Mandatory Compliance Programs Under the Affordable care Act

Now Is The Time To Re-Examine Compliance “Best Practices” In Your Organization

Historically, compliance programs have not been per se mandatory.  However, most larger health care organizations have established formal compliance programs to foster an atmosphere of compliance and to take advantage of possible benefits under the Federal Sentencing Guidelines.  The Patient Protection and Affordable Care Act of 2010 has made compliance programs mandatory for many providers.  The exact scope of what type of provider will be required to establish formal compliance programs has not yet been set in stone by the Office of Inspector General.  However, it can probably be expected that most providers will be required to formalize their compliance efforts.

Institutional health care compliance has been growing for well over a decade now.  Compliance is becoming of major importance to health care providers of all nature and size.  The OIG has promoted compliance programs by releasing compliance guidance covering a number of industries, including billing companies, physician practices, hospitals, home health agencies, long term care facilities, ambulatory surgery centers and others.  Smaller providers who have previously not had the establishment of formal compliance programs on their radar will now be required to adopt formal plans.

It is not enough to simply adopt a compliance plan, place it on a shelf, and let it collect dust.  A compliance program requires active monitoring.  There are seven basic elements that are necessary for a compliance program to meet regulatory requirements and the requirements under the Federal Sentencing Guidelines.  The seven primary elements of an effective compliance program include:

1)      The establishment of written compliance policies and procedures;

2)      The designation of a high ranking individual within the organization to serve as compliance officer;

3)      The establishment of an effective training and education program for all levels of personnel;

4)      The establishment of effective lines of communication, such as a compliance hotline,  to enable individuals within the organization to report compliance breaches;

5)      Performing ongoing internal auditing and monitoring

6)      The creation of a system that enforces breaches of the compliance program including appropriate discipline and corrective measures

7)      The establishment of effective measures to respond to compliance problems that are detected.

 An effective compliance program establishes an atmosphere of compliance that permeates the entire organization.  A compliance program should be tailored to the specific circumstances of the provider.  The program should also feed and grow on itself.  As problems are detected appropriate changes should be made to the program and related policies and procedures.

 Mandatory compliance programs also highlight the importance of compliance on larger institutions who may have already adopted formal programs.  These institutions should take the signal that compliance is of growing importance.   Providers who have already adopted compliance plans should take the opportunity to dust them off and re-examine the role of compliance within their organization.  Now is the time to increase the focus on compliance and assure that compliance is an active system rather than a written plan that is sitting on the shelf.

Best Practices In Compliance Program Operation

 Given the increased importance of compliance, it is helpful to for providers to get a feel for what constitutes “best practice” when operating a compliance program.  “Best Practices” is a term that is thrown around all of the time in the business world.  It is used in many contexts and takes on a variety of meanings depending on who is using it and for what purpose.  Wikipedia defines “best practices” as follows:

Best practices are generally-accepted, informally-standardized techniques, methods or processes that have proven themselves over time to accomplish given tasks. Often based upon common sense, these practices are commonly used where no specific formal methodology is in place or the existing methodology does not sufficiently address the issue. The idea is that with proper processes, checks and testing, a desired outcome can be delivered more effectively with fewer problems and unforeseen complications. In addition, a “best” practice can evolve to become better as improvements are discovered.  Best practice is considered by some as a business buzzword, used to describe the process of developing and following a standard way of doing things that multiple organizations can use.  http://en.wikipedia.org/wiki/Best_practice

As I was thinking about the concept of “best practices” in health care compliance, the Wikipedia definition seems to fall al little bit short of what I would have in mind when discussing “best practices” in health care compliance programs.

The Miriam-Webster Dictionary defines “Best” as the superlative form of “good.”  “Best” means “excelling all others” and “offering or producing the greatest advantage, utility, or satisfaction.”  I believe that the definition from Wikipedia is an accurate depiction of what the term “best practices” has become in the business world.  The term has been thrown around loosely to the  point that is no longer carries the meaning of the plain words that make up the two word “buzzword.”

In the health care compliance context, I believe that it is not advisable to direct you efforts toward the standard “buzzword” meaning of “best practices.”  Instead, you should focus toward attempting to achieve the meaning of “best practices” that is tied to the superlative form of the word “good.”  You should not focus on the “we are doing what everyone else is doing” or the “what we are doing will pass by in most cases” version of best practices when looking at your compliance plan.  The consequences of that approach could easily come back to bite you in the superlative.

 In reality, you may never be able to meet the truly “best” standard.  However, the point of the compliance program requirement is that you are trying to make your compliance program and your organization “the best” when it comes to compliance.  Here are a few tips to help you attempt to meet the “best practices” standard:

 1.         Act as if you are under a Corporate Integrity Agreement.  Always assume that the government is looking over your shoulder and that you will be called upon at some point to justify the effectiveness of your compliance program.

2.         Follow the government guidelines to the tee.  Familiarize yourself with the Federal Sentencing Guidelines and OIG Industry Guidance and integrate these requirements into your compliance plan.

3.         Keep up with government releases, speeches, regulations, comments, advisory opinions, and all other communication that help to define your obligations.

4.         Make your compliance plan a “living and breathing” documents that is continually up for revision based on specific things that you learn about your specific organizations.

5.         Make sure your compliance officer focuses on compliance and does not wear other hats that compete for time, attention or perspective.

6.         Make certain that sufficient resources are devoted to compliance.  Adopt the view that it is better to spend money on compliance that to pay for mistakes down the road.

 If there is any area where you are not able to achieve “best practices” for financial or other reasons, be prepared to justify your shortcomings.  Key to all of this is to operate as if you will someday be required to defend the effectiveness of your compliance program.  In all likelihood you will someday be in exactly that position given the current state of the health care industry and mentality of the governmental agencies that are charged with enforcement.

 These are just a few tips to get you thinking about your compliance approach.  Health care reform has made compliance programs mandatory for the first time.  There are also multiple indications that the government wants organizations to devote more to compliance as a way to save health care costs.  It is clearly time for organizations of all types and sizes to re-focus their efforts on compliance within their organizations.

Health Care Compliance Officer and Legal Counsel Relationships

Should Compliance and Counsel Functions Be Separated?

There is a current debate within the health care industry about the relative roles of the Chief Compliance Officer (CCO) and Legal Counsel.  More specifically, questions are raised regarding whether the Legal Counsel should serve the dual role of legal counsel and compliance officer and whether the primary compliance officer can report through legal counsel.  There are arguments on both sides.  This is an extremely important issue to many organizations.  As such, I will be devoting several articles to the various aspects of this issue over the next several weeks.

In all but the very smallest organizations that clearly cannot absorb the cost of two separate functions, it presents increased compliance risk to the organization for the legal counsel to also be the prime individual responsible for compliance within the organization.

Dividing the compliance and legal counsel functions is clearly the “best practice” when it comes to organizational compliance. This conclusion is supported by comments from the Office of Inspector General (OIG), a consistent reading the the Federal Sentencing Guidelines (FSG), the position taken by the government in Corporate Integrity Agreement fraud and abuse settlements, and by the general ethical standards that apply to the general counsel.

The case for dividing the functions of legal counsel and compliance officer and creating a separate Compliance Office with direct line of authority to the Board or a Committee of the Board is quite compelling.  In fact, many organizations who had previously run the compliance role through the office of general counsel are now reviewing that practice and are making changes to their organizational structure and compliance plans.

A study done by the American Health Lawyers Associations and the Office of Inspector General in 2004 found that at that time, only 20% of the health care organizations that were polled had their compliance function under the authority of the Legal Counsel’s office.  It is safe to say that in view of more recent pronouncements by the OIG and by comments made in the Compliance Guidance for Hospitals that was released in 2005, the percentage of “dual role” organizations is now less than that figure.

The first source to be examined when defining the role of the compliance officer within an organization is the Federal Sentencing Guidelines.  The FSG do not specifically mention a compliance officer per se, but require that the compliance and ethics program be assigned to “high-level” personel.  When organizations first began creating compliance programs in response to the Federal Sentencing Guidelines, oftentimes the responsibility was assigned to the legal counsel.  This seemed to be a natural outgrowth of the function of the office of legal counsel.  In that regard, it made organizational sense because the office of legal counsel had resources and personnel in place to implement the compliance program without creating an entire new organizational division.

Over time, the assignment of compliance functions to the legal counsel began to raise questions.  Concerns were raised as to whether the legal counsel was in fact a “high level” personnel.  Additionally, questions were raised as to the degree that giving the legal counsel the dual role of compliance officer and legal counsel sufficiently conveyed the appearance of the importance that the organization placed on compliance.  As a result, some lawyers and compliance experts began to question whether creating a “dual role” compliance officer put the organization at risk of not receiving the benefits afforded under the Federal Sentencing Guidelines if the organization was ever in a position to need these benefits.

The Office of Inspector General has made its position clear that legal counsel should not exercise a dual role.  An examination of many of the recent Corporate Integrity Agreements that have been entered between providers and the OIG clearly demonstrate the OIG’s position on this matter.  Most CIAs outline the role and position of the compliance officer in the organization.  The standard language being used by the OIG is as follows:

“The Compliance Officer shall be a member of senior management of [Provider], shall make periodic (at least quarterly) reports regarding compliance matters directly to the Board of Directors of [Provider], and shall be authorized to report on such matters to the Board of Directors at any time.  The Compliance Officer shall not be or be subordinate to the General Counsel or Chief Financial Officer. [Emphasis Added]

Although the Sentencing Guidelines do not affirmatively address dual role situations, Commentary to the Sentencing Guidelines state that “applicable industry practice or the standards called for by any applicable governmental regulations” are factors to be considered.  Failure to follow these standards “weighs against a finding of an effective compliance and ethics program.”

At the same time, both the Sentencing Guidelines and the OIG Compliance Guidance recognize that the size of the organizations a factor in judging the level of compliance.  This recognizes that in cases where the organization is small and fewer resources are available, the organization can meet its obligations without necessarily creating a structure that separates the roles between the legal counsel and the compliance office.  However, there is no precise definition as to whether an organization is a “small organization” that can fulfill its compliance functions in less formal ways or a “large organization” which will be expected to devote suitable resources to create a completely separate compliance function.

This uncertainty leave an organization’s board of directors without precise guidance concerning an appropriate structure given the size and nature of its organization.  At the same time, best practices, given available resources, is to separate the compliance and legal counsel functions.  The potential consequences of failing to use an appropriate structure for the size of the organization is increased penalties in the event of an event of organizational criminal misconduct; so the consequences can be quite serious.