Sir Winston Churchill once said, “Success is the ability to go from failure to failure without losing your enthusiasm.” No insight more appropriately describes a highly functioning compliance program. The very objective of a compliance program is to look for failures. Since health care companies are burdened with volumes of regulations, they are usually pretty easy to find.

The complexity of the regulations and the multiple ways a health care entity can stumble pose special burdens on governing boards. In 2015, an appellate court affirmed a Pennsylvania jury’s $2.25 million verdict against 15 board members of a nonprofit health care entity, finding that their lack of oversight on regulatory matters breached fiduciary duties owed to the corporation. Surprisingly, the action did not involve a whistleblower; it was a lawsuit brought by creditors of the nonprofit corporation.

Regulatory noncompliance can form the basis of lawsuits from patients, state governments, the federal government, disgruntled employees under whistleblower provisions and, apparently, now creditors of health care entities. The old saying that “just because you’re paranoid, doesn’t mean everyone is not out to get you” comes to mind.

Whether your organization calls its governing board a “board of directors” or a “board of trustees,” the obligations imposed on board members are the same. Board members have a duty of care and oversight and a duty of loyalty. These duties have been widely discussed in other articles. What has been discussed less frequently is how oversight of the entity’s compliance program can fulfill both duties.

Practical tips

Here are six compliance-specific recommendations to protect a health care organization, and its board, from the perils of regulatory noncompliance.

  1. Attend compliance training required of employees. The board is expected to show leadership on compliance, and attending compliance training sets the right tone. It also provides firsthand knowledge of the substance and effectiveness of the training offered. Most organizations provide compliance program training at new-hire orientation. Has the training material been presented to the board? If asked by a prosecutor whether you attended compliance training, wouldn’t you like to be able to say “yes”?
  2. Insist on periodic reports from the compliance officer. In performing its oversight function, a board is like a conductor: It should lead the orchestra, not play the instruments. Implementation of compliance efforts should be left to the compliance officer. The board is expected to be informed of risks to the organization and knowledgeable about activities to protect against them, but it is not expected to handle implementation. Getting periodic reports from the compliance officer (documented in the minutes) will satisfy these expectations while respecting roles and responsibilities.
  3. Ensure that a process exists (and is utilized) for dealing with concerns of noncompliance. The modern health care industry is complex. Smart and dedicated employees may misunderstand the various (and often contradictory) regulations. Even judges struggle, as evidenced by the lamentations of respected jurist Samuel J. Ervin III, former chief judge of the Fourth Circuit: “There can be no doubt but that the statutes … of Medicare and Medicaid are among the most completely impenetrable texts within human experience. Indeed, one approaches them at the level of specificity herein demanded with dread, for not only are they dense reading of the most tortuous kind, but Congress also revisits the area frequently, generously cutting and pruning in the process and making any solid grasp of the matters addressed merely a passing phase.”

Laws change. Budgets for continuing education are limited. While it is a goal of all compliance programs to prevent mistakes, they will happen. Accordingly, it is critical for boards to ensure that a process exists for dealing with reports of noncompliance and that the process is followed when the need arises.

  4. Review the OIG video segment “Guidance for Health Care Boards.” The federal government increased its visibility in fighting health care fraud with a special team called the Health Care Fraud Prevention and Enforcement Action Team, or HEAT. As part of that effort, in 2011, the Health & Human Services’ Office of Inspector General produced short instructional videos promoting compliance. One video was prepared specifically for health care board members; I recommend it be shown at a board meeting and documented in the minutes.
  5. Read the publication “Practical Guidance for Health Care Governing Boards on Compliance Oversight.” In April 2015, the OIG and several health care trade groups published the handbook “Practical Guidance for Health Care Governing Boards on Compliance Oversight.” Notably, it recommends that boards include at least one member with legal experience or periodically consult with an experienced legal professional.
  6. Obtain an external review of the compliance program from legal counsel engaged by the board. In 2005, the U.S. Sentencing Commission recommended greater responsibility be placed on boards for compliance. Shortly thereafter, the OIG recommended obtaining external validation of the effectiveness of an entity’s compliance program.

Just as an external validation of financial accounting practices ensures that information provided by management is reliable, so will an independent verification of compliance efforts. Having the review conducted by legal counsel also will afford you the protection of the attorney-client privilege, which permits complete candor and allows for a careful analysis of areas of potential noncompliance by someone who is able to appreciate the risks without prematurely jumping to conclusions.

Many government investigations have been fueled by loose language used by non-lawyers. A consultant may be cheaper, but it cannot offer the protection of a privileged engagement. An external assessment from a qualified reviewer offers the best protection to board members and promotes the entity’s mission. It is unimpeachable evidence of the board’s oversight. Furthermore, it can prove that prerequisites for directors’ and officers’ liability coverage have been fulfilled.


An effective compliance program is critical to the success of a health care entity, and board oversight of the compliance program is expected. Six compliance-specific recommendations can be taken to demonstrate a board’s oversight and protect its members from claims of personal liability. Implementing each of the recommendations will reflect oversight performed competently and successfully by the board. Despite Winston Churchill’s insight on the usefulness of failures, true success comes from tasks done well. 

Donna P. Bergeson is a partner and attorney at Alston & Bird, Atlanta, and a member of the board of directors of Emory Saint Joseph’s Hospital, Atlanta.