Effective compliance programs are instrumental to successfully run healthcare organizations that engage their workforce and implement ethical systems that contribute and provide patient care and services consistent with healthcare laws, rules, and regulations. The ever-changing regulatory landscape can be daunting. Running the daily operations of an effective program isn’t easy. However, certain basic elements provide a guide to running an effective compliance program and, if monitored and implemented properly, make the job easier and help guide the organization out of harm’s way.
What are the benefits of having an effective compliance program and the risks of not having one? This chapter explains those benefits and risks, and it details the by-now-familiar seven elements that apply to every compliance program. These elements are based on the seven steps outlined in the Federal Sentencing Guidelines issued by the United States Sentencing Commission (USSC). Every effective compliance program should begin with a formal commitment by the governing body/board to these elements. The seven elements drive an organization’s operation and require tailoring to its unique circumstances to ensure that processes are efficient and effective. This chapter also provides a background on government programs and what expectations regulatory enforcement groups have set forth for effective programs, such as the United States Sentencing Commission (USSC), U.S. Department of Health & Human Services (HHS) Office of Inspector General (OIG), Department of Justice (DOJ), and the Centers for Medicare & Medicaid Services (CMS), among others.
The compliance profession has evolved and matured over the last 30 years, and much has been learned. This manual provides an overview of the major concepts as a useful refresher for veterans as well as a helpful go-to guide for newcomers. The following sources of information can be consulted on background, regulatory requirements, and reasons for voluntary and mandatory compliance programs. Keep these sources and concepts in mind when updating and maintaining a compliance program.
Benefits of a Compliance Program
On a very basic level, a compliance program is about prevention, detection, correction, collaboration, and enforcement. It is a system of policies, procedures, and processes developed and implemented to assure compliance with and conformity to all applicable federal and state laws and regulations governing a healthcare organization. An effective compliance program is not a quick fix to the latest hot problem nor a project that would ever be completed—it must be an ongoing process and part of the fabric of an organization, a commitment to an ethical way of conducting business, and a values-based system for doing the right thing. The compliance program relies on the participation of everyone at a healthcare organization.
There are many benefits to having a compliance program at an organization. The HHS OIG specifically addresses these benefits in all its program guidance documents. First and foremost, an effective compliance program safeguards an organization’s legal responsibility to abide by applicable laws and regulations. Other important potential benefits identified by the OIG include the ability to:
Demonstrate to employees and the community the organization’s commitment to good corporate conduct.
Identify and prevent criminal and unethical conduct.
Improve the quality of patient care.
Create a centralized source of information on healthcare regulations.
Develop a mechanism for reporting.
Develop procedures that allow the prompt and thorough investigation of alleged misconduct.
Initiate immediate and appropriate corrective action.
Reduce the organization’s exposure to civil damages and penalties, criminal sanctions, and administrative remedies such as program exclusion.
Legal Consequences of Noncompliance
Avoiding penalties and fines that impact not only the financial health but also the reputation of an entity can be a major incentive to having a compliance program. Should the government find that an organization is guilty of fraud and abuse, the penalties can be severe. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) added healthcare fraud related offenses to the federal criminal code. That is, it makes it a criminal offense to commit healthcare fraud, which in some cases can include actions such as submitting false or fraudulent claims based on incorrect codes, providing medically unnecessary services, or billing for services not provided, and the government has the power to exclude the organization from Medicare, Medicaid, and a long list of other government programs. Indeed, the Balanced Budget Act of 1997 has a “three strikes and you’re out” clause, requiring permanent expulsion for any healthcare organization found guilty of fraud a third time. The financial implications due to loss of business can be profound.
Without an effective compliance program in place, there is also increased threat of qui tam lawsuits. The False Claims Act (FCA) empowers the government to investigate and bring civil action in fraud cases. The FCA also allows private citizens to bring civil actions against an organization in the name of the United States. The act provides significant financial incentives for private citizens to come forward. Such actions are called qui tam suits (a qui tam relator is a whistleblower). In healthcare fraud and abuse actions, the whistleblower can be eligible to receive anywhere from 15%–25% of the government’s total award for the case if the DOJ decides to assume the case, and 25%–30% of the total award if the DOJ declines the case.
The government has no requirements or expectations about a whistleblower informing or approaching an organization first, creating a “qui tam paradox.” The government promotes an environment of trust where problems are brought forward and resolved; yet whistleblowers are rewarded whether they have tried to solve the problem internally or not. It is not out of the realm of possibility for an organization to hear about an issue for the first time directly from the government.
The government can also impose an agreement, such as a corporate integrity agreement (CIA) or an integrity agreement (IA), against an organization. In order to avoid lengthy and expensive litigation, an organization that negotiates a CIA or IA with the government admits no fault or liability but does submit itself to a government plan for corrective action. Government-imposed CIAs have been onerous in the past—and there is every reason to think they will likely become more onerous in the future. CIAs usually have a five-year duration, and IAs for smaller entities typically have a three-year duration.
Furthermore, follow-up for CIAs is becoming more severe, with potentially more unannounced audits. Reporting requirements can be extensive. In CIAs there are often mandatory independent review organizations that perform external reviews as part of the healthcare entity’s corporate integrity obligations. These mandatory reviews typically involve systems- and transactions-related reviews, such as for claims or arrangements. In some cases, an on-site government-appointed monitor is mandated as part of the agreement, whose responsibilities are integrated into the compliance program oversight process. Overpayments identified as part of the review can lead to reporting and refunds to federal healthcare program payers. And in CIAs, the government may even require the board to consult with a compliance expert who annually reviews the compliance program for its effectiveness and prepares a report for the board.
Assessing Fines and Determining Culpability
An organization found guilty of fraud is also subject to fines. In 1984, Congress enacted the Sentencing Reform Act of 1984, which was designed to correct inequities in federal sentences. This legislation includes the Federal Sentencing Guidelines, which include guidance for assessing fines and detailed methods for calculation of a culpability score. Chapter eight, titled “Sentencing of Organizations,” “is designed so that the sanctions imposed upon organizations and their agents, taken together, will provide just punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct.” Possible sanctions include fines, restitution, forfeiture, and probation. The existence of an effective compliance program, self-reporting, cooperation, acceptance of responsibility by the organization, and having made a good faith effort are important factors that mitigate an organization’s punishment.
In 2004, the USSC released “Chapter 8 Part B—Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program.” These revisions also focused on effective compliance programs. Part C of the chapter defines how organizations are fined, including how culpability scores are calculated. There are four aggravating factors to a culpability score:
If an upper-level employee has “participated in, condoned, or was willfully ignorant of the offense”;
If the violation is a repeat offense;
If the government was hindered during its investigation; and
If awareness of and tolerance of the violation were pervasive.
There are also four mitigating factors to a culpability score:
If the organization had an effective compliance program, even though there was a violation;
If the organization reported the violation promptly;
If the organization cooperated with the government investigators; and
If the organization accepted responsibility for the violation.
These factors can have a profound effect on the fine’s amount and potential sentencing of the organization. These factors also provide insight into the government’s approach to compliance programs. Keep in mind that the USSC has stated that a “compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.” That suggests that no program will ever be foolproof or perfect, but instead remains a work in progress and in need of periodic assessment and recalibration to remain effective.
On January 21, 2010, Congress adopted new amendments to the Federal Sentencing Guidelines proposed by the USSC. Two sections of chapter eight were changed. The amendments to Section 8B2.1 list the required steps an organization must take to have an “effective compliance and ethics program.” These steps are required to entitle an organization to mitigation under the guidelines. If criminal conduct has an identifiable victim or victims, reasonable steps should include providing restitution and otherwise remedying the harm from the criminal conduct. Self-reporting and cooperation with authorities are also necessary. Additional information on the USSC and its guidelines that affect compliance programs can be found later in this chapter.
Other reasonable steps include assessing the organization’s compliance program and modifying it if necessary to ensure effectiveness of the program. If the program is modified, the organization may want to retain an independent reviewer or monitor to ensure adequate assessment and implementation of modifications.