Symptoms of an Ailing Compliance Plan

Symptoms of an Ailing Compliance Plan

When it comes to regulatory compliance, some organizations say one thing and do another-and end up wishing they hadn’t


Let’s start with the following true-or-false statement: “The mere existence of a regulatory compliance plan does not provide an organization with any assurance that its compliance program is effective.”
The answer: true. In fact, a poorly written compliance plan is probably more damaging than having no compliance plan at all. Why? An organization makes commitments and promises in its compliance plan that it is expected to fulfill. These commitments may establish even higher standards, and they are expected to be met. If it appears an organization is not serious about its compliance program, government and private agencies will have serious doubts about its credibility and integrity.

Consider this hypothetical: The typical compliance plan states that it will be reviewed and revised annually-but your compliance plan hasn’t been modified in the five years since it was written. What message does that send?

The Department of Health and Human Services’ Office of Inspector General (OIG) published the “OIG Compliance Program Guidance for Clinical Laboratories” on March 3, 1997, in the Federal Register. Since then, OIG has published a series of compliance program guidances for other healthcare organizations. These guidances explain to the healthcare industry the OIG’s expectations of compliance programs. The OIG’s principal guidance is based on the seven elements of The Federal Sentencing Guidelines Manual. Compliance programs must satisfactorily address these seven elements, at a minimum:

1. Compliance Officer and Committee
Some organizations either have no job descriptions for the compliance officer and committee, or the job descriptions are ambiguous and inaccurate. If the compliance officer, for example, does not have a job description, how can his or her performance be evaluated?

In addition, what if the job description for the compliance officer does not correspond with the duties contained in the compliance plan? In some situations, the compliance officer’s job description is all-inclusive when, in fact, the compliance officer does not perform all of the listed duties. Often, the compliance officer is too busy with other job responsibilities to effectively manage the compliance program. The same ambiguity applies to the compliance committee. Members of compliance committees sometimes say that they don’t know what their specific functions are or what is expected of them. Government agencies are not sympathetic, however. If an organization has a compliance program, it is expected to devote the necessary resources and time to make it effective.

Another common issue is the frequency of compliance committee meetings. Usually, the compliance plan will specify how often the meetings are to be conducted. Although the compliance plan might specify that meetings are to be held monthly, perhaps the compliance committee has met only four times during the last 12 months. Again, what message does this send, not only to the outside world, but also to the compliance committee members themselves?

Let’s go one step further and assume that the committee did not keep minutes, or that the minutes were maintained in a very sketchy format. How can anyone know what progress was made during the compliance committee meetings? Sometimes the meetings are, indeed, unproductive and stagnant; committee members say that they spin their wheels and don’t make any progress because they discuss the same issues over and over. This sort of performance raises questions about the seriousness of the committee’s efforts and the effectiveness of the compliance officer. Too often, organizations do not evaluate the compliance officer or the committee members on their performance.

Generally, compliance plans require periodic reporting to the board of directors; however, in many cases there is no evidence that such reports have been made.

2. Standards of Conduct/Policies and Procedures
A compliance plan should either include the organization’s standards of conduct, or these standards of conduct should be issued as a separate document. Regardless, they should be clearly written and disseminated to all employees and other affected persons. This, however, does not always occur. Often, people are confused in distinguishing between the compliance plan and the standards of conduct. Many employees mistakenly believe the standards of conduct are the organization’s compliance plan. Every employee and other affected person should sign an acknowledgment form that they have received and read the standards of conduct, as well as the compliance plan.

Organizations should be careful that the standards of conduct do not conflict with other policies. For example, the standards of conduct may say one thing and administrative or personnel policies may say something totally different, which can pose serious problems.

Policies and procedures also should be written and current. If policies and procedures are not presented in written format, employees may allege that they were told to do something by their supervisors that cannot be supported by written policies and procedures. Written policies and procedures provide clear guidance to employees, especially when new employees are hired. Policies and procedures should be updated regularly and accurately reflect the manner in which each department operates.

Frequently, the compliance plan specifies that each departmental policy should contain compliance guidance language. Frequently, however, departmental policies contain no such thing. This is cause for concern, because the overall organizational compliance plan is nothing more than a master blueprint. The real nuts-and-bolts work is performed at the departmental level, and the specific policies of each department need to contain compliance guidance relevant to its employees.

3. Education and Training
Education and training are major compliance concerns. Some compliance plans specify that the compliance officer shall ensure that all employees are properly trained. In reality, the compliance officer may not do any of the training. Other compliance plans state the compliance officer shall develop all training programs although, in reality, he or she does not.

It is very difficult, if not impossible, to separate compliance training from competency training; these two types of training programs go hand in hand. Yet, employees who have a tendency to be involved in risky situations frequently report that they see no concern from management about providing them with regular and effective training in job performance and error avoidance.

Another related concern is the lack of documentation or coordination relating to the compliance training. Typically, compliance plans specify that the documentation should be maintained in a centralized location. Furthermore, someone in the organization is normally responsible for coordinating staff education. Yet, much of the education may be fragmented among the departments, meaning that no one is centrally monitoring or documenting the amount of compliance training that employees are receiving. In view of this, how can there be any assurance that the employees who need the specialized compliance training are actually receiving it?

4. Hotline and Reporting Complaints
Organizations should maintain a hotline and other mechanisms to receive complaints. This process should protect the anonymity of persons filing complaints and protect them from retaliation. However, in some situations, the names of the complainants have been openly discussed among members of management and even among the compliance committee members. In addition, the compliance officer does not always investigate all complaints to the extent necessary to make a conclusion about the complaint. If the compliance officer believes that the complaints are frivolous or without merit, they are sometimes dismissed without investigation or with minimal questioning.

All complaints should be taken seriously and investigated to the extent necessary. The documentation should tell the entire story relative to a particular complaint, including how it was resolved. Sometimes, though, the documentation for the hotline calls and other complaints is inadequate.

Organizations may have a difficult time deciphering the difference between a complaint and a question. If the question is expressed as a concern, it should be investigated and documented like any other complaint.

Typically, very few hotline complaints are recorded, which raises questions about the hotline or complaint process, its operating effectiveness, and whether the employees and other designated persons are aware and trusting of the process. In these circumstances, we often find that there have been more complaints than are documented on the hotline log, but they have been resolved or dismissed before being documented.

5. Responding to Allegations and Disciplinary Action
Organizations should have a procedure for responding to allegations of improper or illegal activities. A protocol that designates whom to contact when an improper or illegal act might have occurred should be established. Sometimes this involves immediately contacting the compliance officer about the improper act, and sometimes it involves contacting legal counsel. This protocol, though, isn’t always followed. Occasionally the department supervisor or manager will initiate an investigation but not communicate his or her efforts to the compliance officer. Other times, organizations have discovered improper or illegal activities and not acted on them properly. Again, the documentation relating to the nature of the act, the investigation, and the resolution of the relevant issues is frequently inadequate to describe the relevant facts and details.

Some compliance plans specify that investigations should start within a specified number of days after a problem is identified and be completed within a specific time frame. Yet, some investigations either go on indefinitely or are never truly resolved. If the compliance plan requires that the investigations be started and completed within a certain time frame, the organization should take every measure to ensure that these requirements are met.

If any illegal or improper acts are discovered, the employee(s) involved should be disciplined appropriately. One common problem, however, is that the “punishment does not fit the crime.” Discipline for a serious offense may be miniscule or nonexistent. Some employees may not be punished as severely as others for committing the same type of act-sending another negative message about the seriousness of the compliance effort.

Some organizations rely on their personnel policies for determining the type of disciplinary action to be taken. Others lay out specific disciplinary actions relating to compliance violations. In either case, the compliance officer should be consulted by human resources to evaluate disciplinary action relating to a compliance matter.

6. Auditing and Monitoring
The “OIG Model Compliance Guidance for Long Term Care Facilities” recommends establishing monitoring and reporting mechanisms as a component of an organization’s compliance plan. Some plans accomplish this by defining their processes in general terms; others are more specific. Problems arise when an organization does not follow what it has outlined in the plan.

One way to effectively monitor compliance is to perform periodic random audits. These audits may be performed internally, or at other times external auditors or consultants should be used. For effective audits, a risk assessment should be performed to identify the areas that have the highest degree of risk in the organization. A work plan should be prepared that identifies areas to be audited and when the audits will be conducted. Some organizations either do not follow their work plans or do not complete all their assigned tasks. Even when an audit is conducted, its documentation is frequently insufficient. For example, there may not be any work papers or sufficient details allowing monitors to follow the trail of the work performed, or even a report to explain the nature of the findings and corrective action that was taken. Documentation for the audit should tell the whole story of the incident, what was found, and what corrective actions were taken.

Sometimes the investigations reveal systemic problems within an organization that require corrective actions, yet there is no change in policies and procedures. Sometimes self-reporting to a government or private agency monitoring for violations is required, but the disclosures aren’t made. Concealment of this type is considered a very serious offense and always should be avoided. Sometimes honest mistakes are made, requiring employee training on proper performance of duties and close monitoring of employees’ future work. If the organization either dismisses or ignores such problems, its commitment to compliance will again be called into question.

7. Background Checks
Organizations should have policies for conducting background checks of newly hired employees. Some background checks don’t include, however, searching the OIG Web site ( for Medicare-excluded individuals and entities. Sometimes physicians and other practitioners are not checked through the National Practitioner Database. In other cases, organizations may not include, as part of their background checks, reference checks or contacting previous employers. Background checks are important if organizations are to avoid delegating a high degree of authority and trust to individuals who have been convicted of serious offenses.

If your compliance plan says you will do something in a certain manner, you are expected to do it that way. The board and senior management should be committed to compliance. The board should be educated and informed on the initiatives of the compliance program. The compliance officer should communicate regularly with the person to whom he/she reports. The compliance officer and the compliance committee should take their jobs seriously, and devote sufficient time and resources to performing their duties. Department managers should supervise and train their employees to follow the laws, regulations, and policies to which they are subjected. Compliance should be part of each organization’s culture and engrained in every employee, person, and entity doing business with the organization. NH

Lawrence A. Fogel, principal, and Joseph M. Watt, partner, are members of BKD Health Care Group in Kansas City, Missouri. BKD is one of the 10 largest CPA and advisory firms in the country, with nearly 200 partners located in 26 offices in Arkansas, Colorado, Illinois, Indiana, Kansas, Kentucky, Missouri, Nebraska, Ohio, Oklahoma, and Texas. BKD Health Care Group includes more than 200 strategic planners, reimbursement consultants, professionals with intermediary or clinical experience, healthcare auditors, systems managers, employee benefits and human resources consultants, operations improvement managers, and tax professionals. For further information, e-mail Lawrence Fogel at or Joseph Watt at, phone (816) 221-6300, or visit To comment on this article, please send e-mail to

Topics: Articles , Facility management , Regulatory Compliance