iProtean—Compliance in a Health Reform Environment

What is a hospital/health system board’s accountability standard for compliance in the current health reform environment?  The board’s oversight responsibility remains the same, said Monte Dube, Esq., at the recent iProtean Symposium.  Directors still have two principal obligations with respect to oversight:  a duty to attempt in good faith to assure that 1) a corporate information and reporting system exists, and 2) the reporting system ensures that the board receives timely and appropriate information as to compliance.


But the Affordable Care Act (ACA) has added specific twists on current regulations that should be noted at the board level:

  • The law makes it easier for whistleblowers to initiate lawsuits;
  • The False Claims Act and Anti Kickback Statute have been changed:  it is no longer necessary to prove that the offender knew his/her action was illegal;
  • When a provider is overpaid by CMS, the provider must pay back the overpayment within 60 days from the time the provider recognizes the overpayment;
  • HHS can withhold future payments based on credible allegations of fraud; and
  • An additional $350 million has been allocated to Office of the Inspector General (OIG) for fraud investigations/enforcement.


The new compliance regulations added by ACA as well as the existing regulations may cause concern for board members.  Mr. Dube suggested using the following format for assessing your organization’s actions:

  • Is it legal?
  • Is it right?
  • What do your stakeholders expect?
  • What do the regulators expect?
  • What does the market expect?
  • How it will read in the paper?
  • What’s coming down the pike?


Boards also are on the receiving end of an alert mechanism from the OIG—it publishes its work plan annually and gives hospital/health system leaders a detailed view of the enforcement activities planned by the OIG for the coming year.  (See iProtean blog OIG Issues FY 2013 Work Plan, October 9, 2012)


Case Study

Mr. Dube provided an example of a compliance problem from several years ago. A hospital management company fired a CFO at one of its hospitals, and the then-former CFO filed a wrongful termination suite.  During the deposition, he discovered that the hospital management company had “reserve Medicare cost reports” that its hospitals would use when the government challenged the cost report that a particular hospital had submitted.  The rationale was that because cost reporting is complicated, hospitals would file in good faith, but would also have these reserve cost reports in case the government disagreed with them.  That discovery resulted in the former CFO bringing a whistleblower lawsuit against the management company, which the Justice Department joined.  The lawsuit was settled against the hospital management company for $85 million, and ultimately led to its sale.


Mr. Dube noted that there will always be whistleblowers and ultimately wrongdoing will be discovered.  What might have alerted the board to this hospital management company’s practice?  The audit committee of the board, the compliance department, the internal auditor or even general counsel may have picked this up.  Certainly the external auditor should have raised a red flag.  The board was not reprimanded for “not knowing” about this practice because ultimately board members can’t control how well their auditors are doing their job.  However, they should make it a practice to check their compliance process oversight and from time to time make it a point to ask the right questions.


Resource for Healthcare Board Members  on Corporate Responsibility and Corporate Compliance

Board members should consider a serious of questions to guide them in their oversight responsibilities.  These questions appear in Corporate Responsibility and Corporate Compliance, a joint publication by the Office of the Inspector General (Department of Health & Human Services) and the American Health Lawyers Association in 2003.  The questions remain relevant to hospital/health system boards today (for the full publication, click here):


  1. How is the compliance program structured and who are the key employees responsible for its implementation and operation?  How is the board structured to oversee compliance issues?
  2. How does the organization’s compliance reporting system work?  How frequently does the board receive reports about compliance issues?
  3. What are the goals of the organization’s compliance program?  What are the inherent limitations in the compliance program?  How does the organization address these limitations?
  4. Does the compliance program address the significant risks of the organization?  How were those risks determined and how are new compliance risks identified and incorporated into the program?
  5. What will be the level of resources necessary to implement the compliance program as envisioned by the board?  How has management determined the adequacy of the resources dedicated to implementing and sustaining the compliance program?
  6. How has the Code of Conduct or its equivalent been incorporated into corporate policies across the organization?  How do we know that the Code is understood and accepted across the organization?  Has management taken affirmative steps to publicize the importance of the Code to all of its employees?
  7. Has the organization implemented policies and procedures that address compliance risk areas and established internal controls to counter those vulnerabilities?
  8. Does the compliance officer have sufficient authority to implement the compliance program?  Has management provided the compliance officer with the autonomy and sufficient resources necessary to perform assessments and respond appropriately to misconduct?
  9. Have compliance-related responsibilities been assigned across the appropriate levels of the organization?  Are employees held accountable for meeting these compliance-related objectives during performance reviews?
  10. What is the scope of compliance-related education and training across the organization  Has the effectiveness of such training been assessed?  What policies/measures have been developed to enforce training requirements and to provide remedial training as warranted?
  11. How is the board kept apprised of significant regulatory and industry developments affecting the organization’s risk?  How is the compliance program structured to address such risks?
  12. How are “at risk” operations assessed from a compliance perspective?  Is conformance with the organization’s compliance  program periodically evaluated?  Does the organization periodically evaluate the effectiveness of the compliance program?
  13. What processes are in place to ensure that appropriate remedial measures are taken in response to identified weaknesses?
  14. What is the process by which the organization evaluates and responds to suspected compliance violations?  How are reporting systems, such as the compliance hotline, monitored to verify appropriate resolution of reported matters?
  15. Does the organization have policies that address the appropriate protection of “whistleblowers” and those accused of misconduct?
  16. What is the process by which the organization evaluates and responds to suspected compliance violations?  What policies address the protection of employees and the preservation of relevant documents and information?
  17. What guidelines have been established for reporting compliance violations to the board?
  18. What policies govern the reporting to government authorities of probable violations of law?



Monte Dube appears in three new iProtean courses:  Affiliations & Partnerships, Physicians and Governance and Competency-based Succession Panning.  Look for these courses in the upcoming months.  iProtean subscribers will earn advanced certification upon successful completion of these courses.




For a complete list of iProtean courses, click here.


For more information about iProtean, click here.