A practical guide for the governing boards of healthcare organizations was recently released through the joint effort of the Office of the Inspector General (“OIG”) of the Department of Health and Human Services, the American Health Lawyers Associated, the Association of Healthcare Internal Auditors and the Health Care Compliance Association. The guide builds upon previous commentary from the OIG about the role of a healthcare organization’s board when it comes to overseeing compliance activities. As the guide states, it is important to define roles within an organization.
Prior OIG guidance set out the path for implementing a good compliance program and explained why the OIG expects a compliance program to exist. A good compliance program will assist organizations in uncovering potential criminal, fraudulent or wasteful conduct. Uncovering such information can, in turn, enable an organization to self-disclose and self-police its own conduct, which can reduce potential penalties in the event improper conduct did occur.
However, from the OIG’s perspective it is not enough to just put a compliance plan into place, or expect an organization’s officers to run it. The Board of Directors/Trustees (the “Board”) must also play a role. The Board should actively oversee the compliance plan, which includes reviewing the plan and receiving reports about what compliance issues are being presented and resolved. The size and complexity of a compliance program can be scaled to match its organization, but regardless of size the Board should be involved.
How can a Board help oversee and manage a compliance plan? For one, the Board may consider including at least one member with healthcare compliance experience of expertise. This could be a healthcare lawyer, a compliance person or anyone else that understands what compliance means in the healthcare realm.
The OIG is quite clear about its expectations for separation. In the guide, the OIG states: “Boards should be aware of, an evaluate, the adequacy, independence, and performance of different functions within an organization on a periodic basis. OIG believe an organization’s Compliance Officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner. While independent, an organization’s counsel and compliance officer should collaborate to further the interests of the organization. OIG’s position on separate compliance and legal functions reflects the independent roles and professional obligations of each function.”
As suggested by the above statement, the Board would be well advised to ensure that compliance and legal are separate and independent bodies within an organization. Compliance is intended to “promote the prevention, detection, and resolution of actions that do not conform to legal, policy, or business standards” The legal function is similar, but is providing advice about the “legal and regulatory risks of [an organization’s] business strategies,” which means advising an organization about the relevant laws and regulations. As indicated, the roles are similar but fundamentally different too. While both functions should collaborate with each, the advice and views of both can differ. Further, maintaining clear legal counsel can help preserve the attorney-client privilege when an organization could want to cloak discussions in privacy.
Another important role for the Board is to identify areas of risk and ensure that appropriate audits occur to assess the organization’s relative strengths and weaknesses. The Board itself will not conduct these reviews, but can hold management accountable to perform them No organization can expect that everything it does is completely compliant because healthcare laws and regulations are so complex.
The new guidance is not groundbreaking and does not seek to impose new duties or obligations. It is a very good reminder of what organization’s should be looking at and reviewing though. In the government’s eyes, individuals in every level of an organization can and should play a role in promoting a culture of compliance. With this warning from the OIG, organizations would be well advised to take a look in the mirror and ask if what they are doing is enough.