The Three Lines Model for Healthcare Compliance  

Implementing the Three Lines Model - Identifying and Mitigating Risks Are Shared Responsibilities

Effectively Manage Shared Responsibility

A common challenge for compliance officers in healthcare organizations is collaborating with operational leaders to identify and mitigate risks. Often, operational leaders are unaware of their roles and responsibilities in their organizations’ compliance programs.   

Implementing the Three Lines Model can help you show that identifying and mitigating risks are shared responsibilities – not Compliance’s alone. Using this model can help elevate Compliance as a strategic business partner and enable you to effectively demonstrate how Compliance delivers value to the organization. 

What is the Three Lines Model?  

A concept from the Institute of Internal Auditors (IIA), the Three Lines Model helps explain how key organizational roles work together to facilitate strong governance and risk management. It’s a tool you can use to explain to operational leaders how to identify and mitigate risk. 

The model illustrates the organization’s three lines of responsibility, which include:

  1. First line: Operational areas
  2. Second line: Compliance, or possibly General Counsel, Risk, and Quality
  3. Third line: Independent oversight – usually internal auditor or possibly objective consultants

The Three Lines Model for Healthcare Compliance, Ken Zeko, JD, Principal Advisor, Hall Render Advisory Services

The operational areas – the first line – are responsible for identifying and mitigating risks in their respective departments. They’re accountable for the identification of risks and internal controls, as well as partnering with Compliance on monitoring and complying with laws and regulations. In leading practice organizations, operational areas use the OIG’s seven-elements framework to identify a compliance liaison between the operational area and Compliance, create departmental procedures, provide departmental risk-specific training, and conduct ongoing monitoring of compliance risks.

Compliance is the second line. The Compliance Department’s role is to facilitate and help operational leaders with training, creating policies and procedures, auditing, and monitoring. General Counsel, Risk, and Quality can also serve as second-line partners.

The third line – independent oversight – can be an internal audit, or an organization can hire independent auditors. Auditors assess what the organization is doing and whether it’s being done as required, based on policy, procedure, laws, regulations, and other requirements.

To optimize operational effectiveness, it’s imperative for front-line personnel to understand what’s expected of them and to have a collaborative working relationship among these critical functions. It’s particularly helpful for healthcare systems that operate under a decentralized organizational structure – as the vast majority do.  

Everybody must help: healthcare compliance activities are not solely Compliance’s responsibilities

The model helps illustrate that compliance activities are not solely Compliance responsibilities; everybody has to help. It’s detrimental to an organization if Compliance is doing too much of the heavy lifting.  

Including the model on a PowerPoint slide, for example, allows you to walk into any operational area and say, 

“I’d like to participate in your departmental meetings. Can we talk about some of the things you do to identify compliance risks in your department, and some of the things that you do to mitigate them?”  

Often, operational leaders are already doing the first-line compliance activities. Sharing the model serves as a concrete example of how and why to do it. 

Using the model is also a coaching opportunity for explaining differences between financial, enterprise, operational, and compliance risks. Part of compliance officers’ job is explaining the various risk categories, and the model gives a framework for these discussions.  

Meld the model with additional best practices to show Compliance’s impact  

The model works best when melded with the OIG’s seven elements for compliance program effectiveness, which spell out the government’s guidance on roles and responsibilities around compliance. The seven elements complement the Three Lines Model as you work to explain and clarify roles.  

Another way to integrate the Three Lines Model is by establishing operational compliance committees. Made up of director-level individuals from operational areas, an operational compliance committee provides a venue for discussing compliance issues across the organization. It’s a working group, with individuals serving as liaisons between their respective departments and Compliance.   

All of these best practices emphasize how partnership is at the heart of delivering an effective compliance program. And it starts showing why a collaborative approach best supports the business.      

The Three Lines Model, melded with the OIG’s seven elements and operational compliance committees, drives home the importance of sharing responsibilities across the organization. Implementing these best practices can help elevate Compliance as a strategic business partner and enable you to effectively demonstrate how you add value to the organization. 

Ken Zeko, JD, CHC, Principal Advisor at Hall Render Advisory Services

An Attorney Consultant with more than 25 years of regulatory compliance experience, Ken Zeko leads Hall Render Advisory Services’ Compliance Program and Coding Compliance service lines. Ken’s national practice consists of serving as an outsourced compliance advisor and assisting clients with compliance program assessments, risk assessments, investigations, coding compliance engagements, self-disclosures, physician arrangements reviews, Independent Review Organization (IRO) engagements and Corporate Integrity Agreement-related (CIA) engagements.

Ken is Certified in Healthcare Compliance and is an active member of the Health Care Compliance Association (HCCA). He chairs the HCCA’s Southwest Regional Conference Planning Committee and serves as faculty for the HCCA Compliance Academies. Additionally, he has chaired a site-based decision-making committee at a Dallas elementary school for more than 10 years.

Ken discussed ways to earn recognition across your stakeholders as a value creator in healthcare as a speaker on the HCCA webinar “How Compliance Creates Value for the Healthcare Organization” on Nov. 29, 2022. For more insight, read the white paper “The Opportunity for Compliance to Create Value for Healthcare,” which summarizes the webinar.  
