The Health Care Director's Compliance Duties: A Continued Focus of

H e a l t h L a w y e r s ’ P u b l i c I n f o r m a t i o n S e r i e s

THE HEALTH CARE DIRECTOR’S COMPLIANCEDUTIES: A Continued Focus of Attention andEnforcementA Joint Publication from the Office of the Inspector General, U.S. Department of Health

and Human Services and the American Health Lawyers Association

“...to serve as a public resource on selected healthcare legal issues”

—From the Mission Statement of the American Health Lawyers Association

About the OrganizationsThe Health Care Director’s Compliance Duties: A Continued Focus of Attention and Enforcement is a compilation ofthree corporate compliance resources, originally issued in 2003, 2004, and 2007. Developed in collaborationbetween the American Health Lawyers Association(AHLA) and the Office of the Inspector General (OIG) ofthe United States Department of Health and Human Services (HHS), AHLA’s Corporate Responsibility Series

can assist directors of healthcare organizations carry out their oversight responsibilities.

The AHLA is the nation’s largest, nonpartisan, 501(c)(3) educational organization devoted to legal issuesin the healthcare field with more than 10,000 members. The OIG is the independent and objective over-sight unit of HHS, with a mission of promoting economy, efficiency, and effectiveness in the department’s

programs through the elimination of waste, abuse, and fraud.

Reissuance of the now consolidated corporate compliance guidebooks was made possible by the generous support of The Governance Institute. www.GovernanceInstitute.com

Contributing AuthorsJane Reister Conard, Senior Counsel, Intermountain Healthcare, Inc.

Douglas A. Hastings, Epstein Becker GreenMichael C. Hemsley, General Counsel & Vice President Corporate Compliance, Catholic Health East

Lewis Morris, Chief Counsel to the Inspector General, Office of Inspector General, U.S. Department of Health & Human Services

Michael W. Peregrine, McDermott Will & Emery

© Copyright 2010, 2011American Health Lawyers Association

All websites updated as of August 29, 2011.

This publication can be downloaded for free at www.healthlawyers.org/ComplianceDuties.Other resources in AHLA’s Public Information Series are available at

www.healthlawyers.org/PublicInterest.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, ortransmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise,without the express, written permission of the publisher. Provided, however, that this publication may bereproduced in part or in whole without permission from the publisher for non-commercial educationalpurposes designed to improve health in communities and increase access to healthcare or improve the

quality or maintain the cost of healthcare services. Any such community benefit distribution must be withoutcharge to recipients and must include an attribution to American Health Lawyers Association as follows:

“Copyright © 2010 by the American Health Lawyers Association and reproduced for the benefit of and topromote the health of the community served by the distributing organization.”

1620 Eye Street, NW, 6th FloorWashington, DC 20006-4010Telephone: (202) 833-1100

www.healthlawyers.org

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered.It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services.If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

— from a declaration of the American Bar Association

Contents

The Health Care Director’s Compliance Duties: A Continued Focus ofAttention and Enforcement

Foreword ....................................................................1 IV. Considerations for Health Care Boards......15

synopsis ....................................................................2 V. summary Considerations..............................18

A. Where the General Counsel Serves asthe Chief Compliance Officer ..............18

Corporate Responsibility and B. Where the Chief Compliance Officer Corporate Compliance is Separate from the General Counsel,

but reports to the General Counsel......19I. Introduction........................................................4 C. Where the Compliance Officer is

A. Fiduciary Responsibilities ......................4 Separate from and Does Not Report B. Purpose of this Document......................4 to the General Counsel ........................19

VI. Conclusion ......................................................19II. Duty of Care ......................................................5

Appendix A – Survey Results, Conducted III. the Unique Challenges of Health Careby the American Health Layers Association organization Directors ....................................6and Health Care Compliance Association ..............20

IV. the Development of Compliance

Programs............................................................7Corporate Responsibility and Health

V. suggested Questions for Directors ..............7 Care Quality

A. Structural Questions ..............................7I. Introduction......................................................26

B. Operational Questions ............................8

1) Code of Conduct ................................9 II. Board Fiduciary Duty and Quality in the

2) Policies and Procedures ....................9 Health Care setting ........................................26

A. Duty of Care..........................................273) Compliance Infrastructure ..................9B. Duty of Obedience to Corporate 4) Measures to Prevent Violations..........9

Purpose and Mission............................285) Measures to Respond to

C. Summary ..............................................28Violations ..........................................10

III. Defining Quality of Care and the CriticalVI. Conclusion ......................................................11need to Implement Quality Initiatives..........29

An Integrated Approach to Corporate IV. the Government’s Role in enforcing

Health Care Quality ........................................31Compliance

V. Health Care Board Fiduciary Duty andI. Introduction......................................................12

Quality ..............................................................32

II. the Role of General Counsel........................13VI. suggested Questions for Directors ............33

III. An Integrated Response to CorporateVII. Conclusion ......................................................36

Compliance ......................................................14

FoReWoRD

Since the initial publication of the three corporateresponsibility resource guides by the AmericanHealth Lawyers Association (AHLA) and the Officeof the Inspector General (OIG), U.S. Departmentof Health and Human Services (HHS), interest inthe fiduciary duty of health care boards of direc-tors, as it relates to compliance and quality, hascontinued to increase. Quality, cost efficiency,waste, and fraud are issues that are even moremeaningful in light of the current health carereform debate.

In a recent survey1 of published articles ongoverning board functions and responsibilities, the findings showed a very large increase in sucharticles published this decade. In the early 2000s,however, only a small minority of these related toquality and safety. By the late 2000s, nearly halfrelated to quality and safety.

We note just a few specific examples of recentinterest in the role of health care boards andquality of care: The Joint Commission, in 2007,published Getting the Board on Board: What YourBoard Needs to Know about Quality and Patient Safety;the Institute for Healthcare Improvement, in 2006,published a white paper entitled Leadership Guide toPatient Safety; and the National Quality Forum, in2004, published Hospital Governing Boards andQuality of Care: A Call to Responsibility.

The three articles in this AHLA-OIG CorporateResponsibilities Series now being reissued by TheGovernance Institute progressed in a similar direction—from a focus on defining the board’sduty of care in the post-Sarbanes-Oxley and healthcare regulatory compliance context through acareful look at the roles of the general counsel andthe chief compliance officer, to a specific look atcorporate responsibility and health care quality.

Meanwhile, developments in corporate governance,fiduciary liability, non-profit organization oversight,and related areas continue to influence fiduciaryduty in the health care setting. Case law continuesto address standards of director conduct.2 The IRShas stepped up its activities in the non-profit arena,

both with the release of its more detailed Form 990and further guidance on corporate governance.The economic crisis of 2008–2009 has broughtrenewed scrutiny of boards of directors’ actions,including those of non-profit boards.3

State and federal enforcement agencies also aredemonstrating a growing recognition of the role ofhealth care boards in promoting quality of careand ensuring compliance with federal health careprogram rules. In a number of cases involving theprovision of substandard care to Medicare andMedicaid patients, the responsible medical profes-sional and the hospital have been held responsiblefor the failure to provide quality care. In a numberof recent fraud settlements, the OIG has imposedcorporate integrity agreements that require boardsto provide heightened scrutiny of their institu-tions’ compliance systems and to take responsi-bility for the effectiveness of internal controls. TheNew York State Office of Medicaid InspectorGeneral also has a specific focus on complianceoversight obligations of governing boards andstated its intention to pursue enforcement actionsin the appropriate cases.

The ongoing efforts to reform the nation’s health caresystem also implicate the boards of health careinstitutions. As part of the movement to improveoutcomes and reduce health care costs, Medicare andMedicaid are beginning to link hospital payments tothe quality of care. In addition to financially rewardinghospitals that improve care, Medicare and some otherpublic and private insurers also are starting to refusepayment for preventable errors. As the link betweenpayment and quality of care grows, boards will need tobe involved in the oversight of the care provided bytheir health care institutions.

In light of these developments, the three resourceguides in this AHLA-OIG Corporate ResponsibilitySeries are increasingly relevant for boards of healthcare organizations. We are grateful to TheGovernance Institute for its support and assistance inmaking this information available.

1 See William J. Oetgen, MD, MBA, The Governing Board’s Quality Agenda, An Overview, Prescriptions for Excellence in Healthcare,Jefferson School of Population Health and Lilly USA, LLC, Issue 5, Summer 2009.

2 See Lyondell Chemical Co. v. Ryan, C.A. No. 401, 2008 (Del. March 25, 2009) and In re Citigroup Inc. Shareholder DerivativeLitigation, 964 A.2d. 106 (Del. Ch. 2009).

3 See Lehman Board Faulted for Excessive Pay, Poor Governance Practices in Face of Crisis, BNA’s Corporate Accountability Reporter, Vol. 6, No. 40,October 10, 2008, and Carrie Coolidge, Blumenthal May Investigate Charities Ripped Off by Madoff, Forbes.com, December 22, 2008.

1

synoPsIs

The AHLA-OIG Corporate Responsibility Series(Series) consists of three corporate complianceguidance resources:

• Corporate Responsibility and Corporate Compliance (2003)

• An Integrated Approach to Corporate Compliance (2004)

• Corporate Responsibility and Health Care Quality (2007)

Individually and collectively, the components ofthis Series were intended as an educationalresource to assist governing board members ofhealth care organizations to more responsibly carryout their compliance plan oversight obligationsunder applicable law.

Given the increasing emphasis on corporatecompliance from legislative, regulatory, and publicpolicy perspectives, the need to provide board-levelcompliance guidance is greater than ever. For thesereasons, the Series is being reissued, with thegracious assistance of The Governance Institute.The following is an “executive briefing” synopsis ofeach of the three components of the Series.

Corporate Responsibility andCorporate Compliance

☑ Theme: The expansion of health care regulatoryenforcement and compliance activities and height-ened attention being given to the responsibilities ofhealth care directors are critically important to allhealth care organizations. It is thus appropriate toevaluate the health care board’s unique fiduciaryduty of compliance plan oversight and how thatduty may be satisfied.

☑ Key Points:• The duty of compliance plan oversight arises

from the director’s fundamental fiduciary dutyof care.

• Specifically, “[A] director’s obligations include aduty to attempt in good faith to assure that acorporate information and reporting system,which the board concludes is adequate, exists,and that failure to do so under some circum-stances, may, in theory at least, render a directorliable for losses caused by non-compliance withapplicable legal standards.” This is the so-calledCaremark standard.4

• The circumstances of each organization differand application of the duty of care and

consequent reasonable inquiry will need to be tailored to each specific set of facts andcircumstances.

☑ Practical Applications: While the opinion inCaremark established a board’s duty to oversee acompliance program, it did not enumerate a specificmethodology for doing so. This particular complianceresource is designed to assist health care directors inexercising that responsibility by offering a series ofsuggested questions for directors. Several “structural”questions explore the board’s understanding of thescope of the organization’s compliance program. Theremaining questions are directed to the operations ofthe compliance program and may facilitate theboard’s understanding of its compliance program.

☑ Why Still Relevant: Regulators and other thirdparties continue to evaluate the board’s exercise ofits compliance plan oversight duties. For example,the New York State Medicaid Inspector General hasmade it clear by regulation that directors may beheld accountable for ineffective oversight thatcontributes to compliance violations. Further, aseries of decisions of the influential Delawarecourts continue to apply the framework of theCaremark standard.

An Integrated Approach toCorporate Compliance

☑ Theme: The health care entity governing boardplays an important role in reconciling differing views(e.g., legislative, OIG, American Bar Association)regarding the proper role of the general counsel inhealth care compliance. The governing boardshould monitor the roles of the general counsel andthe chief compliance officer in supporting theboard’s compliance oversight responsibilities.

☑ Key Points:• Recent developments in the corporate and

securities world have refocused attention on effective corporate governance and the role ofthe general counsel in promoting ethicalconduct and compliance with the law.

• Consideration of the role of the generalcounsel in overseeing compliance programshas been ongoing.

• The OIG has historically perceived some riskwhere an otherwise independent compliancefunction is subordinate to the general counselor financial officer.

4 In re Caremark International Inc. Derivative Legislation, 698 A.2d 959 (Del. Cn. 1996).

2

synoPsIs

• The Code of Professional Responsibility inmany states requires lawyers to report “up theladder” violations of the law by officers,employees, or agents.

• The American Bar Association has taken theview that the general counsel should haveprimary responsibility for assuring the imple-mentation of an effective legal compliancesystem under the board’s oversight.

• A board member overseeing the compliance function should understand how the organiza-tion is addressing the issue of the role of thegeneral counsel and chief compliance officer inthe implementation of the organization’scompliance plan.

☑ Practical Applications: This particular complianceresource includes a series of suggested questions/areas of inquiry that directors should pursue toensure that (a) the board understands the role ofthe general counsel and the chief compliance officerin supporting the organization’s corporate compli-ance program, and (b) appropriate processes are inplace to assure the board that it receives appropriateinformation and candid assessments arising out ofthe compliance program in a timely manner. Thesesuggested questions and related commentary recognize that boards may consider a variety ofapproaches in addressing these issues.

☑ Why Still Relevant: The interplay between thegeneral counsel and the chief compliance officerremains of critical importance, especially as itrelates to the board’s ability to receive reports oncompliance in a coordinated, comprehensivemanner. Further, as recent Corporate IntegrityAgreements have noted, the OIG continues tobelieve that compliance “checks and balances” aremore effectively maintained when the compliancefunction is separated from management functions(e.g., the general counsel).

Corporate Responsibility andHealth Care Quality

☑ Theme: With a new era of focus on quality andpatient safety rapidly emerging, oversight of qualityis becoming more clearly recognized as a core fidu-ciary responsibility of health care organizationdirectors. Boards have distinct compliance-relatedresponsibilities in this area because quality of care

is perceived as an enforcement priority for healthcare regulators.

☑ Key Points:• Director obligations to monitor organizational

quality of care arise from three particular bases:1) the basic duty of care and the director’s obligation to oversee day-to-day corporate operations; 2) the related duty to oversee thecompliance program; and 3) the duty of obedience to corporate purpose/mission (e.g., conduct of the institution as a hospital).

• These duties are in addition to traditionalboard obligations with respect to supervisingmedical staff credentialing decisions.

• Many new financial relationships addressquality of care issues, e.g., pay-for-performanceprograms, gainsharing, and outcomes manage-ment arrangements, among others.

• Government enforcement authorities are increasingly focusing on the quality of careprovided to beneficiaries of federal and statehealth care programs and the organization’srelated legal liability profile.

☑ Practical Applications: This particular compli-ance resource seeks to help the health entity boardas it develops an understanding of relevant qualityand patient safety issues, and focuses on perform-ance goals that help the organization provide thebest quality and most efficient care. Accordingly,this resource includes a series of suggested ques-tions that may be helpful as the board examinesthe scope and operation of the organization’squality and safety initiatives.

☑ Why Still Relevant: Health care quality andpatient safety issues are at the forefront of multiplehealth care reform initiatives at both the federaland state level. Amendments to the False ClaimsAct increase the potential for substantial quality ofcare-based and similar enforcement actions relatedto quality of care concerns. Recent regulatoryinitiatives by the New York State Medicaid InspectorGeneral demonstrate how quality of care oversightcan be interpreted as a component part of an“effective” corporate compliance plan for a healthcare provider.

3

CORPORATE RESPONSIBILITy AND CORPORATE COMPLIANCE

I. Introduction

As corporate responsibility issues fill the headlines,corporate directors are coming under greaterscrutiny. The Sarbanes-Oxley Act, state legislation,agency pronouncements, court cases, and scholarlywritings offer a myriad of rules, regulations, prohi-bitions, and interpretations in this area. While allBoards of Directors must address these issues,directors of health care organizations also haveimportant responsibilities that need to be metrelating to corporate compliance requirementsunique to the health care industry. The expansionof health care regulatory enforcement and compli-ance activities and the heightened attention beinggiven to the responsibilities of corporate directorsare critically important to all health care organiza-tions. In this context, enhanced oversight of corpo-rate compliance programs is widely viewed asconsistent with and essential to ongoing federaland state corporate responsibility initiatives.

Our complex health care system needs dedicatedand knowledgeable directors at the helm of bothfor-profit and non-profit corporations. This educa-tional resource, co-sponsored by the Office ofInspector General (OIG) of the U.S. Department ofHealth and Human Services (HHS), and theAmerican Health Lawyers Association (AHLA), theleading health law educational organization, seeksto assist directors of health care organizations incarrying out their important oversight responsibili-ties in the current challenging health care environ-ment. Improving the knowledge base and effective-ness of those serving on health care organizationboards will help to achieve the important goal ofcontinuously improving the U.S. health care system.

A. Fiduciary Responsibilites

The fiduciary duties of directors reflect the expecta-tion of corporate stakeholders regarding oversightof corporate affairs. The basic fiduciary duty of careprinciple, which requires a director to act in goodfaith with the care an ordinarily prudent personwould exercise under similar circumstances, is beingtested in the current corporate climate. Personalliability for directors, including removal, civildamages, and tax liability, as well as damage to repu-tation, appears not so far from reality as once widelybelieved. Accordingly, a basic understanding of thedirector’s fiduciary obligations and how the duty ofcare may be exercised in overseeing the company’scompliance systems has become essential.

Embedded within the duty of care is the concept ofreasonable inquiry. In other words, directors shouldmake inquiries to management to obtain informationnecessary to satisfy their duty of care. Although in theCaremark case, also discussed later in this educationalresource, the court found that the Caremark boarddid not breach its fiduciary duty, the court’s opinionalso stated the following: “[A] director’s obligationincludes a duty to attempt in good faith to assure thata corporate information and reporting system, whichthe Board concludes is adequate, exists, and thatfailure to do so under some circumstances, may, intheory at least, render a director liable for lossescaused by non-compliance with applicable legal stan-dards.” Clearly, the organization may be at risk anddirectors, under extreme circumstances, also may beat risk if they fail to reasonably oversee the organiza-tion’s compliance program or act as mere passiverecipients of information.

On the other hand, courts traditionally have beenloath to second-guess Boards of Directors that havefollowed a careful and thoughtful process in theirdeliberations, even where ultimate outcomes forthe corporation have been negative. Similarly,courts have consistently upheld the distinctionbetween the duties of Boards of Directors and theduties of management. The responsibility of direc-tors is to provide oversight, not manage day-to-dayaffairs. It is the process the Board follows in estab-lishing that it had access to sufficient informationand that it has asked appropriate questions that ismost critical to meeting its duty of care.

B. Purpose of this Document

This educational resource is designed to helphealth care organization directors ask knowledge-able and appropriate questions related to healthcare corporate compliance. These questions arenot intended to set forth any specific standard ofcare. Rather, this resource will help corporate direc-tors to establish, and affirmatively demonstrate, thatthey have followed a reasonable compliance over-sight process.

Of course, the circumstances of each organizationdiffer and application of the duty of care andconsequent reasonable inquiry will need to betailored to each specific set of facts and circum-stances. However, compliance with the fraud andabuse laws and other federal and state regulatorylaws applicable to health care organizations isessential for the lawful behavior and corporatesuccess of such organizations. While these laws canbe complex, effective compliance is an asset for

4

both the organization and the health care deliverysystem. It is hoped that this educational resource isuseful to health care organization directors in exer-cising their oversight responsibilities and supportstheir ongoing efforts to promote effective corpo-rate compliance.

II. Duty of Care

Of the principal fiduciary obligations/duties owedby directors to their corporations, the one dutyspecifically implicated by corporate complianceprograms is the duty of care.1

As the name implies, the duty of care refers to theobligation of corporate directors to exercise theproper amount of care in their decision-makingprocess. State statutes that create the duty of careand court cases that interpret it usually are identicalfor both for-profit and non-profit corporations.

In most states, duty of care involves determiningwhether the directors acted (1) in “good faith,” (2) with that level of care that an ordinarily prudentperson would exercise in like circumstances, and(3) in a manner that they reasonably believe is inthe best interest of the corporation. In analyzingwhether directors have complied with this duty, it is necessary to address each of these elementsseparately.

The “good faith” analysis usually focuses uponwhether the matter or transaction at hand involvesany improper financial benefit to an individual,and/or whether any intent exists to take advantageof the corporation (a corollary to the duty ofloyalty). The “reasonable inquiry” test asks whetherthe directors conducted the appropriate level of due diligence to allow them to make an informeddecision. In other words, directors must be aware ofwhat is going on about them in the corporate busi-ness and must, in appropriate circumstances, makesuch reasonable inquiry as would an ordinarilyprudent person under similar circumstances. Finally,directors are obligated to act in a manner that theyreasonably believe to be in the best interests of thecorporation. This normally relates to the directors’state of mind with respect to the issues at hand.

In considering directors’ fiduciary obligations, it isimportant to recognize that the appropriate stan-

dard of care is not “perfection.” Directors are notrequired to know everything about a topic they areasked to consider. They may, where justified, relyon the advice of management and outside advisors.

Furthermore, many courts apply the “business judg-ment rule” to determine whether a director’s dutyof care has been met with respect to corporatedecisions. The rule provides, in essence, that adirector will not be held liable for a decision madein good faith, where the director is disinterested,reasonably informed under the circumstances, andrationally believes the decision to be in the bestinterest of the corporation.

Director obligations with respect to the duty of carearise in two distinct contexts:

• The Decision-Making Function: The applicationof duty of care principles to a specific decisionor a particular board action, and

• The Oversight Function: The application of dutyof care principles with respect to the generalactivity of the board in overseeing the day-to-day business operations of the corporation, i.e.,the exercise of reasonable care to assure thatcorporate executives carry out their manage-ment responsibilities and comply with the law.

Directors’ obligations with respect to corporatecompliance programs arise within the context ofthat oversight function. The leading case in thisarea, viewed as applicable to all health care organi-zations, provides that a director has two principalobligations with respect to the oversight function. A director has a duty to attempt in good faith toassure that (1) a corporate information andreporting system exists, and (2) this reportingsystem is adequate to assure the board that appro-priate information as to compliance with applicablelaws will come to its attention in a timely manner asa matter of ordinary operations.2 In Caremark, thecourt addressed the circumstances in which corpo-rate directors may be held liable for breach of theduty of care by failing to adequately supervisecorporate employees whose misconduct caused thecorporation to violate the law.

In its opinion, the Caremark court observed thatthe level of detail that is appropriate for such aninformation system is a matter of business judg-ment. The court also acknowledged that no

1 The other two core fiduciary duty principals are the duty of loyalty and the duty of obedience to purpose.2 In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). A shareholder sued the Board of Directors of

Caremark for breach of the fiduciary duty of care. The lawsuit followed a multi-million dollar civil settlement and criminal plearelating to the payment of kickbacks to physicians and improper billing to federal health care programs.

5

UnIQUe CHAllenGes

rationally designed information and reportingsystem will remove the possibility that the corpora-tion will violate applicable laws or otherwise fail toidentify corporate acts potentially inconsistent withrelevant law.

Under these circumstances, a director’s failure toreasonably oversee the implementation of acompliance program may put the organization atrisk and, under extraordinary circumstances,expose individual directors to personal liability forlosses caused by the corporate non-compliance.3Of course, crucial to the oversight function is thefundamental principle that a director is entitled torely, in good faith, on officers and employees aswell as corporate professional experts/advisors inwhom the director believes such confidence ismerited. A director, however, may be viewed as notacting in good faith if she is aware of factssuggesting that such reliance is unwarranted.

In addition, the duty of care test involving reason-able inquiry has not been interpreted to require thedirector to exercise “proactive vigilance” or to“ferret out” corporate wrongdoing absent a partic-ular warning or a “red flag.” Rather, the duty tomake reasonable inquiry increases when “suspicionsare aroused or should be aroused”—that is, when thedirector is presented with extraordinary facts orcircumstances of a material nature (e.g., indicationsof financial improprieties, self-dealing, or fraud), ora major governmental investigation. Absent thepresence of suspicious conduct or events, directorsare entitled to rely on the senior leadership team inthe performance of its duties. Directors are nototherwise obligated to anticipate future problems ofthe corporation.

Thus, in exercising her duty of care, the director isobligated to exercise general supervision andcontrol with respect to corporate officers. However,once presented (through the compliance programor otherwise) with information that causes (orshould cause) concerns to be aroused, the directoris then obligated to make further inquiry until suchtime as her concerns are satisfactorily addressedand favorably resolved. Thus, while the corporatedirector is not expected to serve as a complianceofficer, she is expected to oversee senior manage-ment’s operation of the compliance program.

III. The Unique Challenges ofHealth Care OrganizationDirectors

The health care industry operates in a heavily regu-lated environment with a variety of identifiable riskareas. An effective compliance program helps miti-gate those risks. In addition to the challenges asso-ciated with patient care, health care providers aresubject to voluminous and sometimes complex setsof rules governing the coverage and reimburse-ment of medical services. Because federal and state-sponsored health care programs play such a signifi-cant role in paying for health care, material non-compliance with these rules can present substantialrisks to the health care provider. In addition torecoupment of improper payments, the Medicare,Medicaid and other government health careprograms can impose a range of sanctions againsthealth care businesses that engage in fraudulentpractices.

Particularly given the current “corporate responsi-bility” environment, health care organizationdirectors should be concerned with the manner in which they carry out their duty to overseecorporate compliance programs. Depending uponthe nature of the corporation, there are a varietyof parties that might in extreme circumstancesseek to hold corporate directors personally liablefor allegedly breaching the duty of oversight withrespect to corporate compliance. With respect tofor-profit corporations, the most likely individualsto bring a case against the directors are corporateshareholders in a derivative suit, or to a limiteddegree, a regulatory agency such as the Securitiesand Exchange Commission. With respect to non-profit corporations, the most likely person toinitiate such action is the state attorney general,who may seek equitable relief against the director(e.g., removal) or damages. It is also possible(depending upon state law) that a dissentingdirector, or the corporate member, could assert aderivative-type action against the directorsallegedly responsible for the “inattention,” seekingremoval or damages.

Over the last decade, the risks associated with non-compliance have grown dramatically. The govern-ment has dedicated substantial resources, includingthe addition of criminal investigators and prosecu-tors, to respond to health care fraud and abuse. In

3 Law is not static, and different states will have different legal developments and standards. Standards may also vary depending onwhether an entity is for profit or non-profit. Boards of public health care entities may have additional statutory obligations andshould be aware of state and federal statutory requirements applicable to them.

6

addition to government investigators and auditors,private whistleblowers play an important role inidentifying allegedly fraudulent billing schemesand other abusive practices. Health care providerscan be found liable for submitting claims for reim-bursement in reckless disregard or deliberate igno-rance of the truth, as well as for intentional fraud.Because the False Claims Act authorizes the imposi-tion of damages of up to three times the amount ofthe fraud and civil monetary penalties of $11,000per false claim, record level fines and penaltieshave been imposed against individuals and healthcare organizations that have violated the law.

In addition to criminal and civil monetary penalties,health care providers that are found to havedefrauded the federal health care programs may beexcluded from participation in these programs. Theeffect of an exclusion can be profound becausethose excluded will not receive payment underMedicare, Medicaid or other federal health careprograms for items or services provided to programbeneficiaries. The authorities of the OIG provide formandatory exclusion for a minimum of five years fora conviction with respect to the delivery of a healthcare item or service. The presence of aggravatingcircumstances in a case can lead to a lengthierperiod of exclusion. Of perhaps equal concern toboard members, the OIG also has the discretion toexclude providers for certain conduct even absent acriminal conviction. Such conduct includes partici-pation in a fraud scheme, the payment or receipt ofkickbacks, and failing to provide services of a qualitythat meets professionally recognized standards. Inlieu of imposing exclusion in these instances, theOIG may require an organization to implement acomprehensive compliance program, requiringindependent audits, OIG oversight and annualreporting requirements, commonly referred to as aCorporate Integrity Agreement.

IV. The Development ofCompliance Programs

In light of the substantial adverse consequencesthat may befall an organization that has beenfound to have committed health care fraud, thehealth care industry has embraced efforts toimprove compliance with federal and state healthcare program requirements. As a result, manyhealth care providers have developed active compli-ance programs tailored to their particular circum-stances. A recent survey by the Health CareCompliance Association, for example, has foundthat in just three years, health care organizationswith active compliance programs have grown from

55 percent in 1999 to 87 percent in 2002. Insupport of these efforts, the OIG has developed aseries of provider-specific compliance guidances.These voluntary guidelines identify risk areas andoffer concrete suggestions to improve and enhancean organization’s internal controls so that its billingpractices and other business arrangements are incompliance with Medicare’s rules and regulations.

As compliance programs have matured and new chal-lenges have been identified, health care organizationboards of directors have sought ways to help theirorganization’s compliance program accomplish itsobjectives. Although health care organization direc-tors may come from diverse backgrounds and busi-ness experiences, an individual director can make avaluable contribution toward the compliance objec-tive by asking practical questions of management andcontributing her experiences from other industries.While the opinion in Caremark established a Board’sduty to oversee a compliance program, it did notenumerate a specific methodology for doing so. It istherefore important that directors participate in thedevelopment of this process. This educationalresource is designed to assist health care organizationdirectors in exercising that responsibility.

V. Suggested Questions forDirectors

Periodic consideration of the following questionsand commentary may be helpful to a health careorganization’s Board of Directors. The structuralquestions explore the Board’s understanding of thescope of the organization’s compliance program.The remaining questions, addressing operationalissues, are directed to the operations of the compli-ance program and may facilitate the Board’s under-standing of the vitality of its compliance program.

A. Structural Questions

1. How is the compliance program structuredand who are the key employees responsiblefor its implementation and operation? Howis the Board structured to oversee compli-ance issues?

The success of a compliance program reliesupon assigning high-level personnel tooversee its implementation and operations.The Board may wish as well to establish acommittee or other subset of the Board tomonitor compliance program operationsand regularly report to the Board.

7

sUGGesteD QUestIons

2. How does the organization’s compliancereporting system work? How frequently doesthe Board receive reports about complianceissues?

Although the frequency of reports on the statusof the compliance program will depend onmany circumstances, health care organizationBoards should receive reports on a regular basis.Issues that are frequently addressed include (1) what the organization has done in the pastwith respect to the program and (2) what stepsare planned for the future and why those stepsare being taken.

3. What are the goals of the organization’scompliance program? What are the inherentlimitations in the compliance program? How does the organization address theselimitations?

The adoption of a corporate complianceprogram by an organization creates standardsand processes that it should be able to relyupon and against which it may be heldaccountable. A solid understanding of therationale and objectives of the complianceprogram, as well as its goals and inherent limi-tations, is essential if the Board is to evaluatethe reasonableness of its design and the effec-tiveness of its operation. If the Board hasunrealistic expectations of its complianceprogram, it may place undue reliance on itsability to detect vulnerabilities. Furthermore,compliance programs will not prevent allwrongful conduct and the Board should besatisfied that there are mechanisms to ensuretimely reporting of suspected violations and toevaluate and implement remedial measures.

4. Does the compliance program address thesignificant risks of the organization? Howwere those risks determined and how arenew compliance risks identified and incorpo-rated into the program?

Health care organizations operate in a highlyregulated industry and must address variousstandards, government program conditionsof participation and reimbursement, andother standards applicable to corporate citi-zens irrespective of industry. A comprehen-sive ongoing process of compliance riskassessment is important to the Board’s aware-ness of new challenges to the organizationand its evaluation of management’s prioritiesand program resource allocation.

5. What will be the level of resources necessaryto implement the compliance program asenvisioned by the Board? How has manage-ment determined the adequacy of theresources dedicated to implementing andsustaining the compliance program?

From the outset, it is important to have arealistic understanding of the resourcesnecessary to implement and sustain thecompliance program as adopted by theBoard. The initial investment in establishinga compliance infrastructure and training theorganization’s employees can be significant.With the adoption of a compliance program,the organization is making a long termcommitment of resources because effectivecompliance systems are not static programsbut instead embrace continuous improve-ment. Quantifying the organization’s invest-ment in compliance efforts gives the Boardthe ability to consider the feasibility ofimplementation plans against complianceprogram goals. Such investment may includeannual budgetary commitments as well asdirect and indirect human resources dedi-cated to compliance. To help ensure that theorganization is realizing a return on itscompliance investment, the Board alsoshould consider how management intendsto measure the effectiveness of its compli-ance program. One measure of effectivenessmay be the Board’s heightened sensitivity tocompliance risk areas.

B. Operational Questions

The following questions are suggested to assist theBoard in its periodic evaluation of the effectivenessof the organization’s compliance program and thesufficiency of its reporting systems.

1. Code of Conduct—How has the Code ofConduct or its equivalent been incorporated intocorporate policies across the organization? Howdo we know that the Code is understood andaccepted across the organization? Has manage-ment taken affirmative steps to publicize theimportance of the Code to all of its employees?

Regardless of its title, a Code of Conduct isfundamental to a successful complianceprogram because it articulates the organiza-tion’s commitment to ethical behavior. TheCode should function in the same way as aconstitution, i.e., as a document that detailsthe fundamental principles, values, and

8

framework for action within the organiza-tion. The Code of Conduct helps define theorganization’s culture—all relevant oper-ating policies are derivative of its principles.As such, codes are of real benefit only ifmeaningfully communicated and acceptedthroughout the organization.

2. Policies and Procedures—Has the organiza-tion implemented policies and proceduresthat address compliance risk areas and established internal controls to counterthose vulnerabilities?

If the Code of Conduct reflects the organiza-tion’s ethical philosophy, then its policies andprocedures represent the organization’sresponse to the day-to-day risks that it confrontswhile operating in the current health caresystem. These policies and procedures helpreduce the prospect of erroneous claims, aswell as fraudulent activity by identifying andresponding to risk areas. Because compliancerisk areas evolve with the changing reimburse-ment rules and enforcement climate, the orga-nization’s policies and procedures also needperiodic review and, where appropriate, revi-sion.4 Regular consultation with counsel,including reports to the Board, can assist theBoard in its oversight responsibilities in thischanging environment.

3. Compliance Infrastructurea. Does the Compliance Officer have

sufficient authority to implement thecompliance program? Has managementprovided the Compliance Officer withthe autonomy and sufficient resourcesnecessary to perform assessments andrespond appropriately to misconduct?

Designating and delegating appropriateauthority to a compliance officer is essentialto the success of the organization’s compli-ance program. For example, the ComplianceOfficer must have the authority to review alldocuments and other information that arerelevant to compliance activities. Boardsshould ensure that lines of reporting withinmanagement and to the Board, and fromthe Compliance Officer and consultants, aresufficient to ensure timely and candidreports for those responsible for the compli-

ance program. In addition, the ComplianceOfficer must have sufficient personnel andfinancial resources to implement fully allaspects of the compliance program.

b. Have compliance-related responsibilitiesbeen assigned across the appropriatelevels of the organization? Are employeesheld accountable for meeting thesecompliance-related objectives duringperformance reviews?

The successful implementation of acompliance program requires the distri-bution throughout the organization ofcompliance-related responsibilities. The Board should satisfy itself thatmanagement has developed a system thatestablishes accountability for properimplementation of the complianceprogram. The experience of many organi-zations is that program implementationlags where there is poor distribution ofresponsibility, authority and accountabilitybeyond the Compliance Officer.

4. Measures to Prevent Violationsa. What is the scope of compliance-related

education and training across the organi-zation? Has the effectiveness of suchtraining been assessed? What policies/measures have been developed to enforcetraining requirements and to provideremedial training as warranted?

A critical element of an effective compli-ance program is a system of effectiveorganization-wide training on compliancestandards and procedures. In addition,there should be specific training on identi-fied risk areas, such as claims developmentand submission and marketing practices.Because it can represent a significantcommitment of resources, the Boardshould understand the scope and effective-ness of the educational program to assessthe return on that investment.

b. How is the Board kept apprised of signifi-cant regulatory and industry develop-ments affecting the organization’s risk?How is the compliance program struc-tured to address such risks?

4 There are a variety of materials available to assist health care organizations in this regard. For example, both sponsoring organizations of this educational resource offer various materials and guidance, accessible through their web sites, www.healthlawyers.org and www.oig.hhs.gov.

9

sUGGesteD QUestIons

The Board’s oversight of its complianceprogram occurs in the context of signifi-cant regulatory and industry developmentsthat impact the organization not only as ahealth care organization but more broadlyas a corporate entity. Without such infor-mation, it cannot reasonably assess thesteps being taken by management to mitigate such risks and reasonably rely onmanagement’s judgment.

c. How are “at risk” operations assessedfrom a compliance perspective? Is confor-mance with the organization’s complianceprogram periodically evaluated? Does theorganization periodically evaluate theeffectiveness of the compliance program?

Compliance risk is further mitigatedthrough internal review processes.Monitoring and auditing provide earlyidentification of program or operationalweaknesses and may substantially reduceexposure to government or whistleblowerclaims. Although many assessment tech-niques are available, one effective tool isthe performance of regular, periodiccompliance audits by internal or externalauditors. In addition to evaluating theorganization’s conformance with reim-bursement or other regulatory rules, orthe legality of its business arrangements,an effective compliance program periodi-cally reviews whether the complianceprogram’s elements have been satisfied.

d. What processes are in place to ensure thatappropriate remedial measures are takenin response to identified weaknesses?

Responding appropriately to deficienciesor suspected non-compliance is essential.Failure to comply with the organization’scompliance program, or violation ofapplicable laws and other types of miscon-duct, can threaten the organization’sstatus as a reliable and trustworthyprovider of health care. Moreover, failureto respond to a known deficiency may beconsidered an aggravating circumstancein evaluating the organization’s potentialliability for the underlying problem.

5. Measures to Respond to Violationsa. What is the process by which the organiza-

tion evaluates and responds to suspectedcompliance violations? How are reportingsystems, such as the compliance hotline,monitored to verify appropriate resolu-tion of reported matters?

Compliance issues may range from simpleoverpayments to be returned to the payorto possible criminal violations. The Board’sduty of care requires that it explore whetherprocedures are in place to respond to cred-ible allegations of misconduct and whethermanagement promptly initiates correctivemeasures. Many organizations take discipli-nary actions when a responsible employee’sconduct violates the organization’s Code ofConduct and policies. Disciplinary measuresshould be enforced consistently.

b. Does the organization have policies thataddress the appropriate protection of“whistleblowers” and those accused ofmisconduct?

For a compliance program to work,employees must be able to ask questionsand report problems. In its fulfillment ofits duty of care, the Board should deter-mine that the organization has a processin place to encourage such constructivecommunication.

c. What is the process by which the organiza-tion evaluates and responds to suspectedcompliance violations? What policiesaddress the protection of employees andthe preservation of relevant documentsand information?

Legal risk may exist based not only on theconduct under scrutiny, but also on theactions taken by the organization inresponse to the investigation. In additionto a potential obstruction of a governmentinvestigation, the organization may facecharges by employees that it has unlaw-fully retaliated or otherwise violatedemployee rights. It is important, therefore,that organizations respond appropriatelyto a suspected compliance violation and,more critically, to a government investiga-tion without damaging the corporation orthe individuals involved. The Boardshould confirm that processes and policies

10

for such responses have been developedin consultation with legal counsel and arewell communicated and understoodacross the organization.

d. What guidelines have been established forreporting compliance violations to theBoard?

As discussed, the Board should fullyunderstand management’s process forevaluating and responding to identifiedviolations of the organization’s policies, aswell as applicable federal and state laws.In addition, the Board should receivesufficient information to evaluate theappropriateness of the organization’sresponse.

e. What policies govern the reporting togovernment authorities of probable viola-tions of law?

Different organizations will have variouspolicies for investigating probable viola-tions of law. Federal law encouragesorganizations to self-disclose wrongdoingto the federal government. Health careorganizations and their counsel havetaken varied approaches to making suchdisclosures. Boards may want to inquire asto whether the organization has devel-oped a policy on when to consider suchdisclosures.

VI. Conclusion

The corporate director, whether voluntary orcompensated, is a bedrock of the health caredelivery system. The oversight activities provided bythe director help form the corporate vision, and atthe same time promo te an environment of corpo-rate responsibility that protects the mission of thecorporation and the health care consumers it serves.

Even in this “corporate responsibility” environ-ment, the health care corporate director who ismindful of her fundamental duties and obligations,and sensitive to the premises of corporate responsi-bility, should be confident in the knowledge thatshe can pursue governance service without need-less concern about personal liability for breach offiduciary duty and without creating an adversarialrelationship with management.

The perspectives shared in this educationalresource are intended to assist the health caredirector in performing the important and neces-sary service of oversight of the corporate compli-ance program. In so doing, it is hoped that fidu-ciary service will appear less daunting and providea greater opportunity to “make a difference” in thedelivery of health care.

11

AN INTEgRATED APPROACH TO CORPORATE COMPLIANCE

I. Introduction

As a supplement to the publication, CorporateResponsibility and Corporate Compliance,1 (CorporateCompliance), a joint educational effort of the Officeof Inspector General (OIG) of the U.S.Department of Health and Human Services (HHS)and the American Health Lawyers Association(AHLA), this document addresses the roles of thein-house corporate general counsel (GeneralCounsel) and an organization’s Chief ComplianceOfficer in supporting the compliance oversightfunction of health care organization governingboards (Boards of Directors or Boards). Thissupplemental educational resource addresses issuesraised by recent developments in the law withrespect to corporate responsibility and lawyers’professional ethics, the modifications to the U.S.Sentencing Commission’s Federal SentencingGuidelines for Organizations (SentencingGuidelines), and the recommendations of theAmerican Bar Association Task Force on CorporateResponsibility (ABA Task Force).2 It addresses theseissues in the unique context of health care compli-ance and health care law, particularly in light of theexpressed view of the OIG regarding the risk ofstructuring an organization’s compliance functionas subordinate to the General Counsel function.

Recent developments in the corporate and securi-ties world have refocused attention on effectivecorporate governance and the role of the GeneralCounsel in promoting ethical conduct and compli-ance with the law. The health care field hascertainly witnessed its share of high profile corpo-rate misconduct cases. While corporate complianceprograms are well established in most health careindustry segments, they continue to evolve inresponse to emerging “best practices” and changesin the business environment. All of this suggeststhat there is value in examining the interplay in theroles of the General Counsel and the ChiefCompliance Officer in supporting the Board’scompliance oversight responsibilities.Consideration of the role of the General Counselin overseeing compliance programs has beenongoing. In 1998, the OIG stated the following:

“The OIG believes that there is some riskto establishing an independent compliancefunction if that function is subordina[te]to the hospital’s [G]eneral [C]ounsel, orcomptroller or similar hospital financialofficer. Freestanding compliance functionshelp to ensure independent and objectivelegal reviews and financial analyses of theinstitution’s compliance efforts and activi-ties. By separating the compliance functionfrom the key management positions of[G]eneral [C]ounsel or chief hospitalfinancial officer (where the size and struc-ture of the hospital make this a feasibleoption), a system of checks and balances isestablished to more effectively achieve thegoals of the compliance program.”3

In a similar vein, in a September 5, 2003, letter toTenet Healthcare Corporation, United StatesSenator Charles Grassley (R-IA) observed:

“Apparently, neither Tenet nor (its GeneralCounsel) saw any conflict in her wearingtwo hats as Tenet’s General Counsel andChief Compliance Officer . . . . It doesn’ttake a pig farmer from Iowa to smell thestench of conflict in that arrangement.”4

On the other hand, when assessing the role of theGeneral Counsel in an organization’s corporategovernance program, the ABA Task Force recom-mends that:

“The [G]eneral [C]ounsel of a publiccorporation should have primary responsi-bility for assuring the implementation ofan effective legal compliance system underthe oversight of the board of directors.”5

So how do we reconcile these views? What roleshould the General Counsel play in health careorganization corporate compliance? To what extentshould Boards seek out and rely upon the organiza-tion’s Chief Compliance Officer? What should bethe relationship between the General Counsel andthe Chief Compliance Officer? What can a Boardexpect regarding interactions with company legalcounsel (both in-house and outside) in the newenvironment of corporate responsibility?

1 Corporate Responsibility and Corporate Compliance, Office of Inspector General, U.S. Dept. of Health & Human Services and theAmerican Health Lawyers Association, (2003), available at www.healthlawyers.org/CorporateCompliance.

2 James H. Cheek, III et al., Report of the American Bar Association, Task Force on Corporate Responsibility (March 31, 2003), available athttp://meetings.abanet.org/webupload/commupload/CL116000/otherlinks_files/ABA_CCMR-RecommendationsforReorganizingtheUSRegulatoryStructure.pdf (last visited Aug. 29, 2011).

3 OIG COMPLIANCE PROGRAM GUIDANCE FOR HOSPITALS, 63 Fed. Reg. 8987 (Feb. 23, 1998), available at http://www.oig.hhs.gov/authorities/docs/cpghosp.pdf (last visited Aug. 29, 2011).

4 See, Grassley Investigates Tenet Healthcare’s Use of Federal Tax Dollars, Sept. 8, 2003, available at http://grassley.senate.gov/releases/2003/p03r09-08.htm (last visited Aug. 29, 2011).

5 See supra note 2, at 32. The Task Force report affirms the application of its recommendations to non-public organizations as well. Id. at 31.

12

13

6 Id. at 21.7 The report suggests that if a corporation has no internal general counsel, it should identify and designate a lawyer or law firm to

act as generalcounsel. Id. at 63.8 See, supra note 2, at 77-89. The ABA Model Rules of Professional Conduct emphasize the lawyer’s responsibility “[a]s advisor [to]

provide a client with an informed understanding of the client’s legal rights and obligations and explain their practical implica-tions.” Id. at 21.

In light of the OIG position regarding the separa-tion of the compliance function from the GeneralCounsel, some health care organizations and advi-sors reportedly have taken a stringent view of thisconcept of separation, treating it more in thenature of a “requirement.” Some have even gone sfar as to view an otherwise independent compli-ance officer with a law degree as potentially under-cutting the effectiveness of the complianceprogram. On the other hand, in light of recentdevelopments in the area of lawyer professionalresponsibility, some may now believe that personsin the position of General Counsel are mandatedto assume responsibility in the compliance area.

In reality, a variety of structures for organizing thecompliance function is in place in health careorganizations. As reflected in the results of a surveyconducted by the American Health LawyersAssociation and the Health Care ComplianceAssociation, attached as Appendix A, some organi-zations operate with the same person serving asGeneral Counsel and Chief Compliance Officer,while others assign these functions to distinct indi-viduals and/or departments. Nevertheless, a boardmember overseeing the compliance functionshould understand how the organization isaddressing the issue of the roles of the GeneralCounsel and Chief Compliance Officer in theimplementation of the organization’s complianceprogram. This supplemental educational resourceis intended to provide the conscientious directorwith additional assistance in evaluating the organi-zation’s approach to this important question.

II. The Role of the generalCounsel

As discussed at length in Corporate Responsibility andCorporate Compliance, directors are entitled to rely,in good faith, on officers, employees, and corpo-rate advisors in fulfilling their duty to exerciseactive oversight and informed judgment on behalfof the corporation. Consequently, the GeneralCounsel, as well as outside lawyers, plays a criticalrole in the organizational reporting systems thatprovide information on compliance issues tomanagement and the Board. The contributionslawyers can make to corporate governance includethe role of counselor to the Board as it exercises itscritical oversight obligation. In this function,

o

lawyers assist the Board in understanding relevantlaws and regulations and in analyzing the associ-ated business risks.

As part of the effort to reinforce the role of lawyers inpromoting corporate responsibility and compliancewith the law, an ABA Task Force examined theprofessional conduct of lawyers in internal corporategovernance. On March 31, 2003, the Task Forceissued its report on corporate responsibility. Thereport called upon lawyers (specifically, the GeneralCounsel) to “assist in the design and maintenance ofthe corporation’s procedures for promoting legalcompliance.”6 The report also enumerated a series ofrecommended governance “best practices” consistentwith this emphasis on the role of lawyers inpromoting corporate responsibility and developingpractices designed to enhance lawyer/client commu-nication on compliance matters.7

These recommendations included assigning to theGeneral Counsel the primary responsibility forassuring an effective legal compliance system. Toprovide the Board with information and analysisnecessary to fulfill its oversight responsibilities, theABA Task Force recommended that the GeneralCounsel meet regularly and in executive session witha committee composed of independent directors toreview and communicate concerns with respect tolegal compliance matters faced by the corporation.Additionally, the report suggested the creation ofdirect lines of communication between outsidecounsel for the corporation and the GeneralCounsel to inform the General Counsel of potentialor ongoing violations of law by the corporation.

The ABA recommendations are provided in themidst of an increased focus on the professionalobligations of lawyers to serve the interests of theirorganizational clients. Simultaneous with the adop-tion of the corporate governance “best practices”recommendations, the ABA also approved revisionsto the Model Rules of Professional Conduct,designed in large part to address the proper role oflawyers in disclosing to internal and external thirdparties information concerning clients’ criminal orfraudulent conduct.8

Specifically, Model Rules 1.13, Organization asClient, and 1.6, Confidentiality of Information,attempt to deal more effectively with the extraordi-

IntRoDUCtIon

nary scenario in which a corporation may be threat-ened with the potential for substantial injury due toactual or potential action by a corporate employee.Revisions to Model Rule 1.13 are designed to clarifya lawyer’s obligation to communicate with, andreport wrongdoing to, a higher organizationalauthority. Revisions to Model Rule 1.6 are designedto permit disclosure of confidential client informa-tion to prevent substantial injury to the corpora-tion. While controversial, these revised Model Rulesreflect growing awareness of the role of lawyers inenhancing organizational commitment to corpo-rate responsibility.

III. An Integrated Response toCorporate Compliance

Given its focus on the General Counsel, the ABATask Force Report did not address specifically therole of the Chief Compliance Officer in promotingthe compliance oversight function of the Board. In some respects, the position of a ChiefCompliance Officer is unique within a corporateorganization. No other person has primary func-tional responsibility for the day-to-day operations ofthe compliance and ethics program. The breadthof the responsibilities and roles of a ChiefCompliance Officer will vary, but may include: 1) developing and implementing policies, proce-dures, and practices; 2) overseeing and monitoringthe implementation of the program; 3) updating andrevising the program, as appropriate; 4) developing,coordinating, and participating in a multi-facetedtraining and education program; 5) coordinatinginternal audits; 6) reviewing, responding to, andinvestigating reports of non-compliance; 7) serving asa resource across the organization on substantivecompliance questions and issues; and 8) reportingdirectly to the Board of Directors, CEO, and presidenton compliance matters. In that process, the ChiefCompliance Officer is expected to have a broadknowledge of the organization and operationalmatters and an awareness of applicable laws and regu-lations. Similarly, few individuals in the organizationhave the breadth of interaction with individuals at alllevels of the organization: board, management,employees, and third parties, including federal andstate government representatives.

The Chief Compliance Officer of a health care organ-ization may also bring a depth of experience to theposition. Even before the recent corporate scandals,the health care industry experienced a decade ofscrutiny by regulators and law enforcement agencies.Health care providers operate in a heavily-regulated

environment with rules that may carry significantpenalties for non-compliance. The government hascommitted substantial resources to identifying andsanctioning the individuals and entities that defraudand abuse federal and state health care programs.The net result is that the health care industry hasadvanced further than many other business sectors inestablishing compliance and ethics programs and“best practice” standards. This in turn suggests thatthe roles of the General Counsel and the ChiefCompliance Officer in supporting the Board’s compli-ance oversight function may be more complex in thehealth care industry than in other industry sectors.

Consider, for example, the significant degree towhich health care providers, ranging from highlycomplex health care systems to small physicianpractices, have implemented systems that promotecompliance with federal and state health careprogram requirements. These systems require adetailed knowledge of particularized health carereimbursement schemes, including Medicare andMedicaid regulations and interpretations and third-party payer rules and policies. In this environment,a multi-disciplinary compliance team is essential inassisting an organization’s General Counsel andChief Compliance Officer in gathering and inter-preting pertinent information.

The health care industry may also be distinguishedby obligations to disclose the adverse findings of aninternal audit or employee misconduct. When acompliance review identifies program violations thatresult in overpayments or a breach of a legal duty, theorganization may be compelled to take steps toensure that the matter is reported appropriately.While a corporation generally may not have a specificlegal duty to disclose a violation of the law, partici-pants in the Medicare and Medicaid programssubmit an increasing number of reports, certifying tocompliance with program requirements. A providerthat certifies compliance with program requirements,having knowledge of an undisclosed infraction, maycommit a new offense of making a false statement.Furthermore, there may be specific statutes or regula-tions that compel a health care provider to reportknown violations of law as a requirement of statelicensure or as a condition of program participation.Finally, a provider that is operating under aCorporate Integrity Agreement, as part of the settle-ment of a fraud case, agrees to disclose to the OIGsubstantial overpayments and probable violations ofcriminal, civil, or administrative laws applicable toany federal health care program for which penaltiesor exclusion may be authorized.

14

The failure to appropriately monitor compliancewith the complex health care regulatory require-ments can, in certain circumstances, lead to thesubmission of a false claim to a third-party payer orthe government. In addition, a health careprovider’s violation of the prohibitions againstcertain financial relationships with referral sourcesmay trigger criminal, civil, and administrativeliability. The consequences of these and other typesof violations range from the requirement to repayany improperly received reimbursement amountwith interest to the imposition of severe financialpenalties, criminal prosecution, and exclusion fromparticipation in any federal health care program. Inlight of the severe potential consequences that mayresult from a lack of adherence to applicable legalrequirements, it is essential for a health care organ-ization to have an independent compliance teamthat has a broad base in terms of training, back-ground, and expertise.

As part of the evolution of compliance programs,compliance officers have established themselves asan essential part of a health care provider’smanagement team. These professionals often havedemonstrated an expertise in technical health carereimbursement matters, internal controls, trou-bleshooting, and remedial measures, and may bethe point person for employee concerns about theorganization. While these attributes may makecompliance officers highly effective, they may alsocreate confusion with the respective roles to beplayed by the organization’s General Counsel andits Chief Compliance Officer. Ironically, the relativematurity of compliance programs within the healthcare industry may mean that role of the GeneralCounsel in overseeing compliance matters issubject to challenge within the organization.

In this regard, the recent changes to the SentencingGuidelines provide guidance on the roles andreporting relationships of particular categories ofpersonnel with respect to compliance programresponsibilities.9 The Sentencing Guidelines reaffirmthe key principle in Corporate Responsibility andCorporate Compliance — to have an effective compli-ance program, the organization’s governingauthority must be knowledgeable about the content

and operations of the compliance program andexercise reasonable oversight over it.10

The new Sentencing Guidelines also provide morespecific and exacting requirements for the staffingand operation of compliance and ethics programs.To be considered effective, a program must be theresponsibility of high-level personnel who havesubstantial control over the organization or whohave a substantial policy- making role within theorganization. While other individuals may beassigned day-to-day operational responsibilities forthe program, accountability for the complianceprogram must rest with upper management.11Recognizing the value of an independent voice,free of any potential filtering by senior organizationmanagers, the Sentencing Guidelines direct that,where operational responsibility for the complianceprogram is delegated, those individuals with day-to-day responsibility must have direct access to theBoard of Directors or an appropriate Boardcommittee. Further, reports from the individualsresponsible for the dayto-day operations of thecompliance program must be provided to theBoard at least annually.12 This admonition toprotect the independence of the compliance func-tion makes clear that whether responsibility for thecompliance program is assigned to the GeneralCounsel or to a distinct Chief Compliance Officer,individuals with day-to-day responsibilities musthave appropriate authority and direct access to theBoard of Directors.

IV. Considerations for HealthCare Boards

Corporate Responsibility and Corporate Compliancesuggested areas of inquiry that directors shouldpursue with management to ensure that the Boardunderstands the scope of its compliance programand challenges inherent in achieving programgoals. The following questions are suggested toensure that 1) the Board understands the roles ofthe General Counsel and the Chief ComplianceOfficer in supporting the Board’s oversight func-tion and the organization’s corporate complianceprogram; and 2) appropriate processes are in place

9 On April 13, 2004, the United States Sentencing Commission voted to amend the Sentencing Guidelines. The Commission madethe standards for a compliance and ethics program more rigorous and put greater responsibility on boards of directors and executives for the oversight and management of the compliance program. The amendments took effect November 1, 2004. The proposed amendments relating to compliance programs can be found at http://www.ussc.gov/Legal/Amendments/Official_Text/20040501_Amendments.pdf, at 75-90 (last visited Aug. 29, 2011). See also http://www.ussc.gov/Legislative_and_Public_Affairs/Newsroom/Press_Releases/20040413_Press_Release.htm (last visited Aug. 29, 2011).

10 U.S. SENTENCING COMM’N, ORGANIZATIONAL SENTENCING GUIDELINES § 8B2.1, available at http://www.ussc.gov/Legal/Amendments/Official_Text/20040501_Amendments.pdf, at 75-90 (last visited Aug. 29, 2011).

11 Id. § 8B2.1(b)(2), cmt. n. 3 (2004).12 Id.

15

An InteGRAteD ResPonse to CoRPoRAte ComPlIAnCe

to assure the Board that it receives appropriateinformation and candid assessments arising out ofthe compliance program in a timely manner. Thesesuggested questions and commentary recognizethat Boards may consider a variety of approaches inaddressing these issues.

A. To what extent is the general Counsel

utilized by the Board to provide relevant

advice regarding compliance matters?

Ultimately, the structure of operational responsibili-ties for the compliance program and the Board’srelationship with the General Counsel must assurethe Board that it receives appropriate and timelyinformation on organizational compliance withapplicable laws. The changes to the SentencingGuidelines give greater clarity to the responsibilitiesof corporate boards in this regard. Specifically, theBoard must not only be knowledgeable about thecorporate compliance program, but also be able toevaluate and recommend modifications to theprogram in light of ongoing organizational riskassessments. Thus, the Board needs to be knowl-edgeable of any major risks of unlawful conductfacing the organization to evaluate the adequacy ofits compliance program in mitigating those risks. Asrecognized by the ABA Task Force, the GeneralCounsel is an essential resource to the Board forunderstanding the organization’s legal risks andthe adequacy of the compliance program inaddressing those risks.

B. Where and how is the general Counsel

involved in each of the fundamental

elements of the compliance program?

Given the ABA Task Force’s recommended role forthe General Counsel in compliance and the OIG’sexpressed concerns regarding compliance officerindependence, the Board needs to be sure itunderstands and agrees with the role of its prin-cipal legal advisor in the compliance program’sdesign and operation.

The ABA Task Force suggests that a prudent corpo-rate governance program should utilize theGeneral Counsel to assist in the design and mainte-nance of the corporation’s procedures forpromoting legal compliance. In many health careorganizations, the Chief Compliance Officer hasprimary responsibility for the development, coordi-nation, and monitoring of the compliance andethics program. However, given the diversity ofChief Compliance Officer professional back-

grounds, the General Counsel can serve as a criti-cally important program resource. For example,the General Counsel can provide essential insightsinto government regulations and their policy impli-cations to the organization, and the potential legalconsequences of proposed courses of action. TheBoard’s oversight function is enhanced if it under-stands the complementary roles of the GeneralCounsel and the Chief Compliance Officer in theirsupport of the Board’s oversight responsibilities.

C. How does the general Counsel receive

notice of, and provide input on, the

organization’s response to identified or

suspected compliance failures?

One of the key features of a compliance program isthe appropriate organizational response to suspectedviolations of law. The nature of the response can havea significant impact on the organization internally, as well as on its relationship with federal and statehealth care programs and third-party payers. Theroles of Chief Compliance Officer and GeneralCounsel are no more acutely interwoven and inpotential tension than in this context.

Among the typical Chief Compliance Officer’sprimary responsibilities are the investigation andcoordination of an organization’s response to suchsuspected compliance failures. However, theGeneral Counsel also must play a pivotal role indirecting the organization’s response to suspectedcompliance failures, particularly when they maytrigger administrative, civil, or criminal liability.The Board needs to understand the distinction inthe roles and perspectives of the General Counseland the Chief Compliance Officer, especially whenthe Chief Compliance Officer is not a lawyer.Assuring the timely involvement of the GeneralCounsel in assessing the significance of potentialviolations of law, participating appropriately in theinvestigation, and evaluating options for resolutionwill help the Board respond appropriately to thesechallenges to the integrity of the organization.

D. What are the roles of the organization’s Chief

Compliance Officer and general Counsel in

operating the corporate compliance

program? Who has responsibility for reporting

to the Board on compliance matters?

The Chief Compliance Officer and the GeneralCounsel may have different, and yet ultimately comple-mentary, responsibilities in the operation of the organi-zation’s compliance program. The responsibilities of

16

the Chief Compliance Officer are detailed in the OIG’sCompliance Program Guidances.13 Although the ChiefCompliance Officer may have a legal background, typi-cally she is not acting in the capacity as counsel for theorganization.

The amendments to the Sentencing Guidelinesmake clear that, as part of an effective complianceprogram, the Chief Compliance Officer must peri-odically report to the Board on the status of thecompliance program, the resources required tomaintain its vitality, and the organization’s responseto identified compliance deficiencies. A directreporting relationship helps avoid any potentialfiltering or censoring influence of senior organiza-tion managers. As previously discussed, the OIGhas expressed concern about the wisdom of theChief Compliance Officer being subordinate to theGeneral Counsel or Chief Financial Officer. TheOIG believes that the independence and objectivityof legal and financial analyses of the corporation’sactivities are enhanced through a system of checksand balances, which includes separating thecompliance function from key management posi-tions, including the General Counsel.

As noted earlier, however, the ABA Task Forcesuggests that the active involvement of the GeneralCounsel in the compliance program is essential toprovide the Board with the information andanalysis needed for the directors to discharge theiroversight responsibilities. The Task Force alsosuggests that “counsel . . . should have primaryresponsibility for assuring the implementation ofan effective legal compliance system under theoversight of the [B]oard.”14

The General Counsel’s primary responsibility is torepresent the legal interests of the organization byacting as a legal counselor to the organization(through its board of directors, officers, and managers)on a wide variety of topics, including compliance withrelevant legal obligations. In the context of the compli-ance program, the General Counsel serves as an impor-tant resource to the compliance staff, as well as to theBoard in its exercise of oversight over the organiza-tion’s compliance systems.

It is the Board’s responsibility to reconcile thesepotentially conflicting views into a complementaryset of responsibilities and reporting relationships.Ultimately, the interaction between the GeneralCounsel and the Chief Compliance Officer must

support the Board in its oversight responsibilitiesby ensuring that the Board receives accurate infor-mation and candid advice.

E. How is the Board notified when there are

disagreements among management, the

Chief Compliance Officer and/or the

general Counsel relating to the organiza-

tional response to specific compliance

matters?

Significant disagreements among management, theGeneral Counsel, and the Chief Compliance Officermay arise as the organization considers how torespond to internal compliance evaluations thathave potential significant financial and legal conse-quences for the organization. For example, theremay be divergence of opinion regarding whether toreport to the government the adverse finding of aninternal audit. While such disagreements should notnecessarily be resolved at the board level, it is impor-tant for the Board to understand how managementapproaches such issues and receives a consensus ona course of action. Consideration should be given toestablishing policies that standardize reporting tothe Board on such investigations.

The OIG and the U.S. Sentencing Commissionrecommend that compliance officers have directaccess to the Board of Directors and ChiefExecutive Officer. The expressed concern is that areporting line through the General Counsel, ChiefFinancial Officer, or other senior manager mayinterject other operational concerns into compli-ance reviews and financial analyses performed bythe Chief Compliance Officer. In many organiza-tions, however, a number of practical and opera-tional reasons may support a Chief ComplianceOfficer reporting directly to a high-level manageror the General Counsel. If this is the case, it may bein the best interests of the program that theGeneral Counsel or other senior manager not bethe sole recipient of compliance reports.In pursuit of its oversight responsibilities for thecompliance program, the Board should reasonablyassure itself that the compliance function is appro-priately free of undue constraints and that theChief Compliance Officer is able to provide theBoard with objective information, analyses, andrecommendations. The concept of “checks andbalances” in the compliance reporting process isprudent, regardless of who has formal responsi-bility for the compliance program. Direct reportingto the Board and alternative reporting processes

13 See supra note 3.14 See, supra note 2, at 32.

17

ConsIDeRAtIons FoR HeAltH CARe BoARDs

may also promote the integrity of the complianceprogram, while respecting the operational prefer-ences of management.

F. Does the Board understand how the organ-

ization utilizes the attorney/client and work

product privileges when responding to

third party requests for information?

Investigations into suspected violations of law canhave profound implications for an organization. In this sensitive area, it is important that the Boardreceive timely and objective information and soundlegal advice on proposed courses of action. Judicially-recognized privileges exist to promote candid andconfidential communications between the client andits counsel, including the attorney/client andattorney work product privileges.15 While certainaspects of an attorney’s investigation into allegationsof misconduct may be protected from disclosure tothird parties, the organization’s responses to identi-fied material violations of law may involve reportingthe misconduct to the appropriate governmentagency. The cooperation expected from organiza-tions by the government in resolving such matterscan give rise to a tension between the sufficiency ofsuch disclosures and the appropriate assertion ofthese privileges.

From the government’s perspective, blanket orroutine assertions of the work product or attorney-client privilege in routine auditing and compliancemonitoring activities may undermine the vitality ofthe asserted privilege and diminish the credibilityof the compliance program and the organization. It is important, therefore, that the Board receivesound advice on the nature, utility, and limitationsof these privilege doctrines and the policies andpractices of management and General Counsel intheir application.

g. Are processes in place to enable the

general Counsel to bring issues of legal

compliance to the appropriate authorities

within the organization?

The extent of inside and outside counsels’ respon-sibility to report potential violations of law, abreach of duty to the corporation, and othersubstantial legal concerns is an issue of continuingdebate. With the enactment of Sarbanes-Oxley, theSEC has established minimum standards of profes-sional conduct for attorneys appearing and prac-ticing before the Commission, including a require-

ment to report evidence of material violations oflaw under certain circumstances “up the ladder”within an organization. Similar obligations arecontemplated by the revisions to ABA Model Rules1.13 and 1.6, which address the circumstancesunder which an attorney may be ethically obligatedto withdraw from the representation of a client.

Although the circumstances giving rise to such “upthe ladder” reporting should be extraordinary, it isimportant that the Board 1) understand theseparticular responsibilities of counsel to exerciseinformed professional judgment in determiningwhat steps are reasonably necessary in the best inter-ests of the organization, and 2) ensure that lines ofcommunication are established to enable theGeneral Counsel to report any concerns aboutsignificant compliance issues up to the highest levelsof authority within the organization. The Board maywish to consider various mechanisms, includingperiodic executive sessions between the GeneralCounsel and the Board, to ensure that criticalcompliance issues are brought to its attention.

V. Summary Considerations

Recognizing the important responsibilities of boththe General Counsel and the Chief ComplianceOfficer to every health care organization, thefollowing are certain summary considerations thatmight enhance a system of checks and balances tohelp meet the organization’s compliance programobjectives and program oversight.

A. Where the general Counsel Serves as the

Chief Compliance Officer

1. Consider the adoption of a recusal processby which the General Counsel may recuseherself from a compliance investigation, aswell as alternative reporting processes, if thematter may implicate the General Counsel.A substantial majority of respondents to theAHLA-HCCA survey reported utilizing suchprocesses.

2. Consider periodic Board initiated third-partyaudits or assessments of the complianceprogram, as suggested in the OIGCompliance Program Guidances.

3. Consider authorizing the Board Audit orCompliance Committee to retain outside counselor consultants with respect to selected mattersunder Board-approved criteria.

15 It is beyond the scope of this educational resource to address these privileges in any detail. Additional information on the privi-leges and their restrictions should be obtained from counsel.

18

B. Where the Chief Compliance Officer is

Separate from the general Counsel, but

Reports to the general Counsel

1. Consider formally establishing alternativereporting mechanisms to provide the ChiefCompliance Officer direct reporting toanother member of senior management ifthe Chief Compliance Officer deems suchreporting to be necessary. Such a mechanismprovides protections for the Board and theorganization against any real or perceivedobstruction.

2. Consider procedures to have someone otherthan the General Counsel authorize theChief Compliance Officer to pursue compli-ance investigations, including the right tohire outside counsel. Here, the authority toindependently initiate investigations shouldbe balanced by required notice and consulta-tion with the General Counsel.

3. Consider periodic direct reports from theChief Compliance Officer to the Board,balanced by the General Counsel’s priorreview and consultation so that both mayreport to and advise the Board consistentwith their responsibilities.

C. Where the Compliance Officer is Separate

from and Does Not Report to the general

Counsel

1. Consider the benefit of having the GeneralCounsel involved in 1) periodic risk assess-ments; 2) review of proposed policies andreports on compliance processes; 3) conducting investigations; and 4) devisingremedial measures to address violations oflaw.

2. Consider routine General Counsel reviews ofmatters being reported to the Board by theChief Compliance Officer.

3. Consider requiring notice to, and consulta-tion with, the General Counsel where thereis independent authority for the ChiefCompliance Officer to retain outside counseland consultants.

VI. Conclusion

The recent developments in corporate accounta-bility, stemming from a series of high profile corpo-rate misconduct cases, including such issues as “upthe ladder” reporting, have prompted organiza-

tions to refocus on how matters of potential oralleged corporate misconduct are brought to theattention of Boards of Directors. In the heavily-regulated field of health care, however, the roles ofthe General Counsel and the Chief ComplianceOfficer in corporate compliance have been a focusof attention for many years. Perhaps, in the end,the current attention being given to these roles byCongress, federal agencies, and the industry issimply an appropriate refocus on the basic prin-ciple of the ultimate duty of an attorney or a seniormanager to serve the client, which in the corporatecontext is the corporate organization under theleadership of its Board of Directors.

For health care organizations, the unique opera-tional environment and regulatory requirementsmandate coordination between the legal functionand the compliance function. As the AHLA-HCCAsurvey indicates, and as this educational resourcehas discussed, there are a variety of effectiveapproaches to such coordination, many of whichare a matter of current practice. This resource hasattempted to assist members of health care organi-zation Boards think through the issues related to 1) the critical role of the General Counsel insupport of the Board’s oversight responsibility forcorporate compliance, by informing the Boardabout potential problem areas, and advising theBoard about applicable legal requirements; 2) theessential part played by Chief Compliance Officers,whose breadth of responsibility, expertise, andexperience typically places them in a unique posi-tion to assist the Board in determining the effec-tiveness of the organization’s compliance program;and 3) the relationship between the GeneralCounsel and the Chief Compliance Officer, and thedevelopment of a system of checks and balancesthat enhances the ability of these two individuals tocontribute their knowledge and skills in a way thatfurthers the interests of the organization.

Ultimately, it is important that a Board receives asufficient flow of information to effectively conductits compliance oversight. Establishing and coordi-nating the roles and responsibilities of the GeneralCounsel and the Chief Compliance Officer withinhealth care organizations to best serve the organiza-tion and best assist the Board in its complianceoversight function is essential. It is the goal of thisdocument to be of assistance to health care Boardsin exercising this important responsibility.

19

survey included for at organizations where the counsel serves as the

The American. Health Lawyers Association (AHLA) Lu'"~"''"Rx officer; where the compliance officer and the Health Care Compliance A<>sodation reports to the general counsel; and where the

(HCCA) sent out a survey designed to explore the oft1cer does not to the

c•,nu->n:stuv between. general counsel and comt}ll~ counsel.

ance officer in different health care orga:ni.2cat:ior1s. AHIA sent the survey to l ,964 in-house counseL The responses to the survey provide Board

HCCA sent the survey to 2,490 many of CEOs, compliance oHicers, and

whom work as compliance officers in health care others interested in health care management with

organizations. 429 recipients responded to the into the different structures that health

survey, a response rate of9.6%. care organizations use to manage their compliance activities. The diversity of management

The survey included nine questions for aU respon structures and reporting relationships reinforce the

dents to answer. It then asked respondents to conclusion that effective Boards will receive

answer several questions applicable to their information and analysis on how their health care

ular and reporting stntcture. The organizations manage their compliance activities.

RESPONDENTS ANSWERED THE QUESTIONS IN SECTION.

Yes 84%

16% No

2. Does your in$houH nc.nJI\l!..~~ counHi or one of your in~houH ::attnr~"~"'"" also serve as the officer?

25%

60%

No, we don't have an 15%

o"~afiliZ2~tkl•n &:mp~oy an individual whoH nri;n~in~l C"fil~·.,.a·t,t~~ officer for the or<Jianiz~tio~\?

Yes 77%

23% No

Yes 36%

64% No

5. To wh('lm does the complian~e officef report?l

Chief Executive Officer 56%

Chief Financial Officer 8%

General Counsel 2û%

Board or Board Committee 34%

Others2 2û%

6. if YOWf compliance officer has other official responsibilities within the organization, what are they?

In-House Attorney 26%

Privacy Officer 45%

Human Resources Professional I 4%

Finance I 3%

Auditing Function 24%

Others3 38%

7. If your organization has a compliance officer and not an in..house counselor in-

hO\.lse attorney, does yo\.lr organizati()1'1 designate an outside lawyer as the organizati()n's general counsel?

Yes 42%

No 58%

Some responses to the survey have a greater than 100% response rate because individual respondents induded more than one response for particular questions.

2 Other positions named incliided VP Government Affairs; Chief Administrative Officer; Audit Committee; Chief Medical Officer; Chief Information Officer; Chief Technology Officer; Vice President Academic Mfairs; Dean, College ofl\ledicine; Chief Operatiiig Offìcer; VP for Qualiry; Chief Fiii auci al Offìcer; Risk Manager; and Compliance Advisory Committee.

3 Other responsibilities induded risk management; operations officer; public policy; mission effectiveness; securiry officer; information systems; patient and community relations; quality assurance; business practices; physician relations and contracting; outpatient services; conflict of interest oversight; regulatory affairs; privacy officer; salety officer; limited English proficiency coordinator; research administration; research integrity officer; human protections administrator; social services director; admiuistration; FOIA office.-; HIPAA otfìcer; labor relations; IRB; clinical services; and charge description master.

~ii!iimiii ~

S. Does your organization's Board require that it be informed any governmental investigation relatod t() an allegod violation of federal or state law?

64%Yes

Yes, but only if the amount at 12% issue reaches a certain threshold

13%No

11%Others Specified

9. Are internal investigations routinely carried out under the protection of the attorney-client

privilege as a matter of policy or practice?

Yes 60%

No 40%

IF THE ORGANIZATION HAS ITS IN-HOUSE GENERAL COUNSEL OR ATTORNEY SERVE AS THE COMPLIANCE OFFICER:

10. Does the orga.,.ii:ation have a form~lp()liCY to allow the in-house general cOl.ll"lsel or attorney responsible for compliance independent access to the Board of Directors on a compliance i$sueif the attorney believes it necessary?

Yes 73%

No 27%

11. Does the organization have a mechanism for the referral an investigation to an

alternative individual if the in.house general counselor attorney wants to recuse herself from a compliance investigation?

Yes 72%

No 28%

a an individual with issue or complaint bypass

implicate the general

Yes 79%

No 21%

13. Does the in-house general counseVattorney report to the Board on compliance issues on a regular basis?

Yes 78%

No 22%

IF THE ORGANIZATION HAS A SEPARATE COMPliANCE OFFICER WHO REPORTS THROUGH THE IN-HOUSE GENERAL COUNSEL:

14. H()w does the individ\.lal responsible for corporate compliance report through the

in..house general counsel?

Reports directly to the in-house 71% general counsel

to the in-ho.use sel by reportinCl 29%

anotner positioñ

15. Is the compliance officer authori~ed pwrsue compliance investigations without notice to or pri()r consultation with the general cOl.&l'1sel?

Yes 81%

19%No

16. Has the organization established. an alternative mechanism to provide the c.::omplianøe offiøer direct reporting to membet'S of senior I'l"laiiagement if the compliance officer feels S\.lch is neces$ary?

Yes 90%

No 10%

11. Is there a policy/protocol input on compliance or internal audit matters

Yes 73%

No 27%

1 S. organization have a in.house or

c.::oonsel to conduct/or

Yes 48%

No 52%

~11!11I11I ~

19. Does the compliance officer l'Outinely directly to the hard at Board meet-

on compliance

Yes 70%

No 30%

20. Does the compliance officer have independent authority to retain counselor other consultants, if he or she believes it necessary?

Yes 43%

No 57%

IF THE ORGANIZATION DOES NOT HAVE ITS COMPUANCE OFFICER REPORT THROUGH AN IN-HOUSE GENERAL COUNSEL OR ATTORNEY:

21. If the complianee offiCi!lr dees net report to the in-ho\.lse general counselor an inhouse attorney, to whom dOi!ls the corporate compliance officer directly report?

Chief Executive Officer 71%

Chief Operating Officer 7%

Vice President for 0%

Human Resources

Chief Financial Officer 10%

Others Named4 25%

22. organization consultationlreview/input between the compliance and an in-house genera! counselor attorney 01' an outside counsel prior to

a compliance investigation?

37%Yes

63%No

between the flag during an investigation?

60%Yes

40%No

4 Answers similar to those provided in footnote 1.

24. Do the compliance officer and tho genoral counsol/attorney moot formally or inf()rmally on a frEK;uent basis (meaning once a weok or more)?

55%Yes

45%No

the compliance ()ffi~er copy the general counsel/attorney on significant correspondence?

77%Yes

23%No

26. Does the compliance officer gonerally seek advice from the general counsel/attorney when asserting privilege?

Yes 85%

15%No

27. Does the complianco officer routinely report directly to the Board on complianco matters?

Yes 79"Ai

21%No

28. Is there a policy/prot()col providing counsel compliance or internal audit matters to be reported to the Board?

43%Yes

No 57%

have t() retain or other consult

52%Yes

48%No

CORPORATE RESPONSIBILITy AND HEALTH CARE QUALITy

I. Introduction

This educational resource is the third in a CorporateResponsibilities Series (Series) of co-sponsoreddocuments by the Office of Inspector General(OIG) of the U.S. Department of Health andHuman Services (HHS) and the American HealthLawyers Association (AHLA), the leading health laweducational organization.1 It seeks to assist directorsof health care organizations in carrying out theirimportant oversight responsibilities in the currentchallenging health care environment. Improving theknowledge base and effectiveness of those servingon health care organization boards will help toachieve the important goal of continuouslyimproving the U.S. health care system.

The prior publications in this Series addressed theunique fiduciary responsibilities of directors ofhealth care organizations in the corporate compli-ance context. With a new era of focus on quality andpatient safety rapidly emerging, oversight of qualityalso is becoming more clearly recognized as a corefiduciary responsibility of health care organizationdirectors. Health care organization boards havedistinct responsibilities in this area becausepromoting quality of care and preserving patientsafety are at the core of the health care industry andthe reputation of each health care organization. Theheightened attention being given to health carequality measurement and reporting obligations alsoincreasingly impacts the responsibilities of corporatedirectors. Indeed, quality is also emerging as anenforcement priority for health care regulators.

The fiduciary duties of directors reflect the expecta-tions of corporate stakeholders regarding oversightof corporate affairs. The basic fiduciary duty of careprinciple, which requires a director to act in goodfaith with the care an ordinarily prudent personwould exercise under similar circumstances, is beingtested in the current corporate climate. Embeddedwithin the duty of care is the concept of reasonableinquiry. In other words, directors are expected tomake inquiries to management to obtain the infor-mation necessary to satisfy their duty of care.

This educational resource is designed to helphealth care organization directors ask knowledge-able and appropriate questions related to healthcare quality requirements, measurement tools, and

reporting requirements. The questions raised inthis document are not intended to set forth anyspecific standard of care, nor to foreclose argu-ments for a change in judicial interpretation of thelaw or resolution of any conflicts in interpretationamong various courts. Rather, this resource willhelp corporate directors establish, and affirmativelydemonstrate, that they have followed a reasonablequality oversight process.

Of course, the circumstances of each organizationdiffer and application of the duty of care andconsequent reasonable inquiry by boards will needto be tailored to each specific set of facts andcircumstances. However, compliance with standardsand regulations applicable to the quality of servicesdelivered by health care organizations is essentialfor the lawful behavior and corporate success ofsuch organizations. While these evolving require-ments can be complex, effective compliance in thequality arena is an asset for both the organizationand the health care delivery system. It is hoped thatthis educational resource is useful to health careorganization directors in exercising their oversightresponsibilities and supports their ongoing effortsto promote effective corporate compliance as itrelates to health care quality.

II. Board Fiduciary Duty andQuality in the Health CareSetting

Governing boards of health care organizations increas-ingly are called to respond to important new develop-ments—clinical, operational and regulatory—associ-ated with quality of care. Important new policy issuesare arising with respect to how quality of care affectsmatters of reimbursement and payment, efficiency,cost controls, collaboration between organizationalproviders and individual and group practitioners.These new issues are so critical to the operation ofhealth care organizations that they require attentionand oversight, as a matter of fiduciary obligation, bythe governing board.

This oversight obligation is based upon the applica-tion of the fiduciary duty of care board membersowe the organization and, for non-profit organiza-tions, the duty of obedience to charitable mission.It is additive to the traditional duty of board

1 The other two co-sponsored documents in the series are Corporate Responsibility and Corporate Compliance, The Office of InspectorGeneral of the U.S. Department of Health and Human Services and The American Health Lawyers Association, 2003; and AnIntegrated Approach to Corporate Compliance, The Office of Inspector General of the U.S. Department of Health and HumanServices and The American Health Lawyers Association, 2004, both of which precede this chapter in this guidebook.

26

members in the hospital setting to be responsiblefor granting, restricting and revoking privileges ofmembership in the organized medical staff.

A. Duty of Care

The traditional and well-recognized duty of carerefers to the obligation of corporate directors toexercise the proper amount of care in their deci-sion-making process. State corporation laws, as wellas the common law, typically interpret the duty ofcare in an almost identical manner, whether theorganization is non-profit or for-profit.

In most jurisdictions, the duty of care requiresdirectors to act (1) in “good faith,” (2) with thecare an ordinarily prudent person would exercisein like circumstances, and (3) in a manner thatthey reasonably believe to be in the best interests ofthe corporation.2 In analyzing compliance with theduty of care, courts typically address each of theseelements individually. In addition, in recent years,the duty of care has taken on a richer meaning,requiring directors to actively inquire into aspectsof corporate operations where appropriate – the“reasonable inquiry” standard.

Thus, the “good faith” analysis normally focusesupon whether the matter or transaction at handinvolves any improper financial benefit to an indi-vidual and/or whether any intent exists to takeadvantage of the corporation. The “prudentperson” analysis focuses upon whether directorsconducted the appropriate level of due diligence toallow them to render an informed decision. Inother words, directors are expected to be aware ofwhat is going on around them in the corporatebusiness and must in appropriate circumstancesmake such reasonable inquiry as would an ordi-narily prudent person under similar circumstances.The final criterion focuses on whether directors actin a manner that they reasonably believe to be inthe best interests of the corporation. In this regard,courts typically evaluate the board member’s stateof mind with respect to the issues at hand.

When evaluating the fiduciary obligations of boardmembers, it is important to recognize that “perfec-tion” is not the required standard of care. Directorsare not required to know everything about a topicthey are asked to consider. They may, where justi-

fied, rely on the advice of executive leadership andoutside advisors.

In addition, many courts apply the “business judg-ment rule” to determine whether a director’s dutyof care has been met with respect to corporatedecisions. The rule provides, in essence, that adirector will not be held liable for a decision madein good faith, where the director is disinterested,reasonably informed under the circumstances, andrationally believes the decision to be in the bestinterests of the corporation. In other words, courtswill not “second guess” the board member’s decision when these criteria are met.

Director obligations with respect to quality of caremay arise in two distinct contexts: • The Decision-Making Function: The application

of duty of care principles as to a specific decision or a particular board action, and

• The Oversight Function: The application of dutyof care principles with respect to the generalactivity of the board in overseeing the opera-tions of the corporation (i.e., acting in goodfaith to assure that a reasonable informationand reporting system exists).3

Board members’ obligations with respect to super-vising medical staff credentialing decisions arisewithin the context of the decision-making function.These are discrete decisions periodically made bythe board and relate to specific recommendationsand a particular process.

The emerging quality of care issues discussed inthis resource arise in the context of the oversightfunction—the obligation of the director to “keep afinger on the pulse” of the activities of the organization.

The basic governance obligation to guide andsupport executive leadership in the maintenance ofquality of care and patient safety is an ongoingtask. Board members are increasingly expected toassess organizational performance on emergingquality of care concepts and arrangements as theyimplicate issues of patient safety, appropriate levelsof care, cost reduction, reimbursement, and collab-oration among providers and practitioners. Theseare all components of the oversight function.

2 American Bar Association, Section of Business Law, Revised Model Nonprofit Corporation Act, Section 8.30 (1987).3 In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).

27

BoARD FIDUCIARy DUty AnD QUAlIty In tHe HeAltH CARe settInG

This duty of care with respect to quality of care alsois implicated by the related duty to oversee thecompliance program.4 Many new financial relation-ships address quality of care issues, including pay-for-performance programs, gainsharing, andoutcomes management arrangements, amongothers. State and federal law closely regulate manyof these arrangements. Given that directors have anobligation to assure that the organization has an“effective” compliance program in place to detectand deter legal violations, they may fairly beregarded as having a concomitant duty to makereasonable inquiry regarding the emerging legaland compliance issues associated with quality ofcare initiatives, and to direct executive leadershipto address those issues. The board may direct exec-utive staff to provide periodic briefings to theboard with respect to quality of care developmentsso that the directors may establish a proper “tone atthe top” in terms of related legal compliance. Inother words, it is the role of the executive staff tobrief the board concerning new developments inthe law and related legal implications, and it shouldbe the ongoing obligation of the board to reason-ably inquire whether the organization’s complianceprogram and other legal control mechanisms are inplace to monitor the associated legal risks.

B. Duty of Obedience to Corporate

Purpose and Mission

Oversight obligations with respect to quality of careinitiatives also arise, for non-profit boards, in thecontext of what is generally referred to as the fidu-ciary duty of obedience to the corporate purposeand mission5 of health care organizations. Non-profit corporations are formed to achieve a specificgoal or objective (e.g., the promotion of health), asrecognized under state non-profit corporation laws.This is in contrast to the typical business corpora-tion, which often is formed to pursue a generalcorporate purpose. It is often said of non-profitsthat “the means and the mission are inseparable.”6

The fundamental nature of the duty of obedience tocorporate purpose is that the non-profit director ischarged with the obligation to further the purposesof the organization as set forth in its articles of incor-poration or bylaws.7 For example, the articles of

incorporation of a non-profit health care providermight describe its principal purpose as “the promo-tion of health through the provision of inpatient andoutpatient hospital and health care services to resi-dents in the community.” Given that the board isresponsible for reasonably inquiring whether thereare practices in place to address the quality ofpatient care, it is fair to state that the concept ofquality of care is inseparable from, and is essentiallysubsumed by, the mission of the organization.

In the hospital setting, various provisions of the lawdealing with the relationship to the medical staffalso provide a link to the duty of obedience tocorporate purpose. These include, for example,traditional provisions that confirm the responsibilityof the board for (a) the conduct of the hospital asan institution, (b) ensuring that the medical staff isaccountable to the governing board for the qualityof care provided to patients, and (c) the mainte-nance of standards of professional care within thefacility and requiring that the medical staff functioncompetently. The “duty of obedience” concept withrespect to assuring compliance with law also mightbe considered to incorporate a duty to assurecompliance with those state laws (and perhapsaccreditation principles as well) that require thegoverning board to assume ultimate responsibilityfor organizational performance, which includes thequality of the provider’s medical care.

C. Summary

In exercising her duty of care and, as appropriate,duty of obedience to corporate purpose andmission, the governing board member may beexpected to exercise general supervision and over-sight of quality of care and patient safety issues.This is likely to include (a) being sensitive to theemergence of quality of care issues, challenges andopportunities, (b) being attentive to the develop-ment of specific quality of care measurement andreporting requirements (including asking the exec-utive staff for periodic education), and (c)requesting periodic updates from the executivestaff on organizational quality of care initiatives andhow the organization intends to address legal issuesassociated with those initiatives. Board membersare expected to make reasonable further inquiry

4 Id.5 In some states, this duty is subsumed within the definition of the broader duty of loyalty.6 Daniel L. Kurtz, Board Liability: Guide for Nonprofit Directors 84 (Moyer Bell Limited, New York, 1988), citing Commonwealth

of Pennsylvania v. The Barnes Foundation, 398 Pa. 458, 159 A.2d 500, 505 (1960); In re Manhattan Eye, Ear & Throat Hosp., 715N.Y.S.2d 575 (1999).

7 Kurtz, supra.

28

when concerns are aroused or should be aroused.These expectations increasingly are becomingmore significant with the increased attention toquality of care issues from policy makers, providersand practitioners, payors and regulators. Boardmembers must be, and must be perceived as,responsive to this changing environment.

III. Defining Quality of Care andthe Critical Need toImplement Quality Initiatives

“The American health care delivery system isin need of fundamental change. Manypatients, doctors, nurses and health careleaders are concerned that the care deliveredis not, essentially, the care we should receive… Quality problems are everywhere affectingmany patients. Between the healthcare wehave and the care we could have lies not justa gap, but a chasm.”8

In Crossing the Quality Chasm, the Institute ofMedicine (IOM) provided a six-part definition ofhealth care quality that some view as the emergingstandard. According to the IOM, health careshould be: safe – avoiding injuries to patients fromthe care that is intended to help them; effective –providing services based on scientific knowledge toall who could benefit and refraining fromproviding services to those not likely to benefit(avoiding underuse and overuse, respectively);patient-centered – providing care that is respectful ofand responsive to individual patient preferences,needs, and values and ensuring that patient valuesguide all clinical decisions; timely – reducing waitsand sometimes harmful delays for both those whoreceive and those who give care; efficient – avoidingwaste, including waste of equipment, supplies,ideas, and energy; and equitable – providing carethat does not vary in quality because of personalcharacteristics such as gender, ethnicity, geographiclocation, and socio-economic status.9 Because thisdefinition of quality increasingly is being adoptedby payors, providers and regulators, health careorganizations and their boards will need to bemindful of its implications.

The U.S. health care system is at a challenging pointin its history. It is, for many important historical

reasons, a mixed public-private system, and there isno foreseeable dynamic on the horizon suggesting amajor change to this reality. The health care systemalso arguably is driving the U.S. economy. A recentfederal forecast predicts that over the next decade,U.S. health care spending will double from today’slevel to $4.1 trillion and will represent 20% of thegross domestic product.10 We have a health caresystem that is extraordinarily advanced, yet is ineffi-cient, uneven, and too often unsafe. A consensus isforming that improvement in the system will requirebetter collaboration and cooperation among inde-pendent providers, payors and purchasers, moreintegrated care, and better aligned incentives. Suchcollaboration and cooperation inevitably will raiselegal compliance issues that health care organiza-tion boards of directors will need to understand inexercising their oversight function.

A scorecard on the U.S. health care system devel-oped by the Commonwealth Fund in 2006 showedthe following results, among others:11• For 37 key indicators for five health care system

dimensions (quality, access, equity, outcomesand efficiencies), the overall U.S. score was 66out of a possible 100.

• Efficiency was the single worst score among thefive dimensions. For example, in 2000/2001,the U.S. ranked 16th out of 20 countries in useof electronic health records.

• The U.S. is the worldwide leader in costs.• The U.S. scored 15th out of 19 countries in

mortality attributable to health care services.• Basic tools (i.e., Health IT) are missing to track

patients through their lives.• We do poorly at transition stages —hospital

readmission rates from nursing homes arehigh; our reimbursement system encourages“churning.”

• Improving performance in key areas wouldsave 100,000 to 150,000 lives and $50 billion to$100 billion annually.

The report makes several key recommendations.The U.S. should expand health insurance coverage;implement major quality and safety improvements;work toward a more organized delivery system thatemphasizes primary and preventive care that ispatient-centered; increase transparency andreporting on quality and costs; reward performancefor quality and efficiency; expand the use of inter-

8 Crossing the Quality Chasm, Institute of Medicine, 2001, p.19 Id. at 6.10 “Health Care Spending Projected to Pass $4 Trillion Mark by 2016,” Health Affairs, February 21, 2007.11 The Commonwealth Fund Commission on a High Performance Health System, “Why Not the Best? Results from a National

Scorecard on U.S. Health System Performance,” The Commonwealth Fund, September 2006.

29

DeFInInG QUAlIty oF CARe

operable information technology; and encouragecollaboration among stakeholders.

In a similar vein, the IOM recently stated in one ofseveral follow-up reports to Crossing the QualityChasm that the Medicare payment system does notreward efficiency and provides few disincentives foroveruse, underuse or misuse of care.12 Furthermore,the IOM proposed that incentives should encouragedelivery of high-quality care efficiently, requireproviders to assume shared accountability for transi-tions between care settings and require coordina-tion of care for patients with chronic disease.

We are entering a new era of thinking about healthcare quality and collaboration among health careproviders. Numerous new measures of health carequality are becoming public every day. Purchasers,payors, state governments, the Joint Commissionand others are requiring reporting, particularly byhospitals, of outcomes pursuant to such measures.Pay-for-performance programs are becomingcommon among both public and private payors. Anew generation of “gainsharing” proposals anddemonstrations are emerging.13 In late February2007, HHS Secretary Mike Leavitt unveiled a newquality-improvement plan, called “ValueExchanges,” that would establish local quality-improvement collaborations with an eye toward anational link-up in a few years.14 All of this putsincreasing focus and scrutiny on health care organi-zations, and their boards of directors, in connec-tion with the quality issue. Indeed, the NationalQuality Forum, perhaps the most well knownsource of nationally approved quality measures, hasissued a paper entitled Hospital Governing Boardsand Quality of Care: A Call to Responsibility.15

Perhaps one of the most critical and often misun-derstood components of health care quality is therelationship between overall quality and cost efficiency. Increasingly, it is becoming more widelyunderstood that quality and efficiency are comple-mentary, not contradictory, elements of an effectivehealth care system. Efficiency, by definition, meansavoidance of unnecessary, and often harmful, care.As Don Berwick, a recognized national qualityexpert, stated in Health Affairs in 2005, “Right fromthe start it has been one of the great illusions in

the reign of quality that quality and cost go inopposite directions. There remains very littleevidence of that.”16

Because it is coming from the federal government,state government, and private purchasers andpayors, the emphasis on collaborative arrangementsand cooperation in care giving across independentproviders, aggregate payment pools and alignedincentives will require providers to look for legalways to collaborate and, indeed, align incentivesthrough new financial relationships. In particular,innovative hospital-physician financial relationships,including a variety of formal and informal part-nering arrangements, are critical to the achieve-ment of all six of the aims set forth in Crossing theQuality Chasm. Examples include pay-for-perform-ance demonstrations, gainsharing initiatives, elec-tronic health record implementation efforts, outpa-tient care centers, service line joint ventures, andmanagement and leasing arrangements.Evidence-based medicine reasonably can defineproper use and increasingly is relied upon to do so.It is expected that the public sector will continue toseek to balance its role as both purchaser and regu-lator in the search for quality improvement inhealth care. The private sector at times may have toinitiate change before the payment system and regu-lations catch up, but the rewards are potentially veryhigh—in terms of organizational success as well associal benefit. At the same time, however, legalcompliance issues likely will arise in connection withefforts to implement these changes. Health careorganizations with oversight by their boards ofdirectors will be required in this regard to bemindful of the anti-kickback statute, the physicianself-referral (Stark) law, civil money penalty statutes,the Health Insurance Portability and AccountabilityAct (HIPAA), federal tax-exemption standards andantitrust law, among other legal areas.

There is an opportunity for the best performers inthe industry to create profound change, and thenopen up these best practices through transparencyof data and the promotion of collaboration tospread change. Health care boards of directorshave the unique opportunity to take leadership inimplementing quality systems that will advancetheir organizations’ respective missions and the

12 Rewarding Provider Performance: Aligning Incentives in Medicine, Institute of Medicine, 2007.13 OIG reviews gainsharing and pay-for-performance programs on a case-by-case basis, and CMS’ position on applicability of the

Stark Law to such programs is still evolving.14 Press Release, U.S. Department of Health & Human Services, HHS Secretary Leavitt Unveils Plan for “Value Exchanges” to

Report on Health Care Quality and Cost at Local Level (February 28, 2007).15 “Hospital Governing Boards and Quality of Care: A Call to Responsibility,” The National Quality Forum, December 2, 2004.16 Robert Galvin, “‘A Deficiency of Will and Ambition’: A Conversation with Donald Berwick,” Health Affairs Web Exclusive,

January 12, 2005.

30

nation’s health. They also have the responsibility todo so in a legally compliant manner.

IV. The government’s Role inEnforcing Health CareQuality

An extensive federal and state regulatory schemegoverns the care delivered by health care providers.Designed to promote quality of care, these stan-dards provide a baseline for assessing the level ofcare provided to the patient and, as discussed previ-ously, increasingly determine the health careprovider’s reimbursement. For example, Medicareand Medicaid conditions of participation requirehospitals to monitor quality through credentialingof medical staff and maintaining effective qualityassessment and performance improvement programs.These conditions of participation specify that themedical staff is accountable to a hospital’s governingbody for the quality of care provided to patients. Longterm care providers must meet specific quality of carestandards, undergo state surveys, and pass state certifi-cations to participate in government programs. Theregulatory framework includes a range of progressiveadministrative sanctions, including heightened over-sight and monetary penalties that may be imposedagainst providers that fail to comply with the regulatoryrequirements.

In addition to these administrative remedies, thegovernment enforcement authorities are increasinglyfocusing on the quality of care provided to benefici-aries of the federal health care programs. The OIG,the U.S. Department of Justice, and state AttorneysGeneral are working collaboratively with the healthcare regulatory agencies to address the provision ofsubstandard care by individuals and institutions.Sanctions may range from monetary penalties toexclusion from federal and state health careprograms and even incarceration for the most seriousoffenses. For example, a health care provider can besubject to exclusion from the federal health careprograms if it provides medically unnecessary servicesor services that fail to meet professionally recognizedstandards of care. Even individuals who are not directcare providers, such as hospital administrators andnursing home owners, may be subject to exclusion ifthey cause others to provide substandard care.Consequently, all levels of a health care organization,from the direct caregiver to the governing body of aninstitutional provider, could face liability for failing tomeet the quality of care obligations applicable togovernment program providers.

As part of these enforcement efforts, authorities areclosely evaluating quality-reporting data. Forexample, government authorities are increasinglyscrutinizing quality data submitted by health careproviders to identify inconsistencies and evidence ofongoing quality problems that providers fail toaddress. Sources of quality-reporting data include,for example, the hospital quality data for the annualpayment updates, physician quality-reporting datareported to CMS, medical error and “sentinel event”data reported to the Joint Commission, and qualityreporting required under state law. The accuracy ofthe data submitted to government agencies andthird party payors is vital. In addition to relying onsuch information for monitoring quality and patientsafety issues, the federal health care programsincreasingly use this data for determining reimburse-ment, as in the case of the Minimum Data Set in thenursing home setting. Consequently, inaccuratereporting of quality data could result in the misrep-resentation of the status of patients and residents,the submission of false claims, and potential enforce-ment action. As authorities continue to scrutinizequality-reporting data, boards will benefit fromensuring that structures and processes exist withintheir institution to carefully review this data for accu-racy and address potential quality of care issues.To evaluate the potential risk to the organization, itis important that board members understand thetheories of liability relied upon by the government.The predominant criminal and civil fraud theories—medically unnecessary services and “failure ofcare”—rely on the submission of a claim for reim-bursement to the government to establish jurisdic-tion over the provider. Medicare and Medicaid onlycover costs that are reasonable and necessary for thediagnosis or treatment of illness or injury. Whenmedically unnecessary services are provided, thepatient is unnecessarily exposed to risks of a medicalprocedure and the federal health care programsincur needless costs. Hospitals have been subject toprosecution under this theory. For example, a grandjury indicted a Michigan hospital based on its failureto properly investigate medically unnecessary painmanagement procedures performed by a physicianon its medical staff. In another case, a Californiahospital recently paid $59.5 million to settle civilFalse Claims Act allegations that the hospital inade-quately performed credentialing and peer review ofcardiologists on its staff who performed medicallyunnecessary invasive cardiac procedures.The second theory of liability involves the provisionof care that is so deficient that it amounts to nocare at all. This theory derives from the conceptcommonly applied in the financial fraud context,which subjects providers to liability for billing

31

tHe GoVeRnment’s Role In enFoRCInG HeAltH CARe QUAlIty

government programs for services that were notactually rendered. These cases frequently involveproviders, such as nursing homes, that receive “perdiem” payments for providing all necessary treat-ment to patients. For example, a Colorado rehabili-tation center entered into a $1.9 million civil FalseClaims Act settlement to resolve allegations that itprovided worthless services to patients, resultingfrom systemic understaffing at the facility, wheredeficient services and abuse caused six patientdeaths. Federal prosecutors in Missouri charged along term care facility management company, itsCEO, and three nursing homes with conspiracyand health care fraud based on the contention thatthe defendants imposed budgetary constraints thatthey knew or should have known would preventfacilities from providing adequate care to residents.The CEO was sentenced to pay $29,000 in criminalfines and to serve an 18-month period of incarcera-tion. The management company and nursinghomes were each sentenced to pay $182,250 incriminal fines. In a related civil case, the defen-dants paid $1.25 million to resolve False Claims Actallegations, and agreed to be excluded fromfederal health care programs.

This fraud theory also is applied in cases involvingviolations of regulatory requirements related toquality of care. For example, a Pennsylvaniahospital entered into a $200,000 civil False ClaimsAct settlement to resolve substandard care allega-tions related to the improper use of restraints.

In addition to substantial civil penalties and crim-inal fines, health care providers that systematicallyfail to provide care of an acceptable quality can beexcluded from federal health care programs,meaning Medicare and Medicaid will not pay foritems or services furnished by the provider. Theprovision of care that fails to meet accepted stan-dards of care is an enforcement priority for OIG,which is actively pursuing these cases under admin-istrative sanction authorities that explicitly addressquality of care. OIG can impose exclusion from thefederal health care programs against anyone whofurnishes or causes to be furnished medicallyunnecessary services or services that fail to meetprofessionally recognized standards of health care.17Additionally, OIG is required by law to excludeanyone convicted of patient neglect or abuse.18

As part of global settlements of civil health carefraud matters, OIG may negotiate a waiver of the

permissive exclusion in exchange for a provider’sagreement to enter into a corporate integrity agree-ment (CIA). In cases involving substandard care,these agreements can involve comprehensive moni-toring provisions designed to assess the provider’sinternal quality improvement infrastructure. A list ofthe health care providers currently subject to CIAs(including nursing homes, psychiatric facilities, andregional and national chains) is found at the OIG’swebsite, http://oig.hhs.gov/fraud/cias.asp.

A CIA also might entail board-level obligations to helpensure that the organization embraces a commitmentto the delivery of quality care. For example, the TenetHealthcare Corporation board of directors has specificobligations under the organization’s current CIA. OIGhas required the board to (1) review and oversee theperformance of the compliance staff, (2) annuallyreview the effectiveness of the compliance program,(3) engage an independent compliance consultant toassist the board in its review and oversight of Tenet’scompliance activities, and (4) submit to OIG a resolu-tion summarizing its review of Tenet’s compliance withthe CIA and federal health care program require-ments. These obligations reflect a growing recognitionof the critical role that boards of directors play inensuring that their organizations promote quality,ensure patient safety, and are in compliance with theobligations of government health care programs.

V. Health Care Board FiduciaryDuty and Quality

Health care is unique in representing both a socialgood and an economic commodity. Boards ofdirectors of many health care organizations havebeen called upon to see that their organization’sapproach those realities in concert, not in competi-tion, with each other. These boards understandthat the quality of the products and services theirorganizations provide can have life or death impli-cations. Health care organizations generally viewthemselves as mission-driven and health carequality is a key component of that mission.Yet, the Institute of Medicine’s recognition in 1999that medical errors lead to as many as 100,000deaths per year served as a wake-up call. Evolvingevidence and research into best practices andoutcomes measures have provided the impetus totoday’s rapidly growing “quality movement,” whichis triggering a whole variety of mandatory andvoluntary activities by health care organizations toimprove quality and reduce costs.

17 42 U.S.C. § 1320a-7(b)(6)(B).18 42 U.S.C. § 1320a-7(a)(2).

32

These new programs and requirements raise thestakes for health care organizations, both finan-cially and legally. Poor quality and value, or thefailure to demonstrate good quality and value,increasingly may affect the viability of health careproviders, products manufacturers and others. Lawenforcement agencies are increasing their scrutinyof providers that deliver substandard care tofederal health care beneficiaries. On the otherhand, demonstrated quality and value likely willhave a positive mission as well as financial effect.Accurate measurement and reporting—indeed,effective compliance with an evolving set of obliga-tions—will be required.

Directors will need to understand this evolvingreality and, if they have not already done so, elevatequality as newly defined to the same level of focusthat financial viability and regulatory compliancecurrently command. The next section of thisresource provides directors with certain questionsthat may assist them in exercising their oversightresponsibilities in this increasingly important area.

VI. Suggested Questions forDirectors

Boards of Directors can play a critical role inadvancing the clinical improvement initiatives intheir organizations. To realize its full potential, aboard needs to develop an understanding of therelevant quality and patient safety issues and thenfocus on performance goals that drive the organiza-tion to provide the best quality and most efficientcare. The following series of suggested questionsmay be helpful as the board examines the scopeand operation of the organization’s quality andsafety initiatives.

A. What are the goals of the organization’s

quality improvement program? What

metrics and benchmarks are used to

measure progress towards each of these

performance goals? How is each goal

specifically linked to management

accountability?

There are a growing number of national public andprivate initiatives directed at promoting quality ofcare, patient safety, and the corresponding reductionin medical errors. These initiatives rely on clinicalcare benchmarks to facilitate oversight and promoteimproved quality outcomes. Such benchmarks, usedin conjunction with industry-wide reported data, can

provide a context for creating quality of care goals,aligning organizational incentives, and providing aframework for management’s reports to the board.Once these parameters are defined, the board canmore readily hold management accountable formeeting the organization’s quality performance goals.

B. How does the organization measure and

improve the quality of patient/resident

care? Who are the key management and

clinical leaders responsible for these

quality and safety programs?

As a threshold matter, the board may wish toconfirm its understanding of the structures andprocesses the organization relies upon to overseeand improve clinical quality and patient safety.Only after it has a complete understanding of howthe organization’s quality assurance functionsoperate can the board evaluate the breadth andeffectiveness of a quality improvement program.The organizational assessment also can provide acommon basis from which management and theboard can evaluate these processes against currentand emerging regulatory requirements.

C. How are the organization’s quality

assessment and improvement processes

integrated into overall corporate policies

and operations? Are clinical quality

standards supported by operational

policies? How does management implement

and enforce these policies? What internal

controls exist to monitor and report on

quality metrics?

Consistent with the fundamental fiduciary responsi-bility of oversight, the board has responsibility forinstitutional policies and procedures relative toquality of care. Increasingly, common law recog-nizes among a board’s non-delegable duties theduty to formulate, adopt, and enforce adequaterules and policies to ensure quality care for all ofthe organization’s patients and residents. Althoughboards appropriately may utilize the expertise ofthe medical staff and other professionals to addressprofessional competency and quality issues, theseprofessionals should work actively with the board toadvance the institution’s quality agenda, to identifysystemic deficiencies and to make appropriaterecommendations for action. Periodic reviews withmanagement of the quality of care provided topatients and evaluations of the adequacy of thesepolicies in light of evolving standards, clinical practices, and claims experience or trends areconsistent with board responsibilities.

33

sUGGesteD QUestIons FoR DIReCtoRs

D. Does the board have a formal orientation

and continuing education process that

helps members appreciate external quality

and patient safety requirements? Does the

board include members with expertise in

patient safety and quality improvement

issues?

In an era of increasing governance accountability,the boards of health care organizations areexpected to understand and be involved in theassessment of performance on quality and patientsafety initiatives of their organizations. An under-standing of clinical quality measurements, theability to read quality scorecards and spot red flags,and an appreciation of quality of care as a corpo-rate governance issue may be critical to an effectiveboard. Equally important, board members need ageneral understanding of national trends in healthcare quality. Collectively, these skills will enable theboard to appreciate the interrelationship of patientsafety, health care quality and performance meas-urement, as well as the business case for quality. Forthe same reasons a board has financial experts onits audit committee, health care organizations thatprovide or arrange for goods or services needmembers with competencies in quality and patientsafety issues. With such resources, the board isbetter positioned to call for and evaluate mean-ingful quality information using recognizedperformance metrics from which to evaluate theorganization’s clinical quality performance.

E. What information is essential to the board’s

ability to understand and evaluate the

organization’s quality assessment and

performance improvement programs?

Once these performance metrics and

benchmarks are established, how

frequently does the board receive reports

about the quality improvement efforts?

The board should consider the nature and level ofinformation it needs to oversee the quality of carein the organization. If there are too many qualityindicators, the data may become overwhelming andthe critical measures of success may be overlooked.The board may want to work with management andthe organization’s medical leadership to identify afocused number of vital indicators that are proba-tive of quality or indicative of changes in quality ofpatient care. In determining which performancemeasures to include in its “dashboard,” the boardmay want to consider the quality data reviewed by

government agencies, the information subject tomandatory reporting requirements, and relevantindustry benchmarks.

As part of its oversight of the quality of care deliv-ered by subsidiaries, parent or system boards mayhave different information needs. While agrounding in quality and patient safety initiativesremains important, the parent board appropriatelymay rely on local boards to oversee clinical qualityof the local facilities under its purview. In largehealth care systems, the parent board may exerciseits governance responsibilities by focusing on theeffectiveness of the local boards.

F. How are the organization’s quality assess-

ment and improvement processes coordi-

nated with its corporate compliance

program? How are quality of care and

patient safety issues addressed in the

organization’s risk assessment and correc-

tive action plans?

As discussed in Corporate Responsibility and CorporateCompliance,19 an effective corporate complianceprogram can be instrumental in the board’s exer-cise of its fiduciary duty of care. Increasingly, moni-toring quality and patient safety issues is recognizedas integral to promoting corporate compliance, aswell as to risk management and organizationalreputation. Use of regulatory compliance processesto continually assess the organization’s qualityperformance can assist in exposing deficiencypatterns, which if not recognized and addressed ina timely and effective manner, may expose theorganization to enforcement action. Accordingly, asquality improvement takes on increased signifi-cance in the organization’s compliance program,the board may want to assure itself that the compli-ance officer is collaborating with the organization’sclinical leadership.

g. What processes are in place to promote

the reporting of quality concerns and

medical errors and to protect those who

ask questions and report problems? What

guidelines exist for reporting quality and

patient safety concerns to the board?

A lack of transparency in the organization’sresponse to concerns about quality and patientsafety can contribute to a culture where problemsare not addressed and are therefore likely toreoccur. Improving the effectiveness and safety of

19 See supra note 1.

34

services and quality of care requires participationby clinical staff at all levels. In fulfilling its duty ofcare, the board should consider verifying that theorganization has a mechanism to encourageconstructive criticism and reporting of errors.Effective compliance programs are structured toaddress “whistleblower” reporting and protections,and the organization should consider incorpo-rating the reporting of quality and patient safetyconcerns into both existing compliance proceduresand general operating practices.

H. Are human and other resources adequate

to support patient safety and clinical

quality? How are proposed changes in

resource allocation evaluated from the

perspective of clinical quality and patient

care? Are systems in place to provide

adequate resources to account for differ-

ences in patient acuity and care needs?

Participation in the federal health care programsrequires that the health care organization delivercare of a quality that meets professionally recog-nized standards of care. When investigating allega-tions of substandard quality of care, the govern-ment will scrutinize whether the health careprovider devoted sufficient resources to ensure thatthe care provided to patients or residents met basicquality requirements. Inadequate levels of profes-sional and support staff, for example, may result ina pattern of substandard care. As part of its annualreview of the organization’s operating plans andbudget, the board should consider the impact ofthese resource allocation decisions on the quality ofcare and patient safety. For the same reason, theboard should ensure that management has assessedthe impact of staff reductions or other budgetconstraints on quality of care.

A companion area for oversight relates to approvalsof new services and significant technology acquisi-tions. Inquiry regarding the scientific basessupporting the efficacy and safety of new services andthe identification of supportive processes to ensurequality and safety of new technology and services mayserve to protect financial resources as well as patientsafety.

I. Do the organization’s competency assess-

ment and training, credentialing, and peer

review processes adequately recognize the

necessary focus on clinical quality and

patient safety issues?

Boards rely heavily on the expertise of theirmedical staff and the integrity and comprehensive-ness of its competency assessment and training,credentialing, and peer review processes to ensurethe competency of clinical staff. Alignment ofprofessional staff credentialing standards withquality data can advance a quality-driven model forthe professional staff and allows the organization totake appropriate action when significant qualitydeficiencies are identified.

J. How are “adverse patient events” and

other medical errors identified, analyzed,

reported, and incorporated into the

organization’s performance improvement

activities? How do management and the

board address quality deficiencies without

unnecessarily increasing the organization’s

liability exposure?

Providers operate under significant federal andstate requirements relating to quality reporting andimprovement. Hospitals, for example, are requiredto maintain an effective, data-driven quality assess-ment and improvement program as a condition ofparticipation in the Medicare program. Theseprograms must track quality indicators, includingadverse patient events, and set performanceimprovement priorities that focus on high-risk orproblem-prone areas. A growing number of stateshave mandatory reporting systems for at least someforms of adverse events occurring in acute carehospitals. For example, some states are mandatingthe reporting of “never events,” those errors inmedical care that are clearly identifiable, prevent-able and serious in their consequences for patients.Examples of “never events” include surgery on thewrong body part, a mismatched blood transfusion,and severe “pressure ulcers” acquired in thehospital. In addition, there are other reportingrequirements, including the peer review reportingprovisions of the Health Care Quality ImprovementAct, state peer review statutes, and the privilege andconfidentiality provisions of the Patient Safety and

35

sUGGesteD QUestIons FoR DIReCtoRs

Quality Improvement Act of 2005. Although theapplication of these statutes to medical staff creden-tialing, peer review, and broader quality reportingand improvement activities may be challenging,greater organizational risks may lie in the failure toaddress known or foreseeable quality deficiencies.

Obviously, corporate boards and managers need toevaluate and address quality and patient safetyissues but without unnecessarily increasing organi-zational exposure to liability resulting from theprovision of deficient care. It is therefore impor-tant for the board to understand the scope offederal and state statutory protections given certainquality-related activities and to make reasonableinquiry to assure that management and the medicalstaff effectively manage this issue. A discussion withlegal counsel on this topic may be helpful.

VII. Conclusion

Contemporary health care quality, patient safety,and cost efficiency initiatives provide an opportu-nity for health care organizations to make a posi-tive difference to society while promoting theirmissions and enhancing their financial success.However, health care boards of directors will needto exercise their oversight responsibilities in thisarea diligently and assure that their organizationsare pursuing these opportunities in compliancewith evolving legal requirements. The commentsand perspectives shared in this educationalresource will, it is hoped, assist health care organi-zation boards in exercising their duty of care as itrelates to health care quality effectively, efficiently,and in a manner that will help improve the nation’shealth care system.

36

1620 Eye Street, NW, 6th FloorWashington, DC 20006-4010(202) 833-1100 www.healthlawyers.org

Public Information Series

Educating our members, their clients and localcommunities on important health law issues

www.healthlawyers.org/PublicInterest

Documents

The Health Care Director's Compliance Duties: A Continued Focus of