The health care industry has a rich history of commitment and innovation in developing effective compliance programs. Going back to the 1990s, HHS elevated compliance program requirements for healthcare companies. Many of these innovations translated into strategies that became essential to the compliance industry.
For example, in the 1990s, HHS’ Inspector General (“HHS-OIG”) affirmatively pushed for separation of the legal and compliance functions, resulting in broad industry acceptance of an independent compliance function. HHS-OIG’s push on this issue eventually succeeded in establishing compliance’s reporting relationship to the board and the importance of independence, autonomy and access to resources.
In November 2023, HHS-OIG issued a comprehensive document, the General Compliance Program Guidance (“GCPG”), which outlines important compliance guidance for the health care industry.
The GCPG provides specific guidance on compliance with the Federal anti-kickback statute (“AKS”), the Physician Self-Referral Law (“Stark Law”), the False Claims Act, HIPAA Privacy and Security, Exclusion Authorities, and Criminal Healthcare Fraud. Aside from this important compendium of statutory and regulatory requirements, the GCPG provides important compliance guidance, best practices and established strategies for compliance programs in the health care industry.
The GCPG is organized around the seven established elements of an effective compliance program.
The GCPG reflects HHS-OIG’s experience over 25 years, prior guidance, experience monitoring Corporate Integrity Agreements (“CIAs”), industry stakeholder meetings, lessons learned from investigations and enforcement actions and the continuing innovation and evolution of health care delivery systems.
The 7 Elements of a Successful Compliance Program include:
- Written Policies and Procedures
- Compliance Leadership and Oversight
- Training and Education
- Effective Lines of Communication with the Compliance Officer and Disclosure Program
- Enforcing Standards: Consequences and Incentives
- Risk Assessment, Auditing and monitoring
- Responding to Detected Offenses and Developing Corrective Action Initiatives
The GCPG includes a discussion of each of these program elements and provides important “Tips” for compliance. While focused on the health care industry, the GCPG provides yet another important example of compliance leadership that should be read and used by compliance professionals in all industries.
The Importance of Compliance Leadership
Most importantly, the GCPG repeats and expands the reasons for a strong, independent compliance function, along with best practices and other strategies for ensuring an effective compliance program and a robust compliance function.
Every organization has to appoint and support a chief compliance officer who has the “authority, stature, access and resources necessary to lead an effective and successful compliance program.”
The GCPG directs that a compliance officer should: (i) report either to the CEO with direct and independent access to the board or the board directly; (ii) have sufficient stature within the entity equal to other senior leaders; (iii) demonstrate unimpeachable integrity, judgment, assertiveness, an approachable demeanor, and the ability to elicit the respect and trust of employees’ and (iv) have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating and remediating the entity’s compliance risks.
The compliance officer’s primary responsibilities encompass — (i) oversight and monitoring the compliance program; (ii) advising the CEO, board and other senior leaders on compliance risks and the operation of the entity’s compliance program; (iii) chairing the compliance committee; (iv) regular reporting to the board; (v) revising the compliance program periodically as required; (vi) coordinating with human resources to ensure that employees are screened before appointment or engagement and monthly thereafter to ensure no excluded individuals are employed or appointed at the entity; (vii) coordinating with other relevant components (e.g., internal audit, risk, quality, information technology); (viii) conducting independent investigations and recommending changes or corrective actions as needed; (ix) developing policies and program to encourage personnel to report suspected fraud or other misconduct without fear of retaliation.
To underscore the importance of separation from the legal function, the compliance officer should not lead or report to the entity’s legal or financial functions and should not provide the entity with legal or financial advice or supervise anyone who does so. Whenever possible, the compliance officer’s sole responsibility should be compliance.
The GCPG recognizes that compliance officers sometimes share responsibility for privacy risks and compliance. In those cases, the entity has to ensure that the compliance officer has “sufficient staff and resources to perform the additional duties associated with the expanded role.”
Recognizing the importance of coordination and cooperation among the various entity functions, the GCPG stresses that the compliance officer should establish productive working relationships with leaders of Legal, Internal Audit, IT and Health Information Management, Human Resources, Quality, Risk Management and Security.
The GCPG directs that health care entities establish a Compliance Committee to aid and support the compliance officer to implement, operate and monitor the compliance program.
In particular, the Compliance Committee should meet no less that quarterly and should have the basic duties to (1) analyze the applicable legal and regulatory requirements; (2) assess, develop, and regularly review policies and procedures; (3) monitor and recommend internal systems and controls; (4) assess education and training needs and effectiveness and regularly reviews required training; (5) develop a disclosure program and promote compliance reporting; (6) assess effectiveness of the disclosure program and other reporting mechanisms; (7) conduct annual risk assessments; (8) develop the compliance workplan; (9) evaluate the effectiveness of the compliance workplan and any action plans for risk remediation; and (10) evaluate the effectiveness of the compliance program.
The compliance officer should chair the committee, which should include relevant leaders of operational and supporting departments, such as billing and coding, clinical and medical, finance, internal audit, information technology, HIM, human resources, legal, quality, risk management, sales and marketing and other operational managers.
Also, the compliance officer should assist in identifying and monitoring risk areas and report on progress toward committee objectives. The compliance officer should mediate any disagreement among committee members and escalate unresolved issues to the CEO. The board and the CEO should oversee the compliance committee to establish a positive tone and impose specific requirements for attendance and active participation. Member attendance, active participation and contributions should be included in each members performance plan and compensation evaluation.
The compliance officer should “periodically” report to the board assessing the compliance committee’s performance against the committee’s workplan, decisions and recommendations. In particular, the compliance officer should include any recommendations to adjust and improve the committee’s performance.
