According to the November 2023 General Compliance Program Guidance from the OIG, compliance oversight is within a Board of Directors’ (BOD) fiduciary duty of care and a “critical component of the Board’s compliance role.” Conversely, there is increased pressure from a variety of government agencies (SEC, OIG, DOJ) for boards to become active and engaged without becoming involved in operations.   Finding the right balance can be challenging. 

The board’s responsibility also includes understanding the organization’s risks. A strong process for identifying risk areas and managing the risk is one hallmark of an effective compliance program. Monitoring and auditing can pinpoint potential risk factors and the outcomes will either confirm effectiveness or identify deficiencies. The Board should ensure that the risk areas are consistently reviewed, and corrective action(s) are taken. It would be prudent for the Board to generally know or be informed of the trends in the industry that add gravity to the risk areas such as: 

• The use of data analytics and artificial intelligence, which has introduced both positive and negative consequences.  
• The complexity of laws and regulations, somewhat designed to combat fraud, can be a more lucrative form of crime.  
• The abundance of protected health information (PHI) and personal identifiable information (PII) retained in anything electronic. 
• The growth of cybersecurity data breaches, ransomware attacks, and phishing scams are costly to prevent but can be devasting when they occur. 

Everyone enterprise-wide is responsible for compliance, and the Board should encourage compliance accountability. The General Compliance Program Guidance issued by the OIG has become the topic of conversation within the compliance industry. I thought it would be interesting to obtain viewpoints from seasoned professionals in the compliance field on what they believe the BODs should consider now and in the future: 

• “The November 2023 OIG General Compliance Program Guidance document mentions compliance officers 146 times, the board 120 times and the general counsel once. The board should probably know how important the OIG thinks their compliance role is.”   

— Roy Snell, Co-Founder and Former CEO, HCCA/SCCE 

• “Compliance is more than a legalistic view of the DOJ Evaluation of Corporate Compliance Programs (ECCP) guidelines, DOJ Corporate Enforcement Policy (CEP) and the GCPC aggregation of ‘voluntary,’ ‘non-binding’ guidance. In the past many applied their inner lawyer approach to them, by hanging their hat on terms like ‘guidance,’ ‘voluntary,’ ‘non-binding,’ etc. Currently many missed the spirit of the OIG’s and DOJ’s intent for corporate and board fiduciary duties. Now they suffer the very real consequences of judgment when they have to explain how the Board or company did not consider them in their operation risks when under a review, self-report or settlement that is often raising the specter of a false claim. In the future you will not be able to ignore the spirit of the ‘four horsemen’ (ECCP, CEP, GCPC, and the Qui Tam’s sword under the False Claims Act ‘should have known/deliberate ignorance standard’) because you may be accused in judgment to have been informed of the compliance risks, knowingly ignored applying resources to them and being without the easy excuse from blinders of legalism to their requirements to you personally. Simply said, you would be a penny wise and a pound foolish to ignore them as actual requirements in the future.”  

– Brian Flood, Partner, Husch Blackwell 

• “Governance leaders need to be continuously ‘upping their game’ and expertise as regulators and other key stakeholders are increasing expectations and oversight of board performance. This includes ensuring we are looking 2-3 years ahead (same as we require of management) and being proactive in what skillsets are needed on the board to demonstrate we are meeting our fiduciary duty and have the scope and depth to ask the right questions of management. Additionally, for boards that are compensated, we need to ensure we have processes in place to both measure board effectiveness and individual performance, similar to how we measure and compensate CEOs and the C-suite.”  

–Jenny O’Brien, JD, MS, CHC, President and Principal at BlackBridge Advisors 

• “In the coming years we may see boards look to their Chief Compliance Officer (CCO) to not only provide reports around the status of the compliance program and compliance risk areas but to also serve as an advisor on a broader range of topics as part of an enterprise risk management strategy. CCOs should educate themselves and develop the skills they will need as boards lean into ensuring all risks are prioritized and managed as part of corporate decision-making processes.”  

– Cindy Matson, MBA, CHC, CHPC, Vice President, Compliance & Audit Services, Sanford Health 

• “I think a top priority for healthcare Boards of Directors is to ensure someone on the board has healthcare compliance expertise. Many healthcare boards already seek out individuals with specific areas of expertise such as financial, audit, clinical, patient safety, or some other subject matter expertise. Compliance should be added to that list. Some OIG corporate integrity agreements (CIAs) already require this. But for organizations who want to be forward-thinking instead of reactive when it comes to their compliance programs, they should proactively seek out individuals who have compliance expertise to serve on their board. Such an individual would be able to provide leadership and training in how a board should fulfill its compliance program oversight duties. Some of these duties might include engaging experts to perform periodic compliance program effectiveness reviews or approval of compliance risk assessments and annual work plans. Having someone on the board with compliance expertise would aid the board in asking the right questions of executive management and the compliance officer in regard to the compliance program.”  

– C.J. Wolf, MD, CPC, CPC-I 

• “The rapid proliferation of artificial intelligence (AI) software tools available to healthcare companies is outpacing existing regulatory frameworks, leading to both known and unknown compliance risks. Our company survey revealed that fewer than 11% of U.S. healthcare companies have an AI compliance policy or even a registry of AI-utilizing software. As the evolution of AI mirrors the fast-paced digital revolutions of the 1990s, boards of directors and management often lack a clear understanding of the associated risks. Proactive Board governance is essential to ensure that innovation is paired with rigorous oversight, in an effort to effectively mitigate future regulatory and reputational risks.”   

–Jim Rough, CFE, CHC, CCEP, President SunHawk Consulting, LLC 

• “Future Board compliance strategies rely completely on the Board understanding compliance risks and obligations. Compliance Officers should present training and reports in a manner that helps ensure Board members understand the compliance risk. Assume your organization made a self-disclosure to correct a billing issue which, if not remedied, could have been considered a false claim. Reporting the self-disclosure to the Board and providing some background on the issue is expected, but does the Board know or understand the reason the self-disclosure needed to be done versus just refunding the overpayment? Does the Board understand what the False Claims Act is and the implications of a False Claims action? Compliance Officers can better prepare the Board for future discussions about compliance strategies if the Board has received an annual refresher training on the core laws and regulations that impact the organization. To help emphasize the importance and to help guide the strategy discussion, use settlements or first-hand examples to show how the laws and regulations are being enforced or interpreted. This will help ensure compliance strategy discussions are built on a common understanding of the rules and risks.”  

–Darrell Contreras, JD, CHC-F, CHPC, CHRC, Chief Compliance Officer at Millennium Health 

• “As Compliance Programs continue to evolve and mature, Board’s commitment needs to foster a culture of integrity and be visible by the entire organization.”  

—Debbie Troklus, President, Troklus Compliance Consulting 

• “I think with the OIG’s updated General Compliance Program Guidance (GCPG), there will be an increased concern about private equity firms that are financially backing healthcare organizations. More specifically, private equity investments in healthcare can raise unique compliance challenges due to potential conflicts of interest, billing/coding, and fraud and abuse. To guard against this, I think healthcare boards will need to make sure due diligence is done before entering into any partnerships with private-equity backed firms. Also, ensuring the private equity-backed firm has a robust compliance program in place that integrates with the healthcare organization’s own compliance program. Lastly, making sure that typical compliance activities, such as auditing, monitoring, education, and training, include that relationship with a private equity-backed firm.”   

–Jay Anstine, President, Bluebird Healthlaw Partners 

• “I hope the top priority for any healthcare Board of Directors will be the well-being of their workforce and workplace! We need standardized best practices to prevent burnout, detect culture and correct toxic cultures if we want happy and healthy staff who are ethical and compliant to provide quality and safe care!”  

—Maeve O’Neill, MEd, LPC-S, CHC, CDTLF 

The role of a BODs is multi-faceted, and compliance is one program area of oversight responsibility. Regardless of whether it is paid or unpaid, serving can be both rewarding and daunting at the same time, especially if you want to do the job well and make a difference. It takes considerable time and effort to review and digest the web of information involved with decision-making, developing strategy and fulfilling oversight responsibilities.    

Whether you are new to the field or a seasoned professional, hopefully the viewpoints above offer insight that can influence your BOD’s understanding of their oversight responsibility for the compliance program. 

Shawn DeGroot, CHC-F, CCEP, CHRC, CHPC is president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment.  She served on the faculty of the HCCA Privacy Academy and served five years on Board of Directors for St. Charles Health System, Bend, OR.  Shawn’s area of expertise is also Corporate Integrity Agreements to include experience in seven CIA’s with the first CIA pertaining to Stark and Anti-kickback.  She also is a past president of HCCA/SCCE and serves on an advisory group to the HCCA/SCCE Board of Directors. 

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts  

Never miss an article by Shawn DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.   

The post Experts Weigh In: The Oversight Role of a Healthcare Board of Directors  first appeared on YouCompli.

In the complex world of healthcare, compliance with federal, state and international regulations is not just a moral and ethical responsibility—it’s a financial one.  The cost of non-compliance in healthcare can be staggering, with fines, penalties, legal fees, and reputation damage all posing significant risks to healthcare providers. This blog delves into the real cost of non-compliance, highlighting notable examples of fines and penalties while underscoring the importance of robust compliance programs.  

Financial Repercussions  

A myriad of regulations exists in healthcare, including those related to patient privacy (HIPAA), billing practices (Medicare and Medicaid), and data security. Non-compliance can lead to audits, investigations, settlement agreements, and ultimately hefty fines – and those are just some of the tangible costs we can quantify. The cost of non-compliance is sometimes a forgotten topic when finalizing the organization’s budget.  

• HIPAA Violations: One of the most publicized areas of healthcare compliance is the protection of patient information under the Health Insurance Portability and Accountability Act (HIPAA).  Violations can result from inadequate training, employee negligence, and ever-pervasive cybersecurity issues. The gravity of cybersecurity cannot be overstated, as the issues pose significant risks to patient safety, privacy, and integrity of the healthcare system. Breaches can lead to fines and legal challenges, not to mention the erosion of patient trust.  

In the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for CY2022, the Department of Health and Human Services (HHS) reported a significant increase in HIPAA complaints (17% increase from 2018 to 2022) and large breaches (107% increase from 2018 to 2022). The HHS Office of Civil Rights (OCR) completed 846 compliance reviews and required the entities to take corrective action and/or pay civil monetary penalties that totaled $2,425,640 in 674 of the investigations. Covered entities and business associates are not always prepared for compliance reviews that are brought to the OCR’s attention. The cost of an imposed resolution agreement may result in compliance program improvements but can be operationally disruptive.  

• Medicare and Medicaid Fraud: Billing fraud is another area where non-compliance costs can skyrocket. In 2020, Novartis Pharmaceuticals Corp. agreed to pay $678 million to settle a lawsuit that accused the company of paying kickbacks to doctors to induce them to prescribe its drugs. This suit was brought under the Anti-Kickback Statute, a criminal law originally enacted in 1972 and amended and expanded several times since its inception.   

Several organizations have also been issued Corporate Integrity Agreements (CIA) for violations of this statute. Benchmarking your compliance program to the CIA is an excellent exercise and can be used as a means for identifying risks and making program enhancements.  

One of the Seven Elements of Effective Compliance Programs is auditing and monitoring. Auditing contracts for high-risk areas such as items related to the Stark Act and Anti-Kickback Statute can assist with preventing improprieties. A compliance workplan should include the continuous review of physician and/or medical director contracts based on risk, adherence of policies to the contracts, a review of financial payment to the contracts, and all associated documentation to support payment.    

• Quality of Care Violations: Non-compliance related to the quality of care can also lead to significant penalties. For instance, in 2019, a skilled nursing facility chain was fined $3.5 million for not meeting certain federal standards of care, which directly impacted patient health outcomes. The adage, “If it wasn’t documented, it wasn’t done,” not only can lead to financial consequences for billing but truly impacts the care of the patient.     

In February 2024, a settlement agreement of $25.5 million was reached with Lincare for fraudulent billing practices that also impacted the quality of services to patients. Essentially, monthly claims for payment of respiratory equipment were submitted to the federal health care program that were not medically necessary or the beneficiary had stopped using the device.    

Beyond the Fines  

What are the intangible costs of non-compliance? Here are some of them:  

• Reputation Damage: Publicized violations can erode patient trust, potentially leading to a loss of business. Restoring a tarnished reputation can take years – if not decades – and significant investment.  Violating an individual’s right to privacy can impact a community’s trust and confidence in the organization and its leadership. Reputational damage may also negatively impact:  
  • Employee morale  
  • Recruitment of specialty physicians and quality leadership  
  • Philanthropic giving  
• Operational Disruption: Addressing compliance issues can divert resources from patient care and other operational priorities, impacting the organization’s overall performance. Responding to an initial inquiry or reported incident on a compliance matter can consume countless hours investigating; however, ignoring a matter may result in whistleblower action, retroactive audits, data analysis, and/or legal and compliance review that will deplete more resources quickly over a greater length of time. It is best to prevent, detect, and deter.  
• Increased Scrutiny: Once an organization faces penalties for non-compliance, it may come under increased scrutiny from other agencies and regulators, leading to more audits and inspections.  The social media trajectory has created a new level of exposure for all organizations.  
• Insurance Costs: Non-compliance can lead to higher insurance premiums, as insurers assess the organization as a higher risk. This is particularly the case since the advent of cybersecurity breaches of patient information.  

Building a Culture of Compliance  

Key strategies for building and maintaining a robust compliance program include:  

• Ongoing Training: Ensure that all employees understand the relevant regulations and their roles in maintaining compliance. Most important is to emphasize the duty to report a concern or issue. One of the purposes of reporting is to prevent, detect, and deter to give the organization an opportunity to correct an impropriety before the problem becomes systemic and repeated.    
• Targeted training is important for patient registration to obtain accurate data and information from the first point of entry.  
• Specialized training should be given around health information management, regarding documentation requirements and orders that support the service to be delivered.  
• Educate revenue cycle staff to understand payor reimbursement, fee schedules, national coverage decisions, local coverage decisions, denials, and the “why” behind the denial and the circle of services provided to right reimbursement.  
• Train for utilization review and quality to understand the intersection of compliance and quality providing examples from settlement agreements and more.  
• Risk Assessments: Conduct regular assessments to identify and mitigate risks of non-compliance. This establishes a framework for improvement.    
• Policies and Procedures: Develop clear, accessible policies and procedures that align with all applicable state and federal regulations. Then, monitor adherence to the policies to reduce risk to the organization. 
• Compliance Officer: Your organization’s Compliance Officer should be a part of senior management. This sends a clear message throughout the organization, lends credibility to the compliance program itself (internally and externally) and makes it more likely that employees will take compliance seriously.   
• Reporting Mechanisms: Implement confidential reporting mechanisms for employees to report potential compliance issues. The emphasis here is not just one mechanism, but several.  Transparency and the ability to voice concerns without retribution are crucial to the success of establishing a healthy culture.  

The cost of non-compliance in healthcare extends far beyond fines and penalties. It encompasses legal fees, reputational damage, operational disruptions, and more. Investing in compliance is not just a legal obligation—it is a critical component of a healthcare organization’s operational excellence and commitment to patient care.  

Shawn DeGroot CHC-F, CCEP, CHRC, CCPC is president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment.  She served on the faculty of the HCCA Privacy Academy and served five years on Board of Directors for St. Charles Health System, Bend, OR.  Shawn’s area of expertise is also Corporate Integrity Agreements to include experience in seven CIA’s with the first CIA pertaining to Stark and Anti-kickback.  She also is a past president of HCCA/SCCE and serves on an advisory group to the HCCA/SCCE Board of Directors. 

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts 

Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.

The post The Cost of Non-Compliance  first appeared on YouCompli.

Last month, the Office of Inspector General (OIG) published a new, user-friendly, 91-page General Compliance Program Guidance (GCPG). It is meant to be a helpful reference for everyone in the health care industry about how to develop a compliance program, safeguard their organizations and ensure they operate according to all laws and regulations. Users are encouraged to use the electronic version, to allow access to hyperlinked definitions and resource documents.  

Previous versions are archived on the OIG website and will no longer be published in the Federal Register. Also, industry segment specific guidance (ICPGs) will be developed for sectors of federal health care programs.  

Throughout the GCPG, helpful revisions and clarity are provided to a few areas that have proven problematic over the years. Here are a few areas I think are especially noteworthy:  

• Arrangements (page 10): The GCPG provides a brief overview of pertinent laws and a list of “key questions” to assist with the determination of whether an arrangement violates the federal anti-kickback statute. 
• Exclusions (page 26): OIG recommends that any entity participating in the federal Medicaid program should check the state Medicaid program exclusion list for each applicable state. Each state has strengths, weaknesses, and a high degree of variation with the knowledge and access of exclusion databases, creating a cumbersome process to validate Medicaid exclusionary status.  
• HIPAA Privacy and Security Rules (page 30): In bold print, the OIG recommends that compliance with Privacy, Security and Breach Notification Rule requirements be included in ALL risk assessments. 
• Relevant Individual (page 36): The OIG wisely introduces this new term and includes employees, contractors, patients, customers, agency staff, medical staff, subcontractors, agents, and other key individuals as relevant. These people should at least receive new and/or revised policies and procedures before they are implemented. 
• Compliance Officer (page 38): The OIG clarifies that compliance officers “have sufficient stature within the entity to interact as an equal of other senior leaders of the entity.” The OIG does not provide a sample organizational chart or team structure, but it does position compliance officers as essential to the development and implementation of strategic initiatives. The OIG also writes: 

“The Compliance Officer’s primary responsibilities should include advising the CEO, board, and other senior leaders on compliance risks facing the entity, compliance risks related to strategic and operational decisions of the entity, and the operation of the entity’s compliance program.” 

• Relationship to Legal (page 39): The OIG attempts to settle a long-standing debate regarding the roles of compliance and legal. In organizations where compliance reports to legal, conflicts of interest exist and can create barriers that lead to timing and resource inefficiencies. Effective communication and collaboration between compliance and legal is the key to a successful outcome. The OIG writes:    

“The compliance officer should not lead or report to the entity’s legal or financial function, and should not provide the entity with legal or financial advice or supervise anyone who does.” 

• Compliance Committee (page 40): The OIG provides a detailed list of the Compliance Committee’s primary duties. This includes guidance on the members, roles direct responsibility for active participation. For the first time, the OIG suggests that an individual’s participation should be included in considerations about their overall performance and compensation. The OIG also provides a list of indicators for committee success – including that boards should oversee the Compliance Committee and receive regular reports on attendance by members.  
• Board Responsibilities (page 43): the OIG reiterates the need for the compliance officer to be sufficiently empowered commensurate with their responsibilities and in line with other senior leaders. A quote highlighted on page 44 states, “the board should also ensure that the compliance officer has direct and uninhibited access to the board at any time.” While this could create awkward situations for compliance officers and CEOs or other senior managers, this approach has become a best practice because it is effective and promotes transparency. 
• Training (page 46): The OIG recommends that compliance committees ensure training is available in several languages and in various formats. The training plan should be reviewed at least annually by the compliance committee to ensure the content is current and contains information on issues identified through auditing and monitoring. The OIG also suggests that organizations’ audiences can ask questions.  
• Effective Lines of Communication (page 50): The GCPG clarifies that compliance officers are responsible for reported concerns – but that issues may be referred to human resources, legal, or other departments. The OIG writes: “The compliance officer should remain involved in all health care compliance investigations in which counsel takes the lead.” This clarity is especially important for investigations. 

• Large and Small Entities (page 65): There is a specific section in the GCPG on adaptations for small and large entities.  

In small entities: 

• The compliance contact should not have any responsibility for the performance or supervision of legal. If possible, they should not be involved with billing, coding, or submission of claims. 
• In the absence of a hotline or formal disclosure, small entities should have policies and procedures to establish good-faith reporting of compliance issues and prohibit retaliation. 
• Regarding exclusions, an individual or entity or an employee with an invalid license can have a significant negative impact on a small entity. Monitoring compliance in this area should be performed to reduce risk for small entities. 

In large entities:   

• The OIG repeats the need for compliance officers to report directly to the board to send a message and establish the proper tone for all relevant individuals.  
• For the first time, the OIG says that exceptionally large organizations controlled by an international parent organization need to have sufficient information about applicable law. 

• Quality and Safety (page 76): In the last section of the GCPG, the OIG suggests that entities should incorporate quality and patient safety oversight into their compliance programs. Risks exist associated with financial incentives and discrimination against more costly patients. It says that compliance officers should include these areas in risk assessments. A new term introduced is “new entrants,” on page 78. The term references technology companies, new investors, and non-traditional service providers in health care settings that may not be aware of the health care industry regulations. To identify and prevent fraud and abuse risks in a complex health care environment, compliance officers should simply follow the money.   

As the compliance industry evolves, the OIG is right on track again. The new GCPG provides more useful tools that address multiple aspects of an effective compliance program. The GCPG should be used to establish a compliance program, clarify roles and responsibilities, identify risks, and align current policies and procedures with what should be done.   

Shawn DeGroot CHC-F, CCEP, CHRC, CCPC serves on the advisory board for YouCompli. She is also president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. Previously she served as president of the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE).

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts 

Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.

The post Key Takeaways from OIG’s New General Compliance Program Guidance (GCPG)  first appeared on YouCompli.

“As previous OIG compliance guidance(s) are retired to ‘archival’ status, we all should recognize that the original guidance may have been the most important document ever written for healthcare compliance professionals.” — Roy Snell 

In 1998, the Office of Inspector General (OIG) issued its first General Compliance Program Guidance (GCPG). Since then, compliance officers have used it to understand how to develop a compliance program, safeguard their organizations, and ensure they operate according to all laws and regulations. 

This month, OIG published a new, user-friendly, 91-page GCPG. Like the original, it is nonbinding and voluntary – it’s meant to be a helpful reference for all individuals and entities involved in the healthcare industry. Users are encouraged to use the electronic version, to allow access to hyperlinked definitions and resource documents. Previous versions have been archived on the OIG website, and will no longer be published in the Federal Register. Also, industry segment specific guidances (ICPGs) will be developed relating to particular sectors of federal healthcare programs.  

Throughout the GCPG, helpful revisions and clarity are provided to a few areas that have proven problematic over the years. Here are a few areas I think are especially noteworthy:  

• Arrangements (page 10): The GCPG provides a brief overview of pertinent laws and a list of “key questions” to assist with the determination of whether or not an arrangement violates the federal anti-kickback statute. 
• Exclusions (page 26): OIG recommends that any entity participating in Medicaid should check the state Medicaid program exclusion list for each applicable state. Each state has strengths, weaknesses, and a high degree of variation with the knowledge and access of exclusion databases, creating a cumbersome process to validate Medicaid exclusionary status.  
• HIPAA Privacy and Security Rules (page 30): In bold print, the OIG recommends that compliance with Privacy, Security and Breach Notification Rule requirements be included in ALL risk assessments. 
• Relevant Individual (page 36): The OIG wisely introduces this new term and includes employees, contractors, patients, customers, agency staff, medical staff, subcontractors, agents, and other key individuals as relevant. These are people that should at least receive new and/or revised policies and procedures before they are implemented. 
• Compliance Officer (page 38): The OIG clarifies that compliance officers “have sufficient stature within the entity to interact as an equal of other senior leaders of the entity.” The OIG does not provide a sample organizational chart or team structure, but it does position the compliance officers as essential to the development and implementation of strategic initiatives. The OIG also writes: 

“The Compliance Officer’s primary responsibilities should include advising the CEO, Board, and other senior leaders on compliance risks facing the entity, compliance risks related to strategic and operational decisions of the entity, and the operation of the entity’s compliance program.” 

• Relationship to Legal (page 39): The OIG attempts to settle a long-standing debate regarding the roles of compliance and legal. In organizations where compliance reports to legal, conflicts of interest exist and can create barriers that lead to timing and resource inefficiencies. Effective communication and collaboration between compliance and legal is the key to a successful outcome.  The OIG writes:    

“The compliance officer should not lead or report to the entity’s legal or financial function, and should not provide the entity with legal or financial advice or supervise anyone who does.” 

• Compliance Committee (page 40): The OIG provides a detailed list of the Compliance Committee’s primary duties. This includes guidance on members, roles, and direct responsibility for active participation. For the first time, the OIG suggests that an individual’s participation should be included in considerations about their overall performance and compensation. The OIG also provides a list of indicators for committee success – including that Boards should oversee the Compliance Committee and receive regular reports on attendance by members.  
• Board Responsibilities (page 43): The OIG reiterates the need for the compliance officer to be sufficiently empowered commensurate with their responsibilities and in line with other senior leaders. A quote highlighted on page 44 states, “The Board should also ensure that the compliance officer has direct and uninhibited access to the Board at any time.” While this could create awkward situations for compliance officers and CEOs or other senior managers, this approach has become a best practice because it’s effective and promotes transparency. 

• Training (page 46): The OIG recommends that compliance committees ensure training is available in several languages and in various formats. The training plan should be reviewed at least annually by the compliance committee to ensure the content is current and contains information on issues identified through auditing and monitoring. The OIG also suggests that organizations’ audiences have the ability to ask questions.   
• Effective Lines of Communication (page 50): The GCPG clarifies that compliance officers are responsible for reported concerns – but that issues may be referred to human resources, legal, or other departments. The OIG writes: “The compliance officer should remain involved in all healthcare compliance investigations in which counsel takes the lead.” This clarity is especially important for investigations. 
• Large and Small Entities (page 65): There’s a specific section in the GCPG on adaptations for small and large entities.  

In small entities: 

• The compliance contact should not have any responsibility for the performance or supervision of legal. If possible, they should not be involved with billing, coding, or submission of claims.   
• In absence of a hotline or formal disclosure, small entities should have policies and procedures to establish good-faith reporting of compliance issues and prohibit retaliation.   
• Regarding exclusions, an individual or entity or an employee with an invalid license can have a significant negative impact on a small entity. Monitoring compliance in this area should be performed to reduce risk for small entities. 

In large entities:   

• The OIG repeats the need for compliance officers to report directly to the Board, in order to send a message and establish the proper tone for all relevant individuals.  
• For the first time, the OIG says that very large organizations controlled by an international parent organization need to have sufficient information about applicable law. 

• Quality and Safety (page76): In the final section of the GCPG, the OIG suggests that entities should incorporate quality and patient safety oversight into their compliance programs. Risks exist associated with financial incentives and discriminating against more costly patients. It says that compliance officers should include these areas in risk assessments. A new term introduced on page 78, is “new entrants.” The term references technology companies, new investors, and non-traditional service providers in healthcare settings that may not be aware of the healthcare industry regulations. To identify and prevent fraud and abuse risks in a complex healthcare environment, compliance officers should simply follow the money.   

As the compliance industry evolves, the OIG appears to be right on track again. The new GCPG provides more useful tools that address multiple aspects of an effective compliance program. The GCPG should be used to establish a compliance program, clarify roles and responsibilities, identify risks, and align current policies and procedures with what should be done.  

Shawn DeGroot CHC-F, CCEP, CHRC, CCPC serves on the advisory board for YouCompli. She is also president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. Previously she served as president of the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE).

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management   

Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.  

Get the latest from healthcare compliance experts 

Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.

The post Key Takeaways from OIG’s New General Compliance Program Guidance (GCPG)  first appeared on YouCompli.

Proactive relationships protect patient rights 

Healthcare organizations often contract with third parties to handle work they are unable to perform themselves. That work often involves protected health information (PHI). This article considers the government’s increasing interest in patient rights in relationship to covered entities or business associates and what proactive compliance officers can do to fulfill those obligations through effective monitoring. Steps for compliance officers include prioritizing the agreements based on risk, establishing channels of communication, and collaborating on a risk analysis. 

Agreements between covered entities and business associates 

Due to the abundance of agreements, covered entities generally develop a template for all business associate agreements with the position that the content cannot be edited by the business associate.  

A template business associate agreement generally addresses definitions, obligations of the business associate, obligations of the covered entity, terms and miscellaneous provisions. The variables are in the details. Business associates are commonly under a multitude of templated agreements from different covered entities. These agreements contain different timelines that add complexity and risk, especially if the business associate does not have an effective compliance program. For example:  

• Breach notifications vary from “immediately” or the number of business days identified as 5 (five), ten (10) or more. 
• Response time to a request from the covered entity for an amendment, access, accounting of disclosures or a restriction also vary.  
• Definitions and policies from the covered entities vary. 
• Outdated business associate agreements sometimes lack contact information or a hotline number for reporting.  

Changing requirements 

Under the original Privacy Rule, HIPAA business associate responsibilities and liabilities for PHI were based purely on the contractual responsibilities of the covered entity. Covered entities were required to include specific provisions in agreements for business associates to safeguard PHI. Although the Rule did not prohibit the covered entity from requiring the business associate to receive and/or address requests regarding patient rights, few agreements contained language specific to patient right provisions. 

In 2013, the HIPAA Omnibus Rule made the business associate subject to the HIPAA Security and Enforcement Rules and parts of the HIPAA Privacy and Breach Notification Rules. The industry flurried with new agreements and addendums that escalated accountability for the business associates. However, frequently the template did not include specific language addressing each of the patient right provisions. 

Fast forward to 2023: covered entities are adding language specific to the time-sensitive patient rights within the business associate agreements: 

• 45 CFR § 164.502 Use and disclosure to include following “minimum necessary” standards. 
• 45 CFR § 164.524 Patient right access to inspect and receive a copy of their PHI in a designated record set 
• 45 CFR § 164.526 Patient right to amend protected health information in a designated record set 
• 45 CFR § 164.528 Patient right to receive an accounting of disclosures. 
• 45 CFR § 164.522 Patient right to restrict disclosures and request confidential communication.  
• 45 CFR § 164.410 Patient right to be notified of a HIPAA breach. 

What is prompting the focus on patient rights?  

The increased focus is due largely to increased enforcement action against covered entities due to violations of patient rights. In the Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021, there are 15 Resolution Agreements listed with 13 due to violations of patient’s right to access. One physician office received a Civil Monetary Penalty of $100,000 for violating the provision of patient’s right to access. Resolutions agreements are the result of an investigation by the Office of Civil Rights (OCR). When investigating a breach reported by a covered entity, the OCR may learn that the breach was caused by the covered entity’s business associate and may therefore open a compliance review of the business associate. Both parties bear financial and reputational risk with the outcome. The compliance program effectiveness for both parties will be scrutinized. 

Challenges with using one template business associate agreement 

One can understand the ease of using one standard template for business associate agreements. It simplifies the negotiation and the content is consistent.

However, while a template agreement functions well for most business associates involved with the use and disclosure of PHI, one size does not fit all.

That’s partially due to the fact that not all business associates maintain a designated record set.  

With limited exceptions, a covered entity is required to provide an individual access to his or her PHI in a designated record set. This includes PHI held by a business associate unless the business associate merely duplicates information maintained by the covered entity. A designated record set includes medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Patients have the right to access, inspect, and receive a copy of their PHI in a designated record set. Patients also have the right to amend PHI in a designated record set. While covered entities may follow common principles when defining the designated record set, each covered entity may have varying elements of what is, or is not, included in a designated record set. Unless the covered entity shares their policy with the business associate, the information requested by the covered entity and produced by the business associate may not align.  

Steps for Proactive Healthcare Compliance Officers 

1. Prioritize monitoring business associates by risk 

The scope of work in the business associate agreement may be unique on both ends of the risk spectrum. Business associates that host data pose a greater risk due to cybersecurity issues and the level of scrutiny should be commensurate with the risk. Conversely a third party with a limited scope of work and access to perform a targeted billing audit could be rated at a lower risk. There may also be third parties that are required to retain legacy data as required by the agreement. Assess and prioritize business associates by risk categories for effective monitoring.  

For those business associates identified as high risk, it would be prudent to request a copy of their codes of conduct and pertinent policies (IT Security, Breach Notification, etc.) If the business associate cannot produce the documents, that may signal an ineffective compliance program. Dedicate time to look closer at this business associate and its ability to safeguard protected health information prior to learning the lack of controls when a breach occurs.  

2. Communicate with Business Associate Compliance Teams 

The sophistication of compliance programs may contrast dramatically between third parties; therefore, if you, as the covered entity, truly desire a collaborative approach, ask for (all or high risk) business associates to notify you when a privacy incident (disclosure) arises that may or may not be a breach. The covered entity and business associate may not always agree with the risk analysis performed by either party. The discussion about the privacy incident (disclosure) facts are so important prior to a conclusion. If the business associate is only reporting a breach (as specified in many agreements), the business associate is performing the risk analysis independently. If the business associate compliance program is effective, there shouldn’t be an issue. However, if not, the covered entity may learn a year or two later that an individual filed a complaint regarding an incident. This business associate determined the disclosure wasn’t a breach, and in this example, this created a risky situation for a covered entity.  As noted in the Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021, between 2017 and 2021, the number of complaints received by the OCR increased by 39%. The number of compliance reviews initiated by the OCR increased by 44%.  

It has been my experience that most business associates welcome the collaboration with a covered entity. Both learn aspects of their business from each other as well as develop confidence with their respective compliance programs. It has been my experience that notification by the business associate to the covered entity that an incident(s) occurred resulted in accurate risk analysis, effective notification and survived the scrutiny of state and federal investigations without adverse consequences.  

3. Create a Tool to Collaborate on Disclosures  

Both covered entities and business associates should have a list of their agreements and know which involve PHI. The list could include, but is not limited to, the following: 

• Name: company name and individual stakeholder for covered entity and business associate (contract signature). 
• Contact: Phone number and/or email of compliance department for reporting. 
• Risk Rating: Assess the type, quantity as well as frequency of the data use to prioritize attention to that agreement and collaborate with the respective compliance team. 
• Reporting Disclosures: (submitted to covered entity or received from business associate) with subfields for details such number of individuals involved, risk analysis, corrective action, outcome, notifications, etc. 
• Policies: List pertinent policies obtained that would assist with patient rights, breach notification, designated record set, minimum necessary, remote access etc. 
• Exclusion check: Date of verification. 
• Reporting Dates:  

Invest in Communication and Collaboration for Effective Healthcare Compliance 

It is best to build a relationship between the covered entity and the business associate compliance departments proactively. Yes, initially this process requires a time commitment to communicate, collaborate and document reporting expectations. However, the benefit of proactive action at the beginning will reduce risk and save an immense amount of time when managing a breach.  

We live in a world where hacking an electronic data system is no longer “if” but “when.” As compliance professionals we know that investment on the front end is always the preferred approach to maintain an effective compliance program. Prioritizing the agreements based on risk, establishing channels of communication and collaborating on a risk analysis are all proactive measures. As William Shakespeare stated, “Better three hours too soon than a minute too late.”  

Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management

Our in-house team works tirelessly to monitor US regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm.  

Get the latest from healthcare compliance experts 

Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.  

Shawn DeGroot

Shawn DeGroot CHC-F, CCEP, CHRC, CCPC serves on the advisory board for YouCompli. She is also president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. Previously she served as president of the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE).

The post Complexities of Covered Entities and Business Associates  first appeared on YouCompli.

Incentives, Compensation Structures, and Consequence Management for Healthcare Compliance

A new document from the Department of Justice (DOJ) will give you reason to revisit some of your healthcare compliance benchmarks.

Deputy Attorney General Lisa Monaco recently delivered remarks to the American Bar Association on corporate crime. She also introduced a concept of promoting compliance through compensation clawback programs, consequence management and more.  

This article will focus on two of the topics she addressed in the DOJ Evaluation of Corporate Compliance Programs (ECCP) released in March.  These topics are incentives within healthcare compliance as well as compensation structure and consequence management. The article will also look at ways to partner with Human Resources to implement the additional expectations in the ECCP.  

Healthcare compliance officers previously benchmarked the 2020 DOJ ECCP’s document in an effort to assess their Compliance Program with the expectations of the DOJ. It would be prudent to conduct the same exercise now with the 2023 EECP document.  

Incentives Within Healthcare Compliance

The new guidance released by the DOJ elevates the importance of compliance incentives far beyond the common approach of providing pens, pizza parties and logo-wear. Historically, securing a budget for compliance incentives was not always viewed as a high priority, dismissed as unnecessary and easily eliminated. The updated ECCP creates an unprecedented tone to hardwire salary, compensation, promotions, and dismissals directly to the incentives. These steps are an effort to elevate the level of compliance effectiveness. While the intent is understood, practical application of this guidance for employment contracts, unions, and recruitment may be challenging. State law, employment law, and unions (where applicable) will be factors in establishing clawbacks, promotions and dismissals for compliance-related matters. 

Compensation Structures and Consequence Management

The June 2020 ECCP guidance that referenced “Incentives and Disciplinary Measures” was replaced with “Compensation Structures and Consequence Management.” This includes a specific bulleted paragraph on “Financial Incentive System.” The updated DOJ Evaluation of Corporate Compliance Programs (ECCP) states, “the design and implementation of compensation schemes play an important role in fostering a compliance culture. Prosecutors may consider whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies.”  

Within the Compensation Structures and Consequence Management, prosecutors are to consider the following four factors:

1. Human Resources (HR) Process
2. Disciplinary Measurers
3. Consistent Application
4. Financial Incentive System

An example is provided in the Human Resources Process section that pertains to transparency with the terms of an executive that exited due to a compliance violation. The question is raised whether the reason for discipline due to a compliance violation was communicated to all employees and if not, why not? The sensitivity surrounding the circumstances of an executive’s departure could be multi-faceted and may create complexity with an attempt to be transparent to employees. Either way, establishing clarity upfront with the compensation nuances regarding recoupment and clawbacks in employee handbooks, policies, and employee documents will be necessary. Consequence management is definitely a more sophisticated term that encompasses disciplinary action as well as targets middle and upper management accountability.

Disciplinary Measures now includes a reference to recoup compensation for misconduct. The expectation is that policies and practices are to be in place to put employees on notice that they will not benefit from misconduct.

Consistent Application was included in the previous DOJ 2020 version and in 2023 language was added that the measures be applied to all units, geographies, and levels of the organization.

The fourth area pertains to Financial Incentive System. The question is raised as to what role the compliance function has when it comes to awarding financial incentives for senior levels of the organization.  Questions are raised on the establishment of ethical business objectives and recouping compensation that was paid when there has been misconduct.  Compliance input on financial incentives for senior executives and recoupment for misconduct would be awkward, at best, if the compliance function is not at the same level in the organization. Fortunately, that dynamic will not be an issue for organizations with a healthy culture.

Partner with Human Resources

Implementation of the additional expectations outlined in the ECCP will require commitment from the leadership specifically to apply “consistency” with practice.  Due to the fact that several of the incentives are directly within the scope of human resources, it would be prudent to partner early in the process to brainstorm about an efficient and effective approach.

Risk Analysis

Predominantly, the responsibilities are within the purview of compliance. It is very important that the CEO is apprised and understands the key concepts. Performing a risk analysis of current status with the updated DOJ guidance would be the next step. Suggested questions for consideration in performing a risk analysis on the compensation and consequence management components are as follows:

1. Who (which areas of expertise) in your organization should be at the table?
   • Consider partnering with HR to develop the team.
   • Consider IT, risk, marketing, operations, and/or others based on the size of your organization.
   • Consider consulting legal to establish a platform for misconduct financial penalties and more.
2. Are the substantiated compliance-related allegations tracked across the levels, departments, and geographical units of the organization?
   • Compliance tracking systems are available via third party vendors.
   • Developing compliance tracking internally may save financially on the front end but costs as much, if not more, long-term due to the time required for development and maintenance.
3. Has a tracking system/spreadsheet been established to demonstrate consistent disciplinary action?
   • Consider automated tracking of disciplinary action for monitoring consistency with compliance events.
   • It is important to note that not ALL disciplinary actions are to be shared with Compliance, only those pertinent to Compliance.
4. Is the effectiveness of an investigation and consequence management measured?
5. Is the time to complete an investigation tracked and monitored?
   • This practice can demonstrate competence, cooperation and identify hurdles that are preventing closure to an investigation.
   • The data could be shared with the compliance committee and is a measure of accountability for the compliance team.
6. Is the compensation system tied to conduct to support the company values and policies?
7. Are there financial penalties for misconduct?
8. Is recoupment and/or reduction of compensation imposed due to compliance violations?
9. Do policies and/or practices exist to put employees on notice that they will not benefit from misconduct?
10. Is compliance a means for career advancement?
11. Do metrics exist for compliance that are directly related to management bonuses and/or other compensation?
12. What role does the Compliance team have in designing and/or awarding financial incentives at the senior levels of the organization? 

Risk Management

The questions and analysis above must also align with company policy and applicable laws. A summary of the key elements and/or changes may be beneficial for multiple levels of the organization as well as assist with communication to the CEO and executive management. Once the risk analysis is complete, then the following steps could be taken:

1. Create a checklist with the results of the risk analysis.
   • The checklist results can be prioritized into low, medium, and high risk.
   • Target and address the high-risk areas identified.
2. Assess deficiencies, risk tolerance, and areas in need of improvement. 
3. Consult with legal counsel on matters involving employment expectations, contracts, and employee onboarding documents.
4. Educate the board on key highlights of the DOJ’s ECCP.
   • Recitation of a regulation is burdensome to a board.
   • Create an analogy that would be applicable to a community non-healthcare business that board members could easily understand and relate to. 
   • Summarize the key additions to the ECCP into an action plan for compliance.
5. Monitor consistent application of modified policies and/or processes with compensation and disciplinary action.

These steps will help you manage risk throughout this process.

2023 EECP: Actions for Healthcare Compliance

This new memo from the Department of Justice creates opportunities for Compliance to influence and add value in areas in which we have traditionally been less involved. It’s important to note, though, that incentives directly tied to compensation are very personal. Organizations with compensation clawbacks and recoupment for violations of misconduct may initially cause alarm. Your transparency upfront may cause pushback and impact recruitment on some level. However, pushback may be an indication of the character of an individual the organization is recruiting. Hesitancy may be in order. 

Compliance departments that have been relying on the 2020 ECCP document will want to undertake a new benchmarking exercise with this new memo. The good news is that while consequence management is new for compliance programs, the application of disciplinary action and data relating to disciplinary actions to measure effectiveness is not new. You can use your experience with that application to apply the guidance in the 2023 ECCP document.

Compliance effectiveness reviews sometimes reveal inconsistent application of policies, practices, and disciplinary action. This should be concerning to compliance teams, because it appears that the DOJ is concerned as well. 

Subscribe to weekly emails from YouCompli to make sure you get our expert articles

We never sell or share your contact information.

Shawn DeGroot

Shawn DeGroot CHC-F, CCEP, CHRC, CCPC serves on the advisory board for YouCompli. She is also president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. Previously she served as president of the Health Care Compliance Association (HCCA) and the Society of Corporate Compliance and Ethics (SCCE).

Manage your healthcare regulatory change process effectively and efficiently

YouCompli enables the compliance officers to assign ownership and oversight of tasks to different department heads, functional leaders, or specialists. The solution prompts users to accept, reject, or reassign the task by a stated deadline. Manage the rollout and accountability of new requirements with the best workflow in the business.

The post New DOJ Guidance on Compliance Programs Released March 2023 first appeared on YouCompli.