On April 20, 2015, the HHS Office of Inspector General (OIG) published guidance for health care governing boards, articulating general features of effective compliance oversight and highlighting specific practical approaches available to boards.

The guidance encourages organizations to draw functional boundaries in organizational documents between the compliance, legal, and internal audit functions, while also “setting an expectation of cooperation and collaboration” among those functions. In emphasizing the importance of maintaining compliance as a function separate and not subordinate to the legal department, the guidance echoes statements in OIG guidance to boards published in 2004 (which, together with separate guidance published in 2003, has been a key resource for health care boards for the past decade).

Additionally, the guidance stresses the importance of the governing board receiving regular compliance-related reports from a variety of key players within the organization. It cites the potential use of “dashboard” products at board meetings to summarize compliance-related metrics. Further, OIG notes that holding regular executive sessions that exclude senior management may foster more open communication from compliance, legal, and internal audit leadership, while avoiding mistrust that may arise when senior management is excluded on an ad hoc basis. Boards should also closely examine compliance systems and processes to confirm that employees feel comfortable raising compliance concerns without fear of retaliation.

The OIG encourages governing boards to use resources such as the OIG’s voluntary compliance program documents as baseline tools in evaluating the strength of the organization’s compliance program. While boards have an ongoing duty to identify and monitor potential risk areas, OIG’s guidance emphasizes staying attuned to industry trends and legal developments, noting, for example, the newly-available information now available to boards (and the public) under the Sunshine Rule.

OIG also cites “multiple incentives,” including the statutory obligation to report and return overpayments within 60 days of identification, to build compliance programs that “encourage self-identification of compliance failures and to voluntarily disclose such failures to the Government.” OIG’s guidance indicates that final regulations implementing the statute “should provide additional guidance and clarity as to what it means to ‘identify’ an overpayment.”

Finally, the guidance emphasizes compliance as “an enterprise-wide responsibility,” and not solely the domain of the compliance and legal functions. It notes that organizations can assess individual performance in achieving compliance outcomes, and withhold incentives or provide bonuses accordingly.