Executive Summary

The Patient Protection and Affordable Care Act (PPACA) mandates compliance programs as a condition for enrollment in federal reimbursement programs, and providers and organizations have a duty to ensure that care is provided in conformance with applicable laws and regulations. Designed to address activities that are vulnerable to fraud or other violations, an effective compliance and ethics program is instrumental in meeting this goal. High-risk areas common to all healthcare providers and organizations include referral relationships and arrangements, reimbursement and billing, health information privacy and security, clinical documentation, ensuring medical necessity, and maintaining quality of care.

The framework for an effective compliance and ethics program established by the federal sentencing guidelines, while essential, is just the beginning of a truly compliant organizational culture. Many strategies are known to be effective in promoting compliance with applicable laws and regulations. However, they will not work without comprehensive organizational commitment to a culture of compliance. To avoid the danger posed by a "paper" compliance program, healthcare leaders must make ongoing efforts to ensure that compliance strategies are embedded in all aspects of operations and that organizational culture reflects a top-down commitment to ethical behavior at all times.

Although the risk manager is uniquely positioned to contribute to the success of the compliance program in collaboration with the compliance officer, an effective program requires an even wider foundation. Because compliance has the capacity to impact and be impacted by every area of healthcare operations, it requires the involvement of executive leadership as well.

This guidance article is intended to assist the entire leadership team, including but not limited to the governing body, executives, the compliance officer, legal counsel, the ethics committee, and senior management, in the development and maintenance of an effective compliance and ethics program. Tailored to an individual organization's risk areas and resources and combined with a strong corporate culture, such a program can be instrumental in the achievement of the complementary goals of promoting high-quality care and adhering to all applicable laws and regulations.

Action Recommendations

  • Create and foster an environment in which all stakeholders feel both empowered and obligated to "do the right thing."
  • Set the tone for the organization with visible commitment from the governing body and executive leadership.
  • Complete an organizational risk assessment as the foundation of an effective program.
  • Embed compliance into operations, and reduce duplication of efforts with an enterprise risk management approach.
  • Design a program around the seven essential elements delineated by the federal sentencing guidelines and U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) guidance.
  • Incorporate updates and tools from enforcement authorities and other resources into training and compliance initiatives.
  • Implement strategies to ensure ongoing effectiveness of the compliance and ethics program.

Who Should Read This

Administration, Business office/finance, Chief medical officer, Corporate compliance, Ethics committee, Human resources, Legal counsel, Quality improvement, Staff education

The Issue in Focus

In addition to the inherent challenges of patient care and trends such as reduced reimbursement and increasing costs, providers and organizations are subject to ever-increasing and often-complex rules governing the coverage and reimbursement of healthcare services. Since federal- and state-sponsored healthcare programs pay for approximately one-third of the nation's total healthcare spending, and as the protections afforded the government by fraud and abuse laws grow increasingly robust, the risks of noncompliance are quite serious. These risks have grown dramatically for healthcare providers and organizations in recent years, to the extent that corporate compliance has become one of the most significant risk areas that healthcare enterprises face. (OIG and AHLA; Staman; Troyer and Coons)

Substantial adverse consequences, including fines, penalties, civil or criminal liability, exclusion from federal program participation, and reputational damage, await those who commit healthcare fraud. In response, the industry continues to embrace efforts such as compliance and ethics programs to improve adherence to federal and state healthcare program requirements. (OIG and AHLA)

Such programs help mitigate the risks associated with operating in a heavily regulated environment, whether by preventing illegal behavior entirely or by detecting it quickly and stopping it effectively. (OIG and AHLA; Snyder) Considering recent trends in whistleblowing and an increasingly robust enforcement climate, the opportunity to identify noncompliance and intervene quickly is quite valuable.

Enforcement

The federal False Claims Act (FCA) has long been the government's primary weapon against healthcare fraud; amendments and strengthened enforcement activity in the last five years have made it even more powerful. Penalties for violation of the FCA include up to $11,000 plus treble damages for each violation in addition to potential criminal liability and exclusion from participation in federal programs. (31 USC § 3729)

The vast majority of FCA settlements in recent years have involved healthcare. Of these, most were initiated by private citizens alleging fraud and filing suit on behalf of the government (i.e., "whistleblowers"); the majority of these individuals were current or former employees. (Rhoad and Fornataro)

Since enforcement authorities are rarely positioned to stop noncompliance before it starts, they must rely on deterrents such as large fines and the potential for program exclusion. Considering this, in addition to the fact that the risk of detection and punishment has never been higher from a technological and regulatory standpoint, compliance is particularly important. (Snyder)

Impact of the PPACA

Both the compliance landscape and the fraud and abuse enforcement climate have been impacted by sweeping changes resulting from the PPACA (Pub. L. No. 111-148). There is an urgency to address federal deficits and government spending on healthcare costs; one intent of the PPACA is to contain healthcare costs and provide increased coverage by protecting federal healthcare programs from fraud, waste, and abuse (Jessep; Vallas). The PPACA, in section 6401(a), therefore mandates that all healthcare providers establish and maintain effective compliance programs as a condition of enrollment in Medicare, Medicaid, and the federal- and state-funded Children's Health Insurance Program (CHIP). (Patient Protection and Affordable Care Act)

In remarks following the passage of the PPACA, OIG Inspector General Daniel R. Levinson spoke to compliance professionals regarding their preparedness for the transparency, quality, and accountability demands of the new law. Transparency requires organizations to have proper systems and technologies to meet new demands for the complete and accurate collection, organization, tracking, retention, and reporting of data. Compliance professionals must be mindful that quality of care is not only a clinical concern but also increasingly integral to payment, and they must ensure that charting, collection, and reporting of quality data and clinical documentation are accurate, complete, and sufficient to justify payment. Organizations have increased accountability for identifying and addressing a variety of fraud and abuse risk areas that may be implicated by new payment and delivery systems (e.g., accountable care organizations, value-based purchasing, bundling of services, global payments). (OIG "Some")

PPACA also created compliance obligations for drug and device manufacturers that have the potential to impact providers and facilities. For example, section 6002, the Physician Payments Sunshine Act, required the establishment of a transparency program, known as Open Payments, with the intent of increasing public awareness of financial relationships between manufacturers and certain healthcare providers. It requires applicable manufacturers of covered medical products to report payments or other transfers of value they make to physicians and teaching hospitals to the Centers for Medicare and Medicaid Services (CMS). This data is then made available to the public on the Open Payments website. Items for which reporting of payment to physicians and teaching hospitals is required include but are not limited to consulting fees, education, food and beverages, and research. Although they are not required to report (this responsibility falls to manufacturers), CMS encourages physicians and teaching hospitals to keep records of all transfers of value received from industry, examine information submitted by manufacturers on their behalf, and work with manufacturers to resolve any discrepancies. (CMS)

Scope of Enterprise Risk

The "enterprise-wide compliance risk universe" is as broad in scope as the range of all healthcare operations. For example, compliance for contract management encompasses not only vendor agreements and physician arrangements but also joint ventures and maintenance of such documents; compliance for quality improvement intersects with patient safety, medical errors, quality indicator monitoring and reporting, and review by accrediting bodies. (Hagan and Satija)

Compliance officers, billers, coders, medical staff leadership, quality officers, and risk managers must work together to achieve regulatory compliance. Although certain staff (e.g., audit, compliance, and legal staff) serve key roles as advisors, evaluators, identifiers, and monitors of risk and compliance, the entire organization shares responsibility for execution of the compliance program (Moses Chaitt et al.; OIG et al.).

Additionally, both institutional and departmental compliance programs are needed, especially for high-risk areas (Hagan and Satija). For example, while an entire hospital workforce needs general compliance training, billing and coding staff need targeted and detailed instruction to manage the high-risk work tasks within their scope of responsibility. Similarly, clinical staff working in high-risk compliance areas highlighted in recent enforcement actions (e.g., interventional cardiology, skilled nursing facilities, hospice) should receive additional training that reflects lessons learned from recent events. For example, in 2014, multiple hospitals entered into settlements with the government to resolve allegations of false billing for unnecessary heart procedures (e.g., pacemakers, catheterizations) over a period of years; review of medical necessity criteria for such procedures could be instrumental in avoiding similar allegations (U.S. DOJ "King's"; U.S. DOJ "Saint").

The Quality Connection

Far from solely supporting adherence to reimbursement regulation, compliance in the era of healthcare reform also encompasses quality and risk as critical components of a combined process (Jones). The inextricable connection of compliance to quality is at the core of the purpose of all healthcare organizations; compliance officers cannot be effective without integration into quality improvement activities. Consider, for example, that all OIG guidance on the development of an effective compliance program includes reference to quality measures; likewise, every OIG work plan (i.e., annual initiatives to improve federal healthcare program integrity and efficiency) since 2002 has addressed quality issues. (Gosfield)

Many financial relationships under healthcare reform (e.g., pay-for-performance, outcomes management arrangements) address quality-of-care issues, and Medicare Conditions of Participation extend beyond payment requirements to include quality concerns. Today's compliance investigations and enforcement actions are increasingly focused on the quality of care provided to beneficiaries of government-funded healthcare programs (Jones; Moses Chaitt et al.; OIG and AHLA). 

Role of the Governing Body

Healthcare boards of directors are critical partners, given their capacity to exercise oversight responsibilities in promotion of high-quality care and compliance with applicable laws and regulations. Although directors may not be providers or attorneys, they can make valuable contributions by leveraging business compliance experience. (OIG and AHLA)

Among other contributions, a board focused on compliance risk can help set the tone for appropriate risk management by formulating strategy, setting high-level objectives, and ensuring approval of appropriate resources. In order to do so, and thereby align compliance efforts and investments with other strategic priorities, the board must have a sufficient level of insight into the organization's compliance obligations, risks, and control mechanisms. (Hagan and Satija)

The board must also embody its support of the compliance program. It is not enough to simply go through the motions; leaders must demonstrate in words and action that compliance is important and mandatory. (Snyder)

The Value of Compliance

Commitment to compliance is a fundamental loss prevention strategy. By promoting organizational culture and operational strategies that reflect the imperative to provide services and bill according to program requirements, organizations protect against a variety of potential losses. Ensuring that appropriate revenues are received and not in danger of being recouped by the government is just the beginning; protection against the significant costs of investigations and enforcement actions (e.g., attorney's fees, fines, penalties, reputational damage) is even more significant.

Compliance functions in an advisory role, promoting processes to achieve operational adherence with regulations and standards. However, it also plays an important role in developing strategies regarding organizational viability in light of the long-term implications of healthcare reform. To truly maximize the value of regulatory compliance, rather than simply keeping pace with the dramatic changes in the current healthcare landscape, operational compliance capabilities must strive to outpace the evolution of the industry. (Pawlak and Moran)

Depending on the size, scope, and requirements of an individual organization, an effective compliance and ethics program can be relatively modest in scale or require significant investment of resources. The government has acknowledged that, although smaller organizations must demonstrate the same commitment to compliance as larger organizations, this may be accomplished with less formality and fewer resources (USSC). The case has been made that small organizations can make a significant compliance impact for a dollar a day, while close to one-third of healthcare respondents to a 2014 survey conducted by a large accounting firm estimated that their annual budget for compliance exceeded $1 million (Murphy; Zaino).

In either case, an effective compliance and ethics program is more than an important loss prevention strategy; it also has the potential to make a positive impact on revenue (Zaino). Some of the value that a front-end investment in compliance can yield includes avoiding the costs of government investigations, the resulting imposition of a compliance program, and reputational harm while promoting organizational pride, community trust, and employee morale. An effective compliance and ethics program is also a mitigating factor in any government assessment of penalties. (Mauriello and Stearns)

Costs of Noncompliance

Healthcare leaders cannot afford to neglect the imperative for an effective program. In collaboration with the compliance officer, the risk manager can provide valuable input to the organization's compliance process and help manage the compliance problems that inevitably intersect with traditional risk management issues. (Troyer and Coons)

The negative consequences of noncompliance are significant from financial, legal, and reputational perspectives. Settlements with providers and organizations involving large fines and penalties, exclusion from participation in federal healthcare programs, and even incarceration are announced by government authorities on a near-daily basis. For a detailed discussion of recent enforcement actions against providers and institutions alleged to have committed fraud against government programs, see the guidance article Fraud and Abuse Laws.

Despite all that is known about the risks of noncompliance in today's robust enforcement climate, in some organizations, there remains ongoing tension between the ideals of an effective compliance program and a win-at-all-costs culture. There is an important distinction between an "effective" compliance and ethics program and what is sometimes referred to as a "paper" program. (Snyder)

An effective compliance and ethics program, the cultivation of which is discussed throughout this guidance article, is characterized by accountability and transparency without fear or threat of retaliation in response to raising a concern. In contrast, so-called "paper" compliance programs may have the basic outward appearance of an effective program on paper but are a relatively hollow framework in practice. While a "paper" program may have an identified leader, appropriate policies and procedures, and annual training for all employees, the corresponding ethical imperative is not reflected in day-to-day operations.

For example, in a "paper" program, while employees are likely told to act ethically, they may lack leadership examples or struggle to complete job tasks in a compliant fashion. Whether due to factors such as compensation structures that cause conflicts of interest or unrealistic productivity expectations coupled with management pressure, such inconsistencies send a decidedly mixed message.

Regulations and Standards

An effective compliance and ethics program is instrumental for adherence to the numerous state and federal laws impacting the business of healthcare for providers and organizations alike. See the guidance article Fraud and Abuse Laws for additional information on the False Claims Act, Anti-Kickback Statute, Stark Law, Civil Monetary Penalties Law, and more.

PPACA

Two sections of the PPACA mandate the establishment of "effective compliance and ethics programs." Section 6102 addresses skilled nursing facilities and nursing facilities and requires the following specified elements of an effective compliance and ethics program (Patient Protection and Affordable Care Act):

  • Establishment of standards and procedures that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations, to be followed by employees and other agents
  • Assignment of overall compliance responsibility, resources, and authority to specific individuals within high-level personnel
  • Use of due care to prevent the delegation of substantial discretionary authority to individuals the organization knew, or should have known, had a propensity to engage in criminal, civil, or administrative violations
  • Communication of standards and procedures to all employees and other agents (e.g., training)
  • Use of reasonable steps to achieve compliance, including monitoring, auditing, and maintaining a reporting system that can be accessed without fear of retribution
  • Consistent enforcement of standards for discipline, including for failure of responsible parties to detect an offense
  • Appropriate response to any offenses and prevention of similar offenses with modification to the program as indicated
  • Reassessment of the compliance program periodically

Section 6401(a) applies to all "provider[s] of medical or other items or services or supplier[s] within a particular industry sector or category," who must, as a condition of enrollment in federal healthcare programs (e.g., Medicare, Medicaid, and Children's Health Insurance Programs), establish a compliance and ethics program. Section 6401(a) does not specify "core elements" of a compliance program.

The PPACA states that both sections 6102 and 6401(a) will be followed by information on final compliance plan requirements and a timeline for implementation from the HHS secretary. Although to date, such information has not been published in a final rule, the secretary has stated that HHS intends to establish compliance program core elements for section 6401(a) that closely match the required compliance program components of section 6102 "at some point in the future." (OIG "Medicare")

Delayed release of regulations and guidelines does not relieve providers and organizations from their responsibility to implement and follow a compliance and ethics program; there is already much publicly available information to assist in this endeavor (Berry).

Federal Sentencing Guidelines

The federal sentencing guidelines, developed by the U.S. Sentencing Commission, are significant in the compliance context because, in addition to governing the sentencing of individuals and entities found guilty of fraud, they provide incentives, structure, and guidance for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct. The guidelines provide factors for consideration in determining organizational culpability for the purpose of assessing fines for criminal wrongdoing. Aggravating factors include the following (USSC):

  • Upper-level employees who participate in, condone, or are willfully ignorant of the offense
  • Repeat offenses
  • Interference with the government's investigation
  • Pervasive awareness and tolerance of the violation

Mitigating factors include the following (USSC):

  • Presence of an effective compliance program
  • Prompt reporting of the violation
  • Cooperation with the government's investigation
  • Acceptance of responsibility for the violation

Chapter eight of the guidelines states that to have an effective compliance and ethics program, an organization shall do the following (USSC):

  • Exercise due diligence to prevent and detect criminal conduct
  • Promote an organizational culture that encourages ethical conduct
  • Use reasonable efforts not to include as high-level personnel individuals who the organization knows or should know have engaged in illegal or unethical activities
  • Conduct regular compliance training for governing bodies, high-level personnel, employees, and agents
  • Take reasonable steps to monitor, audit, and periodically evaluate the effectiveness of the compliance program as well as maintain a system for confidential reporting
  • Employ appropriate incentives for compliance and disciplinary measures for engaging in criminal conduct
  • Respond appropriately to any criminal conduct

Office of Inspector General

Through OIG, HHS provides additional compliance guidance for providers and organizations in various segments of the healthcare industry, such as hospitals, nursing homes, third-party billers, and durable medical equipment suppliers, to encourage development and use of internal controls to monitor adherence to statutes, regulations, and program requirements. Although each document contains nuances for specific sectors, in general, OIG guidance provides principles for developing a compliance program that are similar to chapter eight of the federal sentencing guidelines. (Troklus and Warner)

OIG guidance repeatedly states that there is no "one size fits all" approach to compliance; rather, an effective program depends on an organization's size, structure, and resources (OIG "Medicare"). See Resource List for links to OIG resources, including compliance program guidance.

Accreditation Standards

Compliance with applicable laws and regulations is also important from an accreditation standpoint. For example, the Joint Commission explicitly requires that hospitals comply with laws and regulations, and their rationale reinforces the connections among leadership, culture, and compliance: "[Leaders'] decisions and work affect, either directly or indirectly, every aspect of operations. They are the driving force behind the culture of the hospital. Leaders establish the ethical framework in which the hospital operates, create policies and procedures, and secure resources and services that support patient safety and quality care, treatment, and services." (Joint Commission)

Action Plan

Cultivate a Culture of Compliance

Action Recommendation: Create and foster an environment in which all stakeholders feel both empowered and obligated to "do the right thing."

More than simply meeting legal and regulatory mandates (i.e., following the law), compliance requires a fundamental dedication to doing everything needed to achieve ongoing organizational self-improvement (i.e., acting ethically). Compliance program efforts should be designed to establish a culture that educates staff about what is right and what is wrong conduct and to promote the prevention, detection, and resolution of illegal and unethical conduct. With time and effort, such an approach will become the fabric of the organization's routine operations. (Jessep; Troyer and Coons)

As with the overall compliance initiative, organizational culture simply will not evolve and maintain a consistent default to acting ethically as a matter of course without the full support and engagement of senior leadership and the governing body. Employees invariably detect management's lead; this can move the compliance imperative, and therefore the entire organization, in either a very positive or very negative way:

Even though they are at the top, senior management must help lay the foundation upon which a company builds its culture of compliance. It does not matter how comprehensive a company's compliance program is if the senior management does not make it a foundation of the company's corporate culture. (Snyder)

Regardless of the impetus, changing a corporate culture can take years and requires multidisciplinary collaboration. Compliance officers cannot be solely charged with the organizational transformation required to instill a culture of compliance and will need to work with the chief executive officer (CEO), human resources, legal counsel, and communications teams to supervise the change initiative and supply compliance-specific guidance as needed. This team will need to address issues such as performance management and compensation, training, leadership development, and communications. (Deloitte)

A culture of compliance is one in which all stakeholders feel comfortable raising a concern without fear of retribution, as well as one in which compliance staff are visible and responsive to those concerns. The tone and attitude surrounding the compliance initiative is also important. Although the prevention and detection of unethical conduct and illegal behavior is a high priority, leadership must also guard against presuming the worst; a prevailing attitude of intentional wrongdoing will have a negative impact on executives, managers, and staff alike. (Jessep)

Making Compliance Meaningful

Just as even the most well-planned compliance program cannot be effective without top-down support from senior management, neither can it be successful without commitment from every employee. Employees whose management exemplifies a commitment to compliance are far more likely to take compliance seriously, and leaders have the ability to make compliance meaningful to individual employees through strategies and techniques designed to guide and motivate performance. (Snyder)

Objective assessment of performance at individual, departmental, and/or facility levels is increasingly used to reinforce the culture of compliance. For example, both quality-of-care and compliance objectives should be incorporated into job descriptions, performance appraisals, and review conversations. Performance on such objectives should factor into compensation decisions, including those for incentive-based pay; likewise, failure to meet compliance objectives should be met with interventions or disciplinary measures appropriate to the situation (e.g., withholding or providing bonuses based on quality and compliance outcomes). (OIG "Toolkit"; OIG and AHLA; OIG et al.)

OIG advocates measuring and incentivizing performance against a system of defined compliance goals and objectives to demonstrate shared responsibility for compliance. According to OIG, organizations that make incentives contingent on compliance performance and institute both employee and executive recoupment provisions for failure to meet compliance goals mirror government trends (e.g., pay for performance, nonpayment for certain hospital-acquired conditions). OIG has also begun to require certifications of compliance from managers other than the compliance officer. (OIG et al.)

Exemplify Top-Down Compliance

Action Recommendation: Set the tone for the organization with visible commitment from the governing body and executive leadership.

An effective compliance and ethics plan starts at the top, and without visible commitment from the governing body and executive leadership, it can never fully achieve its intended purpose. As stated in compliance program guidance, OIG "strongly encourages the participation and involvement" of the following individuals in the development of all aspects of the compliance program (OIG "Supplemental"):

  • Members of the governing body
  • Corporate officers, including the chief executive officer
  • Members of senior management
  • Representatives of medical and clinical staffs
  • Other personnel from various levels of the organization, including representatives from the ethics committee

Board of directors involvement. Oversight of compliance programs is part of a director's fundamental duty of care. As stated in the landmark Caremark litigation, "a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards" (In re Caremark Int'l Inc. Derivative Litig.). Although this opinion established a board's duty to oversee a compliance program, it did not specify a particular method for doing so. Application of duty of care and reasonable inquiry should be tailored to specific facts of individual situations, bearing in mind that compliance with fraud and abuse laws and regulations is nonnegotiable for lawful behavior and corporate success of healthcare organizations. Furthermore, third parties (e.g., regulators, courts) continue to evaluate board exercise of compliance plan oversight. (OIG and AHLA)

Directors are responsible for oversight, while managers are responsible for operations. However, if a director is presented with any information that causes (or should cause) concern about illegal or unethical activity, an obligation is created to make further inquiry until the concern is resolved. (OIG and AHLA)

Senior leadership. By maintaining a visible commitment to compliance, high-level individuals within the organization send a clear message regarding the importance and achievability of adhering to applicable laws, regulations, and program guidelines. Senior leadership can demonstrate support of the compliance program in the following ways (Snyder):

  • Comprehensive knowledge of compliance initiatives
  • Allocation of necessary resources
  • Assignment of appropriate personnel to manage the program
  • Verification of successful implementation
  • Attention to ongoing maintenance

Accountability for the performance of the compliance program is another powerful way to demonstrate the commitment of high-level personnel. For example, one large for-profit healthcare corporation maintains a human resources policy to promote corporate management's adherence to quality and compliance standards. Established annually by the compliance officer and senior vice president for human resources, these standards are used to evaluate clinical quality and compliance program effectiveness. They are additionally incorporated into the performance review for each member of corporate management, which in turn links quality and compliance to both base and incentive compensation. (Tenet Health)

Empowering the Compliance Function

Ensuring that the compliance officer and team are appropriately positioned within the organization (e.g., authority, independence, budget) is an important strategy not only for demonstrating high-level commitment but for ensuring the success of their mission. As stated by the federal sentencing guidelines, compliance officers must be given "adequate resources, appropriate authority, and direct access to the governing authority or appropriate subgroup" in order to carry out such responsibility (USSC). The CEO and governing body should empower compliance officers with the authority required to drive change, financial resources, political support, and enforcement as needed. (Deloitte)

Authority. Sufficient authority to lead the compliance function is evident operationally through measures such as appropriate placement in the organizational structure and functionally through the ability to access all relevant information necessary for compliance processes. Philosophically, it is demonstrated by the support provided and accountability demanded of the compliance officer by the governing body. (Deloitte; Troklus and Warner)

Independence. Given potential legal implications and the reach of compliance into virtually every area, the compliance officer must be sufficiently separated from operations to accomplish his or her fundamental mission free of influence, pressure, or bias.

Such independence requires that organizations proactively separate the compliance role from legal counsel and senior management and carefully define the interrelationship of audit, compliance, and legal functions. Although cooperation and collaboration among these functions is necessary to further organizational interests, the process should occur within predetermined functional boundaries. (OIG "Toolkit"; OIG et al.)

As recommended by OIG, the compliance officer should neither serve as counsel to providers nor be subordinate in function or position to the legal department. Additional indicators of true compliance officer independence include uninhibited access to the relevant board committees and freedom from organizational bias through an appropriate administrative reporting relationship. (OIG et al.)

Budget. Appropriate funding for the compliance function includes not only resources for infrastructure, such as a hotline and training, but also for appropriate staffing levels to be able to realistically accomplish essential activities, such as investigations and audits. Funding requirements will naturally vary depending on the size of the organization, and surveys indicate a positive correlation between compliance budgets and organizational size. Committing the necessary resources for compliance not only increases the likelihood of a successful program, it also serves as a tacit reminder of executive support and can even be protective in the case of an investigation. For example, the value of a compliance program (i.e., effective versus "paper") in a government investigation, and therefore its potential to serve as a mitigating factor against fines and penalties, is largely dependent on the government's assessment of organizational commitment to good corporate citizenship. (Troklus and Warner)

Incorporating Lessons Learned

Organizations found in violation of healthcare laws and regulations typically share the following problems with the position and status of the compliance function: (1) a compliance officer who has responsibility but lacks the authority, credibility, and/or status to perform the role effectively; (2) poor or absent communication with the board of directors; (3) a board of directors that does not prioritize compliance; and (4) inconsistent compliance committee meetings and follow-up (Mauriello and Stearns). Governing bodies and executive leaders should be aware of the lessons learned by other organizations and ensure that they are not vulnerable for the same reasons.

Authorities have begun to address such organizational disconnects of the governing body and compliance function as part of enforcement actions. For example, OIG required boards to provide heightened scrutiny of their institutions' compliance systems and placed responsibility for the effectiveness of internal controls upon them in a number of recent corporate integrity agreements accompanying fraud settlements. (OIG and AHLA)

Comprehensive Risk Assessment

Action Recommendation: Complete an organizational risk assessment as the foundation of an effective program.

The universe of regulatory compliance risks for healthcare organizations reaches well beyond traditional corporate compliance to include activities such as clinical care, quality, billing, and health information management; a risk-based approach to compliance prioritizes efforts and justifies resources while demonstrating value. Once identified, risks can be prioritized according to the following (Hagan and Satija):

  • Anticipated impact (estimated magnitude of loss)
  • Vulnerability (extent of exposure after existing controls have been taken into account)
  • Speed to onset (rate at which the risk and its consequences could materialize)

Organizations must consider both internal and external risks. Internal, or organizational, sources for risk assessment include interviews, surveys, historical issues or recent events, employee reports, and prior audit findings. External, or industry, sources include OIG guidance, work plans, and data mining activity; Medicare recovery audit activity; media reports; enforcement activities; and government program requirements. (Hagan and Satija) High-risk clinical areas are typically also high-priority areas for compliance operations. These areas include departments with high net revenues (e.g., oncology, radiology) that also have complicated billing and coding requirements. (Budryk) Teaching hospitals have additional areas of risk (e.g., supervision of students and residents, billing for clinical trials).

Risk assessment results can also be used to achieve operational efficiencies such as identifying and aligning existing resources to demonstrate how risks are managed and monitored, highlighting gaps in resources, and developing a strategy to address high-priority risks. Highlighting the relationship between enterprise risk assessment and planned compliance efforts demonstrates the value of compliance initiatives and helps stakeholders understand how priorities were identified. (Hagan and Satija)

Enterprise Risk Management

Action Recommendation: Embed compliance into operations, and reduce duplication of efforts with an enterprise risk management approach.

Compliance and risk management have a fundamental shared interest in improving risk management effectiveness (Deloitte). By working in partnership with the risk manager and expanding the traditional scope of compliance risks to a broader view, compliance officers can utilize existing systems and resources to minimize the potential of noncompliance across the organization. In the context of compliance, an enterprise risk management approach encompasses risk areas including but not limited to administration, finance, human resources, staff education, clinical services, quality improvement, coding, credentialing, billing, and internal audit.

An enterprise risk management approach not only draws from organizational resources in furtherance of compliance objectives but also has the capacity to strengthen operational areas through adherence to best practices. The most progressive healthcare organizations actively use the imperative for compliance excellence as a tool to promote operational excellence through standardized and consistently driven workflow management. Management of regulatory "triggers" is one such example. Regulatory triggers are items such as changes to the Code of Federal Regulations and Medicare process changes that prompt both compliance and operations to respond accordingly. They do not impact the same areas every time yet often affect many areas at once (e.g., compliance, internal audit, regulatory affairs, legal, claims, billing, quality), so collaboration among business areas is valuable. (Pawlak and Moran)

Embedding Compliance in Clinical Operations

Regardless of how it is articulated and which strategies are used to achieve it, all healthcare providers share a fundamental mission of providing quality care to patients; quality improvement and compliance should operate in a complementary fashion to promote consistent, safe, and high-quality practices. This can be demonstrated, for example, by staffing sufficiently to ensure quality care and by requiring accurate clinical documentation that clearly establishes the medical necessity of care rendered.

Quality is of utmost importance from a compliance standpoint for several reasons. First, quality deficiencies can form the basis for compliance liabilities such as false claims due to worthless services. Next, quality failures are often indicative of additional operational problems and thus may represent "the tip of the iceberg." Finally, federal program reimbursement is tied to quality metrics. (Gosfield; OIG "Toolkit")

Given the critical importance of clinical quality to compliance success, organizations must proactively ensure the reliability of quality processes and the accuracy of supporting data. Organizations must share required quality data regardless of whether it reflects favorably on the organization and investigate any significant inconsistencies; failure to do so not only weakens the quality initiative, it can lead to compliance liability. (OIG "Toolkit")

Embedding Compliance in Business

Viewed as a cultural ethic, the enterprise risk management approach will promote and benefit steps to embed compliance imperatives into business operations. Ideally, compliance will run through all business processes, with all employees sharing responsibility. (Deloitte) The goal of sustaining compliance in operations is supported by strong regulatory workflow management and implementation effectiveness enabled by people and technology (Pawlak and Moran).

By embedding compliance thinking and activities into business processes (e.g., claims, contract management, procurement), healthcare leaders teach employees to think and act with compliance in mind rather than fall victim to a cycle of "react and respond," whether triggered by internal oversight or external regulators. In so doing, leaders will create a natural first line of defense within operations. Embedding compliance processes into daily operations has been recommended for both large healthcare organizations and small physician practices alike (Pawlak and Moran; Shuman).

Strategies to Increase Value

The coordination of traditional compliance risk management with an enterprise risk management framework provides an opportunity for compliance leadership to articulate and validate a relationship between compliance and enterprise value (Deloitte).

Technology. Optimizing technology resources (e.g., software capabilities) across various business functions is a critical strategy to maximize the effectiveness of an enterprise risk management approach to compliance. Implementing automated controls that are designed to reduce duplication of effort can both increase reliability and lower costs; for example, initiatives for the documentation of medical necessity can be integrated with audit, appeals, and clinical quality initiatives. (Deloitte)

Technology is also critical to reduce the risk of burnout and inevitable human error in the repetitive and detailed activities required to verify compliance. However, only after the human and operational (e.g., strong governance, robust processes) aspects of compliance have been optimized can technology be used to enable regulatory excellence. (Pawlak and Moran)

Reduced duplication of effort. A fundamental benefit of enterprise risk management, seeking opportunities to reduce duplication of effort with other operational areas can help compliance officers stretch limited budgets and resources. For example, the compliance officer can leverage internal audits to support compliance oversight by testing and auditing compliance-related internal controls and business processes. Compliance personnel can streamline and maximize the process by advising the internal audit team on what tests would be most useful to the compliance function and by remaining involved for tests better left to specialists. (Deloitte)

Cost reduction. In response to both compliance departments and operational areas spending tremendous amounts of time with limited budgets attempting to comply with an influx of regulatory requirements, organizations are implementing strategies to increase the quality of regulatory work performed while decreasing time and money spent. For example, an analysis of which compliance processes are most time-intensive, followed by an analysis of where in those processes breakdowns may occur, will enable increased understanding of any need for rework and remediation. (Pawlak and Moran)

Seven Essential Elements

Action Recommendation: Design a program around the seven essential elements delineated by the federal sentencing guidelines and HHS OIG guidance.

OIG has published detailed compliance program guidance tailored to specific sectors of the healthcare industry; see Resource List for links. The following discussion broadly addresses the common critical elements of an effective program as described in OIG guidance and the federal sentencing guidelines; however, there is simply no substitute for developing a working knowledge of the full guidance applicable to individual settings. (OIG "Supplemental"; USSC)

While establishing each element is necessary for the development of an effective program, none is static; rather, ongoing attention and allocation of appropriate resources for each is a major part of maintaining established programs. Each section below is followed by selected points for program appraisal.

Written Policies, Procedures, and Standards of Conduct

Code of conduct. A code of conduct, championed by the ethics committee and applicable to all leaders, employees, and contractors, provides a foundation of ethical principles to guide all individual and organizational decision-making. It should articulate management's commitment to compliance and summarize the broad ethical and legal principles under which the organization must operate. In contrast to detailed policies and procedures, the code of conduct should be brief, easily readable, and cover general principles applicable to all members of the organization. (OIG "Supplemental")

Questions to assess the effectiveness of the code of conduct include the following (OIG and AHLA):

  • Is the code of conduct known, accepted, and understood throughout the organization?
  • Does leadership publicize the importance of the code to all employees?

Policies and procedures. Written to address identified risk areas, compliance policies and procedures are intended to help employees perform job functions in compliance with applicable laws and regulations, as well as to further the organization's clinical mission (OIG "Supplemental"). Among the policies and procedures that OIG expects an organization to maintain as part of its commitment to compliance are operational policies (e.g., claims, coding), business development policies (e.g., relationships with physicians), and employment policies (e.g., conflict of interest, protection of whistleblowers, nonemployment of excluded individuals) (Troyer and Coons). The conflict-of-interest policy is critical to identify and manage financial interests with the potential to affect clinical judgment (OIG "Toolkit").

Factors to consider regarding the effectiveness of policies and procedures include the following (OIG "Operating"; OIG and AHLA):

  • Whether policies correlate with identified risks and the importance of corresponding controls
  • Whether policies are appropriately tailored to the audience and job function
  • Whether policies are reviewed at least annually, updated as indicated, and presented to employees accordingly

Designated Compliance Officer and Compliance Committee

Given the responsibility of the compliance department in ensuring that the organization meets all applicable requirements for participation in the federal healthcare programs, it must be led by a well-qualified compliance officer who is a member of senior management and supported by a compliance committee comprised of trained representatives from operational areas and senior management. The compliance officer must have direct access to the governing body, the CEO, all senior management, and legal counsel. However, the relationship between the compliance officer and legal counsel should be sufficiently independent that each party can fulfill their complementary duty to the organization. (OIG "Supplemental")

Considerations regarding the compliance infrastructure include the following (OIG and AHLA):

  • Is the authority (e.g., status in hierarchy, reporting relationship) granted the compliance officer sufficient to lead the program?
  • Does the compliance department have adequate staff and budget to perform assessments and respond to misconduct?

Effective Training and Education

It is axiomatic that employees may not fully comply with laws and regulations if they are not trained to do so. Every individual who functions on behalf of the organization, including the governing body, leadership, staff, and contractors, must not only participate in general compliance training, including detailed instructions on applicable laws and regulations and high-risk areas, but also demonstrate an understanding of the compliance program's structure and how to report a concern. Publicizing this training will convey to employees the importance the board places on compliance (OIG "Toolkit").

Employees should be instructed in how to perform their jobs in compliance with applicable regulations; real-life scenarios will be helpful in such training. Employees must also understand both their obligation to report noncompliance and their employer's obligation not to retaliate against individuals who make reports in good faith. Efficacy should be verified with testing, and all training materials should be maintained in some form (e.g., proof of attendance, tests, handouts). (Shuman)

Indicators of training efficacy include the following (OIG "Operating"; OIG "Supplemental"):

  • Whether completion of training is a job requirement
  • Whether training content is evaluated and updated on a regular basis
  • Whether training is tailored to address identified high-risk areas (e.g., trends in hotline reports)

Effective Lines of Communication and Reporting

A compliance program cannot be effective without open, effective lines of communication and reporting to identify and respond to potential problems. In addition to a reliable mechanism for anonymous reporting of compliance concerns, this element should include a strong stance of nonretaliation against individuals who make reports in good faith. Leadership should speak with employees to gain the frontline perspective on organizational values and culture. (OIG "Toolkit")

Compliance staff should track resolution of issues on an ongoing basis and complete a periodic review of hotline calls or complaint logs; this information should be reported to the governing body on a quarterly basis (Mauriello and Stearns).

Questions for evaluation of an organization's culture of communication include the following (OIG "Operating"; OIG "Supplemental"):

  • Does leadership foster open communication without fear of retaliation?
  • How is the reporting mechanism (e.g., hotline) publicized and managed? How are reports documented, addressed, and resolved with callers?
  • Does the compliance officer have a direct line of communication with the governing body?
  • Does the governing body engage in the pursuit of remedies to institutional or recurring problems?

Internal Auditing and Monitoring

Effective auditing and monitoring techniques should emulate government techniques (e.g., data mining) to prevent the submission of incorrect claims to federal healthcare programs. This is important not only to protect revenue but also to avoid negative consequences (e.g., false claims allegations with attendant fines and penalties) in today's robust enforcement environment. Audits and continuous monitoring are also important for early identification of operational weaknesses. The compliance officer should prioritize areas for audit and reevaluate them regularly based upon the organizational risk assessment. (OIG "Operating")

In assessing the effectiveness of an internal auditing and monitoring strategy, organizations should do the following (OIG "Supplemental"):

  • Ensure that audits address billing, claims, and clinical documentation
  • Evaluate error rates and facilitate reduction
  • Empower the compliance officer to conduct additional audits and monitoring as needed

Prompt Response and Corrective Action

Since risk exists not only based upon the conduct under scrutiny but also in the organization's response, appropriate action in the face of a suspected compliance violation is critical. Consistent response to detected deficiencies demonstrates commitment, facilitates development of effective corrective action plans, and prevents further noncompliance. (OIG and AHLA; OIG "Supplemental")

Internal investigations of suspected wrongdoing should address issues such as the origin, timing, and extent of the problem. Any identified problem must be corrected immediately, and organizations will need to evaluate how return of overpayments and/or self-disclosure protocols may apply. (Troklus and Warner)

Questions to consider in evaluating an organization's response capabilities include the following (OIG and AHLA; OIG "Supplemental"):

  • Is there a response team composed of representatives from compliance, audit, and other business areas that can evaluate detected offenses quickly?
  • Are there policies addressing protection of employees and preservation of documents?
  • Are there procedures to reevaluate the results of corrective action plans to ensure ongoing compliance?

Enforcement of Standards through Well-Publicized Disciplinary Guidelines

Consistent and transparent enforcement of disciplinary standards is instrumental in cultivating a culture of compliance. This may include the dismissal of individuals who have violated the organizational code of conduct; retention of culpable employees in positions where they can repeat their conduct poses serious questions about an organization's commitment to effective compliance. (OIG "Supplemental"; Snyder)

Questions to consider in assessing the efficacy of internal disciplinary efforts include the following (OIG "Supplemental"):

  • Are disciplinary standards well publicized, readily available, and consistently enforced?
  • Is enforcement of disciplinary standards thoroughly documented?

Use Resources for Compliance

Action Recommendation: Incorporate updates and tools from enforcement authorities and other resources into training and compliance initiatives.

There are many publicly available resources that healthcare organizations should use to ensure that all leaders and employees have access to the latest recommendations from the government, enforcement authorities, and appropriate professional organizations.

Some resources, such as OIG compliance guidance for specific healthcare settings (e.g., hospitals, nursing facilities, home care), should be used to create and verify the appropriateness of compliance and ethics programs. Other resources, such as self-disclosure information and regulations for Anti-Kickback Statute safe harbors and Stark Law exceptions, should be used to write and implement organizational policies and procedures for applicable business areas.

Additional resources include OIG work plans and advisory opinions, corporate integrity agreements, special fraud alerts, bulletins, and other guidance. Typically generated in response to industry or enforcement developments, these resources can strengthen compliance programs in a variety of ways. They can be referenced to assist in compliance program design as well as to validate an existing approach and can be monitored to assess enforcement trends and applicability to an organization's risk areas; they can also be used as an ongoing method of staff education on compliance issues.

Because corporate integrity agreements impose structural and reporting requirements upon entities resolving fraud allegations and include specific obligations designed to address known compliance failures, they are especially useful for evaluating the application of fraud and abuse laws. Publication of corporate integrity agreements allows interested parties to see the tailored operational strategies that the government requires in specific settlements (e.g., increased audit frequency, increased governing body accountability, specialized training for staff in high-risk areas). Publicity regarding compliance allegations and settlements should prompt the governing body and leadership to verify controls and processes to identify and reduce the risk of similar failures. (OIG and AHLA)

See Resource List for a link to OIG's comprehensive compliance website, which contains links to all of the resources described in this section.

See the self-assessment questionnaire Corporate Compliance for a tool that can be used to evaluate compliance program structure and function.

Maintain Gains

Action Recommendation: Implement strategies to ensure ongoing effectiveness of the compliance and ethics program.

A compliance and ethics program is not static and is never "finished"; ongoing effort is required to ensure continued efficacy.

Monitoring

Along with training, education, and continuous quality improvement, proactive monitoring has been identified as effective in the development of early warning systems to detect noncompliance. Experts agree that rather than simply receiving standard, periodic reports on all areas, organizations must also identify high-risk areas and develop processes and techniques to ensure accuracy and completeness of reports. Only then can they be relied upon to identify problems and decrease variations in practice. (Gosfield; Snyder; Zaino)

Governing Body Oversight

Healthcare boards of directors also play an important role in measuring and maintaining compliance effectiveness. Governing bodies must use objective criteria to measure progress in quality, outcomes, and patient satisfaction; ensuring that the organization can validate the accuracy of such data is of critical importance. OIG recommends that directors actively question program effectiveness and collaborate with frontline managers on strategies for improvement. (OIG "Toolkit")

Periodic Program Evaluation

OIG recommends that healthcare organizations review implementation and execution of compliance and ethics programs on a regular basis, at least annually. In addition to evaluating outcomes measures (e.g., error rates, overpayments, hotline calls), the underlying structure and process of each of the seven essential elements should be assessed individually; overall program function should be assessed as well. Any identified shortcomings should then be addressed, with changes made as indicated. (OIG "Supplemental")

Regular Education, Training, and Disclosures

Ongoing training of all staff not only demonstrates organizational commitment to compliance but also facilitates the maintenance of compliance gains in very practical ways. In addition to keeping staff up to date on regulatory developments and enforcement actions, periodic training and education helps keep compliance prioritized amid competing clinical and professional responsibilities.

Staff can participate in simple and inexpensive educational activities year-round, such as e-mail updates and compliance quizzes. Such communications may contain information on how to streamline and better leverage resources, when and how to self-report errors, and updates on best practices. (Jessep)

Corporate Compliance and Ethics Week, promoted by the Health Care Compliance Association, is observed the first week in November. This annual event can promote the compliance and ethics program in a variety of ways, such as the following (HCCA):

  • By increasing awareness of the code of conduct, conflict-of-interest disclosures, reporting mechanisms, and laws and regulations
  • By recognizing compliance successes
  • By reinforcing the organizational culture of compliance

Live training gives employees the opportunity to meet the compliance staff, and the presence of executives at such events demonstrates top-down commitment to compliance. Other strategies include posters, banners, and competitive "compliance challenges." (HCCA)

Corporate Compliance and Ethics Week, or another time period designated by the organization, should also be used to complete annual compliance refresher training for all staff. This training should be updated annually to reflect evolving risk and contain an evaluation component to ensure comprehension. Staff should be afforded ample time for completion, both to promote learning and underscore the importance the organization places on compliance. This time period could also be used to complete annual conflict-of-interest disclosures if they are not completed at the beginning of the calendar or fiscal year.

Bibliography

References

31 USC § 3729-3733.

Berry MD. Mandatory healthcare compliance and ethics programs [online]. 2013 Apr 24 [cited 2015 Apr 13]. http://blog.thomsonreuters.com/index.php/mandatory-healthcare-compliance-and-ethics-programs

Budryk Z. Healthcare compliance post-ACA: challenges and opportunities [online]. 2015 Mar 27 [cited 2015 Apr 14]. http://www.fiercehealthcare.com/story/healthcare-compliance-post-aca-challenges-and-opportunities-special-report/2015-03-27?page=full      

Centers for Medicare and Medicaid Services (CMS). Open payments (Physician Payments Sunshine Act) [fact sheet online]. [cited 2015 May 28]. http://www.cms.gov/Regulations-and-Guidance/Legislation/National-Physician-Payment-Transparency-Program/Downloads/Physician-fact-sheet.pdf

Deloitte. Eight ways to move toward a culture of compliance [online]. Wall St J 2013 Jun 7 [cited 2015 Apr 10]. http://deloitte.wsj.com/cfo/2013/06/07/toward-a-culture-of-compliance-eight-initiatives-ccos-can-lead/tab/print

Gosfield A. Doing what really matters: the compliance connection to health care quality. J Health Care Compliance 2007 May-Jun;9(3):43-5. Also available at http://www.gosfield.com/images/PDF/JHCC.DoingWhatReallyMatters.pdf

Hagan H, Satija D. Planning and executing enterprise-wide compliance risk assessments in healthcare organizations. Compliance Today 2015 Apr:37-43.

Health Care Compliance Association (HCCA). Corporate Compliance and Ethics Week—what's it all about? [online]. [cited 2015 Apr 21]. http://www.hcca-info.org/portals/0/pdfs/resources/ccew/whycelebrate.pdf

In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996).

Jessep PP. Nurturing a compliance culture of self-improvement. Compliance Today 2014 May:41-5.

Joint Commission. Standard LD.04.01.01. In: 2015 comprehensive accreditation manual for hospitals. Oakbrook Terrace (IL): Joint Commission Resources; 2015.

Jones SD. Combining disciplines: making the connection between compliance, risk and quality management. J Health Care Compliance 2007 May-Jun;9(3):5-12.

Mauriello K, Stearns J. Nursing home compliance programs: mandatory compliance programs are here and where should you be focusing your internal review efforts [online]. [cited 2015 Apr 17]. https://www.healthlawyers.org/Events/Programs/Materials/Documents/LTC13/papers/rr_mauriello_stearns_slides.pdf

Moses Chaitt M, Mattioli ML, Moses RE, et al. Compliance and quality of care, part 1: laws and case studies. Compliance Today 2013 Dec:40-5.

Murphy JE. A compliance & ethics program on a dollar a day [online]. 2010 Aug [cited 2015 Apr 17]. http://www.corporatecompliance.org/Portals/1/PDF/Resources/CEProgramDollarADay-Murphy.pdf

Office of Inspector General (OIG), U.S. Department of Health and Human Services:

Medicare, Medicaid, and Children's Health Insurance Programs; additional screening requirements, application fees, temporary enrollment moratoria, payment suspensions and compliance plans for providers and suppliers; final rule. Fed Regist 2011 Feb 2;76(22):5941-3. Also available at http://www.gpo.gov/fdsys/pkg/FR-2011-02-02/pdf/2011-1686.pdf

OIG supplemental compliance program guidance for hospitals. Fed Regist 2005 Jan 21;70(19):4858-76. Also available at https://oig.hhs.gov/fraud/docs/complianceguidance/012705HospSupplementalGuidance.pdf

Operating an effective compliance program [online]. [cited 2015 Apr 14]. https://oig.hhs.gov/compliance/provider-compliance-training/files/OperatinganEffectiveComplianceProgramFinalBR508.pdf

Some questions compliance professionals should ask as they prepare for health care reform [online]. 2010 Apr 19 [cited 2015 Apr 15]. https://oig.hhs.gov/compliance/provider-compliance-training/files/HealthCareReformQsforComplianceProfessionals508.pdf 

A toolkit for healthcare boards [online]. 2012 Feb 27 [cited 2015 Apr 15]. https://oig.hhs.gov/newsroom/video/2011/toolkit-handout.pdf

Office of Inspector General, American Health Lawyers Association (OIG and AHLA). The health care director's compliance duties: a continued focus of attention and enforcement [online]. 2011 [cited 2015 Apr 14]. https://oig.hhs.gov/compliance/compliance-guidance/docs/Health_Care_Directors_Compliance_Duties.pdf

Office of Inspector General, Association of Healthcare Internal Auditors, American Health Lawyers Association, et al. (OIG et al.). Practical guidance for health care governing boards on compliance oversight [online]. 2015 Apr 20 [cited 2015 Apr 21]. http://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf

Patient Protection and Affordable Care Act, Pub. L. No. 111-148 (2010).

Pawlak V, Moran J. Innovation for compliance excellence in healthcare. Compliance Today 2014 Jul:73-9.

Rhoad RT, Fornataro MT. Whistling while they work: limiting exposure in the face of the PPACA's invitation to employee whistleblower lawsuits. Health Lawyer 2010 Aug;22(6):1-17.

Shuman L. Effective compliance training for small physician practices. Compliance Today 2014 Nov:59-62.

Snyder BC. Compliance is a culture, not just a policy [online]. 2014 Sep 9 [cited 2015 Apr 10]. http://www.justice.gov/atr/public/speeches/308494.pdf

Staman JA. Health care fraud and abuse laws affecting Medicare and Medicaid: an overview [online]. 2014 Sep 8 [cited 2015 Mar 20]. http://fas.org/sgp/crs/misc/RS22743.pdf

Tenet Health. Quality and compliance standards for Tenet corporate management [online]. 2011 Sep 27 [cited 2015 Apr 15]. https://www.tenethealth.com/docs/default-source/policies/policies---general/policy---hr-erw-19_quality_and_compliance_standards_for_management.pdf?sfvrsn=2

Troklus D, Warner G. Compliance 101. 3rd Ed. Minneapolis: Health Care Compliance Association; 2011.

Troyer G, Coons L. Corporate compliance: a risk management framework. Volume 3, Chapter 4. In: Carroll R, ed. Risk management handbook for health care organizations. 6th Ed. San Francisco: Jossey-Bass; 2010:123-54.

U.S. Department of Justice (DOJ):

King's Daughters Medical Center to pay nearly $41 million to resolve allegations of false billing for unnecessary cardiac procedures and kickbacks [online]. 2014 May 28 [cited 2015 May 27]. http://www.justice.gov/opa/pr/king-s-daughters-medical-center-pay-nearly-41-million-resolve-allegations-false-billing

Saint Joseph London Hospital to pay $16.5 million to settle False Claims Act allegations of unnecessary heart procedures [online]. 2014 Jan 28 [cited 2015 May 27]. http://www.justice.gov/opa/pr/kentucky-hospital-agrees-pay-government-165-million-settle-allegations-unnecessary-cardiac

U.S. Sentencing Commission (USSC). Sentencing of organizations. Chapter 8. In: USSC. Guidelines manual [online]. 2014 Nov 1 [cited 2015 Apr 13]. http://www.ussc.gov/guidelines-manual/2014/2014-chapter-8

Vallas TA. Getting ahead of the ACA compliance program mandate. Compliance Today 2014 Jul:31-5.

Zaino J. Compliance costs can be managed [online]. 2014 Nov 4 [cited 2015 Apr 16]. http://www.healthcarefinancenews.com/news/compliance-costs-can-be-managed

Resource List

Centers for Medicare and Medicaid Services
(877) 267-2323
http://www.cms.gov

Health Care Compliance Association
(888) 580-8373
http://www.hcca-info.org

Jefferson University Hospitals
(215) 955-6000
http://hospitals.jefferson.edu

Office of Inspector General
U.S. Department of Health and Human Services
(202) 619-1343
http://www.oig.hhs.gov

Topics and Metadata

Topics

Accreditation; Credentialing/Certification; Ethics; Employment Affairs; Laws, Regulations, Standards; Long-term Care; Quality Assurance/Risk Management

Caresetting

Ambulatory Care Center; Ambulatory Surgery Center; Behavioral Health Facility; Dialysis Facility; Emergency Department; Hospital Inpatient; Hospital Outpatient; Imaging Center; Physician Practice; Trauma Center

Roles

Healthcare Executive; Legal Affairs; Quality Assurance Manager; Regulator/Policy Maker; Risk Manager

Information Type

Guidance

Publication History

Published August 26, 2015