For over a decade, the Department of Health and Human Services Office of Inspector General (OIG) has focused on Board of Directors’ fiduciary and Compliance Program oversight obligations. Now, Corporate Integrity Agreements (CIAs) also mandate that Boards follow the principles set forth in guidance documents from the OIG and the American Health Lawyers Association (AHLA). The most recent, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight,” was published earlier this year. Other similar publications emphasize the need for Boards to be fully engaged in their oversight responsibility. They also provide guidance on determining the adequacy and effectiveness of the organization’s Compliance Program, evaluating the performance of those who develop and execute that program, and making compliance a responsibility for all levels of management. Reviewing these OIG documents is well worth the time and effort since they telegraph expectations.
The OIG guides address: (1) the roles of and relationships between the organization’s audit, compliance, and legal departments; (2) the mechanisms and processes for issue-reporting within an organization; (3) approaches to identifying regulatory risks; (4) methods of encouraging enterprise-wide accountability for achieving compliance goals and objectives; and (5) the importance of including a professional with health care compliance expertise on the Board. The guides also call for engaging experienced compliance consultants to provide independent feedback on program effectiveness. Such feedback includes identifying risk areas, providing insight into best practices in governance, and advising on other substantive or investigative matters.
Tom Herrmann, JD, is a former Appellate Judge on the Medicare Appeals Board with many years of experience in evaluating Compliance Program effectiveness. He noted, “In my decades-long experience working in the Office of Counsel to the IG, I see what is happening with Boards as part of an evolutionary process. Going back nearly twenty years, the OIG has made clear in voluntary compliance guidance that it believes an effective Compliance Program begins at the top—that is, at the Board level. The OIG has found that most organizations that run afoul of Federal laws and regulations had lax management and Board oversight. As a result, it is logical for the OIG to put more teeth into ensuring proper oversight.”
Board Obligations Under CIAs
In the recent Tuomey Healthcare System CIA, the OIG included a four-page section on “Board of Directors Compliance Obligations.” It requires the Board to include independent members and to review and oversee compliance-related matters. The Board must also oversee the Compliance Officer and Executive Compliance Committee’s performance. Further, the Board must submit a report to the OIG describing the documents and other materials it has reviewed. The report must state any additional steps the Board has taken as part of its oversight, such as engaging an independent advisor or other third-party resource. For each reporting period, the Board must adopt a resolution that each member signs. The resolution summarizes the Board’s review and oversight of the Compliance Program, and the organization’s adherence to Federal health care program requirements and its obligations under the CIA. Another standard element in the CIA requires the Board to appoint a Board Compliance Expert in corporate governance to specifically oversee the Compliance Program.
The Millennium Health CIA carries similar mandates for the Board as the Tuomey CIA. However, for the first time, it also requires retaining a majority of independent Board members. The OIG has underscored the importance of the Board and senior level management’s direct involvement in understanding the meaning of compliance with state and federal requirements, and ensuring that the organization takes steps to be compliant.
Steve Forman, CPA, is a former Director of Management Operations for the OIG. He has developed Compliance Programs and performed Compliance Program evaluations for the past 12 years. He notes that “it is very common to encounter Boards with only a limited understanding of the Compliance Program. Most Boards have an Audit and Compliance Committee with members who are knowledgeable about audit issues, but have very limited understanding of compliance. The result is a tendency for audit issues to drive out compliance matters.”
11 Tips for Compliance Officers
- Brief and educate senior management and the Board on OIG guidance and CIAs as they relate to each group’s responsibilities.
- Advise that the Board to consists of a majority of independent members.
- Recommend that at least one member of the Board’s Compliance Oversight Committee is compliance literate (knowledgeable on health care compliance).
- Advise the Board to develop an annual resolution signed by all members of the Compliance Committee that recaps its compliance oversight activities.
- Educate and train the Board on how to properly oversee the Compliance Program, including what questions it should ask.
- Implement policies, procedures, and protocols for coordinating the Compliance Office with other oversight functions, such as Internal Audit, Risk Management, and Legal Counsel.
- Ensure all high-risk operations are engaged in ongoing monitoring for compliance.
- Develop and implement an aggressive auditing program that verifies ongoing compliance monitoring, and validates that it is achieving its objectives.
- Deliver periodic update reports on Compliance Program effectiveness to the executive and Board level compliance committees, using metrics wherever possible.
- Consider employing validated compliance surveys of employees (alternating between knowledge and culture) as independent evidence of Compliance Program effectiveness.
- Arrange for Independent Compliance Evaluation Reviews, with results going to both the executive and Board level compliance committees.