On Effective Compliance Programs In Light of the OIG's Supplemental Compliance Program Guidance for Hospitals
by Summer H. Martin, Esq., Powell Goldstein LLP, Atlanta, GA
Healthcare organizations are under ever increasing scrutiny from federal and state governmental agencies. With the watchful eye of the government and the constantly changing regulatory landscape, these organizations are facing significant challenges in monitoring and complying with applicable legal requirements. Under this landscape, it has become increasingly important that healthcare organizations implement and maintain an effective compliance program. Advising healthcare clients in this environment has proven to be both exciting and challenging. As attorneys, we play an important role in assisting our clients in their design, implementation and maintenance of a successful and effective compliance program.
The federal government has taken steps to assist healthcare organizations in developing successful compliance programs. Several years ago, the Department of Health and Human Services, Office of Inspector General (“OIG”) implemented a major initiative to combat fraud and abuse in the Federal healthcare programs by encouraging and promoting voluntary compliance efforts by healthcare organizations and developing a series of compliance program guidances (“CPGs”) for various categories of healthcare providers. One of the first lines of defense against preventing unlawful or erroneous behavior, and ultimately protection from prosecution for healthcare fraud or abuse or reduction in penalties for misconduct, is for providers to establish an effective compliance program. The CPGs provide a sound benchmark for healthcare organizations to use in developing and maintaining such a program.
The OIG has recently a promulgated Supplemental Compliance Program Guidance for Hospitals (“Supplemental CPG”). The original CPG for hospitals was primarily intended to encourage voluntarily design and implementation of corporate compliance programs, through suggested minimal elements to be included in all such plans, along with a discussion of the potential risk areas to be addressed in the implementation process. The Supplemental CPG builds upon the original CPG and focuses on how to maintain existing compliance programs to ensure that they are effective, and it also further refines the fraud and abuse risks areas on which hospitals should focus their compliance efforts for active monitoring.
While the OIG describes the CPGs as “voluntary guidance,” the Supplemental CPG emphasizes that the government fully expects providers to not only implement compliance programs, but to consistently monitor and assess their programs to ensure that they are effective and result in ongoing compliance efforts designed to identify and reduce misconduct. Indeed, enforcement officials are routinely demanding reports on the maturity and effectiveness of existing compliance programs when evaluating potential allegations of fraud or abuse. The existence of an established, effective compliance program will demonstrate a provider’s commitment to compliance and can assist in negotiating reduction to any penalties or sanctions that may be assessed for suspected fraud and abuse.
Components of An Effective Compliance Program
Advice to clients on developing, implementing and monitoring an effective compliance program must focus on the needs and potential risk areas of that particular client. These factors will differ for each client — necessitating different compliance strategies. Both the original CPG for hospitals and the Supplemental CPG place a heavy emphasis on building and establishing a corporate culture of compliance. This culture must originate at the top with the governing body and senior management. The Supplemental CPG indicates that one way for a company to foster this environment of compliance is through the development of a corporate code of conduct, which should set forth the company’s general statement of ethical behavior in compliance with applicable laws. In addition, an effective compliance program will contain, at a minimum, the following components:
(1) written policies and procedures that address the specific areas of risk for that client, including standards of conduct that delineate the company’s commitment to compliance;
(2) a compliance officer and compliance committee who have direct access to the hospital’s governing body and senior management, with sufficient funding and resources;
(3) effective and ongoing training and education for all staff, commensurate to the duties and risk areas that such individuals may encounter;
(4) open and effective lines of communication for reporting suspected instances of unethical conduct, waste or fraud and abuse;
(5) establishment and consistent implementation of disciplinary guidelines for failure to comply with the client’s policies and procedures;
(6) internal and external auditing and monitoring of the compliance programs; and
(7) consistent investigation of reported and detected instances of suspected misconduct.
While the original CPG provided guidance on establishing these seven internal controls, the Supplemental CPG provided guidance on how to monitor these components. The Supplemental CPG strongly recommends that healthcare organizations “regularly review the implementation and execution of their compliance program elements.”
Regular Monitoring of a Compliance Program
Compliance program reviews should be conducted at least annually to assess each of the program's components and the program's overall success (in addition to the continued monitoring of identified risk area indicators, such as billing and coding error rates and audits). To assist providers in their ongoing monitoring, the Supplemental CPG provides a number of factors that a healthcare organization should assess when monitoring and evaluating the compliance program’s underlying elements and overall performance:
- Development of Written Policies and Procedures : Clients should monitor whether their compliance policies and procedures support the compliance program and are written in clear language tailored to the duties for the applicable personnel; are distributed and readily available to the governing body, senior management and all personnel; and that they contain a risk assessment program sufficient to assess and identify weaknesses, risks, Federal healthcare program requirements and applicable laws. In addition, clients should monitor staff compliance with the policies and procedures.
- Designation of Compliance Officer and Compliance Committee : Clients should inquire into whether the compliance department has a clear, well crafted mission; is properly organized and sufficiently active; has sufficient resources and autonomy; has direct access and provides regular reports to the governing body, senior management and legal counsel; and conducts sufficient investigation and monitoring of the compliance program. In addition, the client should determine if the compliance function is sufficiently independent from the general counsel function.
- Appropriate Training and Education : Clients should assess whether the company provides sufficient general and specific training to all personnel by qualified trainers; regularly evaluates the content of its training program, at least annually, to account for any changes in its operations and the regulatory environment in which it is operating; tailors its training to the results of audits and investigations; documents completed training sessions; evaluates the imposition of disciplinary sanctions for failure to attend required sessions; and seeks feedback to assist in the development of the training program.
- Development of Open Lines of Communication: Clients should evaluate whether the company supports open communication that is free from retaliation; has established an anonymous hotline or similar method of reporting that is well publicized; logs, tracks and investigates all reports of misconduct; reports the results of investigations to the governing body and other relevant individuals and departments; and utilizes various methods to communicate compliance matters.
- Internal Monitoring and Auditing : Clients should assess whether the organization has a functional internal audit department that utilizes independent and qualified auditors and conducts scheduled and unscheduled initial and continued reviews; an audit plan that is tailored to identified risk areas and company operations, including the results of previous audits and investigations; an audit plan that also includes assessment of billing systems, claims accuracy and supporting documentation; and monitored error rates and conducted further investigation into those areas that do not show improvement.
- Response to Detected Deficiencies: Clients should inquire as to whether all matters are thoroughly and quickly investigated; corrective action plans are developed and implemented; identified overpayments are repaid; and probable violations of law are disclosed to the appropriate authority.
- Enforcement of Disciplinary Standards : Clients should ensure that disciplinary standards are well publicized, readily available, consistently enforced and that enforcement is documented. In addition, clients should monitor that all employees, contractors and medical staff members are regularly checked against the OIG’s List of Excluded Individuals and the General Services Administration’s Excluded Parties List.
In today’s climate, it is extremely important that healthcare organizations implement an effective compliance program. A well-designed, effective compliance program will identify and reduce risk, improve internal controls, and measure its own effectiveness. In establishing an effective compliance program, providers should first focus on the potential vulnerabilities of the healthcare organization deriving from its relationship with Federal and state healthcare programs. This process should involve a proactive examination of the risk for abuse that exists within the individual healthcare company. Second, as risks are identified and assessed, the next step should involve taking action to fortify internal controls and processes to avoid liability. Third, an ongoing evaluation process is critical to a successful compliance program. Attorneys play a key role in ensuring that not only the objectives for creating a compliance program are met, but also in ensuring that a compliance program is specifically tailored to the needs of an individual healthcare organization.