Breaking Compliance News Blog

Have You Trained Your Board On Compliance This Year?

Posted by Margaret Scavotto, JD, CHC on 4/6/22 8:30 AM


Your Board is responsible for compliance failures. And, board members can be held personally liable for financial losses caused by those compliance failures.

In other words, your Board is ultimately responsible for your compliance program.

Does your Board know this?

Board Responsibility

The OIG has said: “every Board is responsible for ensuring that its organization complies with relevant Federal, State, and local laws.” 

And, the OIG Compliance Program Guidance for Nursing Facilities, Footnote 4, explains that corporate directors can be personally liable for compliance failures: “Recent case law suggests that the failure of a corporate director to attempt in good faith to institute a compliance program in certain situations may be a breach of a director’s fiduciary obligation. See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Ct. Chanc. Del. 1996).”

The Caremark lawsuit established that the Board has:

A duty to attempt in good faith to assure that a corporate information and reporting system,

  • which the Board concludes is adequate, exists,
  • and that failure to do so under some circumstances, may...render a director liable for losses caused by non-compliance with applicable legal standards

Keeping Your Board Informed

The Board has a big job with respect to compliance. This means that on-going board training and education should be on every Compliance Officer’s task list as a standing item. Annual training is not enough and can be accomplished with MPA put together an outline of what this might look like:

Need Help? MPA Can:

  • Train your board by Zoom
  • Provide written education for your board
  • Do you need training topics? Purchase a subscription to MPA’s Compliance Newsletter. Once a month, MPA provides a summary of OIG, DOJ, FBI and OCR enforcement updates as well as recent compliance and HIPAA news stories. You can read a sample report here


Topics: Board Involvement, Training and Education, compliance

HIPAA Lessons from Uber: Don't Sweep Data Breaches Under the Rug

Posted by Margaret Scavotto, JD, CHC on 9/10/20 10:57 AM


In 2016, Uber suffered a data breach affecting the personal information of 57 million drivers and customers. Uber did not announce the breach until November 2017. In August 2020, the United States Department of Justice (DOJ) filed a criminal complaint against Joseph Sullivan, Uber’s Chief Security Officer at the time of the breach. The DOJ has charged Sullivan with obstruction of justice and misprision of a felony for his alleged role in concealing the 2016 breach.


Topics: Board Involvement, HIPAA, data breach, breach notification

Compliance Report Card: How is the Compliance Officer’s relationship with the board doing?

Posted by Margaret Scavotto, JD, CHC on 9/12/18 7:14 AM

In April 2018, the Society of Corporate Compliance and Ethics and the Health Care Compliance Association released a report: The Relationship between the Board of Directors and the Compliance and Ethics Officer. 

This report includes (among others) the following compliance officer survey findings:

  • About half of compliance officers report to the board
  • 46% of compliance officers believe the board “values compliance a great deal”

I don’t know if the boards that receive regular compliance reports are the same boards that value compliance a great deal - that wasn't part of this survey. But it’s a good guess that they are. Do the boards who receive regular compliance reports value compliance more? Maybe. I’ll go out on a limb and opine that it’s highly likely.

How can a board value compliance if it isn’t aware of compliance activity?

How can a board appreciate the role of compliance if it doesn’t hear about compliance successes?

How can a board lead and be responsible for a compliance program if it isn’t informed on compliance?

It can’t.

Is your organization part of the 50% where compliance doesn’t report to the board – or the 50% that does?

If the compliance officer does report to the board, how often? According to the HCCA & SCCE report, 35% of compliance officers report to the board four times a year, and another 29% report five or more times a year. If reporting is new in your organization, quarterly reports will bring you in line with many others in the industry.


Topics: Board Involvement

Nursing Home CEO heads to prison

Posted by Margaret Scavotto, JD, CHC on 8/29/18 6:05 AM


The former CEO of American Senior Communities (ASC) was sentenced to nine and a half years in prison. ASC manages 70 Indiana nursing homes.

The CEO pleaded guilty to conspiracy to commit fraud, conspiracy to violate the anti-kickback statute, and money laundering. A second executive, the former COO, also pleaded guilty and was sentenced to 57 months in prison.

Both sentences involve a $19.4 million fraud and kickback scheme lasting six years. Here is how the scheme worked:

  • The CEO asked vendors to inflate their bills and paid the excess to himself and to other defendants
  • The CEO created shell companies that submitted phony bills to ASC
  • The CEO asked vendors for kickbacks in exchange for ASC's business
  • The CEO took kickbacks in exchange for referring patients to a particular home health or hospice company

As a result of these arrangements, the CEO took home an extra $600,000 a year (on top of his $1,000,000 salary), which enabled him to spend millions on private jets, trips to Vegas, diamonds and gold bars, lakefront property, and political contributions.

In 2015, the CEO asked a vendor to increase its bill by 30% and pay the excess to one of his shell companies. Instead, the vendor went to the authorities.

The DOJ is serious about holding individuals criminally responsible for fraud and kickback schemes. This raises the stakes for individuals running healthcare organizations. When is the last time your executives and board members were trained on compliance? Do they understand kickbacks, and the potential civil and criminal liability attached?


Topics: Board Involvement

Compliance is the new normal.

Posted by Michael Scavotto on 12/5/17 7:03 AM

Just a few years ago, if you had asked me to name the primary functions of the governing body, I would have said there are four:

  1. Quality of Services
  2. Strategy
  3. Finance
  4. Policy

I see these primary functions as equally important. The leadership challenge for the CEO and Board is to keep the organization balanced by not focusing on one function to the detriment of another. To be sure, there is a lot of room regarding what could be included under each function; that, too, presents a leadership challenge and requires balance. We all have a natural tendency to reinforce existing strengths and not develop things that we know will require a lot of work but will ultimately make the organization stronger.

Some people would argue for Oversight as a fifth primary function, but I would counter that no managerial endeavor is really any good without oversight. In other words, you can’t say you are responsible for something and then not confirm that you did it. Whether we review something monthly, quarterly, semi-annually or annually, we need some basis for proving that we did indeed carry out our mission. Better yet, we made changes to become more effective.

The Fifth Function

Today, I would add a fifth primary function: Compliance.


Topics: Board Involvement

Top 4 Reasons You Need a Compliance Dashboard

Posted by Margaret Scavotto, JD, CHC on 7/9/15 7:30 AM

Compliance dashboards convey performance data in a concise, visual format, showing progress over time. This paints a "big picture" for your Compliance Officer, Compliance Committee, and Board/executives. With Compliance Committee minutes, written board reports, live board reports, and a million other compliance tasks to check off the list, some may ask: Why bother?

1. Compliance needs a seat at the table.

Many organizations already use dashboards to convey information to the top and track company performance. Data such as profits and employee retention might be tracked. If compliance is missing, what does that say about the organization's priorities? What message does this send to regulators? To be part of the conversation, compliance needs more than lip service--it needs to be part of the performance data and the big picture of your organization's decision-making process.

2. Your leaders are worried.

A recent poll conducted by Protiviti and North Carolina State University found that the majority of board members and top executives identified their organization's #1 risk as "regulatory change and heightened regulatory scrutiny." Leaders are worried about compliance, and knowledge is power. Dashboards can convey this knowledge very efficiently.

3. Compliance dashboards require us to set goals.

It's impossible to make a compliance dashboard without setting goals. Let's say your dashboard measures the % of employees who completed compliance training in 2015. Anyone reviewing that dashboard is going to ask: What's our goal? 100%? If that goal isn't met, the next question is, obviously: How can we improve? That's the first step to improvement.

4. Everyone needs a big picture.

Dashboards show a big picture over time. This big picture helps us keep our eyes on the prize, rather than running from fire to fire (which is easy to do in the field of compliance!). Compliance dashboards force us to assess our priority metrics, whether these are claims error rates, readmissions rates, unresolved audit findings, or quality indicators. By looking at the "big picture" on a quarterly or monthly basis, we can see if we are meeting our compliance goals - or if underperforming areas are falling through the cracks.


Topics: Board Involvement

OIG Releases New Compliance Guidance for Boards

Posted by Margaret Scavotto, JD, CHC on 4/23/15 2:39 PM

This week, the OIG collaborated with the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA) and the Health Care Compliance Association (HCCA) to issue new guidance for health care directors: Practical Guidance for Health Care Governing Boards on Compliance Oversight.

This publication is the ninth compliance resource the OIG has published specifically for health care boards of directors, and focuses on structure, communication and accountability. This new guidance addresses:

  • Using Corporate Integrity Agreements to design compliance programs
  • Expectations of complex vs. small organizations
  • Steps boards can take to stay informed of compliance activity and issues
  • Including someone with compliance expertise on the board
  • Roles of and interplay between compliance, legal, audit, HR and quality improvement
  • Use of executive sessions to increase communication
  • Strategies for identifying and auditing compliance risks
  • Emerging risks, such as quality and new forms of reimbursement
  • Employee accountability

This new guidance can help Compliance Officers work with their boards to make sure the communication, education and oversight in place are contributing to a culture of compliance.


Topics: Board Involvement
