As health care organizations grapple with changes in care delivery and payment and the ever-expanding rules and regulations associated with them, their boards will need to focus more on an area of governance responsibility that traditionally has received less attention: compliance oversight, an obligation that flows from the board’s fiduciary duty of care.

Several factors are driving the need for boards of both for-profit and nonprofit organizations to devote more attention and resources to their compliance oversight responsibilities. According to an April article in Deloitte’s Risk & Compliance Journal, boards recognize that ethics and compliance risks are among the most critical concerns confronting their organizations. State and federal laws, recent case law and the U.S. Federal Sentencing Guidelines have expanded the expectations of governing boards, the article notes, and contribute to a lower tolerance for boards that fail to live up to their fiduciary duties.

The Medicare Conditions of Participation and the Affordable Care Act further underscore the board’s obligations, says Monte Dube, partner and member of the health care department at Proskauer, Chicago. “Health care organization management cannot avoid sharing compliance risks and problems with their boards, because the buck stops with the governing body on these issues,” he says.

With clear and increasing focus on board accountability for compliance oversight, data indicating that only about half of hospital boards have audit and compliance committees, and that these committees may meet less frequently than other board committees, could raise questions about how or how well health care boards are discharging this governance responsibility.

These questions “touch a nerve,” says Virginia Evans, general counsel and corporate compliance officer of Centra Health, Lynchburg, Va., especially if board members are not aware that they may face full board and personal liability if compliance responsibilities are overlooked.

These and other issues facing the system recently prompted Centra Health to strengthen its board’s focus on compliance oversight.

“Centra Health had grown organically over the years through mergers and affiliations from its original footprint to cover a larger geographic area roughly the size of the state of New Jersey,” Evans says. “Centra outgrew its early board structure. The role of the compliance officer reporting to the board and the importance of an effective compliance program were not clearly outlined.”

The system took several steps to remedy the situation: It reorganized and reduced the size of its board; sought members with certain competencies; drafted charters for all board committees, including the audit and compliance committee; and endeavored to match board member competencies to committee work.

“We now have a certified public accountant on our board who chairs the audit and compliance committee,” Evans says. “I work with the committee chair to orient new committee members to their roles and responsibilities, with the chief executive and chief financial officers in attendance. We also conduct regular lunch-and-learn sessions for board members on current compliance topics and recent cases involving hospital compliance issues and board liability.”

Working with outside counsel, Centra Health developed templates to enhance oversight of compensation arrangements with physicians. The templates provide guidance on terms and conditions that should be addressed in contracts with employed physicians and professional service agreements, including set ranges of compensation within fair market value, recruitment agreements, income guarantees, medical directorships and other medical/administrative duties.

“The board’s audit and compliance committee reviews all such physician arrangements against these templates,” Evans says. “Any changes to the template require prior approval from the general counsel and the audit and compliance committee before they are sent to the full board.”

The overall message the system tries to convey is that effective compliance oversight can be a money-saver if an organization invests up front in building institutional knowledge and has the infrastructure to support it, she says.

Drivers of Effective Oversight

In its January 2005 supplemental compliance program guidance for hospitals, the Office of Inspector General emphasizes the importance of board involvement in compliance efforts: “ … the OIG strongly encourages the participation and involvement of the hospital’s board of directors, officers (including the chief executive officer (CEO)), members of senior management, representatives from the medical staff and clinical staffs, and other personnel from various levels of the organizational structure in the development of all aspects of the compliance program … .”

Capable oversight of compliance activities depends on trustees’ having a basic understanding of what makes hospital compliance programs effective [see OIG Recommendations for Compliance Programs]. Further, in its February 1998 compliance program guidance for hospitals, the OIG states “that every effective compliance program must begin with a formal commitment by the hospital’s governing body to include all of these elements that are applicable.”

Yet, when it comes to effectiveness, Dube notes, form is secondary to function. “Any organization can have a state-of-the-art compliance program or plan that merely gathers dust,” he says. “The key is for the plan to be effectively implemented. Boards need to ask what processes their organizations have in place to ensure that the compliance program is being properly executed.”

In general, he says, compliance effectiveness is directly related to an organization’s resources and commitment at the top. Large organizations tend to have more robust infrastructure in place, but that alone does not equate to effectiveness. The challenge for smaller organizations, he says, is to proactively engage in compliance efforts when their more limited time, smaller staff and other resources are typically focused on the ongoing need to generate more revenue.

“Hospitals that fail to focus sufficiently on compliance responsibilities because they don’t generate revenue are executing an enterprise mismanagement strategy,” Dube says. “Just like efforts that foster healthy behaviors and wellness, effective compliance oversight is preventive medicine.”

The following governance and leadership practices can help to foster effective compliance efforts [for additional examples, see 14 Board Compliance Best Practices].

Top-level commitment and support. Dube says that CEOs must make a commitment to compliance as the bedrock of their organization’s culture. They also need support from the full board and chair to implement a robust compliance program, which includes the board’s being willing to fulfill its fiduciary duties. “These efforts can’t be approached as a checklist exercise, but must be viewed as central to the organization’s mission,” he says.

Board and committee structure. Right-sized boards (typically nine to 15 members) with directors who have compliance-related expertise (such as finance, accounting, audit and risk management skills) may be better equipped to oversee compliance activities, Evans says. Because boards frequently rely on their committees to more deeply review and tee up issues for the full board, an audit and compliance committee can help to focus board governance and oversight of compliance efforts. A staff-level corporate compliance committee also can do a spot check for issues and support effective information flow between the organization and the board. This fosters more comprehensive and coordinated oversight.

However, the jury is out on what should be the most effective board committee structure for compliance and risk oversight. Overseeing all risk-related activities, including elements of the compliance program, as well as internal and external audit activities, might be too much for a committee that meets only two to four times a year. This realization is prompting some boards to establish separate risk management committees.

Dube sees the benefit of this approach. “Compliance and audit oversight are two related, but very different responsibilities — one risk-focused, the other legal,” he says. “If these functions resided in two separate committees, the committee focused on risk and compliance issues could assist all other board committees with their compliance and risk-related work and act as an early warning mechanism about emerging risks and compliance deficiencies. The compliance officer and general counsel then could work with this committee and bring more time and attention to this board oversight function. Having a separate compliance/risk management board committee also sends a strong message to the organization that the board and management value this function, take it seriously and are willing to devote sufficient resources to it.”

Transparency. “[CEOs] sometimes worry that compliance problems will reflect negatively on the organization, so they are reluctant to share them with the board,” Dube says. “However, [they] can’t afford to think this way. Boards know that their organizations are not perfect and that continuous improvement is the framework within which they should view the hospital’s performance.”

This same commitment to candid communication applies to the relationship between the chief compliance officer and the board. “Organizations can impede direct access between the chief compliance officer and the board, and this can become a big issue for hospitals,” he says. “The CCO’s job depends on having that access, and the federal sentencing guidelines make it clear that unimpeded access is paramount.”

Likewise, trustees don’t have the luxury of putting their heads in the sand when it comes to compliance deficiencies. Dube says that boards should be asking constructive, probing questions such as these:

• How do I know if our organization is compliant with applicable laws and regulations?

• How do I know if we provide adequate quality of care?

• How do I know if our organization delivers unnecessary care?

• How do I know if our readmission rates are reasonable?

• How do I know if our organization ensures the privacy of patient information and other protected data?

• How do I know if we have in place and use performance dashboards throughout our organization?

“Knowing” is an important aspect of compliance oversight, Dube says. “Boards may delegate to management, the medical staff and outside advisers, but they may not abdicate their responsibilities,” he says, “and not knowing is not a defense.”

Incentives. Should the board provide incentives for management to identify areas where compliance falls short? Take quality performance as an example, Dube says. “Many boards now base CEO performance incentives in part on improving performance related to identified quality problems,” he says. “All health care boards could consider using incentives based on CEO performance criteria, focused on closing the gap between compliance best practice and performance on the ground. We know incentive compensation works.”

Issues and Challenges

Current areas of compliance risk include oversight of physician contracts and relationships, quality and safety performance, compliance with the Stark Law, False Claims Act, Anti-Kickback Statute, Criminal Health Care Fraud Statute and other fraud and abuse laws, and hospital billing and coding practices.

Regarding physician arrangements, Dube suggests that hospitals have a protocol for governing contracts with referral sources. It should: address who can enter into such contracts; specify use of a form outlining terms and provisions; and require that the general counsel sign off that the form was used to establish the contract, and that the protocol for entering into the contract was adhered to, he says. The board should be aware that the protocol exists and is being followed.

“Health care organizations inherently operate in a gray zone, due to the dynamic regulatory environment,” Dube says. “Boards need to provide direction about where in that zone they are willing to have the organization operate. Without this guidance, how can management know it is operating appropriately? It is the board’s responsibility to understand and ensure compliance with standards and regulations governing hospital practices and be able to defend its decisions.”

Dube adds that data security breaches are an ongoing risk, as are concerns about antitrust violations associated with mergers and hospital-physician affiliations and networks.

“Boards also should evaluate new compliance risks their organizations face as they move away from traditional approaches to care delivery and payment toward a value-based, population-focused system involving new models of care delivery and payment, which entail new relationships and partnerships,” Evans says.

She cautions boards to pay particular attention to the duty to investigate potential issues. “Board members of nonprofit organizations have been fined or restricted from further board service because they failed to ensure that compliance problems were fully investigated,” Evans says [see Compliance Investigations: What the Board Needs to Know].

“Health care boards would be well-served to ensure that compliance issues are a standing item at least quarterly on board meeting agendas,” Dube says. “Building this topic regularly into board meeting agendas will signal its importance and bring it into the board meeting planning process. Being able to demonstrate the board’s continuous focus on compliance and risk also can be helpful in responding to a whistleblower complaint or lawsuit.”

Heightened Sense of Duty

Properly discharging fiduciary and other oversight obligations requires trustees to understand and ensure compliance with the laws, regulations and other requirements their organizations must meet. As transformational change gives rise to new and shifting standards and requirements, governing with knowledge and vigilance regarding compliance issues and risks is an important way boards can contribute greater value to the organizations and those they serve.

Mary K. Totten is director of content for AHA’s Center for Healthcare Governance, Chicago.

OIG Recommendations for Compliance Programs

The Office of Inspector General suggests that hospitals consider adopting the following seven elements common to effective compliance programs.

1. Designate a compliance officer and compliance committee. This corporate officer should be a member of senior management and have direct access to the board and chief executive, all senior management and legal counsel. He or she should report regularly to the board and be supported by an organizational compliance committee comprising people with various responsibilities in the organization (finance, audit, human resources and others) and managers of key operating units.

2. Develop compliance policies and procedures, including standards of conduct. These policies, procedures and the hospital’s code of conduct typically identify areas of risk for the organization. They should establish rules that help employees to comply with federal health care program requirements while advancing the hospital’s mission and objectives. Standards of conduct should be distributed to all directors, officers, managers, employees, contractors, and medical and clinical staff members.

3. Develop open lines of communication. These can include such vehicles as a newsletter, compliance intranet website and an anonymous hotline for reporting potential compliance issues. All potential issues of fraud and abuse should be investigated and results reported to the governing board, which should be actively engaged in pursuing remedies for recurring problems.

4. Provide appropriate training and education. A hospital’s governing body, employees, contractors and others who act on the hospital’s behalf should be trained to comply with rules, regulations and standards. Knowledge of fraud and abuse laws is particularly important for boards.

5. Monitor and audit internally. While overall compliance efforts, such as regular audits and risk assessments, should help to identify and reduce areas of potential concern across the organization, special attention should be given to reviewing billing and claims processing.

6. Respond to detected deficiencies. Consistently and promptly responding to and correcting compliance deficiencies can help to mitigate losses for hospitals. Having a response team of audit, compliance and other staff may help to assess identified deficiencies quickly. Deficiencies that have been identified but not corrected can negatively affect a hospital’s mission, reputation and legal status.

7. Enforce disciplinary standards. These standards should be communicated extensively, made readily available to all hospital personnel and enforced consistently across the organization. These actions help to reinforce an organizational culture that emphasizes ethical behavior.

Sources: Office of Inspector General’s Supplemental Compliance Program Guidance for Hospitals, 2005, and Compliance Program Guidance for Hospitals, 1998

14 Board Compliance Best Practices

1. Ensure that the organization’s compliance program incorporates the elements cited by the OIG [see sidebar, Page 18].

2. Provide adequate resources for compliance efforts to support best practice performance.

3. Establish a direct reporting relationship for the corporate compliance officer with the organization’s chief executive and board chair.

4. Consider separating the general counsel and corporate compliance officer roles to ensure that the compliance officer is completely independent.

5. Ensure that the organization’s corporate compliance committee reports up through the legal and compliance functions and to the board audit and compliance committee as needed.

6. Establish written policies and procedures, including a code of conduct, that promote consistent behaviors organizationwide.

7. Ensure that the board committee charged with compliance oversight has a clear charter specifying its roles and responsibilities and an annual work plan. For a sample committee charter for an audit and compliance committee, visit

8. Consider creating a board-level compliance committee that does not have audit oversight responsibilities.

9. Provide an orientation to the board compliance committee’s roles and responsibilities for all committee members.

10. Consider asking board members with compliance- and risk management-related competencies to serve on the board’s compliance committee.

11. Provide education at least annually for the full board on current and emerging laws, areas of regulatory focus, and other compliance issues and risks.

12. Consider conducting an annual board review of the organization’s policies and procedures.

13. Conduct a risk assessment at least annually and create a work plan to address deficiencies. Share results with the board.

14. Consider making compliance a standing agenda item for every board meeting.

Compliance Investigations: What the Board Needs to Know

Virginia Evans, general counsel and corporate compliance officer of Centra Health, suggests that boards use the following questions to start a conversation with the compliance officer and general counsel.

• Are there processes in place to ensure that complaints and allegations are fully investigated?

• Are those processes being followed by the individuals required to investigate?

• Does our organization have mechanisms in place to cause appropriate reaction to and remediation of any wrongdoing?

• Does our organization have processes to ensure that the board will have adequate notice about developments?