CMS Final Rule: Compliance and ethics programs

Compliance programs in skilled nursing facilities (SNFs) have been around for years. The Health and Human Services (HHS) Office of the Inspector General (OIG) published Compliance Program Guidance for Nursing Facilities in 2000 and its Supplemental Compliance Program Guidance for Nursing Facilities in 2008. The Department of Justice released its Evaluation of Corporate Compliance Programs in February 2017 to provide specific guidance on how to assess the “effectiveness” of compliance programs.

In the past, compliance programs in long-term care have been optional. But Section 6102 of the Affordable Care Act mandated that all nursing facilities must have a compliance and ethics program. The Centers for Medicare and Medicaid Services (CMS) promulgated a new regulation regarding compliance and ethics programs in its Final Rule published in October 2016, making compliance programs a requirement at all CMS-reimbursed facilities.

An effective compliance program not only promotes quality care, but also may prevent enforcement issues based on alleged survey deficiencies and allegations of fraud, which can result in multi-million-dollar jury verdicts and settlements.

Elements of an effective compliance program

The CMS Final Rule requires nursing facilities that participate in Medicare and Medicaid to develop, implement and maintain effective compliance and ethics programs that include—at the very least—the eight discrete elements below:

  • Establish written compliance and ethics standards, policies, and procedures that “are reasonably capable of reducing the likelihood of criminal, civil, and administrative violations” while also promoting the quality of care. Facilities must establish an appropriate program contact to whom individuals may report suspected violations, and must provide a method of anonymously reporting suspected violations without fear of retribution.
  • Assign specific “high-level personnel” within the operating organization with the responsibility for overseeing the compliance and ethics program standards, policies and procedures.
  • Provide “sufficient resources and authority to the specific individuals” referred to above to assure compliance.
  • Exercise “due care not to delegate substantial discretionary authority to individuals who the operating organization knew, or should have known had a propensity to engage in criminal, civil, and administrative violations under the Social Security Act.”
  • Implement steps to communicate effectively the compliance and ethics standards, policies and procedures to the entire staff as well as agents and volunteers, consistent with the volunteers' roles. Facilities must communicate their policies and procedures through a training program or some other “practical manner.”
  • Institute monitoring and auditing systems “focused on detecting criminal, civil and administrative violations” and publicize a reporting system allowing violations to be reported anonymously without fear of retribution.
  • Consistently enforce appropriate disciplinary actions, including a failure to detect and report a violation to the compliance and ethics program.
  • Respond appropriately to a reported violation and prevent further similar violations. Modifications to the compliance and ethics program must be implemented whenever necessary.

Additional requirements for organizations with five or more facilities

According to the CMS Final Rule, organizations with five or more facilities must include all of the above elements and the following additional ones:

  • Mandatory annual training regarding the operating organization's compliance and ethics program.
  • A designated compliance officer whose primary responsibility is devoted to the organization's compliance and ethics program. Additionally, the compliance officer must report directly to the organization's governing body and not be subordinate to the general counsel, chief financial officer or chief operating officer, although he or she could be subordinate to the CEO.
  • Designated “compliance liaisons” located at each of the operating organization's facilities.

CMS notes that the “compliance liaisons” are not compliance officers. While not defining the term “compliance liaisons” in the regulation, CMS states that an organization required to have site liaisons “will develop its own definition for the position ‘designated compliance liaison’ and determine the qualification, duties and responsibilities for the individuals in this position.”

Most organizations have some form of compliance program in place, notes Donna Thiel, Chief Compliance Officer, Provider Trust. “Some [programs] are very sophisticated while others are just beginning. Customize your program to meet the uniqueness of your center, staff and residents,” she suggests. Recognizing the current and future deadlines for compliance programs is important from a strategic planning perspective. “Get started sooner rather than later,” she advises. “A strong compliance program is a valuable tool in your quality toolkit, so why wait to improve your program?”

Recent Guidance

How will SNFs know if their compliance programs are effective? The OIG met with a group of compliance professionals in January 2017 to discuss various methods for determining the effectiveness of compliance programs. In March, the OIG and the Health Care Compliance Association (HCCA) published Measuring Compliance Program Effectiveness: A Resource Guide. The Guide contains many metrics to help providers measure the various aspects of a compliance program, but the publication makes a point of noting it is not a “checklist.” As has been often repeated about compliance programs, there is no “one size fits all” approach. Each facility and organization will have to design, implement and revise as needed the specific compliance program required to meet its unique needs.

“In order to be effective, a compliance program can’t be a dusty binder sitting on a shelf,” says Teri Salamon, Vice President and Deputy General Counsel, Genesis HealthCare. “It needs to be a living, breathing, highly interactive and interdisciplinary approach [and] must have buy-in from the top down.”

Introducing employees to the chief compliance officer and any site liaisons is key to the success of the program, Salamon adds. “The true test to determine if your compliance plan is working is the satisfaction with the process from those in the field to those in the C-suite.”

Proactive steps

Apart from quality of care concerns and CMS enforcement actions, there is another compelling reason to ensure that organizations have effective compliance and ethics programs. In its 2017 Work Plan, the OIG states it will review documentation to assess a nursing facility’s compliance with the specific resource utilization group (RUG) requirements. OIG previously determined that many nursing facilities billed for higher levels of therapy than were provided or were reasonable or necessary, which frequently led to multi-million dollar settlements. An effective compliance and ethics program can eliminate or at least mitigate the likelihood of being on the wrong end of an OIG investigation.

The 2017 OIG Work Plan provides a window into the enforcement priorities that OIG will pursue in 2017. Providers can take a proactive approach by becoming familiar with the Work Plan and identifying vulnerable areas in their compliance program, lessening the risk of harsh enforcement actions.

Providers may find they are meeting some of the requirements already. Lyn Bentley, MSW, Vice President, Quality & Regulatory Affairs, the American Health Care Association (AHCA), notes, “It is important for providers to review the expectations of their compliance program and the rule, and determine what they are already doing that meets the requirements. Determine a process to combine these activities into a formalized program that meets the elements of the rule. The next step is to identify the gap areas and develop a plan for how to fill those gaps.”

Over the years, the key operational modifier used to describe compliance programs has been the word “effective.” To be effective, it is essential that compliance and ethics programs are given full and robust support from the board of directors. Anything less would be counterproductive and ineffective.

Alan C. Horowitz, Esq., RN, is a partner at Arnall Golden Gregory. He is a former assistant regional counsel, Office of the General Counsel, U.S. Department of Health and Human Services. He also has clinical healthcare experience as a registered respiratory therapist and registered nurse. He can be reached at


Topics: Alan C. Horowitz , Executive Leadership , Medicare/Medicaid , Regulatory Compliance , Risk Management