On April 20, 2015, four organizations (including OIG, American Health Lawyers Association, the Association of Healthcare Internal Auditors and the Health Care Compliance Association) issued “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (referred to herein as the “Guidance”) providing suggestions concerning how governing boards might discharge their oversight responsibilities with respect to compliance. The Guidance does not carry the weight of law, but it remains to be seen how influential it will be in shaping the customary practices or the standard of care in the industry. On April 27, 2015, this firm issued an advisory summarizing the Guidance, expressing some concern with the directive nature of some of the language and suggesting the need for more flexibility, particularly for organizations with limited resources.
The purpose of this follow-on advisory is to identify approaches healthcare organizations with limited resources might consider to address the suggestions contained in the Guidance. At the outset, from the Caremark, Abbot Laboratories and other cases, the law is clear that the Governing Board needs to ensure that the organization has a system in place to attempt to detect and prevent violations of, and encourage compliance with, applicable law and corporate policy. Stated another way, the board needs to be aware of and engaged with respect to the organization’s compliance function, including its information and reporting system. The level of such engagement is the real issue in play here. In that vein, a couple of preliminary observations warrant emphasis. First, management should help guide the board as to the appropriate level of activity and advice needed from compliance experts. We recognize and agree with the old adage “the tone needs to be set at the top”, but boards may appropriately rely on management to help them focus on the right issues in the right context. Governing boards, particularly volunteer boards, need guidance as to how to prioritize their time and attention. Second, many organizations do not have the resources to have officials dedicated solely to compliance activities, as these officials often wear many hats. There should be flexibility with respect to the expectations placed on such officials and build appropriate support around them.
Most healthcare organizations we advise have adopted written compliance programs structured around the seven elements from the Federal Sentencing Guidelines and tailored in light of the OIG’s compliance guidance. These compliance programs have designated compliance officers that often report to a board committee (with “independent” members) whose charter includes compliance-related activities and conduct some training on compliance issues. The scope of each organization’s compliance activities varies depending on resources, risks, recent history and a variety of other circumstances. With this perspective in mind we turn to some suggestions.
Budget and Schedule
If compliance is to be a priority, it needs to be treated as such by the Governing Board and the board needs to set a budget for annual compliance related expenditures and a schedule for its compliance activities. In much the same way the budget and financial reporting are scheduled by the board on an annual basis, the compliance priorities, objectives and time frames need to be set over the course of the board year. In this way, compliance will be given attention and objectives will be set that will hopefully enable the organization to prioritize compliance appropriately in the context of the other initiatives on the board’s calendar. The budget needs to include the involvement of auditors or professionals from outside the organization who can give an “industry perspective”. The schedule should address appropriate reporting to the board and possibly management certifications or board findings with respect to compliance. Any reporting schedule should also accommodate unexpected issues that surface and require immediate board attention.
Compliance Professionals on the Board
The Guidance suggested it would be useful to have a compliance professional on the Governing Board. This poses two challenges for most organizations – first, experienced and competent healthcare compliance professionals are hard to come by; second, you do not want an individual board member charged with the responsibility of making compliance judgments. First, this may conflate the board member’s role as a director with the professional advice he or she might provide as a lawyer or compliance professional. Second, judgments relating to operational compliance of the organization are more appropriately initiated at the management level. Our suggestion is that the Board identify a member who is an accountant, attorney or other professional familiar with regulatory schemes to participate in the compliance function (whether chairing an appropriate Board committee or sitting on such a committee). If sufficiently engaged this person should be able to improve the board’s understanding and oversight of the organization’s compliance activities and keep the board focused on key issues when necessary. The Guidance suggested as an alternative to Board membership, that the Board periodically consult with compliance professionals. Given the complexity of the regulatory landscape, calling on outside experts to assist management and the board would be beneficial for all organizations, whether they have a compliance professional on the board or not.
How to Stay Current on Compliance Priorities
Management should play an important role in informing the Board as to industry developments and compliance priorities. The Guidance emphasized the Board’s need to “stay abreast of the... regulatory landscape and operating environment.” There are a number of resources available, but the OIG’s work plan and the recent compliance issues faced by the organization can serve as useful guideposts. Board educational sessions and advice from experienced compliance professionals can also assist the board and management in keeping up to speed.
Roles and Relationship
The Guidance provides a nice summary of the compliance function, legal function, internal audit function, HR function and quality improvement function. The Guidance also suggests that Boards need to be aware of and evaluate how these functions operate and interact within the organization. It is important that the Board and management understand the differences in these functions, but as noted above, it is not required (or necessarily optimal) for every organization to maintain these functions as separate and independent. The Board with the assistance of management should periodically assess the functions and, where appropriate, make clear to operational personnel the distinctions and purposes of the various functions.
“Executive Sessions”
The Guidance suggests that the Board regularly schedule executive sessions with compliance officers. Executive Sessions are typically portions of a meeting where management (including management who serve on the board) is excused and the board members meet on their own or, as suggested by the Guidance, with compliance personnel. Most public companies schedule executive sessions to permit the Board to meet with the auditors without management present. Many nonprofit Boards do not hold executive sessions, for a variety of reasons. The chair may not feel competent without the support of management, management may feel threatened or the Board is not familiar or comfortable with such a process. In our experience, and with some appropriate ground rules, companies can learn to appropriately use executive sessions and board members embrace the opportunity to “speak freely” and ask the tougher questions. It is typical for the chair and CEO debrief after each session.
These suggestions are a starting point for approaches to be considered by organizations seeking to enhance Board oversight of compliance while working with limited resources. Appropriate planning and analysis needs to be given to adopting any of these approaches, for at least two reasons. First, to make sure the approach is appropriate and will be effective for your organization and, second, to make sure that the organization understands that compliance is a priority that should be integrated into its operations and governance processes.
