Developing, implementing, and maintaining effective compliance programs

Paul Mayer

Paul Mayer

Paul Mayer (pmayer@bonadio.com, linkedin.com/in/paul-mayer-027710b/) is Executive Vice President and Partner at The Bonadio Group’s Compliance Solutions Division. With more than 15 years of experience in nonprofit settings, he has held positions of Corporate Compliance Officer, Director of Corporate Compliance, Process Integrity Coordinator, and Case Manager for organizations regulated by local, state, and federal laws.

6 minute read

by Paul Mayer

A compliance program is generally defined as a company’s set of internal policies and procedures established to comply with laws, rules, and regulations. Effective compliance programs are essential in mitigating risk and avoiding penalties associated with regulatory requirements. As risk factors increase and the regulatory landscape continues to shift, maintaining an effective compliance program has become more important than ever. That’s because the consequences of not following an effective program are serious. Not only can there be significant monetary implications, but even criminal charges—depending on the severity of the offense.

One development highlighting the increased need for effective compliance programs is government audits of provider relief funds. Provider relief funds are any kind of funding provided by the government to hospitals and other healthcare providers to compensate for revenue loss and higher costs associated with the pandemic—as well as other COVID-19 federal stimulus acts and programs. These include the Coronavirus Aid, Relief, and Economic Security Act, the Coronavirus Response and Consolidated Appropriations Act, and the American Rescue Plan Act. To prevent fraud, waste, and abuse, federal agencies are now performing audits, investigating fraud claims, and prosecuting funding recipients accordingly. As a result, organizations must have effective compliance programs in place to ensure they closely follow all stimulus funding regulations.

Other recent developments underscoring the significance of effective compliance programs include regulatory compliance updates. For example, in New York State, the Office of Medicaid Inspector General recently updated the 18 NYCRR Part 521 regulations to meet the New York State Social Service Law Section 363-D amendments.[1] This provider compliance program covers providers’ eligibility to receive medical assistance payments for care, services, or supplies and guidelines for submitting claims.

The updated compliance regulations were finalized on December 28, 2022. Enforcement of these updated regulations began on March 28, 2023—90 days after they became effective. These revisions resulted in several key compliance program regulatory updates, requiring providers to understand and implement these updates to avoid noncompliance penalties.

That’s where a comprehensive compliance program comes in. While not required by law, the government does expect that all applicable organizations impacted by regulations have a clear plan for compliance.

Though compliance program requirements will vary according to factors such as industry and location, best practices for developing, implementing, and maintaining an effective compliance program are as follows:

Developing an effective compliance program

The first step is educating yourself and your team on the critical components of a fully developed and implemented compliance program. According to the U.S. Department of Health & Human Services Office of Inspector General, the seven elements of an effective compliance program include:

Written policies, procedures, and standards of conduct

A good place to start in developing an effective compliance program is establishing and documenting your organization’s policies, procedures, and standards of conduct. These written materials should then be made available to all employees within an organization. In addition, these policies and procedures should be periodically reviewed and revised.

Compliance program oversight

To ensure appropriate oversight of your compliance program, your organization must designate a compliance officer. A compliance officer is responsible for the day-to-day operations of an organization’s compliance program. This includes developing, implementing, and monitoring the compliance program. Compliance officers will report and should have direct access to an organization’s governing body. Additionally, a compliance committee should also be appointed to work alongside the compliance officer and support the management of the organization’s compliance program.

Compliance education and training

Proper training and education are vital to creating a culture of compliance and ensuring your organization abides by the relevant laws, rules, and regulations. As a result, educational training programs should be administered across your organization. This training should address topics such as risk areas, policies, procedures, standards of conduct, the role of the compliance officer and compliance committee, methods of reporting compliance concerns, disciplinary measures, and more. Three basic elements of an effective compliance training program should include sharing job-specific compliance knowledge based on need, clear communication of regulatory responsibilities based on the employee’s role, and assessments to hold employees accountable.

Because it’s easy for employees to be consumed by day-to-day tasks and forget compliance training best practices, training should be conducted not only as part of the employee onboarding process but held at least annually thereafter. At these times, employees should be reassessed to ensure the information is resonating.

Effective, confidential communication

Another fundamental element of an effective compliance program is a direct line of communication between the organization’s employees and compliance officer/committee. This line of communication will allow employees to confidentially report any noncompliance issues. Organizations should work to ensure the anonymity of complaints and protect whistleblowers from any potential retaliation. From there, employees should be provided with predetermined guidance on next steps, and the noncompliance issue should be addressed as soon as possible.

Enforcement of compliance standards

All company members—all the way down to the interns—must acknowledge and support your organization’s compliance program. Active participation and commitment to the compliance program are key to ensuring effectiveness. Disciplinary actions should be taken to address offenses to your organization’s policies, procedures, and standards of conduct.

Arguably the most significant buy-in to the compliance program is that of the organization’s senior management team. They are the mouthpiece of influence for the organization to ensure that the policies put forth by the compliance officer are fully embraced. One way to demonstrate the support of leadership is to have C-suite executives sign a management commitment statement once the program is rolled out to lead by example and showcase the importance of adhering to the proposed practices. The CEO, president, or another senior executive should also make their support for the program known by positively reinforcing compliant practices and condemning risky behaviors.

Internal auditing and monitoring

Organizations should employ a process that routinely monitors and identifies compliance risks. This should include deploying internal audits with a focus on the effectiveness of the compliance program. Organizations should focus on the risk areas identified within the regulations and share the results of all audits—both internal and external—with the compliance committee and governing body. Furthermore, these results and risk areas should be incorporated in the compliance program.

For added protection and due diligence, it may be in the best interest of organizations to periodically commission an external audit of their organization from an unbiased, third-party viewpoint. These audits can provide validation to your program or identify new risks your internal committee may have missed that need to be addressed.

Detection, resolution, and response

Continuously monitoring compliance offenses is necessary to compliance program effectiveness. Just as crucial, however, is investigating and responding to identified and reported issues. This can be done through coordinated risk assessments. These include identifying the most vulnerable areas of the organization to noncompliance and building extra safeguards to control these risks.

Assessing compliance program effectiveness

Once your compliance program has been developed and is in place, it is imperative to determine the effectiveness of the program. A compliance program is deemed effective when it is fully rooted in all aspects of an organization and supported by all staff. To determine the effectiveness of a compliance program, an organization should evaluate its program periodically, review and update its policies and procedures, survey its culture of compliance, and conduct testing to confirm that established controls are working and that any corrective plans implemented have been successful.

Another way to assess your compliance program’s effectiveness is through rigorous recordkeeping practices. This not only provides material items to be reviewed and assessed for performance but also creates a helpful paper trail should your organization be audited. Essentially, it is a way to demonstrate that due diligence and proper steps were taken to remain compliant—even if you make a misstep.

Conclusion

Most importantly, don’t get overconfident. The biggest mistake an organization can make is assuming that its compliance program is foolproof, and not being prepared to take corrective action when noncompliance is discovered can make matters worse. Every compliance program should have clear guidelines surrounding what steps to take if they believe they have found an incidence of noncompliance. Early detection and fast resolution to noncompliance can minimize the organization’s exposure to consequences and risks.

Takeaways

  • A compliance program is generally defined as a company’s set of internal policies and procedures established to comply with laws, rules, and regulations.

  • Effective compliance programs are becoming more important than ever due to increased risk factors and a shifting regulatory landscape.

  • The seven elements of an effective compliance program include: policies and procedures; program oversight; training; communication; enforcement; auditing; detection, resolution, and response.

  • Once your compliance program is in place, it is critical to assess the effectiveness of your organization’s compliance program.

  • Consider aligning with a trusted adviser who can offer specific guidance on developing, implementing, and monitoring an effective compliance program.

 
1 New York Codes, Rules and Regulations, “Title: – Part 521 Provider Compliance Programs,” July 1, 2009, https://regs.health.ny.gov/volume-c-title-18/1548014495/part-521-provider-compliance-programs.
This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

What to read next...

A busy year for OIG

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2023 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings