This was originally published in Reuters Legal News (May 16, 2023).
Private equity investment in health care can be lucrative. Yet, health care and private equity often can seem antithetical: One is driven by patient care and compliance while the other is motivated to make a quick profit. To coexist successfully (and profitably), private equity must fully appreciate all the potential compliance risks and requirements of a target health care entity before making an investment and work to implement, overhaul or update a target’s health care compliance programs once acquired.
Our four-part playbook for investors new to the health care sector provides an overview of precautions, a review of enforcement trends, and an outline for due diligence essentials.
In this final piece, we summarize why the deliberate process of compliance is critical to successfully investing in a health care entity, regardless of the ongoing pressures to close a transaction, and give insights on the Seven Elements of an Effective Compliance Program as provided by the U.S. Health & Human Services’ (HHS) Office of Inspector General (OIG).
A quick review: Why is compliance important?
Establishing, updating, and upholding a strong health care compliance program is essential to staying in business, making a legitimate profit, and mitigating the risk that comes with governmental audits and investigations.
Who requires compliance programs?
Multiple federal government agencies, laws, and programs in the United States mandate providers implement compliance programs:
- HHS’ OIG has developed a series of compliance guidance documents to ensure that internal controls are implemented by health systems to promote a culture that mitigates fraud, waste, and abuse and adheres to applicable statutes and regulations.
- The Social Security Act addresses health care compliance and ethics responsibilities.
- The Patient Protection and Affordable Care Act (ACA) mandates that health care providers implement a compliance plan as a condition of enrollment in Medicare, Medicaid, or the Children’s Health Insurance Program.
- Medicare Advantage requires its providers demonstrate “a commitment to compliance, integrity, and ethical values” via implementation of a compliance plan that incorporates the seven core elements detailed below.
What are the seven elements of a legally effective compliance program?
While these concepts may seem novel to investors, the Seven Elements are meant to provide the core elements for any sound compliance program, but there are pitfalls:
1. Written standards of conduct, policies, and procedures. Compliance programs are built upon a Code of Conduct or Code of Ethics that summarizes the broad legal and ethical principles under which the system must operate.
Widespread adoption of written policies and procedures that are designed to encourage compliance is paramount to running a compliant operation.
Policies and procedures should provide a solid framework for the overall design of the program and include:
- The job description, scope of obligation, and authority of the compliance officer;
- A charter establishing the purpose, duties, and responsibilities of the compliance committee; and
- A description of how the operational areas of the health care provider execute the compliance program and how its effectiveness will be measured.
Policies and procedures should also cover elements such as: fraud, waste, and abuse; patient privacy and data security; substance use disorders; billing transparency and coding; staffing credentials and licensing; medical research; training; disciplinary procedures; and government inquiries and investigations.
Common pitfall: Serious consequences occur when a health system’s compliance team fails to routinely review compliance policies to update and/or add new policies. No matter the separation between the parent company and the portfolio company in private equity, compliance oversight must occur from the top down.
2. A compliance officer and compliance department. The compliance officer and team are responsible for developing, operationalizing, and monitoring the compliance program. To be effective, each health care entity must make clear and respect the compliance officer’s independence — including remaining separate from the organization’s legal department — so that the officer can act with autonomy.
The compliance officer must have access to the CEO, board, and legal counsel and should report directly to the CEO or other top executive so that he/she is not overridden by middle management. The compliance department must also make clear a reporting “chain of command” for responding to complaints or reports of potential compliance issues.
The chain of command becomes murky when a private equity investor has a management company operating the administrative side of a practice. Does the chain of command stop with the management company, or does it go to the leadership of the private equity firm? If the latter, is the private equity firm’s overarching leadership monitoring its health care entity closely?
Common pitfall: Some organizations have the compliance officer report directly to legal counsel, which can create a significant conflict of interest given that the compliance officer and legal counsel have distinct duties and obligations to the organization.
3. Education and training. Once adopted, a health care compliance program must be disseminated throughout the organization so that all affected personnel and agents have knowledge of its content. Each employee should receive training upon hire and receive annual, mandatory compliance training on the code of conduct, basic compliance standards, and policies. Organizations may conduct routine testing of employees to ensure they understand concepts of the program.
Common pitfall: While a universal approach to compliance training can be acceptable, some areas, such as billing/coding, need more specific compliance training. In the private equity setting, the overarching leadership is advised to consider the key personnel beyond the health care entity that need to be involved in the detailed compliance training.
4. Effective communication. To support a culture of compliance, policies and related procedures must be regularly communicated upstream and downstream.
The health care entity’s personnel should understand they are obligated to report suspected violations of the compliance program; participation is not “suggested.” To encourage this behavior, all employees should feel safe to report good faith allegations of fraud or abuse.
To ensure employees feel comfortable reporting allegations of noncompliance, a company must (1) make clear the various avenues through which employees may report suspected violations or other compliance concerns or questions, (2) ensure and enforce confidentiality, and (3) outline a non-retaliation policy.
Common pitfall: Failing to consider how the lack of feedback from the workforce on potential compliance issues may point to the ineffectiveness of the reporting mechanism. Rather than assuming effectiveness of the compliance program, consideration of the avenues for reporting suspected noncompliance may be needed.
5. Auditing and monitoring. The health care compliance program must be subject to ongoing monitoring processes, with particular attention given to compliance with billing and coding requirements.
Audits are often conducted by an outside consultant. Generally, compliance audits should be conducted under attorney-client privilege to allow open discussions with counsel as to any issues uncovered and to determine how to address them.
Additionally, the HHS-OIG Work Plan includes compliance risk areas that HHS’ OIG has identified for the upcoming year. These risk areas should be added to an organization’s monitoring, auditing, and compliance objectives to ensure the organization swiftly identifies and addresses any risk areas that are HHS-OIG priorities.
Additional efforts to monitor compliance with the program can be gleaned through employee exit interviews, as well as tracking and trending reports of violations.
Common pitfall: Failing to proactively address billing issues can lead to big problems, sometimes with huge penalties and even false claims liability. Liability may attach to those who should have knowledge and/or oversight to the health care operations, even if not directly involved in the health care operations day-to-day.
6. Investigations and discipline. The standards of conduct and other principles borne out by the health care compliance program should be subject to enforcement by means of well-publicized disciplinary guidelines. The guidelines should also provide disciplinary mechanisms for failing to detect or report non-compliance. Likewise, each organization should make clear the investigative process to review allegations of noncompliance.
Common pitfall: Failure to actively investigate and address compliance issues tends to erode goodwill earned through a compliant culture where everyone “buys-into” the purpose and mission of compliance.
7. Corrective actions and responding to detected problems. The organization should consistently take appropriate and timely corrective actions regarding violations of its health care compliance program in a fair, objective, and discrete manner. Leadership must act promptly and proactively to enforce compliance policies and procedures and take appropriate disciplinary action to demonstrate that the compliance program works.
Common pitfall: Failing to investigate and appropriately address compliance problems can lead, inadvertently, to whistleblower actions.
As underscored earlier in the series, the need for functioning compliance programs within a health care system cannot be stressed enough. Although private equity investors prefer to move quickly to acquire a target, once the transaction closes, the liabilities of the target become the liabilities of the buyer. The consequences for noncompliance are grave: potential government investigations, legal liability, and millions of dollars in fines and settlements.
Not only should private equity investors evaluate existing compliance programs before making an investment by conducting a thorough due diligence investigation, but they should also work to continually update the target’s existing health care compliance plan and encourage continued adoption post-investment.
For more information, contact any attorney with Frost Brown Todd’s Health Care Innovation industry team.