What Compliance Officers Need To Do To Address Compliance High-Risk Areas

The biggest challenge for compliance officers is addressing compliance high-risk areas through ongoing monitoring and independent auditing. Ongoing monitoring is the responsibility of program managers who must stay abreast of rules and regulations, ensure that any changes are incorporated in policies and procedures, train their staff on those changes, and verify staff adherence to the new updated policies and procedures. On the other hand, ongoing auditing must be conducted by parties outside the operational areas under review, and may be conducted by a variety of internal and external resources, including the Compliance Office and Internal Audit.  External reviewers can be consultant experts or operational auditors. Operational high-risk auditing has two primary objectives: (1) verifying that managers meet their obligations for ongoing monitoring; and (2) validating that the process achieves desired outcomes. High-risk areas are numerous; the OIG compliance guidance for hospitals identified over 40 areas and more are being added every year.

Compliance Officer Best Practice Tips

1. Work with management to identify and make a list of high-risk compliance areas related to their operational practices, beginning with the OIG Work Plans, Fraud Alerts, Advisory Opinions, audits, and enforcement priorities, along with Medicare contractor activities (e.g., RACs, ZPICs, etc.), industry news, PERM reports, and PEPPER data, among others.

2. Ensure that each high-risk area is assessed in terms of level of risk, probability of risk exposure, and impact or damage from a risk area.

3. Develop and implement a monitoring plan that addresses all risk areas and details how compliance risks can be tested and reviewed on an ongoing basis.

4. Calculate the potential damage for a risk failure, including the possible scale of direct and indirect financial consequences (i.e., liability or penalties). Consider using statistical techniques to do this.

5. Determine the adequacy of ongoing monitoring by program managers.

6. Establish the likelihood of a risk event, taking into consideration whether the area is a current enforcement priority (e.g., improper physician arrangements).

7. Determine adequacy of the internal controls (e.g., policies and procedures) that are currently in place that could mitigate risks and reduce the chance that an unwanted risk event will occur.

8. Create a compliance audit plan based on risk assessment results, with the highest priority given to areas of highest risk.

9. Ensure there are specialized training programs based on risk assessment results.

10. Institute a corrective action plan for all deficiencies found within a risk area and verify that it works as intended.

11. Include results of monitoring and auditing as regular agenda items for both the management and Board level compliance committees.

12. Engage compliance experts to independently evaluate the effectiveness of a compliance program as called for by the OIG, but place special emphasis on the scope of work on reviewing high-risk areas.