- Establish written compliance and ethics standards, policies, and procedures that “are reasonably capable of reducing the likelihood of criminal, civil, and administrative violations” while also promoting the quality of care. Facilities must establish an appropriate program contact to whom individuals may report suspected violations, and must provide a method of anonymously reporting suspected violations without fear of retribution.
- Assign specific “high-level personnel” within the operating organization with the responsibility for overseeing the compliance and ethics program standards, policies and procedures.
- Provide “sufficient resources and authority to the specific individuals” referred to above to assure compliance.
- Exercise “due care not to delegate substantial discretionary authority to individuals who the operating organization knew, or should have known had a propensity to engage in criminal, civil, and administrative violations under the Social Security Act.”
- Implement steps to communicate effectively the compliance and ethics standards, policies and procedures to the entire staff as well as agents and volunteers, consistent with the volunteers' roles. Facilities must communicate their policies and procedures through a training program or some other “practical manner.”
- Institute monitoring and auditing systems “focused on detecting criminal, civil and administrative violations” and publicize a reporting system allowing violations to be reported anonymously without fear of retribution.
- Consistently enforce appropriate disciplinary actions, including a failure to detect and report a violation to the compliance and ethics program.
- Respond appropriately to a reported violation and prevent further similar violations. Modifications to the compliance and ethics program must be implemented whenever necessary.
Additional requirements for organizations with five or more facilities
According to the CMS Final Rule, organizations with five or more facilities must include all of the above elements and the following additional ones:
- Mandatory annual training regarding the operating organization's compliance and ethics program.
- A designated compliance officer whose primary responsibility is devoted to the organization's compliance and ethics program. Additionally, the compliance officer must report directly to the organization's governing body and not be subordinate to the general counsel, chief financial officer or chief operating officer, although he or she could be subordinate to the CEO.
- Designated “compliance liaisons” located at each of the operating organization's facilities.
CMS notes that the “compliance liaisons” are not compliance officers. While not defining the term “compliance liaisons” in the regulation, CMS states that an organization required to have site liaisons “will develop its own definition for the position ‘designated compliance liaison’ and determine the qualification, duties and responsibilities for the individuals in this position.”