Medicare Compliance & Reimbursement

Find out which innovative approaches can boost compliance across your organization.

CJ Wolf, MD, M.Ed., CPC, COC, CHC, CHPC, CHRC, CIA, described the new voluntary compliance guidance released by the Office of Inspector General (OIG) during his presentation “Understanding the New OIG Compliance Program Guidance” at AAPC’s HEALTHCON Regional 2024.

Even if you’re already familiar with the seven elements of an effective compliance program, Wolf’s explanations of each aspect can take your organization’s compliance to the next level. Check RCI next month for the remaining four elements.

“This guidance is all voluntary, but they’re what the government is going to use if you get into trouble,” Wolf said. If your organization is found to be noncompliant and enforcement action(s) are brought against you, like having to sign a corporate integrity agreement (CIA), then your organization will have to follow this guidance:

1. Code of conduct and policy library: Workplace culture helps determine a lot of aspects of an organization, and a code of conduct that comes from leadership — not a compliance officer — can help set the tone for expected behavior for everyone. Executive-level commitment to compliance can help everyone to prevent, detect, and correct noncompliance, Wolf said. A code of conduct can also be a sort of safety measure for an organization. If an organization is found to be noncompliant, a demonstrated record of commitment to compliance across the organization can allow enforcement actions to focus on individual bad actors.

Plus, people usually want to comply. However, there are innumerable rules, regulations, policies, and procedures any healthcare employee needs to be familiar with and abide by — probably too many to remember. Organizations with policy libraries may keep such information accessible to employees on an internal internet site or in some other electronic manner. While some organizations may have a physical receptacle for their policies and procedures, it isn’t realistic that an organization with 1,000 employees is going to be well-served by a single binder in the human resources department. Another helpful possibility for organizations using or considering electronic libraries: the ability to track which policies employees are looking up, and maybe planning education around certain rules, regulations, or requirements if the numbers suggest a lot of people are seeking more information.

2. Chief compliance office stature: U.S. Department of Justice (DOJ) guidance released in September 2024 recommends that chief compliance officers (CCOs) should have sufficient stature within the entity to interact as an equal of other senior leaders, reporting either to the chief executive officer (CEO) — with “direct and independent access to the board” — or to the board directly.

They should also have a similar stature, within an organization, to executives. “I’ve seen some organizations where the receptionist is also the chief compliance officer. They just wanted to check a box. Nothing wrong with receptionists, but that might not meet the stature of what’s expected here, right? They should be comfortable rubbing shoulders with the C-suite in some form or fashion,” Wolf said.

It’s also important to remember that the CCO should be independent, or at least not leading or reporting to the legal department or the chief financial officer (CFO), because those organizational structures could cause potential conflicts of interest. The CCO shouldn’t provide the organization with any legal or financial advice, nor supervise anyone who does, Wolf said. He noted that a lot of people who work in compliance may have a background in law or be licensed in a certain state, and it’s acceptable for a licensed attorney to be a CCO, but they shouldn’t provide legal advice to the organization.

3. Compliance committee: Compliance committees might not always be necessary, Wolf said, depending on the size of the organization. But having a committee, rather than a single CCO, provides some strength in numbers, so the CCO doesn’t have to go into any potentially uncomfortable fights alone.

Depending on the organization, a compliance committee might include human resources, vice president(s), any managers responsible for overseeing others, legal departments, operations (because those are the people who need to take the compliance information available and put it into action), revenue, patient safety and quality, or the C-suite executives. Having multiple levels or specialty-focused committees or subcommittees might make sense, like an executive-level compliance committee or clinical research compliance or HIPAA compliance subcommittees or billing compliance subcommittees.

Getting a compliance committee up and running is one thing, but making sure it’s actually substantive is the ultimate goal, so the existence of the committee is not just checking a box. A compliance committee that is working is “having real discussions, active engagement by committee members, and demonstrations of authority and autonomy,” Wolf said.

Establishing and following a committee-specific charter can help lay the groundwork for an effective compliance committee. “I recommend a charter that says, ‘Look, the compliance committee can look at any data, they can look at any records in the organization. They can engage with outside counsel themselves — they don’t have to get approval from the board,’” Wolf said. He also recommended that a charter include language on accountability and follow-through of committee determinations, and a plan to run risk assessments and then develop robust and detailed work plans establishing priorities after seeing assessment results.

The DOJ guidance document says that the department would rather have an organization focused on its own priority risks, even if it means noncompliance in a lower priority risk, Wolf noted.

Remember to look here next month for more information on the remaining four elements.

Rachel Dorrell, MA, MS, CPC-A, CPPM, Development Editor, AAPC