Guiding Your Organization to Compliance Health and Keeping your Healthcare Data Private and Secure
What Healthcare Organizations Need to Know About Educating and Training Their Boards of Directors
Compliagent's CEO was recently featured as a guest writer in Corporate Compliance Insights.
Board members of healthcare organizations are under more scrutiny than ever before. As a result of the unique compliance requirements in the healthcare industry, as well as increased regulatory enforcement and third-party lawsuits, healthcare corporate directors arguably have greater responsibility – as well as liability – than many of their peers in non-healthcare sectors for the oversight of their organizations’ corporate compliance programs.
In this environment, it is crucial for healthcare entities – typically through an organization’s chief compliance officer (CCO) – to effectively educate and train members of the board of directors with respect to their fiduciary duties, as well as the structure and operations of the entity’s compliance program. This process should commence well before the CCO’s first formal board presentation or the CCO’s preparation of compliance oversight metrics. Rather, an in-depth training program for corporate directors should be an ongoing process for new and veteran corporate directors alike, and should be fully integrated with the overall obligations of the corporate board.
The following is an outline for a model educational program for directors that may be implemented by healthcare organization CCOs and compliance personnel.
Fiduciary Duties and Relevant Regulations
At the most basic level, director training should inform and educate directors as to their various fiduciary duties in connection with the compliance function, as well as the primary regulations that relate to organizational compliance. While a full summary of the fiduciary obligations of corporate directors and the relevant healthcare regulations is well beyond the scope of this article, at a minimum, directors should be advised as to their duties of care and good faith dealings, including the duty of reasonable inquiry, the Caremark decision standards, and the business judgment rule. Additionally, directors should have an awareness of relevant regulations, such as the False Claims Act, the Stark and Anti-Kickback laws, exclusion screening requirements, HIPAA and other privacy laws, as well as applicable state laws.
Policies and Procedures and Code of Conduct
Written policies and procedures are a roadmap for healthcare organizations that help them mitigate day-to-day compliance risks. The policies and procedures should address all details of the compliance function, from reimbursement to quality issues. Like all guidebooks, an organization’s policies and procedures should be in a constant process of revision in response to changing laws and regulations, as well as compliance concerns. Members of the board should be familiar with both the substance of their organization’s policies and procedures and the mechanism by which the policies and procedures are revised and kept current.
Additionally, an organizational code of conduct articulates to staff, patients, and management the healthcare entity’s commitment to the ethics and values underlying corporate compliance. Similar to an organization’s policies and procedures, the code of conduct should be periodically updated for relevance and applicability. Moreover, all decisions of management and the corporate board should be consistent with the organization’s code of conduct. The code of conduct, as well as its process of revision, therefore, should be meaningfully communicated to the board of directors and throughout the organization.
The Structure of the Corporate Compliance Program
Directors should be made aware of the structure of their organization’s compliance program. All directors should be familiar with the key employees responsible for the program’s operation, the functioning of the program, how the board is to receive information and monitor their organization’s compliance program and compliance issues that may arise, and what metrics are available to assess the efficacy of the current compliance infrastructure. Board members should know what, when, and how relevant compliance-related information will be received and understand what tools they will have to assist in the board’s decision making.
Importantly, board members should have access to benchmarks and other information regarding how the healthcare organization has handled compliance issues in the past, how current performance compares to prior performance, current and past enforcement actions and lawsuits, and the procedures for self-reporting when wrongful conduct is uncovered.
Members of the board should also be knowledgeable as to their organization’s risk profile, how it was determined, and what resources – both financial and human – are available to the organization to address compliance needs.
Finally, directors should understand what their organization – and specifically the CCO – is doing in connection with prospective compliance planning. Compliance is never a static function, and an organization’s future compliance programming should be responsive to both governmental enforcement priorities and the entity’s fluid risk profile.
The Function of the Compliance Program
The overall function of an organization’s compliance program is perhaps the most challenging aspect of board education and training. It is unrealistic to assume that directors will become expert in all areas and in all details of compliance infrastructure. That said, it is important that members of the board be sufficiently familiar with the following areas of the operation of their organization’s compliance programming:
Delegation of authority and areas of accountability with respect to the compliance program and its implementation, as well as the separation of powers and responsibilities among the CCO, general counsel, human resources, senior management, the board of directors, and any compliance subcommittees of the board or management.
The level and mechanism for compliance training across the organization and the enforcement of entity training and knowledge standards, including the documentation of such training and audits of personnel knowledge.
The mechanisms and systems in place for compliance program flexibility in light of regulatory or industry change.
The day-to-day operations and details of areas within the organization where significant compliance risk has been identified and the timeline for remediation of those risks.
The mechanisms in place for detection of possible compliance violations, including the compliance hotline, internal compliance surveys, compliance incident reports, and staff self-reporting. Most crucially, directors should be aware of possible violations pending resolution and their related timelines, as well as the going-forward planning designed to avoid future violations.
Whistleblower and employee protection controls and the appropriate use of inside and outside legal counsel, as well as the functioning of attorney-client confidentiality and attorney work product protections.
The operation of the organization’s quality improvement program, including relevant entity metrics and areas of accountability for key personnel.
As demonstrated above, effective education of healthcare entity boards is a formidable challenge, but an important one. An effective corporate director training program requires a significant investment in time and resources, but is crucial to overall compliance oversight and organizational health. Although there is no such thing as a “one-size-fits-all” board training program, the foregoing is a useful topical model for use by CCOs and their staffs. There are also many written products available on the market addressing issues of director responsibilities and education, as well as independent consulting firms providing useful programming in this area. At bottom, a robust training program for corporate directors of healthcare organizations will empower directors to discharge their oversight obligations regarding corporate compliance and minimize overall legal and governmental enforcement risk.