HHS-OIG Guidance — Chock Full of Compliance Best Practices and Strategies (Part II of III)
Board Oversight of the Compliance Program
The GCPG cross-references the US Sentencing Guidelines board responsibility requirements of the organization’s compliance program, and provides that the board shall “be knowledgeable about the contents and operation of the compliance and ethics programs and shall exercise reasonable oversight” of the program.
The board has to specifically oversee the compliance officer and the compliance committee, and “review information necessary to understand the entity’s compliance risks,” and “access to sufficient knowledge and resources to fulfill its compliance-related obligations.” To this end, the board has to oversee and support the compliance officer to ensure that he/she “has sufficient power, independence, and resources to implement, maintain, and monitor the entity’s compliance program and advise the board about the entity’s compliance operations and risk.” In particular, the board must ensure that the compliance officer’s stature is “commensurate” with other “senior leaders,” and that the compliance officer has “direct and uninhabited access to the board,” and is free to inform the board of compliance risks without “fear of personal or financial repercussions.” Further, the board must “regularly review” whether the compliance officer and program “have sufficient staff and resources for an entity of its size, complexity, and interaction with Federal health care programs.” The GCPG mandates that the compliance officer must meet with the board no less than quarterly, and provide the board with reports regarding the organization’s compliance program, activities and risks and participate in an “oral discussion” of the report with board members, and the board should reserve time after each session for an executive session without any non-board members.
As part of its oversight responsibilities, the board should monitor the performance of the Compliance Committee to ensure that it is effectively operating, reaching decisions on important issues and exercising appropriate responsibility for the operation of the compliance program. The compliance committee has to understand its critical role in supporting the organization’s compliance program and not specifically directing the activities of the compliance officer. The Compliance Committee should provide the board with regular reports on its activities. Before joining the compoliance committee
The GCPG specifically stated that the board should take “every opportunity” to communicate and reinforce its audiences and stakeholders of its commitment to compliance. Such communications should include entity leaders, personnel, individual owners, shareholders, customers, patients, payors, Federal and State governments, and the public.
Written Policies and Procedures
The GCPG cites the importance of written policies and procedures as providing a “roadmap for relevant individuals, outlining their duties within the organization, developing workflow management, imposing documentation requirements, defining individual and organizational oversight roles, and implementing controls entity-wide to mitigate compliance risks specific to the entity.”
As noted, a code of conduct and compliance policies are essential elements of any compliance program, and send an important messages as to the importance of a culture of compliance in the entity’s day-to-day operations. The GCPG assumes that the code of conduct and compliance policies should be developed under the direction and supervision of the compliance officer and “the Compliance Committee.” Further, the GCPG notes that compliance with the code of conduct and applicable policies should “be part of the performance evaluations of all employees and contractors.”
A code of conduct is an important statement of an organization’s mission, goals and ethical requirements central to its operations, and should broadly apply to directors, officers, employees, contractors, medical staff and others who work in or on behalf of the organization. The code, in combination with applicable policies and procedures, should be “regularly updated” as statutes, regulations and federal health care program requirements change.
Compliance policies and procedures should, at a minimum, address two areas: (1) implementation and operation of the entity’s compliance program and the seven elements; and (2) risk mitigation processes consistent with the entity’s specific risk profile. Some common risks in the industry include: billing; coding; sales; marketing; quality of care; patient incentives; and arrangements with physicians, other providers, vendors and other sources or recipients of health care business.
The GCPG assumes that a compliance committee should ensure that the organization has appropriate practices to ensure that the policies and procedures are kept up-to-date and communicated within the organization prior to any revisions taking effect. In evaluating the effectiveness of the company’s code, policies and procedures, the GCPG cross-references the Justice Department’s Evaluation of Corporate Compliance Programs, and HHS-OIG’s Compliance Toolkits page.
As part of this overall requirement, all organizations should have a policy and procedure for screening employees, contractors and other individuals and entities that furnish items and services for or on behalf of the organization against the LEIE and any State Medicaid program exclusion lists. The individuals responsible for this function should be designated and the process for screening and verifying potential matches as well as resolution of any red flag of exclusion or potential exclusion.
All relevant individuals in a health care organization should have access to the code of conduct and applicable policies and procedures, typically through an internal intranet site or other communications tools. Individuals who speak a foreign language must have access to translated version of the code, and written policies and procedures.
General Tips from GCPG:
- CEOs should include, at a minimum, a signed introduction in the code of conduct;
- The Board should include a signed endorsement or similar written statement to support the entity’s compliance commitment;
- Entities should review their codes when a new CEO is hired, in order to update the CEO statements, references and endorsements, and implement any new initiatives or modifications to its compliance program;
Entities should review their code, policies and procedures in accordance with a regular schedule, at least annually, to account for any changes to statutes, regulations and Federal health care program requirements.
Organizations may rely on contractor to conduct the screening requirements (e.g. staffing agency, physician group or third-party billing or coding company) but OIG recommended that entities take steps to validate that the contractor is satisfying the screening requirements by requesting and maintaining screening documentation. The health care provider is responsible for any overpayment or CMP liability for employing or contracting with an excluded entity.
Training and Education
The GCPG directs organizations to establish a multifaceted education and training program that addresses the entity’s compliance program, Federal and State standards, and board governance and oversight obligations. Each year, the compliance officer should establish a training plan that includes training topics and target audience.
An organization’s training program should incorporate any issues identified in audits and investigations. The compliance committee should review the training program at least annually. The training program has to include at least annual training for all board members, officers, employees, contractors and medical staff.
Targeted training program should be tailored to specific risks and audiences. Depending on the audience, these issues may include: billing, coding, documentation, licensing requirements, medical necessity, beneficiary inducements, gifts, interactions with physicians and other sources or recipients of referrals of Federal health care program business, and sales and marketing practices.Targeted training should also be delivered for board members. A compliance training program has to be delivered through online or in-person training and accessible to other audiences who speak foreign languages. In addition, a training program should be offered to third-party contractor employees or obtain a training waiver when the third-party has its own training program. The third-party’s failure to ensure proper training should have consequences to the contract with the health care organization, up to termination.