Strengthen Your Compliance Program with Effective Disciplinary Actions

The U.S. Health and Human Services Office of Inspector General (HHS OIG) has written, “For a compliance program to be effective, the organization should establish appropriate consequences for instances of noncompliance, as well as incentives for compliance.”[1]

Sometimes, this means individuals must be disciplined for action, or inaction, which resulted in non-compliance with the organization’s policies and procedures and/or with laws and regulations. The intent of disciplinary action should be correction of behavior to prevent future non-compliance.


Before disciplinary action can be taken, the standards to which an individual is held must be known to that individual, or the individual must have had a responsibility to know them. Compliance programs accomplish this in many ways. Two are discussed below.

First, the organization should establish policies and procedures that define what is and is not acceptable behavior. For example, the institution likely has policies to help individuals comply with HIPAA, coding and reimbursement rules, and financial relationships between providers and referral sources. The policies should not only outline how to comply but should clearly explain the consequences of non-compliance, which should include the appropriate level of disciplinary action. In some cases, written policies will be more detailed and granular while in other cases, what is written may describe more general standards and principles. A code of conduct might describe expectations of honesty and integrity rather than try to list all possible ways somebody could be dishonest. In contrast, a billing policy specific to a unique coding and reimbursement issue might include detailed criteria required to maintain compliance. These might include the codes one can use, the medical record documentation requirements, and reconciliation with a third-party payor’s policy. In all these scenarios, disciplinary action should be described for non-compliant behavior. 

Second, compliance programs should have an effective education, training, and communication plan. This plan outlines the materials and approaches used to inform individuals about specific risks and compliance topics. These training materials should also include references to disciplinary action. As appropriate, compliance communications can include explanations of disciplinary action taken.  

For example, if a training module about HIPAA is shared, cumulative data about observed non-compliance and the resulting disciplinary action taken might be shared. This may look like, “‘X’ number of instances of inappropriate access to a patient’s medical record occurred during the last year. It was the first offense for ‘Y’ number of individuals and no harm was done to patient or institution, so they were required to do ‘Z.’ It was the second or more offense for ‘A’ number of individuals. No patient or institutional harm occurred, and all these individuals were disciplined by ‘B.’ In some instances, ‘C’ number of employees were terminated as patient or institutional harm occurred.”

When evaluating the effectiveness of a compliance program, the U.S. Department of Justice (US DOJ) suggests prosecutors ask the following questions about this principle: 

  • What has senior management done to let employees know the company’s position concerning misconduct?  
  • What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?[2]

By way of example, prosecutors may consider whether a company has publicized disciplinary actions internally, where appropriate and possible, which can have valuable deterrent effects.[3]

Escalating Discipline 

As outlined in the HIPAA example above, it may be appropriate to establish escalating levels of discipline and describe them in policies and procedures. If an occurrence of non-compliance was the first time an individual did not comply, was not significant, and did not result in serious consequences, remedial action such as further education and training might be all that is needed.

On the other hand, if the instance is a repeat of prior non-compliance, is serious, intentional, and significant, the individual might need to be severely disciplined. Additional levels of discipline in between these two examples might also be appropriate to establish. 

Other types of discipline might include reduced bonuses or compensation. The US DOJ suggests the following questions be asked: 

  • What disciplinary actions did the company take in response to the misconduct and were they timely?  
  • Were managers held accountable for misconduct that occurred under their supervision?  
  • Did the company consider disciplinary actions for failures in supervision? 
  • What is the company’s record (e.g., number and types of disciplinary actions) on employee discipline relating to the types of conduct at issue? 
  • Has the company ever terminated or otherwise disciplined anyone (reduced or eliminated bonuses, issued a warning letter, etc.) for the type of misconduct at issue?  
  • Did the company take any actions to recoup or reduce compensation for responsible employees to the extent practicable and available under applicable law?[4]

Fair and Equitable 

Discipline should be applied in a fair and equitable manner. HHS OIG writes, “The entity should include in its guidance and compliance communications its commitment to take disciplinary action or impose other, remedial consequences on a fair and equitable basis.”[5]

Managers should understand they have a responsibility to impose consequences for noncompliant behavior in an appropriate and consistent manner. The discipline should be consistently applied and enforced. Individuals should be disciplined in a similar way regardless of their employment level. Executive management and those charged with care for patients should also be disciplined when appropriate. “OIG believes that corporate officers, managers, supervisors, health care professionals, and medical staff should be held accountable for failing to comply with, or for the foreseeable failure of their subordinates to adhere to, the applicable standards, laws, policies, and procedures.”[6]

The US DOJ also emphasizes the importance of consistency in disciplinary action. Again, they encourage prosecutors to ask:

  • Have disciplinary actions and incentives been fairly and consistently applied across the organization?  
  • Does the compliance function monitor its investigations and resulting discipline to ensure consistency?  
  • Are there similar instances of misconduct that were treated disparately, and if so, why?  
  • What metrics does the company apply to ensure consistency of disciplinary measures across all geographies, operating units, and levels of the organization?[7]


Discipline may not be a compliance officer’s favorite activity. It can be hard. Prevention of non-compliance is always preferred. However, there are times when discipline is necessary. Making sure the disciplinary consequences were clearly outlined in policy and procedure is the first step. Establishing escalating levels of discipline is a way to demonstrate the differences between intentional and unintentional noncompliance, or first-time vs. repeat offenses. Lastly, discipline needs to be applied in a fair, consistent, and equitable manner.


[1] Pg. 53, HHS OIG General Compliance Program Guidance, November 2023.  

[2] Pg. 5, U.S. Department of Justice Evaluation of Corporate Compliance Programs (Updated March 2023).

[3] Pg. 12, U.S. Department of Justice Evaluation of Corporate Compliance Programs (Updated March 2023). 

[4] Pg. 20, U.S. Department of Justice Evaluation of Corporate Compliance Programs (Updated March 2023). 

[5] Pg. 53, HHS OIG General Compliance Program Guidance, November 2023.  

[6] Pg. 53, HHS OIG General Compliance Program Guidance, November 2023. 

[7] Pg. 14, U.S. Department of Justice Evaluation of Corporate Compliance Programs (Updated March 2023). 

