Deeper Than the Headlines: A CIA's "Ownership" Requirement

This week, let’s dive deeper into the requirements of a recent corporate integrity agreement and what your organization can learn from it.

A few weeks ago, we posted a link about a $2.4 million settlement involving a radiology practice. Though the hefty settlement may have been painful, the burden didn’t end when they wrote the check. The practice agreed to a five-year corporate integrity agreement (CIA) with the OIG. It’s one of the most recently available CIAs on the OIG website. You can read the CIA here.

Though CIAs are only binding on the organization that has entered the agreement, all compliance programs can learn a lot from publicly available CIAs. The HHS Inspector General (Daniel Levinson) stated, “There are many CIAs with settling companies that will provide incredible detail to you on how to craft the best possible compliance program for your own enterprise.”

The Three Parts of an "Ownership" Requirement

With that said, let’s take a deeper look at the radiology practice’s CIA over the next few weeks, in a series of blog posts, and see if your organization’s current compliance program could stand up against some of the requirements.

This week, let’s examine the first requirement: Having a compliance officer, committee and management certifications. I like to call these the “ownership” requirements, because they help others feel ownership for the compliance program.

The Compliance Officer Requirement

It may seem obvious, but let’s check this anyway. Has your organization named a chief compliance officer (CCO)? In this CIA, the OIG required the CCO to be “an employee and a member of senior management.” Though there are times when it may be appropriate to outsource some compliance activities, there always need to be eyes and ears within the organization. An organization cannot just make the compliance burden go away by hiring it out. The organization must own it, and though there is flexibility in the approach, ownership has to be acknowledged and felt. The CCO should also be a senior-level position with authority to act.

The CCO also “shall report directly to the Chief Executive Officer… and shall not be or be subordinate to the General Counsel or Chief Financial Officer or have any responsibilities that involve acting in any capacity as legal counsel or supervising legal counsel functions.” The CCO needs independence, and reporting structure within the organization matters. Are there conflicts with how and to whom your current compliance officer reports within the organization? Do they have the necessary independence to function appropriately?

Does the compliance officer have the time to devote to compliance activities? Though it is appropriate for the compliance officer to wear different hats (especially in smaller organizations with fewer resources), the compliance officer title shouldn’t just be “window dressing” placed on an employee with multiple other titles. This CIA states, “Any noncompliance job responsibilities of the Compliance Officer shall be limited and must not interfere with the Compliance Officer’s ability to perform the duties outlined in this CIA.”

The Compliance Committee Requirement

Your organization should also have a Compliance Committee. Many organizations think that if they hire a CCO, he or she can “take care” of compliance for the organization. The CCO runs the day-to-day operations of the compliance program, but the compliance program still belongs to, and is owned by, the organization. Every person in the organization is the compliance program. Having a committee of executive owners can help all members of the organization feel that ownership. This CIA stated, the “Compliance Committee shall, at a minimum, include the Compliance Officer and other members of senior management necessary to meet the requirements of this CIA (e.g., senior executives of relevant departments, such as billing, clinical, human resources, audit, and operations). The Compliance Officer shall chair the Compliance Committee and the Committee shall support the Compliance Officer in fulfilling his/her responsibilities (e.g., shall assist in the analysis of…risk areas and shall oversee monitoring of internal and external audits and investigations).”

Additionally, the committee should be meaningful, and again, not just “window dressing.” It should meet regularly and maintain documentation. In the words of the CIA, “The Compliance Committee shall meet at least quarterly. The minutes of the Compliance Committee meetings shall be made available to OIG upon request.”

The Management Certifications Requirement

As previously stated, the CCO is responsible for running the day-to-day activities of the compliance program, but the organization as a whole is responsible for making sure compliance is a part of the culture. Management certifications are one way to help with this. A process should be developed that gives key leadership within the organization the opportunity to reflect and either certify compliance or correct non-compliance. The CIA required certain leaders within the organization “to monitor and oversee activities within their areas of authority and shall annually certify that the applicable department is in compliance with applicable Federal health care program requirements.”

The individuals who certify or attest may vary at your organization, but at the radiology practice that agreed to the CIA, they included the following individuals at a minimum:

  • Chief Executive Officer
  • Chief Operating Officer
  • Chief Financial Officer
  • Vice President of Billing
  • Vice President of Operations
  • All other members of senior management and the leaders of all business units, divisions or departments with operations that relate to the Federal healthcare programs.

Your organization may develop its own language, but the CIA provided the certification statement these individuals were to attest to, or else explain why they could not attest to the language:

“I have been trained on and understand the compliance requirements and responsibilities as they relate to [insert name of department], an area under my supervision. My job responsibilities include ensuring compliance with regard to the [insert name of department] with all applicable Federal health care program requirements, obligations of the Corporate Integrity Agreement, and [insert name of organization] policies, and I have taken steps to promote such compliance. To the best of my knowledge, the [insert name of department] is in compliance with all applicable Federal health care program requirements and the obligations of the Corporate Integrity Agreement. I understand that this certification is being provided to and relied upon by the United States.”

Summary

In summary, (1) naming a compliance officer, (2) establishing a compliance committee and (3) requiring some sort of leadership certification can all help the organization feel responsibility and ownership for the compliance program.

Next week we will look at some of the CIA requirements surrounding written standards and policies, training and education and auditing and monitoring.
