
Fiduciary Duties

Compliance: Practical Tips for Effective Board Oversight

Part 1 of a two-part series delving into how the board can impact organizational compliance and culture

By Flo Di Benedetto

Virtually every health care organization has a “compliance program” and most governing boards understand that the board has an oversight responsibility when it comes to compliance. But do board members understand the scope of the terms compliance and oversight and how that oversight responsibility translates into actual board activities? In Part 1 of this series, we explore the board’s oversight responsibility and offer practical tips to enhance the board’s execution of that critical responsibility. In Part 2 of this series, we will offer a more holistic view of compliance and how organizational culture either fosters or undermines a culture of compliance.

Governing boards have oversight responsibility for many functions — finance, strategy, the quality of clinical care and others. In exercising that oversight, board members have a duty of due care, which requires directors to act in good faith and make decisions that are in the best interest of the organization. Board members must exercise a reasonable level of prudence in doing so, including being adequately informed about the matters before them.

But few functions are as complex and nuanced as compliance. In the health care industry, we naturally think of compliance as “compliance with laws,” particularly those that fall under the broad rubric of “fraud and abuse.” Most board members know that the organization must have a formal compliance program including seven specifically required elements. Is the board’s oversight responsibility limited to ensuring the existence of a written compliance plan containing the required elements? Definitely not. The various government agencies charged with enforcing the laws expect the board to take reasonable, good faith steps to ensure that the compliance program is effective, meaning one that identifies and mitigates risk.

The Compliance Plan

Without detailing each of the required elements, let’s start with the plan itself. Did the board actually review and approve the plan and, if so, how long ago? Have board members meaningfully reviewed the policies and procedures or the training materials, and do they know the lines of communication and whether they are, in fact, effective? Signing off on the organization’s compliance program should not be a check-the-box activity, and certainly not a consent agenda item. The board should engage in a robust analysis of the plan and ask pertinent and penetrating questions to pressure-test the plan and its elements. Furthermore, the plan should be reviewed periodically throughout the year, both in response to significant events and to consider emerging areas, like artificial intelligence and climate disclosure. And, if your organization has multiple affiliates or subsidiary organizations, the bylaws of those other organizations should preclude them from varying from the compliance program without the approval of the parent board.

Is the Compliance Plan Effective?

The government expects board members to receive regular reports on the status of the compliance activities and the issues or events that occur. However, what the committee hears about is largely what management decides to share. In an effort to avoid information overload, management naturally limits the information presented. This can leave board members not knowing what they don’t know and not knowing what they should be asking. Recruiting a director or a third-party consultant with real-time compliance expertise can help the board understand what it should be receiving from, or asking of, management.

Not Just What, But Why and How

Typically, the compliance officer reports on problems that have arisen, the status of pending investigations or lawsuits and what is being done in response. The what is important, but the board should also be asking the why and how these things occurred. Was it a failure of policy or an internal control or was a red flag missed or is there a gap in training? Did an individual disregard policy or ignore warnings or cautions from legal or compliance personnel? These why and how questions can uncover important information about circumstances in the organization that are undermining the organization’s ability to be a truly compliant organization. The information can also be used to create plans designed to avoid future problems.

Accountability as a Compliance Pillar

When an adverse event occurs, board members should also be asking what steps are being taken to deal with the individuals who were involved in the incident. Often, management and the board default to policy revisions or structural realignment to try to address the problem rather than deal with an individual’s performance. Holding people accountable is never easy, but we do a disservice to individuals and the organization when we fail to do so. Avoiding the tough conversations is a failure of leadership which both enables the underlying behavior and increases the chances of a recurrence.

Reviewing Internal and External Trend Data

Reliable data can illuminate festering concerns before they become compliance problems. In that regard, the board should be asking about trend data from the compliance hotline — what is being reported by employees, clinicians and others who have access to the hotline? Are there any themes or hot spots? What are other similarly situated organizations experiencing? For example, if a neighboring health system is defending wage and hour litigation, the board can expect that the plaintiff’s trial bar will get around to focusing on your organization for the same litigation. How can the organization avoid that same fate, either by changing policies and practices or by identifying problems and resolving them with employees early, before a plaintiff’s lawyer gets involved? Ignoring red flags, dismissing non-compliance as a risk of doing business or hoping that it never happens to your organization are not viable strategies.

Executive Sessions with Key Senior Leaders

Every board relies on information presented by management and may not be aware of other information that could be useful to the board in discharging its oversight responsibility. One way to supplement the information provided in the open board or committee session is for the board or committee to have private, individual, executive sessions with key senior leaders — e.g., the chief compliance officer, chief financial officer and the chief legal officer. We like to think that senior leaders will speak up in an open board or committee meeting, but in reality, that does not always occur. Even senior leaders may be reluctant to raise issues outside of the planned agenda. Executive sessions can be a valuable and safe forum for board members to candidly converse with key leaders.

Is An External Review Warranted?

Despite their good faith efforts, if board members still have questions and/or want an additional level of assurance, consider commissioning an external review of the effectiveness of the compliance program. An external review done periodically can give the board an additional level of assurance on which the board can rely. Reliance on an external review can also afford some protection for the board in the event of a third party (think government) inquiry. Generally, the most valuable reviews are done by people or organizations who have no existing relationship (i.e., they are not existing consultants or vendors) and have no personal or professional relationship with anyone in management. The more practical reviews are done by someone who has actual “in the trenches” experience managing compliance programs in health care organizations. Unless you have been on the ground actually running or managing a compliance program, you cannot fully appreciate the challenges of operationalizing an effective compliance program and know the traps that might exist to derail the program. The board should consult with the organization’s legal counsel to determine the pros and cons of conducting the external review under the protection of attorney-client privilege.

Elevating the Importance of Compliance

Sometimes employees assess whether something is really important by looking at who is involved in the matter. Is compliance a function that belongs to the chief compliance officer, or is it a real commitment — a mindset — with active board and leadership engagement? Annual employee compliance training is required in health care organizations and board member participation in the training is a powerful way to convey importance. Encourage management to include the chief compliance officer as a presenter at employee forums to increase the visibility of this individual and to show support for his or her role. Visible board engagement at town halls and employee symposiums can go a long way in reassuring the workforce about the importance of compliance and the board’s commitment to it.

The scope of compliance changes constantly as new technologies and capabilities and threats emerge. Evolving fields such as artificial intelligence and increasingly sophisticated threats such as cybersecurity challenge both management and governing boards. Staying ahead of the cresting wave of new developments takes commitment, resources and active board engagement and support.

Flo Di Benedetto, Esq., (fdibenedetto@dibenedettosolutions.com) is the President and CEO of Di Benedetto Solutions, Inc. based in Roseville, Calif. She served as the senior vice president and general counsel for Sutter Health from 2009-2023.

Please note that the views of authors do not always reflect the views of AHA.