The Affordable Care Act of 2010 (a/k/a Healthcare Reform) has dramatically raised the profile of the compliance program. This article offers a brief explanation of what a compliance program is.
I. A Brief History of Compliance Programs.
Compliance programs emerged in the healthcare industry in the 1990’s as a systematic way for companies to detect and prevent misconduct. In prior decades, compliance programs had developed as a governmentally-imposed method of preventing a recurrence of corrupt practice of large corporations that had been discovered and prosecuted.
In 1991, the Federal Sentencing Guidelines formally defined the components of a compliance program in order to enable courts to consider the adoption of a compliance program as a mitigating factor in sentencing. In a nutshell, the Guidelines defined a compliance program as a set of internal organizational standards that, if adopted and enforced to prevent and detect violations of law, would justify reduction of penalties when wrongdoing occurred.
The past two decades have seen compliance programs proliferate in the healthcare industry. Since the mid-1990’s, the Office of the Inspector General (OIG), which investigates Medicare fraud, has required compliance programs as part of negotiated settlements with providers known as Corporate Integrity Agreements (CIA’s). Over time, large institutional health care providers – such as health systems, hospitals, and drug manufacturers – began to respond to the encouragement of OIG and other government agencies and voluntarily adopted compliance plans proactively.
II. A Brief View of the Future of Compliance Programs
The Affordable Care Act represents a significant step forward for compliance programs. The law establishes a mandate that, by 2012 certain healthcare providers -namely, skilled nursing facilities – are all required to adopt compliance programs as a condition of participation in federal health programs. (ACA, Section 6102.) Elsewhere, the law requires that the government promulgate compliance programs for all types of health care providers.(ACA, Section 6401.)
This means that, whether you are a physician, a DME supplier, an ambulance company, a home health agency, hospice, or any other kind of health care provider, in the near future, you will be legally required to have your own compliance program.
II. So what’s involved in a compliance programs?
Although the government will be issuing specific regulations to define the specific requirements of compliance programs for each industry, the general goal of a compliance program is to (1) communicate specific expectations to the workforce of standards of integrity in reporting inappropriate conduct, fraudulent activities, and abusive behavior; and (2) create a transparent process to “operationalize” regulatory requirements and to monitor performance against standards. The key elements of compliance programs typically include:
Adopting a code of ethical conduct and written policies and procedures (and controls) to ensure that the organization complies with federal and state law;
Designating a compliance officer and a committee accountable for enforcement of the compliance program and compliance and ethics oversight;
Due diligence to avoid delegation of authority to unethical individuals;
Training the workforce and taking corrective action when rules are violated;
Consistent enforcement and discipline of violations and appropriate response; and
Monitoring and auditing to assess the quality of compliance.
The annual OIG work plan offers a good starting point of the issues upon which the government is focusing for compliance purposes. Ultimately, however, a good compliance program will also encompass the particular issues that you discern as points of vulnerability in your own business.
III. Is There Anything I Should Be Doing About Compliance Now?
Although the broad requirement for a compliance program is still ahead in the not too distant future, most providers are unaware that they are actually required by law to have a limited compliance program as a result of HIPAA. HIPAA requires all of the above steps in a limited fashion relating to protected health information and how it is stored and disseminated. What lies ahead is a broadening of the requirements to all aspects of provider operations.
If you are unsure what your current obligations are and what obligations lie ahead, please feel free to contact us. There is no time like the present to get into compliance with legal requirements. Some of the key steps in the compliance process – like designating an internal compliance officer to ensure the practice is following the rules, adopting policies and procedures, and commencing workforce training – will lay the groundwork for a broader compliance requirements ahead. Moreover, early adoption holds out the promise of reduced risk. Designing and implementing compliance programs presents a terrific opportunity to review the myriad risk management issues in and to find ways to protect yourself from liability and violations of regulatory requirements.