+1443 776-2705 panelessays@gmail.com

due in 20 hours



Compliance Indicators and Personal Application

Review the Health Care Compliance Association’s Evaluating and Improving a Compliance Program (Links to an external site.)
. Choose and discuss one of the indicators presented in the HCCA reading in relation to an organization or agency that you have worked for or are familiar with.

· How did your agency’s compliance program support this specific indicator?

· What could have been done to improve your agency’s compliance efforts?

Self-Evaluation and Personal Goal Setting

· Do you think some (or all) of these indicators could be used as a method for self-evaluation for individuals involved in healthcare compliance? Why or why not?

· How could you evaluate yourself as an individual in relation to these indicators, in whatever field you work presently (or even as a student)? Are there some indicators that are more applicable to you than others?

· How do you think you could use these indicators as a tool for personal goal setting in- and outside the field of healthcare compliance?

Your journal entry may be informally written in first person and should consist of approximately 350-500 words.

Evaluating and Improving A Compliance Program

Enclosed for reference is a sample compliance document developed in
2003 by a Task Force assigned by the Health Care Compliance Association.
It was developed as a resource for evaluating and improving a compliance
program for Health Care Executives and Compliance Officers.

The Society of Corporate Compliance & Ethics


5780 Lincoln Drive · Suite 120 · Minneapolis, MN 55436 · 888/580-8373 · www.hcca-info.org

January 24, 2003

Dear HCCA Colleagues:

On behalf of the HCCA Board of Directors and the many volunteers from across the country who served on the
HCCA Compliance Performance Measurement Initiative Task Force and its Steering and Drafting Committees,
we are pleased to announce the release of the following document, “Evaluating and Improving a Compliance
Program, A Resource for Health care Board Members, Health care Executives and Compliance Officers.”
This resource is now available to all HCCA members and other interested parties on the public section of the
HCCA website at www.hcca-info.org.

This document is the product of an extensive collaborative process and reflects hundreds of volunteer hours of
research, meetings, drafting, collaborative discussions, decades of collective professional experience, as well as
the important feedback received from the HCCA membership through surveys, interactions at meetings and
finally, through comments received during a 45-day review and comment period.

We trust that this document will provide added value by identifying and sharing information and best practices
regarding the operation and evaluation of compliance programs. While principally developed for the benefit of
HCCA members, this reference is intended to be a useful guide to all health care compliance professionals.
Nevertheless, it is important to note that this document is not intended nor should it be used as a “cookbook” or
“list of standards.” One size certainly does not fit all. As a reference, you should use and tailor this information
to meet the specific needs of your organization and to better inform your board members, senior management and

This document will also serve as the foundation for the next steps in HCCA’s continued efforts to provide
practical tools to you, our members, to assess the performance of compliance programs within health care
organizations. Recognizing the complexity and variety of compliance issues within different health care industry
sectors, the HCCA Board has assigned the task of developing specific performance measurement tools for
different health care industry sectors to the HCCA Compliance Focus Groups (CFG’s), e.g., Health Systems CFG,
Home Health CFG, Pharmaceutical CFG, etc. The CFG’s will provide an appropriate and useful forum to attract
volunteers and their ideas to tailor and customize these tools to fit specific industry sector needs.

We encourage you to volunteer your time and ideas and join the CFG that represents your sector of health care.
Become part of the solution – join a CFG today! For more information on HCCA’s CFG’s, please contact Tracy
Hlavacek at (888) 580-8373, via email at [email protected], or visit the HCCA website at hcca-

With best regards,

L. Stephan Vincze, J.D., LL.M., CHC Sheryl Vacca
Chairman, Compliance Performance Measurement Immediate Past President, HCCA
Initiative Task Force Chair, Drafting Committee
Chairman, HCCA Pharmaceutical Compliance Focus Group HCCA Board Member
HCCA Board Member

Version 1.0
April 4, 2003
Health Care Compliance Association Copyright © 2003.

Evaluating and Improving

Compliance Program

A Resource

For Health Care Board Members, Health Care Executives
and Compliance Officers


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.


Table of Contents

Preamble ……………………………………………………………………………………… 3

Introduction………………………………………………………………………………….. 5

Indicator #1 – Policies and Procedures …………………………………………… 11

Indicator #2 – Ongoing Education and Training ……………………………… 14

Indicator #3 – Open Lines of Communication ………………………………… 18

Indicator #4 – Ongoing Monitoring and Auditing …………………………… 22

Indicator #5 – Enforcement and Discipline ……………………………………. 27

Indicator #6 – Investigation, Response and Prevention …………………….. 31


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.



The goal of the HCCA Compliance Performance Measurement Initiative is to improve the quality and
effectiveness of compliance programs by identifying and sharing information regarding the operation and
evaluation of compliance programs.

Due to the complexity and volume of health care regulations and the relative infancy of compliance
programs in health care organizations, management and governing bodies frequently have questions about
compliance programs. Are we focused on the right issues? Is the program addressing our principal risks?
How much should we spend? Are we deriving maximum value from our efforts? How do we evaluate
the quality and effectiveness of our program? While this document does not provide definitive answers to
these questions, it is intended to assist governing bodies, management teams, and compliance officers in
health care organizations in evaluating and improving compliance activities. In short, this document is
provided by the HCCA as a tool to help an organization determine whether the resources it devotes to
compliance are effectively, efficiently and appropriately utilized.

Simply stated, the objective of a compliance program is to create a process for identifying and reducing
risk and improving internal controls. Stated another way, from a legal enforcement standpoint, an
effective compliance program reduces the likelihood that an organization will be found to have recklessly
disregarded or deliberately violated the law. The aim of this document is to be a fluid guide to common
indicators and recommended best practices for compliance programs, not a collection of rigid standards.
In rare instances we have taken the position that a particular action or practice is an essential component
of an effective compliance program. In most instances however, what the organization is advised to do
depends on its size, resources, business activities, and past behaviors. We recognize and emphasize that
“one size does NOT fit all.” Compliance activities are best tailored to the unique needs and risks of the
organization. The common indicators identified in this document will not be applicable or appropriate for
every organization and even those common indicators that are relevant may need to be adjusted or
modified by the organization to achieve the objective of compliance.

Nevertheless, investigative and enforcement entities have consistently stated that a compliance program
should be judged, at least in part, by how it compares to programs of similarly situated organizations.
The HCCA believes that this document will help governing bodies, management teams, and compliance
officers effectively evaluate compliance programs and serve as a useful tool in the effort to improve the
quality and efficiency of compliance activities.

While the HCCA initiative is conducted principally as a benefit and service to HCCA members, the work
of this initiative will be shared with other interested public and private parties in a sincere effort to
promote greater understanding and progress in the field of health care compliance.


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.


The HCCA Compliance Performance Measurement Initiative Task Force and Committee Members are:

Task Force

Steve Vincze, Chair Lori Richardson Pelliccioni
Odell Guyton Roy Snell
William Heffron Sheryl Vacca
Lewis Morris Alan Yuspeh

Steering Committee

Lisa Murtha, Chair Jeff Oak
Al Bothe David Orbuch
Steve Brannan Steve Ortquist
Suzie Draper Dan Roach
Rory Jaffe John Steiner

Drafting Committee

Fred Entin, Co-Chair William Tillett
Sheryl Vacca, Co-Chair Debbie Troklus
William Mitchelson Mark Watson
Glen Reed Howard Young
Brent Saunders


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.



We live and operate in an era of risk. Nowhere is this truer than in the health care industry. While we
have decades of experience in the development of programs to address risks associated with patient care,
infectious diseases, workplace injuries, and natural disasters, most health care organizations have only
recently recognized the seriousness of the risk posed by non-compliance with the complex laws that
govern business practices in health care, like the False Claims Act, fraud and abuse, tax and antitrust
laws. Many organizations have begun implementing compliance programs to address these risks and to
answer new challenges like those posed by the Health Insurance Portability and Accountability Act,
“HIPAA.” Recent, highly publicized failures of corporate governance have raised questions regarding
the role of governing bodies and increased the emphasis on promoting and enhancing board oversight.

Compliance programs play an important role in helping health care organizations fulfill their obligations
to public and private payers, shareholders or bondholders, and the community at large. Health care
organizations have recognized that such programs are important because the regulatory environment in
which we operate is exceedingly complex, and we have a fundamental obligation to our patients and the
public to ensure that our participation in government and private reimbursement systems and the
operation of our health care organization is consistent with applicable laws and regulations.

What Is A Compliance Program?

In its simplest terms, a compliance program is a systematic process aimed at ensuring that the
organization and its employees (and perhaps business partners) comply with applicable laws, regulations,
and standards. In the context of health care, it usually includes a comprehensive strategy to ensure the
submission of consistently accurate claims to federal, state, and commercial payers. It frequently includes
an effort to adhere to other applicable laws and regulations relating to the delivery of health care products
and services. Some programs go beyond these areas and address antitrust, environmental, tax and other
laws as well. However, the principal focus of most compliance programs is on health care specific laws.

In a general sense, a compliance program has two basic components – structural and substantive.

• The structural component includes the basic framework necessary to build and operate an effective

compliance program. The structural component includes those elements articulated by the Office of
the Inspector General as necessary elements of a compliance program. These elements would
typically be included in any compliance program, regardless of the substantive legal or regulatory
issues the organization is trying to address. Generally, a program would include standards (policies
and procedures), high-level oversight, reporting, employee screening, education, auditing/monitoring,
enforcement and prevention.

• The substantive component relates to the specific body of substantive law (Medicare, Medicaid, anti-

kickback, Stark, insurance, ERISA, tax, antitrust, environmental, privacy, etc.) with which the
organization is attempting to comply. Organizations frequently develop policies and education
programs that explain to affected employees the obligations that the law imposes upon them in the
performance of their particular job function. For example, if the Medicare program requires patient
care providers to document patient care and treatment, an organization would seek to ensure that its
patient care staff understands the documentation requirements. Similarly, where services must be
provided by properly licensed and approved providers, care would be taken to ensure that providers


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.


are properly qualified and enrolled. Also, health plans comply with laws governing mandated
benefits, appeals and grievance procedures and timely claims payment.

A compliance program is much more than a policy communicating the organization’s intent to comply
with the applicable laws. In order to be effective, the compliance program must be designed in a manner

• Addresses the organization’s business activities and consequent risks;

• Educates those persons whose jobs could have a material impact on those risks;

• Includes auditing and reporting functions designed to measure the organization’s actual compliance

and the effectiveness of the program, and to identify problems as quickly and as efficiently as

• Provides for the prompt remediation of problems which are identified; and

• Contains enforcement and discipline components that ensure that employees take seriously their

compliance responsibilities.

Creating an effective compliance program requires the commitment of the organization to comply with
applicable laws. It also requires a systematic effort (scaled to the size, resources, and complexity of the
organization) to understand its principal legal obligations and risks and to make employees aware of how
the relevant laws and risks impact the performance of their job functions. In addition, employees will be
made aware of their obligation to be an active participant in the organization’s compliance effort.

Compliance Program Foundation

In its various guidance documents, the Office of the Inspector General, “OIG,” has spoken authoritatively
on the basic elements of an effective compliance program. The Federal Sentencing Guidelines have
defined an effective compliance program as “a program that has been reasonably designed, implemented,
and enforced so that it generally will be effective in preventing and detecting criminal conduct.”1 Clearly,
this requires more than just policy statements reminding employees of their obligation to obey the law. In
fact, the Sentencing Guidelines discuss seven elements of a compliance program.

1. Compliance Standards “The organization must have established compliance standards and procedures

to be followed by its employees and other agents that are reasonably capable of reducing the
prospect of criminal conduct.” Comment 3.(k)(1).

2. High Level Responsibility “Specific individual(s) within high level personnel of the organization

must have been assigned overall responsibility to oversee compliance with such standards and
procedures.” Comment 3.(k)(2).

3. Trustworthy Individuals “The organization must have used due care not to delegate substantial

discretionary authority to individuals whom the organization knew, or should have known through the
exercise of due diligence, had a propensity to engage in illegal activities.” Comment 3.(k)(3).

1 Federal Sentencing Guidelines, §8.A.2.Comment 3.


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.


4. Education “The organization must have taken steps to communicate effectively its standards and

procedures to all employees and other agents, by requiring participation in training programs or by
disseminating publications that explain in a practical manner what is required.” Comment 3.(k)(4).

5. Monitoring and Auditing “The organization must have taken reasonable steps to achieve compliance

with the standards, by utilizing monitoring and auditing systems reasonably designed to detect
criminal conduct by its employees and other agents and by having in place and publicizing a reporting
system whereby employees and other agents could report criminal conduct by others within the
organization without fear of retribution.” Comment 3.(k)(5).

6. Enforcement and Discipline “The standards must have been consistently enforced through

appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible
for the failure to detect an offense. Adequate discipline of individuals responsible for an offense is a
necessary component of enforcement; however, the form of discipline that will be appropriate will be
case specific.” Comment 3.(k)(6).

7. Response and Prevention “After an offense has been detected, the organization must have taken all

reasonable steps to respond appropriately to the offense and to prevent further similar offenses —
including any necessary modifications to its program to prevent and detect violations of law.”
Comment 3.(k)(7).

Evaluation and Measurement

In recent years compliance professionals Boards and executive leadership of organizations that have
implemented compliance programs, and enforcement officials who have an interest in compliance
effectiveness have all wrestled with how to evaluate an organization’s compliance efforts. Due to the
relative infancy of such programs there is scant data of measurable and objective criteria on which to
build an evaluation process.

As a practical matter, and in order to create a starting point for efforts to improve the quality and
efficiency of compliance programs, we believe that a compliance program can be evaluated by analyzing
two dimensions: effort and outcomes.

Effort is the time, money, resources and commitment that an organization puts into building and
improving a compliance program. While effort by itself will not guarantee compliance, it is unlikely that
outcomes will improve if the organization devotes inadequate time and resources to the task. Particularly
in the first several years of a program, effort is one measure of effectiveness that an organization can use
to assess its compliance program. How do the resources devoted to the program compare to similarly
situated organizations (size and complexity)? Are we addressing the issues that create the greatest risk for
similar organizations engaged in similar activities? Are we promptly refunding overpayments? Have we
addressed the issues that the OIG has identified in its guidance documents?

Outcomes are the impact that our efforts have on our level of compliance. As the compliance program
matures, the principle measure of effectiveness moves from effort to outcomes. If our processes are
appropriate, patients receiving non-covered services in an outpatient setting will have first received an
Advanced Beneficiary Notice or “ABN”. If our education efforts are adequate, coding will improve over
time. If our screening is consistent, the frequency with which we discover that we have employed or


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.


contracted with an excluded individual decreases. If our processes are adequate we will have fewer
instances where employees fail to receive required training. Our claim denial rates will decline, the
number of payments to physicians without an appropriate contract will fall, and we will consistently have
documentation that supports the claims we have submitted.

Obviously, progress will not always be linear. Staff turnover or personnel shortages will occur,
something will fall through the cracks, the rules will change, new reimbursement methodologies will be
adopted (APCs, RUGs, Home Health PPS, Medicare + Choice), new rules will be adopted (Stark), and
new laws will be enacted (HIPAA). Each of these events may temporarily slow our improvement.
Similarly, efforts will not always be perfect. An issue may be overlooked, an employee may ignore the
rules, or systems may temporarily fail us. In these instances we must show that we have moved promptly
to address an issue we missed in the past, appropriately disciplined the individual who disregarded the
rules, and corrected the mistakes caused by human error or system failure.

However, a compliance program that cannot demonstrate improvement in mitigating risk areas cannot be
deemed effective. Many providers are beginning to develop measurement tools to objectively evaluate
compliance programs. This document reflects some of the benchmarks or indicators that are in use and
the HCCA will continue to gather and share these tools with the health care industry. In doing so, it is our
goal to improve the quality and efficiency of compliance programs in the organizations we are honored to


Provider groups and representatives are understandably concerned about the time and effort required to
implement, maintain and improve a compliance program. In many segments of health care, margins are
razor thin if they exist at all. Providers are struggling with new government mandates, declining
reimbursement, increasing numbers of uninsured, professional shortages, and technology challenges. The
resources that an organization can devote to a compliance program are directly linked to both its size and
its margins.

While many of the specific activities discussed in this document – and even in the federal guidance
documents noted above – are relevant to most organizations, we recognize some activities will not work
in all organizations. For example, comment 3(k)(5) suggests that organizations must have reporting
systems, which employees and other agents may utilize “…without fear of retribution.” The OIG
suggests, and many organizations utilize, hotlines (staffed either internally or externally) designed to
preserve the anonymity of callers. As a practical matter, anonymity is difficult if not impossible in the
context of a small physician practice, which employs only a handful of people. Even if the caller did not
identify himself or herself, it is unlikely that the members of the clinic would not be able to identify the
source of the call. However, while anonymity may be a good idea in many contexts, the important
element is that the clinic has a process in place, which encourages employees to articulate their concerns
(e.g., through a suggestion/question box). The clinic should also have a mechanism to reasonably
evaluate and address the concern, and a culture that assures employees do not suffer retaliation as a result
of participating in the process.

In short, with rare exceptions, the components of an effective compliance program described in this
document can be altered if they are not relevant to the organization or if they are impractical given the
organization’s size and structure. This document frequently suggests multiple alternatives for achieving a
specific objective. Finally, this is the HCCA’s initial effort in this regard, but certainly not the last.


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.


Accordingly, this reference should be used as a “living document”—one that will evolve over time with
advances made and lessons learned in the compliance profession. This document has been formally
issued by the HCCA only after the HCCA Board, HCCA members, other interested persons and
organizations, and government had a meaningful opportunity to review the document, provide comments
and feedback and participate in collaborative discussions about how to make the document more useful.
We fully expect that the quality and utility of this document will improve as we continue to gather
information and comments from our members and other interested persons, review our practices, measure
our programs and improve our understanding of the laws, our organizations and our profession.

Questions are frequently raised regarding the respective roles of the Compliance Officer, management,
and the Board of Directors (or relevant Board committee) in the compliance process. The HCCA believes
that it is the Compliance Officer’s job to oversee the development and/or implementation of the
compliance program, to monitor adherence to the program, and to assess the impact of the program on the
organization’s compliance (outcome). These duties would include the program structure, content,
education programs, monitoring processes and other pieces of the program working with those in
operations in the organization and appropriate resources (e.g., legal, human resources, procurement,
billing, coding, reimbursement, and accounts payable) within and/or outside the organization. In an era of
resource constraints, it is also the Compliance Officer’s job to ensure that the program developed is as
efficient as possible.

The role of management is to ensure that the Compliance Officer is provided adequate resources (taking
into consideration the organizations size, risk, and resources) and to ensure that the program, once
developed, is effectively implemented. Fundamentally, it is management’s job to ensure that the program
developed by the compliance function is properly implemented.

The role of the Board is to ensure that the organization has implemented a compliance program that is
reasonably calculated to be effective. One purpose of this document is to help the Board (and
management) understand the components of an effective compliance program and enable the Board to
more intelligently and efficiently fulfill its responsibility.

We hope that the document is useful. If you have questions, suggestions or concerns, you can
provide your comments to the HCCA at the following address: Attention Tracy Hlavacek, HCCA,
5780 Lincoln Drive, Suite 120, Minneapolis, Minnesota 55436.


Version 1.0
April 4, 2003 Health Care Compliance Association Copyright © 2003.


Indicator #1 – Policies and Procedures

A. Rationale

In order to effectively operate a compliance program, an organization must generally develop written
standards, policies and procedures designed to address its principal risks. These written standards
communicate organizational values and expectations regarding employee behavior, explain the operation
of the compliance program, clarify and establish internal standards for compliance with laws and
regulations, and help employees understand the consequences of non-compliance to both the organization
and the individual.

Health care law and regulations are very complex. Providers and other health care organizations must
comply with thousands of pages of laws, rules, manual provisions and other requirements that are specific
to health care alone. Most health care organizations must also comply with the same tax, antitrust,
employment, environmental and other laws that apply to business organizations generally.
Meeting this obligation is most effectively accomplished in organizations that have developed policies
designed to guide employee conduct. These policies will distill relevant laws and regulations into clear,
understandable direction for employees. They will help focus the employee’s attention on the principal
compliance pitfalls or risks the organization faces.

B. Relevant Issues

Building an effective compliance program does not require the development of hundreds or even dozens
of policies and procedures. However, most compliance programs include policies and procedures that fall
into three broad categories: (i) a Code of Conduct; (ii) policies relating to the operation of the compliance
program; and (iii) policies addressing the organization’s principal legal (substantive) risks.

The Code of Conduct is typically a document that sets forth in general terms the organization’s
commitment to comply with the law. It varies from one or two to more than 30 pages in length. It
frequently includes statements or guidelines addressing the organization’s principal legal risks,
expectations relating to employee conduct, information regarding the organization’s compliance program
and instructions on how an employee can access the organization’s reporting mechanisms (see Indicator #
3). It may outline fundamental expectations regarding employee behavior applicable to all employees. It
is typically distributed to all employees upon commencement of employment.

Operational policies and procedures address the operation of the compliance program itself. Policies may
address issues such as the compliance reporting structure in the organization, compliance education
requirements, the …