On April 20, 2015, the Office of the Inspector General of the United States Department of Health and Human Services (“OIG”), in collaboration with the Association of Healthcare Internal Auditors, the American Health Lawyers Association and the Health Care Compliance Association, issued a new guidance document to assist governing boards of health care organizations in carrying out their oversight responsibilities. The document, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (“Guidance Manual”), updates and complements prior guidance issued by the OIG since 2003.

While most of the recommendations have been included in prior OIG publications, the Guidance Manual does include a number of practical tips related to board oversight of compliance activities and is another valuable tool for compliance officers and legal counsel to consider as they review and update their organization’s compliance program. The Guidance Document may be found here.


As the government continues to dedicate substantial resources to combat fraud and abuse in the health care industry, and the number of private whistleblower suits continues to increase, the need for a robust compliance program with appropriate board-level oversight is greater than ever. As the Guidance Document highlights, the health care industry is constantly evolving and health care governing boards must stay abreast of the ever-changing regulatory landscape and operating environment. An effective compliance program helps board members meet this obligation and reduces the organization’s risk of sanctions associated with non-compliance, including criminal and civil monetary penalties.

In an effort to assist health care organizations and their board members with the task of assessing the scope and adequacy of the organization’s compliance program, the Guidance Manual addresses several issues, including the:

  1. roles of, and relationships between, the organization’s audit, compliance, and legal departments;
  2. mechanism and process for issue-reporting within an organization;
  3. approach to identifying regulatory risk; and
  4. methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.

While the OIG reiterates its expectation that health care governing boards put forth meaningful effort to review the adequacy of existing compliance systems and functions, it also recognizes that each organization is unique, and as a result, the compliance program should be structured to meet the specific needs of the organization. As the OIG states in the Guidance Manual, “while smaller or less complex organizations must demonstrate the same degree of commitment to ethical conduct and compliance as larger organizations, the Government recognizes that they may meet the Guidelines’ requirements with less formality and fewer resources than would be expected of larger and more complex organizations.”

Below are some of the key highlights from the Guidance Manual.

Summary of Guidance

1. Clear Identification of Compliance Roles and Relationships

In an organization, there are a number of key players, whose interaction and cooperation should be outlined in compliance policies and managed by the board. The board should review and consider the multiple relationships within its organization, being sure department roles and responsibilities have been adopted and documents are in place that outline the structure, reporting relationships and interactions of these departments and roles. As the Guidance Manual frequently repeats, compliance is an organization-wide function, not the function of a single department.

The Guidance Manual specifically discusses the interrelationship of the audit, compliance and legal functions within an organization. Recognizing that an organization’s exact structure may depend on its size and the resources available to it, the OIG repeats its long-standing position that the compliance and legal functions should be independent of each other. In addition, the Guidance Manual recommends that the board understand how management approaches conflict or disagreements with respect to the resolution of compliance issues and how management decides on the appropriate course of action.

2. Reporting to the Board

An effective compliance program should include a reporting structure that ensures that the board receives regular compliance and risk reports. Ideally, the OIG suggests that the board receive separate and independent reports from a variety of key individuals, including those responsible for audit, compliance, human resources, legal, quality and information technology. The compliance program should detail how the board receives compliance-related information from management. The Guidance Manual states that a board may want to request the development of “objective scorecards” that measure the effectiveness of management in executing and implementing a compliance program.

In addition, the Guidance Manual recommends that the board ensure there are appropriate mechanisms in place to require timely reporting of suspected violations and to evaluate and implement remedial measures. Many compliance issues in health care organizations, including the obligation to report and refund identified overpayments within 60 days of discovery, require the board to take action in a timely manner.

3. Identifying and Auditing Potential Risk Areas

A number of areas unique to the health industry require close monitoring, such as referral relationships and arrangements, billing issues, privacy breaches, and quality-related events. The board must ensure that processes, including the evaluation of both internal and external information, are put into place to identify such risks, such as the use of compliance hotlines and internal audits. External sources such as professional organization publications, OIG-issued guidance, and news reports regarding the health care industry should also be reviewed and evaluated often. The Guidance Manual specifically mentions the need for the board to monitor new areas of risk, taking into account the increasing emphasis on quality, changes in insurance coverage and reimbursement and new forms of reimbursement (including value-based purchasing and bundled and global payments).

4. Encouraging Accountability and Compliance

Everyone within the organization is responsible for executing the compliance program, not just employees serving in audit, compliance or legal roles. Thus, the OIG recommends that the board adopt “a system of defined compliance goals and objectives against which performance may be measured and incentivized” which communicates the message that everyone is responsible for compliance. The Guidance Manual provides specific examples of how an organization can work to meet this goal, including instituting employee and executive compensation claw-back/recoupment provisions if certain compliance metrics are not met and making participation in incentive programs contingent on meeting annual compliance-focused goals.

The OIG again discusses the importance of organizations self-identifying compliance failures and voluntarily disclosing such failures to the Government in a timely manner, and recommends that boards ask management how it handles the identification and reporting of probable violations.


Individually, and collectively with prior guidance issued by the OIG, the Guidance Manual is a valuable educational resource to assist board members of health care organizations in responsibly carrying out their compliance plan oversight obligations under applicable law. Health care organizations, regardless of size, should use the Guidance Manual to help in developing, implementing or reviewing their compliance program.