that the information is actionable and useful, the Board should require reports to be tailored accordingly. Typically a Board will require the compliance officer to submit a written report to the committee overseeing compliance at the time of the Board's regularly scheduled meeting, and may also have the compliance officer meet with the committee at that time. Boards should consider whether this type of schedule is adequate and also define the circumstances when the compliance officer should submit non-routine reports.
Boards may also want to consider conducting regular “executive sessions” with leadership from the compliance, legal, internal audit, and quality functions. These sessions would exclude senior management with the goal of encouraging an open dialogue and avoiding suspicion among senior management about the purpose of such sessions.
#4: Implement a Strong Process for Identifying and Addressing Potential Risk Areas (New Law and Regulations = New Problems)
Regulatory risk is inevitable in the health care industry, and the risk areas differ by industry sector. Boards thus should draw upon internal and external sources to establish an effective process for identifying risk areas, which should including auditing, monitoring, and implementation of corrective action plans. The Board should do more than just listen to the organization's plans for detecting non-compliance and assessing risk areas; it should provide input based on knowledge gained through their own efforts to understand current regulatory and enforcement developments and how they might affect the organization.
Recent industry trends are an important factor to consider when developing risk assessment plans. The HHS OIG specifically mentioned that new forms of reimbursement (e.g., value-based purchasing, bundled payments) may “lead to new incentives and compliance risks.” New payment models are driving consolidation among health care providers and an increase in contractual relationships that can implicate fraud and abuse laws. Boards should have a clear understanding with management regarding the process for implementing such relationships and the level of risk that is acceptable. The HHS OIG also highlighted the emerging trend of increased transparency. Boards should consider the beneficial use of newly available information through sources such as Sunshine Act reports and Medicare Part B data, as well as the potential for the need to respond to increased compliance-related questions posed by various stakeholders, such as patients, employees, the media, whistleblowers, etc.
To stay abreast of regulatory, enforcement, and industry developments, Board members should, among other things, follow news of enforcement actions, especially cases involving the organization's industry sector. The HHS OIG, the Department of Justice, and similar state agencies publish press releases detailing their big wins. Much can be learned from the misfortune of others....
#5: Encourage Accountability and Compliance (Prioritize Self-Disclosure)
The HHS OIG emphasized the incentives in place to encourage self-disclosure and the reasons why a Board may wish to inquire about the organization's efforts to comply with the so-called 60 Day Rule and its process for addressing the identification of potential compliance violations. It is interesting that the HHS OIG would focus on the importance of complying with the 60 Day Rule (especially the process for identifying an overpayment) given that it has not yet finalized the 2012 proposed regulations that attempted to define key terms. The HHS OIG also touted the benefits of its voluntary self-disclosure process.
The HHS OIG undoubtedly intended the Guidance to be a wake-up call for Boards that are just going through the motions when it comes to their oversight of compliance systems and functions. Every Board should closely read the Guidance and consider what changes, if any, are necessary to ensure the Board is meeting the HHS OIG's expectations.