In the context of compliance and ethics program effectiveness, “stakeholder” should be viewed broadly, encompassing far more than just government regulatory and enforcement agencies like the OIG and the U.S. Department of Justice (DOJ). The term also includes patients or consumers, healthcare providers, and business partners, including government clients (e.g., Medicare, TRICARE, Medicaid).
Increasingly, investors are a critical stakeholder for both public and private companies. Public companies more frequently face activist shareholder groups focused on compliance and ethics matters, access to or quality of care, or enterprise risk management. Further, private equity firms continue to invest in privately owned healthcare organizations and, to protect their investment, install experienced board members to enhance oversight of compliance and ethics as well as risk management. Tax-exempt healthcare organizations face their own unique stakeholder: the U.S. Internal Revenue Service (IRS) and related state agencies, which have shown increasing interest in verifying healthcare organizations’ charitable activities to maintain tax-exempt status.
Even among government regulatory and enforcement agency stakeholders, the OIG and the DOJ are joined by the U.S. Sentencing Commission (USSC), the Centers for Medicare and Medicaid Services (CMS), state Medicaid administration agencies, and state Attorneys General in publishing compliance and ethics program guidance or investigating and prosecuting organizational non-compliance. The heavy costs of organizational non-compliance can range from reputational damage and loss of trust to treble damages and civil monetary penalties, criminal convictions, or even the healthcare “death penalty”—administrative exclusion from operating in all federal healthcare programs.
The OIG’s Seven Elements are foundational. In order to function, every compliance and ethics program needs:
- A compliance officer supported by a compliance committee
- Compliance policies and procedures, including standards of conduct
- Open lines of communication
- Training and education
- Internal auditing and monitoring
- Corrective actions
- Enforced disciplinary standards
Both the OIG and the DOJ now also emphasize “Tone at the Top” and commitment to continuous improvement as hallmarks of effective compliance and ethics programs. “Tone at the Top” refers to the culture established by executive management and the governing body with respect to compliance and ethics. Leaders are expected to set an example for the rest of the organization to follow. The organization is expected to devote adequate resources and proper authority to the compliance and ethics leader, with direct access to the executive leadership team and the governing body to reinforce and crystallize that Tone at the Top.
Finally, a commitment to continuous improvement requires annual holistic risk assessments, root cause analyses when issues arise, and periodic compliance and ethics program testing to reveal risk areas or broken processes that develop over time.
As a foundational matter, a compliance and ethics program effectiveness assessment can be conducted by an in-house team or an independent expert. The assessment protocol described in this section is appropriate for either type of assessor. In-house teams should annually assess compliance and ethics program effectiveness; organizations should engage an independent expert in the scenarios outlined in the following section.
The first step in assessing the effectiveness of an organization’s compliance and ethics program is to intimately understand the organization’s business, its corporate structure, and its mission, values, and strategic imperatives. Inherently, this is an easier task for in-house teams than for independent assessors, but it is equally important for both in understanding the regulatory landscape and setting the stage for assessment.
With a firm understanding of the organization’s business and values, the assessors then need to synthesize the rules, regulations, and guidance from each applicable regulatory and enforcement source. Using a dashboard, scorecard, or some other measurement tool, the assessors will verify that the organization’s Seven Elements are in place and functioning optimally.
In order to evaluate the organization’s ethical North Star, the assessors need to understand how the compliance and ethics program is perceived from the top of the organization and how that perception filters throughout the organization. This requires interviews and extensive review of relevant data, information, and materials. The assessors should interview governing body members, executive leadership, and compliance and ethics staff, in addition to any providers, sales and marketing personnel, or other business unit employees who interact with the compliance and ethics program. The assessors should also review anonymous and open-door compliance reporting metrics and trends to gauge whether employees feel empowered to report wrongdoing they may observe. Many organizations utilize annual employee engagement surveys to measure compliance and ethics program perceptions—if possible, the assessors should also review these surveys and any trends they might reveal over time. Once completed, this protocol will reveal any new risk areas or weak spots in the organization’s compliance and ethics program.
Now, for the most important part—mitigation strategies and an implementation work plan. The assessment should result in a report, verbal or written, that highlights strengths and details any shortcomings in the compliance and ethics program with appropriate mitigation strategies outlined. This usually results in at least a one-year work plan to implement the mitigation strategies.
Appropriate Independent Assessment Scenarios
An independent compliance and ethics program effectiveness assessment is usually necessary in one of three contexts: transactional due diligence, voluntary evaluation, or mandatory evaluation.
Transactional Due Diligence
Financial sponsors and healthcare organizations considering a merger, acquisition, joint venture, or other business combination should require a program assessment during due diligence. This is necessary both to understand the regulatory risk involved in the transaction and to develop a work plan for mitigating gaps and integrating separate compliance functions.
Voluntary Effectiveness Assessment
Organizations choose to evaluate their compliance and ethics program’s effectiveness for a number of reasons—a change in leadership, change in regulations, etc. If in-house personnel are already spread thin in these situations, an independent assessment is often the best practice. In these cases, the assessment is meant to verify that a high-performing organization is still maintaining its standard. Any work plans developed from these assessments are likely to enhance areas that are already capably functioning.
Mandatory Effectiveness Assessment
At the other end of the spectrum are organizations forced to assess their compliance and ethics programs’ effectiveness as part of an enforcement action settlement agreement. These independent assessments are frequently required by the OIG in Corporate Integrity Agreements and by CMS in Systems Improvement Agreements. In these cases, the agency will have identified one or more large risk areas for the assessors to further explore and will mandate certain operational improvements as well. The bulk of the work under these circumstances is in developing an implementation work plan and, subsequently, an implementation report for the agency mandating the assessment.
Developing and maintaining an effective compliance and ethics program in a healthcare organization is a highly nuanced endeavor. With various layers of rules, regulations, ethical expectations, and competing economic realities, many organizations may have let themselves fall into a “check-the-box” approach to compliance and ethics over the past few years. As noted above, this approach is insufficient to prevent FWA and to reduce the chance of suffering the heavy costs of non-compliance. As we return to more normal operations post-pandemic (regulators and enforcers included), healthcare organizations will be best served by checking in on their ethical North Stars.