Guest Blog

Corporate Compliance in Health Care—Governance Oversight Change is Needed

By Guest Blogger: Don Quigley, Retired Chief Legal Officer for an East Coast Health System


Corporate Compliance, like Saskatchewan, has a familiar ring to directors or trustees of health care organizations, but few have personal experience or understanding of its attributes or relevance. That status seems likely to change in 2016 based upon the events of 2015, forecasting increased self-policing, personal accountability for leaders, and physician arrangements as the top risk areas. The government is seeking major, if not radical, changes in compliance oversight.

When health care providers commit or tolerate fraud and abuse in their delivery of services or billing for such services, the unfair and avoidable costs to the government, payors, and patients are enormous. During fiscal year 2014, the total costs for U.S. health care approximated $3 trillion; the total costs for Medicare patients alone totaled $618.7 billion. The Department of Health and Human Services Office of Inspector General (OIG) recently reported estimated recoveries during fiscal year 2015 of $3.35 billion from provider misconduct, and $2.22 billion was realized through civil and criminal investigations. Government officials acknowledge that recoveries represent only a tiny fraction of actual costs resulting from such abuses estimated at 3-10% of total program billings and perhaps exceeding $75 billion annually. Community trustees serving on governing boards of hospitals and health system organizations are mindful of the need to avoid fraud, waste, and abuse for the benefit of society. They are more likely focused on properly serving the best interests of the organizations they govern. Failure to comply with certain federal laws affecting their organizations poses threats that often are unknown to them or underestimated absent periodic education and reminders in the course of approving policies and transactions.

Ever since adoption of the Medicare program in 1965 there have been potential penalties for those seeking improper payment for services not rendered to Medicare and Medicaid beneficiaries (fraud) or billings that seek improper payment for services rendered (abuse). Health care lawyers recognize more specifically the need to comply with three major federal statutes. The Anti-Kickback Statute (AKS) provides for severe civil and criminal penalties for providers who pay something of value to induce patient referrals. The Physician Self-Referral Law (Stark II or Stark Law) strictly controls financial arrangements primarily between hospitals and physicians. Physicians receiving payments outside the rules, such as those above fair market rates or commercially unreasonable, are tainted. Each subsequent hospital bill for patient services they order risks major penalties. The False Claims Act (FCA) is a Civil War Reconstruction-era statute that provides for substantial civil and criminal penalties for knowingly billing the government for improper payments and is not limited to health care law violations. Violations of AKS and Stark may surface through various sources, including whistle blowers who may initiate private qui tam actions for perhaps 20% of the recovery allocated to them personally. CMS and OIG may resolve AKS and Stark violations with negotiated civil penalties or may refer a case to the U.S. Attorney for that jurisdiction where civil and criminal actions under FCA are likely. Recent FCA actions as described below suggest health care leaders must re-examine the risks. No longer can large but tolerable civil payments be the extent of penalties to fear.

Historical Development of Corporate Compliance

The foundation principle for a compliance program in any business is to manage employee performance against regulatory requirements through stated guidelines, education, and monitoring. Violations of the Foreign Corrupt Practices Act of 1977, with both civil and criminal penalties, prompted the Department of Justice to adopt informal guidelines to consider compliance efforts in assessing charges against defense contractors under criminal investigations. In 1991, the U.S. Sentencing Commission established the first formal sentencing guidelines to be used by federal judges. Those guidelines modeled standards for an “effective compliance program” in all businesses subject to criminal penalties. Health care organizations paid little attention as Stark II came in 1995, and criminal prosecutions against organizations under AKS and FCA were then difficult and rare.

Compliance program development in health care had meager beginnings in the 1990s when DOJ and OIG began mandating compliance programs in Corporate Integrity Agreements routinely required with health FCA settlements. Despite its criminal prosecution origin, compliance programs in health care really began in 1997 with a shift in focus to mitigating civil penalties.  HHS Inspector General June Gibbs Brown sent an “Open Letter” to health care providers supporting such programs and indicating presence of an “effective compliance program” would be the basis for negotiating reduced penalties for violations of health care laws. During the ensuing few years such programs became widely adopted though their depth and breadth varied greatly and few were actually subjected to external review.

Effective Compliance Program Elements

Over the last twenty years there has emerged a consensus among health lawyers, auditors, consultants, and government officials on the essential components of an effective program. Programs vary in the structure and emphasis for core elements, including the degree to which provisions are reduced to a written consolidated statement. Typically the elements are: (1) program adopted by leadership; (2) written policies often with a code of conduct; (3) targeted staff education; (4) ongoing audit; (5) investigations and corrective actions; (6) hot line for anonymous callers; and (7) periodic program review.

Clearly enforcement officials are not satisfied with attention given to all those elements in health care. Perhaps forecasting events coming later in June 2015, CMS issued a Special Fraud Alert to health care providers, noting the need for effective compliance programs and that their presence could have an effect upon resolution of AKS and FCA violations.

Evolution of Compliance Oversight

Most health leaders would concede that program evaluation against the guidelines seldom occurs. Doing nothing on compliance is rare for even small organizations. One reason for any program deficiencies is the lack of adequate governing board designation of the program as a priority.

Corporate compliance has not been deliberately discounted or ignored for oversight by governing boards; other issues have leapfrogged it on the priority list of topics demanding education, analysis, investigation, audit, and policy or program development. Health care publications produce a drumbeat of warnings and advice to health care trustees and executives on the need for immediate attention to various topics. Leaders can probably note multiple issues from the following list as their latest number one priority:

  • cybersecurity;
  • alternate payment models;
  • public reports on quality measures;
  • Affordable Care Act issues;
  • strategic planning;
  • investment management;
  • restructuring of health system authority in governance and management;
  • consolidation and acquisition of provider organizations; and
  • cost reductions required by current or future volume declines.

Those various priorities can suggest a need for immediate attention by the board or senior management. Compliance, however, involving legal standards and maintained with a specialized staff may suggest adequate oversight occurs through management plus a periodic, perhaps annual, board committee review of major audits and investigations by the professional staff and review of the staff work plan for the coming year. That extent of oversight should change with the new threats of criminal prosecution and catastrophic financial penalties.

New Threat of Criminal Prosecutions

The Obama Administration has often touted the increased level of civil and criminal enforcement actions brought against corporations violating federal laws during Attorney General Eric Holder’s tenure. There was, however, frequent criticism for a lack of punishment for responsible individuals when the government commenced or settled such legal proceedings. Over the last six months, three major changes have dramatically altered the rules and risks of punishment for individuals responsible for corporate wrongs.

First is the widely publicized Yates Memorandum. On September 9, 2015, Deputy Attorney General Sally Quillian Yates issued a memorandum to Assistant Attorneys General, the FBI Director, and all U.S. Attorneys. The Yates memo was followed on November 16, 2015, by its implementation through revisions in the U.S. Attorneys’ Manual, altering the so-called “Filip factors,” more formally known as “Principles of Federal Prosecution of Business Organizations.” The memo resulted from work of a task force that began under former Attorney General Holder and was completed under Attorney General Loretta Lynch. It describes six new policies or guidelines to be applied in exercising prosecutorial discretion on whether and how to determine actions against individuals for corporate wrongs:

  1. Corporate leaders must fully investigate and identify all directors and officers potentially responsible in order to receive “cooperation credit” in negotiating resolution of claims against the corporation;
  2. Investigators must focus on prior acts of directors and officers from the outset of their investigation – not the result;
  3. Separate civil and criminal federal prosecutors are directed to maintain close contacts throughout the process;
  4. Personal releases for directors and officers are not to be given absent “extraordinary circumstances” and will require written approval of the AG or US Attorney's Office as part of resolving the corporate matter;
  5. Corporate cases are directed not to be resolved without a written plan to pursue civil or criminal actions, or both, against individual directors and officers who are thought responsible;
  6. Rejecting prior custom, prosecutors may not consider the ability of individuals to pay fines and penalties if civil or criminal actions are brought against them later.


The attempt by DOJ to force more thorough internal investigations often found lacking in the past may well produce corporate corrections and reduce the volume of corporate wrongs. The added attempt to entice leaders to identify and potentially report themselves or their colleagues faces a less predictable future for compliance oversight changes. Alarm bells have rung across corporate America far beyond health care organizations concerned with the consequences, including:

  • tension between the Board and management when incidents arise;
  • separate counsel for individuals and the organization for internal reviews;
  • liability fears that hinder board recruitment;
  • uncertainty over sufficiency of internal reviews when judged later;
  • potential gaps in D&O insurance policies and indemnification policies; and
  • much higher defense costs for internal and external investigations.

On the flip side, government prosecutors will insist it provides a culture change inside board rooms: a new perspective on the need for oversight of corporate compliance generally and identifying suspect issues for further study, including the individuals responsible. In health care the Yates memo requirement to identify and report responsible individuals is a major development. As the civil settlements described below demonstrate, problematic physician arrangements are big risks and they almost always are approved by some corporate officers and often members of the governing board or its committees.

Secondly, the Department of Justice has brought new focus upon “effectiveness” of compliance programs. On November 2, 2015, Leslie Caldwell, DOJ Chief of the Criminal Division, announced new compliance program evaluation metrics to be applied in support of the Federal Sentencing Guidelines and focusing upon the presence or absence of factors that include:

  • degree of director and management support;
  • adequacy of compliance staffing;
  • existence of adequate written policies periodically reviewed and revised; and
  • communication of policies and guidelines to employees and suppliers.

Thirdly, the government has added effective compliance evaluation to a major new health law regulation that will be hard for health care leaders to ignore. The “60-day rule” was included in the Affordable Care Act, Section 6402a, and the mandated implementing regulations, 42 CFR 461.365, were issued on February 11, 2016. This new law addresses the issue of a health care organization discovering by audit, investigation, staff reports, or otherwise that it has billed and received payments from a government program that it was not entitled to receive. The recipient organization is given 60 days after discovery to return the payment; failure to do so constitutes an FCA violation for each such billed payment. The enormous risk is that violations of AKS and Stark arising from physician compensation arrangements are also included with the routine billing errors. The new regs specify that the 60-day period begins when the organization has “determined and quantified” the improper payment or should have done so with “reasonable diligence.” The regs then warn that failure to maintain adequate compliance activities may be considered a failure to exercise reasonable diligence in determining and quantifying receipt of improper payments within the 60-day period.

Compliance officers have long struggled with determining which matters require added investigation given normal limits of resources. The 60-day rule seeks to apply pressure on organizations to do more reviews and the regs can put the entire compliance program under examination if the payments in question become subject to government investigation.

New Civil Liability Risks

While routine billing errors remain the mundane work of compliance staff to avoid, the hurricane-sized losses are caused by violations of AKS, Stark, and FCA as noted above. Most large penalties arise from violations that involve financial arrangements between hospitals and physicians. Hospitals are predicted to employ 80% of future active physicians on their medical staffs and many of those not employed will have contracts and other arrangements with their local hospital. FCA settlements in late 2015 demonstrate stunning risks in both financial amounts and issues that indicate the likely highest priority for governing board compliance concern.

The highly publicized and analyzed case involving Tuomey Healthcare System in Sumter, South Carolina, ended over a decade of difficult litigation with a settlement in October, 2015, in which Tuomey agreed to pay $72.4 million before its sale to Palmetto Health as part of the settlement. The Tuomey Healthcare leaders entered into negotiations after the U.S. Court of Appeals for the Fourth Circuit upheld a jury verdict and judgment against Tuomey for $237.5 million, an amount that exceeded the then total annual revenues of Tuomey when awarded. A simple summary of the physician employment arrangements and government criticisms is revealing.

The 301-bed community hospital entered into part-time employment agreements in 2003 with nineteen specialty physicians practicing in the area. The physicians retained their private practices. The employment arrangements were for ten-year terms and were not typical employment contracts. The physicians were required to perform all surgeries and refer all procedures to the hospital, including those for their private practice patients. The compensation paid was far in excess of revenue to be collected from their personal services as employees. Their salaries were calculated in part based on net collections by Tuomey for all outpatient procedures including those performed or referred by the physicians from their private practices. One physician commenced the qui tam action in 2005 and the government intervened in 2007. After two trials and appeals Tuomey was forced to settle and sell after the $237.5m judgment was upheld.

Before signing the contracts Tuomey had sought and received multiple external legal opinions that the proposed agreements complied with Stark but one such opinion noted “red flags” for possible Stark violation. That opinion was neither accepted nor shared with the long-time counsel who later opined that the arrangements complied with Stark. The government argued that the arrangements were not “commercially reasonable” and considered the “volume or value” of physician referrals in establishing the compensation. The government further argued that compensation payments exceeding revenue from the physician services personally performed and producing “practice losses” evidenced an intent to pay for the value of their referrals to the hospital. The “advice of counsel” defense was rejected; the court suggested Tuomey may have gone “opinion shopping.” The “practice losses” theory, vigorously opposed by Tuomey counsel and health care attorneys in general, was not specifically relied upon by the court as there were other valid arguments supporting the jury's conclusion. The jury's award is noteworthy for including calculation of 21,700 claims submitted for services ordered by the disqualified physicians assessed at $5500 per claim or nearly $120 million. The risk of a jury applying such simple math makes a trial too risky for most organizations, grants enormous precedent leverage to negotiating prosecutors, and highlights a worst case event for all.

North Broward Hospital District in Florida settled for $69.5 million in September 2015 to resolve FCA claims arising from Stark violations involving nine highly-paid employed physicians. The government again asserted the “practice losses” theory that such compensation paid above revenue generated from physician services is not commercially reasonable.

Other major Stark/FCA settlements reinforce the risk of physician compensation arrangements including practice losses: Columbus in North Carolina ($35 million), Halifax and Adventists in Florida ($72.4 million and $118.7 million, respectively).

These described settlements offer an education for compliance officers and management. The potential organizational penalties combined with risk of personal liability must change their risk assessment concerning physician payments. Governing boards, however, are positioned to make critical inquiry about community need – not just institutional benefit – to justify budgeting expenses above income in certain practices. Compensation provisions with the potential for windfall payments or provisions that seldom exist in other organizations need to be questioned for “commercial reasonableness” even if blessed by an attorney or consultant. The net effect is that $72.4 million and a forced hospital sale and $69.5 million in penalties for overpaying only nine physicians grabs your attention.

A New Compliance Focus

All health systems and hospitals need compliance programs. The ACA-mandated CMS review of compliance currently under way will likely make them mandatory and the risks today do not justify delay. The more pertinent question is how organizations with existing programs need to review and revise them to be “effective”. Governing boards have a variety of committee structures that have been effective; one model for compliance risk is not necessary. The oversight may in part occur within board meetings for major matters but largely will occur within any of a few separate or consolidated committees. The more important issue is how best to gain sufficient trustee time and staff support to conduct more thorough analysis of topics that relate to high risk areas such as physician agreements. A thorough program review, compared with new government guidance, should be the starting point. Setting criteria for findings that call for investigation is now a critical program component. The need remains for Enterprise Risk Management covering numerous topics for a broadly regulated business enterprise with many facilities and employees. Even with the board or other committees involved in oversight, the compliance oversight committee still deals with agenda challenges to cover the annual audit, tax returns, investigations, and emerging regulatory issues. In that setting the compliance program itself and physician arrangements must still stand out for examination over reports on staff activities. Once the committee begins ongoing true risk analysis, the following topics, based on recent events, deserve high priority status:

  • topics identified from ongoing audits and reviews with potential “60-day” rule implications that need thorough and prompt investigation or analysis;
  • physician compensation plans for all employed physicians with supporting market data and potential use of consultants;
  • similar fair market value and reasonableness review of all contracts and leases between the organization and with private practices providing or receiving goods or services;
  • separate review and analysis, with legal consultation, on the basic elements of commercial reasonableness for all non-routine contractual provisions;
  • heightened scrutiny for all non-routine provider transactions, such as the purchase of physician practices, to test all elements for fair and reasonable provisions, especially the acquisition cost, compensation agreements, the pro forma, and the community need or benefit from the acquisition;
  • a community needs assessment, particularly for smaller hospitals for current and future physician and provider resources necessary to serve the hospital service area;
  • discrete analyses of practices with major “practice losses” to evaluate community need or benefits, compensation levels, staffing levels, and productivity levels, for possible changes to mitigate losses.

Governing boards in health care should force new models and resources to oversee compliance with the new real threats against the organization and potential threats against themselves. The pace of change and increased volume of catastrophic enforcement penalties may be modest in the short term but we will see government tornadoes touch down upon unsuspecting hospitals scattered across America, prompting others to take precautions that protect their people and their assets. If the effect also reduces unnecessary costs from fraud and abuse then we all benefit. To paraphrase the famous misquote of former General Motors CEO and Secretary of Defense, Charles E. Wilson: What is good for the organization is good for the country.
