Creating a Corporate Compliance Program

May-June 1998

BY: JAMES F. GUNN, EVAN R. GOLDFARB, and J. STUART SHOWALTER

Catholic healthcare organizations are committed to fulfilling their mission of providing high-quality service with honesty and integrity. By adopting and implementing an effective corporate compliance program, a Catholic healthcare organization can reinforce this commitment and maximize the organization's protection from criminal and civil liability.

This article defines "corporate compliance program," identifies the seven elements of an effective program, and summarizes the steps an organization must take to implement a corporate compliance program.

What Is a Corporate Compliance Program?
A corporate compliance program is a systematic effort to prevent, detect, and report violations of law throughout the organization. Compliance programs are designed to ensure that the organization's employees and agents conduct themselves in conformance with all applicable legal requirements.

Because ethical behavior is a core component of a Catholic organization's mission, adopting a compliance program should not necessitate significant changes in the behavior of its employees and agents. For many Catholic organizations, implementation of a compliance program involves centralizing already-existing efforts throughout the organization. However, the organization will need to adopt an administrative policy and a code of conduct and ensure that its detailed policies and procedures are adequate.

The administrative policy institutes the program's structural aspects (e.g., allocates responsibility for program oversight, establishes mechanisms for reporting and investigating violations, describes education requirements).

The code of conduct usually includes a general summary of the major legal requirements applicable to the organization and summarizes the obligation of employees and agents to conduct themselves ethically and in accordance with legal requirements applicable to the organization's operations.

The organization's detailed policies and procedures provide specific guidance to employees and agents who are directly responsible for compliance with legal requirements.

Corporate compliance programs are most commonly discussed in the context of Medicare fraud and abuse. But a truly effective program will assure compliance in all areas that represent significant legal exposure for the organization (e.g., antitrust, employment, environmental, fraud and abuse, intellectual property, occupational safety and health, patient protection, and tax).

Rise of Corporate Compliance Programs
In 1991 the U.S. Sentencing Commission — an agency established to promote greater consistency in federal criminal punishments — adopted the Federal Sentencing Guidelines, which deal with sentencing organizations that have been convicted of crimes such as fraud or racketeering.[1] This development went largely unnoticed in healthcare until the mid-1990s, when the government estimated that Medicare overpaid healthcare providers by more than $23 billion in 1996 and began an all-out effort to reduce fraud in healthcare.[2] This effort includes extensive audits of billing practices, aggressive criminal and civil prosecutions, and exclusions of offenders from the Medicare and Medicaid programs. Recent legislation passed by Congress has increased the government's ability to conduct this "war" on healthcare fraud.[3]

The U.S. Department of Justice's (DOJ's) 1997 "Health Care Fraud Report" reflects the government's commitment to enforcement in this area:

  • FBI investigations in healthcare increased by more than 300 percent between 1992 and 1996.
  • Convictions for healthcare fraud increased from 90 in 1992 to 307 in 1996.
  • Civil healthcare fraud investigations increased from 270 in 1992 to 2,488 in 1996.[4]

The government also announced that the U.S. Department of Health and Human Services, the FBI, and the DOJ have targeted more than 75 percent of the nation's hospitals for Medicare fraud and abuse investigations. As a result of these efforts, the government has entered into settlement agreements with several major healthcare providers, including a $161 million settlement with Caremark, Inc., and a $379 million settlement with National Medical Enterprises, Inc.[5]

Coinciding with the government's increased enforcement activities has been a dramatic increase in the number of qui tam, or "whistle blower," lawsuits filed against healthcare organizations for Medicare and Medicaid false claims.[6] Given these developments in government and private enforcement, many healthcare organizations have begun to police themselves to prevent fraud and other types of civil and criminal violations.

Importance of Compliance Programs
It is important for Catholic organizations to implement corporate compliance programs. Their mission demands it. These programs help reduce civil and criminal violations within the organization, reducing the amount of litigation filed against the organization.

If a violation of law does occur, the organization with an effective compliance program is in a better position to respond to a government investigation and benefits from criminal monetary penalty reductions of up to 95 percent. Without an effective program, a convicted organization faces much stiffer penalties and possibly a court-imposed compliance program with standards more severe than those established under the Federal Sentencing Guidelines.

Finally, it has become clear that the government expects hospitals to adopt corporate compliance programs. In February the federal government released "The Office of Inspector General's Program Guidance for Hospitals" ("OIG Hospital Model").[7] Although the "OIG Hospital Model" states that the document is designed to promote "voluntarily developed" compliance programs, it contains more than 30 pages of detailed information concerning what the government expects in a hospital's program. The government's issuance of this document is a strong indication that failure to adopt a compliance program can have serious negative consequences for a hospital.

Seven Elements of a Compliance Program
The Federal Sentencing Guidelines identify seven elements of an effective corporate compliance program:

  1. The organization's compliance standards are reasonably capable of reducing the prospect of criminal and civil violations. The first step in satisfying this element is to conduct a comprehensive risk assessment, or legal audit, of the organization's operations. The risk assessment identifies the major legal requirements applicable to the organization, determines whether detailed policies and procedures exist that maximize compliance with these legal requirements, and identifies areas of vulnerability that require further investigation and improvement. It may not be necessary to conduct a retrospective examination (along the lines of a financial audit) of all the organization's records and practices. Rather, a "concurrent" review that focuses on the adequacy of the organization's policies (i.e., determining whether satisfactory policies have been adopted and, if so, testing whether such policies are carried out in practice) should allow for development and implementation of an effective program. To maximize protection by the attorney-client privilege, the organization should retain legal counsel to oversee the risk assessment process. Most organizations will need to retain a billing consultant to assist with the billing compliance portion of the risk assessment.
  2. "High-level personnel" oversee the corporate compliance program. The board of directors should designate a "corporate compliance committee" to supervise the program's operation. The organization's board or management staff should designate a corporate compliance officer responsible for monitoring the program's implementation and its day-to-day operation. The corporate compliance officer should have direct access to the organization's board and the chief executive officer. Many healthcare executives are surprised that the "OIG Hospital Model" indicates that there is some risk in delegating corporate compliance responsibilities to an individual who is subordinate to the hospital's general counsel or chief financial officer.
  3. The organization ensures that substantial discretionary authority is not delegated to individuals who the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities. This element requires background screening checks for potential employees who will hold significant discretionary authority. The "OIG Hospital Model" identifies a number of federal databases that should be consulted for this purpose.[8]
  4. The organization communicates effectively its compliance standards to all employees and agents. A critical (and time-consuming) step is the establishment of mandatory educational programs. These sessions assure that employees and agents with whom the organization conducts significant business, including medical staff members, understand the program's components and the legal requirements relevant to their job responsibilities.

    General educational sessions should cover the administrative policy and the code of conduct. Specialized sessions on specific legal requirements (e.g., fraud and abuse, environmental, tax) will need to be conducted for appropriate groups.

    Communication efforts should be handled carefully so that the program is received appropriately. Employees need to understand that managers intend to monitor and enforce the program uniformly. However, the material should be presented in a nonthreatening way that does not negatively affect employee morale or relationships with managers.
  5. The organization takes reasonable steps to establish reporting and monitoring procedures. The organization will need to identify a number of alternative ways for employees, agents, and others to report any suspected misconduct that may violate law or the organization's policies. One or more anonymous methods should be offered so that employees do not fear retaliation.

    The organization also must establish an ongoing monitoring procedure. This need not entail a full-blown risk assessment every year, but requires a process to ensure that the reporting mechanisms, investigative procedures, educational programs, and other components of the program are functioning appropriately.
  6. The organization enforces the standards through consistent disciplinary actions. A violation of the program must be met with appropriate disciplinary responses consistent with the organization's human resources policies and any other applicable organizational policies such as medical staff bylaws, rules, and regulations.
  7. The organization establishes reasonable steps to respond if offenses are detected and to prevent future offenses. The program should establish a process for reporting violations of law to the government (following the advice of legal counsel) and for evaluating whether the organization should modify its existing administrative policy, code of conduct, or detailed policies and procedures to prevent future violations.

Six Steps to Adopt a Compliance Program
To develop a corporate compliance program that satisfies these seven elements, organizations should take the following steps:

  • Adopt a board resolution. The organization's board needs to adopt a resolution to authorize the creation of a corporate compliance program; state the organization's commitment to preventing, detecting, and reporting violations of law; and approve the retention of experienced legal counsel to maximize availability of the attorney-client privilege for the program design process.
  • Designate a corporate compliance committee and officer. As noted, to ensure high-level oversight of the program, it will be necessary to appoint a corporate compliance committee and a corporate compliance officer.
  • Conduct a risk assessment. After the board has identified the corporate compliance committee and officer, the risk assessment should be conducted.
  • Develop an organization-specific program. Using the results of the risk assessment, the organization needs to adopt an administrative policy, develop a code of conduct specific to the organization's operations, and adopt detailed policies and procedures.
  • Conduct educational programs. After the organization has completed the program's written documents, it can begin educational programs for employees and agents.
  • Implement the program. Once the previous steps have been completed, the organization will be ready to put in place all the structural components of the program detailed in the administrative policy (e.g., reporting mechanisms, investigation procedures, monitoring process).

NOTES

  1. United States Sentencing Commission Guidelines for Sentencing of Organizations, 56 Fed. Reg. 22,762, May 16, 1991.
  2. Serb, "Comply Route," Hospitals & Health Networks, September 5, 1997.
  3. Both the Health Insurance Portability and Accountability Act of 1996 (Public Law No. 104-191) and the Balanced Budget Act of 1997 (Public Law No. 105-33) empowered the federal government to expand its healthcare fraud enforcement activity.
  4. "Investigations, Prosecutions Up; Recoveries Top $274 Million, DOJ Says," BNA Health Reporter, August 21, 1997.
  5. "Fraud and Abuse," BNA Medicare Report, August 16, 1996.
  6. Under the False Claims Act, private individuals can file a lawsuit on behalf of the government against a healthcare provider for fraudulent billing practices and the plaintiff is entitled to receive 15 percent to 30 percent of the amount recovered by the government. These lawsuits are known as "whistle blower" or qui tam lawsuits. In the past 10 years, qui tam suits have resulted in recovery of more than $1.80 billion by the government. Healthcare fraud cases accounted for 54 percent of the qui tam suits filed in 1997. (See Taxpayers Against Fraud, False Claims Act Legal Center at www.taf.org/taf.)
  7. This is a "must" document for anyone developing a hospital corporate compliance program and can be obtained at the Department of Health and Human Services' website at www.dhhs.gov/progorg/oig.
  8. The "Cumulative Sanctions Report" is available at www.dhhs.gov/proorg/oig. The General Services Administration monthly listing of debarred contractors is available at www.arnet.gov/epls.

Mr. Gunn and Ms. Goldfarb are partners at The Stolar Partnership law firm, St. Louis. Mr. Showalter, a former Stolar partner, is director of corporate compliance, Orlando Regional Healthcare System, Orlando, FL.

 

Copyright © 1998 by the Catholic Health Association of the United States
For reprint permission, contact Betty Crosby or call (314) 253-3477.

For reprint permission, contact Betty Crosby or call (314) 253-3490.