Healthcare Compliance is Everyone’s Business: Legal, Internal Audit, Human Resources and Quality


Build relationships across risk assurance functions.

Sharon Parsley, JD, MBA, CHC, CHRC contributes a regular post on compliance officer effectiveness for the YouCompli blog. In this article she discusses relationships and collaboration with other key risk assurance functions.  

What does it really take to ensure that an organization has a mature, well-integrated, and high-performing Compliance function? In my experience, the effectiveness and perception of your compliance program directly correlate to how you build and sustain relationships with others. In a previous article, I discussed relationships with operational areas such as Nursing, Revenue Cycle, and IT. In this piece, I will focus on relationships and collaboration with other risk assurance areas.

Here are suggestions on how to effectively build relationships and collaborate with Legal, Internal Audit, Human Resources, and Quality. Every organization approaches these functions a bit differently, so you’ll want to apply your own situation to my suggestions.  


Legal

Your Legal team advises the enterprise on matters of legal and regulatory risk and, when necessary, defends the organization. The essential objective of a Compliance program is to prevent, detect, and resolve misconduct. On the surface, those have always struck me as very bright line distinctions. In reality, the lines often blur. Collaboration between your two groups is critical, but collaboration is very different from blurred lines. When the two teams don’t know what they own versus where they need to collaborate, interdepartmental cooperation and your outcomes will suffer.

Related: Jay Anstine on playing productive politics (and avoiding destructive politics)


So, what do we do about that? The first step may be having a clear, concise, enterprise-specific charter for Legal and Compliance. That charter will be unique to your organization, but it should set forth very clear expectations for cooperation between these two essential risk assurance functions. Here are some questions to consider in the charter: Do you need Legal buy-in to engage an independent subject matter expert? Can you engage outside counsel without input from your internal Legal team?  

Let me give you an example. Physician contracting is an area of considerable risk for most hospitals and health systems. As a result, role clarity is imperative. Hopefully, both Compliance and Legal are involved in your contract approval processes. Within that collaboration, who examines financial relationships to ensure conformity with self-referral and anti-kickback regulations? Who has the duty to look at aggregate compensation to ensure it is within fair market value when a provider or group has multiple contracts?  

Use topics like physician contracting to facilitate discussion about your charter. You and your colleagues in Legal should evaluate the charter periodically. When you update it, present it to your board or board committee for approval.  

I have typically found it effective to schedule a recurring meeting between Compliance and Legal leadership. Using that time to brief Legal about key Compliance issues and proposed corrective action plans has always been beneficial. It’s incredibly helpful to establish a constructive working relationship with Legal during calm times, so we can work together better when the sky is falling.  

Internal Audit

The Department of Justice (DOJ) emphasizes the importance of the relationship between Compliance and Internal Audit (IA) throughout its guidance on corporate compliance program effectiveness. Specifically, when the DOJ makes charging decisions and determines the need for monitoring, the examiners consider whether adequate control testing was done to identify areas of misconduct. 

A key question here is whether Compliance is routinely informed about material findings from IA control testing. IA often assesses what is happening in practice against what a policy or procedure says should be happening. That intersection of policy non-adherence and internal control deficiency should be of interest to Compliance. There may be instances when it makes sense for Compliance to partner with IA to develop corrective action plans to address such findings.

IA may perform operational, financial, and information technology audits enterprise wide. This team is typically charged with ensuring that financial records are fair and accurate. They also examine key processes and systems to improve productivity and efficiency. Lastly, IA may audit operating systems, databases, and IT infrastructure. 


I once worked with an IA team that completed an operational audit of research billing processes. That audit identified several material process issues. I collaborated with IA and various operational teams to develop a suitable corrective action plan (CAP). We ended up having to hold all billing for encounters involving research-related services while the CAP was implemented. We further identified overpayments and developed a plan to refund. Then we crafted a multi-phase monitoring and testing plan to ensure the CAP had addressed all the findings. The process and outcomes of this audit and CAP illustrate the close, collaborative work the DOJ wants to see when evaluating compliance program effectiveness.  

Human Resources 

Human Resources (HR) is a natural partner for Compliance. Both departments care deeply about sustaining organizational culture and shaping a climate of ethical conduct. HR very likely interfaces with every employee and contractor throughout the employment life cycle. Put in the time now to talk through how you’ll work together to help the organization hire compliance-minded employees, train them throughout their tenure, and offboard them when it’s time for them to leave. Here are some areas you can focus on in your conversations:  

  • Pre-employment screening: Who is doing your sanction checks? What happens when a possible match is identified? Who makes decisions about exceptions in the hiring process? 
  • Interviewing: How do you communicate your compliance culture in the interview process? How do you ensure you’re hiring compliance-minded people, especially at the leadership level? 
  • Compensation: How is compensation for newly employed providers determined and how is fair market value (FMV) established and documented?  
  • Onboarding: How does HR embed Compliance and Ethics in the onboarding process? Does Compliance have an opportunity to speak with every onboarded employee? How are new hires trained on the Code of Conduct and how to report concerns?
  • Training and Education: Is Compliance training embedded in ongoing training and education? How often is your training curriculum refreshed?
  • Annual reviews and compensation: How are instances of non-compliance considered in the annual review process? If a leader has ongoing compliance issues occurring within another department, does that affect that leader’s review and compensation? How is FMV considered in ongoing provider compensation? (Related: Shawn DeGroot on recent DOJ guidance for compliance-related incentives)
  • Investigations: How do you collaborate on investigations of reported concerns that apply to HR and Compliance? Who makes recommendations and decisions about disciplinary action arising from substantiated compliance violations? How are investigative materials archived? Do certain issues carry over into an employee’s HR file?  
  • Exits: How do you ensure timely cutoff of systems access? What conversations do you have with people to see how the culture affected their decision to leave? When leaders leave, how do you ensure their compliance-focused work is ready to transition to their successor? 

I worked in one organization where an IA audit found that IT systems access for exiting employees was not being terminated in a timely manner. Obviously, this was a considerable risk for that enterprise. In fact, some former employees had access to sensitive and proprietary corporate data and patient-specific information. I worked with HR, IT, and other needed stakeholders to mitigate that risk. We developed automation to disable each exiting employee’s access rights at midnight on his/her last day of employment. If IA had been operating in a vacuum or tried to solve the problem on its own, we wouldn’t have had such an elegant solution, and the risk would have remained. 


Quality

The central mission of Quality is to standardize systems and processes, so the organization delivers repeatable and efficient outcomes and the highest quality patient care. Compliance also routinely measures standardization and adherence to existing policy and process. At this fundamental level, there is tremendous synergy between the two functions.

Acute care hospitals are required to participate in the Hospital Inpatient Quality Reporting (IQR) program. Quality is typically involved in the gathering, synthesis, and reporting of those required IQR process and outcome measures. When the reporting of any quality measure directly affects how your organization delivers a high-quality patient experience and gets paid, Compliance needs to be attuned. 

Compliance can, of course, play a key role in ensuring that IQR program data is accurately reported. You can accomplish this through ongoing or periodic reviews of the processes through which Quality gathers and reports IQR measures. IQR outcomes affect governmental reimbursements, so issues identified in IQR measure reporting can result in overpayment liability.  

Care is delivered by humans. At times, things go wrong. When a care event results in patient harm, Compliance can also be a key partner to Quality and others in mitigating possible legal and reputational risks to the enterprise. Compliance can verify whether internal policies and procedures were followed. Compliance can also take steps to ensure that any necessary external reporting is accurate and timely. Lastly, Compliance can ensure that care which directly results in patient harm is not billed.  

Building and Maintaining Relationships Across Healthcare Departments 

The most successful and respected Compliance officers I know have been great at building and maintaining relationships with others. No program can be effective in a vacuum. The more you invest in learning about the top priorities of other risk assurance leaders, the more you increase your understanding of your organization. An amazing byproduct of that is that other risk assurance leaders will become ambassadors for Compliance, thus expanding your reach into all levels of the enterprise.  

Related: “Healthcare Compliance is Everybody’s Business: Clinical, Revenue Cycle, IT, Sales and Marketing – Build relationships with key clinical and operational areas” 

Sharon Parsley, JD, MBA, CHC, CHRC, is a health law attorney, compliance officer, author, speaker, investigator, and problem solver. She currently serves as the president and managing director of Quest Advisory Group, LLC. She has nearly 20 years of healthcare compliance and legal leadership experience, and she believes that mentorship and on-the-job training are critical to compliance professional success. 

How YouCompli can help

Use YouCompli to give yourself time back to focus on relationships and listening. Build a scalable, repeatable change management process to enable your team and colleagues to focus on their expertise rather than the minutiae of monitoring and reading regs.
