The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) issued a document entitled General Compliance Program Guidance in November 2023. The OIG’s stated purpose in issuing this document was to provide a reference guide for the healthcare compliance community and other healthcare stakeholders. The Guidance covers a wide range of topics, from laws and regulations with compliance implications to OIG resources and processes. However, the majority of the Guidance covers the 7 elements of an effective compliance program.
What are the 7 Elements of an Effective Compliance Program?
The 7 elements of an effective compliance program for healthcare entities can be listed simply.
- Written Policies and Procedures
- Compliance Program Leadership and Oversight
- Education and Training
- Effective Lines of Communication with the Compliance Officer and Disclosure Programs
- Enforcing Standards: Consequences and Incentives
- Risk Assessment, Auditing, and Monitoring
- Responding to Detected Offenses and Developing Corrective Action Initiatives
Let’s look at each one of these elements in some detail.
1. Compliance Program Written Policies and Procedures
Most healthcare programs are underpinned by a foundation of policies and procedures and standards of conduct. Many policies are required by laws or regulations that govern healthcare services and billing, or by the requirements of accrediting organizations. Compliance programs are no different.
- Code of Conduct: For many business organizations, the Code of Conduct may simply be part of an employee handbook, and consist mostly of unacceptable personal conduct – using illegal drugs at work or harassing other employees. For healthcare organizations following OIG compliance guidelines, the Code of Conduct will be much broader and will emphasize desired standards of conduct vs. conduct which makes a staff member subject to disciplinary action. The Code of Conduct can also reflect the organization’s view of effective ethics as well as the mission and goals of the organization.
- Compliance program policies and procedures: Healthcare organizations can use this element to centralize the descriptions of compliance processes adopted by the organization. Policies range from descriptions of the role of the Compliance Officer and Compliance Committee to risk areas of the organization to the procedures for investigating detected problems.
Other policies and procedures include areas like screening prospective and current staff members against the OIG Exclusion List. Compliance program policies and procedures should also address enforcing standards, training, and internal monitoring and auditing.
As anyone in management can tell you, implementing written policies and procedures is more than half the battle. Another important piece is the timely updating and communication of revised policies. Enforcement of policies is more difficult if staff members can reasonably claim not to be aware of new guidelines.
2. Compliance Leadership and Oversight
At least some of the compliance program guidelines that evolved over the years were a result of healthcare organization leadership and management not exercising effective oversight of the activities of the organization, especially those related to laws, regulations, and risk areas.
2a. Board Compliance Oversight
This has led the OIG to emphasize the responsibility of the governing body, aka the Board, to oversee the Compliance Program of the organization.
These requirements stem from 3 sources.
- The United States Sentencing Commission’s Guidelines require that an organization’s governing body be knowledgeable about the content and operation of the compliance and ethics program. It should also exercise reasonable oversight of the implementation and effectiveness of the compliance program.
Why pay attention to the U.S. Sentencing Commission’s Guidelines? Because when an organization is facing fines due to violations related to its lack of compliance with billing or other laws or regulations, an organization with an effective compliance program could be eligible for a reduction of up to 90% of the amount of the fine.
- The second source of requirements for governing bodies is the compliance guidance issued by the OIG. This guidance advises the Board to empower the Compliance Officer and to supervise the activities of the Compliance Officer and the Compliance Committee. For some healthcare organizations like skilled nursing facilities and affordable care organizations, the requirements are more than guidance; they are spelled out in regulations.
- The third source of requirements is state law. Most state laws impose various duties on corporate boards. Boards have fiduciary duties and duties of care to make good decisions. To carry out these duties, boards must receive sufficient information and make sufficient inquiries to enable them to fulfill their other duties.
This adds up to the Board empowering the Compliance Officer and the Compliance Committee, and then receiving periodic reports from those sources. The OIG recommends quarterly as the regular reporting requirement.
2b. The Compliance Officer
The OIG guidance sets high expectations for the position of the Compliance Officer (CO) in a healthcare organization.
- The CO should report to the Chief Executive Officer and should have direct access to the Board, or even report to the Board. CEOs are busy, and Boards may not be interested in supervising a staff member of the organization, so these exact reporting relationships may be modified in many organizations.
- And of course, a senior leader with another management role may also be assigned the role of CO as a collateral duty. In any case, the important point is to make sure the CEO, other senior management leaders, and the Board are accessible and listening when the CO makes routine or special reports.
- A large part of the responsibility for an effective compliance program rests, of course, with the person filling the role of the compliance program. An employee’s stature or actual position is also affected by his or her judgment displayed, by an approachable demeanor, and by engaging others based on mutual respect.
- There are a few roles in a healthcare organization that are not suitable for assignment as a compliance officer. A senior leader responsible for billing/claims submission, contracting, physician relations, or financial reporting may have conflicts of interest if assigned the duties of a compliance professional as well.
The duties of the CO are numerous and far-reaching. Besides reporting to the Board and the CEO, compliance officers are also usually responsible for:
- Chairing the Compliance Committee;
- Revising the compliance program and other compliance-related policies and procedures as necessary;
- Investigating and coordinating internal investigations into reported concerns about compliance with laws and regulations affecting compliance risk areas.
- Drafting or otherwise initiating the planning of the annual compliance work plan.
The scope of access of the CO must also be commensurate with the scope of the risk areas enumerated in the Compliance Program. Most healthcare providers share multiple risk areas if they are submitting claims to government healthcare programs like Medicare or Medicaid. These include activities such as:
- Documenting care and services in medical and accounting records;
- Coding and submitting claims for services;
- Managing financial arrangements or joint ventures with physicians who refer patients to the organization;
- Employing persons for roles in patient care or coding/billing who may have been previously excluded from such activities when claims for their services are submitted to government healthcare programs.
Given this range of operations, the CO needs the authority to review all the types of documents or data related to these activities. The CO must also be able to contact and interview staff members throughout the organization when conducting a compliance investigation. Guidelines for third-party billing services even include an authority for the CO to halt the submission of claims to government programs which the CO believes contain errors or will be problematic for other reasons.
2c. The Compliance Committee
- Analyzing the legal and regulatory requirements – and risk areas – that apply to the healthcare entity;
- Regularly assessing and updating the compliance program and compliance policies and procedures;
- Assessing education and effective training needs, including the content and effectiveness of training;
- Developing and publicizing the annual compliance work plan;
- Conducting risk assessments and evaluating the effectiveness of the compliance program;
- When sufficient confidentiality can be maintained via attorney/client privilege, reviewing the results of compliance investigations and targeted internal or external audits.
Membership on the CC should include senior leaders of operations and support departments or services. These would typically include Billing/Coding, Clinical Services, Finance/Accounting, Information Services, Medical records/Health Information Management, Risk Management, Human Resources, Legal, Quality, and Sales/Marketing. When the CC also serves as the HIPAA Privacy Committee, the Privacy Officer will also be a member.
The CO should chair the CC, and ensure an agenda and minutes are prepared. The OIG recommends at least quarterly meetings. Larger organizations may find monthly meetings necessary. New members should be oriented to the duties and responsibilities of the CC and to the need to maintain confidentiality of certain matters such as investigations, before attending.
What shouldn’t the Compliance Committee do or become? The CC is not some sort of super management committee, responsible for compliance with all laws, regulations, and accreditation standards affecting the organization’s activities. The CC and its members should always focus on the risk areas outlined in their charter, and leave other management structures to supervise compliance in other aspects of operations.
These three elements of leadership and oversight together comprise the foundation of an organization’s efforts to foster a culture of compliance in the institution.
3. Training and Education
Maybe only dedicated compliance professionals can get excited about compliance training and education, but it is nevertheless an important component of the 7 elements of an effective compliance program.
What is the scope and content of compliance training and education training for healthcare organizations? The training should be specific to the activities and risks of the entity. It should include at a minimum information on:
- The role of the CC, CO, and Board in the compliance program;
- The provisions of the Code of Ethical Conduct of the organization;
- The elements of the compliance program and annual work plan;
- How to contact the CC or CO;
- How to find information on compliance policies and procedures, and the non-retaliation provisions of those policies.
Effective training should also be customized to some extent based on the roles and responsibilities of employees. For instance, staff members involved in coding or billing should be aware of the false claims risks associated with those activities. Managers dealing with referring physicians who have financial arrangements with the organization need training related to Stark regulations and the Anti-Kickback Statute.
Many organizations rely on education programs from a third-party vendor. Most of the time, these programs are well done and cover the subject material. What they may not cover as thoroughly are the local particulars of the compliance program: the specific risk areas or how to report a compliance concern. Healthcare entities should make sure to cover these local issues and procedures as well through alternative information channels, especially for new employees.
Participation in training like compliance and privacy should not be optional for any employee, manager, volunteer, independent contractor, Board member, or medical staff member. Initial training should be part of the initial orientation for new staff members, with periodic reviews at least annually for everyone.
4. Effective Lines of Communication with the Compliance Officer and Disclosure Programs
This element, along with Element 5, Enforcing Standards: Consequences and Incentives, is one of the most challenging of the 7 Elements. The OIG guidelines describe several effective lines of communication for staff members to reach the compliance professional(s) of the organization:
- A website portal;
- An email address dedicated to compliance;
- An internal mailbox.
At least one method should enable staff members to report anonymously. This can be accomplished with an internal hotline or a hotline maintained by a third-party vendor. Staff members should not be required to bring a concern to a supervisor or manager before reporting it to the Compliance Department.
The methods for reaching the Compliance Department should be featured prominently in the compliance training, and repeated frequently in things like posters or newsletter articles. Information should also address the confidentiality of reporting and the non-retaliation policy of the entity. Of course, confidentiality cannot be guaranteed, especially if a concern turns into an investigation by the government.
A log of compliance concerns and investigations is also strongly recommended by the OIG. The log should be used to record several pieces of information:
- Date Received,
- Description of the concern or issue,
- Description of investigatory steps, including dates,
- Corrective Actions or other resolution,
- Date of resolution, and
- Any follow-up actions such as refunds or disclosure to government authorities.
Consider bringing the log under the protection of attorney/client communications, with in-house counsel or outside counsel if possible.
It is worth noting that many individuals who eventually became whistleblowers attempted to report their concerns internally. After being rebuffed or ignored, they found an outside attorney who would listen – and take action. Healthcare providers should always take compliance concerns seriously; it is better to spend a little time explaining why a concern is not warranted than responding to a government investigation!
5. Enforcing Standards: Consequences and Incentives
5a. Enforcing Standards: Consequences
The idea of consequences, for a reporting person individually or for co-workers, is sometimes a reason why concerns do not get reported. Overcoming this reluctance is one of the issues compliance professionals must address whenever possible.
There are a great many compliance concerns that turn into investigations where corrective action such as repayment of claims or adjustments to physician compensation are the result. Most often, these situations are the result of mistakes based on ignorance, not the result of reckless conduct or even negligence. So it is important to have both non-punitive consequences as well as punitive measures in your sanctions policy development.
Non-punitive measures may include education or other remedial training. When willful ignorance, at-risk behavior or even malice are involved, sanctions should be significant, up to and including termination. They could also include reporting the actions to government investigators.
One of the challenges in all appropriate disciplinary action is making sure that sanctions are imposed fairly and proportionately. Sometimes managers and supervisors, worried about staffing their departments, want to downplay the seriousness of a staff member’s non-compliance. We have even seen managers impose a suspension on an employee, but then permit the person to work on the suspension days. That is definitely asking for trouble the next time a suspension comes up!
Healthcare providers must also consider consequences for managers and corporate officers when compliance concerns turn into investigations with negative consequences for the institution. This is especially true when staff members have raised concerns previously, but no action was taken.
5b. Enforcing Standards: Incentives
The flip side of consequences is incentives. Should there be incentives when compliance means staff members are doing what they are supposed to anyway? Creativity may be required, but incentives for compliance performance are certainly possible.
For instance, mentioning efforts above and beyond what is usually expected of an employee in a performance evaluation is certainly appropriate. This could result from a staff member bringing to light a concern in a particular risk area of the compliance program. Or someone who points out a process improvement that reduces the risk of mistakes that have compliance implications.
Of course, it is not appropriate to reward staff members for reporting compliance concerns for which they were responsible. Incentives cannot be used to reward performance goals that have unintended consequences.
One medical practice created user privileges for staff members to authenticate incomplete physician notes immediately after a patient visit so charges could be released for billing purposes. But no physician or other clinician who could or should have authenticated the note, ever went back and signed them. This had the effect of causing the submission of hundreds of potentially fraudulent claims to government healthcare programs. This practice may have facilitated collections, but definitely put the practice at risk!
6. Risk Assessment, Auditing and Monitoring
6a. Risk Assessment
Auditing and monitoring have been elements of compliance programs for decades. Performing a formal risk assessment is a newer approach to add to the efforts to establish an effective compliance program.
A risk assessment is defined as a process for identifying, analyzing, and responding to risk. Let’s look at the example of a hospital employing or contracting with physicians who provide outpatient care for which the hospital submits claims to government healthcare programs. There are at least 2 major compliance risks inherent in this arrangement.
- As the employer or contractor of the physicians, the hospital is submitting claims based on the medical records documentation and coding choices of the physicians. How could this risk be analyzed and what responses could be implemented? The hospital could analyze the range of office visit CPT codes of each physician. Specialist physicians would tend to use CPT codes indicating more complexity required for patient diagnosis and treatment. Primary Care physicians would be expected to treat a less complex patient population, and the coding of their services should reflect a wider range of CPT visit codes. If an analysis of CPT codes used by individual physicians showed one or more physicians using complex codes for virtually every patient, one might wonder about the accuracy of the physician coding.
What responses could be used to mitigate this risk? Physicians could receive education on correct coding and get reports on their coding patterns over time. Or the hospital could hire certified coders to review the medical records and propose codes that meet the coding requirements in all respects.
- The second compliance risk is the financial arrangement between each physician and the hospital. Stark regulations require that compensation to the physician not exceed fair market value. Data analysis would include an array of physician compensation against benchmarks by specialty and geographic area. A response mitigating the risk could consist of retaining a valuation consultant to consider all the benchmark factors going into physician performance – productivity, time required, and collections for services. These benchmark ranges can be combined into an overall range for the specialty, time, and work effort. A policy limiting physician compensation to an upper limit of the 60th percentile would demonstrate the hospital went to great lengths to achieve a fair market value for physician compensation.
6b. Auditing and Monitoring
Auditing can be defined as the formal examination of records – financial records, medical records or other business records. Audits may be discrete activities, examining records of specific types and specific periods. Monitoring includes routine or periodic review of records or processes to assess the effectiveness of a process.
Examples of monitoring include:
- Routine review of the OIG exclusion list or state Medicaid exclusion lists.
- Annual review of written policies and procedures to update them for periodic changes in laws, regulations, or accreditation standards.
- Routine review at the department level of medical record documentation necessary to support claims for services is another type of internal monitoring. For example, reviewing records of cardiac rehabilitation patients to ensure the physician documentation of patient indications meets the requirements for Medicare coverage of the service.
Audits should be focused on the risk areas of the organization. All healthcare entities submitting claims to government programs should consider an audit documenting the medical necessity of the services for which they are billing. A Designated Health Service compensating referring physicians may want to audit the compensation to ensure it meets the terms of the employment agreement or other contract. Such audits may be external audits or internal audits.
Another type of audit is to assess the effectiveness of the compliance program. The results of this and other types of audits should be part of the routine reports to the Board of Directors.
7. Responding to Detected Offenses and Developing Corrective Action Initiatives
The 7th element of an effective compliance program is having policies on investigating, reporting, and taking corrective action when compliance violations are found.
7a. Investigations of Violations
One characteristic of an effective compliance program is how investigations into detected problems are welcomed and encouraged. While no one relishes finding mistakes or misconduct in their organization, a responsible healthcare provider will not shy away from such situations. And this is an attitude that is best adopted by the Board and senior leadership.
While some investigations lead to refunds of payments by federal healthcare programs, that is not the only outcome of an investigation. There are several considerations when starting an investigation.
- Who needs to be interviewed?
- What kind of documentation needs to be secured?
- Should outside counsel or other types of outside expertise be retained?
- Could the investigation be compromised by current staff members? Should any staff members be placed on leave during the investigation?
It is also important to document all facets of the investigation, including interviews with witnesses, corrective and/or disciplinary action, and the results of the investigation.
7b. Reporting to the Government
Reporting to the government may occur in two ways. Of course, repayment of invalid paid claims is a type of reporting, with repayment usually going to the Medicare Administrative Contractor (or to a State Medicaid program) that issued the payment originally.
A second possibility for reporting comes up when actual misconduct is suspected. The time frame for making such a report is fairly short: no more than 60 days after there is a determination that credible evidence exists of misconduct that violates criminal, civil, or administrative law.
There are even shorter time frames for reporting certain types of misconduct. This includes clear violations of criminal law, significant adverse effects on patient safety, and systematic failure to comply with applicable laws or the terms of an existing corporate integrity agreement.
Healthcare providers can take advantage of the OIG’s voluntary self-disclosure program. This program can be used to self-disclose issues like suspected fraud and violations of the Anti-kickback Statute or the Stark Law. This can be a complicated process, and the minimum settlement amount is $20,000 for claims issues.
7c. Implementing Corrective Action Initiatives
Naturally, the OIG also has guidelines on implementing corrective action initiatives as part of the 7 elements. Part of responding promptly is to refund overpayments within 60 days of determining the overpayment. Healthcare providers should enforce their disciplinary policies and procedures. And of course, they should make changes to policies or processes to prevent a recurrence of the mistakes or misconduct.
Traveling the Path to Compliance Success
The new General Compliance Program Guidance also covers other interesting information, from applicable laws and regulations to compliance adaptations for large and small healthcare providers, and we recommend it to all healthcare organizations and compliance professionals. That said, when it comes to actually implementing the OIG’s 7 elements of an effective compliance program, things might seem a bit overwhelming. But following through on this is essential for your organization to maintain high standards in healthcare. This journey is about more than just following rules; it’s about building a culture of ethical practice and quality patient care.
Remember that you’re not in this alone. Expert help is available, ready to guide you through these requirements. With the right support, these guidelines become less of a burden and more of an opportunity to enhance your healthcare services. Step forward with confidence, knowing that achieving and upholding compliance is within your reach.