Small Entity Compliance Programs
Most enforcement efforts involve small entities that lack compliance programs
Both the Office of Inspector General (OIG) and the Department of Justice expect small entities to meet the seven standard elements of an effective compliance program. However, in the OIGโs General Compliance Program Guidance (GCPG), there is recognition that small entities may face financial and staffing constraints that prevent them from supporting a full-time or even part-time compliance officer. The OIG notes that one possible means to meet the standards is to designate an internal staff member to oversee the compliance program as a secondary duty. However, the person must not have any responsibilities related to legal services or be involved in the billing, coding, or submission of claims. Additionally, the designated person must have direct access to and report to the CEO or owner who ultimately bears responsibility for the entityโs compliance with applicable laws and regulations.
Duties of the designated individual include overseeing the Code of Conduct, managing compliance-related policies and procedures, conducting compliance training, as well as the need to keep current with the ever-changing legal, regulatory, and business environment. If HIPAA privacy compliance is also included in the designated individualโs duties, this adds a substantial workload, including the need to conduct compliance risk assessments and address breaches involving protected health information. To meet these demands, the designated individual would require significant training and education.
This raises the question of whether using internal staff to oversee compliance programs is a practical solution, especially considering the GCPGโs recognition that the cost of employing a full- or part-time compliance officer may not be financially feasible. It also assumes that compliance risks can be properly managed by someone whose primary role lies elsewhere and who may lack the necessary compliance knowledge, education, and experience. The better option may be to outsource the development and management of the compliance and privacy programs to a qualified compliance expert, who would serve as the Designated Compliance Officer (DCO) on a part-time basis.
The OIG has long recognized that smaller health care organizations may reasonably decide to outsource compliance functions,ย noting in its compliance guidanceย that: โFor those companies that have limited resources, the compliance function could be outsourced to an expert in compliance.โ Hiring an outside expert part-time can accomplish more than assigning compliance duties to an internal staff member with limited experience and competing responsibilities. Aย compliance expertย will already possess the necessary expertise and can deliver results more efficiently by spreading costs across multiple clients. This often results in significantly reduced time, effort, and expense compared to an in-house part-time solution. The time commitment needed for the work depends on the type and size of the entity. However, Strategic Managementโs typical engagement of this nature requires 10 to 30 hours per month. Furthermore, as the compliance program develops, the amount of time and effort required to oversee it generally decreases.
For more information on this topic, contact [email protected].
