Compliance Programs for Health Care Organizations

February 1, 1998 Advisory

I. What Is A Compliance Program?

A compliance program is an internal process designed to help an organization prevent improper conduct, identify such conduct when it occurs and implement corrective action. An effective compliance program promotes compliance by educating and training employees, monitoring and auditing the organization's compliance status, disseminating information regarding changes in the law and applying disciplinary standards for noncompliance consistently and fairly.

II. Why Should Health Care Providers Establish Corporate Compliance Programs?

A. The Enforcement Climate: With heightened emphasis by the Government on detecting and punishing violations of Medicare/Medicaid laws and increased resources targeting that effort, it is essential that any Medicare/Medicaid provider establish systems of internal controls to ensure that the organization is in compliance with all applicable laws and regulations. August 1996 saw the passing into law of the Health Insurance Portability and Accountability Act (HIPAA), commonly referred to by its sponsors' names as Kennedy-Kassebaum. With the signing of HIPAA came dramatic advances in the government's ability to identify, investigate and prosecute health care fraud and abuse. The new landscape created by HIPAA includes a firm commitment towards investigation and enforcement funding and training, and heightens the need for effective corporate compliance programs.

  • Fraud and Abuse Control Program

    The cornerstone of the health care fraud and abuse provisions of HIPAA is the creation of the Fraud and Abuse Control Program. This program grants joint authority to the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) and the U.S. Attorney General to coordinate state and federal health care fraud investigation and enforcement activities. Increased funding in the form of direct appropriations and a subaccount of the Medicaid Trust Fund support a robust investigation and enforcement effort and will result in the opening of 36 new OIG offices between 1997 and 2002, along with increased enforcement staffing.

  • Expanded Exclusion Authority

    The ability to exclude health care providers, suppliers and practitioners from participation in the Medicare and Medicaid programs has traditionally been one of the most serious sanctions for health care fraud and abuse. HIPAA expands the reach of mandatory and permissive exclusion authority. Any felony conviction related to health care fraud, whether under state or federal law and even if the underlying fraud is not related to Medicaid or Medicare, now results in mandatory, rather than permissive, exclusion.

  • New Criminal Provisions

    In addition to strengthening civil penalties, HIPAA creates a series of new health care related criminal offenses, such as fraud, theft and embezzlement related to health care services, false statements used to obtain health care benefits or services, obstruction of criminal investigations of health care offenses and laundering of monetary instruments related to health care. While many of these crimes were, and continue to be, prosecutable under other criminal provisions, their inclusion in HIPAA increases the options for prosecutors pursuing health care fraud.

B. "Pay Now or Pay Later"

  1. Government's Strong "Suggestion": Compliance programs are not currently required by law. But the emergence of the OIG's "model" compliance plans and its use of compliance plans in enforcement actions create the expectation that all health care organizations should develop compliance programs.

  2. Avoiding "Corporate Integrity Program": A voluntary program may allow organizations to avoid government- or court-ordered programs in the event problems arise. These mandated programs, which the OIG refers to as "corporate integrity programs," can be extremely intrusive and disruptive. They may include surprise inspections and audits and require periodic reporting to the Government.

  3. The OIG's Perspective:

    • Eileen Boyd, former Deputy Inspector General at the Department of Health and Human Services, stated: "I'm a big believer in hands-on training, where people have a chance to ask questions and get tested on what they were supposed to learn ... putting a manual on a shelf - or herding people into an auditorium to watch a video - doesn't do it for me. If the health-care industry is foolish enough to put in compliance programs that aren't viable, they're making a serious mistake. Traditionally, hospitals have counted on low-level internal auditors to catch problems and report them to senior management. But the new, high profile compliance chiefs are expected to get involved in potential trouble spots much earlier." 1

    • Stephen Davis, from the OIG, said "Inspector General June Gibbs Brown has been a proponent of voluntary compliance for a number of years and views effective compliance programs as an essential element in the management of health care services. We have stated that the Government, especially the OIG, has a zero tolerance policy toward fraud and abuse and will use its extensive statutory authorities and resources to reduce fraud in our health care programs ... if you do not have a compliance program in effect and you or your organization are associated with an OIG, Federal Bureau of Investigation (FBI), the Health Care Financing Administration (HCFA) or other health care fraud investigation organizations, there is a good chance that a corporate integrity/compliance plan will be imposed upon you, in addition to penalties and assuming that you are not excluded or prosecuted criminally." 2

C. Protection from Liability

  1. An effective compliance program protects an organization's officers and directors from civil liability for failing to exercise their duty of care to the organization. A recent ruling by the Delaware Chancery Court (In re Caremark Int'l Inc. Derivative Litigation, 1996 WL 54984 (Del. Ch.)) suggested that good faith attempts to implement and monitor internal compliance programs should satisfy directors' duty of care to oversee corporate operations, thus avoiding civil liability of directors for wrongdoing.

  2. Caremark, a health care company, had been issued millions of dollars in fines, due to violations of state and federal laws and regulations. Caremark's shareholders filed a derivative action against the company's officers and directors alleging that they breached their fiduciary duties to oversee employee conduct and prevent violations of certain laws. In approving a settlement proposed by the parties, the court was influenced by the fact that Caremark had implemented an internal compliance program. The program consisted of:

    • An internal audit plan designed to ensure compliance with business and ethics policies;

    • Continuing education for sales force personnel regarding compliance with relevant policies and regulations;

    • An ethics manual that was regularly revised and distributed to employees; and

    • Training sessions concerning compliance that employees were required to attend.

  3. According to the court, once an appropriate compliance program is in place, it is largely determinative on issues relating to the adequacy of the directors' supervision and oversight of the company. "In my opinion," wrote Chancellor Allen, "only a sustained or systemic failure of the board to exercise oversight - such as an utter failure to attempt to assure a reasonable information and reporting system exists - will establish the lack of good faith that is a necessary condition to liability."

D. Preventive Medicine

  1. Developing a compliance program will identify the various federal, state and local laws and regulations that apply to an organization and ensure compliance with those requirements.
  2. A compliance program also provides early detection of violations so they can be quickly addressed.

E. Employee Morale

  1. An important benefit of a compliance program is that it creates a culture where compliance is expected and high ethical standards valued.
  2. The very process of developing a compliance program can boost employee morale by setting and clarifying standards of conduct and encouraging employees to openly communicate about compliance concerns.

F. Avoidance of Whistleblower Suits

  1. An effective compliance program will contain internal reporting mechanisms and procedures for conducting internal investigations. This will enable employees to raise issues or concerns and have them dealt with promptly within the organization.
  2. Employees should not feel they need to call the Government fraud hotline and/or go to court (through a qui tam action) to rectify a problem.

III. The Government's Criteria For An Effective Corporate Compliance Program

A. The Federal Sentencing Guidelines for Organizations:
The Federal Sentencing Guidelines for Organizations ("Sentencing Guidelines") establish seven minimum requirements for an effective compliance program. Most authorities refer back to the Sentencing Guidelines' definition of an effective compliance program, even in administrative and civil enforcement actions.

  1. Establish compliance standards and procedures for employees and other agents (including independent contractors);

  2. Assign specific individuals within top management overall responsibility for establishing the program;

  3. Be careful not to assign substantial discretionary power to individuals that the organization knows or should know have a propensity to engage in illegal conduct;

  4. Effectively communicate standards and procedures to all employees and other agents through training programs, publications or both;

  5. Establish confidential monitoring and auditing systems;

  6. Consistently enforce the compliance program by disciplining employees responsible for both the actual offense and the failure to detect the offense;

  7. Take all reasonable steps after an offense has been detected to deal with the offense, prevent similar offenses, and modify the compliance program to prevent and detect a similar offense in the future.

B. The OIG Model Compliance Program Guidance for Hospitals

  1. The OIG has issued a "model compliance program guidance" for hospitals. Last year, the OIG released a model compliance plan for clinical laboratories. Model plans could be released in the future for other types of providers.

  2. The OIG guidelines are technically "voluntary," but OIG representatives have stated that they view them as "necessary elements" for managing a health care organization.

  3. The OIG's model plans/guidance are based on the Sentencing Guidelines, as well as recommendations from previous investigations and civil settlements.

  4. The OIG's Recommendations to Hospitals

    • Establish compliance standards, procedures, policies.
      Standards of conduct should summarize the relevant fraud and abuse laws and apply to each element of the hospital's organization and all levels of personnel. Standards should implement the government's current regulations regarding billing and medical record documentation and should reflect areas of specific concern to the OIG, including: (1) double billing, (2) bundling/unbundling, (3) upcoding, (4) DRG creep, (5) miscoding, (6) improper billing of tests, (7) admission/discharge/transfer policies, (8) payment policies for physicians and (9) training and education.

    • Assign oversight responsibility to individuals high in the organization's structure.
      Every hospital should designate a compliance officer and form a compliance committee. The compliance officer should be a high level official, such as a director or executive officer, and must have direct access to the Board of Directors. The compliance committee should include the Chief Executive Officer, Chief Operating Officer, members of the Board of Directors and employees and managers from the hospital's key departments. The compliance committee, in conjunction with the compliance officer, must have the authority to develop and implement changes in the compliance program.

    • Communicate standards and procedures through effective training and education programs/publications.
      Attendance and participation in training programs should be a condition of employment. Training should include an analysis of fraud and abuse laws and a thorough review of the government regulations and policies that apply to the hospital's various operations.

    • Utilize monitoring and auditing designed to detect non-compliance.
      Regular audits of the various hospital departments should be conducted to ensure that the compliance standards are being followed. Audits may include on-site visits, employee interviews, document and records review, and trend analysis studies including an analysis of any changes in billing patterns.

    • Develop effective lines of communication for reporting violations and clarifying policies.
      A communications policy should be developed that encourages self-reporting and provides for anonymity and non-retribution. Records of all employee reports and the response of the organization should be maintained.

    • Enforce standards through well-publicized discipline guidelines and procedures.
      Written disciplinary guidelines outlining the possible sanctions for noncompliance should be published and explained to employees. Sanctions should match the severity of the violation and range from verbal warnings to suspension and termination.

    • Respond appropriately and immediately to detected offenses and prevent further offenses through modification to systems/policies.
      A suspected violation must be investigated immediately. The investigation should include attorney interviews with any employees who may be involved in or have knowledge of the alleged violation and a review of all relevant documents. If the violation is confirmed, the hospital must take immediate action to stop the misconduct. Changes in the hospital's policies and/or procedures should be implemented to prevent the misconduct from reoccurring.

IV. How To Design An Effective Compliance Program

A. First Steps

  1. Obtain Board Resolution/Commitment:
    The Board of Directors should adopt a resolution expressing commitment to the compliance program. Documented board support is critical in light of the Sentencing Guidelines, model compliance plans and recent case law, such as Caremark, discussed above, regarding civil liability of directors.

  2. Designate Compliance Officer/Compliance Committee:

    • It is not legally necessary to hire an additional FTE or create a new position of "compliance officer." The organization could designate a compliance officer by redefining the responsibilities of an existing executive officer or manager.

    • The compliance officer should not operate in a vacuum. It is important to harness the expertise of a number of high level managers in the form of a compliance committee. The committee could include the chief executives in finance, patient affairs/risk management and human resources. If a committee approach is used, it is important to delegate overall responsibility for coordination to one member of the committee.

  3. Make Organization-Wide Announcement:

    • The announcement should be sent to employees, medical staff and vendors.

    • Such an announcement serves as early documentation of the organization's commitment to compliance.

    • It also helps minimize misunderstandings about the program's purpose.

B. Shaping the Program

  1. Perform Legal Audit/Review

    • The scope and extent of legal audit/review will depend on the organization's needs and specific circumstances. The legal audit/review should focus on identifying issues; it is not necessary to detect and unravel every potential problem.

    • Areas of inquiry could encompass the following areas:
      • Documentation/Coding, Including Upcoding and Miscoding
      • Billing for Services Not Rendered
      • Billing for Medically Unnecessary Services
      • Duplicate Billing
      • 72 Hour Window
      • Cost Reports
      • Teaching Physician Billing
      • Billing for Discharges in lieu of Transfers
      • Patient Freedom of Choice
      • Credit Balances
      • Patient Dumping
      • Joint Ventures/Affiliations
      • Agreements with Vendors, Including "Free Items"
      • Relationships with Physicians, Including Compensation
      • Reimbursement for Physician and Other Professional Services
      • Tax Exemption
      • Agreements with Billing Consultants
      • Confidentiality of Medical Records
      • Document Retention/Destruction
      • Conflicts of Interest

    • Other areas of focus could include:
      • Licensure and Certification Requirements
      • Corporate Governance/Structure
      • Antitrust/Fair Trade Practices
      • Medical Staff
      • Environmental Issues
      • OSHA Compliance
      • Labor and Employment
      • Employee Benefit Plans
      • Intellectual Property/Confidentiality
      • Charitable Assets/Fund-Raising
      • Ethical Issues
      • Consumer Protection
      • Risk Management
      • Political Contributions/Lobbying
      • Compliance With Government Imposed Consent Orders, Settlement Agreements

  2. Develop Compliance Manual/Standards of Conduct

    • The manual should cover all legal obligations affecting operations, focusing on what was gleaned from legal audit/review.

    • The manual should include a letter from the CEO.

    • The manual may also address ethical issues and obligations.

    • The manual should present compliance procedures, including availability of hotline or other internal reporting mechanism, a non-retaliation policy toward whistleblowers and disciplinary mechanisms for noncompliance.

    • Employees should be required to review and acknowledge the manual upon hiring and on an annual basis.

  3. Establish Substantive Policies/Procedures in Trouble-Spot Areas Identified Through Legal Audit/Review

    • The Compliance Manual and/or Standards of Conduct set broad parameters and explain how the compliance program works. To build an effective compliance infrastructure, the organization should also create special policies or guidelines in areas that have been identified as potentially troublesome in the audit/review and in areas that are known targets of government scrutiny.

    • Another approach would be to distribute the general Compliance Manual to all employees and then require each Department to assess its compliance issues and then develop specific policies and guidelines addressing those issues.

C. Formulating Compliance Program Procedures:
The Compliance Officer/Committee should design the compliance infrastructure in the form of procedures or guidelines that address the following:

  1. Duties/Responsibilities of Compliance Officer/Committee

  2. Training/Education Requirements

  3. Internal Reporting Mechanism, e.g., compliance line

  4. Procedures for Internal Investigations: Individual(s) Responsible, Timeframe for Completion, Correction

  5. Enforcement: Disciplinary Measures for Non-Compliance with Legal Requirements and with Compliance Program Procedures

  6. Monitoring Mechanisms: Annual Review/Periodic Audits

D. Training Sessions:

  1. Types of Training

    • Targeted training on substantive issues that arise through legal audit/review

    • General review of compliance program procedures

  2. Intensity of training will vary depending upon group

  3. Trainers should be skilled/trained in instructional techniques

V. Practical Considerations

A. Resource Limitations

  1. Development of an effective corporate compliance program takes time, resources and commitment. There is no quick fix.

  2. If you do not currently have an overall corporate compliance program in place, then focus now on specific areas of vulnerability. Establish a system of internal controls with training and monitoring components. That system can be the basis for expanding the compliance program over time.

B. Outside Consultants

  1. Use outside consultants and legal counsel to review, assess and audit areas that require special attention. In order to maintain the attorney-client privilege, outside consultants should be retained by legal counsel and work under privilege.

  2. Beware of pre-packaged plans and systems, and resist the temptation to adopt such a plan or system simply to have one in place. A corporate compliance program is a process, not a product, and it should be specially designed and tailored to fit your organization's corporate culture. The government may view a cookie-cutter compliance program that sits on an organization's bookshelf as worse than no program at all.

  3. Manage use of consultants' time effectively by developing/defining scope of work to match resources committed.

  4. Before outside counsel or auditors arrive on the scene, the organization should announce the development of the corporate compliance program to employees, explaining the purpose of the program and the role of counsel and auditors.

C. Confidentiality Concerns: Preserving the Attorney-Client Privilege

  1. All guidelines, notes, videos, reports and other documentation formulated or used during the creation and maintenance of a compliance program could later be subject to scrutiny by government officials, private parties and courts should the organization be investigated for violations of state or federal law or sued civilly. It is therefore necessary to use good judgment in all documentation.

  2. Make sure that outside counsel and/or in-house counsel solely working in his/her capacity as an attorney are directly involved in the establishment of the compliance program to maximize the availability of the attorney-client privilege.

  3. Involve counsel in all internal audits and investigations of possible violations, and ensure that employees involved understand the legal nature of the communications with counsel.

  4. Ensure that communications between attorneys and employees are conducted in confidence, and that employees understand that they should not discuss the communications with others, even with other employees.

D. Dealing with Employee Reports/Whistleblowing

  1. Be prepared for an increase in employee reporting and whistleblowing.

  2. Respond to and investigate employee reports about potential violations.

  3. Establish in advance how employees committing offenses (as well as those who may have failed to adequately supervise/detect the offense) will be disciplined and consistently apply disciplinary measures.

E. Voluntary Disclosure to Government Officials

  1. If a violation is discovered after an internal investigation, the organization should carefully consider whether to voluntarily disclose the violation to government officials.

  2. See section on "Internal Investigations" for discussion of voluntary disclosure.

VI. Common Mistakes To Avoid

A. On-the-Shelf Programs

  1. An organization should not establish a compliance program and then leave it on the shelf. A "paper program" will likely increase exposure once it is discovered that the procedures and practices have not been followed.

  2. Government representatives have stressed in public addresses on compliance programs that a paper program may be worse than no program at all. During government investigations, prosecutors often ask employee-witnesses about the day-to-day operations of an organization's program, rather than simply accept an organization's representations about its program.

B. Low-level or Ineffective Compliance Personnel

  1. Appointing a low level employee compliance officer or creating a weak or ineffective compliance committee could indicate that the organization is not truly committed to compliance.

  2. The compliance committee should be comprised of senior executive officers, and it should have the power and authority to implement changes in the compliance program.

C. Failure to Adapt

  1. Failure to adapt and update a compliance program is another common pitfall. The compliance program must constantly evolve and should include an examination of the compliance procedures of any acquired entities.

  2. Likewise, the organization should not neglect to assess the adequacy and efficacy of the compliance procedures, many of which are themselves new for many companies.

D. Ineffective Discipline

  1. Despite a policy professing vigor and fairness, some organizations fail to impose adequate discipline in practice. Worse, some organizations actually reward conduct in a manner that directly conflicts with the stated goals of the compliance program when the pressure to produce overcomes the message to behave in an ethically and legally compliant manner.

  2. Similarly, the company should provide compliance rewards, incentives and advancement in a manner comparable to those for production and sales personnel.

E. Written Record

  1. The lack of a written and permanent record of the compliance program is a common failing that can result in an organization finding itself unable to prove the efficacy of its program despite its best efforts to do the right thing.

  2. The organization should, therefore, ensure that the program itself is documented by memorializing training statistics, disciplinary actions, employee reports, internal investigations, results of audits of all significant risk areas and the results of the program itself.

F. Overreaching

  1. Although an effective program must, at a minimum, satisfy the Sentencing Guidelines' seven criteria, an organization must be careful not to set standards that it cannot meet. A failure to comply with one's own internal standards will not only reflect poorly for criminal liability, but such a failure can also cause problems in civil litigation.

  2. It is, therefore, important that the compliance program be workable, keeping in mind that the Guidelines take into account the size of the company.

VII. Maintaining A Compliance Program

A. Creating Compliance Incentives and Imposing Discipline

  1. Create Incentives

    • It is helpful to provide incentives for behavior that achieves the goals of the compliance program.

    • Compliance should be included in an employee's periodic evaluations.

  2. Impose Discipline

    • The Sentencing Guidelines require that the organization's standards be enforced through appropriate disciplinary measures, including the discipline of a supervisor for failure to detect an offense.

    • If a violation occurs, the organization will need to demonstrate that it took appropriate action to discipline any offenders. Any disciplinary action taken should be documented, by, for example, a memorandum to the file and an entry in the employee's personnel file.

    • Discipline should also be imposed against any employee who engages in retaliatory practices against employees who report improper conduct.

B. Monitoring the Program

  1. Measuring the effectiveness of an ongoing compliance program will help ensure that an organization is employing its program effectively. It is not sufficient simply to possess what appears to be a carefully constructed compliance program; the program must work.

  2. Accordingly, periodic monitoring of the efficacy of the program (e.g., are the required actions being taken) is important. The Government will also want to know how an organization's program works.

C. Conducting Internal Investigations

  1. Purpose of Internal Investigation

    • If the organization learns that it is the subject of a government investigation, it should immediately conduct an internal investigation. Also, an internal investigation should be conducted when an employee reports suspected misconduct or when a problem is identified through the organization's internal monitoring.

    • Internal investigations are used to discover the nature and extent of a problem, identify the personnel/departments involved, determine how long the problem has been going on and assist in the termination of a problem practice or procedure. You may also uncover related or collateral problems before the government discovers them.

    • Early detection will allow for an informed and coordinated response.

    • to provide more effective advice.

  2. Conducting Internal Investigations

    • Employee interviews - One of the first steps in an internal investigation is to gather facts by interviewing employees.

      • Explain Attorney/Client privilege - Always have an attorney present and explain to the employee that all discussions are privileged, the privilege belongs to the organization and not the employee, the privilege may be asserted or waived at the sole discretion of the organization, and the employee should not discuss the interview with anyone else.

      • Interview employees who have been interviewed by the government first.

      • Develop a list of other employees with relevant information and interview up (or down) the personnel chart.

      • Employees will invariably ask if they are in trouble. Explain that the organization is in the process of gathering facts. If an employee asks whether he/she needs a lawyer, often the answer is that it is too soon to know but that, in any event, it is his or her choice. Check the organization's policies and state law regarding indemnification and attorney fee obligations.

    • Document Review

      • During interviews, ask employees to identify all relevant documentation.

      • All pertinent documents, including personal records that an employee may have in his or her possession, should be gathered and reviewed.

D. Deciding Whether To Disclose The Findings Of An Internal Investigation

  1. Mandatory Disclosure

    • In certain industries, certain types of wrongdoing must be reported to the appropriate authorities as soon as it is discovered.

    • Counsel must, therefore, carefully consider whether the discovered misconduct is required to be disclosed.

  2. Voluntary Disclosure

    • Deciding whether to voluntarily disclose the results of an internal investigation involves an analysis of the potential benefits and liabilities.

    • Voluntary disclosure may decrease the likelihood of prosecution, including exclusion from Medicaid and other government programs. However, to get these benefits, disclosure must be prompt, and you must be prepared to document the corrective action taken, demonstrate that the problem has stopped and show that the organization has instituted policies and procedures to prevent future problems. You may also be asked to waive your attorney-client privilege.

    • Voluntary disclosure may, however, alert the government to wrongdoing that it otherwise would not detect, prompting it to take action and generating adverse publicity.


  1. "Hot New Job in Health Care: In-House Cop." The Wall Street Journal, September 18, 1997.
  2. Speech on "Compliance and Corporate Integrity Activities" by the Office of the Inspector General, Department of Health and Human Services, before Health Research and Educational Trust, New Jersey Hospital Association, Princeton, New Jersey, June 11, 1997.