Mandatory Compliance Program Requirements – Affordable Care Act Statutory Mandate

Provisions of Affordable Care Act Relating to Mandatory Compliance Programs For Nursing Facilities

SEC. 6102. ACCOUNTABILITY REQUIREMENTS FOR SKILLED NURSING

FACILITIES AND NURSING FACILITIES.

Part A of title XI of the Social Security Act (42 U.S.C. 1301 et seq.), as amended by sections 6002 and 6004, is amended by inserting after section 1128H the following new section:

‘‘SEC. 1128I. ACCOUNTABILITY REQUIREMENTS FOR FACILITIES.

‘‘(a) DEFINITION OF FACILITY.—In this section, the term ‘facility’ means—

‘‘(1) a skilled nursing facility (as defined in section 1819(a)); or

‘‘(2) a nursing facility (as defined in section 1919(a)).

‘‘(b) EFFECTIVE COMPLIANCE AND ETHICS PROGRAMS.—

‘‘(1) REQUIREMENT.—On or after the date that is 36 months after the date of the enactment of this section, a facility shall, with respect to the entity that operates the facility (in this subparagraph referred to as the ‘operating organization’ or ‘organization’), have in operation a compliance and ethics program that is effective in preventing and detecting criminal, civil, and administrative violations under this Act and in promoting quality of care consistent with regulations developed under paragraph (2).

‘‘(2) DEVELOPMENT OF REGULATIONS.—

‘‘(A) IN GENERAL.—Not later than the date that is 2 years after such date of the enactment, the Secretary, working jointly with the Inspector General of the Department of Health and Human Services, shall promulgate regulations for an effective compliance and ethics program for operating organizations, which may include a model compliance program.

‘‘(B) DESIGN OF REGULATIONS.—Such regulations with respect to specific elements or formality of a program shall, in the case of an organization that operates 5 or more facilities, vary with the size of the organization, such that larger organizations should have a more formal program and include established written policies defining the standards and procedures to be followed by its employees. Such requirements may specifically apply to the corporate level management of multi unit nursing home chains.

‘‘(C) EVALUATION.—Not later than 3 years after the date of the promulgation of regulations under this paragraph, the Secretary shall complete an evaluation of the compliance and ethics programs required to be established under this subsection. Such evaluation shall determine if such programs led to changes in deficiency citations, changes in quality performance, or changes in other metrics of patient quality of care. The Secretary shall submit to Congress a report on such evaluation and shall include in such report such recommendations regarding changes in the requirements for such programs as the Secretary determines appropriate.

‘‘(3) REQUIREMENTS FOR COMPLIANCE AND ETHICS PROGRAMS.—

In this subsection, the term ‘compliance and ethics program’ means, with respect to a facility, a program of the operating organization that—‘‘(A) has been reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal, civil, and administrative violations under this Act and in promoting quality of care; and ‘‘(B) includes at least the required components specified

in paragraph (4).

‘‘(4) REQUIRED COMPONENTS OF PROGRAM.—The required components of a compliance and ethics program of an operating organization are the following:

‘‘(A) The organization must have established compliance standards and procedures to be followed by its employees and other agents that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations under this Act.

‘‘(B) Specific individuals within high-level personnel of the organization must have been assigned overall responsibility to oversee compliance with such standards and procedures and have sufficient resources and authority to assure such compliance.

‘‘(C) The organization must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in criminal, civil, and administrative violations under this Act.

‘‘(D) The organization must have taken steps to communicate effectively its standards and procedures to all employees and other agents, such as by requiring participation in training programs or by disseminating publications that explain in a practical manner what is required.

‘‘(E) The organization must have taken reasonable steps to achieve compliance with its standards, such as by utilizing monitoring and auditing systems reasonably designed to detect criminal, civil, and administrative violations under this Act by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report violations by others within the organization without fear of retribution.

‘‘(F) The standards must have been consistently enforced through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect an offense.

‘‘(G) After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses, including any necessary modification to its program to prevent and detect criminal, civil, and administrative violations under this Act.

‘‘(H) The organization must periodically undertake reassessment of its compliance program to identify changes necessary to reflect changes within the organization and its facilities.

Nursing Facilities Must Have Effective Compliance Programs In Place by March 23, 2013

The statutory deadline requiring nursing facilities to have formal compliance programs in place is upon us.  The Patient Protection and Affordable Care Act (PPACA) requires all nursing facilities and skilled nursing facilities to have formally adopted effective compliance and ethics programs by March 23, 2013.  To date, the Centers for Medicare & Medicaid Services (CMS) has not released final regulations regarding the required elements of nursing facility compliance programs.  However, the failure of CMS to issue final regulations should not deter nursing facilities from adopting compliance programs.  Even though regulations have not been released, the statutory mandate is in place.  Additionally, there is an abundance of guidelines that define what should be included in the compliance progam of a nursing facility. 

It is unclear how the failure of CMS to issue regulations will impact enforcement in this area.  The statute requires effective compliance programs to be in place by March 23, 2013 regardless of whether regulations are released.  Compliance programs are now a “condition of participation” that can be cited in survey reports.  Directions to survery agencies on this issue is not clear, but it is possible that citations could be issued in this area.  Additionally, if a nursing facility is contemplating a transaction, it is likely that the failure to have a compliance program in place by March 23, 2013 will arise in the course of due diligance.

Remember that it is not enough to simply have the appropriate compliance documents in place.  The compliance program must be demonstrated (and certified) to be “effective.”  Documents alone cannot make a compliance program “effective.”  Compliance program effectiveness requires a specific anlysis of both the content and operation of the compliance program.  Compliance programs that do not have a track record of effective operation cannot be considered to be “effective.”  Organizations need to consider what backup they plan to create to meet the certification requirements under PPACA.  Nursing facilities that do not have compliance programs in place need to address this deficiency immediately.  Those that have compliance programs in place need to assess the effectiveness of their programs.  In either event, experienced compliance counsel should be consulted to determine hat is required in order to meet the statutory mandate.

Ruder Ware offers a full range of compliance attorney services.  Health care attorney John Fisher is certified in Health Care Compliance and Corporate Compliance and Ethics and is one of a handful of attorneys in private practice in the country to hold this dual compliance certification.  You can contact Mr. Fisher through the Ruder Ware web site or through the “Contact” section of this blog.

Supreme Court Says “Game On” for Mandatory Compliance Programs

Compliance programs were made mandatory for all providers as a condition of participation in the Medicare program under the patient protection and affordable care act of 2010. With the recent Supreme Court decision upholding the affordable care act,  any uncertainty as to whether the mandatory compliance programs will become a reality has been lifted.

The affordable care act also required the CMS to promulgate regulations that establish the core elements for providers and suppliers to meet with respect to the mandatory compliance programs. CMS is authorized to determine the timing and core elements of the required compliance programs. The first industry segment that are required to adopt compliance programs are nursing facilities which must comply with mandatory compliance program requirements by March 23, 2013. However, CMS missed it statutory deadline (March 23, 2012) for promulgating detailed regulations to guide nursing facilities in the creation of compliance programs. It is expected that these regulations as well as the requirements for other providers will be forthcoming soon now that the Supreme Court has upheld the Affordable Care Act.

The Office of Inspector General has in the past issue compliance program guidance for various industry segments.  We can expect at least some of these requirements to be part of the regulatory clarification coming from CMS under its authority to enforce mandatory compliance programs. We can also expect additional requirements to be added based upon a parallel recent promulgation from CMS that is applicable to Medicare advantage managed-care plans and prescription drug part D plan entities. Although not directly applicable to organizations other than Medicare Advantage Programs and Part D prescription drug programs, the regulatory proposals are instructive of the current thinking of CMS with respect to required elements of compliance programs.

Some key elements of the recent regulatory proposal which were not included in previous OIG compliance program guidance include:

•  A strong recommendation that there be standardized process for the governing body to review the compliance program documents at least annually. Current guidance is much more permissive and only suggests periodic reviews. The new regulations would require a complete effectiveness review and a detailed “gap analysis” to the Board of Directors on an at least an annual basis.
• More details concerning distribution of standards of conduct and policies and procedures to new employees. The new proposed regulations required distribution of these materials within 90 days of initial hire and at least annually thereafter.  Distribution of policies and procedures will be an “obligation” rather than simply a “suggestion” once the new proposed regulations are finalized.
•  The proposed regulations contain the clearest statement to date from CMS that “dual role” compliance officers, where the compliance officer is also the CFO, CEO or General Counsel, present a built-in conflict of interest and are not permitted. This has been a controversial topic in the past as many organizations still maintain their general counsel as their compliance officer. If the recent proposed regulations are any indication, many “dual role” compliance officers will be the way of the past. It appears that it will still be permissible for divisional  managers, such as quality assurance managers, to act in a dual role. However, operational management will not be permitted to act in his rules. This clearly includes CFOs, COOs and General Counsel who are specifically mentioned in the proposed regulations

There are many additional details that are contained in the most recent proposed regulations. There’s every indication that these proposed regulations are a foreshadowing of the eventual requirements that CMS will release under the mandatory compliance program authority that will be applicable to other providers such as nursing homes, physician groups, hospice, DME providers and other health care providers.

In view of these pending requirements and in light of the apparent expansion of compliance program requirements that is being hinted at by CMS,  providers should conduct an effectiveness review of their compliance programs now and begin the ongoing process of conducting such reviews on an at least an annual basis.  Reviews should be conducted with the requirements of the new proposed regulations in mind.

Small organizations, such as physician practices and smaller healthcare organizations should begin immediately to implement scalable compliance program structures that are focused on the specific risk areas that affect their organizations and begin to create an infrastructure for an effective compliance program.

 Organizations who still have their General Counsel, CFO, or COO acting as their compliance officer should begin to set the stage to undo that structure.  A separate office of Chief Compliance Officer should be created and separately budgeted.  The CCO should have autonomy from other operational offices and should have direct access to the Board of Directors, a Compliance Committee and the CEO.  This issue can be politically difficult within an organization and should be addressed soon rather than later.  Ultimately, this is an issue that must be firmly addressed by the Board of Directors under its responsibility to oversee the compliance program.

DEA Waivers Necessary For Access To Controlled Substances

What is a “Convicted Felon” in the Eyes of the DEA

Most health care providers have implemented some sort of screening process for new employees, contractors and medical staff members.  The screening process usually involves some sort of criminal background check along with review of the OIG and GSA exclusion lists.

One aspect of criminal background checks is rarely discussed and involves individuals who will have “access to controlled substances.”  The Drug Enforcement Agency has rules that prohibit any DEA registrant from employing, as an employee or agent, any party who has ever been “convicted” of a felony involving controlled substances.  No such person may ever be employed in a position where they will have “access to controlled substances” unless a waiver is obtained from the Administrator of the DEA.

I placed a few of the operative terms in quotes above for a reason.  The exact definitions of these the terms “convicted of a felon'” and “access to controlled substances” is what makes application of this rule rather tricky.  The first angle involves whether or not a potential employee, staff physician or other has had a “felony conviction” involving controlled substances.  Oftentimes someone who is accused of a drug related crime under state law will plead “no contest” to a felony but the terms of the sentence will provide that the severity of the sentence will be reduced to a misdomeaner, or sometimes even dismissed, upon completion of terms of probation.  If the terms of probation are successfully completed, a subsequent criminal record search may come up with the action having been dismissed or reduced to a misdemeanor.  No issue, right?  Common sense would dictate that there is no felony conviction and the individual can be employed. 

Wrong.  The DEA rules consider there to have been a felony conviction even though the charges may have eventually been dismissed or reduced.  This is applicable whenever there is a plea of “no contest” or “nolo contendre.”  The DEA considers these please to be an admission of and a conviction of a felony offense.  This can be highly problematic for a health care provider who is doing a record search and comes upon a case that may show up as a misdemeanor or having been dismissed.  The provider must look further to determine whether the event could still be considered to be a felony by the DEA.  If it is considered to be a felony, a Waiver must be sought from the DEA to employ or otherwise permit that individual to use the provider’s facilities.  Waivers can be difficult and costly to obtain.  There are no regulations guiding the process and the final decision is in the sole discretion of the Administrator of the DEA.  There are no meaningful appeal rights.

Another thing that should be pointed out is that once a person is convicted of a felony (as defined by the DEA) that involves controlled substances, the issue carries along with the individual forever.  A waiver only applies to a specific facility.  The employee has no standing to apply for a waiver request.  Every place that the employee wishes to work in the future will need to obtain a waiver.

It should be clarified that a waiver is only required if the individual will have “access to controlled substances.”  This is the second definition that becomes important.  There does not appear to be any regulation or case that defines when an individual is considered to have “access to controlled substances.”  The DEA takes a fairly broad view that would generally prohibit any direct patient care.  Practicing medicine in a hospital and most other settings is likely excluded.  However, this definition probably does not extend to administrative tasks that do not involve seeing patients or being located in areas of the facility that do not hold controlled substances.  Yet, the fact that there is no clear definition of “access to controlled substances” makes this rule very difficult to apply in a specific, practical situation.

The takeaway from all of this is that compliance departments, human resource departments, and credentialing departments may need to take a fresh look at this issue to be certain that they have systems in place to flag cases described in this article.  The DEA may consider even a youthful drug conviction, that shows up as a dismissal or a misdemeanor on a criminal background check to be a felony.  If the event is considered to be a felony, a health care organization cannot employ the individual in a position to have access to controlled substances without first obtaining a waiver from the DEA.

Compliance Program Development and Effectiveness Review

John Fisher, JD, CHC

A significant part of our health law practice involves the creation, implementation, and review of compliance programs for health care providers.  Some of our compliance practice is devoted to institutional provides such as hospitals, health systems and nursing homes.  We are increasingly advising our smaller health care clients, such as physician groups, home health agencies and other providers on establishing appropriate compliance programs.  The entire health care industry is trending toward the adoption of compliance programs spurred on by a true desire to reduce risk as well as recent legal changes that mandate the adoption of compliance programs for most health care providers.

We have made a major firm committment to our compliance practice.  Health care attorney John Fisher recently obtained national certification in health care compliance through the Health Care Compliance Association.  We have assembled a team attorneys with various legal backgrounds, including health law, employment law, non-profit tax law and other areas to complement Mr. Fisher’s focus on compliance issues faced by health care providers.

We provide compliance program development and review services to hospitals, individual physicians and group practices, dental groups, chiropractic groups, home health agencies, skilled nursing facilities, durable medical equipment suppliers, ambulance providers, therapy clinics, ambulatory surgery centers, and behavioral health care providers.  We assist providers in conducting internal audits, internal investigations, compliance program gap analysis and effectiveness reviews. We have also assisted providers who are the subject of reviews by institutions where they may be employed or have staff privileges.

Examples of some of our compliance program related involvement in the health care area include:

• Conducting effectiveness reviews and making suggestions for enhancements to existing compliance programs.
• Working with governing bodies to develop initial compliance programs.
• Advising compliance officers and governance with respect to ongoing monitoring and auditing.
• Assisting providers to conduct internal audits and assessments.
• Assisting providers to focus on specific risk areas that may affect their practices.
• Assisting providers in the reacting to compliance reports including investigations and corrective action plan development.
• Conducting detailed compliance related research in the course of acquisitions of other providers.
• Creating programs that leverage existing resources and expertise into an enterprise management system addressed at compliance issues.
• Compliance Programs Are An Essential Element of Health Care Operations

Effective compliance programs have become an essential element of an effective regulatory risk reduction program.  The importance of compliance programs have been repeatedly emphasised by government officials over the past decade.  Recently, Marilyn Tavenner, Acting Administrator of the Centers for Medicare & Medicaid Services (CMS) released a brief article on the CMS Blog emphasizing the use of “predictive modeling” technologies to identify specific providers that warrant further investigation.  The Acting Administrator touts that predictive modeling has already identified 2,500 leads for further investigation, 600 preliminary law enforcement cases, and 400 direct interviews with providers that have taken place due to the use of predictive modeling.

The 2012 Office of Inspector General Annual Work Plan also referred to new methods and programs to detect potential billing anomolies.  The OIG states that it will be using data matching programs to identify not only providers who are at a high risk of having incorrect billings, but also providers who have low risk.  The OIG claims that it will be examining both types of providers to determine the impact that compliance program operations have on the accuracy of billings.  This is alarming because it means that the OIG will be eamining the operations of compliance programs who show low risk of billing anomolies.

The Coming of Mandatory Compliance Programs

The PPACA created the concept of mandatory compliance programs for most providers.  Nursing homes are first on the list and must certify that they have an effective compliance program by 2013.  We are expecting additional regulations on what constitutes and effecive compliance progam as well as specific timelines defining when other provider types will be required to adopt compliance programs as a condition of participation in the Medicare and Medicaid programs.

Compliance Programs – One Size Does Not Fit All

The OIG Guidance on Compliance Programs as well as the Federal Sentencing Guidelines make it clear that one size does not fit all when it comes to compliance program development.  An effective compliance program needs to be strategically developed based on identification of the risk factors that are specific to the size and nature of the organization.  It is not prudent to simply copy the policies of another organization and adopt them as your own.  You should create a structure as well as topical policies that reflect the nature of your particular organization; sometimes right down to the personalities that are involved in the various aspects of your operations.

There are certain core principals that will be common to all compliance programs.  However, your program should be appropriately scaled to the size and resources of your organization.  I am not suggesting that you fail to allocate sufficient resources to compliance.  Decisions regarding allocation of resources are difficult but must be addressed.  At the same time, you do not want to develop policies that you will never have the resources to appropriately follow.  This carries the risk of creating a “Roadmap” that demonstrators to investigators the things that you are NOT doing.  Policies that you do not follows are argueably worse than having no policies at all; at least in some areas.

Mandatory Compliance Programs – Is Your Practice Ready?

The Office of Inspector General has encouraged health care providers to adopt compliance programs since the late 1990s.  Most larger organizations have implemented compliance programs as a way to detect and mitigate risk of non-compliance and to reduce penalties if a problem is detected.  However, many smaller providers, such as physician practices, have not adopted any type of formal compliance program.  The Patient Protection and Affordable Care Act (the “PPACA”) makes compliance programs mandatory for the first time  for all suppliers and healthcare providers enrolled in federal healthcare programs. Providers of all sizes will be required to certify that they have an effective compliance program in place as a condition of participation of federal healthcare programs.

The Office of Inspector General is charged with issuing regulations that define the core elements that providers must implement in order to certify compliance with the mandatory compliance program requirement.  The first set of regulations have been issued relative to nursing home who must certify their compliance programs as of 2013.  Regulations addressed at other provider types have not yet been issues but are expected soon. We can expect that the regulations will be similar to the guidance that has been provide by the OIG covering various industry sectors over the years.

Requirements for nursing home compliance plans have been released.  The nursing home regulations require the following:

• The adoptions of formal written compliance policies, standards and procedures that are effective at reducing the risk of compliance violations.
• The assignment of compliance responsibility to a Specific individual within the organization.  The individual should be a high ranking member of the management team and should report directly to the governing body.
• The compliance program must be adequately funded to assure its proper operations.
• Systems must be put in place to assure that authority is not delegated to individuals who may show a propensity to commit compliance violations.  For example, a program should be put in place to screen employees, staff members, vendors and others against OIG and GSA exclusions lists.
• The program elements and the ability to report compliance violations must be stressed and an atmosphere of compliance should be created.
• A strong system of anti-retaliation for individuals reporting compliance concerns must be maintained and communicated throughout the organization.
• Effective communication of the standards and procedures to all employees and required participation in training programs.
• Systems of monitoring and auditing should be put in place to help detect potential practices that could lead to compliance violations.
• Disciplinary processes must be maintained in order to enforce the compliance program.  Discipline should be coordinated with existing policies and procedures regarding employee discipline.
• The compliance program should “learn from itself.”  In other words, systems of corrective actions should be put in place that includes revisions of policies and procedures based on compliance concerns that are detected or reported.
• Continued review of the effectiveness of the compliance program should be undertaken.  Simply having a compliance program in place is not sufficient.  The organization must assure that the program is effective by continually reassessing and testing the program.

The exact date that compliance programs will become mandatory is not yet certain.  Nevertheless, enforcement activity is on a rise.  Prudent providers will take proactive efforts to reduce their compliance risks.  This includes that creation of an effective compliance program that is specifically tailored to the compliance risks associated with the specific provider.  Many smaller providers have never contemplated creating such a program in the past.  Mandatory requirements, increased enforcement activities and penalties, are all factors forcing providers to take proactive steps to reduce their exposure.  This creates a disproportionate burden on smaller providers such as small group practices.  At the same time, the OIG has in the past recognized that smaller organizations do not need to go to the same extremes as larger systems to meet their compliance obligations.  In other words, compliance programs are permitted to have a degree of scalability and allow for the size and resources of the organization.  It is critical for small providers to know where to place their compliance resources.  A “shotgun” approach will provide very little benefit.  Creating an overbroad plan that can never be operationalized does nothing more than create a roadmap leading authorities to the actions that your organization is not taking.

It is most prudent for providers of all sizes to have some level of compliance plan in place sooner rather than later.  A well focused plan scaled to your biggest risk areas is much better than a robust plan that you can never operationalize.  The point is to start with your compliance efforts and build upon them as time passes and new risk areas are identified.  Your plan should be structured to operationalize the identification of risk areas and address them as they arise in your practice.

Mandatory Compliance Programs Under the Affordable care Act

Now Is The Time To Re-Examine Compliance “Best Practices” In Your Organization

Historically, compliance programs have not been per se mandatory.  However, most larger health care organizations have established formal compliance programs to foster an atmosphere of compliance and to take advantage of possible benefits under the Federal Sentencing Guidelines.  The Patient Protection and Affordable Care Act of 2010 has made compliance programs mandatory for many providers.  The exact scope of what type of provider will be required to establish formal compliance programs has not yet been set in stone by the Office of Inspector General.  However, it can probably be expected that most providers will be required to formalize their compliance efforts.

Institutional health care compliance has been growing for well over a decade now.  Compliance is becoming of major importance to health care providers of all nature and size.  The OIG has promoted compliance programs by releasing compliance guidance covering a number of industries, including billing companies, physician practices, hospitals, home health agencies, long term care facilities, ambulatory surgery centers and others.  Smaller providers who have previously not had the establishment of formal compliance programs on their radar will now be required to adopt formal plans.

It is not enough to simply adopt a compliance plan, place it on a shelf, and let it collect dust.  A compliance program requires active monitoring.  There are seven basic elements that are necessary for a compliance program to meet regulatory requirements and the requirements under the Federal Sentencing Guidelines.  The seven primary elements of an effective compliance program include:

1)      The establishment of written compliance policies and procedures;

2)      The designation of a high ranking individual within the organization to serve as compliance officer;

3)      The establishment of an effective training and education program for all levels of personnel;

4)      The establishment of effective lines of communication, such as a compliance hotline,  to enable individuals within the organization to report compliance breaches;

5)      Performing ongoing internal auditing and monitoring

6)      The creation of a system that enforces breaches of the compliance program including appropriate discipline and corrective measures

7)      The establishment of effective measures to respond to compliance problems that are detected.

 An effective compliance program establishes an atmosphere of compliance that permeates the entire organization.  A compliance program should be tailored to the specific circumstances of the provider.  The program should also feed and grow on itself.  As problems are detected appropriate changes should be made to the program and related policies and procedures.

 Mandatory compliance programs also highlight the importance of compliance on larger institutions who may have already adopted formal programs.  These institutions should take the signal that compliance is of growing importance.   Providers who have already adopted compliance plans should take the opportunity to dust them off and re-examine the role of compliance within their organization.  Now is the time to increase the focus on compliance and assure that compliance is an active system rather than a written plan that is sitting on the shelf.

Best Practices In Compliance Program Operation

 Given the increased importance of compliance, it is helpful to for providers to get a feel for what constitutes “best practice” when operating a compliance program.  “Best Practices” is a term that is thrown around all of the time in the business world.  It is used in many contexts and takes on a variety of meanings depending on who is using it and for what purpose.  Wikipedia defines “best practices” as follows:

Best practices are generally-accepted, informally-standardized techniques, methods or processes that have proven themselves over time to accomplish given tasks. Often based upon common sense, these practices are commonly used where no specific formal methodology is in place or the existing methodology does not sufficiently address the issue. The idea is that with proper processes, checks and testing, a desired outcome can be delivered more effectively with fewer problems and unforeseen complications. In addition, a “best” practice can evolve to become better as improvements are discovered.  Best practice is considered by some as a business buzzword, used to describe the process of developing and following a standard way of doing things that multiple organizations can use.  http://en.wikipedia.org/wiki/Best_practice

As I was thinking about the concept of “best practices” in health care compliance, the Wikipedia definition seems to fall al little bit short of what I would have in mind when discussing “best practices” in health care compliance programs.

The Miriam-Webster Dictionary defines “Best” as the superlative form of “good.”  “Best” means “excelling all others” and “offering or producing the greatest advantage, utility, or satisfaction.”  I believe that the definition from Wikipedia is an accurate depiction of what the term “best practices” has become in the business world.  The term has been thrown around loosely to the  point that is no longer carries the meaning of the plain words that make up the two word “buzzword.”

In the health care compliance context, I believe that it is not advisable to direct you efforts toward the standard “buzzword” meaning of “best practices.”  Instead, you should focus toward attempting to achieve the meaning of “best practices” that is tied to the superlative form of the word “good.”  You should not focus on the “we are doing what everyone else is doing” or the “what we are doing will pass by in most cases” version of best practices when looking at your compliance plan.  The consequences of that approach could easily come back to bite you in the superlative.

 In reality, you may never be able to meet the truly “best” standard.  However, the point of the compliance program requirement is that you are trying to make your compliance program and your organization “the best” when it comes to compliance.  Here are a few tips to help you attempt to meet the “best practices” standard:

 1.         Act as if you are under a Corporate Integrity Agreement.  Always assume that the government is looking over your shoulder and that you will be called upon at some point to justify the effectiveness of your compliance program.

2.         Follow the government guidelines to the tee.  Familiarize yourself with the Federal Sentencing Guidelines and OIG Industry Guidance and integrate these requirements into your compliance plan.

3.         Keep up with government releases, speeches, regulations, comments, advisory opinions, and all other communication that help to define your obligations.

4.         Make your compliance plan a “living and breathing” documents that is continually up for revision based on specific things that you learn about your specific organizations.

5.         Make sure your compliance officer focuses on compliance and does not wear other hats that compete for time, attention or perspective.

6.         Make certain that sufficient resources are devoted to compliance.  Adopt the view that it is better to spend money on compliance that to pay for mistakes down the road.

 If there is any area where you are not able to achieve “best practices” for financial or other reasons, be prepared to justify your shortcomings.  Key to all of this is to operate as if you will someday be required to defend the effectiveness of your compliance program.  In all likelihood you will someday be in exactly that position given the current state of the health care industry and mentality of the governmental agencies that are charged with enforcement.

 These are just a few tips to get you thinking about your compliance approach.  Health care reform has made compliance programs mandatory for the first time.  There are also multiple indications that the government wants organizations to devote more to compliance as a way to save health care costs.  It is clearly time for organizations of all types and sizes to re-focus their efforts on compliance within their organizations.

Health Care Compliance Officer and Legal Counsel Relationships

Should Compliance and Counsel Functions Be Separated?

There is a current debate within the health care industry about the relative roles of the Chief Compliance Officer (CCO) and Legal Counsel.  More specifically, questions are raised regarding whether the Legal Counsel should serve the dual role of legal counsel and compliance officer and whether the primary compliance officer can report through legal counsel.  There are arguments on both sides.  This is an extremely important issue to many organizations.  As such, I will be devoting several articles to the various aspects of this issue over the next several weeks.

In all but the very smallest organizations that clearly cannot absorb the cost of two separate functions, it presents increased compliance risk to the organization for the legal counsel to also be the prime individual responsible for compliance within the organization.

Dividing the compliance and legal counsel functions is clearly the “best practice” when it comes to organizational compliance. This conclusion is supported by comments from the Office of Inspector General (OIG), a consistent reading the the Federal Sentencing Guidelines (FSG), the position taken by the government in Corporate Integrity Agreement fraud and abuse settlements, and by the general ethical standards that apply to the general counsel.

The case for dividing the functions of legal counsel and compliance officer and creating a separate Compliance Office with direct line of authority to the Board or a Committee of the Board is quite compelling.  In fact, many organizations who had previously run the compliance role through the office of general counsel are now reviewing that practice and are making changes to their organizational structure and compliance plans.

A study done by the American Health Lawyers Associations and the Office of Inspector General in 2004 found that at that time, only 20% of the health care organizations that were polled had their compliance function under the authority of the Legal Counsel’s office.  It is safe to say that in view of more recent pronouncements by the OIG and by comments made in the Compliance Guidance for Hospitals that was released in 2005, the percentage of “dual role” organizations is now less than that figure.

The first source to be examined when defining the role of the compliance officer within an organization is the Federal Sentencing Guidelines.  The FSG do not specifically mention a compliance officer per se, but require that the compliance and ethics program be assigned to “high-level” personel.  When organizations first began creating compliance programs in response to the Federal Sentencing Guidelines, oftentimes the responsibility was assigned to the legal counsel.  This seemed to be a natural outgrowth of the function of the office of legal counsel.  In that regard, it made organizational sense because the office of legal counsel had resources and personnel in place to implement the compliance program without creating an entire new organizational division.

Over time, the assignment of compliance functions to the legal counsel began to raise questions.  Concerns were raised as to whether the legal counsel was in fact a “high level” personnel.  Additionally, questions were raised as to the degree that giving the legal counsel the dual role of compliance officer and legal counsel sufficiently conveyed the appearance of the importance that the organization placed on compliance.  As a result, some lawyers and compliance experts began to question whether creating a “dual role” compliance officer put the organization at risk of not receiving the benefits afforded under the Federal Sentencing Guidelines if the organization was ever in a position to need these benefits.

The Office of Inspector General has made its position clear that legal counsel should not exercise a dual role.  An examination of many of the recent Corporate Integrity Agreements that have been entered between providers and the OIG clearly demonstrate the OIG’s position on this matter.  Most CIAs outline the role and position of the compliance officer in the organization.  The standard language being used by the OIG is as follows:

“The Compliance Officer shall be a member of senior management of [Provider], shall make periodic (at least quarterly) reports regarding compliance matters directly to the Board of Directors of [Provider], and shall be authorized to report on such matters to the Board of Directors at any time.  The Compliance Officer shall not be or be subordinate to the General Counsel or Chief Financial Officer. [Emphasis Added]

Although the Sentencing Guidelines do not affirmatively address dual role situations, Commentary to the Sentencing Guidelines state that “applicable industry practice or the standards called for by any applicable governmental regulations” are factors to be considered.  Failure to follow these standards “weighs against a finding of an effective compliance and ethics program.”

At the same time, both the Sentencing Guidelines and the OIG Compliance Guidance recognize that the size of the organizations a factor in judging the level of compliance.  This recognizes that in cases where the organization is small and fewer resources are available, the organization can meet its obligations without necessarily creating a structure that separates the roles between the legal counsel and the compliance office.  However, there is no precise definition as to whether an organization is a “small organization” that can fulfill its compliance functions in less formal ways or a “large organization” which will be expected to devote suitable resources to create a completely separate compliance function.

This uncertainty leave an organization’s board of directors without precise guidance concerning an appropriate structure given the size and nature of its organization.  At the same time, best practices, given available resources, is to separate the compliance and legal counsel functions.  The potential consequences of failing to use an appropriate structure for the size of the organization is increased penalties in the event of an event of organizational criminal misconduct; so the consequences can be quite serious.