OIG issues additional guidance to healthcare boards regarding compliance efforts and oversight

The Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services, together with leading legal, audit and compliance collaborators, recently issued the fourth in a series of publications providing practical guidance to healthcare governing boards in developing, implementing, maintaining and evaluating their organizational compliance programs. The latest, entitled Practical Guidance for Health Care Governing Boards on Compliance Oversight, gives additional insight into four specific areas a board should consider when evaluating the effectiveness of its compliance oversight process.

The OIG report reiterates the principle that, as part of their fiduciary duty of care, the directors of every investor-owned and nonprofit healthcare organization have a fundamental obligation to understand and oversee the organization’s compliance efforts. This requires the board to exercise good faith efforts to ensure that there is a corporate reporting system to regularly bring timely and appropriate compliance information to the board’s attention in the ordinary course. The OIG expects the governing board to exercise “meaningful effort” to review the adequacy of the organization’s compliance systems. This is not a “one size fits all” analysis; rather, each board must tailor its processes to the size, complexity and individual risks applicable to its own organization. The board’s efforts may include participation in educational programs and consultation with independent professionals to demonstrate the board’s commitment to identifying and understanding the organization’s scope of risk, emerging regulatory requirements, and industry best practices.

The first area highlighted by the new report is the governing board’s role in oversight of departments critical to the compliance program. The report emphasizes the importance of the board’s role in defining the responsibilities of, and relationships between, the internal audit, compliance, legal, human resources, and quality improvement functions within the organization. These functions should operate independently of physicians and operations management. The board and senior leadership should describe each department’s role within the compliance program and how they are expected to cooperate and collaborate with one another. The board should periodically evaluate the adequacy and independence of each department and whether it is operating free from organizational bias, with uninhibited access to relevant board committees. It should also evaluate how executives and managers interact to identify and investigate risks, avoid duplication of effort, implement corrective actions, and communicate across departments.

Second, the report recommends that a board set and enforce expectations for regular reporting of risk mitigation and compliance efforts from key managers in these departments, with each reporting separately and independently of one another. The organization should identify individuals who are in the best position to provide relevant information about operational risks. The board and management should work together to identify relevant content and a reporting format, such as a dashboard or scorecard, sufficient and workable for the board’s use. This reporting to the board may include, for example, information regarding internal and external investigations; significant issues raised by audits; allegations of material fraud or senior management misconduct; and management exceptions to the company’s code of conduct or its expense reimbursement policy. The OIG also suggests regular “executive sessions” with individuals from the departments listed above to encourage ongoing dialogue.

Third, a board needs to understand how management defines and identifies compliance risks, particularly in the areas of referral relationships and arrangements, billing and coding, privacy breaches, and quality of care events. The organization should look beyond internal data to external sources of information such as peer information, national benchmarks, and industry developments in reimbursement and quality reporting. The board should understand how management handles identification of probable violations of law and the possibility of voluntary self-disclosure.

Finally, the board should ensure that compliance is a “way of life” for the entire organization, by assuring that the organization has adopted methods of encouraging consistent, enterprise-wide accountability for measuring and achieving compliance goals and objectives. Depending on the organization, this could be a carrot, such as an incentive bonus; a stick, such as a negative evaluation or the withholding or even clawback of an incentive; or both. The board should also evaluate whether employees are generally confident that raising compliance concerns will not result in retaliation.

A robust and effective compliance program is crucial to a governing board’s exercise of its fiduciary duty of care. The release of periodic guidance by the OIG and its industry collaborators provides a perfect opportunity for a board to review and improve its processes and ensure that the organization is aligned with the latest recommendations.

A copy of the latest guidance is available at https://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf

If you have any questions about this update or if we can assist you with these or any other legal matters, please contact one of the lawyers in our Healthcare Industry Practice Group.

This update has been provided for clients and friends of McAfee & Taft A Professional Corporation. It does not provide legal advice, and is not intended to create a lawyer-client relationship. Readers should not act upon information in this update without seeking professional counsel.