11 Compliance Program Tips for Boards of Directors

Richard P. Kusserow | October 2022

The Department of Justice (DOJ) and the Department of Health and Human Services Office of Inspector General (OIG) have repeatedly noted that all effective compliance programs begin at the top of the organization, at the Board of Directors’ level. When an organization is investigated for violating laws and regulations, government investigators will look for evidence that the Board took key steps and actions to meet its fiduciary compliance duties and responsibilities in promoting a culture of compliance. The results of that review will lead to decisions on whether to bring charges or negotiate pleas or other agreements, as well as what terms and conditions would apply in any settlement agreements. For example, when negotiating Corporate Integrity Agreements (CIAs), it is common for the OIG to mandate that Board members attest to and certify compliance standards.

The following are eleven suggested actions boards should consider to ensure they are meeting compliance expectations:

  1. Establish a charter requiring that the Board be kept informed of compliance program operations, management, risks, and reports. Compliance information needs to flow up the chain of command, so it is advisable to have an executive/management level Compliance Committee, in addition to the Compliance Officer, that reports to the Board on compliance-related matters.
  2. Charter a Board Compliance Committee to assist the full Board in overseeing and keeping abreast of compliance-related matters. The Committee should meet regularly with the Compliance Officer to monitor the compliance program operations. This would provide additional evidence that the Board is committed to compliance and ensures adequate and necessary resources for the program.
  3. It is extremely important that the Board and its Compliance Committee maintain minutes evidencing their discussions and actions regarding compliance-related matters to demonstrate active commitment and support for the compliance program. Both the DOJ and OIG will ask for these minutes.
  4. The Board should meet regularly with the Compliance Officer regarding the status and progress of the compliance program and answer questions. In addition, the Compliance Officer should meet in executive sessions with the Board without members of senior leadership or management present for frank and candid open discussions about any sensitive issues, particularly those that may involve senior leadership.
  5. The Board should be briefed and educated on the current regulatory environment, identified high-risk areas, recent enforcement actions, new or amended federal and state laws/regulations, etc. Both the OIG and DOJ look to see if this is being done.
  6. There should be evidence of active involvement in overseeing and supporting the Compliance Program. For example, there should be evidence of being kept informed of compliance-related matters and taking actions, where needed, to reinforce compliance efforts.
  7. The Board should request information about the compliance risk assessment processes, including a listing of known risks, and seek evidence on how the risks are being addressed. This would include information on, and the results of, ongoing compliance monitoring by program managers and the ongoing compliance auditing process.
  8. There should be at least one independent Board member who is “compliance literate.” This means someone who has extensive background and experience with healthcare compliance. Examples of such parties would include those that had served as compliance officers, compliance consultants, attorneys who specialized in compliance-related issues, etc. It is common for the OIG, if it observes a lack of Board compliance expertise, to include a requirement in a CIA that a Board engage a Compliance Expert to help guide them on their duties.
  9. Periodically (at least every three years), the Board should engage outside experts to conduct an independent evaluation of the compliance program's effectiveness and review the resulting full reports. These evaluations should focus on outcome and not just process, as would be the case with gap analysis and checklist reviews. Results should document evidence of the progress of the program, opportunities for program improvement and enhancement, and recommended actions. The DOJ and OIG have repeatedly declared that all compliance programs should be works in progress, always improving and enhancing efforts. Reviews of these types follow that thinking.
  10. An important duty is ensuring that there are compliance communication channels whereby employees and others may report (‘whistleblowing’) suspected or potential violations of laws, regulations, standards, Code of Conduct, and policies. The principal channel would be a hotline that permits anonymous and confidential reporting without fear of retaliation.
  11. The Board should receive reports on all third parties that have been engaged on behalf of the organization and what steps were taken to ensure they are complying with applicable laws and regulations. This is particularly important for those organizations that engage part-time services of physicians who make referrals to the organization, as it is the number one enforcement area for the DOJ and OIG.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.
