Staying on the right side of federal and state laws and regulations is an increasing challenge for hospitals. For boards, compliance is not only a legal and fiduciary duty, it is an area of growing personal liability: Health & Human Services, the Office of Inspector General and the Department of Justice hold trustees accountable for ensuring that the hospital has an ongoing, effective compliance program.

Corporate compliance, stated simply, addresses legal and ethical issues that could lead to fraud and abuse. It demonstrates an organization's commitment to federal and state laws and regulations, as well as to regulatory, licensing and accreditation agencies. A compliance program establishes a culture that promotes an ethical and proper way of conducting business and works to prevent, detect and resolve potential or actual nonconformity with the law. It is formal confirmation of the high ethical and legal standards under which the hospital operates.

The fiduciary duty of care requires board members to exercise reasonable care that an ordinarily prudent person would use in similar circumstances. Board oversight of compliance is acting in good faith to determine with reasonable certainty that the program, policies and procedures comply with governing laws and regulations.

This article reviews the key elements of corporate compliance and sets the stage for further discussion with your organization's compliance officer and other executive management staff.

Why Board Oversight?

Board oversight is a fiduciary and legal duty. Boards can be held accountable for neglecting this oversight duty should noncompliance occur and there were signs indicating that the compliance program was not implemented and maintained effectively. In addition, the Internal Revenue Service Form 990 requires certain declarations relating to compliance activities and to board review of this document.

To demonstrate a commitment to a culture of ethical practices and to comply with federal and state laws, health care organizations adopt and implement compliance programs designed to incorporate the standards outlined in the Federal Sentencing Guidelines and the OIG compliance program guidance to ensure program effectiveness (see sidebar). Both the FSG and the OIG program guidance address the board's role in oversight of the compliance program. A culture of ethical conduct and commitment to compliance is top-down according to the OIG guidance, which notes that every effective compliance program begins with a formal commitment by the hospital's governing body. The FSG manual also states that the governing body must be knowledgeable about the compliance program, both content and operations, and conduct reasonable oversight of the program effectiveness.

HHS Inspector General Daniel Levinson addressed the board oversight role in a 2010 Trustee article, noting, "Every hospital should have an effective compliance plan as well as a compliance officer on staff. Trustee leadership is critical for both." He added, "The federal government is increasingly linking hospital payments of Medicare and Medicaid bills to the quality of patient care, both in terms of monetary rewards and penalties." He also emphasized two key FSG points: the compliance officer should have a direct reporting line to the board and be separate from the hospital's legal counsel.

Begin with Education

The most significant aspect of the board's role in compliance program oversight is education. Having engaged, knowledgeable trustees begins with the board orientation. In addition to learning about the hospital's mission, strategic plan, operational plan, quality plan and financial statements, board members should be informed of the corporate compliance program.

The starting point is a working knowledge of the foundational government documents outlining the elements of an effective compliance program and of the major laws governing health care operations. A general understanding of this content enables trustees to ask necessary questions and engage in appropriate dialogue to ensure reasonable compliance processes are in place.

Board members should be aware of the organization's annual compliance work plan, how it is influenced by the OIG Work Plan, internal and external audits, and the annual risk assessment done in conjunction with the internal auditors to establish priority focus areas. There is an extensive list of compliance laws but the following are key regulations that require trustee understanding: Deficit Reduction Act; False Claims Act; Stark Law; Anti-kickback Statute; Fraud Enforcement and Recovery Act; Affordable Care Act; Emergency Medical Treatment & Labor Act; Health Insurance Portability and Accountability Act; and Health Information Technology for Economic and Clinical Health Act.

The compliance officer also should provide these resources at orientation:

  • Glossary of compliance terminology
  • Code of conduct, which OIG program guidance describes as the general ethical and compliance principles that are the foundation for a culture of compliance
  • Conflict of interest policy and disclosure form
  • List of compliance program policies with access to full documents for board member reference
  • Compliance program assessment methods to ensure effectiveness
  • Overview of federal and state fraud and abuse recovery initiatives

Trustees may feel that becoming familiar with this content is a daunting task. However, the board needs to have overview-level knowledge and the compliance committee a more in-depth understanding to execute the oversight obligation properly.

Board Structure and Reporting

The primary responsibility of compliance oversight can be delegated to a board committee. It is important to have a clear committee charter that outlines the committee purpose, details the authorities and responsibilities, and describes the membership criteria. Should there be a routine government audit or investigation of alleged noncompliance, it is important to have a documented structure showing how board oversight of the compliance program is conducted.

Membership composition requires particular attention. The committee should comprise board members with core competencies relating to the key compliance risk areas, such as legal expertise and/or reimbursement knowledge. Given the recent focus on electronic health records, security of data, meaningful use and requirements of the HITECH Act, it is prudent to have a committee member with information technology expertise, a core competency rarely represented in the past.

A dashboard format is an efficient method for the compliance officer to present essential but low-risk reports. A report card format also may be used for routine internal audit findings and government fraud and abuse recovery audits with negative findings.

The hospital's annual compliance work plan combines action items identified as high priority after completion of the annual risk assessment, program effectiveness gap analysis and review of the OIG Work Plan. It should be reviewed and approved by the compliance committee. Throughout the year, updates on the completion status of key deliverables can be presented in a spreadsheet format, highlighting relevant information.

Using clear, concise, yet comprehensive report cards allows the committee meeting agenda to be built around issues that have been prioritized by importance and level of impact to the organization. Committee discussion then can center on the known high-risk priorities or items previously unidentified but discovered through internal monitoring and auditing or a government investigation. A plan of action, outlining corrective processes and future preventive measures, should accompany all reports by the compliance officer.

Constant vigilance to safeguard the privacy and security of data as required by HIPAA and HITECH, together with the current industry emphasis on development of EHRs, suggests at least an annual report from the privacy officer (if separate from the compliance officer) and from the information security officer. Board oversight of the compliance program includes having reasonable assurance that appropriate processes are in place to protect against a data breach and the potential resulting government sanctions. Committee members should be assured by privacy and security officials that the organization has adequate encryption processes, policies and procedures on the use of passwords, restricted authorization to access patient health information, and audit trails.

Having a standing education agenda item will keep committee members up-to-date on regulatory expansion and changes, and meet the OIG effectiveness element of education and training.

Distributing the compliance committee meeting minutes and the committee chair's reports to the full board informs all trustees of the committee's oversight activities. This contributes to each board member's understanding of the compliance program and their ability to assess whether the oversight obligation is being met.

Resources available to compliance officers indicate that government scrutiny of compliance programs is shifting to demonstrating effectiveness, in addition to having appropriate policies and procedures in place. Given this focus, an annual year-end report from the compliance officer provides a significant tool to meet the board oversight responsibility. This overview summarizes program initiatives and enhancements, including but not limited to:

  • compliance work plan deliverables;
  • new or updated compliance plan policies;
  • compliance program assessments and measures of effectiveness;
  • gap analysis or risk assessment summary specific to information system security measures;
  • education and training programs conducted for all employees and trustees;
  • documented initiatives to enhance compliance in such high-risk departments as the revenue cycle functions;
  • activities to meet the OIG program guidance;
  • internal audit summaries.

Champions of Compliance

As organization stewards, proactive and knowledgeable trustees are key to an ethical organizational culture in today's complex health system. Trustees will continue to see compliance and quality linked, and the impact of both on the hospital's financial health. By effectively executing compliance oversight, they are top-down champions of a culture of compliance throughout all aspects of hospital operations.

H. Rebecca Ness has 25 years of senior management experience in health care and higher education with specific expertise in governance and compliance. She lives in South Portland, Maine.

Sidebar - The Foundation of Compliance