This article provides a high-level summary of healthcare compliance programs in the United States, including who is required to have a compliance program, the seven core requirements of a compliance program, and the risks of not having a compliance program.
A compliance program is a formalized system of policies, procedures, and processes developed and implemented to prevent, detect, and correct conduct that is inconsistent with applicable federal and state laws, rules, and regulations governing a healthcare organization.
When it comes to compliance programs, there is no “one-size fits all.” Rather, each healthcare organization should tailor its compliance program to fit its own unique needs and circumstances. Furthermore, compliance programs should not be “paper” only; there should be implementation of the paper, training and auditing. A compliance program should be a living thing – changing as issues arise and as the laws change.
Since the late 1990s, the US Department of Health and Human Services – Office of Inspector General (“HHS-OIG”) recommended that healthcare providers of all types establish compliance programs to prevent and mitigate violations of federal healthcare program rules and regulations, but such guidance had always been advisory. HHS-OIG’s recommendation regarding such programs can be found at https://oig.hhs.gov/compliance/compliance-guidance/.
In 2010, the US Patient Protection and Affordable Care Act (“ACA” or the “Act”), amended the US Social Security Act to give the Secretary of Health and Human Services (“Secretary”) the authority to require Medicare and Medicaid providers, as a condition for enrollment, to establish compliance programs. The ACA also amended the Social Security Act to require nursing facilities and skilled nursing facilities to establish compliance programs as well.
Specifically, section 6102 of the ACA established a new section 1128I of the US Social Security Act, which requires that a nursing facility or skilled nursing facility “have in operation a compliance and ethics program that is effective in preventing and detecting criminal, civil, and administrative violations.” Formal compliance plan requirements were issued for skilled nursing facilities in 2017.
In addition to skilled nursing facilities, section 6401(a) of the ACA required enrolled providers and suppliers, Medicare Advantage Organizations, and Medicare Prescription Drug Plans, to adopt and implement an effective compliance program which includes seven core elements, as discussed below.
For healthcare providers that are not required by law to adopt a compliance plan, why should they adopt one? The answer is that a compliance program creates an ethical environment promoting adherence to state and federal law and payor requirements, and such a program can help protect against fraud, waste and abuse and other potential liability.
This answer is reinforced by US Department of Justice Criminal Division’s guidance entitled “Evaluation of Corporate Compliance Programs” that is intended “to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”
The benefits of having an effective compliance program include increasing the proper submission and payment of claims, reducing billing errors, avoiding the potential for fraud, waste, and abuse, promoting patient safety and quality of care, and providing protection against a government enforcement action.
Not having a compliance program – or having an ineffective compliance program – increases the level of risk that the government will bring an enforcement action against the organization for failure to comply with the federal healthcare laws. The government has many tools to address such non-compliance, including exclusion or termination from the Medicare program, lawsuits under the US False Claims Act, Civil Monetary Penalties, disallowances and recovery of payments, and criminal prosecution.
There are seven core elements that should be included in every healthcare compliance program. These core elements are derived, in part, from the seven elements of an effective compliance and ethics program as described in Chapter 8 of the US Federal Sentencing Guidelines Manual.
Remember, there is no one-size-fits all compliance program a healthcare organization, and that a healthcare organization should tailor its compliance program to fit its unique needs. To assist, HHS-OIG has provided a number of helpful resources on its public website such as Compliance Guidance directed at particular provider types, including but not limited to hospitals, nursing homes, physician group practices, home health agencies, and durable medical equipment suppliers.
Before discussing each of the core elements, we note that one of the most important aspects of any compliance program is the resources an organization dedicates to such program. In designing its compliance program, an organization must do so in a manner that aligns with the organization’s available resources. Without adequate resources devoted to the compliance program, however, an organization may look like it has a “good” compliance program on paper, but will likely fail.
The US Centers for Medicare and Medicaid Services (“CMS”), in its Medicare Managed Care Manual, has indicated that adequate resources are those that are sufficient to:
(i) promote and enforce the organization’s standards of conduct and compliance program;
(ii) effectively train and educate the organization’s governing body members and staff;
(iii) effectively establish lines of communication;
(iv) establish and implement an effective system for routine auditing and monitoring; and
(v) identify and promptly respond to risks and findings.
CMS has many helpful webinars and resources, such as a webinar, that address the compliance program requirements. HHS-OIG also has many resources, including its Health Care Compliance Program Tips.
At a minimum, the following core elements must be included in a compliance program:
Below is an overview of each element:
1. Written Policies, Procedures, and Standards of Conduct.
Policies and procedures implement particular standards of required conduct related to risk areas. Those policies, procedures and standards should be readily available to all staff, and regularly reviewed and updated. The standards of conduct (also known as a “code of conduct”) is a high-level outline of the organization’s approach to compliance, and it sets expectations for staff and leadership.
As such, the code should clearly reflect the organization’s commitment to compliance, values and quality treatment of patients, customers, and staff. The code of conduct should also describe the procedures to be utilized by staff to report incidents of non-compliant or unethical behavior. We recommend that the code be written at a 6th grade reading level to ensure that it can be easily understood by all staff.
Written policies and procedures should be detailed and specific and also be easy to read. At a minimum, an organization’s written policies and procedures should include the following:
(i) a description of the operational duties and responsibilities of the organization’s compliance officer, of the organization’s compliance committee (and how the committee is constituted), and of management’s and staff’s responsibilities for compliance;
(ii) a description of the organization’s employee training program and requirements;
(iii) a description of how the compliance program operates (e.g., compliance reporting structure, reporting mechanisms, investigation process, corrective action process, resolving compliance issues, and monitoring and auditing);
(iv) an enumeration of the duties and responsibilities for each operational area;
(v) an explanation of how the compliance department interacts with the organization’s internal auditing, legal, and human resources functions; and
(vi) the methods the organization utilizes to measure the effectiveness of the compliance program.
2. Compliance Officer, Compliance Committee, and High-Level Oversight.
An organization should (1) designate a compliance officer who will oversee its compliance program and (2) establish a compliance committee to assist the compliance officer.
The compliance officer is responsible for the day-to-day operations of the compliance program. A compliance committee is a multi-disciplinary committee whose members have diverse backgrounds and expertise. The compliance committee is involved in all facets of the compliance program. It should meet on a regular basis, be involved in the creation, implementation, maintenance, and enforcement of policies and procedures, be involved in investigations or reviews, and establish guidelines for disciplinary or corrective action plan, and be part of the open lines of communication discussed below.
The compliance officer and compliance committee are responsible for administration of the compliance program (e.g., overseeing compliance operations, being informed about audit and monitoring outcomes, reporting on compliance enforcement activity, performing effectiveness assessments of the compliance program, etc.). The compliance officer and compliance committee should directly report to the chief executive officer or other senior management of the organization.
One question that is raised from time to time is whether in-house counsel can/should also serve as the compliance officer for an organization. HHS-OIG prefers those roles to be separate. We also note that the dual roles can affect whether the attorney-client privilege applies, i.e., if the individual is wearing his/her compliance officer hat, the attorney-client privilege would arguably not apply.
3. Training and Education
General compliance training should be provided to all staff, managers and supervisors and cover the compliance plan requirements (including reporting mechanisms) and the organization’s code of conduct. The primary purpose of training is to ensure staff and leadership are aware of organization expectations and standards. Compliance training should also be provided to vendors and other agents, if applicable.
Initial training should be conducted for all new staff occurring at or near the date of hire. In addition, an annual refresher compliance training should be conducted for all staff, managers, supervisors, and leadership. Testing at the conclusion of a training session should occur to ensure understanding of the material.
4. Open Lines of Communication
Open lines of communication should be established to address compliance issues, education, and concerns, and those lines of communication should run both from staff to managers/management, and from managers/management to staff.
Staff should be strongly encouraged to utilize these lines of communication, to be proactive, and to report issues timely; and Company should clearly communicate methods for reporting compliance issues throughout the organization. Those methods should include a process to allow anonymous reporting without fear of retaliation, (i.e., anonymous hotline or open-door policy).
A compliance plan should also require that a log of reported compliance issues be maintained that reflects:
Document, document, document are the three words that healthcare compliance lawyers repeat to all clients.
Additional training should occur if gaps were found in compliance, and/or individuals were disciplined for any noncompliant behavior.
The compliance officer and the compliance committee should be readily available to an organization’s staff to facilitate open communication in furtherance of the organization’s compliance objectives and compliance plan.
5. Internal Monitoring and Auditing
A system to monitor and audit the compliance program must be implemented to measure the effectiveness of the compliance program, ensure compliance with federal and state healthcare laws, rules, and regulations, and identify other compliance risks. Monitoring and auditing, while related, have two distinct purposes.
Monitoring is in the nature of a regular (often checklist-type) review to determine whether procedures are being followed and working as intended. The results of an organization’s monitoring processes can lead to audits, or audits can result from reported issues or complaints or other sources.
Auditing involves a more comprehensive, “deep dive” review than monitoring. Auditing tends to focus on one or more specific areas, issues or concerns and evaluates compliance with a particular set of standards or base measures.
For example, an organization may identify a potential billing issue (i.e., services are not billed per CMS rules), and an audit would be used to determine whether the issue is occurring, how often it occurs, and why. An audit typically includes written reports containing findings, recommendations, and proposed corrective actions, if necessary.
An effective compliance plan should include both internal monitoring and audits, including external audits by a third-party, if/as appropriate.
The HHS-OIG Work Plan includes compliance risk areas that HHS-OIG has identified for the upcoming year. We recommend adding these risk areas to an organization’s monitoring, auditing and compliance objectives to ensure the organization swiftly identifies and addresses any risk areas that are HHS-OIG priorities.
6. Consistent Enforcement of Standards Through Well-Publicized Disciplinary Guidelines
An organization should consistently enforce its standards policies, and procedures through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect and/or report actual or suspected non-compliance.
Discipline policies should be clearly written and clearly articulate expectations and consequences for noncompliant conduct. As with all other policies, the disciplinary policies should be widely publicized, readily available, and reviewed at least annually with staff.
7. Corrective Action - Prompt Response to Compliance Issues
When vulnerabilities or actual or suspected non-compliance is identified and/or reported through a risk assessment, monitoring, or audit, corrective action should be taken. Corrective action may include repayment of overpayments, disciplinary action against those responsible, additional education or training, and/or re-visiting or adopting policies to prevent potential future violations.
Lauren Carboni is an Associate with Foley & Lardner LLP in Denver, Colorado. She is a member of the Foley Health Care Industry Team. Her practice focuses on health care fraud and abuse protection, regulatory compliance, investigation defense, and litigation matters.
Find more resources in the ACC Resource Library
Connect with peers, join the ACC Health Law Network and other ACC Networks (for ACC members only)
Region: United StatesThe information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.