What elements would you recommend to the chief compliance officer to be included in an overall compliance plan and in a more specific coding compliance plan?
Element 1: Written Policies/Code of Conduct
Written policies should outline compliance program expectations. They are usually embedded in a code of conduct or code of ethics that is broadly applicable to all individuals who are employed by, interact with or serve on the board of the organization.
In addition, there should be a second document that details the operation and implementation of the compliance program, providing guidance around governance, organizational structure and processes for dealing with compliance issues. Some organizations choose to address governance and structure across multiple documents. For purposes of responding to an audit or request from a government agency, however, it is preferable to consolidate this information into a single document. Having the information in one document also simplifies the annual review of policies and procedures and helps ensure that compliance programs are evaluated and updated regularly.
We recommend that compliance plans and related documents be approved by the organization’s governing body and senior management, with that approval recorded through a resolution, meeting minutes or signatures on the policy. Policies and procedures should be reviewed and revised each year, with past versions archived.
In addition, it’s important to remember that, for policies to be effective, they must be easily available to staff—not simply stuck in the compliance officer’s binder or posted to a SharePoint site that not everyone can access. At minimum, the compliance program and code of conduct should be posted on an external website, as well as on an Intranet location that all staff can easily find.
Element 2: Compliance Officer and Oversight
The compliance officer should be a senior role with an appropriate level of autonomy. The best practice is for the compliance officer to report directly to the CEO or the board of directors. He or she should not report to the general counsel—or through operations or finance, where there could be perceived conflicts of interest.
It is critical for the board of directors to review the compliance officer and his or her functions annually and update the job description to reflect added responsibilities. Organizations that have decided to outsource their compliance functions should consider the rationale for that decision—and define how they will maintain active oversight of the compliance officer role.
In addition, the compliance officer should be supported by a compliance committee. The committee should be multidisciplinary and have a charter that details set responsibilities. Compliance committees should meet at least twice a year and ensure that all members are actively involved and accountable. Activities such as quality reporting and grievance monitoring should be reported to the committee, demonstrating that the organization is actively auditing operational activities to ensure compliance. The compliance committee should keep minutes as evidence of its activities.
As was defined in In re Caremark, the governing board also has responsibilities for ensuring compliance. In the 1996 case, the shareholders of Caremark International Inc. brought a derivative action alleging that directors breached their duty of care by failing to put in place adequate internal controls. As a result, the company’s employees were able to commit criminal offenses resulting in substantial fines and civil penalties.
Ultimately the court did not find that the board violated its duty of care, but this case set forth how to determine if the board has exercised its duty of care appropriately:
It’s important that the board exercises good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operation, so it may satisfy its responsibility.
The Business Judgment Rule—the presumption that in making a business decision, the directors of a corporation acted on an informed basis, in good faith and with the honest belief that the action taken was in the best interest of the company—governs the level of detail appropriate for an organization’s information systems. Directors are entitled to rely on their officers, employees and consultants—but have a duty to make reasonable inquiries when facts warrant gathering further information.
The role of the board is general oversight over the compliance program activities. This can be delegated to a subcommittee, but ultimately it is the board’s responsibility. For multientity organizations, it’s key that the governing entity of the subsidiary, as well as the parent board, receive reports on compliance. The board should receive regular updates from the chief compliance officer, annually assess compliance effectiveness, receive reports on audits and investigations, discuss corrective actions, and approve any changes to compliance programs.
Element 3: Training/Education
Educational programs should include training in general compliance issues; fraud, waste and abuse; the Anti-Kickback Statute (AKS); and the False Claims Act, as well as inappropriate gifts and relationships with referral sources that could put the company at risk for noncompliance. The training should be documented, including pre- and post-tests. To create a culture of compliance, training should be part of the onboarding process, as well as held annually—and be supported with monthly email blasts and in-person road shows that reinforce best practices. Compliance training and education should not just be an annual “check the box” activity.
Element 4: Reporting Hotline
It is critical to have a hotline that enables confidential and truly anonymous reporting of compliance issues. The organization may publicize reporting options, such as email, toll-free numbers and mailbox addresses, including information on the kinds of issues to report. To help publicize the hotline, the number can be placed on the email signature lines of employees, external-facing websites and posters in lunchrooms.
Element 5: Monitoring, Auditing and Internal Reporting
It is important to perform an annual risk assessment that is specific to an organization. The assessment should go beyond looking at the OIG, Centers for Medicare & Medicaid Services (CMS) and Department of Justice (DOJ) areas of focus. It should incorporate interviews with key staff to identify each organization’s particular risks, as well as look at any compliance challenges over the past 12 months and consider internal controls and accountability. Results should be presented to senior leadership and the board, with a strategy developed to determine how findings fit with other risk assessments and enterprisewide approaches. The annual risk assessment should be continuously revisited throughout the year to ensure it remains accurate in light of changes facing the organization.
As a best practice, leverage the risk assessment to create an annual monitoring and auditing internal reporting program. The assessment can be used to identify trends, support quality reviews and other operational activities, determine where expertise is lacking and third parties should be engaged, evaluate vendors, and track compliance hotline calls.
The annual compliance work plan may be broader than just auditing and monitoring. It may involve creating new policies and procedures, as well as potentially setting up ad hoc committees to look deeper into possible compliance issues. Similar to the risk assessment, the work plan is a living document and may change over the year. Any changes or updates should be documented and justified.
Element 6: Nonretaliation and Nonintimidation
Nonretaliation and nonintimidation are crucial elements of effective compliance programs. People will not participate if they fear they will lose their jobs for reporting potential issues. The compliance officer should partner with human resources to ensure the nonretaliation and nonintimidation policies are strictly enforced.
Element 7: Investigations and Remediation
It is critical to respond quickly and thoroughly to compliance issues, because the clock starts ticking the day an organization acknowledges that it has received a potential overpayment. (If a company doesn’t act within 60 days of an overpayment being identified, it can face an FCA case. See part 1 of our series for more information.)
Investigations should be performed by qualified individuals and scoped to determine the “who, what, when and how” of the issue. It is critical that investigations identify root causes, as well as uncover and correct any areas of system vulnerability to ensure there is no further risk of overpayment. Corrective actions should be tracked to confirm that they have been effective.
Element 8: Disciplinary Policies
Clear disciplinary policies must be in place for anyone who has engaged in unlawful or unethical actions. The policies should apply consistently across all levels and positions, including employees, board members and vendors. Board members should be removed and vendors and employees terminated if any misconduct is identified. We strongly recommend that creating a culture of compliance be a performance review metric. It also is important that incentive compensation programs support a culture of ethics and compliance and don’t inadvertently encourage noncompliant behavior.
Building Successful Compliance Programs
To ensure compliance programs are effective, it is critical to: