Recently the New York State Office of the Medicaid Inspector General (OMIG) released a Compliance Program Review Guidance (“Guidance”)¹ which provides concrete examples of how organizations can demonstrate the existence of their compliance programs through documentation. In this Compliance Watch article, we describe each of the seven compliance program elements and provide some tips from the Guidance on ways to demonstrate implementation of each element.

Proving Element 1: Designation of a Compliance Officer

The designation of a single person to accept responsibility for the compliance program and manage its day-to-day operations is critical to ensuring that the compliance program remains visible, active, and accountable. The compliance officer typically reports directly to the chief executive or other senior administrator, as well as periodically reporting to the Board of Directors.

An organization may demonstrate the implementation of this element through:

• Documentation of vesting an employee with responsibility for the compliance program through the following types of documents:
  • Board meeting minutes or a Board resolution reflecting the appointment of a compliance officer with compliance-related duties and responsibilities
  • A letter of appointment for the compliance officer
  • A job description and/or performance plan that includes day-to-day operational responsibility and management of the compliance program
  • An organizational chart reflecting the reporting structure of the compliance officer to the chief executive or other senior administrator as well as to the governing board
  • An announcement or communications about the compliance officer to all individuals covered by the compliance program
  • A compliance plan document or other policies and procedures that describe compliance-related duties and responsibilities
• Documentation that the compliance responsibilities are satisfactorily carried out with evidence such as:
  • A compliance work plan and resulting logs, reports and risk analysis
  • Annual self-assessment of the compliance program and related policies and procedures and risk analyses
  • Initial and periodic compliance training for individuals affiliated with the organization
  • Completion of investigations, including implementation and monitoring of plans of correction for compliance issues
• Compliance program budgets reflecting sufficient resources dedicated to the compliance function
• Meeting minutes that reflect the compliance officer attends/leads meetings or receives reports viewed as having compliance program relevance 

Proving Element 2: Developing Written Standards and Procedures

The implementation of written standards and procedures ensures that expectations are clearly communicated to all individuals covered by the organization’s compliance program. Standards of conduct or a code of conduct express the commitment to ethical and legal behavior; describe the conflict of interest policy; and provide information on the compliance program and compliance reporting mechanisms. Written policies and procedures within an organization’s principal risk areas ensure that legal requirements are distilled into clear, workable directions.

An organization may demonstrate the implementation of this element through:

• Approval/adoption of the written standards and procedures by the appropriate governance or leadership group (resolution, meeting minutes, signature on the policy with an appropriate statement, etc.)
• Written policies and procedures including statements that:
  • All individuals covered by the compliance program will meet the requirements of the compliance program and related laws and regulations
  • Conduct contrary to expectations will be considered a violation of the compliance program and related policies and procedures
• Evidence that the compliance program policies and procedures have been distributed (by handing out a hard copy, making hard copies made available in a public area, or posting digital copies)
• Identifying an appropriate compliance employee to receive compliance communication:
  • If the written standards and procedures allow employees to report to supervisors and management, supervisors and management should be required to report issues to compliance
• Policies and procedures including a commitment to investigate and resolve potential compliance problems by:
  • Identifying an investigator, identifying the investigative steps (interviews, documentation reviews and root cause analyses), and requiring documentation of results
  • Implementing corrective action plans, reporting results to the chief executive and board, monitoring the effectiveness of corrective action plans, or updating, correcting or modifying policies, procedures and business practices

Proving Element 3 - Conducting Appropriate Training and Education

Training and education provide individuals covered by the compliance program with an understanding of the applicable legal requirements, written policies and procedures, and the compliance program elements. Compliance training should be part of orientation.  Thereafter, periodic training events create an important opportunity for the organization to convey its organizational values, including its commitment to ethical and legal conduct. Training topics should include the organization’s top compliance risk areas, expectations related to the compliance program and compliance program operation. Specific training should be provided to employees whose job functions raise significant risks for the organization, e.g., coding and billing staff, practitioners, and finance staff.

An organization may demonstrate the implementation of this element through:

• Policies and procedures outlining the training requirements for:
  • Orientation of newly affiliated individuals
  • Periodic training for all individuals
  • Documented follow-up process for affected individuals who miss trainings.
• Training materials evidencing all training subjects covered, including
  • Slides, handouts, syllabus or schedule
  • Sign-in sheets and/or signed acknowledgement of attendance
  • Pre- and post-training tests
  • Disciplinary action for compliance orientation/training absences that is consistent with discipline for failure to attend orientation or other work-related trainings. 

Proving Element 4 - Developing Open Lines of Communication

To facilitate detection of potential non-compliant conduct, individuals must feel comfortable in reporting compliance issues. Organizations should work to create an environment in which individuals do not have reason to fear retaliation for reporting compliance concerns and where they know that such reports will be taken seriously.  Developing anonymous and confidential reporting mechanisms can encourage the reporting of potential compliance issues. 

An organization may demonstrate the implementation of this element through:

• Developing at least one anonymous method of communication
  • According to the Guidance, the following may not be considered anonymous methods: telephone lines or hotlines with caller ID; email which can be reverse engineered to retrieve the sender’s address, suggestion boxes not exclusively controlled by compliance, or any method located in an area where there is camera surveillance activity
• Developing at least one confidential method of communication whereby the individual may request confidentiality and may have a reasonable expectation that the communication will be kept confidential
  • According to the Guidance, a hotline or compliance email inbox accessed by someone with no compliance responsibilities is not confidential
• Policies and procedures identifying the appropriate compliance personnel to receive the communication

Proving Element 5 - Conducting Internal Monitoring and Auditing

Monitoring is an ongoing process of reviewing the organization’s operations as they occur in the present. In contrast, auditing consists of conducting reviews of risk areas to determine compliance with legal requirements. An audit provides a “snapshot” of compliance at a specific point in time, often in the past.

An organization may demonstrate the implementation of this element through:

• A system for routine identification of compliance risk areas through monitoring and auditing, including the use a self-assessment tool to identify compliance risk areas or a compliance work plan to addresses the compliance risk areas
• A system for evaluating risk areas based on internal monitoring and auditing that includes documented results of self-evaluations, results of internal or external audits, and documented results of work plan activities
• Prioritizing risks may include identifying frequency of each risk, likelihood that negative outcome will result, impact on delivery of services, impact on other contracts and operations, and financial impact

Proving Element 6 - Responding Appropriately to Detected Offenses

For a compliance program to be effective, the compliance officer must ensure that the organization has taken steps to correct any potential or actual occurrences of non-compliance. As part of this process, a compliance officer (or his or her designee) should investigate credible allegations to determine their scope, causes, and seriousness. If possible, non-compliant conduct should be halted immediately and the effects of non-compliant conduct should be mitigated. Any corrective actions taken to address non-compliance should aim to reduce the likelihood of similar instances of non-compliance occurring in the future.

An organization may demonstrate the implementation of this element through:

• A system for responding to compliance issues as they are raised and as identified in the corresponding course of audits and self-evaluations.  Evidence of such a system includes:
  • Compliance reports to the CEO or Board on what corrective actions have been implemented and whether the compliance problem was corrected in a reasonable time
  • Corrective action plans, strategic initiatives, or work plans following root cause analysis activities associated with compliance problems and the length of time it took to put the action in place, as well as evidence of any follow-up to confirm the corrective action was effective
  • Meeting minutes for the compliance committee or other group that handles correcting compliance problems
• A system for refunding overpayments.  Evidence of such a system includes:
  • Self-disclosure history (CMS, OIG, MCOs, etc.), claim adjustments or claim voids 
• Written policies and procedures that:
  • Articulate expectations for reporting compliance issues, for correcting compliance problems promptly and for correcting compliance problems thoroughly

Proving Element 7 - Enforcing Disciplinary Standards through Well-Publicized Guidelines

Enforcing disciplinary standards gives the compliance program credibility as well as demonstrating organizational integrity, commitment to compliance and desire to prevent recurrence. Disciplinary standards should articulate expectations for reporting compliance issues and for assisting in the resolution of compliance.  In addition, the policy should outline sanctions for failing to report suspected problems, for participating in non-compliant behavior and for encouraging, directing, facilitating or permitting non-compliant behavior. 

An organization may demonstrate the implementation of this element through:

• Personnel files that include documentation that discipline has been taken based upon the policies
• Written policies and procedures that:
  • Set out expectations for reporting compliance issues and assisting in the resolution of compliance issues, including assisting in investigations
  • Require disciplinary action for failure to report suspected compliance issues
  • Outline discipline for participating in non-compliant behavior as well as for encouraging, directing, facilitating or permitting non-compliant behavior
  • Fair and firm enforcement of compliance-related discipline
• Training materials, employee handbook, compliance program, code of conduct and other written policies that include a description of disciplinary policies

Conclusion

Being able to provide concrete evidence that your health center has implemented a compliance program can be critical during an audit, when questioned by the Board or an employee, and when community members want assurances that your organization takes compliance seriously.  By developing documentation of each of the seven compliance program elements, your health center not only develops evidence that a compliance program has been implemented, it also builds a better compliance program.

1. Available at: https://omig.ny.gov/images/stories/compliance/compliance_program_review_guidance.pdf.