1. Standards of Conduct (Code)/Policies and Procedures
Policies and procedures help to set the expectations for all employees. The Federal Sentencing Guidelines and all OIG program guidance describe this area as one of the seven elements of an effective compliance program. The first of the prescribed elements calls for “The development and distribution of written standards of conduct, as well as written policies and procedures that promote [a]…commitment to compliance.” These two documents, the standards or code of conduct and the policies and procedures, become the tools with which you can begin to build your compliance program.
The standards of conduct, first and foremost, demonstrate the organization’s ethical attitude and its “enterprise-wide” emphasis on compliance with all applicable laws and regulations. The code is meant for all employees and all representatives of the organization, not just those most actively involved in compliance issues. This includes third parties, e.g., vendors, suppliers, and independent contractors, which are the frequently overlooked groups. From the board to volunteers, everyone must receive, read, understand, and agree to abide by the code of conduct. It is required in most Corporate Integrity Agreements (CIA) that all employees attest to the Code on an annual basis. The attestation of the Code is a standard practice for organizations. For this reason the code should be written plainly and concisely in an accessible style. An eighth-grade reading level or below is recommended. Plain and concise does not mean generic, however. The contents of the Code will need to be tailored to the organization’s culture, business, and corporate identity. Also, institutions with a diverse constituency should consider providing the Code in appropriate languages for the organization’s culture.
The Code provides a process for proper decision-making, for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper compliance conduct. Managers should be encouraged to refer to the Code whenever possible, even incorporating elements or standards into performance reviews. Compliance with the standards must be enforced through appropriate discipline when necessary. Disciplinary procedures should be stated in the standards, and the penalty—up to and including dismissal—for serious violations of the Code must be mentioned to emphasize the organization’s commitment. (See Enforcement and Discipline later in this chapter.)
Code of Conduct: Content Checklist
- Reflects cultures and values of the organization
- Written plainly and concisely so all employees can understand the standards
- Translated into other languages as appropriate
- Mentions organizational policies without completely restating them
- Is consistent with company policies and procedures.
Code of Conduct and Employees
- All employees must receive, read, and understand the standards
- Training should be provided specific to the Code
- Employees should attest in writing that they have received, read, and understood the standards on an annual basis
- Employee compliance with the standards must be enforced fairly and consistently through appropriate discipline when necessary
- Employees should understand that noncompliance will bring about discipline; this should be stated in the Code.
Code of Conduct Purpose
- To represent the culture of the organization
- To summarize specific guidelines for employees to follow
- To assist all employees to comprehend what is required of them
- To provide a process for proper decision-making
- To confirm that employees put standards into everyday practice
- To elevate corporate performance in basic business relationships
- To confirm that the organization upholds and supports proper compliance conduct.
(See Appendix A.1, Sample Letter to Vendors.)
Whereas a code of conduct provides guidelines for decision-making and behavior, the compliance policies and procedures are specific and address identified areas of risk. Most organizations already have an employee manual that outlines all policies and procedures. Whenever possible, compliance policies and procedures should be integrated into existing policies. And while it is imperative that the organization have policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not following it. Develop your policies and procedures carefully and review them on a regular basis. Take care that they are realistic and measurable. Lofty goals and platitudes may seem appealing but they are too frequently open to interpretation.
Developing your policies and procedures must begin with areas of risk. The OIG Work Plan (http://oig.hhs.gov/reports-and-publications/workplan/index.asp) released in the fall of each year highlights those areas the government will give close attention to in the coming months. Be sure those targeted areas that apply to your organization are adequately addressed in your policies and procedures (and your educational and auditing/monitoring plans). Every health care organization that bills Medicare should also review the Compliance Program Guidance for Third-Party Medical Billing Companies for the seventeen billing risk areas and seven coding risk areas, and have compliance policies and procedures for all relevant areas.[1] No matter the size or setting, every organization needs to assure that compliance-related policies and procedures exist for:
- Auditing and monitoring
- Compliance record retention (attestations, audit results, investigative documents, etc.)
- Self-disclosure
- Regular sanction checks (may be in HR):
  - System for Award Management (SAM) is the Official U.S. Government system that consolidated the capabilities of Central Contractor Registration (CCR), Office of Research in Clinical Amplification (ORCA), and Excluded Parties List System (EPLS).
  - OIG Exclusion Database
  - State Medicaid Exclusion Database
  - Specially Designated Nationals List (SDN)
- Specific areas of risk, e.g., conflict of interest, billing, clinical integrated networks, third-party relationships, etc.
- Non-Retaliation (may be in HR)
- Stark/Anti-Kickback
- HIPAA Privacy and Security
- Others.
Fraud and abuse offenses can often be attributed to documentation and billing irregularities. Medicare in-patient reimbursement is based on the approximately 17,000 numeric codes that make up the International Classification of Diseases, 10th Edition, Clinical Modifications or ICD-10-CM/PCS. These codes are organized into diagnosis related groups (DRGs), which form the basis for government payment. The federal government pays a fixed amount according to the assigned diagnosis. This approach, at least in theory, provides incentive to the organization to deliver care as cost effectively as possible.
Some DRGs reimburse at a higher amount than others. A diagnosis of pneumonia with septicemia, for example, will reimburse more than regular pneumonia. Upcoding is the practice of using a billing code that provides a higher reimbursement rate than the billing code that actually reflects the service furnished. Upcoding has been a major focus of the OIG’s enforcement efforts, and HIPAA added an additional civil monetary penalty to the OIG’s sanction authorities for upcoding violations. The OIG also identifies DRG creep as a risk area. DRG creep is the practice of billing using a DRG code that provides a higher payment rate than the DRG code that accurately reflects the service furnished to the patient.
Physician services are described in codes from the Current Procedural Terminology (CPT) published by the American Medical Association. Submitted codes for physician services must reflect actual services provided. Physicians in teaching situations have additional guidelines. CMS Medicare’s Final Rule for Teaching Physicians, effective July 1996 and revised in November 2002, outlines documentation regulations for services provided by residents and teaching physicians. Proper documentation of physician supervision of residents is critical to appropriate billing. Billing policies need also to prohibit both billing for services never provided and billing for medically unnecessary services.
There are additional policies and procedures not specifically tied to the OIG Work Plan or OIG guidances that should be a part of any effective compliance program.
A policy on non-retaliation/non-retribution should be developed and communicated. It may be that one exists currently as an HR policy. Compliance needs to review it and assure it is applicable to reporting potential non-compliance. This is one of the most important policies that affects compliance program effectiveness. All employees should understand that they will not be retaliated against for bringing issues forward. If employees are afraid to bring issues forward, a compliance program could not be effective. Employee participation is key to the identification of issues. (See Appendix B, Sample Non-retaliation/Non-retribution Policy.)
You must be prepared in the event the government comes knocking at your door. However unlikely, a government investigation is always possible and prior planning is critical. Develop policies so that your staff knows what to do if presented with a subpoena, search warrant or if questioned by a government investigator. Remember, you can’t tell them what they must do, but you can tell them what their rights are. Your organization’s legal counsel should be a partner in the development of these policies. (See Appendix C, Responding to Search Warrant.)
The anti-kickback statute prohibits any knowing and willful conduct involving the solicitation, receipt, offer, or payment of any kind of remuneration in return for referring an individual or for recommending or arranging the purchase, lease, or ordering of an item or service that may be wholly or partially paid for under a federal health care program. The anti-kickback statute is a criminal statute. Hefty fines can be levied, as well as imprisonment, and, in addition, any reimbursement secured under an illegal referral may be considered a false claim. Potential anti-kickback violations might include offering office space at no charge or less than fair market value to physicians, cut-rate support services such as dictation or secretarial services to physicians, or computer equipment provided at no charge by a pharmaceutical company. Be sure you understand the safe harbors provided under the anti-kickback statute. A clear, well-publicized policy in support of the anti-kickback statute can prevent confusion and possible problems.
Similarly, the Stark Law applies to physician referrals. The law states that if a physician or an immediate family member has a financial relationship with an entity that provides designated health services (DHS), the physician may not make a referral for any DHS that is reimbursable by Medicare, and the entity that provides the services may not bill Medicare for the services provided as a result of the prohibited referral. The Stark Law is a civil act, and penalties are substantial. There are exceptions to the Stark Law referral prohibition, but the regulations are complicated and consulting legal counsel is advised. The applicable Stark exception must be strictly complied with.
Policies and procedures must be living documents, not just a policy binder on a shelf. They must become integral to the day-to-day operation of the organization. That is what the government will look for. Are the policies and procedures applied every day? Is someone responsible for the revisions? Are they incorporated into performance reviews and educational programs? Are they reviewed and updated regularly? Revising policies and procedures is something like painting the Golden Gate Bridge; just when you think you’re finished, you have to start again at the beginning. You will also need a policy defining what a policy is, the process for developing a policy, the accountable management role, and the steps for how and when your review and revision of policies and procedures will be accomplished.
The Code of Conduct should not be embedded in a policy or an HR manual, but should be a stand-alone document that everyone in the organization is aware of. The Code should be included in every general compliance training session.
Again, standards of conduct, policies and procedures are the tools of compliance. But they must be reflective of the actual process and practice to be effective.
2. Compliance Officer and Compliance Committee
The OIG and the Federal Sentencing Guidelines call for the designation of a compliance professional “to serve as the focal point for compliance activities” (see the OIG’s Model Compliance Guidances, and Chapter 8 of the Federal Sentencing Guidelines). Whether the position is full time or part time will depend on the size, scope, and resources of the institution. Also, according to the OIG, assigning the Compliance Officer “appropriate authority is critical to the success of the program.” The Federal Sentencing Guidelines states, “To carry out such operational responsibility, such individuals shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.” On a specific level, for example, the Compliance Officer must have full authority to access any and all documents that are relevant to compliance activities; documents such as patient records, billing records, contracts with third parties, agents, and any areas of compliance interest. But in the big picture, “appropriate authority” comes from the unquestionable backing of the board of directors or its equivalent, the source of the respect that will get things done.
Appropriate authority and the full backing of the board of directors and management are consistent with the OIG’s call for the appointment of a “high-level official…with direct access to the governing body, the CEO, all other senior management and legal counsel.”[2] This is logical because it is the board that launched the compliance initiative and approved the hiring of the Compliance Officer. Board members may even have been actively involved in the interviewing and hiring of the compliance officers. They should also have been involved in the drafting—certainly the reviewing—of the Compliance Officer’s job description. And they will be an important part of the Compliance Officer’s reporting structure.
The OIG considers there to be some risk involved in having the Compliance Officer report to general counsel or to the Chief Financial Officer (CFO). Some liken this reporting arrangement to the fox minding the chicken coop. Separation of compliance from legal and finance when possible, the OIG argues, helps ensure that legal reviews and financial analyses are independent and objective. In 2015 the OIG released Practical Guidance for Health Care Governing Boards on Compliance Oversight. This guidance states, “Boards should be aware of, and evaluate, the adequacy, independence, and performance of different functions within an organization on a periodic basis. OIG believes an organization’s Compliance Officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.” According to a 2014 survey conducted by HCCA and SCCE, The Relationship Between the Board of Directors and the Compliance Officer, most compliance officers in health care report directly to the organization’s board or CEO.
Q: To whom does the Compliance Officer directly report? | Not-for-profit | For profit, privately held | For profit, publicly traded | Total | Percent |
---|---|---|---|---|---|
CEO/President | 70 | 25 | 2 | 97 | 24.4% |
Board | 187 | 39 | 15 | 241 | 60.1% |
CFO/Finance | 4 | 1 | 0 | 5 | 1.3% |
General Counsel | 14 | 4 | 1 | 19 | 4.8% |
HR | 1 | 0 | 0 | 1 | 0.3% |
Audit | 2 | 0 | 0 | 2 | 0.5% |
Other | 24 | 8 | 0 | 32 | 8.0% |
Don’t Know | 1 | 0 | 0 | 1 | 0.3% |
Total Respondents | 303 | 77 | 18 | 398 |
The Compliance Officers’ duties also will vary depending on size and scope of the program. The main focus of the position should be the implementation, administration and day-to-day oversight of the compliance program. Primary responsibilities, according to the OIG, should include:
- Overseeing and monitoring the implementation and ongoing operation of the compliance program
- Reporting on a regular basis to the governing body, CEO, and compliance committee
- Revising the compliance program periodically as appropriate
- Developing, coordinating, and participating in a multifaceted educational and training program
- Ensuring that independent contractors and agents are aware of the organization’s compliance program requirements
- Ensuring that appropriate background checks are done to eliminate sanctioned individuals and contractors
- Assisting with auditing and monitoring activities
- Independently investigating and acting on matters related to compliance.
Health care compliance is evolving as a profession. Education and skill sets vary among those in all industries who have chosen compliance as their profession. The most recent HCCA survey, 2015 Healthcare Chief Compliance Officers and Staff Salary Survey found that among the 679 responding to the survey, 18% were attorneys (Juris Doctorate), 26% had master’s degrees, 14% had MBAs, 31% held bachelor’s degrees, 53% were CHC-accredited (Certified in Healthcare Compliance), 10% were CHPC-accredited (Certified in Healthcare Privacy Compliance), and 4% were CHRC-accredited (Certified in Healthcare Research Compliance), 2% held doctorates, and 10% had some college. (Note percentages do not total 100% because some respondents listed more than one degree.) Among the survey respondents, 11% have managed a compliance department for more than 10 years, and 8% have managed one for more than 15 years. Whatever the tenure or the educational level, the Compliance Officer as “focal point” of the program must be a figure respected and trusted throughout the organization. Strong interpersonal skills, good listening abilities, and discretion are mandatory. (See Appendix D, Compliance Officer Job Description.)
As compliance has grown and matured as a profession, it has, like other professions, sought to identify and distinguish those in the field who have, with experience and education, achieved the necessary skill set to be an effective Compliance Officer. Through rigorous testing, HCCA’s certification program, administered by the Compliance Certification Board (CCB), identifies and certifies those who can meet such high standards of expertise. A compliance certification designation (CHC, CHC-F, CHPC, CHRC, etc.) after a compliance professional’s name indicates that he or she is thoroughly knowledgeable in all areas of compliance. Becoming certified in a health care compliance field is becoming a goal of many compliance professionals and is being requested as a job requirement by many organizations.
Moreover, like all health care professionals, compliance officers are also stewards of the public trust and therefore the services provided must be of the highest standards of professionalism, integrity, and competence. The Health Care Compliance Association has prepared and published the Code of Ethics for Health Care Compliance Professionals. (See Appendix J.) This document addresses three principles, which are broad standards of an aspirational and inspirational nature. They include:
Principle I: Obligations to the Public—Health care compliance professionals should embrace the spirit and the letter of the law governing their employing organization’s conduct and exemplify the highest ethical standards in their conduct in order to contribute to the public good.
Principle II: Obligations to the Employing Organization—Health care compliance professionals should serve their employing organizations with the highest sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective compliance programs.
Principle III: Obligation to the Profession—Compliance professionals should strive, through their actions, to uphold the integrity and dignity of the profession, to advance the effectiveness of compliance programs and to promote professionalism in health care compliance.
These principles and the accompanying Rules of Conduct should be reviewed and studied—and adhered to—by all compliance officers.
The Compliance Officer may be the “focal point” of a compliance program, but he or she cannot be the only point. The OIG also urges a compliance committee be established “to advise the Compliance Officer and assist in the implementation of the compliance program.”[3] Although there is no specific direction about the composition of the committee, the OIG does note that the committee will benefit from having varying perspectives “such as operations, finance, audit, human resources, utilization review, social work, discharge planning, medicine, coding and legal, as well as employees and managers of key operating units.”[4]
(See the OIG Compliance Program Guidance for Hospitals, II.B.2., footnote 39, 1998.) It will serve the organization well to have a physician representative.
The Compliance Officer’s role with the compliance committee can vary. In some organizations the CO sits ex officio, but in most, the CO chairs the committee. The 2014 Compliance and Ethics Program Environment Survey reports that 68% of respondents’ companies maintain an internal compliance and ethics committee and 15% say that internal stakeholders meet on an ad hoc basis. Of those with a formal committee, 57% are chaired by the Chief Compliance and Ethics Officer or the Compliance and Ethics Officer. Those meetings are held quarterly for 58%, and more often for another 35%. The survey, sponsored jointly by the New York Stock Exchange Governance Services and the Society of Corporate Compliance and Ethics, represented compliance professionals from several industries, including 31% from health care.
Physicians are strong leaders in the health care field and so other organizations may have a physician chair of the committee. No matter who chairs the committee, the compliance department will in all likelihood be responsible for scheduling meetings, preparing the agenda, taking and distributing minutes, and coordinating follow-up. The committee should not meet less frequently than on a quarterly basis.
The compliance committee should develop goals and objectives on an annual basis. The compliance committee has many functions in addition to aiding and supporting the Compliance Officer. They include:
- Participating in the identification and prioritization of risk
- Regularly reviewing and assessing compliance policies and procedures
- Assisting with the development of standards of conduct and policies and procedures
- Conducting an annual review of the Compliance Plan document
- Determining the appropriate strategy to promote compliance
- Developing a system to solicit, evaluate, and respond to complaints and problems.
The importance and potential influence of the compliance committee cannot be overstated. Look for committed individuals who will be strong, visible, and vocal advocates for the compliance program.