Healthcare Compliance Programs: The Basics
You are now in charge of putting in place a compliance program for your healthcare company. You start from the beginning. You have just left a company where you designed and implemented an FCPA compliance program. Can you transfer any of those components or skills?
You will quickly learn that the compliance principles share a striking resemblance to each other. For starters, the US Sentencing Guidelines apply and your framework for working will be much the same. The Guidelines list minimum requirements which apply in both situations. These standards are a necessary starting point, but they are only part of the story.
More specific requirements have been outlined by the Centers for Medicare and Medicaid Services (CMS). The Healthcare Reform bill mandated that all providers participating in CMS must adopt a compliance program as directed by CMS regulations. Those regulations have not been issued. The HHS Office of Inspector General, however, has issued guidance on compliance programs, and it should be consulted as a good reference.
The Basic Seven Elements of a compliance program are:
• Compliance Officer
• Internal Monitoring and Audits
• Written Standards and Policies
• Training and Education Programs
• Open Lines of Communication
• Respond to Detected Problems
• Disciplinary Standards
Before starting a program, it makes sense to examine the risks your business faces by conducting a compliance risk inventory and assessment. In addition, you need to designate a compliance and/or ethics officer. The compliance officer must have the necessary resources, and top management support. Having the person report to an independent committee of the board helps achieve this goal. In addition to a compliance officer, there should be supporting structure, such as a multi-departmental compliance committee.
The compliance officer needs to design and implement standards and procedures for compliance. Companies typically start with codes of conduct. But more specific standards and procedures have to be designed, including controls, education and training, communication, response to violations and disciplinary measures, as well as monitoring.
With respect to education and training, the compliance officer needs to work closely with subject matter experts to assign specific support roles and responsibilities. Training is used to focus management and employees on key risk areas. Physician training is critical. Training records must be maintained and audited to ensure participation by everyone.
The oversight of the compliance program requires participation by the board, the audit committee (or compliance committee if one exists), compliance officers who exist throughout the organization and subject matter experts. It is important to share responsibilities and encourage buy-in as much as possible.
Critical to the oversight process are the auditing and monitoring functions. The compliance officer needs to distinguish between auditing and monitoring. An annual plan is developed from the risk assessment and includes reviewing prior audits. Monitoring is an effective way to detect potential problems before they grow into major problems. For audits to be credible, the auditors need some degree of independence. It is important to measure what you are doing. Is the training working? Is the program reaching people?
Companies use surveys, focus groups, deep dives and other study techniques to measure the impact of their programs. As for reporting systems, some companies have internal helplines, and others use outside professional services. Companies are also using online reporting systems.
Reporting potential violations anonymously has to be an option. Employees who report potential violations need to receive updates and information to track their complaint. When this occurs, the compliance program must make sure that there is no retaliation and that confidentiality is maintained. An internal investigation team or teams should be established in advance to handle important issues as they arise. Punishment for violations must be consistent and meaningful. Companies should also look for the underlying causes of the violations, and improve their preventive steps based on that input.
At its core, the compliance program must include specific protocols to document every aspect of its operation. Regulators require proof, and there is nothing better for showing reasonable judgments than being able to point to contemporaneous documents.