Grading Your Facility Compliance Plan


Grading your facility compliance plan

Your corporate compliance plan takes time and effort. Is it worthwhile? Is it really protective? Here’s a checkup list

Just as an annual checkup enables an individual to receive an evaluation of his/her physical condition, a compliance program assessment (CPA), preferably by an independent consultant, enables healthcare organizations to evaluate the effectiveness of their compliance programs. In these days of regulatory and legal exposure, this is no small matter. In an article published last year (“Symptoms of an Ailing Compliance Plan,” November 2003), we discussed how to structure a workable plan. In this article we offer a checklist that, when administered periodically, will show how effective the plan continues to be.

The CPA consists of three major phases:

    Phase 1: A compliance committee retreat
    Phase 2: Private interviews with key persons within the healthcare organization
    Phase 3: Review of pertinent documentation supporting the compliance program

After each phase, the organization will be given a report card. This requires that a grading system be agreed upon by the organization and consultant-for example, setting the maximum number of points attainable for each phase of the program and the percentage of those points actually achieved, with a grading scale of 95 to 100% being excellent; 90 to 94%, good; 80 to 89%, above average; 70 to 79%, average; and below 70%, needs improvement.

Compliance Committee Retreat
The primary objective of the compliance committee retreat is for the committee members to complete a scorecard evaluating 20 key areas of the compliance program. They grade each area using a point scale of 1 to 10, with 10 being the highest and 1 the lowest. Among the areas evaluated:

Other areas can be added as necessary. The scores are tabulated for each area and a composite score is calculated.

The retreat also offers an opportunity to perform a risk assessment, if the compliance committee hasn’t recently conducted one. Once again, using a scale of 1 to 10, the committee members have the opportunity to evaluate the degree of risk the facility has in areas such as:

  • Quality of care
  • Resident rights
  • Employee screening
  • Vendor relationships
  • Billing
  • Providing medically unnecessary services
  • Upcoding
  • Inappropriate unbundling
  • Billing for services not rendered
  • Duplicate billings
  • Incorrect claims submissions
  • Failure to refund credit balances
  • Problems with waivers of deductibles or coinsurance
  • Provision of free services
  • Provision of discounts
  • Dispensing gifts and gratuities
  • Cost-reporting problems
  • Antikickback statute violations
  • Stark self-referral issues
  • Tax issues
  • Employment issues
  • Antitrust issues

Once again, other areas can be added to the risk assessment. The purposes of the assessment are to enable the committee members to evaluate the specific risks that they perceive might affect their organization, to develop a work plan to audit these areas of risk, and to take corrective action.

Finally, a brainstorming session can be conducted, as a constructive way to identify opportunities for improvement. Committee members are asked to nominate areas needing improvement and offer remedies. This so-called SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) can be a good team-building exercise.

Private Interviews
Typically, private interviews with key individuals are scheduled after the compliance committee retreat. The compliance officer and each compliance committee member are interviewed using a series of yes or no questions, such as the following:

  • Does the board support the compliance program?
  • Does senior management support the compliance program?
  • Are the compliance meetings productive?
  • Are the compliance meetings conducted as scheduled?
  • Has the organization followed the compliance program?
  • Was a risk assessment performed?
  • Were the risk areas audited?
  • Were compliance complaints received and resolved?
  • Was the compliance training satisfactory?
  • Were employees and other parties disciplined when necessary?
  • Are the organization’s policies and procedures current and easy to understand?

In addition to the compliance committee members, key persons in the organization are also interviewed, including executives, managers, physicians, and board members. Although the questions would be by and large similar to those asked of the compliance committee members, some would be different, such as:

  • Does your organization have a compliance program that you recognize as such?
  • Do you understand the purpose of the compliance program?
  • Have you read the compliance plan and organizational code of conduct?
  • Do you know who the compliance officer is?
  • Do you know how to report complaints?
  • Is the process to report complaints effective?
  • Is your organization serious about compliance?
  • Has your compliance program improved during the past 12 months?

At the end of each of these interviews, each positive response receives one point and each negative response receives no points. The score is calculated by dividing the total points earned by the total maximum points. For example, 297 positives of a possible 300 would be a score of 99%, or excellent.

Final Grade Card
(Documentation Review)

The last phase of the CPA is the completion of the final grade card. Ideally, the grade card is completed by independent third-party consultants working with the organization on compliance. The grade card is a composite score of the individual phase scores and scoring for the seven major elements of the compliance program (see November 2003 article). To recap, the following seven areas are graded by the consulting team:

1. General. The consultants review compliance committee minutes, job descriptions, organizational charts, the compliance plan, and other relevant documentation. One point is awarded for each positive response the organization has earned. For example, if the committee met as required by the compliance plan, the organization receives one point. If minutes were maintained for each meeting, the organization also receives one point. If the compliance officer and committee members were evaluated, the organization receives one point. If the compliance plan was reviewed and revised as necessary, the organization receives one point. This process is followed for each item to be graded. In our report card process, a score is calculated on a maximum of 15 points. Twelve positives on this scale would compute as a score of 80%, or above average. Similar scoring is done for the remaining major elements.

2. Auditing and monitoring. The organization is evaluated for its process of monitoring and auditing the risk areas identified in its work plan. Again, the organization receives one point for each positive response it has earned. The consultant determines if a risk assessment was prepared, if a work plan was prepared, and if the work plan was followed. The consultant also determines if the Department of Health and Human Services’ Office of Inspector General’s (OIG) guidance, along with other regulatory guidance, was considered in the development of the work plan. (The OIG guidance is available at Internal and external audits are reviewed, along with supporting documentation and accompanying audit reports. The documentation includes both the workpapers and a narrative report that describes the scope of the audit, findings, corrective actions, etc.

3. Complaint report process. The hotline and other mechanisms available to report complaints are reviewed. The documentation supporting hotline call utilization and the process used to publicize the hotline and other reporting mechanisms also are reviewed. Complaints received are reviewed to determine if they were processed in a timely manner and according to the compliance plan, and whether the complaints were resolved. If exit interviews were conducted, the pertinent documentation is reviewed to determine if it shows the reason for the employee’s departure, if any compliance problems existed in connection with it, etc.

4. Policies and procedures. It is a fairly common weakness for organizations to not have all policies and procedures in writing. Sometimes the written policies and procedures are not current or difficult for employees to understand. Employees might contend that they didn’t understand their job responsibilities or the policies of their department. They might contend that they operated as they did because they thought they were told to do so by their supervisor or they had misinterpreted the policies. Some organizational policies are inconsistent. For example, a policy on gifts and gratuities in the compliance plan might not be consistent with the policy presented in the employee handbook.

After the consultant reviews the policies and procedures in terms of relevance, clarity, and consistency, a score is calculated.

5. Education and training. Some organizations conduct inadequate training, others do not fully document the training received, and others do not coordinate or monitor the training of their employees. Because every organization approaches its training and education programs differently, it is necessary to first determine how the organization trains its employees and who the responsible persons are for conducting, coordinating, and documenting the training.

Usually, training includes both competency and compliance instruction. It is important to determine if there are different persons responsible for each of these training aspects. Typically, new employees are oriented on the compliance program when they are hired and existing employees are trained at least annually on the compliance plan. Beyond that, though, the compliance training could either be the responsibility of the education department, the human resources department, or both. In any event, it is important to focus on orienting new employees to the compliance program and providing documentation showing that this was conducted properly.

It is important to review the written acknowledgements employees have signed as evidence that they have read the compliance plan and code of conduct. If pre- and post-tests were given on compliance, or if employees were surveyed on their compliance education needs, that documentation also is reviewed. Since training not only frontline staff, but the board of directors, compliance committee members, and the medical staff is important, a review of the documentation regarding the training of all these individuals should be performed.

6. Background checks. Background checks should be conducted as part of the compliance program. Many organizations have different background check policies. For example, some organizations only conduct background checks of employees hired subsequent to the creation of the compliance program. Other organizations require every employee to undergo a background check, regardless of time of hire. Some organizations conduct background checks of their independent contractors, or at least selected ones. Organizations should check the OIG Web site of Medicare-excluded individuals and entities as part of the background check.

In compiling this section of the grade card, a review of the documentation showing the level of background checks that was conducted for employees, independent contractors and physicians is performed. A review of the relevant documentation is conducted to determine if the background checks were conducted on all employees, selected contractors, agency employees and physicians who are subject to this policy, and if the employment application was screened for felony arrests, if reference checks were conducted, and if prior employment was checked.

7. Disciplinary actions. Last but not least, every organization needs to have a disciplinary policy that applies to compliance violations. Some organizations have a separate disciplinary policy for compliance violations, while others rely on their general disciplinary policy to cover all offenses. The primary concerns are if the punishment fits the crime and if disciplinary actions are applied consistently throughout the organization.

Documentation should indicate how the policy was communicated to all employees, whether employees were disciplined when required by the policy, and the types of disciplinary actions that were taken. If physicians and contractors were subject to a disciplinary policy, a review of the relevant documentation also should be conducted. In addition, if human resources reported disciplinary actions to the compliance officer, the related documentation should be reviewed.

In some cases, the compliance officer will participate in the disciplinary action along with human resources and key members of management. In other cases, the compliance officer is merely informed of the need for disciplinary action and the type of action that was taken.

In implementing the CPA as an annual exercise, the organization has created an ongoing measuring tool to evaluate the performance of its compliance program. Although this article raises numerous points that should be considered in any such reevaluation, and should be useful to that extent, we would strongly recommend use of a third-party consultant for the formal process. This quantitative and objective process will show management and external agencies that the organization is serious about compliance, that it has made attempts to improve, and that it has objectively improved, as documented by its scores over the years. And the CPA will demonstrate to the organization that all the time and effort it has put into its compliance activities have been worthwhile.

Lawrence A. Fogel, principal, and Joseph M. Watt, partner, are members of BKD Health Care Group, LLP, in Kansas City, Missouri, one of the 10 largest CPA and advisory firms in the country. The firm has 27 offices in Arkansas, Colorado, Illinois, Indiana, Kansas, Kentucky, Missouri, Nebraska, Ohio, Oklahoma, and Texas. For further information, contact Fogel at or Watt at, or phone (816) 221-6300 or visit To comment on this article, please send e-mail to For reprints in quantities of 100 or more, call (866) 377-6454.

Topics: Articles , Facility management , Regulatory Compliance , Risk Management