Kusserow’s Corner: Developing and Structuring Compliance Policies and Procedures

Developing, implementing, and disseminating written compliance documents is a major foundation of any compliance program. Such documents include the Code of Conduct and a myriad of policy documents for both the management and operation of the compliance program, as well as compliance high-risk operational areas. These documents facilitate compliance with applicable laws, regulations, rules, and standards. The cost of developing a single policy averages about $5,000, and in many cases, much more. This high cost is regardless of whether the development is done through an outside contractor or law firm, internally by a committee, or any combination thereof. Consideration must be also given to the resources expended to properly review and approve policy document to ensure consistency with other related policies and all applicable laws and regulations. All of this can costly in terms of time and effort.

It is, therefore, not surprising that many turn to short cuts to reduce the cost of policy documents by using or adapting templates developed by other organizations. Some organizations even post many of their documents online, free to download. However, care must be taken when copying and pasting another organization’s documents, as there may be significant differences in the organization and how it manages its high-risk areas. There is also the question of whether the other organization correctly and consistently addressed applicable laws and regulations—if it didn’t, you will be bringing their mistakes into your own workplace. For more information and articles on how to find legitimate, tested, and certified policy templates, see the Policy Resource Center, where for the cost of one policy, an organization can obtain hundreds of tested templates. Whether you are developing policies in-house or using templates, the following will assist in understanding what is needed, why, and how to do it properly.

The HHS Office of Inspector General (OIG) has issued a number of compliance program guidance documents, all of which stress the importance of written compliance guidance for employees. The OIG notes that “At a minimum, comprehensive compliance programs should include . . . the development and distribution of written standards of conduct, as well as written policies and procedures that promote the [organization’s] commitment to compliance and that address specific areas of potential fraud, such as claims development and submission processes, code gaming, and financial relationships with physicians and other health care professionals.” The United States Sentencing Commission’s Federal Sentencing Guidelines notes that in order to “have an effective compliance and ethics program . . . , an organization shall . . . establish standards and procedures to prevent and detect criminal conduct.”

The failure to properly develop and disseminate compliance-related policies and procedures, and to train covered persons, can prove to be a huge mistake that can result in a variety of liabilities, including loss of revenue and reputation. The fact is that scores, if not hundreds, of policy documents are needed to be in compliance with regulatory and care standards. Compliance-related policy documents are needed to establish the structure and operation of the compliance program. These alone number in the dozens. Some are identified directly in compliance guidance documents, such as duty to report, non-retaliation, confidentiality, etc.

However, most of the needed compliance-related policies are operational in nature and relate to compliance high-risk areas. Those who have been working to revise and update code policies know how difficult, time consuming, and expensive it is to do this.

The challenge is how to identify and develop all the needed policies. Some of the types of compliance related policies include those that address the Anti-Kickback Statute, Claims Development & Submission, Clinical Research, Coding, Cost Reports, EMTALA, HIPAA, Human Resources Management, Laboratory Services, PATH, Quality of Care, Recovery Audit Contractors, Sarbanes Oxley Act, and Stark Law, among many others. The following are some tips for policy development:

  • Standardize polices in form and format to avoid confusion, as suggested below.
  • Ensure all policy statements are short, declarative, and specific to a single issue.
  • Write documents in the active voice.
  • Make documents user-friendly to those who have to live by them.
  • Make sure the policy does not conflict with other policy documents.
  • Cross-reference all policies to similar ones.
  • Define all key terms used.
  • Anchor documents in cited authority.

Compliance Policy Document Structure

Every HHS OIG compliance document stresses the importance of the development and distribution of written policies and procedures to ensure compliance with all applicable laws and regulations. There are many challenges in carrying this out. A good starting point is to ensure there is a formalized process for policy development. This includes the form, format, and process for development and implementation of new and revised policy documents.

In beginning the process, it is important to understand that a policy statement conveys officially-approved guiding principles or courses of action, and is a general description of a course of action serving as a guide toward accepted strategies and objectives. In contrast, procedures convey a means by which a policy can be accomplished, by defining and outlining officially-approved processes and standard practice instructions. In short, procedures provide a description of how a policy is to be carried out. Procedures define courses of action to meet planned objectives.

Developing a standardized policy template is very important, as it will prevent missing any key element of whatever policy is being developed. It has the added benefit of making the policies immediately recognizable to everyone. From our experience, the following general policy template and formatting has proved to be the most useful in developing all compliance-related policy and procedure documents:

  1. Header Block. The header block should include a number of things, including but not necessarily limited to (a) title; (b) identity of the department responsible for drafting, reviewing, and enforcement; (c) effective date; (d) policy number; (e) date of approval; (f) identity of approval authority; (g) whether it replaces or modifies an existing policy; and (h) number of pages inclusive in the document. The title should clearly identify the general topic of the policy and assist those who may be searching for guidance on the policy’s topic area, and should also indicate whether the policy is replacing an existing policy, as well as the last revision date. All of this information is critical to proper policy management. The effective dates of policies’ implementation and revisions must be maintained. If an issue arises, the date of applicable policy that applies is absolutely essential.
  1. Background. This explains the context by which the policy has been created, such as changes in law, regulations, standards, compliance guidance, etc. This can be used to introduce the context for the policy document. If the policy relates to a specific law, regulation or compliance standard, this section can explain how the policy document is designed to address that issue. It can also be used to relate and/or differentiate the particular policy document to other written guidance. This section should assist in understanding and following the policy. It is best to have this precede the statement of purpose.
  1. Purpose. Outlines what the policy document is designed to achieve. When developing or revising a policy, begin with a statement of purpose section that defines the intent and objectives of the policy. It should be relatively short and direct. It is suggested that it begin with an active verb such as, “to promote . . .,” “to comply . . .,” “to ensure . . .,” etc.
  1. Definitions. In many cases, documents will use terminology that requires understanding and clarification in order to meet the policy’s intention. These may be of a legal nature, or something specific to the organization. It is advisable to cite authority for the definitions being used.
  1. Scope. Explains the range of applications of the document in terms of covered persons, facilities, sites, etc.
  1. Policy Statements. Reflects the basic objectives of the organization and is a description of the general guiding principles or rules.
  1. Procedures. Provides detailed procedural requirements, methods, and guidance on how covered persons are expected to act in accordance with the policy.
  1. Related Policies. It is important that policies addressing similar or related issues be linked to ensure that they are consistent. There is nothing worse than having issues or incidents arise only to find the written guidance on the subject is in conflict.
  1. References/Citations. This section can be used for legal and regulatory citations, as well as that of the organization. If the policy document was in response to legal or regulatory authority, that authority should be noted along with a list of supporting and source documentation used to validate the policy and procedure. This can also be used to reference other policy related policy documents.

This article only touches on the subject and there is far more involved in how you ensure each element is adequately addressed. Furthermore, the process to be followed in developing compliance-related policies is a whole other area of consideration. For more information and details concerning type of compliance policies, as well as development and management can be found at the Policy Resource Center.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow’s Corner Newsletter

Copyright © 2014 Strategic Management Services, LLC. Published with permission.