Health care general counsel should review, and brief their internal clients on, the new Practical Guidance for Health Care Governing Boards on Compliance Oversight (Guidance), released on April 20, 2015. A joint effort by the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS), the Association of Healthcare Internal Auditors, the American Health Lawyers Association (AHLA) and the Health Care Compliance Association, the Guidance is an updated and condensed version of the three separate board compliance guidance resources published by the AHLA and HHS/OIG between 2003 and 2007. As such, the Guidance is a useful and timely resource for both the general counsel and the board. It should not be considered, nor is it intended to be, however, a comprehensive review of the complex issues associated with the health care board’s exercise of its compliance oversight obligations under the Caremark decision.
The Guidance addresses such important compliance program considerations as (1) the definition of the interrelationship between, and the roles of, the organization’s audit, compliance and legal functions; (2) mechanisms for effective and appropriate reporting of compliance issues within an organization; (3) methods for identifying regulatory risks; and (4) means of encouraging accountability for achievement of compliance goals and objectives throughout the organization. The Guidance also reflects OIG’s historical position that an organization’s legal and compliance functions should be separate and independent, yet recognizes the need to balance attorney-client privilege considerations in the coordination of those relationships.
Several aspects of the Guidance are particularly useful to the general counsel. For example, the Guidance underscores the important role that the internal auditor plays in the overall compliance effort. It also makes the very important point that the compliance program should be “right sized” for the organization; boards of organizations that have grown rapidly through merger or consolidation must constantly confirm that the compliance program meets the needs of the growing organization. There is a very useful emphasis on the board’s use of expert advice in order to stay abreast of current developments in the area. (This should be balanced, however, with attentiveness to the reasonableness of such reliance in individual circumstances.) In addition, the Guidance’s articulation of roles and relationships offers some clarity, at a time when the distinctions between the roles of the key participants in the compliance program are increasingly becoming blurred (e.g., on such key matters as advising the board on governance, leading internal investigations, assessing risk and developing risk assessment strategies, and providing advice on organizational ethics).
Because the Guidance understandably speaks to a broad array of health care providers (large and small), it is limited in its ability to focus on the more complex and challenging issues concerning board oversight. For that reason, the health care general counsel should note the following:
The board has a particular responsibility to ensure the most effective coordination between the various internal functions associated with corporate compliance, including legal, compliance, internal audit and human resources. The board must be attentive to the risk of dissonance or disharmony between these functions, and to the need for structures and procedures for minimizing that risk. It must also balance the need for a coordinated board reporting protocol with the individual abilities of the compliance officer and general counsel to access the board and compliance committee as need may require.
There is a need to ensure proper and reasonable “job descriptions” for the roles of compliance officer and general counsel, to prevent role confusion or interference between the two positions (and the Guidance provides some support for that task).
The OIG’s position in the Guidance on compliance officer independence from the general counsel is essentially the same view the agency has taken for the last 12 years. However, there is no law or regulation that prohibits a compliance-officer-to-general-counsel reporting relationship. Indeed, the Guidance makes it very clear that there is no “one size fits all” approach to compliance programs and protocols. That notwithstanding, organizational leadership should certainly be briefed on the OIG’s position, especially when the reporting relationship between the organization’s chief compliance officer (CCO) and general counsel differs from that preferred by the OIG.
The board has an obligation to establish a detailed, timely and effective reporting mechanism by which “line management” is required to report in a timely manner and in the proper context the compliance and other risk developments that “keep them awake at night” (i.e., a reporting relationship that goes beyond management reporting to the CCO and the general counsel, and that delivers the information to the board in a context it can understand and in a timeframe that allows it to act).
There is a clear need to ensure that board members with direct responsibility for compliance oversight (e.g., the members of the compliance, or audit and compliance committees) possess the proper qualifications and independence to exercise such oversight.
Where compliance oversight responsibility is subsumed within a board committee with dual responsibilities (e.g., the “Audit & Compliance Committee”), sufficient time must be allocated on the committee agenda for attention to purely compliance matters.
There is also an important need for extra diligence to be exercised by board and committee members (apart from the compliance committee function) in applying a proper level of constructive scrutiny and informed decision-making to business transactions with significant potential compliance risk.
The Guidance does not address in significant detail the board’s obligation to monitor the important connection between compliance and quality of care. However, this was the specific focus of the 2007 AHLA/OIG Compliance Resource whitepaper.
The OIG is not the only constituency concerned with the exercise of a board’s Caremark obligations; the U.S. Department of Justice (DOJ), state attorneys general and, in financial distress situations, the Committee of Unsecured Creditors, all have an interest in the extent to which the board has capably addressed matters of compliance oversight.
While the Guidance acknowledges the need to balance attorney-client privilege concerns with the desired independence of the compliance officer from the general counsel, the board should be aware that compliance investigations conducted by the compliance officer without any involvement of the general counsel (or outside counsel) are not protected by the attorney-client privilege. The board should consider whether it would be appropriate in certain situations for the compliance officer to conduct such investigations at the direction of the general counsel, or under the supervision of outside counsel, in order to preserve the privilege.
Leadership should be made aware of pending guidance from DOJ that reportedly will set forth with clarity DOJ’s expectations in terms of “corporate cooperation” in the context of investigations—e.g., how organizations may gain “cooperation credit” for exposing the malfeasance of their own employees. This forthcoming guidance will most certainly require the attention of the board and its audit committee, as well as increased coordination between the general counsel, the compliance officer and the internal auditor.
The Guidance hints at the interest of some constituencies in requiring that board/committee members be “certified” on compliance oversight, and in the use of compensation “clawbacks” or similar means to incentivize compliant behavior by corporate officers.
The publication of the Guidance provides an excellent opportunity for the board to familiarize itself with important new trends in public policy recognizing an expanding organizational role for the general counsel not only as technical legal expert, but also as a “wise counselor” with respect to organizational ethics and reputation, and as a valued business advisor (with attendant attorney-client privilege awareness). This is a very important consideration that is not discussed in the Guidance.
The publication of the Guidance should also prompt a discussion at the audit/compliance committee level about the “reporting up/reporting out” professional responsibility obligations of the general counsel, particularly in light of highly controversial current state court litigation concerning the proper scope of these obligations.
The Guidance reflects a commendable effort by the participating organizations. OIG’s ongoing interest in providing compliance guidance resources to the health care industry is particularly appreciated.
While the Guidance doesn’t break new ground, it serves as a valuable reminder of the board’s critical compliance oversight obligation. The Guidance also provides a useful opportunity for the health care general counsel to review with the board the effectiveness of its approach to compliance oversight.