Back to Blog Home

New OIG Guidance for Health Care Governing Boards

Earlier this month, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) released an educational resource for governing boards entitled Practical Guidance for Health Care Governing Boards on Compliance Oversight (Practical Guidance). The Practical Guidance was […]

Earlier this month, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) released an educational resource for governing boards entitled Practical Guidance for Health Care Governing Boards on Compliance Oversight (Practical Guidance). The Practical Guidance was developed in collaboration with the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA), and the Health Care Compliance Association (HCCA). Guidance documents previously issued by the OIG emphasized the need for governing boards (Boards) to be fully engaged in their oversight responsibility. A fundamental element of any oversight plan involves asking the right questions of management to determine the effectiveness of an organization’s compliance plan and to gauge the performance of those carrying out the compliance plan.

The Practical Guidance just released by the OIG seeks to provide guidance to Boards as they oversee their organizations’ compliance with state and federal health care regulations. In particular, the Practical Guidance addresses issues relating to a Board’s oversight of compliance programs, including:

  1. Expectations for Board oversight of compliance programs;
  2. The roles of an organization’s audit, compliance, and legal departments, and the relationships between them;
  3. Mechanisms and processes for issue-reporting within an organization;
  4. Approaches to identify regulatory risks;
  5. Methods to ensure accountability for achievement of compliance goals.

Many of the guidance issues addressed in the Practical Guidance are best practice recommendations rather than strict legal requirements. Since many of the practices addressed in the current Practical Guidance have been discussed in voluntary compliance program documents previously released by the OIG, this post will just highlight some of the newest recommendations addressed by the current Practical Guidance.

Expectations for Board Oversight of Compliance Programs

The Practical Guidance encourages Boards to use publicly available compliance resources as benchmarks for their organizations. Specifically, the Practical Guidance recommends using the Federal Sentencing Guidelines (Guidelines), the OIG’s voluntary compliance program documents, and OIG Corporate Integrity Agreements (CIAs), as baseline tools for Boards and management to determine what functions may be necessary for an effective compliance program.

The OIG recognizes that a one size fits all approach does not work when designing a compliance program and that a board may choose to review the adequacy of an existing compliance program in its own organization-specific way. In the most recent Practical Guidance, the OIG simply recommends that a Board make management aware of the Federal Sentencing Guidelines, voluntary compliance program guidance, and relevant CIAs, as a good first step in ensuring the adequacy of an existing compliance program.

The Practical Guidance also suggests that a Board may raise its level of substantive expertise by adding, or periodically consulting, an experienced regulatory, compliance or legal professional. Adding such a professional to a Board provides a valuable resource to other Board members, and sends a strong message about an organization’s commitment to compliance.

Roles and Relationships

The Practical Guidance recommends that Boards define the interrelationships of the audit, compliance, and legal departments in an organization. A Board should evaluate the adequacy and performance of these departments on a periodic basis. The structure, reporting relationships, and interaction of these and other functions (e.g., quality, risk management, and human resources) should be included as departmental roles and responsibilities are defined.

The Practical Guidance emphasizes the need for an organization’s audit, compliance, and legal departments to speak with a common language to the Board and management with regard to governance concepts, such as accountability, risk, auditing, monitoring, and compliance. Agreeing on the adoption of departmental definitions and relationships can facilitate the development of such a  common language.

Reporting to the Board

The Practical Guidance recommends that a Board set and enforce expectations for receiving regular compliance-related information from management. Regular internal reviews by a Board will not only give the Board a snapshot of where its compliance program is, but regular internal reviews should also lead to better compliance program results and higher quality services.

The Practical Guidance also recommends a Board consider conducting “executive sessions” on a regular basis. These executive sessions would include leadership from the compliance, legal, quality, and audit departments, but would exclude senior management in an attempt to encourage more open communication between departments. Regular executive sessions could also create a continuous expectation of open communication rather than initiating communication only when a problem arises.

Identifying and Auditing Potential Risk Areas

The Practical Guidance recognizes that some regulatory risk is common to all health care providers. The Practical Guidance also recognizes that certain types of activities are more high risk because they are more vulnerable to fraud. Those high risk activities include referral relationships, billing issues, privacy breaches, and quality-related events.

The Board should ensure that strong processes for identifying risk areas are in place, including identifying risk areas from internal or external information sources. The Board should ensure that risk areas are routinely audited and reviewed and should also ensure that management develops, implements, and monitors corrective action plans.

Encouraging Accountability and Compliance

The Practical Guidance recognizes that compliance is an enterprise-wide responsibility. Therefore, while the audit, compliance, and legal functions of an organization serve as advisors, evaluators, identifiers, and monitors of risk and compliance, the actual responsibility of executing the compliance program rests with the entire organization.

A Board may assess execution of a compliance program at the individual, department, or facility-level, and may choose to link incentives to compliance and quality outcomes. The Practical Guidance suggests that, as an extension of its oversight of an organization’s reporting structures, a Board should evaluate whether compliance systems encourage communication across the organization and whether employees feel comfortable raising compliance concerns without retaliation or retribution.


The OIG’s most recent Practical Guidance adds to previously issued compliance documents and provides a good starting point for Boards carrying out oversight of an organization’s compliance with state and federal regulations. A Board should still consult with counsel or other compliance professionals to ensure its compliance program complies with relevant federal, state, and local laws.

To find out more about the effect of governance issues related to health care or your business, contact Fraser Trebilcock at 517.482.5800.