James I. Glasser

Getting the Board on Board: The OIG Releases Practical Guidance for Health Care Governing Boards on Compliance Oversight

May 1, 2015 Advisory

On April 20, 2015, the United States Department of Health and Human Services' Office for Inspector General (OIG) published an educational resource titled, "Practical Guidance for Health Care Governing Boards on Compliance Oversight," ("Practical Guidance") in association with the Association of Healthcare Internal Auditors, the American Health Lawyers Association, and the Health Care Compliance Association.[1] This new resource provides "practical tips" to assist governing Boards of Directors of health care organizations in responsibly carrying out their compliance plan oversight obligations.

In the Practical Guidance, the OIG encourages Boards to become familiar with the Federal Sentencing Guidelines, the OIG's voluntary compliance program guidance documents, and the OIG's Corporate Integrity Agreements and use them as "baseline assessment tools." The OIG reiterates its oft-cited mantra that compliance program design is not "one size fits all," and that Boards are expected to act in good faith to oversee compliance efforts and to ensure that the compliance program is adequate given the size and complexity of the organization.

Here are some of the practical tips offered:

  • Stay Educated. The OIG stresses the importance of having an educated Board that is aware of the regulatory landscape and compliance pitfalls and advises getting periodic reports or review of regulatory resources from informed staff. Boards can benefit from outside educational programs and setting up a formal education calendar. The OIG further suggests adding to the Board, or periodically consulting with, experienced regulatory, compliance or legal professionals.
  • Define the Interrelationship of the Audit, Compliance, and Legal Functions. The OIG recommends that organizations adopt a framework and definitions regarding the different functions that audit, compliance and legal personnel provide within the organization and explain how these functions operate together to identify and mitigate risk. Each of these functions should be separate and distinct, each with the necessary level of independence and access to information and resources to fulfill their roles. Specifically, the OIG expresses its long-standing opposition to having the compliance officer also serve as legal counsel for the organization or having the compliance department be subordinate to the legal department. Yet, the OIG understands that the compliance and legal departments must also often collaborate for the best interests of the organization. The OIG offers specific descriptions of these functions for Boards to adopt and implement.
  • Obtain Reports on Compliance. The OIG expects Boards to receive regular reports regarding compliance activities, including internal and external investigations, serious audit issues raised, hotline call activities, and allegations of fraud or senior management misconduct. The OIG expects the Board to receive reports of risk and mitigation efforts, separately and independently, from a variety of different personnel, such as those responsible for audit, compliance, human resources, legal, quality and information technology. Knowing their organization and industry, Boards will have to find the right balance between getting too much information and not getting enough. The OIG describes how some Boards find it helpful to use dashboards, containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plan, and policies and procedures. A risk-based reporting system, where certain individuals are tasked with providing reports to the Board when certain risk-based criteria are met, is also touted as an effective mechanism. The OIG advocates conducting regular executive sessions, where leadership from compliance, legal, audit and quality functions can communicate openly, without the presence of senior management.
  • Identify and Audit Potential Risk Areas. Ensuring that the organization has strong processes in place for identifying risk areas is an essential role of the Board. The OIG specifically references referral relationships and arrangements, upcoding, submitting claims for services not rendered or not medically necessary, privacy breaches and quality-related events. Having a compliance hotline, conducting internal audits and monitoring industry news and OIG guidance will help an organization mitigate risk. When failures or problems of similar organizations are publicized, the OIG expects Boards to ask their own management teams whether they might be at risk of similar misconduct. According to the OIG, organizations are expected to monitor and audit to detect criminal conduct. It is also important to consider industry trends and emerging models in designing a risk assessment plan.
  • Encourage Accountability and Compliance. While this guidance is directed towards the Boards of health care organizations, the OIG points out that it is the responsibility of the entire organization to execute the compliance program. The OIG recommends that the Board support the concept that compliance is a "way of life" by including compliance efforts as part of the employee assessment process and even withholding incentives or providing bonuses based on compliance and quality outcomes. Ensuring that employees are encouraged to report issues without fear of retribution and that managers appropriately respond to employee reports will help the organization better identify risk. According to the OIG, incentivizing compliance will lead to more self-identification of compliance failures, which is advantageous for the organization. First, an organization whose staff reports problems lowers its risk of running afoul of its obligation to report and return overpayments within 60 days from discovery. Second, internally identifying problems allows organizations to self-report, which has benefits such as faster resolution of the case since the average OIG self-disclosure is resolved in less than a year and lower payment because OIG generally settles self-disclosure cases for 1.5 times damages rather than double or treble damages and penalties under the False Claims Act.

Please join us at Wiggin and Dana's Seventh Annual Health Care Compliance and Enforcement Roundtable, at 4 PM on Thursday, May 14, 2015 at Quinnipiac University Frank H. Netter MD, School of Medicine where we will discuss this new OIG guidance and hear state regulators and experienced practitioners engage in a roundtable discussion about the implementation and use of the Connecticut False Claims Act since its enactment. Learn about the government's enforcement priorities and initiatives, and what providers can do to ensure compliance and avoid liability. Please click here for more details.