Corporate Compliance: Covering the Bases

Corporate compliance is a concept that broadly applies to a range of corporate entities and refers to the processes these organizations follow to adhere to regulations and ethical standards. In healthcare, corporate compliance refers to an organization’s commitment to, and procedures for, detecting and preventing violations of state and federal laws, establishing expectations for ethical business practices, and setting appropriate standards for patient care and services. In short, corporate compliance is a commitment to do the right thing — both legally and ethically.

The notion of corporate compliance in healthcare is not new. For years, the U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) has encouraged healthcare providers to adopt corporate compliance initiatives. In doing so, HHS-OIG has supported seven fundamental elements of a corporate compliance plan:

1. Written policies and procedures
2. Compliance leadership and oversight
3. Training and education
4. Effective lines of communication with the compliance officer (CO) and disclosure program
5. Enforcing standards: consequences and incentives
6. Risk assessment, auditing, and monitoring
7. Responding to detected offenses and developing corrective action initiatives¹

With the implementation of the Patient Protection and Affordable Care Act (ACA) in 2010, compliance plans went from voluntary efforts to mandatory programs. Section 6401 of the ACA stipulates that healthcare providers must establish compliance programs as a condition of enrollment in Medicare, Medicaid, or the Children’s Health Insurance Program (CHIP).²

Whether developing a new compliance program or auditing an existing one, healthcare organizations should consider their specific risks. Just as no two healthcare practices or organizations are exactly the same, compliance programs also are not “one size fits all.” Organizations should tailor their compliance plans to meet their particular needs.

Areas that might benefit from review include:

• Business operation policies and procedures
• Billing and coding processes and review of claims submissions, including availability and adequacy of documentation, reasonable and necessary services, and accurate payment
• Health record documentation standards
• Health record retention policies and procedures
• Appropriate use of federal and state forms and documents
• Adherence to federal fraud and abuse laws (i.e., the Anti-Kickback Statute, the Physician Self-Referral Law, the False Claims Act, the Exclusion Authorities, and the Civil Monetary Penalties Law)
• Compliance with federal and state safety codes, regulations, and standards (e.g., OSHA standards, HIPAA, EMTALA, CMS Conditions of Participation, CDC guidelines, FDA standards, etc.)
• Organizational roles and responsibilities, including following licensing and scope of practice regulations, prescription authority rules, and professional standards
• Patient care standards and compliance with specialty protocols/guidelines
• Patient satisfaction and resulting corrective action plans
• Processes or functions that have been problematic in the past
• Training and education (e.g., fulfillment of required continuing education, training for new technologies or equipment, HIPAA training, etc.)

For further details about developing a corporate compliance program and policy, visit the HHS-OIG website and the CMS Medicare Learning Network Provider Compliance webpage. For tools and resources related to Medicaid fraud, waste, and abuse, see the CMS webpage on Medicaid Integrity Program — Educational Resources.

Endnotes

¹ U.S. Department of Health and Human Services, Office of Inspector General. (2023, November). General compliance program guidance. Retrieved from https://oig.hhs.gov/compliance/general-compliance-program-guidance/

² Patient Protection and Affordable Care Act, 42 U.S.C. § 18001 et seq. (2010).

---

Prevention & Education Center home