On April 20, 2015, the Office of Inspector General in the U.S. Department of Health and Human Services (OIG), together with the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA) and the Health Care Compliance Association (HCCA), released new guidance for the governing boards of health care organizations, titled “Practical Guidance for Health Care Governing Boards on Compliance Oversight.” This guidance (the "2015 Guidance") expands on documents previously issued by OIG and AHLA in 2003 (“Corporate Responsibility and Corporate Compliance”), 2004 (“An Integrated Approach to Corporate Compliance”) and 2007 (“Corporate Responsibility and Health Care Quality”) but represents the first time that HCCA and AHIA have been involved in the collaboration. In the press release announcing the publication, the four contributors stated that “the cross-disciplinary approach highlights the complementary roles of the internal audit, compliance and legal functions in any comprehensive compliance program” and provided that the document will not only assist the governing boards of health care organizations but the internal auditors, lawyers and compliance officers that report to those boards as well.

Overview

Board oversight over the effectiveness of the organization’s corporate compliance activities emanates from the core fiduciary duty of care (In re Caremark Int’l Derivative Litig., 698 A.2d 959 (Del. Ch. 1996)) and is accentuated by the U.S. Sentencing Commission Federal Sentencing Guidelines Manual. The Sentencing Guidelines provide that the existence of an effective compliance and ethics program can reduce a company’s fine or sentence in the event of a prosecution. To be “effective”, the organization’s governing authority must “be knowledgeable about the content and operation of the compliance and ethics program” and “exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program”.

The 2015 Guidance aims to address four critical issues relating to board oversight and review of compliance program functions:

1. Roles of, and relationships among, the organization’s audit, compliance and legal departments

Organizations are encouraged to use charters and other organizational documents to define the interrelationship of the audit, compliance and legal departments with a goal of setting both boundaries and an expectation of collaboration. Recognizing that there is no “one size fits all” approach to the compliance program, these functions are generally characterized in the 2015 Guidance as follows:

• Compliance: promotes prevention, detection and resolution of actions that do not conform to legal, policy or business standards; develops policies, procedures, plans, metrics to measure execution and reports to evaluate effectiveness.
• Legal: advises the organization on the legal and regulatory risks of its business strategies; defends and initiates legal proceedings.
• Internal Audit: provides objective evaluation of risk and internal control systems; ensures monitoring functions are working as intended.

Additionally, human resources, quality improvement and information technology are noted as key players in an effective compliance program.

Boards are encouraged to be aware of and evaluate the adequacy, independence and performance of the various roles contributing to the overall compliance program. The 2015 Guidance reiterates OIG’s strong recommendation that the Compliance Officer and General Counsel be separate roles and that the Compliance Officer not report to the General Counsel.

2. Mechanisms and the process for issue-reporting within an organization

The board should set clear expectations for receiving compliance-related information, such as through the use of dashboards or scorecards. Expectations regarding what should be discussed with the board should also be established and should include both risk-based reports and regular snapshots.

3. Approach to identifying regulatory risk

Boards should ensure that strong processes for identifying risk areas have been implemented and are encouraged to take into account recent industry trends when designing new risk assessment plans. For example, new forms of reimbursement, such as value-based purchasing and bundling of services create new incentives and compliance risks. Boards are also encouraged to consider how publicly available data resulting from new reporting requirements can be put to beneficial use, such as by comparing accessible data against organizational peers. Further, Boards are reminded that the many industry initiatives focused on transparency – e.g. the Sunshine Act – may result in Board members being asked significant compliance-oriented questions by patients, employees, government officials, the media, donors and whistleblowers.

4. Methods for encouraging enterprise-wide accountability for achievement of compliance goals and objectives

Governing boards must support the notion that compliance is a “way of life” for the organization and that it is the responsibility of the entire organization to execute the compliance program. The 2015 Guidance points out that some companies have tied annual incentive programs to satisfactorily meeting compliance goals while others have implemented claw-back or recoupment provisions if compliance metrics are not met. The Guidance also identifies external incentives that encourage self-identification of compliance failures, specifically calling attention to the statutory requirement to report and refund overpayments (the “60 Day Rule”) and the potential for False Claims Act or civil monetary penalty liability for failure to comply.

Key Take-Aways and Recommendations

The 2015 Guidance encourages boards to raise the level of their substantive expertise by adding to the board, or periodically consulting with, experienced regulatory, compliance or legal professionals, noting that “boards of smaller organizations may need to become more involved in the organizations’ compliance and ethics efforts than their larger counterparts.” The expertise of such professionals serving as board members may be used to shed light on areas of sensitivity or regulatory complexity. Lawyers and non-lawyer compliance professionals alike should be cognizant, however, of their position as a function of governance rather than counsel and should consider how to navigate the ethical and professional implications that may arise as a result of board membership.

• Health care organizations and their governing boards should evaluate the interrelationship among the compliance, audit and legal functions.
• Health care organizations and their governing boards must be mindful of industry trends and should use internal (e.g. hotline calls) and external (e.g. OIG guidance, news media) mechanisms to identify key risk areas.
• Health care organizations and their governing boards are encouraged to consider the increased industry focus on transparency and build mechanisms for ensuring that board members are informed and prepared to answer questions from key stakeholders about publicly available data.