From the Contributor’s Corner: Outsourcing the Compliance Program

One of the most significant trends in business over the last decade has been the movement to outsourcing as many functions as possible not directly involved in the core business activities. There have been a number of studies citing the benefits of outsourcing, but without doubt, the two most prevalent motivations for outsourcing are cost savings and expertise on the part of the vendor.

This trend has long since reached corporate compliance programs.  The best evidence of this has been the dramatic trend to outsource employee hotlines.  Virtually any organization that has done a cost benefit analysis between having a hotline staffed internally versus outsourcing to a specialized hotline vendor has concluded that not only is outsourcing the right decision cost-wise, but also in quality of service.   For many, the question is just how far does this outsourcing concept go with regards to compliance programs and might this include outsourcing the whole program?

Over the last few years, there has been growth in the use of interim and designated compliance officers. In most cases, these are outside consultants brought in to operate or manage an organization’s compliance program. Interim compliance officers (ICOs), as is implied in the name, are temporary compliance officers serving for a period of time while an organization seeks a qualified permanent replacement.  However, there has been also growth in health care organizations using Designated Compliance Officers (DCOs) that is in effect outsourcing the compliance program.

The DHHS OIG recognized the question of costs and expertise in connection with smaller organizations.    Its general Compliance Program Guidance states: “For those companies that have limited resources, the compliance function could be outsourced to an expert in compliance.” [1] Further, the OIG in its guidance on a “Compliance Program for Individual Physician and Small Group Practices”[2] suggests that one solution for ensuring compliance in a small entity would be to designate a staff person to serve as a liaison with an outsourced compliance officer.  The OIG noted that if the compliance officer responsibility is outsourced, it would be beneficial for the compliance officer to have sufficient interaction with the entity to be able to effectively understand its operations.  Therefore, there is a need for an internal liaison to keep the outside consultant informed of activities and to assist in implementing compliance actions.  Furthermore, the OIG and CMS some years ago co-sponsored a government-industry roundtable devoted to discussing compliance-related topics. One of the topics discussed was outsourcing compliance programs.

The use of DCOs may arise for a variety of reasons, but mostly comes from the realization that the organization just does not have the size to warrant having a full time compliance officer and using someone part-time as a secondary duty just does not work.  The decision to outsource the whole program to recognized experts has a lot of advantages:

  • The organization is not paying the loaded cost of a full-time W-2 employee;
  • DCOs have knowledge and experience working with executive leadership and boards;
  • DCOs are more efficient and are not subject to a learning curve with respect to compliance;
  • DCOs bring experience and detailed knowledge of federal and state laws/regulations;
  • An outside party shows independence and objectivity without investment in prior decisions and actions ;
  • DCOs have experience in dealing with a wide range of compliance issues;
  • There is a reduced cost of recruiting, supporting full-time compliance staff and benefits;
  • The company can expect full regulatory compliance and reporting;
  • Better risk protection;
  • Lower fixed costs and reduced staff workload;
  • No redundant operations;
  • Executive-level reports on all compliance functions;
  • Senior executive and shareholder confidence;
  • Accurate compliance budgeting;
  • Risk assessments and claims analysis; and
  • HIPAA/HITECH privacy and security compliance.

If there is a decision to outsource the compliance activities, it is critical that the party engaged to perform this service be properly qualified with a wide range of compliance experience over a number of years that includes program development, implementation, management, and evaluation. A highly experienced consultant should be more efficient in carrying out the duties on a part-time basis.

The limitations on using a DCO are the size and complexity of an organization.  The larger the organization, the less attractive is the idea of outsourcing the entire program to a DCO. Conversely, the smaller the organizations, the more likely that the DCO concept may be the right answer, although the organization may not necessarily need to engage a full-time DCO.

For larger organizations, where outsourcing is not the answer, there still is the question of whether portions of the program could be outsourced, along the lines of a hotline vendor.   In subsequent articles, I intend to export the option of outsourcing and co-outsourcing portions of the compliance program.

[1]  See  for example Federal Register Volume 63, Number 243

[2]   65 Federal Register 59435

Richard P. Kusserow was the DHHS Inspector General for over eleven years.  He is the author of nine books related to compliance.  He is the founder and CEO of Strategic Management, a firm that has been providing specialized compliance advisory services since 1992 to 2,000 clients. The firm has been providing Interim and Designated Compliance Officers to organizations for many years. For more information, contact him at

Connect with Richard Kusserow on Google+ or LinkedIn.

Copyright © 2013 Strategic Management Services, LLC.  Published with permission.