Evaluating and Improving a Compliance Program: A Resource for Health Care Board Members, Health Care Executives …news.wolterskluwerlb.com/media/chapterHC_Compliance.pdf · for Health

Evaluating and Improving a Compliance Program: A Resourcefor Health Care Board Members, Health Care Executives and

Compliance Officers¶52,015 Overview program. In most instances however, what the or-

ganization is advised to do depends on its size,The goal of the Health Care Compliance Associ-resources, business activities, and past behaviors.ation (HCCA) Compliance Performance Measure-The HCCA recognizes and emphasizes that, “onement Initiative is to improve the quality andsize does NOT fit all.” Compliance activities are besteffectiveness of compliance programs by identifyingtailored to the unique needs and risks of the organi-and sharing information regarding the operationzation. The common indicators identified in thisand evaluation of compliance programs.document will not be applicable or appropriate for

Due to the complexity and volume of health every organization, and even those common indica-care regulations and of compliance programs in tors that are relevant may need to be adjusted orhealth care organizations, management and gov- modified by the organization to achieve the objectiveerning bodies frequently have questions about com- of compliance.pliance programs. Are we focused on the right Nevertheless, investigative and enforcement en-issues? Is the program addressing our principal tities have consistently stated that a compliance pro-risks? How much should we spend? Are we deriv- gram should be judged, at least in part, by how iting maximum value from our efforts? How do we compares to programs of similarly situated organi-evaluate the quality and effectiveness of our pro- zations. The HCCA believes that this document willgram? While this document does not provide defini- help governing bodies, management teams, andtive answers to these questions, it is intended to compliance professionals effectively evaluate com-assist governing bodies, management teams, and pliance programs and serve as a useful tool in thecompliance officers in health care organizations in effort to improve the quality and efficiency of com-evaluating and improving compliance activities. In pliance activities.short, this document is provided by the HCCA as a

While the HCCA initiative is conducted princi-tool to help an organization determine whether thepally as a benefit and service to HCCA members, theresources it devotes to compliance are effectively,work of this initiative will be shared with otherefficiently, and appropriately utilized.interested public and private parties in a sincere

Simply stated, the objective of a compliance pro- effort to promote greater understanding and pro-gram is to create a process for identifying and reduc- gress in the field of health care compliance.* *

ing risk and improving internal controls. Statedanother way, from a legal enforcement standpoint, Introductionan effective compliance program reduces the likeli-

¶52,020 Introductionhood that an organization will be found to haverecklessly disregarded or deliberately violated the We live and operate in an era of risk. Nowherelaw. The aim of this document is to be a fluid guide is this truer than in the health care industry. Whileto common indicators and recommended best prac- we have decades of experience in the developmenttices for compliance programs, not a collection of of programs to address risks associated with patientrigid standards. In rare instances the HCCA has care, infectious diseases, workplace injuries, and nat-taken the position that a particular action or practice ural disasters, most health care organizations haveis an essential component of an effective compliance only recently recognized the seriousness of the risk

* Source: 2003 Health Care Compliance Association. * This chapter was updated in May 2007 by John Falcetano,MA, CHC, CIA, Chief Audit and Compliance Officer for Uni-versity Health Systems of California.

posed by noncompliance with the complex laws that • The structural component includes the basicframework necessary to build and operate angovern business practices in health care, like theeffective compliance program. The structuralFalse Claims Act (FCA), fraud and abuse, tax andcomponent includes those elements articulatedantitrust laws. In addition, reimbursement has nowby the Office of the Inspector General (OIG) asbeen tied to the quality of patient care provided.necessary elements of a compliance program.State agencies are citing governing bodies for notThese elements would typically be included inensuring the organization is providing patient careany compliance program, regardless of the sub-in a safe environment. Many organizations have im-stantive legal or regulatory issues the organiza-plemented compliance programs to address thesetion is trying to address. Generally, a programrisks and to answer new challenges like those posedwould include standards (policies and proce-by the Health Insurance Portability and Accountabil-dures), high-level oversight, reporting, em-ity Act (HIPAA). Highly publicized failures of cor-ployee screening, education, auditing/porate governance have raised questions regardingmonitoring, enforcement, and prevention.the role of governing bodies and increased the em-

phasis on promoting and enhancing board • The substantive component relates to the spe-oversight. cific body of substantive law (Medicare, Medi-

caid, antikickback, Stark, insurance, ERISA, tax,Compliance programs play an important role inantitrust, environmental, privacy, etc.) withhelping health care organizations fulfill their obliga-which the organization is attempting to comply.tions to public and private payers, shareholders orOrganizations frequently develop policies andbondholders, and the community at large. Healtheducation programs that explain to affected em-care organizations have recognized that such pro-ployees the obligations that the law imposesgrams are important because the regulatory environ-upon them in the performance of their particu-ment in which we operate is exceedingly complex,lar job function. For example, if the Medicareand we have a fundamental obligation to our pa-program requires patient care providers to doc-tients and the public to ensure that our participationument patient care and treatment, an organiza-in government and private reimbursement systemstion would seek to ensure that its patient careand the operation of our health care organization isstaff understands the documentation require-consistent with applicable laws and regulations.ments. Similarly, where services must be pro-vided by properly licensed and approved¶52,030 What is a Compliance Program?providers, care would be taken to ensure that

In its simplest terms, a compliance program is a providers are properly qualified and enrolled.systematic process aimed at ensuring that the organ- Also, health plans comply with laws governingization and its employees (and perhaps business mandated benefits, appeals and grievance pro-partners) comply with applicable laws, regulations, cedures, and timely claims payment.and standards. In the context of health care, it usu-

A compliance program is much more than aally includes a comprehensive strategy to ensure thepolicy communicating the organization’s intent tosubmission of consistently accurate claims to federal,comply with the applicable laws. In order to bestate, and commercial payers. It frequently includes effective, the compliance program must be designedan effort to adhere to other applicable laws and in a manner which

regulations relating to the delivery of health care• Addresses the organization’s business activitiesproducts and services. Some programs go beyond

and consequent risks;these areas and address antitrust, environmental,tax, and other laws, as well. However, the principal • Educates those persons whose jobs could have afocus of most compliance programs is on health care material impact on those risks;specific laws.

• Includes auditing and reporting functions de-In a general sense, a compliance program has signed to measure the organization’s actual

two basic components—structural and substantive. compliance and the effectiveness of the pro-

©2010 CCH. All Rights Reserved.

gram, and to identify problems as quickly and 3. Trustworthy Individuals: “The organizationas efficiently as possible; must have used due care not to delegate sub-

stantial discretionary authority to individuals• Provides a method for employees and others towhom the organization knew, or should havereport potential violations;known through the exercise of due diligence,

• Provides for the prompt remediation of had a propensity to engage in illegal activi-problems which are identified; and ties.” Comment 3.(k)(3).

• Contains enforcement and discipline compo- 4. Education: “The organization must have takennents that ensure that employees take seriously steps to communicate effectively its standardstheir compliance responsibilities. and procedures to all employees and other

agents, by requiring participation in trainingCreating an effective compliance program re-programs or by disseminating publicationsquires the commitment of the organization to com-that explain in a practical manner what is re-ply with applicable laws. That commitment must bequired.” Comment 3.(k)(4).at all levels of the organization from the frontline

employee to the governing body. It also requires a 5. Monitoring and Auditing: “The organizationsystematic effort (scaled to the size, resources, and must have taken reasonable steps to achievecomplexity of the organization) to understand its compliance with the standards, by utilizingprincipal legal obligations and risks, and to make monitoring and auditing systems reasonablyemployees aware of how the relevant laws and risks designed to detect criminal conduct by its em-impact the performance of their job functions. In ployees and other agents and by having inaddition, employees will be made aware of their place and publicizing a reporting systemobligation to be an active participant in the organiza- whereby employees and other agents couldtion’s compliance effort. report criminal conduct by others within the

organization without fear of retribution.”¶52,040 Compliance Program Foundation Comment 3.(k)(5).In its various guidance documents, the OIG has 6. Enforcement and Discipline: “The standards

spoken authoritatively on the basic elements of an must have been consistently enforced througheffective compliance program. The federal Sentenc- appropriate disciplinary mechanisms, includ-ing Guidelines have defined an effective compliance ing, as appropriate, discipline of individualsprogram as “a program that has been reasonably responsible for the failure to detect an offense.designed, implemented, and enforced so that it gen- Adequate discipline of individuals responsibleerally will be effective in preventing and detecting for an offense is a necessary component ofcriminal conduct.” Clearly, this requires more than enforcement; however, the form of disciplinejust policy statements reminding employees of their that will be appropriate will be case specific.”obligation to obey the law. In fact, the Sentencing Comment 3.(k)(6).Guidelines discuss seven elements of a compliance

7. Response and Prevention: “After an offense hasprogram.been detected, the organization must have

1. Compliance Standards: “The organization must taken all reasonable steps to respond appropri-have established compliance standards and ately to the offense and to prevent further simi-procedures to be followed by its employees lar offenses—including any necessaryand other agents that are reasonably capable of modifications to its program to prevent andreducing the prospect of criminal conduct.” detect violations of law.” Comment 3.(k)(7).Comment 3.(k)(1).

¶52,050 Evaluation and Measurement2. High Level Responsibility: “Specific individual(s) within high level personnel of the organiza- In recent years, compliance professionals,tion must have been assigned overall responsi- boards, and executive leadership of organizationsbility to oversee compliance with such that have implemented compliance programs, andstandards and procedures.” Comment 3.(k)(2). enforcement officials who have an interest in compli-

ance effectiveness have all wrestled with how to adopted (APCs, RUGs, Home Health PPS, Medicareevaluate an organization’s compliance efforts. Due Advantage), new rules will be adopted (Stark), andto the relative infancy of such programs, there is new laws will be enacted (HIPAA). Each of thesescant data of measurable and objective criteria on events may temporarily slow our improvement.which to build an evaluation process. Similarly, efforts will not always be perfect. An issue

may be overlooked, an employee may ignore theAs a practical matter, and in order to create a rules, or systems may temporarily fail us. In thesestarting point for efforts to improve the quality and instances we must show that we have movedefficiency of compliance programs, we believe that a promptly to address an issue missed in the past,compliance program can be evaluated by analyzing appropriately disciplined the individual who disre-two dimensions: effort and outcomes. garded the rules, and corrected the mistakes causedEffort is the time, money, resources, and com- by human error or system failure.

mitment that an organization puts into building and However, a compliance program that cannotimproving a compliance program. While effort by demonstrate improvement in mitigating risk areasitself will not guarantee compliance, it is unlikely cannot be deemed effective. Many providers are be-that outcomes will improve if the organization de- ginning to develop measurement tools to objectivelyvotes inadequate time and resources to the task. evaluate compliance programs. This document re-Particularly in the first several years of a program, flects some of the benchmarks or indicators that areeffort is one measure of effectiveness that an organi- in use, and the HCCA will continue to gather andzation can use to assess its compliance program. share these tools with the health care industry. InHow do the resources devoted to the program com- doing so, it is our goal to improve the quality andpare to similarly situated organizations (size and efficiency of compliance programs in the organiza-complexity)? Are we addressing the issues that cre- tions we are honored to serve.ate the greatest risk for similar organizations en-gaged in similar activities? Are we promptly ¶52,060 Scalabilityrefunding overpayments? Have we addressed the

Provider groups and representatives are under-issues that the OIG has identified in its guidancestandably concerned about the time and effort re-documents?quired to implement, maintain, and improve a

Outcomes are the impact that our efforts have compliance program. In many segments of healthon our level of compliance. As the compliance pro- care, margins are razor thin, if they exist at all.gram matures, the principal measure of effectiveness Providers are struggling with new government man-moves from effort to outcomes. If our processes are dates, declining reimbursement, increasing numbersappropriate, patients admitted for care in a hospital of uninsured, professional shortages, and technologysetting would meet admission criteria. If our educa- challenges. While resources may be limited, the costtion efforts are adequate, coding will improve over of investigating and reprocessing claim denials ortime. If our screening is consistent, we would not litigation in defense of an organization can be signif-discover that we have employed or contracted with icantly reduced with an effective compliance pro-an excluded individual. If our processes are ade- gram where everyone does the right thing the firstquate we will have fewer instances where employees time. The resources that an organization can devotefail to receive required training. Our claim denial to a compliance program are directly linked to bothrates will decline, the number of payments to physi- its size and its margins.cians without an appropriate contract should be While many of the specific activities discussedeliminated, and we will consistently have documen- in this document—and even in the federal guidancetation that supports the claims we have submitted. documents noted above—are relevant to most orga-

Obviously, progress will not always be linear. nizations, we recognize some activities will not workStaff turnover or personnel shortages will occur, in all organizations. For example, comment 3(k)(5)something will fall through the cracks, the rules will suggests that organizations must have reporting sys-change, new reimbursement methodologies will be tems which employees and other agents may utilize


“ . . . without fear of retribution.” The OIG suggests, believes that it is the compliance officer’s job toand many organizations utilize, hotlines (staffed ei- oversee the development and/or implementation ofther internally or externally) designed to preserve the compliance program, to monitor adherence tothe anonymity of callers. As a practical matter, ano- the program, and to assess the impact of the pro-nymity is difficult, if not impossible, in the context of gram on the organization’s compliance (outcomes).a small physician practice, which employs only a These duties would include the program structure,handful of people. Even if the caller did not identify content, education programs, monitoring processes,himself or herself, it is unlikely that the members of and other pieces of the program working with thosethe clinic would not be able to identify the source of in operations in the organization and appropriatethe call. However, while anonymity may be a good resources (e.g., legal, human resources, procurement,idea in many contexts, the important element is that billing, coding, reimbursement, and accounts paya-the clinic has a process in place, which encourages ble) within and/or outside the organization. In anemployees to articulate their concerns (e.g., through era of resource constraints, it is also the compliancea suggestion/question box). In addition to expres- officer’s job to ensure that the program developed issing a potential compliance concern, employees as efficient as possible.should have a method to ask questions. The clinic The role of management is to ensure that theshould also have a mechanism to reasonably evalu- compliance officer is provided adequate resourcesate and address the concerns, and a culture that (taking into consideration the organizations size,ensures employees do not suffer retaliation as a re- risk, and resources) and to ensure that the program,sult of participating in the process. once developed, is effectively implemented. Funda-

mentally, it is management’s job to ensure that theIn short, with rare exceptions, the componentsprogram developed by the compliance function isof an effective compliance program described in thisproperly implemented.document can be altered if they are not relevant to

the organization, or if they are impractical given the The role of the board is to ensure that the organ-organization’s size and structure. This document fre- ization has implemented a compliance program thatquently suggests multiple alternatives for achieving is reasonably calculated to be effective. One purposea specific objective. Finally, this is the HCCA’s initial of this document is to help the board (and manage-effort in this regard, but certainly not the last. Ac- ment) understand the components of an effectivecordingly, this reference should be used as a “living compliance program, and enable the board to moredocument”—one that will evolve over time with intelligently and efficiently fulfill its responsibility.advances made and lessons learned in the compli-ance profession. This document has been formally ¶52,065 Indicator #1—Policies and Proceduresissued by the HCCA only after the HCCA Board,

RationaleHCCA members, other interested persons and orga-nizations, and the government had a meaningful In order to effectively operate a compliance pro-opportunity to review the document, provide com- gram, an organization must generally develop writ-ments and feedback, and participate in collaborative ten standards, policies, and procedures designed todiscussions about how to make the document more address its principal risks. These written standardsuseful. We fully expect that the quality and utility of communicate organizational values and expecta-this document will improve as we continue to gather tions regarding employee behavior, explain the op-information and comments from our members and eration of the compliance program, clarify andother interested persons, review our practices, mea- establish internal standards for compliance withsure our programs, and improve our understanding laws and regulations, and help employees under-of the laws, our organizations, and our profession. stand the consequences of noncompliance to both

the organization and the individual.Questions are frequently raised regarding therespective roles of the compliance officer, manage- Health care law and regulations are very com-ment, and the board of directors (or relevant board plex. Providers and other health care organizationscommittee) in the compliance process. The HCCA must comply with thousands of pages of laws, rules,

manual provisions, and other requirements that are Substantive policies address the principal legalrisks of the organization. As noted above, the vol-specific to health care alone. Most health care organi-ume of laws applicable to health care organizationszations must also comply with the same tax, anti-is immense, and precludes policies on every issue.trust, employment, environmental, and other lawsConsequently, most health care organization policiesthat apply to business organizations, generally.are focused on addressing applicable risk areas that

Meeting this obligation is most effectively ac- have already been identified in the context of OIGcomplished in organizations that have developed guidance, fraud alerts, OIG work plans, or frequentpolicies designed to guide employee conduct. These enforcement actions. Organizations may also de-policies will distill relevant laws and regulations into velop policies in response to specific issues identi-clear, understandable direction for employees. They fied in the course of the organization’s own audits,will help focus the employee’s attention on the prin- investigations, or other reviews and assessments.cipal compliance pitfalls or risks the organizationfaces. Implementation

Relevant Issues Policies and Procedures

1. The organization develops policies and proce-Building an effective compliance program doesdures designed to address its principal busi-not require the development of hundreds or evenness risks.dozens of policies and procedures. However, most

compliance programs include policies and proce- • The organization has evaluated its principaldures that fall into three broad categories: (1) a code risks.of conduct; (2) policies relating to the operation of

• The organization’s policies address issuesthe compliance program; and (3) policies addressingidentified in guidance documents (e.g., OIGthe organization’s principal legal (substantive) risks.guidance, fraud alerts) or enforcement ac-

The code of conduct is typically a document tions by the OIG and other governmentthat sets forth in general terms the organization’s agencies whose legal requirements are ap-commitment to comply with the law. It varies from plicable to the organization.one or two to more than 30 pages in length. It

• The organization’s policies address previ-frequently includes statements or guidelines ad-ously identified serious weaknesses in itsdressing the organization’s principal legal risks, ex-practices.pectations relating to employee conduct,

2. The organization develops policies that de-information regarding the organization’s compliancescribe how the organization’s compliance pro-program, and instructions on how an employee cangram operates and the consequences ofaccess the organization’s reporting mechanisms (seenoncompliance.Indicator # 3). It may outline fundamental expecta-

tions regarding employee behavior applicable to all • The organization has developed and distrib-employees. It is typically distributed to all employ- uted a code of conduct or similar documentees upon commencement of employment. to all employees.

Operational policies and procedures address the • The organization has communicated alter-operation of the compliance program itself. Policies native complaint mechanisms to employees.may address issues such as the compliance reporting

• The organization has a process in place tostructure in the organization, compliance educationpromptly address and rectify employeerequirements, the operation of the hotline or othernoncompliance.complaint mechanisms, how the organization will

investigate complaints or problems, and how the 3. The organization ensures that relevant employ-organization will institute remediation efforts when ees and agents are promptly oriented to appli-issues are identified. cable new and revised policies and procedures.


• The organization ensures prompt orienta- • Do policies and procedures exist for relevanttion to applicable policies for new topics and areas?employees. • Has a risk assessment been completed to

identify the relevant risk areas?• The organization ensures prompt distribu-tion of revised policies to existing • Are the policies comprehensive?employees. • Are policies understandable and capable of

4. The organization’s policies and procedures are being fully applied?periodically reviewed and are updated to re- • Have the requirements of the policies andflect changes in laws, regulations, or processes. procedures been communicated to

employees?5. The organization monitors adherence to itspolicies and procedures (see Indicator #4). • Have any audits been conducted to monitor

compliance with the policies and• The organization reviews policies and pro-procedures?cedures at regular intervals.

2. Outcome• The organization has a process to monitorsignificant changes in law and modify poli- • Have audits revealed fewer errors in areascies, as appropriate. where policies have been implemented?

• Upon testing, are the internal controls estab-6. The organization appropriately disciplines em-lished by policies working?ployees who do not adhere to the organiza-

tion’s policies or procedures (see Indicator #5). • When interviewing employees during anaudit or review, do they understand what

Role of Compliance Officer, Management, and the policies require?Board

¶52,070 Indicator #2—Ongoing Education and1. Compliance Officer: advises organization on pol-Trainingicies that may be required; oversees develop-

ment, distribution and implementation of Rationalepolicies; ensures that policies accurately and

Internal standards in the form of a code of con-effectively communicate legal and regulatoryduct and compliance policies are useful in initiatingrequirements; periodically reviews policies andthe process of explaining health care laws and regu-initiates needed updates.lations, and establishing processes for compliance

2. Management: provides adequate resources (tak- within an organization. However, to promote under-ing into account the organization’s size, risk, standing of these internal standards and of the re-resources, and scope of the compliance pro- quirements of external laws and regulations, angram); participates in policy development to organization’s compliance program should includeensure that policies will be consistent with op- an active education and training program. An effec-erations and capable of being implemented tive compliance training program will generally pro-and followed; implements policies by con- vide ongoing education and training specificallyforming operations to policy requirements. designed for management employees, nonmanage-

3. Board: may serve as originator or final adopter ment employees, and non-employed business asso-of some written standards, such as the code of ciates. Training will generally be designed to provideconduct (compliance officer will generally de- an overview of compliance program activities andvelop for the board’s approval and adoption); requirements that is appropriate to the audiencemay monitor to ensure that legal risks are (e.g., information needed by management is gener-addressed. ally distinct from that needed by nonmanagement

employees). Specific training is generally also pro-Evaluation and Measurement vided to address legal and regulatory requirements

1. Effort that impact the performance of each significant cate-

gory of job function within the organization (e.g., Implementationphysicians, billing staff, admission staff), and pro-

Common Structural Education Topicsvides information on how to raise questions.• Why the organization is implementing the com-

The existence of an education and training pro- pliance program.gram is an important component of compliance pro- • The organization’s commitment to compliance.grams for a number of reasons, including the

• The necessity of adhering to the organization’sfollowing: policies and procedures as well as applicablelaws and regulations.• To promote understanding of and compliance

with relevant federal, state, and local laws and • The duty of employees to report concerns ormisconduct.regulations.

• A description of the organization’s compliance• To enable implementation of the compliance

program including reporting/complaint mecha-program’s policies and procedures, and to en- nisms, and the organization’s commitment tosure that employees understand their role in the nonretaliation.compliance process.

Substantive Education Components• To demonstrate the organization’s commitment

In health care delivery, context educationto compliance and to ensure that commitment isshould include, a description of key substantivecarried out throughout the organization.laws and regulations that affect the employee’s jobfunction. This education obviously varies for differ-• To communicate the effect that industry stan-ent employee groups, but frequently includes infor-dards and governmental requirements have onmation on such topics (as applicable and by way ofan organization’s business activities and to im-example only) as:prove skills for identifying potential compliance

issues. • admitting/registration requirements medicalnecessity

The overall benefit to an organization from an• documentation requirementsongoing compliance education and training program• charge entry risksis constant reinforcement of an organization’s com-

mitment to compliance, and the expectation that • privacy/confidentiality issueseveryone working for or affiliated with the organiza- • coding requirementstion is an integral part of the compliance effort. In

• coverage and billing rulesaddition, employees develop an understanding of

• HIPAAthe legal and regulatory requirements that most di-• EMTALArectly impact their specific job function.• cost report preparation

Relevant Issues • licensure/qualification requirements

In addition, employees are typically providedEducation and training programs typically in-with information regarding the consequences of vio-clude information regarding how the organization’slations of the various laws (e.g., false claims act(s),compliance program operates (structure), as well asStark, antikickback) that may be imposed on indi-information on specific laws and regulations (e.g.,viduals or organizations. This typically includes dis-reimbursement, coding, prompt payment require-cussion of fines, penalties, exclusion, and otherments, etc.) that impact the organization (substan-remedies that may be imposed on an offending en-tive). Education also frequently includes atity or individual.discussion of the consequences of noncompliance,

(e.g. recoupment, fines, penalties, exclusion) for both Those individuals in the management/adminis-the organization and the individual. trative roles or those involved in negotiating, draft-


ing, or administering arrangements with other training requirements among the organiza-providers or business partners are also frequently tion’s staff; provides necessary accountabilityprovided education regarding laws that may impact measures to support the mandatory nature ofprovider relationships with referral and payment compliance training requirements.sources as well. These may include (as applicable 3. Board: reviews periodic (e.g., annual) reportsand by way of example), antikickback laws, Stark on status of completion of compliance traininglaws, tax laws, and other laws. requirements throughout the organization; pe-

riodically reviews compliance training plan toCompliance training strategies include the en-confirm that necessary training is beingtire range of traditional and emerging education pro-provided.grams. Lectures, videos, interactive CDs or Internet

training, and other self- and group-study methodsEvaluation and Measurementare utilized. These training sessions typically are

part of an ongoing process and repeated on a regular 1. Effortcycle. Training sessions typically occur for both new • Organizational policies require employees toand existing employees with appropriate revisions receive periodic training and education re-to the training content as the rules change or at garding the organization’s complianceregular intervals. The frequency of the training or program.length of the training interval depends on the direct-

-Percentage of employees who receive train-ness of the link between the employees’ jobs anding regarding the organization’s complianceprincipal risks of the organization, the frequency ofprogram promptly following commence-rule changes in the context of the employee’s jobment of employment.functions, and the level of noncompliance in the

particular area to which the education applies. -Percentage of employees in higher riskroles who receive specific, job related educa-Education can be one of the most expensivetion designed to reduce the incidence ofcomponents of a compliance program. In addition,noncompliance in the department or func-development of education and training programstion at intervals established by the provider.can be difficult, as some organizations lack the ex-

• The organization evaluates the roles of itspertise to develop those training programs inter-agents and provides education (or requiresnally. However, for the small organization there arethe agent’s organization to provide educa-a number of resources where education can be ob-tion) if such agents directly impact the or-tained free of charge or at relatively nominal prices.ganization’s compliance.In addition, hospitals and other larger providers are

frequently willing to assist the small physician prac- • The organization can demonstrate it hastices in a community in compliance education ef- evaluated the role of nonemployee agentsforts, a practice encouraged by the OIG in its and contractors and assessed the need tocompliance guidance for hospitals. ensure they are adequately trained.

• The organization has a plan to train thoseRole of Compliance Officer, Management, andnonemployee agents or contractors who areBoarddetermined to need training.1. Compliance Officer: develops training programs

• The content of the education and trainingthat suit the unique needs of the organization,addresses the operation of the complianceensuring that training accurately reflects andprogram and the substantive legal issuescommunicates legal and regulatory require-that most directly impact the organization’sments; develops and implements trackingrisk and the employee’s duties.mechanisms to document attendance at and/

or completion of required training. -The organization has engaged in an assess-2. Management: provides necessary funding to ment of its most significant risks by review-

support compliance training program; enforces ing applicable OIG guidance, fraud alerts,

and work plans, through consultation with ness partners to report suspected wrongdoing, sohealth care counsel or other experts, or by that it can be investigated and properly addressed.some other mechanism (consistent with the An organization’s compliance efforts will be lessorganization’s size and resources) reasona- effective if only a small number of individuals arebly calculated to identify its principal risks. willing to confront impropriety, than if the majority

of employees are empowered to report their con--The organization has a process to monitorcerns. As an organization increases its numbers ofchanges in laws and regulations relating toemployee-watchdogs, it will be better able to iden-its greatest risk areas and modifies educa-tify possible violations early and more immediatelytion content, as appropriate.initiate investigation, determine the materiality of• The organization assesses the effectivenessviolations and, if necessary, implement the appropri-of its education efforts by utilizing tests,ate corrective action. An organization that encour-which evaluate employee comprehensionages open communication will be more effective atand measure impact on job processes, oridentifying risk areas on which to concentrate itssome other mechanism designed to ensureperformance improvement efforts.the training is effective.

To achieve an open environment, employees at-Failure to fulfill compliance education re-every level of the organization must believe thatquirements is grounds for an employee’stheir good-faith report of possible noncompliancediscipline, up to and including termination.will be taken seriously. They must be assured that• The organization consistently ensures thatthe organization will not tolerate retaliation. Theyemployees complete required education andmust be confident that if an investigation confirmstakes appropriate steps where employees doimpropriety, it will be appropriately addressed. Cre-not.ating an environment where open communication2. Outcome about suspected misconduct is encouraged often re-

• The organization has documentation that quires ongoing affirmative efforts by those withtraining and education of employees has leadership responsibility for the complianceoccurred. program.

• The organization and its compliance officerRelevant Issueshave documentation that proves that poli-

cies and procedures and the code of conduct The creation and maintenance of mechanisms tohave been distributed to all applicable em- encourage and facilitate candid communication areployees. Frequently, organizations will have frequently components of an effective compliancea tear out sheet in the back of the code of program. The following issues are generally consid-conduct and will request that individuals ered and addressed in an organization’s compliancesimply sign the form and send it to the program strategy:compliance officer upon receipt of the code

• Creation of an environment in every segment ofof conduct.the organization within which employees feel• There is documentation in employee filesfree to report concerns, questions, and instancesshowing discipline for employees who doof improper conduct without fear of retributionnot complete training, or who do not returnor retaliation.the receipt of the code of conduct.

• Provision of a mechanism for confidential or¶52,075 Indicator #3—Open Lines ofanonymous reporting for employees who areCommunicationuncomfortable reporting concerns to a supervi-sor or to the compliance officer.Rationale

• Tracking, documentation and oversight mecha-Compliance programs operate most effectivelynisms to ensure that reports of suspected non-in organizations that encourage employees and busi-


compliance are fully and timely investigated • Managers and supervisors receive formal com-and addressed. munication on their responsibility to respond

appropriately and honestly when possible• Mechanisms to ensure that management and thewrongdoing is brought to their attention. Theyboard are properly and regularly apprised of,are often trained on how to respond to questionsand can take appropriate action on, issues iden-and concerns and their responsibility to relaytified in investigations that resulted from reportsreports of noncompliance to the complianceof noncompliance.officer.

The clearly articulated expectation of open com-• Generally organizations adopt, publicize, andmunication needs to permeate all levels of the organ-

enforce a no-tolerance policy for retaliation orization. Board members, executive leadership, andretribution against an employee or associatethe compliance officer need to promote the messagewho reports suspected compliance violations orthat they expect everyone to adhere to a “culture ofmisconduct.compliance” and give the assurance that reported

issues and concerns will be acted upon.Establishing Confidential/Anonymous ReportingMechanismsImplementation

Establishing a variety of reporting mechanismsCreating a Culture of Open Communicationcan be an effective way to demonstrate the organiza-

To create a culture of open communication, or- tion’s desire that potential compliance issues be re-ganizations typically address some or all of the fol- ported. Independent, confidential mechanismslowing issues in compliance program literature, outside of more traditional reporting methods (i.e.,organizational policies, training programs, or directly to supervisor, human resources, etc.) mayotherwise: give reluctant employees greater assurance when

• Organizations often require employees and making reports.other associates at all levels of the organization

• Independent mechanisms may include hotlines,to report compliance concerns, significant legal suggestion boxes, employee exit interviews,risk questions, and suspected or actual miscon- emails, and other forums that promote informa-duct, and to allow this reporting requirement to tion exchange.be satisfied by a report to a supervisor, a com-• Reporting mechanisms need to be convenient topliance officer, or through the organization’s

employees and those associated with the organi-confidential reporting mechanism.zation. This may mean having at least one• Organizations with compliance programs com-mechanism that is available at all times.municate and publicize the existence, intent,

process, and mechanisms available for raising • Assurance of confidentiality, except where dis-compliance concerns. closure of identity is required by a legal obliga-

tion to resolve discovered noncompliance may• Communication mechanisms used for clarifica-also be important.tion (both external and internal), questions, or

education can be the same mechanisms as those • Those reporting should be provided with clearused for reporting potential concerns and issues. information about what they may expect after

reporting a suspected compliance issue (i.e.,• Compliance programs typically explain howtimely response, striving to preserve confidenti-employees and those affiliated with the organi-ality, progress reports, if appropriate).zation can expect reported concerns to be

handled.Documentation of Compliance Related Reports

• The compliance officer and compliance depart-ment staff often publicize their availability to Compliance officers will be able to more effi-receive reports of noncompliance from employ- ciently and accurately manage the compliance pro-ees and others affiliated with the organization. gram if they have developed a formalized means to

document and track reported questions and inquiries and reports are investigated and ad-concerns. dressed in a timely manner.

• Establishing a process to document and track Role of Compliance Officer, Management, andreported concerns, including the status of re- Boardlated investigations and corrective action, may

1. Compliance Officer: establishes and maintainsimprove an organization’s efficiency in resolv-reporting mechanisms; manages response toing reports and preventing or correcting ongo-reports, including determining when investi-ing noncompliance.gation may be required; reports regularly to

• Confidential intake forms can be used to record the board and executive leadership on reportsan initial report of a potential compliance issue. and inquiries received; assists in setting a tone

and creating a culture of open communication.• Thorough documentation of corrective actionsimplemented, disciplinary measures imposed, 2. Management: primarily responsible for creatingand any overpayments returned should gener- a culture of open communication by respond-ally be maintained in conjunction with the or- ing appropriately when reports are received;ganization’s tracking mechanisms. works with the compliance officer as needed to

investigate reported concerns; executive lead-• The tracking process may be housed and main-ership and/or compliance committee providestained manually, or may be automated to facili-oversight and receives regular reports ontate referral, trending and reporting.trends or issues identified.

Reporting to Board and Executive Leadership 3. Board: provides oversight and receives regularreports on trends or issues identified; assists inRegularly informing an organization’s boardsetting a tone by mandating a culture that pro-and executive leadership of reported concerns willmotes open communication and assures effec-foster the culture of open communication, and willtive response.allow organizational leaders to respond appropri-

ately to risks or improprieties that are identified Evaluation and Measurementthrough the organization’s reporting mechanisms.

1. Effort• An organization’s executive leadership, compli-

• Do the necessary communication policiesance committee, and board of directors often exist, and have they been implemented andreceive statistical and trending information on maintained?reports or inquiries received through compli-

• Are reporting mechanisms appropriate toance reporting mechanisms. Reports and inquir-the size of the organization (i.e., suggestionies may be categorized by area of concern,boxes in smaller facilities vs. continuouslyseriousness of allegation, and otherwise, to al-available hotlines in larger, more geographi-low organizational leaders to assess whethercally diverse, organizations)? Is the report-trends in use of the reporting mechanisms or ining mechanism available to all levels of theorganizational operation or behavior suggestorganization and to those affiliated with thethat improvements may be required.organization?

• Reports to executive leadership and/or to the• Are reporting mechanisms publicizedboard often include specific reports on areas of

throughout the organization?material legal risk or significant breaches of pol-2. Outcomeicy or misconduct that have been identified, and

the status of necessary corrective action steps. • Is analysis being conducted on reports todetermine whether response is timely and• An aging of reports and inquiries, from date ofthorough?receipt by the compliance office, to date of reso-

lution, may be maintained and reported periodi- • Is there a trending of questions, issuescally to organizational leaders to ensure that raised, or potential misconduct to direct


where the organization should be focusing Relevant Issuesits efforts? Compliance guidance documents often use a

variety of terms when referring to the auditing and• Have employees been surveyed to evaluatemonitoring components of a compliance program.their knowledge of the reportingAn audit is typically a more formal review of compli-mechanism?ance with a particular set of internal (e.g., compli-

• Does evidence show that there is a confi-ance policies) or external (e.g., laws and regulations)dence in the reporting mechanism?standards. Audits are typically conducted by indi-viduals who are independent from the area being¶52,080 Indicator #4—Ongoing Monitoring andaudited—usually compliance department staff orAuditingoutside auditors. Monitoring refers to reviews thatare repeated on a regular basis during the normalRationalecourse of operations. An organization may monitor

Effective compliance programs include proac- its activities as part of a corrective action plan, totive monitoring and auditing functions that are de- ensure that corrections implemented continue to besigned to test and confirm compliance with legal effective. Monitoring may also be initiated when norequirements, and with the organization’s written specific problems have been identified to confirmcompliance standards. These functions serve to test and document ongoing compliance.compliance with internal policies and procedures

Prospective audits occur before billing, allowingand with federal, state, and local laws, regulationsan organization to correct discovered errors beforeand rules. As such, they may assist an organization’ssubmitting the bill. Retrospective audits occur aftercompliance activities by identifying possible miscon-billing, and may require an organization to correctduct or criminal activity.discovered errors by rebilling or self-disclosing to a

Self-evaluation that occurs as a result of a com- payer or to the government. A baseline audit is typi-pliance auditing and monitoring program is often cally the initial audit in a series of identical audits,critical in identifying areas where compliance stan- and as such establishes the baseline against whichdards have not been fully understood or fully imple- progress measured by future audits is compared. Amented. An effective monitoring and auditing risk assessment is typically a broad- based audit thatprogram may allow an organization to correct any may be used to identify opportunities for improve-oversight or resulting noncompliance before it cre- ment either before development of the complianceates significant risk to the organization. program or work plan or periodically, thereafter.

The auditing and monitoring function of the Critical issues to consider in developing an au-compliance program can also be used to test the diting and monitoring program include:completion and effectiveness of functions at the • Comprehensive programs typically include aheart of the compliance program, such as compli- variety of both auditing and monitoringance training programs, employee and vendor functions.screening, or whether disciplinary action is occur-

• Properly trained and independent audit re-ring and is appropriate. This function also providessources are key to a successful compliance audita unique opportunity for a compliance program toprogram. Will the organization use internal ormeasure and benchmark its own effectiveness. Com-external resources? Does the organization havepliance audits are typically structured to test compli-existing internal resources with necessary exper-ance in a finite cross section or functional area of thetise and independence from the areas to be au-organization. It is, therefore, generally possible todited? At what level will the organizationrepeat the same audit periodically, and thereby tosupport budget allocation for a compliance au-measure not only the organization’s current level ofdit program?compliance, but also its progress in attaining higher

levels of compliance as the compliance program • Compliance auditors must be given authority tomatures. conduct audits and access to documents and

other information needed to complete the audit • The auditing and monitoring plan may includeprocess. review of compliance with substantive internal

(e.g., compliance policies) and external (e.g., an• The most effective compliance audit programs intermediary’s local medical review policies)

review operations in areas where the organiza- standards, and of operational components of thetion is at risk. The results of past internal re- compliance program (e.g., the OIG databaseviews may help identify what risk areas an screening process).organization should focus on, or which areas

• The methods used for each monitoring and au-may no longer require the same amount of at-diting activity should be documented, so thattention. Patient/member satisfaction surveysauditing and monitoring functions can be re-can quickly point to risk areas, as can patient/peated in the future, if that becomes necessary.member complaint logs, payment denial logs,

and other indicators. An organization should Conducting Auditing and Monitoring Activitiesalso review its compliance plan within the con-

• To the extent practicable, an organization’s com-text of recent government issuances, such as thepliance audit activities should be conducted byOIG’s annual work plan, fraud alerts, bulletins,audit personnel who have expertise in the areasand other guidance documents.being audited, and who are independent fromthe activities being reviewed.Implementation

• Monitoring activities may be conducted by in-Developing an Auditing and Monitoring Plan dependent audit staff or by operational staff

responsible for compliance in the area that isOrganizations typically develop an auditing being audited.

and monitoring plan, setting out the areas that will• Findings from auditing and monitoring activi-be the focus of auditing or monitoring activity for a

ties should be reported, as appropriate, to thegiven period of time, such as a calendar or fiscalcompliance officer, to the organization’s man-year.agement, and to the board.

• An organizations’ monitoring and auditingThe Method of Reviewplans are often constructed based upon a review

of risk areas that are generic to all health care Organizations may collect information using aorganizations, in addition to those risk areas variety of methods to increase their ability to iden-specific to the organization itself. tify improper procedures or activities. Methods of

review that organizations might use include:• Past organizational performance, patient com-• Site visitsplaints or satisfaction surveys, and guidance

from the OIG (e.g., work plans and fraud alerts) • Interviews of personnel in areas such as man-are examples of resources that an organization agement, operations, coding, claim develop-uses to identify issues for audit. ment and submission, patient care, and other

activities• Consideration of the organization’s audit• Questionnaires given to a cross-section ofbudget and audit staff resources are critical to

employeesdeveloping a workable auditing and monitoringplan. • Reviews of records and source documents, such

as medical and financial records that support• Issues that have previously been discovered andclaims for reimbursement and Medicare costcorrected by the compliance program shouldreportsgenerally be included in the organization’s mon-

itoring and/or auditing plan, especially in peri- • Reviews of written materials and documenta-ods immediately after they were discovered and tion prepared by departments not included incorrected. the current review or audit


• Trend analyses or longitudinal studies that iden- compliance officer to implement corrective ac-tify deviations, positive or negative, in specific tion as required by adverse audit findings.areas over a given period of time 3. Board: is accessible to receive reports of severe

adverse audit findings from the complianceAddressing Adverse Findings officer; periodically reviews summary reports• When auditing or monitoring activities identify of audit findings; ensures that compliance of-

opportunities for improvement or compliance ficer has adequate resources to conduct an ade-failures, it is often appropriate and/or necessary quate auditing and monitoring program.to take corrective action to address the findings.

Evaluation and MeasurementWhen corrective action is taken, follow-up au-diting and/or monitoring should be conducted 1. Effortto confirm the effectiveness of the corrective • Is the organization conducting a regular au-action. diting and monitoring program consistent

• Findings of significant noncompliance are gen- with the size, complexity, and scope of itserally promptly reported to the organization’s business operations?internal management and the board of directors. • To the extent possible, are audit staff respon-

sible for conducting compliance audits inde-• Organizations promptly evaluate (usually inpendent from the areas of the organizationconsultation with legal counsel) whether there isthat they are auditing?an obligation to report the existence of miscon-

duct that may violate criminal, civil, or adminis- • Does the organization have a written com-trative law to the appropriate governmental pliance auditing and monitoring plan thatauthority within a reasonable time after discov- includes subject, method, and frequency ofery. (In some instances, violations may be so audits?serious, as to warrant immediate notification to

• If any major findings were made, was seniorgovernmental authorities prior to, or simultane-management and/or the board notified asous with, commencing an internalappropriate in a timely manner?investigation.)

• When appropriate, have government agen-• Not all instances of errors necessitate the initia- cies been notified of adverse findings in a

tion of a formal disclosure process. For example, timely manner?clerical or inadvertent billing errors with no ap-

• Have written corrective action plans beenparent pattern are different from intentionalproduced and followed when adverse find-“upcoding” or deliberate overbilling.ings were made?

Role of Compliance Officer, Management, and the • Are overpayments promptly refunded?Board

• Are audit plans built on organizational1. Compliance Officer: establishes auditing and history?

monitoring plan; oversees compliance audit• Have audit results been disseminated to the

functions; continuously reviews organizational appropriate groups for corrective actions?risk areas to identify necessary auditing and

2. Outcomemonitoring activities; assists management withformulation of corrective action plans and • Do the results of audits indicate that theoversees and/or verifies implementation of organization understands and is complyingcorrective action. with internal and external laws, regulations,

rules, and policies?2. Management: works cooperatively with compli-ance officer to facilitate compliance audit activ- • Does analysis of the results of repeat auditsity; conducts or oversees monitoring activities indicate an upward trend of improvement inof operations in manager areas; works with the organization’s understanding of and

compliance with internal and external status—are accountable for compliance, are sub-standards? ject to the same disciplinary standards, and are

expected to fully participate in the compliance¶52,085 Indicator #5—Enforcement and Discipline effort. One important element of full participa-

tion that should be emphasized is that reportingRationale potential compliance failures is a duty of all

employees and business partners.There are significant risks when health care or-ganizations fail to meet the requirements and legiti- • Enforcement of standards generally requires es-mate expectations of their stakeholders. Compliance tablishing an effective working relationship be-programs play a key role in helping organizations to tween the compliance program and thefulfill this obligation in the legal, regulatory and functional areas of the organization that havepolicy arenas. In so doing, an effective compliance primary responsibility for administeringprogram can assist an organization in earning and discipline.maintaining public trust. • Effective enforcement and discipline requires an

investigative process capable of substantiatingThe effectiveness of an organization’s compli-alleged compliance failures (see Indicator #6).ance effort is generally tied directly to its ability to

affect the conduct of each individual in or associated • Oversight by an organization’s compliance com-with the organization. In many instances the compli- mittee or another appropriate body may bolsterance program’s success will be achieved one individ- effectiveness by enhancing the organization’sual at a time. Building and maintaining meaningful ability to demonstrate that discipline is propor-structures of accountability is critical to this effort. tionate, and is administered fairly andWhen compliance failures occur, there must be a consistently.process for enforcing compliance standards and for

Implementationdisciplining responsible individuals, when disciplineis appropriate. Enforcing standards and disciplining

Screening Employees and Business Partnersthe individuals who violate them underscores theEffective compliance programs include a pro-organization’s commitment to compliance.

cess for avoiding relationships with individuals orRelevant Issues entities that have a tendency toward inappropriate

conduct. This process generally includes some or all• There are a number of relevant issues to con-of the following:sider when building enforcement mechanisms

• Review of OIG’s list of individuals and entitiesand disciplinary procedures. To assist in en-that are excluded from participation in govern-forcement of standards, effective compliancement health care programs, and of the Generalprograms generally include a process for identi-Service Administration’s (GSA) list of individu-fying individuals and organizations whoseals and entities that are excluded from partici-background indicates a tendency toward im-pating in government contracts.proper conduct. Effective organizations gener-

ally avoid employing or contracting with such • Criminal record checks, when appropriate or asindividuals or entities. required by state law.

• A communication strategy that results in clear • Standard reference checks.communication of enforcement and disciplinary • Review of the National Practitioner Databank.standards throughout the organization will bol-ster the effectiveness of a compliance program. Tying Compliance Standards to Existing

Disciplinary Processes• Communicating a commitment to compliance ismost credible when this commitment clearly Because discipline is generally carried out by, orstates that all individuals involved in the work in accordance with, standards developed by otherof the organization—regardless of position or functional areas within the organization, compliance


standards are typically tied to existing disciplinary Role of the Compliance Officer, Management, andprocesses. the Board

1. Compliance Officer: assists organization in de-• Compliance program documents and an organi-veloping appropriate standards for disciplinezation’s disciplinary policy for employees gen-and enforcement, and in tying complianceerally cross-reference each other to facilitatestandards to functional areas within the organ-progressive discipline of employees pursuant toization that are responsible for administeringexisting human resources policy and procedure.discipline; establishes and implements a com-

• Medical staff bylaws, credentialing/privileging munication strategy to ensure that enforcementprograms, and vendor contracts are often writ- and discipline standards are understoodten or amended to require compliance with an throughout the organization; maintains recordsorganization’s compliance standards, and to fa- of discipline resulting from compliance viola-cilitate temporary or permanent removal from tions and reports periodically to the compli-an organization’s medical staff upon violation of ance committee and/or other oversight body.compliance standards.

2. Management: assists compliance officer in com-• Medical staff bylaws, credentialing/privileging municating standards for enforcement and dis-

programs vendor contracts, and the organiza- cipline throughout the organization; workstion’s policies allow an organization to immedi- with compliance officer to ensure that con-ately terminate any medical staff member, tracts, policies and procedures, and other con-vendor, or employee who is excluded by either trolling documents include appropriate ties tothe OIG or GSA. Generally, these same docu- compliance standards so that the organizationments require any individual or organization will be able to take appropriate disciplinarythat is excluded on the OIG or GSA lists to action when needed; generally responsible forimmediately notify the organization of the carrying out discipline of employees andexclusion. others within their area of responsibility.

3. Board: may periodically review aggregate dataCommunication of Enforcement and Disciplinaryon enforcement and discipline to verify thatStandardscompliance standards are being followed

The compliance program includes processes for within the organization.communicating enforcement and disciplinary stan-

Evaluation and Measurementdards to employees and business partners.1. Effort• An expectation that all employees and business

• Does the organization have policies and pro-partners will report suspected unlawful activi-cedures addressing enforcement of compli-ties or compliance violations is generally com-ance standards and discipline of individualsmunicated throughout the organization.who violate them?

• Employees and business partners are informed• Does the organization screen employees andthat violation of compliance standards may re-

business partners before initiating a relation-sult in appropriate discipline, up to and includ-ship and periodically, thereafter, to ensureing termination, of employment, medical staff,that they have not been excluded by theor contract relationship with the organization.OIG or GSA?

Oversight of Compliance Discipline • Are enforcement and disciplinary standardscommunicated throughout the organiza-• Records of discipline for compliance violationstion? Is compliance an element of perform-are generally maintained and reviewed periodi-ance reviews and incentive compensationcally by the organization’s compliance commit-decisions?tee or other appropriate oversight body to

promote consistency and fairness. 2. Outcome

• Percentage of success in meeting the report- and thorough response to discovered impropri-ing requirements of corporate integrity ety may be the most accurate barometer of theagreements (CIAs). organization’s compliance culture.

• Percentage of success in meeting audit Implementationrecommendations.

The following practices related to response and• Does a review of disciplinary actions taken prevention of noncompliance are often found in ef-

as a result of compliance failures indicate fective compliance programs:that discipline is consistently and fairly

1. An investigation protocol outlining how the organi-administered?zation will respond to reported, suspected, or con-

• Percentage of employees who satisfy the firmed noncompliance. The term “investigation”compliance elements of their performance is often used as shorthand to describe the vari-reviews and incentive compensation ous responses an organization might take todecisions. address known or suspected misconduct. De-

pending on the circumstances involved in the¶52,090 Indicator #6—Investigation, Response andsuspected misconduct, an investigation may bePreventionmerely an informal inquiry, or it may involvemore formal steps like a detailed audit ofRationaleclaims. As part of its compliance efforts, anWhile compliance programs are intended toorganization should consider establishing andpromote adherence to applicable substantive lawsoperating according to written protocols orand regulations, situations may still arise where con-policies for conducting investigations. Suchduct inconsistent with legal requirements is re-protocols or policies may address some or allported, suspected or even confirmed. An effectiveof the following:compliance program will include a process by which• Who in the organization is responsible forthe organization can respond to these actual or po-

and authorized to determine (1) whether thetential violations.suspected noncompliance and related cir-

Relevant Issues cumstances warrant an investigation, and(2) what form the investigation will take.When an instance of potential noncompliance is

• A system of checks and balances to ensurereported or suspected, an effective compliance pro-that decisions to abstain from initiating agram will generally take some or all of the followingformal investigation are reviewed by othersteps:objective individuals.• Promptly halt the noncompliance and halt or

• The role and/or qualifications of those whomitigate to the extent possible any ongoingmay be involved in conducting an investiga-harm caused by the suspected noncompliance.tion, including:• Fairly and expediently investigate to determine-Requirements for requisite experience and/the existence, scope, and seriousness of the non-or substantive knowledge level, andcompliance, and to identify the underlying con-

duct or process that caused the noncompliance. -Requirements for assuring the objectivity ofinvestigators and avoiding conflicts.• Respond with appropriate corrective action to

confirmed noncompliance. Implement prevent- • Guidelines or policies for determining whenative measures to avoid similar instances of mis- legal counsel or external experts should beconduct in the future. involved in an investigation.

• This document outlines a number of proactive • A requirement that investigations be con-measures that an organization can take to pro- ducted in a timely fashion, and a process formote and facilitate compliance with laws and accountability and oversight to ensure thatregulations. However, an organization’s timely this requirement is met.


• A process for tracking progress on and the broad categories of corrective action. These protocolsstatus of an investigation. may include a process to enable independent verifi-

cation that necessary corrective actions have been• Proper safeguards for preventing the inap-completed, and a requirement that all corrective ac-propriate or inadvertent disclosure of confi-tion taken must be appropriately documented.dential information that is obtained in or is

part of the investigation. 3. Responding to discovered noncompliance with pre-ventative measures and monitoring. After deter-• Processes for securely maintaining evidencemining the causes of discoveredobtained in an investigation.noncompliance, measures should be devel-• Requirements for documentation that inter-oped and implemented to prevent future re-nal investigators must maintain, which gen-currences, and appropriate monitoringerally should include a description of theinstituted to ensure that preventative measuresissue(s) investigated, the source of the alle-are operating effectively. Preventative mea-gation( s), a summary of evidence consid-sures may include some or all of the following:ered, and the final disposition of the• Identification and repair of any internal con-investigation.

trol or management deficiencies that may• Record retention requirements for investiga-have caused or contributed to thetive reports and files. (Reports summarizingnoncompliance;the investigation’s findings along with the

underlying evidence relied upon to reach • Additional education in those departmentsinvestigative conclusions should be gov- that contributed to the deficiency;erned by the organization’s document reten- • Identification of and appropriate response totion policies.) any deficiencies in competency or qualifica-

• Clear delineation of who has the authority tions that may have contributed to theto close an internal investigation. noncompliance;

• The organization’s processes for reporting • Development and/or modification of poli-findings of investigations to appropriate cies, procedures or systems to address theoversight or governing bodies. deficiencies involved in the noncompliance;

and2. Responding to discovered noncompliance with ap-propriate corrective actions. Appropriate re- • Identification and repair of similar deficien-sponse to discovered noncompliance might cies that may be causing risk of similar non-require an organization to take affirmative compliance in other areas of thesteps to address the noncompliance and to cor- organization.rect any harm that may have been caused by

In addition to any other preventative measures,the noncompliance. Corrective actions stepsan effective response to identified noncompliancethat are frequently used in health care organi-will include appropriate monitoring of ongoing ac-zations include any or all of the following:tivities to assure that preventative measures have

• Discipline or termination of employees or effectively eliminated recurrence of the noncompli-agents who intentionally or recklessly ance. This monitoring may be incorporated into thecaused the noncompliance (see Indicator organization’s auditing and monitoring program#5); (see Indicator #4), or may be addressed separately.

• Repayment of identified overpayments; and Generally, the compliance officer or his or her desig-nee will be directly involved in monitoring for com-• Self-reporting of the noncompliance to lawpliance during the months immediately followingenforcement or regulatory officials.implementation of preventative measures.In developing a compliance program, an organi-

zation may want to develop written protocols that 4. Reporting investigation findings and outcomes toset out specific steps to be followed in each of these appropriate oversight bodies. Findings of investi-

gations and outcomes of corrective action and subject to the attorney-client privilege, and investi-prevention plans should be regularly reported gative work conducted at the direction of counselto appropriate managerial and governing bod- may be protected by the attorney-work-producties. Compliance programs generally include privilege. These privileges should not be used by theone or more of the following reporting organization to avoid taking necessary corrective ac-protocols: tion steps. However, they may prove valuable in

ensuring that resolution of discovered problems is• Regular reports to a compliance committeeequitable and just.composed of individuals from upper man-

agement on the status and progress of ongo- 6. Appropriate response to government inquiries anding investigations; investigations. Effective compliance requires

that an organization respond in a lawful and• Regular reporting to key members of upperappropriate manner upon learning of a gov-management (e.g., CEO, CFO) who are noternment investigation of the organization’s ac-members of the compliance committee ontivities. Appropriate response to governmentthe status and progress of ongoinginvestigations requires:investigations;• Preserving (i.e., preventing alteration or de-• Tracking and reporting to appropriate man-

struction of) any written or electronic mater-agerial and/or governing bodies on theials that are or could reasonably be knownamount of time that elapses between theto be the subject of a governmentopening and closing of an investigation;investigation;• Periodic reporting to the board of directors

or to a designated committee of the board • Notification of organizational leaders when(e.g., the Audit Committee), of the status a government inquiry is initiated; andand progress of ongoing investigations that • Appropriate response by employees whoinvolve serious violations of law or signifi- are contacted directly by government inves-cant risk to the organization. tigators. (Employees should be advised that

The minutes of all governing or managerial they may speak with investigators, but arebodies receiving reports on the findings, status, and generally not obligated by law to do so; thatoutcomes of compliance investigations should ap- they may be entitled to have an attorneypropriately reflect oversight of the compliance pro- present, if they do speak with investigators;gram’s investigative activity. and that the organization is willing to work

with investigators and the employee to5. Involving legal counsel in response and prevention.schedule an interview at an appropriateThe purpose of a compliance program is totime. The organization should never directprevent violations of law and to ensure that ifemployees not to speak with governmentinadvertent violations occur, the organizationinvestigators.)responds appropriately. Competent legal coun-

sel can assist an organization in achieving An organization may wish to develop writtenthese ends by providing legal advice, and by policies or protocols that address each of these areasassisting in the development of the investiga- of response to government investigation or inquiry.tive plan and the organization’s subsequent

Role of Compliance Officer, Management and Boardresponse to an investigation’s findings. Organi-zations should consider involving legal coun- 1. Compliance Officer: primarily responsible forsel any time that suspected noncompliance overseeing or performing independent investi-may involve criminal misconduct, civil law vi- gations and for documenting investigative ef-olations, or significant overpayment liability. forts; reports findings of investigations to

One benefit of involving legal counsel in re- management and the board as required by or-sponse and prevention is that communications be- ganizational policy; recommends corrective ac-tween the attorney and the organization may be tion and prevention strategies for adoption


and implementation by management and/or • Do the organization’s monitoring efforts in-the board, as appropriate. dicate that preventative measures taken in

response to noncompliance are effective in2. Management: responsible for cooperating in in-eliminating future instances of similarvestigations of reported noncompliance; com-noncompliance?mits appropriate resources to conduct

investigations and to corrective action and pre- ¶52,100 Board Fiduciary Dutyvention measures.

In 2003, the Office of Inspector General and the3. Board: oversees compliance efforts by receiving American Health Lawyers Association collaborated

and assessing reports of findings and progress in creating a resource for Health Care Boards ofof internal investigations, and of corrective ac- Directors in order to assist them in exercising theirtion and prevention measures; ensures that it fiduciary duties regarding oversight of corporate af-benefits both from the recommendations of the fairs. The resource provided the following list ofcompliance officer and from the advice of questions that board members should ask ofcounsel when corrective action may require management:report of the noncompliance to outside parties,including the government. Structural Questions:

1. How is the compliance program structuredEvaluation and Measurementand who are the key employees responsible for

1. Effort its implementation and operation? How is theBoard structured to oversee compliance issues?• Has the organization developed a process

for investigating reports of suspected 2. How does the organization’s compliance re-noncompliance? porting system work? How frequently does the

Board receive reports about compliance issues?• Are the findings, status, and outcomes ofinternal investigations reported regularly to 3. What are the goals of the organization’s com-appropriate oversight and management pliance program? What are the inherent limita-bodies? Do these bodies record their over- tions in the compliance program? How doessight of the organization’s investigation, re- the organization address these limitations?sponse, and prevention activities in their 4. Does the compliance program address the sig-respective minutes? nificant risks of the organization? How were

those risks determined and how are new com-• Has the organization developed written pol-pliance risks identified and incorporated intoicies or protocols for responding to govern-the program?ment investigations?

5. What will be the level of resources necessary to2. Outcomeimplement the compliance program as envi-

• Can the organization demonstrate that sioned by the Board? How has managementongoing harm is halted promptly upon dis- determined the adequacy of the resourcescovery of confirmed noncompliance? dedicated to implementing and sustaining the

• Does an aging of closed and ongoing inves- compliance program?tigations demonstrate that the organization

Operational Questions:is promptly resolving reports of suspectednoncompliance? A. Code of Conduct

• Are the organization’s corrective action re- How has the Code of Conduct or its equivalentsponses to investigations consistent with le- been incorporated into corporate policiesgal requirements, and with the across the organization? How do we know thatrecommendations of relevant regulatory the Code is understood and accepted acrossagencies? the organization? Has management taken af-

firmative steps to publicize the importance of compliance violations? How are reportingthe Code to all of its employees? systems, such as the compliance hotline,

monitored to verify appropriate resolutionB. Policies and Proceduresof reported matters?Has the organization implemented policies and

2. Does the organization have policies thatprocedures that address compliance risk areasaddress the appropriate protection ofand established internal controls to counterwhistleblowers and those accused ofthose vulnerabilities?misconduct?C. Compliance Infrastructure

3. What is the process by which the organiza-1. Does the Compliance Officer have suffi-tion evaluates and responds to suspectedcient authority to implement the compli-compliance violations? What policies ad-ance program? Has management provideddress the protection of employees and thethe Compliance Officer with the autonomypreservation of relevant documents andand sufficient resources necessary to per-information?form assessments and respond appropri-

4. What guidelines have been established forately to misconduct?reporting compliance violations to the2. Have compliance-related responsibilitiesBoard?been assigned across the appropriate levels

5. What policies govern the reporting to gov-of the organization? Are employees heldernment authorities of probable violationsaccountable for meeting these compliance-of law?related objectives during performance

reviews? In 2004, the Office of Inspector General issuedD. Measures to Prevent Violations supplemental guidance for Health Care Board of

Directors concerning the roles of the in-house corpo-1. What is the scope of compliance-relatedrate general counsel and an organization’s Chiefeducation and training across the organiza-Compliance Officer in supporting the compliancetion? Has the effectiveness of such trainingoversight function of health care organization gov-been assessed? What policies/measureserning boards. Below are the suggested additionalhave been developed to enforce trainingareas of inquiry the OIG believes Board membersrequirements and to provide remedialshould ask management:training as warranted?

1. To what extent is the General Counsel utilized2. How is the Board kept apprised of signifi-by the Board to provide relevant advice re-cant regulatory and industry developmentsgarding compliance matters?affecting the organization’s risk? How is

the compliance program structured to ad- 2. Where and how is the General Counsel in-dress such risks? volved in each of the fundamental elements of

the compliance program?3. How are “at risk” operations assessed froma compliance perspective? Is conformance 3. How does the General Counsel receive noticewith the organization’s compliance pro- of, and provide input on, the organization’sgram periodically evaluated? Does the or- response to identified or suspected complianceganization periodically evaluate the failures?effectiveness of the compliance program? 4. What are the roles of the organization’s Chief

4. What processes are in place to ensure that Compliance Officer and General Counsel inappropriate remedial measures are taken in operating the corporate compliance program?response to identified weaknesses? Who has responsibility for reporting to the

Board on compliance matters?E. Measures to Respond to Violations1. What is the process by which the organiza- 5. How is the Board notified when there are dis-

tion evaluates and responds to suspected agreements among management, the Chief


Compliance Officer and/or the General Coun- Are processes in place to enable the Generalsel relating to the organizational response to Counsel to bring issues of legal compliance to thespecific compliance matters? appropriate authorities within the organization?

6. Does the Board understand how the organiza- In January 2005, the OIG issued supplementaltion utilizes the attorney/client and work compliance program guidance for hospitals. In thatproduct privileges when responding to third document the OIG identified some factors that anparty requests for information? organization may wish to consider in its evaluation

of their compliance program. The following checksheet is a list of those factors:


[The next page is 58,001.]


Documents

Evaluating and Improving a Compliance Program: A Resource for Health Care Board Members, Health Care Executives …news.wolterskluwerlb.com/media/chapterHC_Compliance.pdf · for Health