Blog Post

Q & A Series on the Current State of Healthcare Compliance Programs – I

Richard P. Kusserow | May 2024

On April 30, 2024, Strategic Management Services and SAI360 hosted the Current State of Healthcare Compliance Programs: 2024 Benchmark Results Webinar. The speaker, Richard Kusserow, former HHS Inspector General and CEO of Strategic Management, reviewed the results of the 15th Annual Healthcare Compliance Benchmark Survey and provided his analysis of the results and the changing landscape of compliance departments.

Part I of the series will focus on questions related to reporting chains and organizational structures for the Compliance Department and Chief Compliance Officer.

  • Can you provide more details as to why the Compliance Officer reporting through Legal Counsel is viewed negatively by the OIG and DOJ?

Such a practice goes against what both the DOJ and OIG have made clear in their guidance documents. In short, they believe attorneys are legal advocates defending the organization who may try to conceal disclosable issues under attorney-client privilege, whereas they see the Compliance Officer as an independent gatherer of information who would more likely disclose problems when identified. Under these circumstances, the job of Compliance Officer would likely be more difficult when subordinate to the Legal Counsel. There is also the question of potential conflict of interest in having that same party responsible for both the Legal and Compliance Programs.

For more on this topic, see the blog article at

  • I serve as a Compliance Officer and Privacy Officer for my organization and report directly to the General Counsel with no direct reporting to the CEO or the Board. Why might this be a problem, and what can I do if my concerns are ignored?

First, there is no legal or regulatory requirement for the Compliance Officer to avoid reporting directly through the Legal Counsel. However, all regulatory guidance, including the US Sentencing Commission, DOJ, and OIG, call for the Compliance Officer to report directly to the CEO. They see the function as one that is independent of other operating officials. As part of Corporate Integrity Agreements, the OIG mandates no reporting or subordination of the Compliance Office to Legal Counsel. Therefore, the burden would be on the organization to convince enforcement authorities investigating potential violations of law or regulation that having the Legal Counsel responsible for compliance was the best method they had for preventing wrongful behavior and promoting an effective Compliance Program. This would be a tough sell under those circumstances.

The DOJ and OIG see the critical role of the Legal Counsel as a legal advisor, advocate, and protector of management, whereas the Compliance Officer is viewed as a function that looks out for the interests of all those in the workplace, not just management. As such, they see a potential conflict of interest in having both legal and compliance authority under one roof. They also believe that the Compliance Officer should have independent authority to disclose to appropriate authorities any overpayments and potential wrongdoing. All any Compliance Officer can do under the circumstances described in this question is inform leadership and the board of the potential problem with the hope that they will view the merits of the arguments and act accordingly. If they do not, depending on how difficult the situation is, this may leave them with the choice of living with the arrangement or leaving the organization.

For more on this topic, see the blog article at

  • Should Internal Audit be part of (or report up to) the Compliance Officer/Department or be a part of (or report up to) the Finance Department?

Internal Audit reporting directly to the CFO or Finance Department is not considered a best practice, as it can create a conflict-of-interest problem, especially when a review involves questions about the operation of financial functions. The best practice for reporting can be one of two tracks. The Institute of Internal Auditors notes that to achieve the necessary independence, a separate Internal Audit function should report directly to the Board Level Audit Committee. Alternatively, many organizations have had the Internal Audit function subsumed under the Compliance Officer who reports directly to the CEO and Board, which also gives it the necessary independence.

You can keep up-to-date with Strategic Management Services by following us on LinkedIn.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.

Subscribe to blog