A compliance program is generally defined as a company’s set of internal policies and procedures established to comply with laws, rules, and regulations. Effective compliance programs are essential in mitigating risk and avoiding penalties associated with regulatory requirements. As risk factors increase and the regulatory landscape continues to shift, maintaining an effective compliance program has become more important than ever and the consequences of not following it more serious than ever. Not only can there be significant monetary implications, but even criminal charges depending on the severity of the offense.
An Increased Need for Effective Compliance Programs
One development highlighting the increased need for effective compliance programs is government audits of provider relief funds. Provider relief funds are any kind of funding provided by the government to hospitals and other health care providers to compensate for revenue loss and higher costs associated with the pandemic – as well as other COVID-19 Federal stimulus acts and programs. These include the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the Coronavirus Response and Consolidated Appropriations Act and the American Rescue Plan Act (ARPA). To prevent fraud, waste and abuse, Federal agencies are now performing audits, investigating claims of fraud, and prosecuting funding recipients accordingly. As a result, organizations must have effective compliance programs in place to ensure they are closely following all regulations associated with stimulus funding.
Other recent developments underscoring the importance of effective compliance programs include regulatory compliance updates. For example, in New York State, the Office of Medicaid Inspector General (OMIG) recently updated the 18 NYCRR Part 521 regulations in order to meet the amendments of the New York State Social Service Law Section 363-D.
The updated compliance regulations were finalized on December 28, 2022. Enforcement of these updated regulations began on March 28, 2023 – 90 days after they became effective. These revisions resulted in several key compliance program regulatory updates, requiring providers to understand and implement these updates to avoid noncompliance penalties.
That’s where a comprehensive compliance program comes in. The government expects that all applicable organizations impacted by regulations have a clear plan for implementing and maintaining an effective compliance program.
While compliance program requirements will vary according to factors such as industry and location, best practices for developing, implementing, and maintaining an effective compliance program are as follows:
How to Develop an Effective Compliance Program
The first step in developing an effective compliance program is educating yourself and your team on the key components of a fully developed and implemented compliance program. According to the Office of Inspector General (OIG), the seven elements of an effective compliance program, include:
1.) Written Policies, Procedures and Standards of Conduct
A good place to start in developing an effective compliance program is establishing and documenting your organization’s policies, procedures, and standards of conduct. These written materials should then be made available to all employees within an organization. In addition, these policies and procedures should be periodically reviewed and revised.
2.) Compliance Program Oversight
To ensure appropriate oversight of your compliance program, your organization must designate a compliance officer. A compliance officer is responsible for the day-to-day operations of an organization’s compliance program. This includes developing, implementing, and monitoring the compliance program. Compliance officers will report, and should have direct access to, an organization’s governing body. Additionally, a compliance committee should also be appointed to work alongside the compliance officer and support the management of the organization’s compliance program.
3.) Compliance Education and Training
Proper training and education are critical to creating a culture of compliance and ensuring your organization abides by the relevant laws, rules and regulations. As a result, educational training programs should be administered across your organization. This training should address topics such as risk areas, policies, procedures and standards of conduct, the role of the compliance officer and compliance committee, methods of reporting compliance concerns, disciplinary standards and more. Three basic elements of an effective compliance training program should include the sharing of job-specific compliance knowledge based on need, clear communication of regulatory responsibilities based on the role of the employee, and assessments to hold employees accountable.
Because it’s easy for employees to be consumed by day-to-day tasks and forget compliance training best practices, training should be conducted not only as part of the employee onboarding process but held at least annually thereafter. At these times, employees should be reassessed to ensure the information is resonating.
4.) Effective, Confidential Communication
Another essential element of an effective compliance program is a direct line of communication between the organization’s employees and compliance officer/committee. This line of communication will allow employees to confidentially report any noncompliance issues. Organizations should work to ensure the anonymity of complaints and protect whistleblowers from any potential retaliation. From there, employees should be provided with pre-determined guidance on next steps and the noncompliance issue should be addressed as soon as possible.
5.) Enforcement of Compliance Standards
All members of the company, all the way down to the interns, must acknowledge and support your organization’s compliance program. Active participation and commitment to the compliance program is key to ensuring effectiveness. Disciplinary actions should be taken to address offenses to your organization’s policies, procedures, and standards of conduct.
Arguably the most important buy-in to the compliance program is that of the organization’s senior management team. They are the mouthpiece of influence for the organization to ensure that the policies put forth by the compliance officer are fully embraced. One way to demonstrate the support of leadership is to have c-suite executives sign a Management Commitment Statement once the program is rolled out to lead by example and showcase the importance of adhering to the proposed practices. The Chief Executive Officer, President, or another senior executive should also make their support for the program known through positively reinforcing compliant practices and condemning risky behaviors.
6.) Internal Auditing and Monitoring
Organizations should employ a process that routinely monitors and identifies compliance risks. This should include deploying internal audits with a focus on the effectiveness of the compliance program. Organizations should focus on the risk areas identified within the regulations and share the results of all audits, both internal and external, with the compliance committee and governing body. Furthermore, these results and risk areas should be incorporated in the compliance program.
For added protections and due diligence, it may be in the best interest of organizations to periodically commission an external audit of their organization as well to benefit from an unbiased, third-party viewpoint. These audits can provide validation to your program or identify new risks your internal committee may have missed that need to be addressed.
7.) Detection, Resolution and Response
Continuously monitoring for compliance offenses is essential to compliance program effectiveness. Just as critical, however, is investigating and responding to identified and reported issues. This can be done through coordinated risk assessments. These include identifying the most vulnerable areas of the organization to non-compliance and building extra safeguards to control these risks.
How to Assess Compliance Program Effectiveness
Once your compliance program has been developed and is in place, it is important to determine the effectiveness of the program. A compliance program is deemed effective when it is fully rooted into all aspects of an organization and supported by all staff. To determine the effectiveness of a compliance program, an organization should evaluate their program on a periodic basis, review and update its policies and procedures, survey its culture of compliance and conduct testing to confirm that established controls are working and any corrective plans implemented have been successful.
Another way to assess your compliance program’s effectiveness is through rigorous recordkeeping practices. This not only provides material items to be reviewed and assessed for performance, but also creates a helpful paper trail should your organization be audited. Essentially, it is a way to demonstrate that due diligence and proper steps were taken to remain compliant, even if you make a misstep.
Most importantly, don’t get over-confident. The biggest mistake that an organization can make is assuming that your compliance program is fool proof, and not being prepared to take corrective action when an incidence of noncompliance is discovered can make matters worse. Every compliance program should have clear guidelines surrounding what actions to take if they believe they have discovered an incidence of non-compliance. Early detection and fast resolution to non-compliance can minimize the organization’s exposure to consequences and risk.
If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.