For over 20 years, the federal government has encouraged nursing facilities to implement compliance programs to promote and monitor adherence to statutes, regulations, and government healthcare program requirements. In 2010, the requirement for nursing facilities to have a compliance program was codified by Section 6102(b) of the Patient Protection & Affordable Care Act of 2010, which required Medicare skilled nursing facilities and Medicaid nursing facilities to have a compliance and ethics program.[1] The Centers for Medicare & Medicaid Services (CMS) finalized regulations at 42 C.F.R. § 483.85, implementing the requirement in 2016. The final rule required all Medicare and Medicaid participating nursing facilities to comply with the regulation by November 28, 2019.[2] In July 2019, CMS proposed rules to scale back the compliance program regulation.[3] However, the proposed rules were never finalized, and challenges arising from the COVID-19 pandemic largely overshadowed compliance program requirements for nursing facilities until now.
Revised Guidance
In July 2022, CMS released revisions to “Appendix PP” of the State Operations Manual, which provides guidance to surveyors of long-term care facilities on their Medicare and Medicaid conditions of participation (Revised Guidance).[4] The Revised Guidance takes effect on October 24, 2022,[5] and contains the first-ever guidance to surveyors on a long-term care facility’s compliance and ethics program obligations.[6] The Revised Guidance shows a clear intention on the part of CMS to enforce the rule as finalized in 2016 and abandon the prior administration’s efforts to scale back the requirements.
The Revised Guidance highlights CMS’s expectations for long-term care compliance and ethics programs to ensure compliance with 42 C.F.R. § 483.85 and that the facility’s compliance program is more than a mere collection of written policies. Nursing facilities and compliance officers should review their programs in light of the Revised Guidance to ensure they incorporate CMS’s interpretation of what constitutes an effective compliance program.
To avoid being cited for a regulatory deficiency related to the compliance and ethics program requirements at 42 C.F.R. § 483.85, we recommend nursing facilities incorporate five core principles in their compliance program policies and procedures:
- Make sure all staff are aware of the program and how to anonymously report suspected violations. All staff should know the facility has a compliance program and how to anonymously report compliance issues. This is key to ensuring the facility’s compliance program is effective. The Revised Guidance prompts surveyors to specifically ask facility staff if they are aware of the program and how to anonymously report issues.[7] Because of high staff turnover and increasing reliance on staffing agencies, facility staff must be continually reminded of the facility’s compliance program and reporting mechanisms. It is impossible for facilities to over-publicize their compliance programs. Compliance officers should also make sure their reporting policies are easy to understand and plainly state how facility staff can anonymously report suspected violations.
- Include a well-documented routine audit and monitoring program. The facility should have a well-documented routine audit and monitoring program that it can provide to surveyors when they request information on its compliance program. The Revised Guidance directs surveyors to determine how the facility uses monitoring and auditing systems to detect compliance issues and assess whether high-level personnel overseeing the compliance program are aware of these efforts and how identified compliance issues are resolved.[8] Surveyors will likely ask to review facility documentation relating to audit and monitoring efforts, as well as documentation substantiating how identified issues were resolved, including whether overpayments were identified and returned. For compliance investigations conducted under attorney–client privilege, compliance officers should ensure their investigation and reporting files redact privileged information for production to surveyors while also containing enough information to establish to surveyors that the facility is investigating and appropriately resolving and reporting potential compliance violations. During and after any investigations conducted under attorney–client privilege, compliance officers should discuss with legal counsel how to document the investigation, including summary information that can be provided to surveyors upon request.
- Integrate the compliance program with the facility’s Quality Assurance and Performance Improvement (QAPI) program. Nursing facilities should ensure their compliance program addresses how and when information and data from the compliance program are integrated into the facility’s QAPI program. The Revised Guidance specifically recommends the two programs be integrated and that the QAPI committee work with the compliance officer to determine if trends or systemic problems need to be addressed.[9] Compliance officers should ensure their compliance programs include reporting audit and investigation findings, as appropriate, to the facility’s QAPI committee and that the compliance officer and QAPI committee are coordinating efforts to address identified issues. Facilities need to do more than simply include reporting to the QAPI committee as part of the facility’s compliance policies. Facilities should put practical measures in place to ensure actual communication between the compliance and quality committees and coordination between the two groups as it relates to auditing and monitoring activities, process improvement activities, and staff education and training.
- Annually review and update compliance policies. Nursing facilities and compliance officers should review their compliance programs annually, including the results of routine audits and investigations of reported or identified compliance issues, and make updates for the subsequent year’s program based in part on this review.[10] The facility should share the annual review with the facility’s governing body and use the review to inform the subsequent year’s compliance programming and staff training. In planning for the subsequent year’s compliance programming, including determining what areas to audit and monitor, compliance officers should utilize the facility’s assessment developed under 42 C.F.R. § 483.70(e) to identify risk areas and determine the resources needed for the program. Operating organizations with five or more facilities are required to mandate annual compliance training for staff,[11] but all facilities should be refreshing and updating their training annually or as needed to address new regulatory requirements and/or identified compliance issues within the facility.
- Ensure there is no actual or perceived retaliation. The Revised Guidance explicitly directs surveyors to ask facility staff if they “are confident in reporting compliance matters without fear of retaliation.”[12] Additionally, elsewhere in the Revised Guidance, CMS provides recommendations to surveyors regarding how to ensure facilities have written policies and procedures that prevent and prohibit retaliation against individuals, including employees, for reporting suspected crimes in compliance with 42 C.F.R. § 483.12(b)(5)(iii).[13] According to the Revised Guidance, facilities should encourage reporting of reasonable suspicions of crime and implement policies and procedures “that promote a culture of safety and open communication in the work environment.”[14] The Revised Guidance also requires facilities to post a conspicuous notice of employee rights. It must include information about the employee’s right to file a complaint with the State Survey Agency if they believe the facility has retaliated against them or another individual who reported a suspected crime, as well as information regarding how to file such a complaint.[15] The sign should be posted in an area visible to employees and must be at least the same size and type as other required employment-related signs.
The requirements for nursing facility compliance programs apply at the “operating organization” level, defined as “the individual(s) or entity that operates the facility.”[16] Multifacility and chain organizations, or facilities that rely heavily on management companies to manage and operate the facility’s day-to-day operations, should review their compliance programs to ensure they are tailored and can be effectively implemented at the individual facility level.
Although the 2019 proposed regulation would have removed the requirement for organizations with five or more facilities to designate a compliance officer with overarching compliance responsibility within the organization as well as compliance liaisons at each individual facility,[17] the Revised Guidance makes clear these provisions continue to apply. The Revised Guidance directs surveyors to ensure that operating organizations with five or more facilities have a designated compliance officer and a facility-based compliance liaison at each individual facility.[18] According to the Revised Guidance, the designated compliance officer must have “sufficient time and other resources” to fulfill their responsibilities under the compliance program, and the compliance program must be a “major responsibility” for them.[19]
Multifacility and chain organizations, as well as their management companies, should review their compliance programs to ensure they effectively operationalize compliance at the individual community level and across the organization. For example, the organization should ensure staff members at individual facilities understand and are trained on who their facility compliance liaison is as well as who they may go to at an organizational level, such as the compliance officer, if they feel uncomfortable reporting or discussing a compliance issue at the facility. Because larger organizations may have more complicated reporting structures, it is imperative these organizations clearly communicate to staff how to report compliance concerns, including the organization’s anonymous reporting processes.