The Office of Inspector General (OIG) white paper, “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (OIG Guidance), provides an excellent road map for thinking about how to structure a Compliance Committee for your Board and a Board’s obligations.
As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be both a corporation information and reporting system and that such reporting mechanisms provide appropriate information to a Board. It states:
The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.
The OIG Guidance sets out four areas of Board oversight and review of a compliance function:
- Roles of, and relationships between, the organization’s audit, compliance, and legal departments;
- Mechanism and process for issue-reporting within an organization;
- Approach to identifying regulatory risk; and
- Methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.
While noting that a corporate compliance function should promote the prevent, detect and remediate of compliance violations, the OIG Guidance goes on to state that an organization’s Chief Compliance Officer (CCO) “should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.” Rather, the Board must ensure the CCO and compliance function have resources to fulfill their assigned role within an organization and access to the Board. The Board should evaluate and discuss how management works together to address risk, including the role of each in:
- Identifying compliance risks,
- Investigating compliance risks and avoiding duplication of effort,
- Identifying and implementing appropriate corrective actions and decision-making, and
- Communicating between the various functions throughout the process.
A key component of Board oversight is the flow of information. According to the OIG Guidance, the Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts. These reports can come to the Board via a variety of reporting mechanisms; regular Board meetings, special Executive Sessions where the Board meets with the CCO or compliance leadership outside of the presence of senior management and ad hoc communications from the CCO. All of these reports help to create a “continuous expectation of open dialogue” which is paramount for proper Board oversight. Of course, if a serious compliance issue arises, it needs to be communicated directly, and in a timely manner, to the Board.
But in addition to setting the expectations for the flows of information, a Board must also set expectations for holding senior management accountable for areas such as compliance. This can be through the assessment of “individual, department, or facility-level performance or consistency in executing the compliance program” and using this information to payout or withhold discretionary based bonuses “based upon compliance and quality outcomes.” The OIG Guidance notes, “Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals. Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met.” The key component, however, is that the organization delivers the message that everyone is responsible for compliance.
A Board also needs to have regular reports on the risks that any organization may face. This means keeping abreast of “relevant and emerging regulatory risks, the role and functioning of an organization’s compliance program in the face of those risks and the flow and elevation of reporting of potential issues and problems to senior management.” The OIG Guidance speaks to technological solutions on this:
Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care.
Moreover, a Board should also mandate that the company’s compliance function have the proper tools in place to facilitate compliance reporting internally, especially those that can track and identify trends in performance that be red flags and call for corrective action.
Ultimately a Board should drive home of the message of compliance as a way of life so that it permeates into the DNA of an organization. If a Board can help drive compliance into the fabric of an organization, it will have done more than simply fulfill its legal obligations starting in the Caremark decision and going forward. The Board will have helped to make the entire organization more compliance-centric and when a Board can help to facilitate such a change in attitudes, it will have moved the organization several steps down the road of doing business in compliance with relevant laws and issues.
The OIG Guidance is an excellent review for not only compliance professionals and others in the healthcare industry but a good primer for Boards around their own duties under a best practices compliance program. The US Sentencing Guidelines, the Hallmarks of an Effective Compliance Program, the OIG Guidance, and OIG Corporate Integrity Agreements can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program.