Compliance Officers Should be Independent of Legal Counsel

Richard P. Kusserow | November 2023

Key Points:

The OIG has issued its long-awaited new “General Compliance Program Guidance.” This 91-page document provides updated Guidance built off decades of experience. Among key points is the clear statement concerning Compliance Officer reporting structures. The Guidance states, “the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board.”

The OIG has long held that the compliance function should not be subordinate to Legal Counsel or the CFO, as stated in the Compliance Program Guidance for Hospitals. The DOJ and OIG have maintained the view that Legal Counsel is an advocate for the organization, protecting its interests, and not an independent gatherer of facts and evidence who voluntarily discloses violations of law and regulation to appropriate authorities. They have also often encountered Legal Counsel attempting to put information under privilege to avoid full disclosure.

Corporate Integrity Agreements (CIAs) reinforced the OIG’s position regarding Legal Counsel’s involvement with compliance. They included standard language: “The Compliance Officer shall be a member of senior management…and shall not be or be subordinate to the General Counsel or Chief Financial Officer.” Organizations with Compliance Officers reporting through or to Legal Counsel or other executives will be considered outside the acceptable standard.

Despite this repeated concern, many healthcare organizations continue to do this. Results from the 2023 SAI Global Healthcare Compliance Benchmark Survey, developed with and analyzed by Strategic Management, found that 15% of respondents reported their compliance office function is part of or is reporting to Legal Counsel. Although this is more common with smaller organizations, large organizations also follow this model.

The Differences Between Compliance and Legal

Although the functions of Legal Counsel and Compliance Officer are closely related, with both performing compliance-related functions, there are significant differences, and the two functions should operate separately. Legal Counsel represents the organization’s interests in providing legal advice related to corporate transactions, contracts, intellectual property protection, dispute resolution, and other operations and business strategy matters. On the other hand, the Compliance Officer is responsible for establishing and managing the compliance program that supports compliance with regulatory requirements, best practices, and ethical standards. To carry this out effectively, they must provide independent oversight and mitigate potential non-compliance risks. As such, they must keep leadership and the Board aware of issues and ensure that identified potential weaknesses are properly addressed.

When the Legal Counsel assumes a dual role of providing legal counseling and overseeing the Compliance Program, it limits the range of viewpoints concerning compliance-related issues. However, the OIG recognizes that Legal Counsel can play a critical role in supporting an organization’s compliance program. The OIG stresses the importance of Legal Counsel in coordinating with the Compliance Officer, as needed and upon receipt of reports or reasonable indications of suspected non-compliance, to promptly investigate and determine whether a material violation of applicable law has occurred.

For organizations with the Compliance Officer subordinate to Legal Counsel, executive leadership and the Board should be informed that this is a questionable practice that should be reviewed.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.
