Excerpt of Spreadsheet for Gap Analysis With OIG’s General Compliance Program Guidance

Here are a few of the elements of a spreadsheet developed by the compliance team at UofL Health in Kentucky to document their progress in comparing the seven elements of their compliance program to the best practices described in the HHS Office of Inspector General’s General Compliance Program Guidance, which was released in November 2023 (see story above). Shelly Denham, chief compliance officer at UofL Health, has developed a full spreadsheet for all seven elements. The language of the elements comes from the GCPG. Contact Denham at shelly.denham@uoflhealth.org.

1) Written Policies and Procedures

Tips

Notes

Code of Conduct

A code of conduct is an important tool to communicate an organization’s mission, goals, and ethical requirements central to its operations. The code articulates the entity’s commitment to comply with all Federal and State laws and regulations. It defines the entity’s ethical standards necessary to fulfill its mission and govern the conduct of its officers, employees, contractors, medical staff, and others who work with or on behalf of the organization. Although the code by its design may not need regular review, any handbook delineating or expanding upon the code of conduct should be regularly updated as applicable statutes, regulations, and Federal health care program requirements change.

CEOs or board members may add a signed endorsement or written statement to support the commitment to compliance.

Compliance policies and procedures

Compliance policies and procedures should encompass at least two areas: (1) the implementation and operation of the entity’s compliance program, including the seven elements discussed; and (2) processes to reduce risks caused by noncompliance with Federal and State laws. A discussion of Federal fraud and abuse authorities is included in Section II above. Entities should assess how their operations may present risk areas specific to them and design policies and procedures that address these risks. Common compliance risk areas are: billing, coding, sales, marketing, quality of care, patient incentives, and arrangements with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business. The Compliance Committee should ensure that a system exists to ensure that the entity’s policies and procedures foster rather than undermine the entity’s compliance culture. When the entity creates, revises, or deletes a policy, it should consider whether the change affects the entity’s compliance with government health care program requirements, encourages or incentivizes noncompliance, or impairs the entity’s risk-mitigation efforts. All organizations should have a policy and procedure on the screening of employees, contractors, and other individuals and entities that furnish items and services for or on behalf of the organization against the LEIE and any applicable State Medicaid program exclusion lists. The policy should clearly identify which individual(s) in the organization are responsible for conducting the screening, the process for performing the screening and verifying any potential matches, and the steps that should be taken in the event an entity learns that an individual or entity has been excluded by the OIG or a State Medicaid program.

Recommends review of the current healthcare subsector Compliance Guidance on the OIG website for a further discussion of Subsector-specific risks.

Policy Maintenance

All relevant individuals should be able to easily access their organization’s code, policies, and procedures. Many entities now maintain their code, policies, and procedures on an internal intranet site or use other electronic communication tools to ensure that everyone has access to the same documents. If the entity’s communication method does not provide access to all relevant individuals, the entity should employ an alternative mechanism for such individuals to obtain access to the code, policies, and procedures. Besides being accessible, the code, policies, and procedures also should be comprehensible by all relevant individuals (e.g., translated into other languages, where appropriate, and written at appropriate reading levels). The organization’s compliance officer should ensure that compliance policies and procedures are effectively created, coordinated, and maintained. Up-to-date policies and procedures are a critical element of a compliance program. Entities should ensure that they finalize and make available to relevant individuals any new or revised policies and procedures before implementing or altering practices and processes. The entity’s employees, contractors, and other relevant individuals should be able to rely on an entity’s policies and procedures as the entity’s current instructions on a particular subject. Having policy and procedure documents that are not up to date diminishes their credibility to the users of such policies and procedures and other interested parties, including Government regulators. Inaccurate or unreliable policies and procedures also reduce the compliance program’s authority, credibility, and effectiveness at the entity. OIG encourages entities to include in their disclosure program a means for employees, contractors, and other relevant individuals to contact the compliance officer or members of the Compliance Committee with questions about a policy or procedure.

DOJ has compiled a useful set of questions for entities to consider in setting up and reviewing their system of policies and procedures. These may be found at DOJ Evaluation of Corporate Compliance Programs. The OIG’s toolkit on Measuring Compliance Program Effectiveness also provides useful tools for evaluating policies and procedures, as well as identifying gaps that may require new or revised policies and procedures. It may be found on the OIG’s Compliance Toolkits page.

2) Compliance Leadership and Oversight

Tips

Notes

Compliance Officer

Every entity should designate a leader as the entity’s compliance officer. A key indicator of the board and senior leadership’s commitment to compliance is the appointment and support of a compliance officer who has the authority, stature, access, and resources necessary to lead an effective and successful compliance program. Designating a compliance officer with appropriate authority is essential to the success of the compliance program. The compliance officer should report either to the CEO with direct and independent access to the board or to the board directly; have sufficient stature within the entity to interact as an equal of other senior leaders of the entity; demonstrate unimpeachable integrity, good judgment, assertiveness, an approachable demeanor, and the ability to elicit the respect and trust of entity employees; and have sufficient funding, resources, and staff to operate a compliance program capable of identifying, preventing, mitigating, and remediating the entity’s compliance risks.

Compliance officer should report to the CEO with direct and independent access to the board or to the board directly. Sufficient stature within the entity to interact as an equal of other senior leaders of the entity. Demonstrates unimpeachable integrity, good judgment, assertiveness, and approachability. Sufficient funding, resources and staff to operate a program capable of identifying, preventing, mitigating, and remediating the entity compliance risk.

Compliance Officer: Responsibilities

Overseeing and monitoring the implementation and operation of the compliance program; advising the CEO, board, and other senior leaders on compliance risks facing the entity, compliance risks related to strategic and operational decisions of the entity, and the operation of the entity’s compliance program; chairing the Compliance Committee; reporting to the board on the implementation, operation, and needs of the compliance program, the compliance risks the entity faces, and the methods through which the entity is addressing or can address those risks; revising the compliance program periodically in light of changes in the needs of the organization, applicable law, and policies and procedures of third-party payors; coordinating with Human Resources to ensure that all directors, officers, employees, contractors, and medical staff, if applicable, are screened before appointment or engagement and monthly thereafter against the LEIE and any applicable State Medicaid program exclusion lists; coordinating with other relevant entity components (e.g., as applicable, Internal Audit, Risk, Quality, IT) to develop work plans for reviewing, monitoring, and auditing compliance risks; independently investigating and acting on matters related to compliance, including the flexibility to design and coordinate internal investigations (e.g., responding to reports involving, for example, compliance concerns or suspected legal violations) and to make recommendations for process and policy changes and corrective action; and developing policies and programs that encourage personnel to report suspected fraud and other improprieties without fear of retaliation.

Some compliance officers have the dual role of a privacy officer. In that case, OIG recommends that the entity ensures that the compliance officer has sufficient staff and resources to perform the additional duties associated with that expanded role.

To fulfill their duties, the compliance officer should be empowered, and independent of other duties to the entity that might impair their ability, to identify and raise compliance risks and advise on how to mitigate risks, achieve and maintain compliance with Federal health care program requirements, and succeed as a compliant entity. Thus, the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board. Usually, leaders of these functions are the general counsel and the chief financial officer, but some entities give them different titles. To be effective, the compliance officer should also maintain a degree of separation from the entity’s delivery of health care items and services and related operations. Thus, the compliance officer should not be responsible, either directly or indirectly, for the delivery of health care items and services or billing, coding, or claim submission. In addition, involvement in functions such as contracting, medical review, or administrative appeals present potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance.

Coordination and communication are the compliance officer’s key tools for planning, implementing, and monitoring an effective compliance program. The compliance officer should strive to develop, and the entity should strive to promote, productive working relationships with organizational leaders. Coordinating work and sharing information with leaders of other support functions, including (as applicable), Legal, Internal Audit, IT and Health Information Management (HIM), Human Resources, Quality, Risk Management, and Security will enhance the strength and success of the compliance program. The compliance officer should have the authority to review all documents, data, and other information that are relevant to the organization’s compliance activities. This includes, but is not limited to, patient records, billing records, sales and marketing records, and records concerning the entity’s arrangements with other parties, including employees, independent contractors, suppliers, physicians, and other health care professionals. The compliance officer also should have the authority to interview anyone within or connected to the organization in connection with a compliance investigation, or designate an appropriate person to conduct such an interview.

Compliance Committee

The Compliance Committee’s purpose is to aid and support the compliance officer in implementing, operating, and monitoring the Compliance Program. The Compliance Committee should meet no less than quarterly. Having a regularly scheduled meeting may enhance routine attendance. Primary duties include analyzing the legal and regulatory requirements applicable to the entity; assessing, developing, and regularly reviewing policies and procedures; monitoring and recommending internal systems and controls; assessing education and training needs and effectiveness, and regularly reviewing required training; developing a disclosure program and promoting compliance reporting; assessing effectiveness of the disclosure program and other reporting mechanisms; conducting annual risk assessments; developing the compliance workplan; evaluating the effectiveness of the compliance workplan and any action plans for risk remediation; and evaluating the effectiveness of the compliance program. The compliance officer should be the chair of the Compliance Committee. The Compliance Committee should be comprised of the relevant leaders of both operational and supporting departments, which could include Billing and Coding, Clinical and Medical, Finance, Internal Audit, IT, HIM, Human Resources, Legal, Quality, Risk Management, Sales and Marketing, and other operational managers. All members should be sufficiently knowledgeable regarding their department’s subject area. All members should have the authority and ability to speak for the department they represent.

Before joining the committee, provide training to the new member on the committee’s duties and responsibilities and the entity’s expectations of them in their role as a committee member. Circulating an agenda before the meeting will inform members of the meeting topics and give them an opportunity to prepare.

Actively leading the Compliance Committee and its meetings is an important and integral function of the compliance officer. As the Compliance Committee chair, the compliance officer should establish and facilitate committee discussion and encourage active participation by all committee members. The compliance officer should assist with the identification of risk areas and monitor and report on progress toward committee objectives. The compliance officer should mediate any disagreement between or among committee members and escalate committee matters that remain unresolved to the CEO. Throughout each meeting of the Compliance Committee, the compliance officer should continue to focus the committee’s attention on compliance program effectiveness and the benefits of an effective compliance program to the organization. The tone for all aspects of the Compliance Program, including the Compliance Committee, should be established and maintained by an organization’s leadership, including the board and the CEO. Expectations for regular, diligent member attendance at Compliance Committee meetings should be set by the board and enforced by the CEO. Member attendance, active participation, and contributions should be included in each member’s performance plan and compensation evaluation. In their communications with individual committee members, the board and the CEO should regularly convey the importance of, and their interest in, the member’s Compliance Committee responsibilities and participation. The compliance officer should periodically provide a report to the board assessing the Compliance Committee’s performance. This report should compare the entity’s expectations of the committee’s performance with its actual performance. As part of the assessment, the compliance officer should seek input from the members of the Compliance Committee, the CEO, and the board. The compliance officer also should examine how the entity implemented committee decisions and recommendations.

Indicators of Committee Success:

  • substantive committee discussions;

  • active engagement by committee members;

  • demonstrations of authority and autonomy (within the scope of the Compliance Committee’s charter);

  • accountability and follow-through of committee determinations;

  • establishment of a robust, detailed work plan;

  • and mitigation of compliance risks.

In their report to the board, the compliance officer should include any recommendations they may have on adjustments to improve the Compliance Committee’s performance. Adjustments could include revisions to committee charter, scope, or membership, expectations regarding membership, and methods of ensuring committee and member accountability.

Board Compliance Oversight

The United States Sentencing Commission’s Guidelines require that an entity’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” The board’s exercise of this responsibility should include overseeing the compliance officer and the Compliance Committee and receiving and reviewing information necessary to understand the entity’s compliance risks. The board also should have access to sufficient knowledge and resources to allow it to fulfill its compliance-related obligations competently. Oversight of the compliance officer is a critical component of the board’s compliance role. The board should ensure that the compliance officer has sufficient power, independence, and resources to implement, maintain, and monitor the entity’s compliance program and advise the board about the entity’s compliance operations and risk. To ensure the compliance officer is sufficiently empowered, the board should assure that the compliance officer’s stature is commensurate with their responsibilities and those of other entity senior leaders and that the organization is structured to permit the compliance officer to inform the board of challenging compliance risks without fear of personal or financial repercussions. Regardless of the reporting structure, the board should also ensure that the compliance officer has direct and uninhibited access to the board at any time. To ensure the compliance officer’s independence, the board should determine that the compliance officer is free of organizational responsibilities that would impede the compliance officer’s ability to evaluate and report on compliance risk. The Compliance Officer section discusses roles and responsibilities for which the compliance officer should not be responsible.
The board also should regularly review whether the compliance officer and the compliance program have sufficient staff and resources for an entity of its size, complexity, and interaction with Federal health care programs. The board should meet with the compliance officer on a regular basis and no less than quarterly. The compliance officer should provide the board with regular reports regarding the entity’s compliance program, activities, and risks, and participate in an oral discussion of the report with board members. The board should reserve time at each session for an executive meeting with the compliance officer, without non-board members present, to permit the board and the compliance officer to have an uninhibited discussion of compliance risks of concern, including the adequacy of compliance staff and resources.

Another important component of the board’s compliance role is Compliance Committee oversight. The board should ensure that: (1) the Compliance Committee fully understands and exercises its role, (2) the Compliance Committee’s decisions and activities are appropriately implemented and performed, and (3) the board understands and evaluates how the Compliance Committee addresses risk. Compliance Committee members sometimes mistakenly see their role as overseeing the compliance officer and the compliance program, rather than supporting and working with the compliance officer on the compliance program. Boards should strive to ensure that Compliance Committee members correctly understand their role. The Compliance Committee should provide the board with regular reports on member attendance and the board should ensure that the CEO enforces accountability. The board should also assure that Compliance Committee members’ role and performance on the committee are reflected in their performance plans and considered in compensation and promotion decisions. The board should take every opportunity to communicate to each of its audiences its commitment to compliance. Every board has a variety of audiences, which could include entity leaders, personnel, individual owners, shareholders, customers, patients, payors, Federal and State Governments, and the public. The board should encourage the Compliance Officer and other senior leaders to report on how Committee decisions are implemented and supported by leaders throughout the organization. The board also should ensure that it understands how the Compliance Committee identifies and addresses risks, including health care compliance risks and any other risks that impact the entity’s direct or indirect interaction with Federal health care programs and beneficiaries (e.g., privacy, quality, IT, data). It should receive, at least annually, reports on the entity’s effectiveness in addressing and resolving committee-identified risks. 
The board also should periodically evaluate the effectiveness of the Compliance Committee’s risk assessment process.
