Frequently Asked Questions: Compliance Programs

Compliance is the action or fact of complying with a set of internal or external rules. Internal rules may be in the Code of Conduct, controls, and policy documents. External rules would include laws, regulations, standards, or third-party contractual obligations. 

Compliance programs with gaps in staffing may rapidly degenerate quickly. Engaging contractors to temporarily assume duties is preferable that taking the risk of turning to internal unqualified staff. Properly experienced and knowledgeable professionals can quickly assume duties and provide high-value services for day-to-day compliance program management often on a part time basis, while seeking permanent replacements.

A Compliance Plan is a statement of intent and proposed actions for doing or achieving compliance objectives, whereas a compliance program relates to actions to implement the plan.   

The USSC is a federal agency created to develop Federal Sentencing Guidelines for judges, also used by DOJ prosecutors, in determining aggravating and mitigating factors in cases involving organizations. They define seven standard elements for compliance programs.  The DHHS-OIG Compliance Program Guidance is directed at various segments of the healthcare industry that follow the USSC compliance elements. 

The seven standard elements of an effective compliance program were first defined in the United States Sentencing Commission “Guidelines for Organizations” and included in the DHHS OIG Compliance Program Guidance documents.  They include:  

(1) Implementing written policies & procedures and a Code of Conduct  

(2) Designating a compliance officer and compliance committee  

(3) Conducting effective training and education  

(4) Developing effective lines of communication (e.g., Hotline)  

(5) Conducting internal monitoring and auditing  

(6) Enforcing standards through well-publicized disciplinary guidelines   

(7) Responding promptly to detected problems and undertaking corrective action. 

Beginning in 1997, the DHHS OIG has issued Compliance Program Guidance promoting development of voluntary compliance programs for various sectors of the healthcare industry, including hospitals, nursing homes, third-party billers, and durable medical equipment suppliers. The Guidance encourages development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.  All the guidance is built around the standard seven elements of an effective compliance program. 

The OIG is continuously assessing, evaluating, and prioritizing issues that put Health and Human Services programs (HHS) at risk. The Work Plan is a listing of high-risk focus areas where the OIG will assign resources to conduct audits, reviews, or investigations. The Work Plan is updated monthly, and items are added and removed as new risk priorities are identified and reviews are completed.

In 2019 and 2020, the DOJ issued Guidelines to be used by prosecutors in assessing compliance program effectiveness. The guidelines assist in prosecutors in their’ evaluations and help them determine mitigating or aggravating factors.  The focus is on whether a compliance program is: “well designed”; “being applied earnestly and in good faith”; and “works in practice.”  The DOJ has continued to move away from checklist process output questions to focus more on the outcome of the compliance program and whether it resulted in a “culture of compliance.”    

Both the OIG and DOJ have made it abundantly clear that when they encounter an organization that violated laws and regulations, they will determine whether the wrongdoing was as result of individual (rogue) misconduct or as result of a culture that encourages wrongful practices or failed to actively be involved in preventing them.  The existence of an effective Compliance Program is viewed as a mitigating factor, and the absence of a program is considered an aggravating factor in enforcement actions and level of penalties.  The OIG also determines if a Corporate Integrity Agreement (CIA) is necessary and if so, what conditions should be included. 

Government rules and regulations require healthcare providers to have a compliance program in place. Not having one or having one that is ineffective increases the risk of costs that are economic, reputational, and even criminal. An effective healthcare compliance program is important to help them avoid costly penalties, fines, or more. Furthermore, it can help increase their staff communication, patient care, and even improve the overall bottom line of their business. 

The CO is viewed by government authorities as an important member of executive leadership who is expected to have a direct reporting relationship with the CEO and with access to the governing board.  The CO bears responsibility for overseeing compliance within an organization and ensuring compliance with applicable laws, regulatory requirements, Code of Conduct, professional standards, accepted business practices, and internal standards. They have a duty to identify and manage regulatory risk.  They should provide reasonable assurance to senior management and the board that there are effective and efficient policies and procedures in place, well-understood and respected by all employees, and that the company is complying with all regulatory requirements. 

A Compliance Officers may be viewed as failing for many reasons, beginning with failure to adequately address all the seven compliance program elements. However, one main reason is that the CO focuses only on process numerical output data and not the result or outcome of the process (e.g., how many people trained, number of those sanction screened, hotline complaints received, policies developed, etc.). Constantly reporting process result numbers to executive leadership and board wears thin over time.  They are more interested in knowing about the return on investment in the program by a reduction in the likelihood of acts and events that could give rise to liabilities.  Focusing on process may also create what the DOJ and OIG call “hollow facades,” “paper and sham programs” that merely gives off the appearance of effectiveness, but lack substance (i.e., a “paper” program), which can be viewed as worse than having no program.  Not providing information on the results of the process in terms of outcome and effectiveness is frequently viewed as a CO failure.