Getting compliance just right

Given the heightened expectations for board oversight of compliance and ethics, and the unique role the CCO plays in supporting it, it is unsurprising that the topic continues to garner significant attention. Government scrutiny remains intense, and the accountability of the board, hospital or health care provider, and CCO continues to expand.

All indicators show that striking the right balance for compliance program oversight is critical. Often it may seem like a maddening game of creating the “just right” bowl of porridge with a growing list of ingredients.

First principles

Over the years, there has been no shortage of case law, agency pronouncements and memos, and other guidance on board governance, duties and oversight responsibilities. For governing boards of health care organizations, the Office of Inspector General of the U.S. Department of Health and Human Services issued guidance in April 2015 relating to board oversight and review of compliance program functions, continuing more than a decade of direction in the area. Key precepts in the OIG's guidance, arguably representing best practices, involve:

  • Defining the interrelationship of organization functions and departments (e.g., delineating the boundaries of the compliance, legal and audit functions).
  • Assessing the level of communication at the management level (e.g., reinforcing the expectation that compliance is an enterprise responsibility).
  • Holding executive sessions with leadership from different organizational departments (e.g., human resources, clinical services and information technology).
  • Receiving board reports with established regularity. (There is no one-size-fits-all, so what is “just right” for the company?)
  • Ensuring auditing and monitoring processes are in place to identify risks.
  • Encouraging accountability in meaningful and practical ways (e.g., clawbacks, recoupments and incentives for hitting compliance goals).

The OIG continues to use corporate integrity agreements to drive home the idea of compliance as a top-down effort beginning at the board level. CIAs provide important guidance on what the OIG believes to be effective board oversight and operational controls for health care organizations. Over time, we have seen the OIG modify and enhance CIAs to increase oversight and accountability, including new requirements for both executives and boards. CIAs increasingly include certifications of compliance.

Whistleblower retaliation

In October 2015, a federal court held in Wadler v. Bio-Rad Laboratories that members of a company’s board of directors can be held individually liable under the Sarbanes-Oxley and Dodd-Frank acts for whistleblower retaliation. The complaint also named the individual board members of Bio-Rad Laboratories, alleging wrongful termination in retaliation for investigating and reporting to Bio-Rad’s upper-level management potential violations of the Foreign Corrupt Practices Act in China.

To the extent a plaintiff’s lawsuit makes claims that go beyond retaliation issues, the claims could implicate a company’s directors and officers liability insurance policy. The potential for these types of claims to trigger the D&O policy underscores the need to closely review the policy's terms and conditions.

Organizations should also review and update their whistleblower-compliance and related training programs to ensure that employees at all levels — and importantly, board members and leadership — understand best practices for responding to and investigating employee complaints.

What remains an important open question is whether courts will extend the Wadler holding to other federal laws such as the False Claims Act. Undoubtedly, the FCA remains one of the government’s most powerful tools. At a minimum, Wadler underscores the potential liability of board members for whistleblower retaliation and sends yet another potent reminder about the importance of compliance program oversight.

Regulatory malfunctions

In an environment where the actions or inactions of the board are likely to be highly scrutinized in the aftermath of any high-profile organizational misconduct, the level and manner of communication and reporting is critical. Here are a few practical tips and considerations for board oversight and CCO reporting:

  1. One critical line of inquiry from the board relates to the dedicated resources for the compliance program. Is the budget sufficient, and is it being appropriately adjusted each year?
  2. CCOs need to recognize that board time is precious and limited. Their board presentations require strategic planning to ensure that appropriate areas are sufficiently covered and that potential risks are clearly identified without overselling compliance successes. CCOs often make the mistake of overloading the board with extraneous information or information lacking sufficient context to adequately provide a picture of the corresponding risk. While statistics can be powerful objective indicators, in a vacuum and without proper context they can be nothing more than a set of numbers. Board members need context and data to elicit the right lines of questioning.
  3. CCOs need to have direct, unfiltered access to the board. Executive sessions, however, should not be limited to time with only the CCO. Boards should hold executive sessions with other functional leaders to obtain a fuller, deeper picture of their situation from other key organizational stakeholders.
  4. A seasoned CCO will coordinate and collaborate with other functions having ownership over compliance program parts to avoid silos and redundancy with board reporting.
  5. A CCO should focus on presenting a balanced scorecard that will allow the board to see current progress (or potential setbacks) in a more meaningful manner. Presenting the board with current snapshots is important, but also showing a trajectory over a period of time can provide key context to potential areas of traction and ongoing areas of risk. Again, there is a delicate balance between too much and too little with board reporting.
  6. Engagement of an independent expert, at the direction of counsel, to conduct an external review of the compliance program can serve as another useful tool and objective indicator of the program’s effectiveness. This is another way the board can show its oversight duty.

Ability to adapt

An engaged, skeptical and inquisitive board, a CCO who has unfiltered access to the board, and a collaborative management team that is collectively engaged in driving a commitment to compliance are some of the key ingredients to getting it “just right” when it comes to compliance and ethics oversight.

Remember that the recipe for each organization will vary, and appetites and ingredients will change over time. The recipe will need to be modified occasionally to continue to strike the right balance for compliance program oversight. Nevertheless, the CCO’s role and relationship with the board is a critical element of program success, not only from a regulatory, enforcement perspective but also from the standpoint of credibility with the organization’s leadership team.

Jackie Baratian (Jacqueline.Baratian@alston.com) is a partner in law firm Alston & Bird’s Health Care Practice Group.