The HHS Office of Inspector General has published new guidance for compliance programs in the healthcare industry. Compliance author and CCI columnist Mary Shirley shares her insights into how the guidance is instructive, not just in the healthcare and life sciences industries but beyond.
Corporate Ethics and Compliance Week, which was Nov. 5-11 this year, is basically the holiday season for the ethics and compliance community — our festive season of cheer, celebration and community. So it is perhaps fitting (and definitely super cute) of the U.S. Department of Health and Human Services Office of Inspector General (OIG) to gift Team Compliance (that’s us) with their latest advice, “General Compliance Program Guidance,” to kick off our week of fun, frolic, education and outreach. Best gift ever!
General observations about the guidance
Weighing in at 91 pages, the OIG’s guidance is comprehensive. It is unlikely, dear reader, that I will be able to do the guidance justice in one summary article. Therefore, I’ve reviewed the document in its entirety and am focusing on the angle I found most compelling from the standpoint of relevant content that will likely cause many compliance leads to think about whether they need to adjust the status quo.
While we’re on this point, I think the level of care the OIG has put into making this a practical, user-friendly document is wonderful. They’ve taken care to lay out the pages so the content isn’t hard on the eye, given an overview of the U.S. healthcare laws, included useful questions to ask of yourself (like the DOJ’s “Evaluation of Corporate Compliance Programs” guidance) and even offered learning aids of examples to demonstrate their points. It also tells you what to do if you need help or how to submit feedback. I’m going to go out on a limb here and say this is a gold standard guidance document.
Another thing I ought to note is that this guidance is released for the “health care compliance community and other health care stakeholders,” per an OIG email notifying subscribers of the release of the new resource. This statement is also included on Page 2 of the document and captures many organizations falling under the life sciences areas as well, so I’ll also share my views on what this guidance means for compliance professionals outside the targeted industries.
Thirdly, a “User’s Guide” section on how to use the guidance emphasizes that it is voluntary and nonbinding, and highlights the use of “should” throughout the document to make clear that the document is of a recommendatory nature only. This makes sense given it’s called “guidance” and not “rules,” though even with this in mind, I think we can agree that practitioners take guidance seriously and consider it to be pretty darn instructive, largely because it sets out what appear to be the government’s preferences and expectations, even if room is being left for them not to apply in every single situation.
The OIG has highlighted certain passages in bold, which suggests to me that while the guidance is voluntary, the government really wants us to consider implementing the highlighted policies or procedures if we haven’t already.
Compliance officer independence and empowerment
The first section of the guidance focuses on substantive healthcare compliance, which sets out good foundational understanding and tips and then moves on to the seven elements of an effective compliance program, where I think there were some thought-provoking takeaways for leadership and compliance officers.
I therefore take a deep dive into those areas, starting at Page 39 (note passages OIG highlighted in bold):
“To fulfill their duties, the compliance officer should be empowered, and independent of other duties to the entity that might impair their ability, to identify and raise compliance risks and advise on how to mitigate risks, achieve and maintain compliance with Federal health care program requirements, and succeed as a compliant entity. Thus, the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board. Usually, leaders of these functions are the general counsel and the chief financial officer, but some entities give them different titles.
“To be effective, the compliance officer should also maintain a degree of separation from the entity’s delivery of health care items and services and related operations. Thus, the compliance officer should not be responsible, either directly or indirectly, for the delivery of health care items and services or billing, coding, or claim submission. In addition, involvement in functions such as contracting, medical review, or administrative appeals present potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance.”
There’s a lot to unpack here. The OIG emphasizes that the standard is an independent and empowered compliance officer. The guidance also suggests that, where possible, the CO should be dedicated solely to compliance, but in any event should not be part of legal or finance in particular and also should not carry out the traditional role of legal and finance staff.
So organizations that have compliance reporting into legal ought to reconsider their structure in light of the guidance and what this may mean for general counsel who hold the chief compliance officer mantle as well. Now, of course, with the guidance being nonbinding, some companies may consider keeping their structures if they are comfortable the CO is otherwise empowered and independent and thereby they are achieving the spirit of the guidance. This could apply, for example, to a CCO who reports into the GC/legal and also has a dotted line into the CEO.
However, given this is one of the instances where the OIG has chosen to highlight recommendations with bold text, I think companies that don’t already have wholly independent reporting lines for compliance should consider it incumbent on them to think carefully about this point and whether there would be any harm in separating the functions formally.
Tale as old as time … well, quite some time, anyway
I have always interpreted this approach as being the preferred one of the OIG, given the requirement for separate legal and compliance functions in many corporate integrity agreements (CIAs), but I think this is the first time the advice has been stated in broader guidance. That means organizations that may have previously brushed off this approach, justifying the disregard on the basis that they were not in trouble and subject to a CIA, will likely need to reconsider their position.
Making a clear distinction between legal and compliance is not a new concept when looking more broadly beyond CIAs. Ethics and compliance thought leader Donna Boehme has long been a proponent of legal and compliance being separate, even winning an award from the Society of Corporate Compliance and Ethics for her campaigning work in this area in 2015.
As a side note, I would point out that at Page 86 of the guidance, the OIG considers that CIAs “can serve as a resource when a health care entity reviews its compliance program’s structure and operations,” so they’re clear on the fact that we should consider CIAs as instructive regardless of whether we’re a company in a compliance crisis or not.
Compliance officers don’t need to be qualified lawyers
Of course, this makes sense, not only when it comes to independence but also when we consider the other messaging the OIG is giving in the aforementioned passage from the guidance — that compliance officers shouldn’t be giving legal advice. So, while it has not been expressly recommended in the guidance, I think the inclusion of this detail should prompt companies that require that their compliance team consist of (often) U.S.-qualified attorneys and make every role in the team a “counsel” position to consider that perhaps they’re taking too legal an approach to a function that is not actually a legal function.
On Page 38, the OIG runs through compliance officer responsibilities. None of them require a law degree, and I note that the OIG does not recommend that the compliance officer be a U.S.-qualified lawyer with admission to one state bar in good standing. I can find no reference to legal education being the preferred background for compliance roles by any other authority or this being a recommendation in any other guidance either. So why do so many companies continue to insist on this as a requirement? Compliance is its own field with its own responsibilities that are simply not the same as and sometimes are in conflict with what traditional members of a legal function would be doing.
Impact on compliance programs more broadly
In my view, this section of the guidance has earth-shattering consequences for many companies because it challenges the status quo of many organizational structures, and anecdotally I would suggest that compliance reporting into the GC or the compliance officer being the GC reflects the majority of reporting structures outside of healthcare and life sciences. This brings me to the question: What does this mean, if anything, for companies operating outside of the intended scope of the guidance because they’re not healthcare or life science entities?
Well, obviously, it’s not mandatory for even companies in the relevant target markets to follow the guidance to the letter. However, I would suggest that even for companies outside healthcare and life sciences, it could be considered best practice for their organizations. Guidance from various jurisdictions on effective compliance programs does not wholly overlap, but they all seem to be within the same spirit of each other, and the OIG references the DOJ “Evaluation of Corporate Compliance Programs” and U.S. Sentencing Commission guidelines documents as resources within its guidance, indicating support for other guidance within the same context.
The DOJ’s corporate compliance guidance makes reference to compliance programs being “adequately resourced and empowered to function effectively.” While we are yet to see lower-level examples and suggestions of what this might mean in practice from the DOJ and what would not be considered adequately resourced and empowered (for example, opining on whether appointing a lawyer from the legal department as CCO without a compliance background would meet this expectation), it is not outside the realm of possibility that if they were to expound upon that expectation, certain elements or themes similar to what the OIG has recommended might be proposed by the DOJ also. So DOJ, if you’re reading, that’s a section we’d love to hear a representative do a speech about soon!
Summary
While the guidance is not binding, the OIG appears to have come out loud and clear with messaging around recommending that legal and compliance departments be separate and compliance officers focus on “compliance-ing,” not lawyering or other activities that belong to the scope of other departments.
This guidance will ask many organizations that in some way combine legal and compliance to take a careful and serious look at the status quo of their reporting lines and wider place within the organization, a continuous monitoring and improvement exercise that will no doubt have some folks indignant, others wringing their hands and still others embracing an opportunity for change.