A compliance officer is tasked with preventing, detecting, and responding to compliance concerns, in addition to sustaining the ethical culture of an organization. The role is deemed to be distinct from the practice of law in that compliance officers are not representing an organization, like attorneys who work with or as general counsel. Thus, this is a less advocacy-oriented role. The compliance program is supposed to ensure an “independent and objective” review of compliance efforts, whereas attorneys act as zealous advocates for the interests of an organization. As noted in the Emory Law Journal, “Compliance officers ‘should be charged with and empowered to reveal issues—and may even advocate disclosing to, and cooperating with, the government in certain instances,’ while the general counsel’s role should be ‘to rigorously defend the company.’”
To prevent, detect, and respond to possible False Claims Act (FCA) issues, a compliance officer must have command of a wide variety of legal subject matters. It is nearly impossible to memorize the body of statutory, regulatory, and subregulatory authorities that are applicable to most healthcare organizations. Fortunately, the Office of Inspector General (OIG) for the U.S. Department of Health & Human Services (HHS) provides an abundance of guidance in this regard, suggesting key areas needing attention as well as methods for identifying additional areas of concern, applicable to many healthcare providers.
This chapter provides an overview of the role of a compliance officer in dealing with FCA risks, highlighting important distinctions between compliance efforts and the practice of law. The application of an effective compliance program to FCA issues is a key responsibility of the compliance officer.
Elements of an Effective Compliance Program
A key responsibility of a compliance officer is to maintain an infrastructure of controls for preventing, identifying, and responding to compliance issues, including suspected FCA violations. OIG provides guidance for multiple types of healthcare providers for developing such an infrastructure, the first of which was released for hospitals on February 23, 1998. The purposes of such guidance is to encourage healthcare providers to voluntarily institute a compliance program and use such guidance as a benchmark of expectations. (Note: When fraud is discovered and prosecuted, an entity’s efforts to address substantial risks that were inherent in the nature of its business is one factor that will be considered in sentencing, according to the Federal Sentencing Guidelines.) The creation of compliance program guidance was a major initiative of the OIG in its effort to engage the private health community in combating fraud and abuse. Here is an overview of such guidance, but it is also important to understand that federal and state regulations may impose specific rules and requirements beyond guidelines on certain provider types with respect to compliance efforts. For example, as of November 2019, skilled nursing facilities are required to have a compliance program. Also, facilities that are part of a chain of five or more are further required to have a compliance officer.
Designation of a Compliance Officer and Compliance Committee
OIG suggests every provider designate a compliance officer who serves as the “focal point for compliance activities.” (Note: OIG technically lists designating a compliance officer and compliance committee as the second element in most compliance guidance publications, after implementing policies and procedures; however, considering the scope and purpose of this chapter, this element is presented first.) Notwithstanding differences among the size, structure, and resources of organizations, compliance officers should be in a position to effectuate the compliance program. This requires having adequate resources, such as funding and staff, as well as authority, such as the ability to report directly to an entity’s chief executive officer or other senior management. To avoid potential conflicts of interest, the OIG specifically suggests the compliance officer should not report directly to general counsel or the chief financial officer.
The primary responsibilities of a compliance officer can be summarized as:
Overseeing and monitoring the compliance program;
Communicating and collaborating with the governing body on compliance issues;
Making changes to the compliance program in response to the needs of the organization;
Training and educating employees, management, and contractors on compliance standards;
Coordinating personnel issues with human resources, especially ensuring practitioners are appropriately licensed and not excluded from Medicare/Medicaid programs;
Collaborating with other department managers and personnel in conducting internal compliance reviews and monitoring activities; and
Investigating compliance matters and implementing corrective actions, including appropriate reporting obligations.
(Note: OIG acknowledges that, depending on the resources of an organization and the ability to retain a full-time compliance officer, these responsibilities may have to be added to other management responsibilities.)
Depending on the size and complexity of an organization, it may be impossible for one compliance officer to effectively accomplish all these responsibilities. For this reason, the OIG “recommends that a compliance committee be established to advise the compliance officer and assist in the implementation of the compliance program.” The compliance committee is essentially an extension of the compliance officer, with the goal of effectively fulfilling the same responsibilities listed for the compliance officer. This goal is furthered by utilizing personnel with a variety of skill sets and personality traits that may enhance the effectiveness of compliance efforts.
Depending on the type of provider, federal and state regulations may impose requirements for additional compliance personnel. For example, as of November 2019, federal regulations require nursing facilities that are part of a chain of five or more to have designated compliance liaisons at each facility. To some extent, each nursing facility may operate as a separate unit of the organization, so having a facility-level compliance liaison ensures the compliance officer has a direct line of communication with each nursing facility. In sum, adequate staffing is a key component of any effective compliance program.
The compliance officer is in a unique position to identify suspected FCA violations and other fraudulent activities. A clear and documented procedure should be in place for reporting all compliance concerns through means that end with the compliance officer. In this manner, the compliance officer is able to recognize widespread concerns or patterns of suspicious activity, which may appear trivial in isolation.
The FCA is specifically concerned with fraud (i.e., intentional misconduct or reckless disregard for the law). Widespread and repeated patterns of misconduct may serve as strong evidence of intentional misconduct. Generally speaking, when a compliance officer identifies the possibility of intentional misconduct, the stakes are higher, and the compliance officer should consider whether legal counsel outside of a strictly compliance function should be involved.
Development of Written Policies and Procedures and Standards of Conduct
The compliance officer should direct the development of written policies and procedures that guide the conduct of personnel throughout day-to-day operations. The subject matter of such policies and procedures should cover FCA risk areas that are unique to each provider type. FCA violations have been alleged against providers of different type, size, and location based on the following areas:
Quality of care: Where applicable, policies and procedures should begin with a commitment and process for reviewing performance and patient outcomes to assure quality care is rendered.
Patient rights: Policies should address a patient’s right to a dignified existence, freedom of choice, self-determination, and reasonable accommodation of individual needs.
False billing and cost reporting: Because the consequences for fraudulent billing can be detrimental to a provider, the identification of risk areas associated with billing and cost reporting should be a key component of a compliance program.
Employee screening: A reasonable process should be in place for screening employees who have access to patients or discretionary authority to make decisions that may involve compliance with the law. (Note: Some providers may be subject to state and federal laws that require background checks. Additionally, all employees should be screened for exclusion from Medicare/Medicaid programs.)
Kickbacks, inducements, and self-referrals: Policies should address business arrangements that are at risk for improper inducements or otherwise unlawful influence over patient care and referral activities.
At a minimum, policies and procedures should be distributed to all affected employees, contractors, and consultants. If an organization has already settled an FCA matter by entering into a corporate integrity agreement (CIA), the organization should be mindful of any additional distribution requirements pursuant to the CIA.
In addition to policies and procedures, the OIG suggests providers establish a code of conduct, which is described as “a foundational document that details the fundamental principles, values, and framework for action within an organization.” Unlike the detailed policies and procedures described, the code of conduct should be brief, applicable to all employees, and accompanied by a certification that employees have received, read, and will abide by the organization’s code.
Virtually any violation of law may serve as the basis of FCA liability, if other key elements such as intent are met. Policies and procedures should, of course, be aimed at promoting compliance with the law. There have been legal disputes, however, as to whether the violation of a policy and procedure itself may give rise to FCA liability. This debate is beyond the scope of this chapter. Organizations should nonetheless be wary of establishing unrealistic, aspirational policies and procedures that set standards above and beyond regulatory requirements or practical limitations.
Conducting Effective Training and Education
The compliance officer should design and oversee the implementation of a training and education plan that addresses the organization’s compliance program, including fraud and abuse laws such as the FCA. As with policies and procedures, specific training should be provided on compliance topics including fraud and abuse risk areas that may be unique to each provider. A variety of teaching options is available, depending on the organization’s resources. But training should always be provided in a manner that accounts for the skill, experience, knowledge, and responsibilities of the relevant trainees.
State and federal authorities may establish minimum hourly training requirements on particular topics, including common state and federal FCA violations. Regardless of whether an organization is subject to mandated requirements, OIG suggests the compliance officer establish a minimum hourly requirement that is a condition of continued employment. The compliance officer should document all training undertaken as part of the compliance program. When potential FCA violations are identified, records of training conducted in an effort to prevent such violations should be collected and preserved. The organization may be able to use these materials in its defense or as evidence of preemptive, ameliorative measures.
Developing Open Lines of Communication
As discussed, clear methods for communicating potential FCA violations should exist. Procedures may contemplate supervisors as a first line of communication for reporting compliance issues, but the compliance officer should serve as a contact point in the chain of communication. Further, personnel should also look to the compliance officer for clarification on policies and procedures. Yet personnel cannot effectively communicate with a compliance officer who is inaccessible, or worse, unknown to personnel. Thus, it is incumbent on the compliance officer to develop open lines of communication for reporting compliance concerns, which may include hotlines, emails, newsletters, and other forms of information exchange.
There may be times when employees feel more comfortable reporting substantial compliance concerns anonymously. Procedures should be established and communicated that allow reporting while preserving anonymity to the extent possible. Regardless of how compliance issues are reported, a log should be maintained to record nonprivileged information about the issue, investigation, and results.
Internal Monitoring and Auditing
The compliance officer should facilitate and document an ongoing process for monitoring and auditing the implementation and effectiveness of the compliance program. Whoever conducts the review should have subject matter expertise, be objective and independent, and have access to all necessary resources. Reports on compliance activities should be communicated directly to compliance personnel and the chief executive officer.
Assessment areas should include specific FCA risk areas unique to the provider, based on past self-audits and compliance history. There are many techniques available for monitoring and identifying risk areas, including the following methods:
Sampling protocols that allow identification and review of variations from established baselines or national trends.
On-site visits and unannounced mock surveys and audits to evaluate and test compliance with federal and state healthcare statutes, regulations, and program requirements.
Examination of the organization’s complaint logs and investigative files.
Legal review of contractual relationships with contractors, consultants, and potential referral sources.
Reevaluation of compliance issues identified by past external surveys and audits.
Reevaluation of personnel who previously have been reprimanded for conformance.
Questionnaires designed to elicit feedback from a broad cross section of personnel on compliance matters.
The compliance program itself should also be subject to this ongoing auditing and monitoring process. The compliance officer should periodically confirm whether the program’s compliance elements have been satisfied. If areas for improvement are identified, then the compliance officer should ensure the program is modified accordingly.
A common issue in FCA investigations is analyzing whether the identification of specific misconduct triggers the requirement for further audits or internal reviews. Organizations that identify evidence of widespread noncompliance have an obligation to investigate the full scope of the problem. In certain circumstances, failing to appropriately conduct internal audits and monitoring may itself give rise to FCA liability.
FCA liability can, in some circumstances, be based on patterns of fraudulent activity, which evidence intentional schemes. Such fraudulent schemes may be sophisticated and elude detection by laypersons. Thus, the compliance officer should consider whether internal or external subject matter experts should be used for purposes of internal monitoring and auditing of more complicated risk areas (e.g., cost reporting).
Responding to Detected Deficiencies and Developing Corrective Actions
In some form, the compliance officer should be apprised of all violations of an entity’s compliance program. This is true even if management in the department where the violation occurred is appropriately detecting and responding to the issue. FCA violations take many forms and may endanger patients and affect a provider’s legal status and reputation. Even seemingly minor transgressions may reveal trends or patterns indicative of intentional, fraudulent schemes.
Upon receipt of a report of suspected noncompliance, the compliance officer should facilitate an immediate review of the situation to determine whether a material violation has occurred. While any response depends on the situation, a key consideration is whether fraud is involved (i.e., intentional or reckless misconduct). Where fraud is involved, the stakes are potentially much higher, and an internal investigation by outside counsel may be warranted. Special considerations for internal investigations of fraud are discussed later in this chapter.
When a violation is detected, the compliance officer should facilitate decisive action to correct the issue. Such action may include a corrective action plan, discipline of employees, return of an overpayment, and a self-report to the government. Incidents involving mistreatment, neglect, and abuse of patients must be immediately reported. When overpayments are detected but fraud is not present, normal repayment channels can be used by the billing department. For reporting fraud, the OIG has established self-disclosure protocols to encourage voluntary reporting of fraud. OIG suggests the report and return of an overpayment should occur no more than 60 days after the overpayment is identified and quantified. The 60-day rule applies to certain types of Medicare payments. In other context, the 60-day rule may not apply, but the OIG nonetheless suggests using the guidance accompanying the 60-day rule to avoid the possibility of a reverse false claim. The compliance officer should maintain thorough documentation of the allegation, review, and corrective action taken.
Consistently Enforcing Disciplinary Standards
The compliance officer should facilitate the development and dissemination of disciplinary policies that set out a range of consequences for compliance violations. The severity of disciplinary sanction should be tailored to the severity of the violation, which may include termination for fraudulent (i.e., reckless or intentional) misconduct. Managers and supervisors should be aware of their obligation to discipline employees who violate the compliance program. Sanctions should be applied consistently across all levels of employees, which means managers and supervisors must also be subject to discipline for their own failures.