Kusserow on Compliance: New OIG guidance on the roles and relationships for compliance, internal audit, legal, human resources, and quality assurance

At the Health Care Compliance Association (HCCA) conference on April 20, 2015, Dan Levinson, the HHS Inspector General announced the issuance of a new tool for health care boards, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight.” This was jointly developed with the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA) and the HCCA. The guidance’s purpose is to assist governing boards of health care organizations carry out their compliance oversight obligations. It supplements previous guidance, which has consistently emphasized the need for boards to be fully engaged in their oversight responsibility. A key part of this report focused on clarifying the role of internal auditors, lawyers, and compliance officers. The underlying reasons for focusing on this topic has been the continuing concern that these functions do not always operate with independence in reporting problems, issues, and other matters of importance to an organization’s board. In short, the board often has its independence compromised by the way it has been organized and operated.

For many years the Office of the Inspector General (OIG) has expressed concern about having the compliance office being part of or subordinate to legal counsel. It has found on many occasions that there has been compromising of the independence of the compliance function when this has occurred. It is commonplace to have the respective roles of legal and compliance being blurred, leading to practices inhibiting the free flow of compliance information; in some cases compromising independence and interfering with how the function is carried out; and by blocking critical compliance issues from surfacing. The OIG guidance underscores the important of ensuring the compliance office remains independent of and not subordinate to legal counsel. Similarly, the OIG has found instances where the role of internal audit as an independent fact gatherer has been inhibited by its reporting relationship. The guidance provides suggestions to boards and their compliance and audit committees on how to avoid problems of confusion of roles that take away from independent operation of the activities of the organization’s audit, compliance, and legal departments. This includes respective roles in regulatory risk assessment, how they report findings, and ways to achieve compliance goals and objectives through cooperation.

The guidance stresses the importance of defining the interrelationship of the audit, compliance, and legal functions to eliminate confusion of roles, impairment of independence, and other problems. It stresses the importance of boards ensuring the audit, compliance, and legal functions are defined in charters, policies, and other organizational documents that will assure independence of roles and professional obligations. The report goes on to state boards should have ongoing evaluations of adequacy of resources for these functions, their independence, and performance. This includes defining the place for each function within the structure of the organization, reporting relationships, and their interaction, as well as with other functions, such as quality assurance, risk management, and human resources. Specific duties and responsibilities that draw functional boundaries should be defined, while also setting an expectation of cooperation and collaboration among those functions. Suggestions are offered about how roles can be differentiated and defined as noted below.

The compliance function promotes the prevention, detection, and resolution of actions that do not conform to legal, policy, or business standards. This includes the obligation to develop policies and procedures that provide employees guidance, the creation of incentives to promote employee compliance, the development of plans to improve or sustain compliance, the development of metrics to measure execution (particularly by management) of the program and implementation of corrective actions, and the development of reports and dashboards that help management and the board evaluate the effectiveness of the program.

The legal function provides advice on the legal and regulatory risks of its business strategies, providing counsel to management and the Board about relevant laws and regulations that govern, relate to, or impact the organization. The function also defends the organization in legal proceedings and initiates legal proceedings against other parties if such action is warranted

The internal audit function provides an objective evaluation of the existing risk and internal control systems and framework within an organization. Internal audits ensure monitoring functions are working as intended and identify where management monitoring and/or additional board oversight may be required. Internal audit helps management (and the compliance function) develop actions to enhance internal controls, reduce risk to the organization, and promote more effective and efficient use of resources. Internal audit can fulfill the auditing requirements of the guidelines.

The human resources function manages the recruiting, screening, and hiring of employees; coordinates employee benefits; and provides employee training and development opportunities.

The quality improvement function promotes consistent, safe, and high quality practices within health care organizations. This function improves efficiency and health outcomes by measuring and reporting on quality outcomes and recommends necessary changes to clinical processes to management and the board. Quality improvement is critical to maintaining patient-centered care and helping the organization minimize risk of patient harm.

For many compliance officers the advice related to defined roles and responsibilities will be welcomed, in that it will provide support for assisting them in making their role more independent and effective.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2015 Strategic Management Services, LLC. Published with permission.