​Compliance Oversight for Health Care Boards of Directors

Boards of health care entities have always had a tall task – active entity oversight to ensure compliance in one of America's most heavily regulated industries. Regular and robust compliance reporting to and engagement by boards of directors of health care businesses are absolute necessities.

On April 20, 2015, the Office of Inspector General of the Department of Health and Human Services (OIG), the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA), and the Health Care Compliance Association (HCCA) released "Practical Guidance for Health Care Governing Boards on Compliance Oversight," joint guidance supplementing earlier collaborative guidance issued by OIG and AHLA some years ago. The new guidance (available here) does not contain any surprises, but it is helpful and easy to digest.

Here are some of the essential take-aways from the new guidance.

• The Board Must Regularly Focus On Compliance. Ensuring regulatory compliance is one of the key responsibilities of every health care board. Compliance program design is not a "one size fits all" issue, but it is universally true that boards must establish and actively maintain effective compliance program oversight. That requires, among other things, (1) review of the roles and relationships between and among the organization's audit, compliance and legal personnel, (2) review of the systems for ensuring issue-reporting within the organization, (3) review of existing and emerging regulatory risks and the methods for identifying them and (4) encouragement of enterprise-wide accountability for compliance. Available resources include the Federal Sentencing Guidelines, the OIG's voluntary compliance program guidance documents, and existing Corporate Integrity Agreements (CIAs).
• The Board Must Oversee the Independence of Key Functions Related to Compliance. The guidance reminds us of the need for balance between audit, compliance, legal, and quality improvement functions, especially in a smaller organization with limited resources. Organizations that do not have the resources to separate these functions should enable individuals serving in multiple roles to execute each function in an independent manner. It is the board's job to periodically evaluate whether reporting structures (to the board and to management) optimize the performance and independence of these functions. Additionally, the board should ensure that everyone works together to: (a) identify compliance risks; (b) investigate compliance risks while avoiding duplication of effort; (c) identify and implement appropriate corrective actions and decision-making; and (d) communicate between the various functions throughout the process.
• Reporting to the Board. Boards should set and enforce expectations for receiving timely and appropriate risk mitigation and compliance-related information from management and should hold management accountable for meeting such expectations. For example, the board may make clear that it expects to be informed of all internal and external investigations, serious issues raised during audits, hotline call activity, allegations of material fraud or of senior management misconduct, and all exceptions to or violations of the organization's code of conduct. One challenge for boards will be finding a balance between too much and too little information. To that end, boards may consider establishing risk-based criteria for triggering reporting obligations or using tools such as dashboards - containing key financial, operational and compliance information. Conducting regular "executive sessions" of the board with compliance personnel (excluding senior management) should be considered.
• Identifying and Auditing Potential Risk Areas. Some compliance areas are more vulnerable to fraud and other regulatory violations than others. These areas include, but are not limited to, arrangements with referral sources, billing (e.g., upcoding, submitting claims for services not rendered and/or medically unnecessary services), privacy breaches, and quality-related events. However, this list is not exhaustive, and it is critical that boards have processes in place to identify other potential risk areas. These processes may include the collection of information from internal sources (e.g., employee reports or audits) or external sources (e.g., OIG-issued guidance). Problems arising in other organizations can also help boards proactively identify potential risk areas. Additionally, boards should also be mindful of emerging trends in the health care industry (e.g., value-based purchasing, bundling of services for a single payment, increased consolidation between hospitals and physicians), as these trends can create unique and unforeseen compliance risks.
• Encouraging Accountability and Compliance. Boards should cultivate an environment in which compliance is viewed as a "way of life." This can be done in a variety of ways. One way is to make participation in annual incentive programs contingent on meeting compliance goals. Another way is to offer incentives that encourage self-identification of compliance failures. The recent guidance encourages boards to voluntarily disclose compliance failures to the Government. The primary goal is to make compliance an "enterprise-wide" responsibility.

For more information on this resource or if you have any questions, please contact Sarah E. Coyne at (608) 283-2435 / sarah.coyne@quarles.com, Jon R. Kammerzelt at (608) 283-2438 / jon.kammerzelt@quarles.com, Alyce C. Katayama at (414) 277-5823 / alyce.katayama@quarles.com, Joseph D. Masterson at (414) 277-5169 / joseph.masterson@quarles.com, or your Quarles & Brady attorney.