Documentary Pillars to Support Effective Compliance Programs

Twenty Key Documents.

Both the Department of Health and Human Services Office of the Inspector General (OIG) and Department of Justice (DOJ) note that proper infrastructure is necessary to support an effective compliance program. This infrastructure, in turn, depends upon key documents that serve as supporting pillars. Without these documents, no compliance program can be considered truly effective. Most of these documents are identified in the OIG compliance program guidance documents and DOJ Evaluation of Corporate Compliance Programs guidance.

The following list describes some important compliance program supporting documents.

1. Code of Conduct. This item can be viewed as the Constitution of the organization and should be distributed to all covered persons. It should provide general guidance, while the details of compliance operations should be outlined in written policies and procedures.
2. Board of Directors Compliance Committee Charter. A charter that establishes the board’s support of the compliance program provides evidence of commitment to compliance from the top of the organization.
3. Executive Compliance Committee Charter. This document should establish the committee’s oversight and support for the compliance program and define its roles and responsibilities. It provides additional evidence of promoting a “culture of compliance.”
4. Compliance Officer Position Description. It is important to formally document the responsibilities, authority, and reporting relationships of this position.
5. Protocols for Interactions Between the Compliance Department and Legal Counsel, Human Resources, Internal Audit, etc. Many functions overlap or intersect with compliance, and working relationships need to be defined to avoid “turf issues” that undermine effectiveness.
6. Compliance Education and Training Policy. This item should describe the development and implementation of regular, effective education and training programs for all affected parties. It should describe the general topics to be covered, the frequency of training administration, and the documentation of training completion.
7. Hotline Policy. Organizations should maintain a written policy that establishes a process to receive and handle complaints. The policy should also describe how individuals can report concerns, ask questions, and request guidance without fear of retaliation.
8. Duty to Report Policy. The organization’s written guidance must clearly communicate that all covered persons have an affirmative duty to report suspected and known wrongdoing, including violations of the Code of Conduct, policies, laws, and regulations.
9. Policies Addressing Ongoing Monitoring of High-Risk Areas. Program managers are responsible for monitoring operations to identify risks, developing and implementing written guidance for staff, training staff on compliance, and overseeing policy implementation.
10. Policies Addressing Ongoing Auditing of High-Risk Areas. These policies should address independent reviews of high-risk areas to verify that ongoing monitoring is operating effectively and mitigating compliance risks.
11. Policies Addressing Non-Engagement of Sanctioned Individuals and Entities. These policies should specify that there will be no engagements, contracts, referrals, or prescriptions accepted from individuals and entities that are sanctioned, excluded, or debarred from federal and state health care programs.
12. Sanction Screening Policy. This policy should describe (a) who must be screened, (b) which databases must be utilized for screening, (c) frequency of screening, (d) the individuals responsible for managing the screening process, (e) how potential matches are resolved, and (f) how screening results are documented.
13. Conflicts of Interest Policy. This policy should require that all potential conflicts of interest be disclosed and outline a method for addressing them.
14. Anonymity Policy. The OIG and DOJ stress the importance of permitting employees to report potential wrongdoing anonymously.
15. Confidentiality Reporting Policy. A separate policy document should address protection of identity for individuals who make reports and request confidentiality. This process is different from that for anonymous reporting, wherein the reporting party is not identified.
16. Non-Retaliation Policy. This policy should address protection against retaliation for those who report potential wrongdoing.
17. Document Management and Retention. This policy should outline retention and destruction requirements for physical and electronic documents.
18. Compliance Investigation Policy. Both the OIG and DOJ make it clear that complaints and allegations of wrongdoing should be properly investigated through resolution. Organizations should ensure that a policy document outlines an internal investigation process.
19. Disciplinary Policy. The OIG and DOJ expect that organizations with effective compliance programs will take appropriate action when violations are detected and implement consistent disciplinary action for individuals at all seniority levels.
20. Disclosure Policies. Overpayments are common. When identified, they may need to be disclosed to the proper authorities. The same holds true for potential violations of law or regulations.

Developing and implementing these documents is only a starting point. All compliance program documents should be reviewed on an annual basis and updated as necessary. All policies should be written in a consistent format to be user-friendly and prevent confusion or conflicting statements.

For more information on this topic, contact Richard Kusserow at [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.