Deeper Than the Headlines: Can a Compliance Officer be Part-Time Only?

One of the seven elements of an effective compliance program is establishing a compliance officer. But many smaller organizations or physician practices simply don’t have the financial resources to employ a full-time compliance officer. Is a full-time compliance officer required? Simply put, the answer is “no.” But if your organization or physician practice is not going to employ a full-time compliance officer, what are your options? How can you still follow best practices?

Speaking in the context of physician practices, the OIG has said, “In a formalized institutional compliance program there is a compliance officer who is responsible for overseeing the implementation and day-to-day operations of the compliance program. However, the resource constraints of physician practices make it so that it is often impossible to designate one person to be in charge of compliance functions. It is acceptable for a physician practice to designate more than one employee with compliance monitoring responsibility. In lieu of having a designated compliance officer, the physician practice could instead describe in its standards and procedures the compliance functions for which designated employees, known as ‘compliance contacts,’ would be responsible.”

In practical terms, this might mean one employee is designated as the HIPAA Privacy and Security compliance contact while a different employee might be the billing and coding compliance contact. However, as a word of caution, just because the practice can’t employ a full-time compliance officer doesn’t mean certain risk areas should be ignored. Rather, every risk that one full-time compliance officer would oversee could be assigned out to different individuals, but every risk should still be covered.

One potential problem with assigning compliance duties to employees who have other duties is keeping those employees up-to-date on the latest compliance best practices. It might be analogous to hiring yourself to do your own dental work: you don’t have the expertise or skills to do so, even though you’d like to save a buck and not go to the dentist. If there are concerns about employees having the expertise to effectively handle some pretty complicated compliance regulations, another possible solution is to outsource some of the compliance work.

In this regard, the OIG has said this:

“Another possibility is that one individual could serve as compliance officer for more than one entity. In situations where staffing limitations mandate that the practice cannot afford to designate a person(s) to oversee compliance activities, the practice could outsource all or part of the functions of a compliance officer to a third party, such as a consultant, PPMC, MSO, IPA or third-party billing company.”

However, if you choose this option, it’s important to recognize you can’t just outsource the compliance risk. The risk remains with the practice or organization. In order for the outsourcing of compliance to be effective, the organization still needs someone within the organization to see to it that the advice and recommendations made by the outsourced compliance expert are implemented.

To emphasize this caution, the OIG has stated, “However, if this role is outsourced, it is beneficial for the compliance officer to have sufficient interaction with the physician practice to be able to effectively understand the inner workings of the practice. For example, consultants that are not in close geographic proximity to a practice may not be effective compliance officers for the practice. One suggestion for how to maintain continual interaction is for the practice to designate someone to serve as a liaison with the outsourced compliance officer. This would help ensure a strong tie between the compliance officer and the practice’s daily operations. Outsourced compliance officers, who spend most of their time off site, have certain limitations that a physician practice should consider before making such a critical decision. These limitations can include lack of understanding as to the inner workings of the practice, accessibility and possible conflicts of interest when one compliance officer is serving several practices.”

Irrespective of the approach a small organization or practice takes to establish a compliance program, there are certain activities that need to be performed. The OIG suggests some of these include:

  • Overseeing and monitoring the implementation of the compliance program;
  • Establishing methods, such as periodic audits, to improve the practice’s efficiency and quality of services, and to reduce the practice’s vulnerability to fraud and abuse;
  • Periodically revising the compliance program in light of changes in the needs of the practice or changes in the law and in the standards and procedures of Government and private payor health plans;
  • Developing, coordinating and participating in a training program that focuses on the components of the compliance program, and seeks to ensure that training materials are appropriate;
  • Ensuring that the HHS–OIG’s List of Excluded Individuals and Entities, and the General Services Administration’s (GSA’s) List of Parties Debarred from Federal Programs have been checked with respect to all employees, medical staff and independent contractors; and
  • Investigating any report or allegation concerning possible unethical or improper business practices, and monitoring subsequent corrective action and/or compliance.

Each physician practice needs to assess its own practice situation and determine what best suits that practice in terms of compliance oversight. If you need help in this regard, contact Healthicity as we do this for clients on a regular basis.
