This article was written by Rebecca Renna, Consulting Manager, Fox Pointe Solutions – a Division of The Bonadio Group
The purpose of a Compliance Program in any industry is to ensure that an organization is following all applicable laws, regulations, and ethical practices. The laws and regulations governing compliance are ever-changing and becoming more complex, so how does a Compliance Officer know if the Compliance Program that their organization has implemented is meeting all those regulatory requirements? More importantly, how does a Compliance Officer know if that program is effective?
The answer to both questions can be found by evaluating the Compliance Program via a Compliance Program Effectiveness Review. Taking a deep dive into assessing an organization’s Compliance Program provides evidence that the organization is not “willfully ignorant”[1] of violations against the Compliance Program. In 2023, the New York State Office of the Medicaid Inspector General began requiring organizations receiving Medicaid funding to complete an annual review assessing the effectiveness of their Compliance Program. It is no longer enough to meet all the regulations at face value – now, organizations need to prove the Compliance Program is working. Even if an organization is not currently required to assess the effectiveness of its Compliance Program, there is no better way to mitigate risks and identify opportunities for improvement.
Compliance Programs are required to have seven elements which include:
- Implementing written policies, procedures, and standards of conduct
- A Designated Compliance Officer and Compliance Committee
- Effective training and education
- Effective lines of communication
- Internal auditing and monitoring
- Enforcement of compliance standards through well-publicized disciplinary guidelines
- Prompt response to detected offenses and undertaking corrective action
How does an organization assess its Compliance Program? The first thing to remember is to keep it simple. You can determine if your Compliance Program is working without specialty software, statisticians, Excel spreadsheets, or pages and pages of audit questions. For each of the seven required elements of the Compliance Program, you need to answer four questions. All four questions are yes or no and there is no partial credit for having some but not all requirements.
For each of the seven required elements of the Compliance Program, you need to answer four questions:
- Is there a Compliance Plan and supporting policies and procedures to address the element?
- Have the policies and procedures that describe the organization’s method of complying with the element been implemented?
- Does the workforce understand the Compliance Plan and supporting policies and procedures as they relate to this element?
- Do the policies and procedures achieve the desired outcome?
The first two questions can be answered with a simple “yes” or “no” while the last two questions require requires communication and input from the organization’s workforce. Administering a survey or conducting interviews to determine the respondent’s understanding of the Compliance Program can be very helpful in answering the third question. The fourth question can be answered by testing your policies to determine if they have been implemented appropriately and if so, do they achieve the intended outcome.
Once you have answered the four questions for all seven elements, you should determine your overall effectiveness. If you answered “no” to 25% or more of the questions, the Compliance Program is likely not effective and requires revisions. Regardless of the overall effectiveness, elements where you answered “no” to any of the four questions require corrective actions and monitoring to determine if those corrective actions have had the desired impact.
While the process is not a difficult one, completing a thorough evaluation of an organization’s Compliance Program can be time-consuming and pull important resources away from operational necessities. One option is to engage a consultant who has expertise in conducting Compliance Program Effectiveness Reviews. An outside reviewer has the benefit of being unbiased and able to objectively look at your program while freeing you up to focus on the day-to-day needs of maintaining your Compliance Program.
Regardless of whether you are required to complete a Compliance Program Effectiveness Review, they are an excellent tool in determining where your risks may be and how you can improve your organization’s program. Just remember, do not overthink it, and be sure to make it a manageable process that adds value for your organization.
The Compliance Solutions team at FoxPointe Solutions, a division of The Bonadio Group, has been providing Outsourced Compliance Program Services for more than 20 years. If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to discuss your specific situation.
Rebecca Renna, CHC is a Consulting Manager of Compliance with FoxPointe Solutions, a division of The Bonadio Group. She has over 20 years of experience in healthcare and not-for-profit settings. Rebecca has held the positions of Corporate Compliance and Privacy Officer, Vice President of Quality and Compliance, and Director of Quality Assurance for organizations regulated by local, state, and federal laws. She also has a certification in Lean Six Sigma and brings extensive experience in Quality Management and Compliance, HIPAA/Privacy, and process improvement. Rebecca is a member of the Health Care Compliance Association and is Certified in Healthcare Compliance (CHC).
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal, or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.
[1] Federal Sentencing Guidelines: 2018 Chapter 8 – Sentencing of an Organization §8C2.5