The complexity and size of an organization, as well as regulatory requirements and particular preferences of the board or governing body, affect the infrastructure of the compliance program. The size of a healthcare organization and the types of services and/or products influence where the compliance department is housed within the organizational structure and what reporting relationships of the compliance officer and compliance committee exist. As noted previously, three functions—compliance officer, compliance committee, and board/governing body—are the core components that define the infrastructure and assigned responsibility for the compliance program. Organizational charts displaying these three components and their functional relationships vary.
In smaller organizations, such as small group practices, the compliance function may be performed as a part-time duty by the practice administrator. Smaller entities or individual practitioners with a very small staff may not have or need separate compliance committees, as decision-making is in the hands of very few. Larger national organizations or health systems, on the other hand, usually have a full-time corporate compliance officer/chief compliance officer with regional or facility compliance officers or compliance managers as direct reports. They also establish compliance committees that include senior leadership.
Larger organizations that have an international presence, a variety of lines of business, and activity in multiple segments of the healthcare industry (provider or supplier, insurance, health information technology), or publicly traded organizations, sometimes prefer corporate compliance to be more closely linked with the legal department. In these cases, the compliance department may be integrated with the legal department. While this is not considered to be aligned with expectations set forth in corporate integrity agreements (CIAs) (where the subordination of the compliance officer to legal counsel or the chief financial officer should be avoided), healthcare organizations ultimately need to design a compliance program that meets their unique needs and requirements.
Compliance oversight of operations should be independent from operations and hence can also be considered akin to the internal audit department. While internal audit focuses on whether operational processes and internal controls are functioning properly and as expected, compliance is concerned with whether controlled processes have compliant outcomes consistent with compliance policies and procedures, laws, and regulations. Some organizations have combined compliance and internal audit departments. There is much debate in the industry on these relationships across departments. However, the independence of the compliance department and its role to engage the workforce through training/education, maintain confidential channels to report and register complaints without fear of retaliation, and promote ethical behavior are not in question.
A typical requirement in CIAs and a practice that raises the level of importance and authority of the compliance department is the compliance officer’s direct reporting relationship to the CEO. The Office of Inspector General (OIG) considers there to be some risk involved in having the compliance officer report to general counsel or to the chief financial officer. Separation of compliance from legal and finance when possible, the OIG argues, helps ensure that legal reviews and financial analyses are independent and objective. In 2015, the OIG, Association of Healthcare Internal Auditors, American Health Lawyers Association, and the Health Care Compliance Association released the Practical Guidance for Health Care Governing Boards on Compliance Oversight.[2] This guidance states, “Boards should be aware of, and evaluate, the adequacy, independence, and performance of different functions within an organization on a periodic basis.” The OIG believes an organization’s compliance officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner. This separation of duties is also typically mandated in CIAs. According to a 2018 survey conducted by the Society of Corporate Compliance and Ethics & Health Care Compliance Association, The Relationship between the Board of Directors and the Compliance and Ethics Officer, a little more than 57% of the compliance officer respondents reported to the board in healthcare organizations. Of those healthcare compliance officers who did not report to the board, 56% reported to the CEO.[3]
Regardless of the functional reporting relationship of the compliance officer within the organizational structure, every effective compliance program should always have a compliance officer with direct access to the board/governing body or board-level committee.
The size of the compliance department and availability of resources also depend on how legal, internal audit, and human resources work together and to what degree the compliance department has access to resources and skill sets that reside in those departments. Knowing the resources and commitments of support available from other departments is important when preparing the compliance department’s annual budget, which should be discussed with the compliance committee and approved by the board.