Five Big Things That Have Changed Since You Adopted Your Compliance Program

on Monday, 8 February 2016 in Health Law Alert: Erin E. Busch, Editor

Vintage clothes, vintage wine and vintage cars are all great, but not vintage compliance policies. So what has changed that makes it vital for compliance policies and activities to be updated now?

Updates to Compliance Guidance. The original compliance program guidance document was published in 1998 for hospitals, followed closely that same year by guidance for clinical laboratories. The OIG has been rolling out additional guidance ever since for a variety of provider and supplier types. The guidance for hospitals and nursing facilities was supplemented in 2005 and 2008, respectively. In addition, the OIG speaks through its Open Letters, Fraud Alerts, Special Advisory Bulletins, Advisory Opinions and the annually published OIG Work Plan. All are available under the “Compliance,” “Fraud” and “Publications” selections on the OIG’s website. The letters, alerts, bulletins and work plans identify specific areas of concern, auditing and investigation.

The various forms of guidance and OIG communications have all more recently been emphasizing assessment of compliance risk, increased board education and involvement and evaluation of the compliance program itself.

Dramatically Raised Expectations for Governing Boards. The recently published Practical Guidance for Health Care Governing Boards on Compliance Oversight (April 20, 2016) was developed by the OIG in collaboration with the Association of Healthcare Internal Auditors, the American Health Lawyers Association and the Health Care Compliance Association. This publication emphasized an active role of the governing board in compliance more strongly than ever before. The Guidance states that boards are expected to be questioning and well-informed about compliance, seeking specific reports from management and the compliance, audit and legal functions as well as actively evaluating the compliance program. With its probable origins in the Caremark case’s director duty of care discussion, the Guidance is representative of other developments—increased investigation and prosecution of individuals for their role in health care fraud and abuse, and the recent initiation of oversight requirements and certifications from governing boards in corporate integrity agreements.

The Risk of Being Audited and Investigated Has Increased Significantly as More Resources are Dedicated to Auditing and Enforcement. Starting with HIPAA (increased compliance funding) and the Deficit Reduction Act in 2005 (Medicaid Integrity) and continuing through the Affordable Care Act, significant new financial resources have been directed to detection and prosecution of health care fraud and abuse. A new generation of audit contractors is actively investigating healthcare fraud in both the Medicare and the Medicaid programs. Fueled by information obtained in part from electronic billing, various government agencies now regularly use “big data” not only to detect outliers, but also to monitor potentially suspicious patterns of billing activity.

Establishment of Public/Private Coalitions and Communication. Older compliance policies and procedures tend to emphasize compliance with federal payers’ billing and rules. However, more recently, a growing number of commercial payers have established “integrity” programs to address non-compliance and potential fraud. The Affordable Care Act established pathways for federal and commercial payers to cooperate and communicate in detecting and investigating billing non-compliance and fraud. Updated compliance policies and procedures need to address relationships with all payers.

Old Compliance Infrastructure May Be Outdated or Ineffective. The trend has been for regulators to expect compliance systems and the related infrastructure to become increasingly sophisticated and robust. For example, when evaluating compliance programs for purposes of determining whether or not a corporate integrity agreement will be required, the OIG expects: (i) reporting lines to be truly anonymous, which generally means using a third-party vendor; (ii) larger organizations to have a written plan for the interaction and coordination of legal, audit and compliance functions; (iii) human resources functions to be incorporated into the compliance model; and (iv) all employees to be sufficiently educated to be able to respond to questions about the compliance program posed by auditors or investigators.

Convergence Between Quality and Compliance. Quality and reimbursement, and thus compliance, are being linked in ever-expanding ways. Likewise, the quality impact of compliance issues should be addressed in investigations and corrective actions. Policies and procedures must connect quality with compliance in meaningful ways.

All of this means that your compliance officer and committee should be carefully reviewing the current compliance policy and procedures and considering significant updates for the new generation of compliance expectations.

Julie A. Knutson

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500
