July 27, 2000

Practical Considerations in Managing the Cost and Effectiveness of Corporate Compliance Programs

Christopher A. Myers

Unless their heads have been buried deeply beneath the sand during the past few years, most providers of health care in the United States are well aware that a compliance program is desirable. They have at least a general understanding that a compliance program might benefit them, although they cannot always articulate why. Health care executives and counsel read the papers and trade journals just like the rest of us. They understand that the Departments of Justice (DOJ) and Health and Human Services (HHS) have made stamping out health care fraud and abuse one of their top priorities. They understand that government enforcement agencies have targeted virtually every aspect of the health care industry for investigations and criminal and civil fraud prosecutions. They understand that civil fines in excess of one hundred million dollars have become common and that many health care executives have received significant prison terms.

Why is it then, that at a recent seminar for a health care trade association, nearly one-half of the providers in the audience admitted that they did not have a compliance program in place? This article will attempt to answer that question and provide some practical solutions to providers’ legitimate concerns that compliance programs can be too cumbersome, expensive and ineffective.

Before we outline our solutions to the problems listed above, a quick review of recent events will help put this discussion into context.

  • For fiscal year 1999 alone, the federal government claims to have recovered $524 million in judgments, settlements and administrative fines. This amount does not include the recently announced tentative settlement with Columbia HCA, which, alone, will pay the government approximately $750 million. Fiscal year 1999 netted 396 criminal convictions and 2,978 individuals and entities excluded from participation in the federal health care programs, including Medicare and Medicaid. In addition, the year ended with 2,278 civil fraud matters pending.
  • The Department of Health and Human Services fraud and abuse related budget for the year 2001 will increase twenty-nine percent over fiscal year 2000 levels. There will be an additional $48 million for 100 fraud fighters at carriers and intermediaries. There will be $70.8 million to implement the July 1998 nursing home quality initiative.
  • At least one health care fraud specialist has been established in every local United States Attorney’s Office in the country.. In 1997 alone, 167 new federal jobs were added to the health care fraud fighting force, along with an additional 77 FBI agents dedicated to health care issues. The HHS Office of the Inspector General (OIG) is implementing a plan to hire 243 new investigators and to staff Medicare fraud field offices in every state.
  • Whistleblower suits alleging health care fraud under the qui tam provisions of the False Claims Act have increased from 17 in 1992 to almost 300 in 1998. Some experts estimate that currently there may be as many as 4,000 additional whistleblower suits in the pipeline. The huge, multi-million dollar False Claims Act settlements with many of the largest corporate providers of health care in the United States have created a cottage industry of qui tam plaintiff’s lawyers, who are beating the bushes for new cases.

What can health care providers do in the face of this onslaught? Here, DOJ, HHS OIG and the defense bar are on the same page. A corporate compliance program is the most effective way to avoid the troubles outlined above in the first place, as well as the best way to minimize the blow if problems are discovered.

Compliance programs originally came to the attention of the public through the Federal Sentencing Guidelines for Organizations, published in 1991. Conceived as a means of providing credit at sentencing for organizations that made a legitimate effort to obey the law, but nevertheless committed a crime, compliance programs were originally thought to provide benefit only upon conviction of a crime. There are, however, a number of other significant benefits of compliance programs, which we will briefly describe here.

  • Under the Sentencing Guidelines, organizations with an "effective" compliance program receive a significant reduction in the calculation which determines the seriousness of their offense. This, in turn, can result in substantial reduction of the fines imposed.
  • Other benefits under the Sentencing Guidelines include the possibility of avoiding probation and modifications of the timing of restitution payments.
  • Compliance programs can help organizations discover problems on their own and to "self-report," thus making the organization eligible for additional significant reductions in fines and penalties. Further reductions in penalties related to the lack of complicity of senior officers can be obtained through compliance programs.
  • Perhaps more important than benefits in the event of a criminal conviction are benefits that help to avoid a conviction in the first place. These include:
  • Helping to persuade prosecutors that the criminal intent necessary for conviction is not present in the organization. Thus, a case can be guided from the criminal to the civil side of a prosecutor’s office.
  • Entitlement to participate in "amnesty" or "voluntary disclosure" programs that typically result in an agreement by the government not to prosecute criminally.
  • Uncover impropriety early enough to correct it and avoid criminal or civil fraud actions.
  • In the event of a criminal or civil fraud trial, the existence of a compliance program can be used to convince the jury that the organization is a good citizen and that it did not intend to commit any wrongdoing.
  • Recent developments in shareholder derivative lawsuits have held that officers and directors of health care companies, which do not implement effective compliance programs, subject themselves to potential per se liability for breach of fiduciary duty.
  • Finally, there are a number of intangible business benefits of compliance programs: (1) they can prevent and/or detect internal employee misconduct and provide a vehicle for making necessary corrections; (2) they can create an opportunity for marketing the organization as a good corporate citizen; (3) they can help to boost the morale of employees by demonstrating that the organization is committed to good and honest behavior; (4) costs related to implementation of compliance programs are tax deductible, whereas fines for criminal or civil fraud are not; and (5) in cost-based reimbursement systems, the costs related to implementation and operation of compliance programs may be reimbursable.

In light of the serious threats to the financial well-being and even the continued existence of health care organizations, we have been surprised at the continued resistance by health care executives to establishing a compliance program. We frequently hear comments like: "This sounds like a good idea, but my CFO/CEO would never go for it;" or "Compliance programs are for companies which might be committing fraud, my company works hard to do the right thing already;" or "I know we need one, but its just too expensive for right now;" or "It’s just too cumbersome;" or "We are too small to have a compliance program."

In studying the issues, talking with providers and consultants and thinking through the process of implementing numerous compliance programs for health care entities, we have identified the most significant problems related to compliance programs as follows: (1) costs; (2) complexity; (3) training logistics; (4) employee turnover; (5) monitoring and auditing issues; and (6) documentation of compliance efforts. We will discuss each of these problems below, as well as solutions that address the major aspects of each problem.


Costs related to implementation of a compliance program come from many areas. First, a compliance program document, including an organizational Code of Conduct, must be drafted. Second, a compliance officer must be appointed with sufficient status, staff, authority and salary to carry out his/her job effectively. Third, the Code of Conduct and related training materials must be developed and communicated to employees in a relevant and understandable manner. Fourth, there must be monitoring and auditing conducted related to risk areas to which the organization is exposed. Fifth, background checks must be conducted to insure that persons who have been convicted of health care fraud and excluded from participation in the federal health care programs are not hired. Sixth, documentation of the organization’s compliance efforts must be maintained and the program must be updated periodically.


There is no getting around the fact that the regulations affecting the health care industry are not only voluminous, but they can be extremely complex. There are often multiple layers of regulations coming from the federal health care agencies (Health Care Financing Administration (HCFA) and HHS OIG); state Medicaid programs; Fiscal Intermediaries and Carriers. The regulatory guidelines come in multiple forms as well, including: statutes; regulations; program memoranda; letter guidelines; Carrier and Fiscal Intermediary manuals and guidance from industry groups. Sometimes lawyers, consultants and agency personnel can reasonably disagree on the interpretation of the various guidance materials.


In order to have an effective compliance program, employees must be trained to understand the compliance program generally and to understand the specific issues which are relevant to their jobs. For example, the billing department of a nursing home must understand the issues related to billing for skilled nursing services, including the Medicare Prospective Payment System (PPS) and how the PPS system ties in with the quality and level of care delivered. For companies with more than one facility or office, training issues become more difficult. These companies must be concerned about the logistics and cost of either bringing employees to training sites or bringing trainers to the employees. There are also concerns regarding providing training and care to patients at the same time and in providing training to employees who work the afternoon and night shifts. Finally, even if this first set of problems is solved and appropriate training is provided to all employees, many health care providers are faced with significant turnover. They are constantly replacing trained employees with untrained ones. For a compliance program to be effective, these new employees also must receive training. This can be not only expensive, but a logistical nightmare as well.


The Sentencing Guidelines state that an effective compliance program must include appropriate monitoring or auditing of actual performance. Thus, for example, once the billing department employees have received training on compliance related issues, there must be a program of monitoring their actual performance to see that the billing function meets regulatory requirements. Where to dedicate scarce resources and how to document performance of this function often cause significant confusion and concern, even among providers with the best intentions.


Even if a provider meets all of the compliance program requirements discussed in this article, it may be of no avail if the compliance activities are not documented. In fraud investigations the government takes the position that , "If it isn’t documented, it wasn’t done." Similarly, in evaluating whether an organization has an effective compliance program, government reviewers want to see the documentation. Thus, if an excellent training program was delivered to employees, but the provider cannot document the date, time and who attended, the provider may receive little or no credit for its effort. If an employee calls the compliance hotline to report possible billing improprieties and the company conducts a thorough follow-up investigation, but is not able to document that fact, little credit may be given. If a provider consults the HHS OIG web-page listing of excluded individuals and entities before hiring a billing office supervisor but fails to document that fact, no benefit of the doubt will be given when the government evaluates the company’s compliance efforts.


In our experience, some health care providers are simply resigned to the fact that compliance programs are expensive and cumbersome. Others, who have already entered into settlement agreements with government enforcement agencies have expensive and onerous compliance programs imposed on them as a condition of settlement and continued participation in the Medicare and Medicaid programs. Other providers say to themselves, "We are not crooks, so we don’t need to spend the money it would take to implement a compliance program." After much thought and study, however, we believe that providers of all types and sizes can have effective compliance programs without bankrupting the company in the process. In delivering compliance program services to health care clients, we have discovered ways to marry compliance program experience with emerging internet technologies to devise cost-effective compliance solutions.

Until recently, health care provider’s compliance departments or reimbursement offices had to keep paper copies of all relevant health care statutes, regulations, manuals and other guidance and to update those materials manually. The process was often difficult logistically because it required someone to keep track of new issuances from a variety of agencies and other sources and to substitute the old language for the new in a consistent and organized manner. Frequently, headquarters materials would be kept relatively up to date, but, due to lack of trained personnel or budget, field offices or facilities would often fall hopelessly behind. People in different parts of the company would, thus, be operating under different sets of rules.

Now, through the use of the internet and/or company intra/extranet services, providers can electronically make up to date resource materials available immediately to all parts of the organization. In this same manner, compliance program documentation can be revised and updated immediately by the compliance department or compliance counsel and distributed to employees through the company’s computer system. In addition to a significant cost savings, this method is much simpler and less subject to inadvertent errors than the old paper-based system.

Training costs and related logistical problems also can be significantly reduced. Training materials, both general and specific, can be made interactive and available on the employee’s schedule. Thus, if an employee is unable to attend a particular training session, training materials can be posted to the company’s secure compliance web-page for review when the employee is available. Interactive testing can be built into training programs to make them more interesting and more effective. Such testing can also be used to document both the fact that the program was delivered to the employee and that it helped the employee to understand the issues covered. Automatic logging of employees can document which employees took the training sessions and their individual test scores. This will help the compliance department to identify weaknesses in the training, how it might be improved and where resources should be focused.

Web-based compliance training can also solve problems related to employee turnover. Training sessions can be videotaped or stored in digital form. They can be made available through the compliance web-site and delivered to new employees. The system can automatically document and update the delivery of training programs to new employees. Patient care and business office functions can be maintained without shutting down to send employees to off-site training programs.

Monitoring and auditing functions also can be enhanced through the use of a web-based compliance program. Areas of high risk for specific types of providers and the government’s views related to those risks are available on HCFA, OIG and DOJ web-sites and through reports and guidance materials published by those agencies. These materials can be made available to an organization’s compliance officials and specific risk areas affecting its operations can be targeted for monitoring and auditing activities. Information gathered can be stored in secure electronic media and then analyzed by internal or external consultants in remote locations. Through the use of outside counsel, the results of certain types of analyses can be protected under the attorney-client privilege unless and until the company chooses to disclose them.

Documentation of compliance reports and activities can be made automatically in a web-based compliance program. This would apply to training programs and other communications to employees related to the compliance program, but also to tracking the monitoring and auditing functions, background checks, follow-up on hotline calls and other reports and in documenting routine compliance activities. Then, if government agents come calling and ask whether a compliance program is in place, providers can not only say, "Yes," but with little time and cost, they can prove it.

For all of the reasons set forth above, we believe that web-based compliance programs provide the solution to many of the practical difficulties associated with compliance programs. They can be used to significantly reduce the costs associated with compliance efforts as well as resolving the many logistical difficulties traditionally associated with compliance programs. Using these methods, it is now much easier to design and implement cost-effective compliance programs for both large and small providers of health care services.

Related Insights