Small Entity Compliance Programs
Most enforcement involves small entities lacking compliance programs
Both the Office of Inspector General (OIG) and the Department of Justice expect small entities to meet the seven standard elements of an effective compliance program. However, in the OIGโs General Compliance Program Guidance (GCPG), there is recognition that small entities may face financial and staffing constraints that prevent them from supporting a full-time or even part-time compliance officer. The OIG notes that one possible means to meet the standards is to designate an internal staff member to oversee the compliance program as a secondary duty. However, the person must not have any responsibilities related to legal services or be involved in the billing, coding, or submission of claims. Additionally, the designated person must have direct access to and report to the CEO or owner who ultimately bears responsibility for the entityโs compliance with applicable laws and regulations. Duties of the designated individual include overseeing the Code of Conduct, managing compliance-related policies and procedures, conducting compliance training, as well as the need to keep current with the ever-changing legal, regulatory, and business environment. If HIPAA privacy compliance is also included, this adds a substantial workload, including the need to conduct compliance risk assessments and addressing breaches involving protected health information. To meet these demands, the designated individual would require significant training and education. This begs the question of whether using internal staff is a practical solution, especially considering the GCPGโs recognition that the cost of employing a full- or part-time compliance officer may not be financially feasible. It also assumes that compliance risks can be properly managed by someone whose primary role lies elsewhere and who may lack the necessary compliance knowledge, education, and experience. The better option may be to outsource the development and management of the compliance and privacy programs to a qualified compliance expert to service as the Designated Compliance Officer (DCO) on a part-time basis. The OIG has long recognized that smaller health care organizations may reasonably decide to outsource compliance functions, noting in its compliance guidance that: โFor those companies that have limited resources, the compliance function could be outsourced to an expert in compliance.โ Hiring an outside expert part-time can accomplish more than assigning compliance duties to an internal staff member with limited experience and competing responsibilities. A compliance expert will already possess the necessary expertise ย and can deliver results more efficiently by spreading costs across multiple clients. This often results in significantly reduced time, effort, and expense compared to an in-house part-time solution. The time commitment needed for the work depends on the type and size of the entity. However, Strategic Managementโs typical engagements of this nature require10 to 30 hours per month. Furthermore, as the compliance program matures, the amount of time and effort required generally decreases.
For more information on this topic, contact [email protected].
