For the better part of a decade, the U.S. Justice Department has led the way on calls for a strong, independent corporate compliance function – until recently, that is. Then the Department of Health and Human Services leaped to the cutting edge of that conversation.
Specifically, the department’s Office of the Inspector General (OIG) released long-awaited guidelines on effective compliance programs for the healthcare sector. Tucked away on Page 39 of that guidance, OIG stressed that compliance officers should be “independent of other duties to the entity that might impair their ability to identify and raise compliance risks and advise on how to mitigate risks.”
Then came this passage, and in bold-faced type to boot:
“Thus, the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board.”
The very next paragraph also stressed that the compliance officer shouldn’t be responsible either directly or indirectly for healthcare delivery, nor for administrative functions such as billing, coding, claims submission, contracting, or administrative appeals.
“Whenever possible,” the OIG said, “the compliance officer’s sole responsibility should be compliance.”
That’s quite the declaration about independence.
Recommended reading: New Healthcare Compliance Guidance
What does this mean for compliance officers?
This new endorsement of independence can mean a few things for healthcare compliance officers, and not necessarily all of them good.
Let’s first understand the bigger picture here. With these new guidelines (which, we should stress, are voluntary only), OIG is clearly sending the message that corporate compliance should not be subordinate to some other business function such as legal, coding, finance, or anything else. OIG wants corporate compliance to be an important business function unto itself, co-equal to those other functions.
That is good news. Compliance officers (both inside and outside healthcare) have been fighting for years to be taken seriously by the rest of the enterprise. Even to this day, too many companies still view compliance as a second-tier business function that can be bolted on to some other “real” department, such as the legal team.
OIG’s guidelines want to change that paradigm. The ideal should be a compliance officer who (1) manages the actual program of policies, procedures, investigations, controls, and the like; and (2) serves as a counselor to the CEO and board about compliance risks. The more that OIG will support that goal, the better.
All that said, not everyone in the C-suite will relish the chief compliance officer rising to be a fellow senior executive. For example, one general counsel recently said to me, “I thought my role was to protect the CCO, who needs to periodically deliver the pure unvarnished truth to the board, even when it leads to significant repayments or other uncomfortable actions.”
My general counsel friend raises two good points. First, some boards won’t rush to welcome the chief compliance officer into the inner sanctum. They’re not likely to say that aloud, of course, but the plain truth is that some boards and CEOs still don’t see the compliance officer as someone worthy of that higher status. The OIG guidelines will help you argue your case for that status, but you still might need to argue long and hard before getting the respect you deserve.
Second, those newly elevated and independent compliance officers would need to finesse their relationship with the general counsel. Rather than protecting the CCO when you need to deliver bad news (as my general counsel friend described), the GC would serve more of a supporting role, backing you up after you’ve delivered the bad news.
Do you have that relationship with your general counsel now? Could you foster such a relationship in the future? What if you have a great relationship with your GC today, but someone new arrives next year and the relationship becomes more tense? How would you get that person to support you during tough boardroom conversations then?
Those aren’t new questions for most compliance officers, really – but the new OIG emphasis on independence could make those questions more important to you in the future.
What about CCOs outside healthcare?
Contrary to what one might assume, the Justice Department’s guidance for effective corporate compliance programs does not expressly say that the chief compliance officer role should be separate from the general counsel or anyone else. The guidance does instruct prosecutors to consider the autonomy of the compliance officer, and we’ve seen numerous enforcement actions over the years where an independent CCO was part of the resolution – but that’s not the same as OIG’s declaration that all CCOs should be independent as a standard practice.
So, compliance officers outside the healthcare sector could point to the OIG guidelines as yet more evidence that a senior-level, independent CCO is what regulators want to see. Your boards, CEOs, and general counsels, however, might not assign as much weight to that statement as those in the healthcare sector would.
And really, while every proclamation from regulators helps, compliance officers ultimately succeed by demonstrating their value to the enterprise no matter what regulators say. That means pushing your compliance program’s capabilities forward every day so that you can help the business achieve its objectives in an ethical, risk-aware manner.
Do that, and all the endorsements from regulators will just be icing on the cake.
For more information on how NAVEX serves the healthcare industry, visit: