OIG Issues Practical Guidance for Health Care Governing Boards on Compliance Oversight

by Dorsey & Whitney LLP

On April 20, 2015, the Office of the Inspector General of the United States Department of Health and Human Services (“OIG”), in collaboration with the Association of Healthcare Internal Auditors, the American Health Lawyers Association and the Health Care Compliance Association, issued a new guidance document to assist governing boards of health care organizations in carrying out their oversight responsibilities. The document, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (“Guidance Manual”), updates and complements prior guidance issued by the OIG since 2003.

While most of the recommendations have been included in prior OIG publications, the Guidance Manual does include a number of practical tips related to board oversight of compliance activities and is another valuable tool for compliance officers and legal counsel to consider as they review and update their organization’s compliance program. The Guidance Document may be found here.


As the government continues to dedicate substantial resources to combat fraud and abuse in the health care industry, and the number of private whistleblower suits continues to increase, the need for a robust compliance program with appropriate board-level oversight is greater than ever. As the Guidance Document highlights, the health care industry is constantly evolving and health care governing boards must stay abreast of the ever-changing regulatory landscape and operating environment. An effective compliance program helps board members meet this obligation and reduces the organization’s risk of sanctions associated with non-compliance, including criminal and civil monetary penalties.

In an effort to assist health care organizations and their board members with the task of assessing the scope and adequacy of the organization’s compliance program, the Guidance Manual addresses several issues, including the:

  1. roles of, and relationships between, the organization’s audit, compliance, and legal departments;
  2. mechanism and process for issue-reporting within an organization;
  3. approach to identifying regulatory risk; and
  4. methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.

While the OIG reiterates its expectation that health care governing boards put forth meaningful effort to review the adequacy of existing compliance systems and functions, it also recognizes that each organization is unique, and as a result, the compliance program should be structured to meet the specific needs of the organization. As the OIG states in the Guidance Manual, “while smaller or less complex organizations must demonstrate the same degree of commitment to ethical conduct and compliance as larger organizations, the Government recognizes that they may meet the Guidelines’ requirements with less formality and fewer resources than would be expected of larger and more complex organizations.”

Below are some of the key highlights from the Guidance Manual.

Summary of Guidance

1. Clear Identification of Compliance Roles and Relationships

In an organization, there are a number of key players whose interaction and cooperation should be outlined in compliance policies and managed by the board. The board should review and consider the multiple relationships within its organization, making sure that department roles and responsibilities have been adopted and that documents are in place that outline the structure, reporting relationships and interactions of these departments and roles. As the Guidance Manual frequently repeats, compliance is an organization-wide function, not the function of a single department.

The Guidance Manual specifically discusses the interrelationship of the audit, compliance and legal functions within an organization. Recognizing that an organization’s exact structure may depend on its size and the resources available to it, the OIG repeats its long-standing position that the compliance and legal functions should be independent of each other. In addition, the Guidance Manual recommends that the board understand how management approaches conflict or disagreements with respect to the resolution of compliance issues and how management decides on the appropriate course of action.

2. Reporting to the Board

An effective compliance program should include a reporting structure that ensures that the board receives regular compliance and risk reports. Ideally, the OIG suggests that the board receive separate and independent reports from a variety of key individuals, including those responsible for audit, compliance, human resources, legal, quality and information technology. The compliance program should detail how the board receives compliance-related information from management. The Guidance Manual states that a board may want to request the development of “objective scorecards” that measure the effectiveness of management in executing and implementing a compliance program.

In addition, the Guidance Manual recommends that the board ensure there are appropriate mechanisms in place to require timely reporting of suspected violations and to evaluate and implement remedial measures. Many compliance issues in health care organizations, including the obligation to report and refund identified overpayments within 60 days of discovery, require the board to take action in a timely manner.

3. Identifying and Auditing Potential Risk Areas

A number of areas unique to the health industry require close monitoring, such as referral relationships and arrangements, billing issues, privacy breaches, and quality-related events. The board must ensure that processes, including the evaluation of both internal and external information, are put into place to identify such risks, such as the use of compliance hotlines and internal audits. External sources such as professional organization publications, OIG-issued guidance, and news reports regarding the health care industry should also be reviewed and evaluated often. The Guidance Manual specifically mentions the need for the board to monitor new areas of risk, taking into account the increasing emphasis on quality, changes in insurance coverage and reimbursement and new forms of reimbursement (including value-based purchasing and bundled and global payments).

4. Encouraging Accountability and Compliance

Everyone within the organization is responsible for executing the compliance program, not just employees serving in audit, compliance or legal roles. Thus, the OIG recommends that the board adopt “a system of defined compliance goals and objectives against which performance may be measured and incentivized” which communicates the message that everyone is responsible for compliance. The Guidance Manual provides specific examples of how an organization can work to meet this goal, including instituting employee and executive compensation claw-back/recoupment provisions if certain compliance metrics are not met and making participation in incentive programs contingent on meeting annual compliance-focused goals.

The OIG again discusses the importance of organizations self-identifying compliance failures and voluntarily disclosing such failures to the Government in a timely manner, and recommends that boards ask management how it handles the identification and reporting of probable violations.


Individually, and collectively with prior guidance issued by the OIG, the Guidance Manual is a valuable educational resource to assist board members of health care organizations to responsibly carry out their compliance plan oversight obligations under applicable law. Health care organizations, regardless of size, should use the Guidance Manual to help in developing, implementing or reviewing their compliance program.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising
