August 28, 2023

Beyond the Seven Elements

Effective Compliance and Ethics Programs Need an Ethical North Star

By Robert L. Yates and Thomas F. O'Neil III



The U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG) developed its first set of comprehensive healthcare industry compliance and ethics program guidance in 2005. “The Seven Elements of an Effective Compliance Program” focused on core controls and functions designed to mitigate fraud, waste, and abuse (FWA) in federal healthcare programs. Many well-meaning organizations sought to comply with the OIG’s expectations by establishing the Seven Elements on paper, but government regulatory and enforcement agencies, among other stakeholders, quickly determined that this “check-the-box” approach was insufficient to prevent FWA.

In the 18 years since, the collective guidance from relevant stakeholders makes clear that effective compliance and ethics programs require buy-in and empowerment from the top down. The governing body and executive management team must lead by example, forging an ethical North Star that aligns with the organization’s core values. To drive and fuel an effective compliance and ethics program, those values should include integrity, accountability, acceptance of responsibility, an open-door environment, and operational transparency.

Without an ethical North Star, the compliance and ethics program will quickly become isolated and perceived by the rest of the business as a rules-based gatekeeper to circumvent instead of a trusted business partner willing to collaborate. This is not “effective” in any sense of the word. Conversely, a compliance and ethics program in an organization guided by an ethical North Star not only fulfills stakeholder effectiveness expectations but also drives alignment within and between business units, generates considerable enterprise value, and, ultimately, delivers a competitive advantage in the marketplace.

This article briefly summarizes relevant stakeholder compliance and ethics expectations, suggests a protocol for assessing compliance and ethics program effectiveness, and outlines scenarios when an independent assessment is appropriate. 


Stakeholder Expectations

In the context of compliance and ethics program effectiveness, “stakeholder” should be viewed broadly, encompassing far more than just government regulatory and enforcement agencies like the OIG and the U.S. Department of Justice (DOJ). The term also includes patients or consumers, healthcare providers, and business partners, including government clients (e.g., Medicare, TRICARE, Medicaid).

Increasingly, investors are a critical stakeholder for both public and private companies. Public companies more frequently face activist shareholder groups focused on compliance and ethics matters, access to or quality of care, or enterprise risk management. Further, private equity firms continue to invest in privately owned healthcare organizations and install experienced board members to enhance oversight of compliance and ethics and risk management, to protect their investment. Tax-exempt healthcare organizations face their own unique stakeholder: the U.S. Internal Revenue Service (IRS) and related state agencies, which have shown increasing interest in verifying healthcare organizations’ charitable activities to maintain tax-exempt status.

Among government regulatory and enforcement agency stakeholders, the OIG and the DOJ are joined by the U.S. Sentencing Commission (USSC), the Centers for Medicare and Medicaid Services (CMS), state Medicaid administration agencies, and state Attorneys General in publishing compliance and ethics program guidance or investigating and prosecuting organizational non-compliance. The heavy costs of organizational non-compliance range from reputational damage and loss of trust to treble damages and civil monetary penalties, criminal convictions, or even the healthcare “death penalty”: administrative exclusion from participating in all federal healthcare programs.

The OIG’s Seven Elements are foundational. In order to function, every compliance and ethics program needs:

  1. A compliance officer supported by a compliance committee
  2. Compliance policies and procedures, including standards of conduct
  3. Open lines of communication
  4. Training and education
  5. Internal auditing and monitoring
  6. Corrective actions
  7. Enforced disciplinary standards

Both the OIG and the DOJ now also emphasize “Tone at the Top” and commitment to continuous improvement as hallmarks of effective compliance and ethics programs. “Tone at the Top” refers to the culture established by executive management and the governing body with respect to compliance and ethics. Leaders are expected to set an example for the rest of the organization to follow. The organization is expected to devote adequate resources and proper authority to the compliance and ethics leader, with direct access to the executive leadership team and the governing body to reinforce and crystallize that Tone at the Top.

Finally, a commitment to continuous improvement requires annual holistic risk assessments, root cause analyses when issues arise, and periodic compliance and ethics program testing to reveal risk areas or broken processes that develop over time.

Assessment Protocol

As a foundational matter, a compliance and ethics program effectiveness assessment can be conducted by an in-house team or an independent expert. The assessment protocol described in this section is appropriate for either type of assessor. In-house teams should annually assess compliance and ethics program effectiveness; organizations should engage an independent expert in the scenarios outlined in the following section.

The first step in assessing the effectiveness of an organization’s compliance and ethics program is to intimately understand the organization’s business, its corporate structure, and its mission, values, and strategic imperatives. Inherently, this is an easier task for in-house teams than independent assessors, but equally important for both in understanding the regulatory landscape and setting the stage for assessment.

With a firm understanding of the organization’s business and values, the assessors then need to synthesize the rules, regulations, and guidance from each applicable regulatory and enforcement source. Using a dashboard, scorecard, or some other measurement tool, the assessors verify that each of the organization’s Seven Elements is in place and functioning as intended, not merely documented.

In order to evaluate the organization’s ethical North Star, the assessors need to understand how the compliance and ethics program is perceived at the top of the organization and how that perception filters down through it. This requires interviews and extensive review of relevant data, information, and materials. The assessors should interview governing body members, executive leadership, and compliance and ethics staff, in addition to any providers, sales and marketing personnel, or other business unit employees who interact with the compliance and ethics program. The assessors should also review anonymous and open-door compliance reporting metrics and trends to gauge whether employees feel empowered to report wrongdoing they observe. Many organizations use annual employee engagement surveys to measure compliance and ethics program perceptions; if possible, the assessors should also review these surveys and any trends they reveal over time. Once completed, this protocol will reveal any new risk areas or weak spots in the organization’s compliance and ethics program.

Now, for the most important part—mitigation strategies and an implementation work plan. The assessment should result in a report, verbal or written, that highlights strengths and details any shortcomings in the compliance and ethics program with appropriate mitigation strategies outlined. This usually results in at least a one-year work plan to implement the mitigation strategies.

Appropriate Independent Assessment Scenarios

An independent compliance and ethics program effectiveness assessment is usually necessary in one of three contexts: transactional due diligence, voluntary evaluation, or mandatory evaluation. 

Transactional Due Diligence

Financial sponsors and healthcare organizations considering a merger, acquisition, joint venture, or other business combination should require a program assessment during due diligence. This is necessary both to understand the regulatory risk involved in the transaction and to develop a work plan for mitigating gaps and integrating separate compliance functions.

Voluntary Effectiveness Assessment

Organizations choose to evaluate their compliance and ethics program’s effectiveness for a number of reasons, such as a change in leadership or a change in regulations. If in-house personnel are already spread thin in these situations, an independent assessment is often the best practice. In these cases, the assessment is meant to verify that a high-performing organization is still maintaining its standard. Any work plans developed from these assessments are likely to enhance areas that are already functioning capably.

Mandatory Effectiveness Assessment

At the other end of the spectrum are organizations forced to assess their compliance and ethics programs’ effectiveness as part of an enforcement action settlement agreement. These independent assessments are frequently required by the OIG in Corporate Integrity Agreements and by CMS in Systems Improvement Agreements. In these cases, the agency will have identified one or more large risk areas for the assessors to further explore and will mandate certain operational improvements as well. The bulk of the work under these circumstances is in developing an implementation work plan and, subsequently, an implementation report for the agency mandating the assessment.


Developing and maintaining an effective compliance and ethics program in a healthcare organization is a highly nuanced endeavor. With various layers of rules, regulations, ethical expectations, and competing economic realities, many organizations may have let themselves fall into a “check-the-box” approach to compliance and ethics over the past few years. As noted above, this approach is insufficient to prevent FWA and to reduce the chance of suffering the heavy costs of non-compliance. As we return to more normal operations post-pandemic (regulators and enforcers included), healthcare organizations will be best served by checking in on their ethical North Stars.

    Robert L. Yates

    Berkeley Research Group, Washington, DC

    Rob Yates is a managing consultant in Berkeley Research Group’s Washington, DC office. He regularly advises healthcare organizations across the industry spectrum regarding complex regulatory compliance and corporate governance matters. Prior to joining BRG, he served as a civil fraud prosecutor with the Indiana Medicaid Fraud Control Unit. He can be reached at [email protected] or on LinkedIn.

    Thomas F. O’Neil III

    Berkeley Research Group, Washington, DC

    Tom O’Neil is a managing director in BRG’s Washington, DC office. He leads a healthcare-focused practice providing independent effectiveness assessments of governance models, compliance and ethics programs, and quality and access programs. He is an advisor and corporate director with deep private and public sector experience, including leadership roles in the boardrooms and C-suites of companies in the consumer, financial services, and healthcare sectors. Mr. O’Neil’s expertise has been curated over several decades, allowing him to develop an exceptional track record of accelerating cultural transformation and restoring trust with key stakeholders including customers, patients, investors, regulators, and enforcement officials. He can be reached at [email protected] or on LinkedIn.

    The material in all ABA publications is copyrighted and may be reprinted by permission only.