Health care governing boards can look to “Practical Guidance for Health Care Governing Boards on Compliance Oversight” for advice in designing a compliance program. Developed by the U.S. Department of Health and Human Services Office of Inspector General (OIG), in conjunction with the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the Health Care Compliance Association (HCCA), this educational resource is designed to assist governing boards of healthcare organizations to fulfill their compliance plan oversight obligations.
The healthcare governing boards compliance guide addresses:
1. The role of, and relationships between, the healthcare organization’s audit, compliance, and legal departments;
2. Mechanism and process for reporting issues within the healthcare organization;
3. An approach to identifying regulatory risk; and
4. Methods of encouraging enterprise-wide accountability for achievement of compliance goals.
The Healthcare Board’s Compliance Responsibilities
The healthcare board’s compliance responsibilities include:
- The healthcare organization’s governing board must act in good faith in its oversight capacity to ensure that there is an adequate corporate information and reporting system, so that the organization can evaluate and respond to potentially illegal activity within the healthcare organization.
- The board should use widely recognized public compliance resources, such as OIG’s voluntary compliance program guidance documents. These provide “baseline assessment tools” for Boards and healthcare management in determining what compliance is necessary. Corporate integrity agreements, if they exist, also establish benchmarks.
- The compliance program should be scaled to the size and complexity of the healthcare organization. Smaller organizations may meet guidelines with the “same degree of commitment to ethical conduct and compliance,” but with “less formality and fewer resources.”
- Boards should develop a formal plan “to stay abreast of the ever-changing regulatory landscape and operating environment.”
The guidance document recommends that healthcare governing boards raise their “level of substantive expertise with respect to regulatory and compliance matters” by “periodically consulting with, an experienced regulatory, compliance, or legal professional.” This “sends a strong message” about the healthcare organization’s commitment to compliance, and also helps Board members fulfill their duties.
Among other things, legal and other regulatory experts can help boards:
- identify compliance risk areas
- provide insight into best governance practices
- consult on substantive or investigative matters.
OIG Compliance Program for Individual and Small Group Physician Practices
The guidance document references this super-helpful OIG rule from 2000, which identifies the following components of an effective healthcare compliance program:
- Conduct internal monitoring and auditing;
- Implement compliance and practice standards;
- Designate a compliance officer;
- Conduct appropriate training and education;
- Respond appropriately to detected offenses, and develop corrective action;
- Develop open lines of communication; and
- Enforce disciplinary standards through well-publicized guidelines.
These are, by the way, also essential components of a HIPAA compliance program.
And again, the approach for physicians and small group practices should be scaled to the operation’s size, complexity, and resources. OIG recognizes that physician practices may have limited financial and staffing resources, and therefore allows them to scale to size.
Compliance is voluntary but highly recommended–i.e., in case of investigation (for example, for a data breach), penalties are likely to be less severe if regulatory authorities find that the healthcare organization in good faith implemented operational controls in a robust compliance program. As well, OIG makes the case that implementing a voluntary compliance program will:
- speed and optimize proper payment of claims
- minimize healthcare billing mistakes and potentially reduce fraudulent claims
- reduce the chance of an audit by federal regulatory authorities
- avoid conflicts prohibited by the Stark / self-referral and anti-kickback laws
The OIG document goes into detail about each step in the compliance program outlined above. This includes, for example, a periodic audit (at least yearly) to ensure the compliance program is being followed. For example, a representative sample of medical records should be reviewed to ensure the coding was accurately performed.
OIG notes that written standards and procedures are a central component of any compliance program. OIG suggests creating a written practice manual (this is an area where legal counsel can help draft and review).
What’s the Point of a Compliance Program?
The guidance document defines the compliance function as promoting the “prevention, detection, and resolution of actions that do not conform to legal, policy, or business standards.”
- guiding employees regarding compliance
- incentivizing employee compliance
- developing plans to sustain or improve regulatory compliance
- developing metrics to measure execution of compliance and implementation of corrective actions
- developing reports and dashboards to help management and the Board implement the effectiveness of the compliance program.
How Does a Healthcare Organization Achieve “Compliance?”
Compliance is a goal, not a guarantee that nothing will ever go wrong. Organizations achieve “compliance” by taking reasonable, significant steps to meet the standards identified in the guidance document.
Overall, there are 5 inter-related functions within the organization, all of which sustain compliance:
- the compliance function (above)
- the legal function
- the internal audit function
- the human resources function
- the quality improvement function
Each function has its own piece of the compliance puzzle. For example, the legal function is to advise on compliance risks, and provide legal support and counsel in case of regulatory investigation.
The Board should receive risk mitigation and compliance reports from all five departments.
Key Areas of Compliance Risk
The guidance document points out where healthcare organizations are most likely to run into compliance trouble:
- Referral relationships and arrangements (hint: Look for Stark, self-referral, anti-kickback, and fee-splitting violations)
- Billing issues (e.g., upcoding, submitting claims for services not rendered or medically unnecessary services)
- Data breaches (privacy gaffes)
- Quality-related events (i.e., malpractice)
Regulatory authorities expect boards to actively monitor industry events and changes, as well as internal processes, to be sure compliance hot spots are adequately addressed.
This includes, for example, having legal counsel review compensation arrangements for Stark, self-referral, anti-kickback, or fee-splitting issues.
Astutely, the guidance document points out that more and more information about healthcare organizations’ practices is becoming public, which means that Boards may be asked “significant compliance-oriented questions by various stakeholders, including patients, employees, government officials, donors, and the media, and whistleblowers.”
Compliance is “A Way of Life”
In a mantra that almost sounds like a soft drink jingle, the guidance document emphasizes that the organization must support a culture of compliance throughout its ranks, spreading the notion that compliance “is a ‘way of life.’”
Put very simply: healthcare organizations must “effectively communicate the message that everyone is ultimately responsible for compliance.”
Let us know if we can help you craft a healthcare compliance program, by contacting our healthcare compliance lawyers. From HIPAA to FDA regulatory counsel, we advise companies on ways to mitigate their regulatory risk.
If you’re a small shop, especially–such as a solo medical practice or a small medical group–then the guidance document has a strong message for you. It is: do not be daunted by the compliance machine; rather, understand that compliance programs are, at the moment, voluntary but highly recommended. As well, your compliance program is not one-size-fits-all, but rather must be scaled and tailored to you.