Corporate Compliance & Ethics Week 2023 kicked off with a gift for healthcare and life sciences compliance practitioners by way of the U.S. Department of Health and Human Services (HHS) Office of Inspector General’s (OIG) General Compliance Program Guidance, released in November.[1]
Many areas of the guidance covered aspects already familiar to compliance officers from previous guidance; however, one particular area caught my eye: being the first pronouncement of its kind by any compliance regulator, seemingly designed to provide details around OIG’s apparent expectations of what an independent and empowered compliance function would look like.
An effective, empowered, and independent compliance officer
The guidance states as follows:
To fulfill their duties, the compliance officer should be empowered, and independent of other duties to the entity that might impair their ability, to identify and raise compliance risks and advise on how to mitigate risks, achieve and maintain compliance with Federal health care program requirements, and succeed as a compliant entity. Thus, the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board. Usually, leaders of these functions are the general counsel and the chief financial officer, but some entities give them different titles.
To be effective, the compliance officer should also maintain a degree of separation from the entity’s delivery of health care items and services and related operations. Thus, the compliance officer should not be responsible, either directly or indirectly, for the delivery of health care items and services or billing, coding, or claim submission. In addition, involvement in functions such as contracting, medical review, or administrative appeals present potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance. (Emphasis added by OIG).[2]
This is a pretty clear recommendation that not only should compliance not report to legal, but that the compliance officer should not also lead legal, which I interpreted as indicating that the general counsel should not also hold the chief compliance officer (CCO) mantle.
OIG acknowledges that this is often not the case by referencing that the compliance department often has the general counsel or CCO at the helm of the function. Anecdotally, I think this is correct and can be verified by simply plugging in the search term “general counsel and chief compliance officer” into LinkedIn, whereby numerous exact hits for individuals will follow.
The previous passage also indicates that compliance officers should be focused on and dedicated to compliance as their sole responsibility; they should not perform substantive services in other business functions, including giving legal or financial advice. In other words, compliance officers should stick to practicing compliance, which does not involve giving legal advice.
