According to the November 2023 General Compliance Program Guidance from the OIG, compliance oversight is within a Board of Directors’ (BOD) fiduciary duty of care and a “critical component of the Board’s compliance role.” Conversely, there is increased pressure from a variety of government agencies (SEC, OIG, DOJ) for boards to become active and engaged without becoming involved in operations. Finding the right balance can be challenging.
The board’s responsibility also includes understanding the organization’s risks. A strong process for identifying risk areas and managing the risk is one hallmark of an effective compliance program. Monitoring and auditing can pinpoint potential risk factors and the outcomes will either confirm effectiveness or identify deficiencies. The Board should ensure that the risk areas are consistently reviewed, and corrective action(s) are taken. It would be prudent for the Board to generally know or be informed of the trends in the industry that add gravity to the risk areas such as:
- The use of data analytics and artificial intelligence, which has introduced both positive and negative consequences.
- The complexity of laws and regulations, somewhat designed to combat fraud, can be a more lucrative form of crime.
- The abundance of protected health information (PHI) and personally identifiable information (PII) retained in anything electronic.
- The growth of cybersecurity data breaches, ransomware attacks, and phishing scams, which are costly to prevent but can be devastating when they occur.
Everyone enterprise-wide is responsible for compliance, and the Board should encourage compliance accountability. The General Compliance Program Guidance issued by the OIG has become the topic of conversation within the compliance industry. I thought it would be interesting to obtain viewpoints from seasoned professionals in the compliance field on what they believe the BODs should consider now and in the future:
- “The November 2023 OIG General Compliance Program Guidance document mentions compliance officers 146 times, the board 120 times and the general counsel once. The board should probably know how important the OIG thinks their compliance role is.”
— Roy Snell, Co-Founder and Former CEO, HCCA/SCCE
- “Compliance is more than a legalistic view of the DOJ Evaluation of Corporate Compliance Programs (ECCP) guidelines, DOJ Corporate Enforcement Policy (CEP) and the GCPC aggregation of ‘voluntary,’ ‘non-binding’ guidance. In the past many applied their inner lawyer approach to them, by hanging their hat on terms like ‘guidance,’ ‘voluntary,’ ‘non-binding,’ etc. Currently many missed the spirit of the OIG’s and DOJ’s intent for corporate and board fiduciary duties. Now they suffer the very real consequences of judgment when they have to explain how the Board or company did not consider them in their operation risks when under a review, self-report or settlement that is often raising the specter of a false claim. In the future you will not be able to ignore the spirit of the ‘four horsemen’ (ECCP, CEP, GCPC, and the Qui Tam’s sword under the False Claims Act ‘should have known/deliberate ignorance standard’) because you may be accused in judgment to have been informed of the compliance risks, knowingly ignored applying resources to them and being without the easy excuse from blinders of legalism to their requirements to you personally. Simply said, you would be a penny wise and a pound foolish to ignore them as actual requirements in the future.”
– Brian Flood, Partner, Husch Blackwell
- “Governance leaders need to be continuously ‘upping their game’ and expertise as regulators and other key stakeholders are increasing expectations and oversight of board performance. This includes ensuring we are looking 2-3 years ahead (same as we require of management) and being proactive in what skillsets are needed on the board to demonstrate we are meeting our fiduciary duty and have the scope and depth to ask the right questions of management. Additionally, for boards that are compensated, we need to ensure we have processes in place to both measure board effectiveness and individual performance, similar to how we measure and compensate CEOs and the C-suite.”
– Jenny O’Brien, JD, MS, CHC, President and Principal at BlackBridge Advisors
- “In the coming years we may see boards look to their Chief Compliance Officer (CCO) to not only provide reports around the status of the compliance program and compliance risk areas but to also serve as an advisor on a broader range of topics as part of an enterprise risk management strategy. CCOs should educate themselves and develop the skills they will need as boards lean into ensuring all risks are prioritized and managed as part of corporate decision-making processes.”
– Cindy Matson, MBA, CHC, CHPC, Vice President, Compliance & Audit Services, Sanford Health
- “I think a top priority for healthcare Boards of Directors is to ensure someone on the board has healthcare compliance expertise. Many healthcare boards already seek out individuals with specific areas of expertise such as financial, audit, clinical, patient safety, or some other subject matter expertise. Compliance should be added to that list. Some OIG corporate integrity agreements (CIAs) already require this. But for organizations who want to be forward-thinking instead of reactive when it comes to their compliance programs, they should proactively seek out individuals who have compliance expertise to serve on their board. Such an individual would be able to provide leadership and training in how a board should fulfill its compliance program oversight duties. Some of these duties might include engaging experts to perform periodic compliance program effectiveness reviews or approval of compliance risk assessments and annual work plans. Having someone on the board with compliance expertise would aid the board in asking the right questions of executive management and the compliance officer in regard to the compliance program.”
– C.J. Wolf, MD, CPC, CPC-I
- “The rapid proliferation of artificial intelligence (AI) software tools available to healthcare companies is outpacing existing regulatory frameworks, leading to both known and unknown compliance risks. Our company survey revealed that fewer than 11% of U.S. healthcare companies have an AI compliance policy or even a registry of AI-utilizing software. As the evolution of AI mirrors the fast-paced digital revolutions of the 1990s, boards of directors and management often lack a clear understanding of the associated risks. Proactive Board governance is essential to ensure that innovation is paired with rigorous oversight, in an effort to effectively mitigate future regulatory and reputational risks.”
– Jim Rough, CFE, CHC, CCEP, President SunHawk Consulting, LLC
- “Future Board compliance strategies rely completely on the Board understanding compliance risks and obligations. Compliance Officers should present training and reports in a manner that helps ensure Board members understand the compliance risk. Assume your organization made a self-disclosure to correct a billing issue which, if not remedied, could have been considered a false claim. Reporting the self-disclosure to the Board and providing some background on the issue is expected, but does the Board know or understand the reason the self-disclosure needed to be done versus just refunding the overpayment? Does the Board understand what the False Claims Act is and the implications of a False Claims action? Compliance Officers can better prepare the Board for future discussions about compliance strategies if the Board has received an annual refresher training on the core laws and regulations that impact the organization. To help emphasize the importance and to help guide the strategy discussion, use settlements or first-hand examples to show how the laws and regulations are being enforced or interpreted. This will help ensure compliance strategy discussions are built on a common understanding of the rules and risks.”
– Darrell Contreras, JD, CHC-F, CHPC, CHRC, Chief Compliance Officer at Millennium Health
- “As Compliance Programs continue to evolve and mature, the Board’s commitment needs to foster a culture of integrity and be visible to the entire organization.”
—Debbie Troklus, President, Troklus Compliance Consulting
- “I think with the OIG’s updated General Compliance Program Guidance (GCPG), there will be an increased concern about private equity firms that are financially backing healthcare organizations. More specifically, private equity investments in healthcare can raise unique compliance challenges due to potential conflicts of interest, billing/coding, and fraud and abuse. To guard against this, I think healthcare boards will need to make sure due diligence is done before entering into any partnerships with private-equity backed firms. Also, ensuring the private equity-backed firm has a robust compliance program in place that integrates with the healthcare organization’s own compliance program. Lastly, making sure that typical compliance activities, such as auditing, monitoring, education, and training, include that relationship with a private equity-backed firm.”
– Jay Anstine, President, Bluebird Healthlaw Partners
- “I hope the top priority for any healthcare Board of Directors will be the well-being of their workforce and workplace! We need standardized best practices to prevent burnout, detect culture and correct toxic cultures if we want happy and healthy staff who are ethical and compliant to provide quality and safe care!”
—Maeve O’Neill, MEd, LPC-S, CHC, CDTLF
The role of a BOD is multifaceted, and compliance is one program area of oversight responsibility. Regardless of whether it is paid or unpaid, serving can be both rewarding and daunting at the same time, especially if you want to do the job well and make a difference. It takes considerable time and effort to review and digest the web of information involved with decision-making, developing strategy and fulfilling oversight responsibilities.
Whether you are new to the field or a seasoned professional, hopefully the viewpoints above offer insight that can influence your BOD’s understanding of their oversight responsibility for the compliance program.
Shawn DeGroot, CHC-F, CCEP, CHRC, CHPC is president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. She served on the faculty of the HCCA Privacy Academy and served five years on the Board of Directors for St. Charles Health System, Bend, OR. Shawn’s expertise also includes Corporate Integrity Agreements, with experience in seven CIAs, the first pertaining to Stark and Anti-kickback. She is also a past president of HCCA/SCCE and serves on an advisory group to the HCCA/SCCE Board of Directors.