Compliance Program Assessment: What to Expect
Oct. 18, 2016
By Jerry E. Lear and Kenneth Zeko, J.D.
Having a compliance program in place within a healthcare organization is nonnegotiable. And having an effective compliance program is imperative – especially in the current environment of increased regulatory pressures and a renewed focus by the federal government on fraud, waste, and abuse in the healthcare industry. Today’s compliance programs must help organizations mitigate risk and improve organizational culture and attitude toward complying with healthcare laws and regulations.
How can an organization’s management tell if it has an effective compliance program in place?
If management cannot effectively and efficiently explain compliance activities throughout the organization, then it may be time to undergo a compliance program assessment. Such assessments work to determine the scope of compliance activities throughout the organization, the effectiveness of the compliance program, and to what extent the organization’s culture is conducive to compliance activities. An assessment can give the organization an idea of its compliance program’s strengths, weaknesses, and areas in which it can improve.
Healthcare is a fast-moving field, and, on top of that, each organization has its own unique structure and challenges. The approach to a compliance program assessment should be modified and customized to fit each organization.
However, every compliance program assessment should have a number of basic components in common. Here are some of the most pertinent elements an organization should expect when undergoing a compliance program assessment.
Document Review and Analysis
Whether the organization is conducting a self-assessment of its compliance program or hiring an outside organization to do it, the assessment should be comprehensive. This starts with a review of compliance-related documents in the organization.
During this part of the assessment, the assessors will ask to see documents that provide evidence that a compliance program exists at the organization. Examples of relevant documents that typically are collected and reviewed during an assessment include:
- Minutes from meetings of the compliance, board compliance, and audit committees (typically from the past six months)
- Charters of the compliance, board compliance, and audit committees
- Organizational charts of executive leadership and the compliance office
- Policies and procedures related to the compliance office or high-risk areas
- Information about sanction screening, credentialing, contracting, overpayments, joint ventures, etc.
- Examples of employee compliance training exercises and samples of communications made to employees about compliance code of conduct
- Samples of compliance monitoring and compliance work plans
- Previous compliance program assessments
- Compliance risk assessments and compliance risk assessment policies
- Information on reporting and hotline mechanisms in place at the organization
Interviews of Principal Staff Members
Assessors then use information gathered during the document review to conduct interviews of various personnel who are involved with compliance. Interviewing individuals throughout the organization is an important way to determine to what extent organizational leadership, management, and the board have an understanding of the compliance function and how to identify and mitigate risks.
Checking to make sure the organization is abiding by the most basic elements of a compliance program – the Office of Inspector General’s (OIG’s) “Health Care Compliance Program Tips,”1 including its “Seven Fundamental Elements of an Effective Compliance Program” – is just the basic level of assessment. It is not enough. Therefore, the interview questions should take a qualitative approach.
The aim of the interviews is to get an understanding of the organization’s culture, so questions should be more focused on engaging with the interviewees than about just checking off a box and confirming that X and Y are being done. A competent assessor will use the interview phase of the engagement not only to elicit information from employees and board members but also to provide “teachable moments” to the organization. Assessors should take this time to share information about the current state of compliance enforcement activities nationally, the importance of having a robust compliance program, and staff members’ roles in the organization’s overarching compliance program.
Depending on the size of the organization, anywhere from 20 to more than 100 employees could be interviewed. Individuals who might be interviewed include:
- Those with primary responsibility for day-to-day management of compliance activities
- Those whose functional responsibilities support specific compliance activities
- Those who are expected to provide oversight and support for compliance activities from business leadership, operational, and board perspectives
Another critical component of a compliance program assessment is the gap analysis and discussion. The assessor should provide a summary of findings revealed during the interviews and the document collection process. Then the organization has an opportunity to confirm the completeness and accuracy of the assessor’s understanding of its compliance program.
The summary findings should reveal existing compliance program trends within the organization, including program strengths and opportunities for improvement. In addition, the assessor should make recommendations to the organization based on best practices observed in leading organizations that are of a similar size and structure to the one being assessed.
At the conclusion of the assessment, a final report outlining the current state of compliance should be given to the organization. If compliance gaps are found, the report should include recommendations of ways to improve compliance in applicable areas of the organization. Depending on the final outcome, follow-up by the assessor may be required.
Keep an Eye on Best Practices
Organizations that haven’t yet taken formal action to verify that their compliance programs are effective or those that want to re-evaluate their programs should consider undergoing a compliance program assessment that is comprehensive, interview based, and not simply a review of the OIG’s seven elements.
In addition, they should keep an eye on the best practices of leading organizations and consider whether the organization can emulate what those leading organizations are doing in the compliance arena. Also, they should pay attention to the extent to which federal and state governments are active at prosecuting fraud in their state. If regulators are extremely active, the organization may need to consider taking its compliance program to the next level more quickly than previously thought.
1 “Health Care Compliance Program Tips,” Health Care Fraud Prevention and Enforcement Action Team, Office of Inspector General, https://oig.hhs.gov/compliance/provider-compliance-training/files/Compliance101tips508.pdf