Risk Managers Valued in Compliance Program Guidance from OIG
EXECUTIVE SUMMARY
New compliance program guidance from the Office of Inspector General (OIG) underscores the value of risk managers. The guidance clarifies OIG’s expectations of healthcare organizations.
- Compliance programs must be customized to the healthcare organization.
- OIG expects entities to search for new risks, not just address known risks.
- The report increases the value of risk managers to their employers.
The Department of Health and Human Services Office of Inspector General (OIG) recently issued its new General Compliance Program Guidance (GCPG), the first of a series of compliance guidelines expected from the OIG, providing guidance, tools, and references addressed to federal healthcare program providers and suppliers. OIG makes clear that risk managers are an integral part of the effort.
This guidance and future releases will replace the existing 1998 Compliance Program Guidance for Hospitals. (The GCPG is available online at: https://oig.hhs.gov/documents/....)
The guidance includes discussions of the key laws in healthcare fraud enforcement and helpful references and resources for compliance professionals. Information that was scattered through past guidance and resources is available in a more focused and accessible one-stop format, says Judith A. Waltz, JD, partner with Foley & Lardner in San Francisco.
There is not that much that is completely new in the guidance, at least for someone who has been reading the OIG tea leaves for years, Waltz says. But the new guidance is useful in that it compiles so much important information in a readily accessible format.
“They put it in a really nice desk reference so that you can find information in one place and not have to go on their website, search around, and remember that it’s there. It’s a very user-friendly document that is 91 pages or so long. It’s very handy to have close by,” Waltz says. “The biggest difference is that they’re making clear again that they are hoping to get away from a kind of check-the-box approach where you have those seven elements you go through to something that’s more focused on actual risks that have been identified.”
OIG also is switching a lot of responsibility from compliance officers to compliance committees, Waltz says. OIG is recommending that the compliance committee perform a risk assessment every year, she says.
In the old compliance guidance, OIG listed several issues they saw as high risk. Waltz says that is a good place to start with assessing compliance. That should identify any specific weak points in the organization, and those are things that will need further attention.
Waltz recently negotiated a Corporate Integrity Agreement (CIA) with OIG. According to the agreement, if the healthcare organization did well with auditing of identified problem areas, OIG then wanted it to conduct a risk assessment. Then, OIG would figure out where to look specifically. Waltz and her client pushed back because the required risk assessment seemed so undefined, leaving them not knowing what they would be measured against.
“OIG was saying they don’t want people wasting time on auditing the same problem if it’s already been addressed and performance is good. They want this to be a fluid process where you identify your risks and figure out how you’re doing on those, and then move on to your next set of risks,” Waltz says. “It’s not brand new in the OIG world, but I think it’s a real shift in terms of the expectations for compliance plans that they be fluid and they be personalized. One compliance plan is not going to fit everybody.”
Must Be Proactive
The GCPG makes clear that OIG wants healthcare organizations to be proactive about compliance, says Natasha Sumner, JD, senior counsel with Husch Blackwell in Oakland, CA. OIG also wants a compliance program to evolve and keep up with the growth of the entity.
“They want to see that as you grow, your compliance program is maturing. Even your big risk last year is still a risk. Are there other risks that you now need to incorporate into your compliance program?” Sumner asks. “I think the OIG wants to stress that compliance isn’t stagnant. Even if the regulations don’t necessarily change — your program might need to evolve to keep pace.”
In the past, there was a more reactive approach to compliance, but the guidance speaks to the value of incentivizing employees to comply with the policies and procedures.
“That’s kind of new. I think this goes with that enterprise risk management focus. It’s really like a top-down cultural approach to compliance,” Sumner says. “Employees wonder how they can comply with whatever policies and procedures the company has in place, and having incentives is a really important piece of that.”
Risk Managers Crucial
The GCPG specifically mentions risk managers, who might want to increase their participation in some of the evaluation of compliance risks, says Josi Wergin, JD, FASHRM, an attorney with Husch Blackwell in Madison, WI. OIG expects sophisticated compliance programs to be more integrated, holistic, proactive, and suffused throughout the culture.
Some of the instances where the GCPG mentions risk managers indicate that they might be involved in coordinating work and sharing information with the compliance officer and other leaders, serving on the compliance committee, conducting joint risk assessments with the compliance, audit, and quality functions, and breaking down silos.
“There is an increased emphasis on formal risk assessments, and it specifically mentions enterprise risk management. It says that although conducting formal risk assessments may be new to many compliance programs, risk assessments are an integral part of the fiscal internal control process and to enterprise risk management,” Wergin explains.
The guidance points to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) enterprise risk management framework. Another specific COSO resource explains how to apply an enterprise risk management framework to compliance risk.
This all points to more involvement in these key compliance activities by the risk manager, Wergin says. OIG has told healthcare organizations that risk managers play a key role in any compliance program.
“You may already be involved in your compliance program at your organization, but your value to your organization has just increased,” Wergin notes. “It’s a good opportunity for them to point to this report and say, ‘Hey, we really can help — not just with medical malpractice.’ That’s sort of been our traditional area of expertise, but really, risk managers have been doing more than just medical malpractice and board complaints and insurance for a very long time,” Wergin says. “This is important, especially for organizations that haven’t really recognized risk managers as having sort of this broader impact. This is a good opportunity to say, ‘This very important government organization is saying that we are valuable, that the enterprise risk management approach is valuable.’”
Sumner notes that healthcare organizations often ask if their general counsel also can act as their compliance officer, and there is no clear legal mandate saying they cannot. But the language in the GCPG says that those should be two separate roles held by different people.
Wergin notes that there is a new emphasis on patient safety in the new OIG guidance, looking for more integration among patient safety, quality, and compliance.
“It’s not just whether you are looking at possible materially substandard care in relation to fraud and abuse violations. The compliance program guidance certainly is concerned with fraud and abuse, but it’s also looking at medical necessity, HIPAA, information blocking, and EMTALA,” Wergin says. “Look at your patient safety data not only for the sake of patient safety, but also to see if it raises any of these other compliance concerns or other risks. The enterprise risk management framework is very broad, and we are trying to look at risk from a holistic integrated perspective.”
SOURCES
- Natasha Sumner, JD, Senior Counsel, Husch Blackwell, Oakland, CA. Phone: (510) 768-0637.
- Judith A. Waltz, JD, Partner, Foley & Lardner, San Francisco. Phone: (415) 438-6412.
- Josi Wergin, JD, FASHRM, Husch Blackwell, Madison, WI. Phone: (608) 258-7132.