Healthcare Compliance Risks

Some regulatory risk areas are common to all health care providers, says Practical Guidance for Health Care Governing Boards on Compliance Oversight, a 2015 report that was produced “to assist governing boards of health care organizations (boards) to responsibly carry out their compliance plan oversight obligations under applicable laws.” These risk areas include activities that are highly vulnerable to fraud or other violations—referral relationships, billing problems, privacy breaches, and quality-related events (OIG, HHS, 2015).

In its report, the Office of Inspector General, U.S. Department of Health and Human Services (OIG, HHS) urges compliance professionals and boards to monitor industry trends (“the increasing emphasis on quality, industry consolidation, and changes in insurance coverage and reimbursement”), new areas of risk, and reports from within their own walls. Doing so involves using both internal and external sources. Employee reports to ethics hotlines and internal audits are examples of internal sources, according to the report, and professional publications, HHS OIG-issued guidance, consultants, competitors, and news media are examples of external sources.

HHS encourages health care boards to exercise their oversight responsibilities. The report contains a number of recommendations, including the following:

  • Ensure that a corporate information and reporting system exists and that the reporting system is adequate to assure the board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course.
  • Use widely recognized public compliance resources as benchmarks for their organizations (e.g. the Federal Sentencing Guidelines, OIG’s voluntary compliance-program guidance documents, and OIG Corporate Integrity Agreements).
  • Make a meaningful effort to review the adequacy of existing compliance systems and functions for the size and complexity of their organizations.
  • Develop a formal plan to stay abreast of the ever-changing regulatory landscape and operating environment (e.g. periodic updates from informed staff and outside educational programs).
  • Add an experienced regulatory, compliance, or legal professional to the board, or periodically consult with one.
  • Evaluate the adequacy, independence, and performance of their organizations’ related functions (e.g. compliance, legal, internal audit, human resources, and quality improvement).
  • Have a process to ensure appropriate access to information (for all).
  • Evaluate and discuss how management works together to address risk.
  • Set and enforce expectations for receiving regular reports about organizational risk mitigation and compliance efforts—from a variety of key players.
  • Support the concept that compliance is “a way of life” (e.g. assess employee performance in promoting and adhering to compliance; assess individual, department, or facility-level performance in executing the compliance program, with appropriate sanctions or rewards).

The Practical Guidance report, a joint effort of the HHS OIG, the Association of Healthcare Internal Auditors, the American Health Lawyers Association, and the Health Care Compliance Association, explores these and other recommendations in more detail, making it a good addition to health care professionals’ reading lists.

Ethical Advocate can assist health care organizations in implementing and managing ethics hotlines and in providing ethics and compliance training.


Office of Inspector General, U.S. Department of Health and Human Services. Practical Guidance for Health Care Governing Boards on Compliance Oversight, April 2015.