Here’s news sure to leave healthcare compliance officers feeling good: the guidance released last week on healthcare compliance programs expressly says that compliance officers should not be the general counsel or the CFO, and should directly report to the CEO or the board.
An eagle-eyed compliance officer noticed that directive on Page 39 of the guidance, published by the Office of the Inspector General (OIG) at the Department of Health and Human Services. Said compliance officer relayed their discovery to me with “holy [expletive]!” at the top of the message, and deservedly so. This is a big deal.
On that Page 39, the OIG guidance first talks about the importance of compliance officers being “independent of other duties to the entity that might impair their ability to identify and raise compliance risks and advise on how to mitigate risks.” Then comes this passage, and in bold-faced type to boot:
Thus, the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board.
Before you march past the general counsel to say hello to your new boss in the corner office — the guidance goes even further! The very next paragraph also stresses that the compliance officer shouldn’t be responsible either directly or indirectly for healthcare delivery, nor for administrative functions such as billing, coding, claims submission, contracting, or administrative appeals.
And in cases where the compliance officer also holds the role of chief privacy officer, senior management should assure that the compliance officer “has sufficient staff and resources to perform the additional duties associated with that expanded role.”
Basically, the guidance says, “Whenever possible, the compliance officer’s sole responsibility should be compliance.”
How’s that for a shot in the arm?
OIG’s Bold Step Forward
This declaration of independence from OIG is so startling because it actually goes even farther than what the Justice Department, grand poobah of all regulators, says about compliance officer independence.
The Justice Department generally does prefer that chief compliance officers have autonomy and independence, but its guidelines for effective corporate compliance programs never expressly say that the chief compliance officer role should be separate from the general counsel or anyone else. Instead, the guidelines only instruct prosecutors to consider how a company structures its compliance officer role. For example:
Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)? To whom does the compliance function report? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? What are the reasons for the structural choices the company has made?
Those are all good questions, but they are (1) meant to help federal prosecutors understand the logic of a company’s compliance function; and (2) intended for companies already under investigation for a compliance violation.
That’s very different from OIG issuing guidance for all healthcare companies, including the vast majority not under any particular investigation right now, and expressly declaring what the CCO should or should not be doing. These are clear, precise instructions telling organizations in the healthcare world what OIG would like them to do.
The move isn’t entirely surprising, because the Department of Health & Human Services has long emphasized the importance of CCO independence when investigating Medicare and Medicaid fraud cases. Still, this message is a move forward: from demanding independent CCOs as part of a settlement, to recommending independent CCOs as a standard practice for all companies.
It makes me wonder whether other regulators will follow suit with similar new guidance sometime in the future.
So What Does a Healthcare CCO Do?
The OIG guidance had plenty to say about that question, too. Overall, OIG wants chief compliance officers to do lots of overseeing, advising, investigating, and reporting.
- Overseeing and monitoring the implementation and operation of the compliance program;
- Advising the CEO, board, and other senior leaders on compliance risks facing the business, compliance risks related to strategic and operational decisions the company makes, and the general operation of the compliance program;
- Reporting to the board on the implementation, operation, and needs of the compliance program, the compliance risks the company faces, and how the company is addressing those risks;
- Coordinating with the HR team to assure that all senior executives, employees, contractors, and medical staff are screened as necessary against Medicare and Medicaid exclusion lists, both before the person is hired and then monthly thereafter;
- Independently investigating and acting on reports of compliance infractions, including the flexibility to design and coordinate internal investigations and to recommend policy or procedure changes and corrective actions.
That’s a lot of responsibility, especially at larger healthcare businesses with extensive operations. You can see, then, why OIG is such a stickler for compliance officers not holding other titles or doing other work. First, those dual roles could create conflicts of interest — but more fundamentally, there’s only so much work one person can do. Given the importance of the legal and finance functions, it’s easy to imagine compliance duties getting short shrift if management shoehorns all that work into a single role.
Of course, all this attention on precisely what role the CCO should have does raise an intriguing question: If the compliance officer isn’t part of the legal function and isn’t offering legal advice, does that person truly need to have a law degree?
From those duties described by OIG, I don’t see any reason why the compliance officer needs to be a lawyer. Obviously a law degree and legal experience would help — but show me where it’s necessary. I don’t see it.
The only wrinkle I can see in the OIG’s message about compliance officer independence is how to apply that standard at small organizations. The guidance does say that when your company is too small to warrant a dedicated compliance officer, you should then designate a “compliance contact.” Even then, however…
This person should not have any responsibility for the performance or supervision of legal services to the entity and, whenever possible, should not be involved in the billing, coding, or submission of claims.
If we’re ruling out compliance officers who also work in legal, billing, coding, or submission of claims, I’m not sure what other role the compliance contact can have, although head of internal audit or (shudder) HR might be plausible candidates.
Regardless, that’s another instance of OIG saying compliance and legal should not mix. If that’s the case, then does the compliance officer really need to be a law school grad? Looks unlikely to me.