
Critical Written Guidance for Effective Compliance Programs

Richard P. Kusserow | March 2021

Both the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) and Department of Justice (DOJ) have communicated that effective compliance programs depend on written guidance. For most organizations, a set of 20-40 documents is sufficient and should include the following:

  • Code of Conduct. This can be considered the Constitution of the organization, and it should be distributed to all covered persons.
  • Charters for the Executive- and Board-Level Oversight Committees. These should establish oversight and support of the compliance program and define each committee’s roles and responsibilities.
  • Compliance Officer Charter/Position Description. It is important to formally define the role and responsibilities of the compliance officer. This document should also discuss the reporting relationship to the Chief Executive Officer and Board.
  • Compliance Program Policy Development Policy. It is highly advisable to standardize the form and format of policies, as well as outline the development and review process.
  • Protocols for Interactions Between the Compliance Office and Legal Counsel, Human Resources, Internal Audit, etc. Many functions of other departments overlap or intersect with those of the compliance office. Working relationships need to be defined through written protocols to avoid “turf” issues.
  • Compliance Education and Training Policy. This should describe the development and implementation of regular, effective compliance education and training programs for all affected parties. It should describe the topics covered, frequency of administration, and documentation of completion.
  • Hotline Charter/Policy. Organizations need to maintain a document that describes the process of receiving and handling complaints. It should describe how individuals can report concerns, ask questions, and request guidance.
  • Ongoing Monitoring Policy. This should provide guidance to program managers on their responsibilities to monitor departmental risk areas, develop and implement written guidance, provide training on compliance, and verify that instructions are followed.
  • Auditing Policy. This should address independent reviews of high-risk areas to verify that ongoing monitoring is operating effectively. It should also provide guidance on the management of identified problem areas. 
  • Internal Investigation Policy. This should outline the general steps that must be taken to investigate reports of possible problems and document the results of investigations.
  • Sanction-Checking Policy. This should state that there will be no engagement with, contracting with, nor acceptance of referrals or prescriptions from individuals who are sanctioned, excluded, or debarred by federal and state health care programs.
  • Conflicts of Interest Policy. This should require that all potential conflicts of interest be disclosed. It should also provide a method for addressing conflicts of interest.
  • Anonymity and Confidentiality Report Policies. Policies related to reporting compliance issues should emphasize that employees are permitted to report potential wrongdoing anonymously. The identities of those who request confidentiality should be protected.
  • Non-Retaliation Policy. This should address protection against retaliation for those who report potential wrongdoing.
  • Compliance Document Management and Retention Policy. This should outline retention and destruction requirements for physical and electronic documents.
  • Disclosure of Overpayments and Violations of Law and Regulations Policies. Overpayments are common and sometimes lead to the identification of wrongdoing. Strict rules should govern the timing and circumstances of required disclosures of overpayments to outside parties. 


The documents described above are only a starting point. All written policies should be reviewed on an annual basis and updated as necessary. This process includes retiring policies that are no longer appropriate or relevant and writing new ones. All policies should be written in a template that permits documentation of review and revision dates.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring as the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.
