Among the seven—by now well-known—elements of an effective compliance program, the first element deals with assignment of responsibility and infrastructure (board, compliance committee, and compliance officer), and another covers auditing and monitoring of the compliance program. Both elements are particularly important as they can harbor significant risk of inefficiencies, abuse, and potentially even fraud, let alone reputational and financial damage, if they are weak and ineffectively implemented. Governing bodies, such as boards of directors, boards of managers, owners, or advisory boards (hereafter referred to as “board”), play a critical role in overseeing the compliance program of a healthcare entity. These boards need to make judgments and decisions based on information from the compliance office, internal audit, legal, operations, and external reviewers—which they may have engaged or be required to engage in certain circumstances.
Most effective compliance programs require the compliance officer to provide quarterly reports to the governing body. The reports should integrate findings and corrective actions resulting from internal auditing and monitoring activities and other compliance operations conducted by the compliance office. The compliance committee often vets content in these reports to boards before it goes to the board. However, the details, scope, and sophistication of these quarterly reports can vary greatly. Even when such routine reporting happens, there may be instances when a deeper or more independent look at the program (i.e., by an external compliance expert to the board) may greatly benefit the board’s oversight and effectiveness of the program in the long run.
Compliance expert role
An independent external compliance expert should be a seasoned professional. The expert to the board can be very helpful in strengthening the oversight and seeing the program through a fresh pair of eyes. The expert may detect ineffective structures and patterns and suggest improvements that can become a structural shift for the better. An independent expert could help bring the compliance program back on track or maintain its effectiveness in a changing and challenging environment. Assistance with, for example, risk of groupthink, personnel pressures, turnover, lacking skill sets or experience, onboarding issues in merger and acquisition situations, expansion into new business lines, significant regulatory changes, and external government scrutiny. Ultimately, a compliance expert to the board can be a tool in the compliance program’s toolbox and an investment in the entity’s compliance knowledge base.
The Practical Guidance for Health Care Governing Boards on Compliance Oversight, issued by U.S. Department of Health & Human Services, Office of Inspector General (OIG), Association of Healthcare Internal Auditors, American Health Law Association, and Institute of Internal Auditors, provides guidance, tips, and expectations for effective board oversight and states:
Although compliance program design is not a ‘one size fits all’ issue, Boards are expected to put forth a meaningful effort to review the adequacy of existing compliance systems and functions. Ensuring that management is aware of the Guidelines, compliance program guidance, and relevant [corporate integrity agreements] CIAs is a good first step. One area of inquiry for Board members of healthcare organizations should be the scope and adequacy of the compliance program in light of the size and complexity of their organizations.
Finally, a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the Board, or periodically consulting with, an experienced regulatory, compliance, or legal professional. The presence of a professional with healthcare compliance expertise on the Board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other Board members, and helps the Board better fulfill its oversight obligations. Board members are generally entitled to rely on the advice of experts in fulfilling their duties.
Clearly, based on this practical guidance that outlines regulatory expectations and best practices, having a compliance expert present or working with a board can help support the board’s compliance oversight role. Larger organizations often have a compliance professional on a board audit and compliance committee. These professionals can assist the board in asking management and the compliance office the right questions. They also can provide a broader perspective on compliance risk areas and industry trends—even on the performance of the compliance officer. Feedback on the overall design of the compliance program based on their experience and other programs they might have seen is another benefit. The expert can also offer board training that addresses the unique compliance responsibilities of healthcare board members, including the risk and oversight areas, and strategic approaches to conducting oversight of a healthcare entity.
CIAs set out the government’s expectations for a compliance program. In addition to independent review organizations (IROs) that are used to assist OIG with monitoring entities that have settled with the Department of Justice (DOJ) and entered into a CIA with OIG as part of the settlement. Many entities under CIAs also are required to have a compliance expert to the board. The requirement in CIAs typically is as follows and may be performed annually after the first reporting period of the CIA or less frequently:
The board must retain an individual or entity with expertise in compliance with federal healthcare program requirements (compliance expert) to review the effectiveness of the entity’s compliance program (compliance program review).
The compliance expert must create a work plan for the compliance program review and prepare a written report about the compliance program review.
The written report (compliance program review report) shall include a description of the compliance program review and any recommendations concerning the entity’s compliance program.
The board must examine the compliance program review report as part of its review and oversight of the entity's compliance program.
The corporate integrity obligation of having a compliance expert engaged by the board, i.e., not by the compliance office, provides for both an independent review and insight into the compliance program but also an obligation to read and act upon the report. While the expert performs a reviewer role and does not have to comply with the stringent independence and objectivity requirements consistent with Yellow Book standards and scope outlined in such appendices of the CIA that IROs must follow, a certain level of independence and objectivity would still be expected to avoid reviewing one’s own work.
However, there is plenty of room for assistance to the board by the expert through findings and recommendations as an outcome of the review and report. In my experience, the review process is often as much a learning opportunity for the entity undergoing the review as it is an audit experience for the compliance office, management, and the board. With appropriate timing of the review corrections can be made well before the annual report to the OIG is due.
Compliance expert activities
When hiring a compliance expert, on a voluntary basis or due to a CIA, a seasoned professional can be expected to cover the following areas (and possibly more):
Job description of compliance officer and charters of compliance-related committees
Compliance policies and procedures’ comprehensiveness and updates
Training plan, materials, and timely completion rates
Exclusion screening documentation for employees and vendors
Centralized risk assessment process
Role of the compliance committee in risk assessment and identification
Certifications and licensure issues
Compliance monitoring of high-risk areas (e.g., related to provider arrangements, billing and coding, marketing, patient privacy, etc.)
Design of the overall compliance program
In CIAs with OIG, the board and management members need to sign annual certifications submitted to the government. These certifications imply that they conducted proper oversight and ran operations in a manner that included adequate compliance procedures and controls in their processes. Compliance officers and CEOs are also required to certify their annual reports to OIG. The compliance expert typically coordinates and works with the compliance department and interacts with compliance committee members. Therefore, the expert’s review process will provide feedback on the compliance program to most (if not all) who need to sign certifications and benefits—not just board members.
DOJ resolution agreements
DOJ in a recent corporate resolution with Glencore mandated that the CEO and chief compliance officer certify that their program is reasonably designed to detect and prevent violations. This is the first corporate resolution agreement requiring such certification and appears to become DOJ policy. A specific compliance certification form is part of the resolution agreement.
Certifications generally have the advantage of strengthening attention to compliance. But while these certifications in resolution agreements may be intended to incentivize the CEO and chief compliance officer to put forward a strong and good faith program, they may also make them personally liable under penalty of perjury if their attestations are made without due diligence and care to ensure the effectiveness of their company’s compliance program. Boards, the compliance officer, and CEO will be better protected if they have a compliance expert conducting an independent review and preparing a report for their use and action as part of their due diligence to support the certifications.
A compliance expert who periodically reviews the compliance program for effectiveness in design and implementation is a reasonable and prudent investment into the compliance knowledge of a healthcare organization. Any mature program would want a periodic independent look and some new ideas to consider. Working directly with the board will likely also put more emphasis and support on follow-up action based on the compliance expert’s findings and can make such experts agents of change.
Compliance experts to boards are seasoned professionals and can be mandatory or voluntary.
Compliance experts review programs for core elements of an effective program independently and objectively.
Compliance officer certifications mandated by U.S. Health & Human Services, Office of Inspector General in corporate integrity agreements or Department of Justice in corporate resolution agreements are noteworthy.
Compliance experts’ reports can contribute to due diligence and a good faith effort by the compliance officer, management, and board to sign a certification.
Compliance experts to boards are independent and can be an investment in compliance knowledge.