Demonstrating an Effective Compliance Program

March 24, 2017 Marti Arvin

Why Senior Leadership and the Board Should Care

Most healthcare organizations today have a compliance program, but how many can say the program is effective and more importantly feel confident they could demonstrate effectiveness? It is not uncommon to hear, “I cannot define effectiveness but I know it when I see it.” Why is this important? All compliance professionals know having a paper compliance program (compliance plan that sits on the shelf along with well drafted but not implemented policies and procedures) is not effective. But as one assesses what an organization is doing as it relates to the seven elements of an effective compliance program based on the Federal Sentencing Guidelines and all the various OIG compliance program guidance documents, the process gets more convoluted. How much is enough, and do you just want to do “the bare minimum”?

The seven elements are the bedrock to an effective compliance program. Any compliance program that does not have activities and functions around each of these elements will have a difficult time demonstrating effectiveness. The way the different elements are addressed can and does vary among organizations but the need to address them all remains consistent.

DOJ Compliance Program Considerations

The recently released document from the Department of Justice (DOJ) Criminal Fraud Division, Evaluation of Corporate Compliance Programs outlines some of the considerations DOJ uses to assess the organization’s compliance program. It provides some insight that healthcare entities can use to self-assess their program, particularly as to the role senior leadership plays in compliance.

The document states “the existence and effectiveness of the corporation’s pre-existing compliance program and the corporation’s remedial efforts to implement an effective corporate compliance program or to improve an existing one” is a key factor in the investigative process. The outcome can determine if the organization is charged at all or whether a plea or other type of agreement would be offered. While the document is specific to the criminal division, it should be anticipated a similar approach would be used by the civil division in assessing whether to file a case, intervene in a qui tam case or what a settlement might look like.

Senior Leadership and Board of Directors

Compliance oversight is a responsibility of the senior leadership and the board of directors. One of the areas DOJ states it will evaluate is what actions senior leaders have taken to provide leadership as it relates to compliance. They might also assess how the company monitors the behavior of its senior leaders. Most compliance professionals know a strong effective compliance program must have the right “tone at the top”. To have an effective compliance program senior leaders must be a model for others in the organization. DOJ will assess whether there is evidence senior leadership supported the investigation of any misconduct and helped ensure appropriate remedial measures were taken.

DOJ is also going to look at the board of directors. Often expertise in compliance is not something board members inherently have. What measures have been taken to assure they are appropriately informed and have a sufficient understanding of the issues regarding a compliance concern? Has the board given the compliance professional an appropriate opportunity to present issues and concerns by holding executive or private sessions with the individual to permit a free and open exchange? Are there other actions the board or senior leaders have taken to examine their oversight role?

Compliance Resources and Roles

DOJ will also evaluate the resources dedicated to the compliance function along with the autonomy of the compliance role. Since senior leaders are the ones to approve the budget and resources of the program they need to understand what DOJ is looking for to demonstrate the program is appropriately resources to address the organization’s risk profile.

DOJ will also look to see if the compliance officer’s role is viewed in the organization as one of importance. They are comparing the compliance officer role to other senior leaders in terms of “statute, compensation levels, rank/title, reporting line, resources, and access to key decision-makers.” Senior leadership needs to assure the compliance function has a seat at the table for key meetings and discussions involving strategic and operational decisions.

Fiduciary Duties

The role of senior leadership in assuring an effective compliance program is critical. Without support at this level to assure appropriate authority and resources the desired culture of compliance will be difficult to achieve. Moreover, senior leadership and the board has a fiduciary duty to the organization. A compliance program that lacks sufficient oversight and support from senior leaders could be seen as a failure to fulfill this duty. In what is commonly known as the Yates memo, published in 2015, DOJ made it clear the pursuit of corporate officers and other responsible senior level individuals will be in increased focus of their enforcement actions. Boards and senior leaders beware and be prepared to demonstrate that your organization’s compliance program is effective!

About the Author

Marti Arvin

Marti Arvin, ExecutiveAdvisor for CynergisTek brings more than three decades of operational and executive leadership experience in the fields of compliance, research and regulatory oversight in academic medical and traditional hospital care settings to her position in CynergisTek. Arvin leads strategic business development around compliance services and utilizes her industry recognized expertise in health research to inform the development of privacy and security services to meet that communities underserved needs. She is a nationally recognized speaker and contributor to the thought leadership around healthcare compliance and research, and contributes to CynergisTek’s industry outreach and educational programs. Arvin has extensive experience in building and managing compliance and research programs. Arvin previously served as the Chief Compliance Officer for Regional Care Hospital Partners and the UCLA Health System and David Geffen School of Medicine. She has a legal background from obtaining her J.D. and holds CHC-F, CCEP-F, CHRC and the CHPC certifications. She is recognized as an expert on compliance and privacy issues from her published articles, lectures and presentations at national conferences. She was a board member to the Health Care Compliance Association between 2008 and 2011 and was on the Compliance Certification Advisory Board for over eight years. She also served on the certification committee for the CHC, CHC-F, CCEP, CCEP-F, CHRC and CHPC.

Follow on Linkedin Visit Website More Content by Marti Arvin
Previous Article
Why Would You Hire Someone to Attack Your Network?
Why Would You Hire Someone to Attack Your Network?

While researching future blog post topics, I discovered that many people are searching on Google in the hop...

Next Article
Privacy Issues Unique to Research and Research Institutions
Privacy Issues Unique to Research and Research Institutions

Covered entities deal with many complex privacy and information security issues, but institutions that cond...


Subscribe to Our Monthly Cyber Bulletins with the Latest News, Tips and More!

First Name
Last Name
Thank You!
Error - something went wrong!