Previously published in Corporate Compliance Insights.

For companies operating in the healthcare industry today, it is not a question of if, but when, they will face a government inquiry. Complex regulations, the rising costs of healthcare programs as part of the federal budget and ever-increasing enforcement resources have combined to increase the number of healthcare investigations and enforcement actions.

There are, however, ways for healthcare providers to reduce their risks. The 10 strategies discussed below can help healthcare providers avoid the violations that result in government inquiries, effectively respond to those inquiries when they arise, and resolve resulting conflicts in the most favorable way possible.

1. Assess the Risks Actually Faced by the Company

While the best way to avoid a government investigation is to prevent legal and regulatory violations, this is not always possible. Given the myriad laws and regulations governing healthcare providers, it is likely that a violation will occur at some point. This likelihood requires companies to have a way to detect and address violations in their infancy.

The best practice is to implement a corporate compliance program aimed at educating employees about relevant legal guidelines and applicable company policies, while encouraging and providing guidance about reporting compliance concerns.

The particulars of a corporate compliance program will vary depending on company size, the breadth of its operations and healthcare sector in which it operates. However, every program should begin with a thorough and candid risk assessment. This must be carried out in a manner that allows the healthcare provider to identify the who, what, where, when and how of the intersections between the company's activities and applicable guidelines.

Skipping the assessment stage of the process often results in a shotgun approach to compliance initiatives. Worse yet, some providers simply adopt "cookie cutter" compliance programs – an approach that is not only ineffective but harmful.

Government investigators will review the company's compliance program early in the investigation. A "cut and paste" program – adopted without regard for the provider's particular structure and operations – is unlikely to reflect a genuine commitment to compliance. Rather, investigators will view such a program as little more than window dressing.

To avoid this problem, providers must tailor their compliance programs to their own operations and the unique risks posed by those operations. This can only be accomplished through a thorough risk assessment aimed at understanding the regulations governing the company's core operations. Certain basic principles – such establishing medical necessity, billing appropriately for services rendered, maintaining adequate documentation – apply across the industry spectrum, but each sector of the healthcare industry exists in its own regulatory environment.

The risk assessment should identify the ways in which the company's operations intersect with applicable rules, and the employees involved in those operations, targeting the greatest attention to the areas of greatest risk. The risk assessment should also anticipate where the company is headed.

For example, future plans might include expansion into new services and/or regions. Tailoring the compliance program on an ongoing basis requires a provider to address areas of need without wasting resources and to operate efficiently without unnecessary exposure to risk.

2. Take Heed of Compliance Program Guidance Published By the Government

The Department of Health and Human Services Office of Inspector General (HHS-OIG) publishes compliance program "guidance" for various sectors of the health care industry. While this assistance covers a range of providers (including hospitals, nursing facilities, hospices and ambulance suppliers), the core tenets remain consistent. These include:

  1. Development and distribution of written standards of conduct;
  2. Designation of a compliance officer charged with developing, operating, and monitoring the program, who reports to the board or the CEO;
  3. Development and implementation of regular, effective education and training programs for all affected employees;
  4. Creation and maintenance of an effective line of communication between the compliance officer and all employees, including a means for employees to report potential violations anonymously without the threat of retaliation;
  5. Use of audits and other techniques to monitor compliance, identify problem areas and correct identified problems;
  6. Development of policies and procedures to prohibit the employment of excluded individuals who have violated corporate or compliance policies, applicable statutes and regulations; and
  7. Development of policies and procedures to investigate potential violations and to promptly correct any violations uncovered by the investigation.

At a minimum, an effective compliance program must contain each of these elements. Healthcare providers in particular industries should also take advantage of any industry-specific guidance published by HHS-OIG. Companies who disregard the HHS-OIG guidance do so at their peril.

3. Be Proactive in Investigating and Resolving Potential Compliance Violations

When the government begins an investigation of a healthcare company, it is seeking to determine whether the facts require government intervention and sanctions as a means of punishing violations of law and preventing future conduct. In essence, the government regulators attempt to determine whether the number and nature of violations are such that, absent intervention, greater harm will result in the future.

To counteract those concerns, healthcare companies need to be able to demonstrate that they are committed to uncovering and addressing these issues on their own, and to preventing violations from occurring in the future.

To make this showing, companies should implement three basic strategies:

  1. Actively seek out potential violations, including encouraging reporting by employees;
  2. Adopt investigatory protocols to ensure that potential violations are scrutinized in an appropriate and consistent manner; and
  3. Impose disciplinary measures that reflect a genuine commitment to deter future violations.

Even in the smallest companies, monitoring the broad range of activities by all employees represents a substantial undertaking. By encouraging employee reporting of potential violations, the company effectively leverages its observational capacities. Providing for anonymous reporting and protection against retaliation is key to ensuring that employees provide this essential compliance function.

Healthcare providers must also investigate potential violations in an appropriate manner. Providers should have procedures in place governing the conduct of any internal investigation to ensure consistency.

Such procedures should include promptly securing relevant evidence, conducting thorough witness interviews and providing the accused party the opportunity to respond. Finally, if the internal investigation uncovers a violation, the provider must impose corrective measures, including appropriate discipline, to prevent such violations from re-occurring in the future.

4. Identify and Capture Evidence of "Systemic Success"

Healthcare providers should also seek to identify and track evidence of "systemic success," i.e., those instances where the compliance program operates as intended. These successes can include those occasions where:

  • The company turned down an attractive financial opportunity that could have resulted in a violation;
  • The company's audits uncovered potential violations that, while not at a level triggering self-disclosure, resulted in improvements to compliance going forward; or
  • The company acted on whistleblower concerns that, while not actually amounting to violations of law, revealed a heightened risk of future harm.

The ability to provide concrete examples of a compliance program operating effectively can provide tremendous value in responding to a government inquiry. By demonstrating a pattern of robust compliance efforts, healthcare providers can credibly demonstrate not only an authentic commitment to compliance in the abstract, but also in practice.

5. Recognize that Compliance Strategies Cannot Remain Static

By examining its compliance program at regular intervals, a healthcare company can do more than simply satisfy the government's expectations. These reviews can improve not only the program's effectiveness, but also its efficiency.

HHS-OIG guidance contemplates that periodic reviews will serve as a springboard for the company to expand its compliance program to those areas that are not being addressed adequately. To be deemed effective, a compliance program must be dynamic and, over time, must adapt to the changes in operational and regulatory environment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.