Mandatory Compliance Programs for Health Care Providers
Compliance programs were made mandatory for all providers as a condition of participation in the Medicare program under the patient protection and affordable care act of 2010. With the recent Supreme Court decision upholding the affordable care act, any uncertainty as to whether the mandatory compliance programs will become a reality has been lifted.
The affordable care act also required the CMS to promulgate regulations that establish the core elements for providers and suppliers to meet with respect to the mandatory compliance programs. CMS is authorized to determine the timing and core elements of the required compliance programs. The first industry segment that are required to adopt compliance programs are nursing facilities which must comply with mandatory compliance program requirements by March 23, 2013. However, CMS missed it statutory deadline (March 23, 2012) for promulgating detailed regulations to guide nursing facilities in the creation of compliance programs. It is expected that these regulations as well as the requirements for other providers will be forthcoming soon now that the Supreme Court has upheld the Affordable Care Act.
The Office of Inspector General has in the past issue compliance program guidance for various industry segments. We can expect at least some of these requirements to be part of the regulatory clarification coming from CMS under its authority to enforce mandatory compliance programs. We can also expect additional requirements to be added based upon a parallel recent promulgation from CMS that is applicable to Medicare advantage managed-care plans and prescription drug part D plan entities. Although not directly applicable to organizations other than Medicare Advantage Programs and Part D prescription drug programs, the regulatory proposals are instructive of the current thinking of CMS with respect to required elements of compliance programs.
Some key elements of the recent regulatory proposal which were not included in previous OIG compliance program guidance include:
- A strong recommendation that there be standardized process for the governing body to review the compliance program documents at least annually. Current guidance is much more permissive and only suggests periodic reviews. The new regulations would require a complete effectiveness review and a detailed “gap analysis” to the Board of Directors on an at least an annual basis.
- More details concerning distribution of standards of conduct and policies and procedures to new employees. The new proposed regulations required distribution of these materials within 90 days of initial hire and at least annually thereafter. Distribution of policies and procedures will be an “obligation” rather than simply a “suggestion” once the new proposed regulations are finalized.
- The proposed regulations contain the clearest statement to date from CMS that “dual role” compliance officers, where the compliance officer is also the CFO, CEO or General Counsel, present a built-in conflict of interest and are not permitted. This has been a controversial topic in the past as many organizations still maintain their general counsel as their compliance officer. If the recent proposed regulations are any indication, many “dual role” compliance officers will be the way of the past. It appears that it will still be permissible for divisional managers, such as quality assurance managers, to act in a dual role. However, operational management will not be permitted to act in his rules. This clearly includes CFOs, COOs and General Counsel who are specifically mentioned in the proposed regulations
There are many additional details that are contained in the most recent proposed regulations. There’s every indication that these proposed regulations are a foreshadowing of the eventual requirements that CMS will release under the mandatory compliance program authority that will be applicable to other providers such as nursing homes, physician groups, hospice, DME providers and other health care providers.
In view of these pending requirements and in light of the apparent expansion of compliance program requirements that is being hinted at by CMS, providers should conduct an effectiveness review of their compliance programs now and begin the ongoing process of conducting such reviews on an at least an annual basis. Reviews should be conducted with the requirements of the new proposed regulations in mind.
Small organizations, such as physician practices and smaller healthcare organizations should begin immediately to implement scalable compliance program structures that are focused on the specific risk areas that affect their organizations and begin to create an infrastructure for an effective compliance program.
Organizations who still have their General Counsel, CFO, or COO acting as their compliance officer should begin to set the stage to undo that structure. A separate office of Chief Compliance Officer should be created and separately budgeted. The CCO should have autonomy from other operational offices and should have direct access to the Board of Directors, a Compliance Committee and the CEO. This issue can be politically difficult within an organization and should be addressed soon rather than later. Ultimately, this is an issue that must be firmly addressed by the Board of Directors under its responsibility to oversee the compliance program.