“Compliance in a Box” for Small Healthcare Organizations
Key Points:
- Absent a program increases enforcement encounters, liabilities & penalties
- The challenge is how to afford an effective Compliance Program
- Engaging an expert to build a “compliance program in a box”
- Outsourcing is less costly than hiring a Compliance Officer
- Dozen tips on selecting an outsourced compliance expert
All healthcare organizations, large and small, are expected to have a compliance program that meets the seven standard elements. Large healthcare organizations can develop and implement their Compliance Programs with full-time Compliance Officers and supporting staff, something smaller organizations cannot afford. However, not having an effective compliance program increases the likelihood of enforcement agency action and increases penalties for those found in violation of the law. In fact, most government enforcement actions involve smaller organizations such as physician practices, clinics, home health agencies, and hospices, among others. Almost without exception, these organizations were unable to evidence a functioning compliance program. Typically, these types of organizations do not operate on a scale to afford even one full-time person as their Compliance Officer, and having someone perform the duties as a secondary responsibility is a formula for a bad result. The OIG has long acknowledged the challenge to smaller organizations. Going back to their 2000 Compliance Program Guidance for Individual and Small Group Practices, and again with the 2023 General Compliance Program Guidance, they noted, “For those companies that have limited resources, the compliance function could be outsourced to an expert in compliance who can be a part time alternative to a W-2 employee Compliance Officer”. In short, it would be a matter of “buying a Compliance Program in a box.” A Designated Compliance Officer (DCO) expert could be engaged part-time to develop and manage both the compliance and privacy programs; however, they must report directly to the owner or CEO and not have any other program responsibilities or legal services. An experienced DCO consultant’s “Toolbox” should include (a) an understanding of the current regulatory environment and expectations; (b) proper scaling of the program; (c) the development of written compliance guidance (code, policies, internal controls); (d) compliance risk identification and mitigation; (e) addressing issues, incidents, and data breaches; and (f) assisting with encounters with government agencies.
A DCO consultant would work part-time, being paid only for hours worked. Costs for recruitment, training, and overhead (e.g., FICA, leave, benefits, etc.) for a W-2 employee would be avoided.
The following are tips for selecting a DCO to build a “Compliance Program in a Box”:
- Estimate the number of hours per month for the service.
- Determine the hourly rate and overall cost of the proposed services.
- Check consultant expertise (credentials, publications, presentations).
- Consider the length of experience as a consultant and/or compliance officer.
- Choose a firm focused on healthcare compliance, not generalized across all industries.
- Obtain references for providing similar types of services.
- Interview proposed consultants to assess whether they would fit into the entity’s culture.
- Check the firm’s staff credentials (e.g., JD, PhD, CPA, MBA, MPH, CPC, CCEP, CHC, CHPC, CHPS, PMP, HIM, RN, COC, CCNA, CDIP, etc.)
- Require professional indemnity insurance (at least $3 million coverage).
- Include provisions in the agreement to be available at any time needed.
- Have a clause in the agreement to enable termination with simple written notice.
See also https://www.compliance.com/services/interim-outsourced-compliance-staffing/
You can also keep up-to-date with Strategic Management Services by following us on LinkedIn.
