Lessons Learned – How compliance officers can better protect their organizations (Part 2)


This is the second installment in a series of bulletins that discusses some of the challenges compliance officers face and offers best practices showing how health care providers and their compliance officers can work cooperatively to establish and maintain effective compliance programs and avoid False Claims Act whistleblower lawsuits.

In the first installment, we discussed some of the challenges compliance officers face and highlighted challenges brought to light by the Halifax case.

Any organization can have a few compliance policies and a code of conduct they have copied from the internet and say they have a compliance program. But what can you do to make sure you have an effective compliance program – one that prevents and detects compliance issues?

Using the OIG’s compliance program guidance for hospitals as the starting point, we have put together some tips and suggestions on how to turn a plain-vanilla, off-the-shelf compliance program into a dynamic, effective compliance program that will work for your organization.

Formal Commitment to Compliance by the Organization’s Governing Body

Formal commitment to compliance by the governing body – the Board of Directors of the organization – is essential to an effective compliance program. This means the Board is involved in authorizing the compliance program, hears regular compliance reports and provides input and feedback, and is involved in major decisions related to the compliance program. If the Board sets expectations for the organization that show that compliance is important, that sense of importance will trickle down through the organization.

But it takes more than Board approval to have an effective compliance program. While the commitment starts at the top, organizations should strive to develop a culture that values compliance from the top down and fosters compliance from the bottom up. Evidence of commitment should include active involvement of the organizational leadership, allocation of adequate resources, a reasonable timetable for implementation of compliance measures, and the identification of a compliance officer and compliance committee vested with sufficient autonomy, authority, and accountability to implement and enforce appropriate compliance measures. An organization’s leadership should foster an organizational culture that values, and even rewards, the prevention, detection, and resolution of compliance problems even though doing so may be costly to the organization. This includes organizations ensuring that policies and procedures, including, for example, compensation structures, do not create undue pressure to pursue profit over compliance.

Getting true formal commitment to compliance is probably the biggest point of vulnerability in most organizations’ compliance programs. It is relatively easy to give lip service to compliance – the organization can have a compliance officer, have a compliance plan, have compliance policies, participate in compliance week, etc. In other words, have everything done correctly on paper. But without a culture of compliance instilled in all employees from the very top of the organizational chart, the compliance program will not be worth the paper it is written on. If an organization’s leadership does not value compliance and does not deem it to be an important part of running the organization, then decisions may be made that run contrary to what is compliant with applicable laws. And when employees, agents, contractors, consultants, and others perceive that compliance is not valued by an organization’s leadership, those same people are less likely to report compliance concerns internally because they perceive that their concerns will be ignored or not given the priority they deserve. When that happens, as it did with Ms. Baklid-Kunz in the Halifax case, we see those same people become whistleblowers to correct the wrong they have identified.

Regular Review of Compliance Program Effectiveness

Compliance programs should be living and breathing things, fluid and changing with the times. They are not “one and done.” As an organization grows, changes, adds service lines, adds employees, or adds new facilities and programs, the organization’s policies and procedures should be reviewed to ensure that they address the needs and risk areas of those new parts of the organization. In addition, the makeup of the compliance committee should be periodically reviewed to ensure that all of the relevant stakeholders and risk areas are included on the committee.

Health care providers should regularly review the implementation and execution of their compliance program elements. Some factors that compliance officers may wish to consider in their evaluation include the following:

  • Does the compliance department have a clear, well-crafted mission?
  • Is the compliance department properly organized? Is staffing appropriately assigned based on the risk areas of the organization?
  • Does the compliance department have sufficient resources (staff and budget), training, authority, and autonomy to carry out its mission? If compliance issues have come up since the last time the program was reviewed, consider what compliance activities might have prevented or detected the issues and consider making changes accordingly.
  • Is the relationship between the compliance function and the general counsel function appropriate to achieve the purpose of each? The OIG strongly recommends separation between compliance and the general counsel’s office, but in reality that does not always happen. Recognizing that this is not always possible, ensure that the compliance officer has the authority (actual, not just apparent) to go around the general counsel when needed to raise a concern related to compliance.
  • Does the compliance officer have direct access to the governing body, the president or CEO, all senior management, and legal counsel? Is this access genuinely available to the compliance officer such that the compliance officer would not hesitate to seek that access if necessary?
  • Does the compliance officer have a good working relationship with other key operational areas, including internal audit, coding, billing, revenue cycle, marketing, customer service/patient relations, human resources, and clinical departments? Not all compliance reports will come through the compliance hotline or some other direct compliance report. The personnel in these departments have access to critical information to help in the detection and prevention of compliance issues. Regular meetings to discuss initiatives in these departments will help keep compliance at the forefront of the minds of personnel in these other areas as they encounter issues and challenges, and it will prevent duplication of efforts across departments. Individuals from each of these areas should be included on the compliance committee as well.
  • Does the compliance officer make regular reports to the Board and other organization management concerning different aspects of the organization's compliance program? Does the compliance officer get periodic opportunities to speak to the Board in closed sessions?
  • Are internal compliance audit results and corrective actions reported to the Board and other leaders? What other information is regularly shared? Do the Board members and leaders ask questions and seem engaged in the compliance activities? If not, how can you engage them?

In the next installment, we'll continue our discussion on best practices.


  1. The initial compliance program guidance can be found at 63 FR 8987 and on the OIG website. The supplemental compliance guidance can be found at 70 FR 4858 and on the OIG website.
