"We are *no longer giving Adequate Healthcare to these patients."
— Dr. Catherine O'Neal American Medical Association Office of the Chief Records Officer for the US Government and Infectious Diseases Society of America Centers for Disease Control and Prevention expert
Jolee Bollinger, EVP General Counsel FMOLHS
*^Jolee balances
operational aspects IHS
corporate integrity
commitment mission
serving in need
Thank you, Jolee, for *ensuring we continually operate at the highest level of professionalism and compassion.
*Dr. Catherine O'Neal:
"We are *no longer giving ADEQUATE CARE to these patients"
chief medical officer, infectious disease expert
*Daryl Allen, CHC, CHPC
Healthcare Compliance Privacy Officer
FMOLHS
*no longer giving Adequate Healthcare to these patients.
^ensuring we continually operate at the highest level of professionalism and compassion
CORPORATE RESPONSIBILITY AND CORPORATE COMPLIANCE: A Resource for Health Care Boards of Directors THE OFFICE OF INSPECTOR GENERAL OF THE U S DEPARTMENT OF HEALTH AND HUMAN SERVICES AND THE AMERICAN HEALTH LAWYERS ASSOCIATION
Daryl Allen, CHC, CHPC
Franciscan Missionaries of Our Lady Health System
Director, Compliance and Privacy Officer
March 2014 - Present (7 years 10 months)
Louisiana State University
Bachelor of Science, Finance · (2000)
Director, Compliance and Privacy Officer
March 2014 - Present (7 years 10 months)
Louisiana State University
Bachelor of Science, Finance · (2000)
CORPORATE RESPONSIBILITY AND CORPORATE COMPLIANCE
I INTRODUCTION
As corporate responsibility issues fill the headlines, corpo rate directors are coming under greater scrutiny.
The Sarbanes-Oxley Act, state legislation, agency pronouncements, court cases and scholarly writings offer a myriad of rules, regulations, prohibitions, and interpretations in this area.
While all Boards of Directors must address these issues, directors of health care organizations also have important responsibilities that need to be met relating to corporate compliance requirements unique to the health care industry.
The expansion of health care regulatory enforcement and compliance activities and the height attention being given to the responsibilities of corpo directors are critically important to all health care organizations.
In this context, enhanced oversight of cor compliance programs is widely viewed as consistent with and essential to ongoing federal and state corporate responsibility initiatives.
Our complex health care system needs dedicated and knowledgeable directors at the helm of both for-profit and non-profit corporations.
This educational resource, co sponsored by the Office of Inspector General (OIG) of the U S Department of Health and Human Services and the American Health Lawyers Association, the leading health law educational organization, seeks to assist directors of health care organizations in carrying out their important oversight responsibilities in the current chal lenging health care environment.Improving the knowledge base and effectiveness of those serving on health care organization boards will help to achieve the important goal of continuously improving the U S health care system.
Fiduciary Responsibilities The fiduciary duties of directors reflect the expectation of corporate stakeholders regarding oversight of corporate affairs.
The basic fiduciary duty of care principle, which requires a director to act in good faith with the care an ordinarily prudent person would exercise under similar circumstances, is being tested in the current corporate climate.
Personal liability for directors, including removal, civil damages, and tax liability, as well as damage to reputa tion, appears not so far from reality as once widely believed.
Accordingly, a basic understanding of the director’s fiduciary obligations and how the duty of care may be exercised in overseeing the company’s compliance systems has become essential.
Embedded within the duty of care is the concept of reasonable inquiry.
In other words, directors should make inquiries to management to obtain information necessary to satisfy their duty of care.
V
SUGGESTED QUESTIONS FOR DIRECTORS
Periodic consideration of the following questions and commentary may be helpful to a health care organiza tion’s Board of Directors.
The structural questions explore the Board’s understanding of the scope of the organiz’s compliance program.
The remaining questions, addressing operational issues, are directed to the operations of the compliance program and may facilitate the Board’s understanding of the vitality of its compliance program.
STRUCTURAL QUESTIONS
1.
How is the compliance program structured and who are the key employees responsible for its implementation and operation?
How is the Board structured to oversee compliance issues?
The success of a compliance program relies upon assigning high-level personnel to oversee its implementation and operations.
The Board may wish as well to establish a com mittee or other subset of the Board to monitor compliance program operations and regularly report to the Board. 2.
How does the organization’s compliance reporting system work?
How frequently does the Board receive reports about compliance issues?
Although the frequency of reports on the status of the com pliance program will depend on many circumstances, health care organization Boards should receive reports on a regular basis.
Issues that are frequently addressed include (1) what the organization has done in the past with respect to the program and (2) what steps are planned for the future and why those steps are being taken. 3.
What are the goals of the organization’s compli ance program?
What are the inherent limita tions in the compliance program?
How does the organization address these limitations?
The adoption of a corporate compliance program by an organization creates standards and processes that it should be able to rely upon and against which it may be held accountable.
A solid understanding of the rationale and objectives of the compliance program, as well as its goals and inherent limitations, is essential if the Board is to eval uate the reasonableness of its design and the effectiveness of its operation.
If the Board has unrealistic expectations of its compliance program, it may place undue reliance 4 on its ability to detect vulnerabilities.
Furthermore, com pliance programs will not prevent all wrongful conduct and the Board should be satisfied that there are mechanisms to ensure timely reporting of suspected violations and to evaluate and implement remedial measures.
4.
Does the compliance program address the significant risks of the organization?
How were those risks determined and how are new compliance risks identified and incorporated into the program?
Health care organizations operate in a highly regulated industry and must address various standards, government program conditions of participation and reimbursement, and other standards applicable to corporate citizens irre spective of industry.
A comprehensive ongoing process of compliance risk assessment is important to the Board’s awareness of new challenges to the organization and its evaluation of management’s priorities and program resource allocation.
5.
What will be the level of resources necessary to implement the compliance program as envisioned by the Board?
How has management determined the adequacy of the resources dedicated to implementing and sustaining the compliance program?
From the outset, it is important to have a realistic under- standing of the resources necessary to implement and sus tain the compliance program as adopted by the Board.
The initial investment in establishing a compliance infra structure and training the organization’s employees can be significant.
With the adoption of a compliance program, the organization is making a long term commitment of resources because effective compliance systems are not static programs but instead embrace continuous improve ment.
Quantifying the organization’s investment in com pliance efforts gives the Board the ability to consider the feasibility of implementation plans against compliance program goals.
Such investment may include annual budgetary commitments as well as direct and indirect human resources dedicated to compliance.
To help ensure that the organization is realizing a return on its compliance investment, the Board also should consider how management intends to measure the effectiveness of its compliance program.
One measure of effectiveness may be the Board’s heightened sensitivity to compliance risk areas.OPERATIONAL QUESTIONS The following questions are suggested to assist the Board in its periodic evaluation of the effectiveness of the organi zation’s compliance program and the sufficiency of its reporting systems.
A Code of Conduct How has the Code of Conduct or its equivalent been incorporated into corporate policies across the organiza tion?
How do we know that the Code is understood and accepted across the organization?
Has management taken affirmative steps to publicize the importance of the Code to all of its employees?
Regardless of its title, a Code of Conduct is fundamental to a successful compliance program because it articulates the organization’s commitment to ethical behavior.
The Code should function in the same way as a constitution, i e , as a document that details the fundamental principles, values, and framework for action within the organization.
The Code of Conduct helps define the organization’s cul ture; all relevant operating policies are derivative of its prin ciples.
As such, codes are of real benefit only if meaningfully communicated and accepted throughout the organization.
B Policies and Procedures Has the organization implemented policies and procedures that address compliance risk areas and established internal controls to counter those vulnerabilities?
If the Code of Conduct reflects the organization’s ethical philosophy, then its policies and procedures represent the organization’s response to the day-to-day risks that it con- fronts while operating in the current health care system.
These policies and procedures help reduce the prospect of erroneous claims, as well as fraudulent activity by identi fying and responding to risk areas.
Because compliance risk areas evolve with the changing reimbursement rules and enforcement climate, the organization’s policies and procedures also need periodic review and, where appropriate, revision.
4 Regular consultation with counsel, including reports to the Board, can assist the Board in its oversight responsibilities in this changing environment.
4 There are a variety of materials available to assist health care organizations in this regard.
For example, both sponsoring organizations of this educational resource offer various materials and guidance, accessible through their web sites.5 CORPORATE RESPONSIBILITY AND CORPORATE COMPLIANCE
C
Compliance Infrastructure
1.
Does the Compliance Officer have sufficient authority to implement the compliance program?
Has management provided the Compliance Officer with the autonomy and sufficient resources necessary to perform assessments and respond appropriately to misconduct?
Designating and delegating appropriate authority to a com pliance officer is essential to the success of the organiza tion’s compliance program.
For example, the Compliance Officer must have the authority to review all documents and other information that are relevant to compliance activities.
Boards should ensure that lines of reporting within man agement and to the Board, and from the Compliance Officer and consultants, are sufficient to ensure timely and candid reports for those responsible for the compliance program.
In addition, the Compliance Officer must have sufficient personnel and financial resources to implement fully all aspects of the compliance program. 2.
Have compliance-related responsibilities been assigned across the appropriate levels of the organization?
Are employees held accountable for meeting these compliance-related objectives during performance reviews?The successful implementation of a compliance program requires the distribution throughout the organization of compliance-related responsibilities.
The Board should satisfy itself that management has developed a system that establishes accountability for proper implementation of the compliance program.
The experience of many organi zations is that program implementation lags where there is poor distribution of responsibility, authority and accountability beyond the Compliance Officer.
D Measures to Prevent Violations 1.
What is the scope of compliance-related education and training across the organization?
Has the effectiveness of such training been assessed?
What policies/measures have been developed to enforce training requirements and to provide remedial training as warranted?
A critical element of an effective compliance program is a system of effective organization-wide training on compli ance standards and procedures.
In addition, there should be specific training on identified risk areas, such as claims development and submission, and marketing practices.
Because it can represent a significant commitment of resources, the Board should understand the scope and effectiveness of the educational program to assess the return on that investment.
2.
How is the Board kept apprised of significant regulatory and industry developments affecting the organization’s risk?
How is the compliance program structured to address such risks?
The Board’s oversight of its compliance program occurs in the context of significant regulatory and industry devel opments that impact the organization not only as a health care organization but more broadly as a corporate entity.
Without such information, it cannot reasonably assess the steps being taken by management to mitigate such risks and reasonably rely on management’s judgment.
3.
How are “at risk” operations assessed from a compliance perspective?
Is conformance with the organization’s compliance program periodically evaluated?
Does the organization periodically evalu ate the effectiveness of the compliance program?
Compliance risk is further mitigated through internal review processes.
Monitoring and auditing provide early identification of program or operational weaknesses and may substantially reduce exposure to government or whistleblower claims.
Although many assessment techniques are available, one effective tool is the performance of regular, periodic compliance audits by internal or exter nal auditors.
In addition to evaluating the organization’s conformance with reimbursement or other regulatory rules, or the legality of its business arrangements, an effec tive compliance program periodically reviews whether the compliance program’s elements have been satisfied.
4.
What processes are in place to ensure that appropriate remedial measures are taken in response to identified weaknesses?
Responding appropriately to deficiencies or suspected non-compliance is essential.
Failure to comply with the organization’s compliance program, or violation of appli cable laws and other types of misconduct, can threaten the organization’s status as a reliable and trustworthy provider of health care.
Moreover, failure to respond to a known deficiency may be considered an aggravating cir cumstance in evaluating the organization’s potential liabil ity for the underlying problem.
6
E Measures to Respond to Violations
1.
What is the process by which the organization evaluates and responds to suspected compliance violations?
How are reporting systems, such as the compliance hotline, monitored to verify appropriate resolution of reported matters?
Compliance issues may range from simple overpayments to be returned to the payor to possible criminal violations.
The Board’s duty of care requires that it explore whether procedures are in place to respond to credible allegations of misconduct and whether management promptly initi ates corrective measures.Many organizations take disciplinary actions when a responsible employee’s conduct vio lates the organization’s Code of Conduct and policies.
Disciplinary measures should be enforced consistently.
2.
Does the organization have policies that address the appropriate protection of “whistleblowers” and those accused of misconduct?
For a compliance program to work, employees must be able to ask questions and report problems.
In its fulfill ment of its duty of care, the Board should determine that the organization has a process in place to encourage such constructive communication.
3.
What is the process by which the organization evaluates and responds to suspected compliance violations?
What policies address the protection of employees and the preservation of relevant documents and information?
Legal risk may exist based not only on the conduct under scrutiny, but also on the actions taken by the organization in response to the investigation.In addition to a potential obstruction of a government investigation, the organiza tion may face charges by employees that it has unlawfully retaliated or otherwise violated employee rights.It is important, therefore, that organizations respond appropriately to a suspected compliance violation and, more critically, to a government investigation without damaging the corporation or the individuals involved.
The Board should confirm that processes and policies for such responses have been developed in consultation with legal counsel and are well communicated and understood across the organization.
4.
What guidelines have been established for reporting compliance violations to the Board?
As discussed, the Board should fully understand management’s process for evaluating and responding to identified violations of the organization’s policies, as well as applica ble federal and state laws.
In addition, the Board should receive sufficient information to evaluate the appropriate ness of the organization’s response.
5.
What policies govern the reporting to government authorities of probable violations of law?
Different organizations will have various policies for investigating probable violations of law.
Federal law encourages organizations to self-disclose wrongdoing to the federal government.
Health care organizations and their counsel have taken varied approaches to making such disclosures.
Boards may want to inquire as to whether the organiza tion has developed a policy on when to consider such disclosures.
VI.
Conclusion
The corporate director, whether voluntary or compensat ed, is a bedrock of the health care delivery system.
The oversight activities provided by the director help form the corporate vision, and at the same time promote an environ ment of corporate responsibility that protects the mission of the corporation and the health care consumers it serves.
Even in this “corporate responsibility” environment, the health care corporate director who is mindful of his/her fundamental duties and obligations, and sensitive to the premises of corporate responsibility, should be confident in the knowledge that he/she can pursue governance service without needless concern about personal liability for breach of fiduciary duty and without creating an adver sarial relationship with management.
The perspectives shared in this educational resource are intended to assist the health care director in performing the important and necessary service of oversight of the corporate compliance program.
In so doing, it is hoped that fiduciary service will appear less daunting, and pro- vide a greater opportunity to “make a difference” in the delivery of health care.
CORPORATE RESPONSIBILITY AND CORPORATE COMPLIANCE
II.
DUTY OF CARE
Of the principal fiduciary obligations/duties owed by directors to their corporations, the one duty specifically implicated by corporate compliance programs is the duty of care.
1
As the name implies, the duty of care refers to the obligation of corporate directors to exercise the proper amount of care in their decision-making process.
State statutes that create the duty of care and court cases that interpret it usually are identical for both for-profit and non-profit corporations.
In most states, duty of care involves determining whether the directors acted (1) in “good faith,” (2) with that level of care that an ordinarily prudent person would exercise in like circumstances, and (3) in a manner that they reasonably believe is in the best interest of the corporation.
In analyzing whether directors have complied with this duty, it is necessary to address each of these elements separately.
The “good faith” analysis usually focuses upon whether the matter or transaction at hand involves any improper financial benefit to an individual, and/or whether any intent exists to take advantage of the corporation (a corol lary to the duty of loyalty).
The “reasonable inquiry” test asks whether the directors conducted the appropriate level of due diligence to allow them to make an informed decision.
In other words, directors must be aware of what is going on about them in the corporate business and must in appropriate circumstances make such reasonable inquiry, as would an ordinarily prudent person under similar circum stances.
And, finally, directors are obligated to act in a man ner that they reasonably believe to be in the best interests of the corporation.
This normally relates to the directors state of mind with respect to the issues at hand.
In considering directors fiduciary obligations, it is impor tant to recognize that the appropriate standard of care is not “perfection.”
Directors are not required to know every- thing about a topic they are asked to consider.
They may, where justified, rely on the advice of management and of outside advisors.
Furthermore, many courts apply the “business judgment rule” to determine whether a director’s duty of care has been met with respect to corporate decisions.
The rule provides, in essence, that a director will not be held liable for a decision made in good faith, where the director is disinterested, reasonably informed under the circum stances, and rationally believes the decision to be in the best interest of the corporation.
Director obligations with respect to the duty of care arise in two distinct contexts:
• The decision-making function:
The application of duty of care principles to a specific decision or a particular board action; and
• The oversight function:
The application of duty of care principles with respect to the general activity of the board in overseeing the day-to-day business operations of the corporation; i e , the exercise of reasonable care to assure that corporate executives carry out their man agement responsibilities and comply with the law.
Directors obligations with respect to corporate compliance programs arise within the context of that oversight func tion.
The leading case in this area, viewed as applicable to all health care organizations, provides that a director has two principal obligations with respect to the oversight func tion.
A director has a duty to attempt in good faith to assure that (1) a corporate information and reporting system exists, and (2) this reporting system is adequate to assure the board that appropriate information as to compliance with applicable laws will come to its attention in a timely manner as a matter of ordinary operations.2 In Caremark, the court addressed the circumstances in which corporate directors may be held liable for breach of the duty of care by failing to adequately supervise corporate employees whose mis conduct caused the corporation to violate the law.
In its opinion, the Caremark court observed that the level of detail that is appropriate for such an information system is a matter of business judgment.
The court also acknowledged that no rationally designed information and report ing system will remove the possibility that the corporation will violate applicable laws or otherwise fail to identify cor porate acts potentially inconsistent with relevant law.
Under these circumstances, a director’s failure to reason- ably oversee the implementation of a compliance pro- gram may put the organization at risk and, under extraor dinary circumstances, expose individual directors to per sonal liability for losses caused by the corporate non- 1 The other two core fiduciary duty principals are the duty of loyalty and the duty of obedience to purpose. 2 In re Caremark International Inc.
Derivative Litigation, 698 A 2d 959 (Del.
Ch. 1996).
A shareholder sued the Board of Directors of Caremark for breach of the fiduciary duty of care.
The lawsuit followed a multi-million dollar civil settlement and criminal plea relating to the payment of kickbacks to physicians and improper billing to federal health care programs. 2 compliance.3 Of course, crucial to the oversight function is the fundamental principle that a director is entitled to rely, in good faith, on officers and employees as well as corporate professional experts/advisors in whom the director believes such confidence is merited.
A director, however, may be viewed as not acting in good faith if he/she is aware of facts suggesting that such reliance is unwarranted.
In addition, the duty of care test involving reasonable inquiry has not been interpreted to require the director to exercise “proactive vigilance” or to “ferret out” corporate wrongdoing absent a particular warning or a “red flag.”
Rather, the duty to make reasonable inquiry increases when “suspicions are aroused or should be aroused;” that is, when the director is presented with extraordinary facts or circumstances of a material nature (e g , indications of financial improprieties, self-dealing, or fraud) or a major governmental investigation.
Absent the presence of suspi cious conduct or events, directors are entitled to rely on the senior leadership team in the performance of its duties.
Directors are not otherwise obligated to anticipate future problems of the corporation.
Thus, in exercising his/her duty of care, the director is obligated to exercise general supervision and control with respect to corporate officers.
However, once presented (through the compliance program or otherwise) with information that causes (or should cause) concerns to be aroused, the director is then obligated to make further inquiry until such time as his/her concerns are satisfacto rily addressed and favorably resolved.
Thus, while the cor porate director is not expected to serve as a compliance officer, he/she is expected to oversee senior manage ment’s operation of the compliance program.
III.
THE UNIQUE CHALLENGES OF HEALTH CARE ORGANIZATION DIRECTORS The health
care industry operates in a heavily regulated environment with a variety
of identifiable risk areas.
An effective compliance program helps mitigate those risks.
In addition to the challenges associated with patient care, health care providers are subject to voluminous and some- times complex sets of rules governing the coverage and reimbursement of medical services.
Because federal and state-sponsored health care programs play such a signifcant role in paying for health care, material non-compliance with these rules can present substantial risks to the health care provider.
In addition to recoupment of improper payments, the Medicare, Medicaid and other government health care programs can impose a range of sanctions against health care businesses that engage in fraudulent practices.
Particularly given the current “corporate responsibility” environment, health care organization directors should be concerned with the manner in which they carry out their duty to oversee corporate compliance programs.
Depending upon the nature of the corporation, there are a variety of parties that might in extreme circumstances seek to hold corporate directors personally liable for allegedly breaching the duty of oversight with respect to corporate compliance.
With respect to for-profit corporations, the most likely individuals to bring a case against the directors are corporate shareholders in a derivative suit, or to a limited degree, a regulatory agency such as the Securities and Exchange Commission.
With respect to non-profit corporations, the most likely person to initiate such action is the state attorney general, who may seek equitable relief against the director (e g removal) or damages.
It is also possible (depending upon state law) that a dissenting director, or the corporate member, could assert a derivative-type action against the directors allegedly respon sible for the “inattention,” seeking removal or damages.
Over the last decade, the risks associated with non-compliance have grown dramatically.
The government has dedicated substantial resources, including the addition of criminal investigators and prosecutors, to respond to health care fraud and abuse.
In addition to government investigators and auditors, private whistleblowers play an important role in identifying allegedly fraudulent billing schemes and other abusive practices.
Health care providers can be found liable for submitting claims for reimbursement in reckless disregard or deliberate igno rance of the truth, as well as for intentional fraud.
Because the False Claims Act authorizes the imposition of damages of up to three times the amount of the fraud and civil monetary penalties of $11,000 per false claim, record level fines and penalties have been imposed against individuals and health care organizations that have violated the law.