Legal and Regulatory Compliance

Separation of Compliance and Legal Functions Key to Effective Hospital Compliance Program

May 15, 2015 10:06 am

How the compliance, legal, and internal audit functions relate to each other within healthcare organizations has been a matter of some dispute. When one trumps the other, organizations face compliance risks.

In the first collaboration of its kind by these groups, the Inspector General of the Department of Health and Human Services (HHS OIG), the American Health Lawyers Association (AHLA), the Association of Healthcare Internal Auditors (AHIA), and the Health Care Compliance Association (HCCA) recently released a joint educational resource to assist governing boards of healthcare organizations in carrying out their compliance plan oversight obligations.

In addition to helping governing boards, the document will assist the internal auditors, lawyers, and compliance officers who report to those boards. One especially interesting aspect of the document is its discussion of roles and relationships among the various departments most concerned with regulatory matters: compliance, legal, internal audit, human resources, quality, and risk management.

Practical Guidance

Titled Practical Guidance for Health Care Governing Boards on Compliance Oversight, the document provides helpful ideas about processes for identifying risks, improving adherence to program objectives, and effective reporting for board meetings. The document expands on issues presented in prior documents issued jointly by OIG and AHLA, and it suggests ways to identify compliance risks in a rapidly changing healthcare environment.

After stating the first principle of fiduciary duty—“a board must act in good faith in the exercise of its oversight responsibility”—the document proceeds to elucidate more than 50 other expectations for good governance. Many of the recommendations will be familiar to experienced legal and compliance professionals. But taken as a whole, they amount to a unique checklist for governing boards.

Access related tool: Checklist: Board Oversight of the Healthcare Compliance Function

Roles and Relationships

The report recommends establishing, in charters or other organizational documents, clear “functional boundaries” for all those departments and setting an expectation of cooperation and collaboration among them. The board “should be aware of, and evaluate, the adequacy, independence, and performance of [these] functions within an organization on a periodic basis,” the authors state. (Emphasis added.)

How compliance and legal, in particular, relate to each other has been a matter of some dispute ever since the first compliance guidance was issued by the OIG in 1996. On this point, the guidance strongly suggests that the compliance officer should not be subordinate to legal counsel. It is perhaps the first time these organizations have so clearly spoken on the issue.

In my experience, the best arrangement is for both the compliance officer and legal counsel to report to the CEO and for each to have a “dotted line” to the governing board. This latter communication route exists as a check against possible noncompliant actions of senior management. (See also the item about executive sessions in the related tool.)

As the joint guidance document points out, “an organization’s counsel and compliance officer should collaborate to further the interests of the organization,” but they should be separate departments. “Organizations that do not separate these functions … should recognize the potential risks of such an arrangement.” This recommendation “reflects the independent roles and professional obligations of each function.”

I have sometimes seen compliance—and even internal audit as well—relegated to a subservient role, reporting not to the CEO but to general counsel or, if nominally separate, being overshadowed by the latter. This can lead to a conflict of interest on the part of counsel—who must in effect wear two hats at once—and, depending on the personalities involved, to frustrations on the part of the compliance officer and internal auditor. The resulting dysfunction may cause the organization to be found not to have an “effective compliance program” under Federal Sentencing Guidelines.

The legal function advises the organization about risks, of course, as do the compliance, internal audit, risk management and quality departments. But unlike the others, legal must also defend the organization when violations are discovered or alleged. At that point, there is a possibility that counsel will become overly protective—some might say paranoid—and hinder, in the name of attorney-client privilege, efforts to investigate allegations of noncompliance and take corrective action. The governing board should ensure that the organizational structure does not inadvertently encourage this kind of dysfunctionality.

Cooperation Is Key

As the authors of the joint guidance state, “To operate effectively, the compliance, legal, and internal audit functions should have access to appropriate and relevant corporate information and resources. As part of this effort, organizations will need to balance any existing attorney-client privilege with the goal of providing such access to key individuals.”

A governing board should evaluate how the departments work together to identify risks, avoid duplication of effort, implement corrective action, and communicate freely with each other throughout the process.

A board must ensure that management facilitates this kind of open communication and that board members receive candid advice from all the departments involved. This is not possible when one function (legal, for example) trumps the others.

