HHS OIG Issues New Compliance Oversight Guidance for Boards of Directors

Skadden, Arps, Slate, Meagher & Flom LLP

John T. Bentivoglio, Jennifer L. Bragg, Michael K. Loucks, Gregory M. Luce

On April 20, 2015, the Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) published its “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the Guidance).1 The Guidance reiterates the OIG’s views on the role a board of directors (board) should play in overseeing an organization’s compliance program, suggests questions board members should ask in meeting these obligations, and outlines new areas of compliance concern in light of rapidly changing business models and payment systems in the health care industry. Boards and management teams should consider using the new Guidance to foster appropriate conversations about the effectiveness of their organization’s compliance program.

Top Line Summary

  • The new Guidance emphasizes the important role of the Board in ensuring a company’s effective compliance structure. According to the OIG, this role requires (1) a working knowledge of the legal, regulatory and organizational landscapes, (2) open, robust and regular communication with management, and (3) a meaningful assessment of the compliance program.
  • Emerging industry trends, including a heightened focus on lowering costs and increasing quality, are generating new incentives and compliance risks. The Board should work with the company’s management to identify and address these new risks.
  • The Guidance calls on Boards to encourage companies to make compliance an enterprisewide responsibility through incentives, penalties and/or management certifications.

Extension of Prior HHS OIG Guidance

The new Guidance follows more than a decade of HHS OIG advice to boards on compliance program oversight. The HHS OIG first issued guidance for health care boards in 2003.2 That guidance was issued in the wake of the Sarbanes-Oxley Act and was intended to help health care boards “establish, and affirmatively demonstrate, that they have followed a reasonable compliance oversight process.” One year later, HHS OIG issued additional guidance to address issues raised by developments in the law with respect to corporate responsibility and lawyers’ professional ethics, modifications to the Federal Sentencing Guidelines for Organizations (Federal Sentencing Guidelines) and recommendations of the American Bar Association Task Force on Corporate Responsibility.3 In 2007, HHS OIG addressed its growing concern about health care quality via a Guidance that called on health care organizations to view the “oversight of quality” as a “core fiduciary duty” of a health care organization board.4

Now, eight years after its last resource guide, HHS OIG has issued this guidance, stating that it “seeks to provide practical tips” for boards in their health care compliance oversight roles.

Continued Emphasis on Oversight: Asking the Right Questions

With this Guidance, HHS OIG intends to provide boards with practical advice regarding how to meaningfully and efficiently oversee company compliance functions. There are three critical themes of the Guidance:

  • The board should develop open and robust communication between it and managers with compliance functions;
  • The board should have a working understanding of the company’s compliance structure and the regulatory environment; and
  • The board should use its knowledge to exercise meaningful oversight and not merely rubberstamp management decisions.

To engage in effective oversight, HHS OIG notes that a Board must ask “the right questions” on each of these points.

Communicate with Management. Effective oversight requires accurate, complete and timely information about the company’s internal workings. As such, HHS OIG recommends boards ask questions such as:

  • Is there a system for reporting compliance issues and corporate information to the board?
  • If so, does the system effectively ensure that the board receives all relevant and necessary information in a timely fashion and as a matter of course?
  • Does the board receive regular reports on internal and external investigations and audits, allegations of material fraud or management misconduct?
  • Do all critical compliance functions have opportunities to report to the board and executive management?
  • Do employees feel confident raising compliance concerns, questions or complaints?

Understand the Law. Neither the board nor the company can effectively identify and mitigate compliance risk without being educated about the relevant regulatory landscape. Therefore, HHS OIG counsels that the board ask:

  • Is management aware of the relevant Federal Sentencing Guidelines?
  • Has management reviewed and incorporated lessons from HHS OIG guidance documents, advisory opinions and recent relevant Corporate Integrity Agreements (CIAs)?
  • Does the board have regular access to a health care compliance expert outside of management?

Understand the Company and Assess Compliance. The board should not condone an inadequate compliance program out of deference to management. Therefore, the board must understand the company’s compliance structure and evaluate whether its scope and complexity will effectively identify and mitigate compliance risk and address noncompliant activity. To those ends, HHS OIG suggests that a board ask:

  • Who is responsible for compliance functions in the company? Are the compliance, legal, internal audit, human resources and quality improvement roles structurally distinct or, at a minimum, functionally independent?
  • What policies and procedures govern the company’s compliance functions?
  • How does management work together to:

a. Identify compliance risk,
b. Investigate and mitigate risk,
c. Resolve disputes regarding the approach to compliance,
d. Develop and deploy corrective actions, and
e. Communicate compliance determinations across the organization?

  • Do all critical compliance functions have access to appropriate and relevant information and resources?
  • Does the company’s compliance structure adequately address compliance issues for a company of this nature, size and complexity?

Assessing Risk: Old Themes and New Trends

Once a company establishes a compliance structure that provides the board with the necessary oversight tools, HHS OIG counsels that the board work with company management to ensure there is a strong process for identifying areas of regulatory or compliance risk. The Guidance instructs that a company and its board look to both internal sources (e.g., hotline, auditing and monitoring results, and exit interviews) and external sources (e.g., HHS OIG Guidance, consultants and the news) to help identify areas of compliance risk.

It comes as no surprise that the Guidance identified some old themes as “areas of particular interest” for health care companies. These include referral relationships, billing issues like upcoding and submitting claims for services not rendered or medically unnecessary services, privacy breaches and events relating to product and services quality.

The Guidance also identified some “recent industry trends” that should be considered when assessing a company’s particular risk portfolio. The heightened focus on lowering costs and increasing quality combined with changes in coverage and reimbursement is generating new incentives and compliance risks. As we advised in 2011,5 the incentive structures that encouraged health care professionals and institutional providers to join Accountable Care Organizations (ACOs) may also result in cost-shifting to entities outside ACOs like pharmaceutical and medical device companies. Diminishing returns for manufacturers may prompt some employees to seek revenue elsewhere — possibly creating new compliance risks. Additionally, new payment policies that align payment with often subjective assessments regarding quality of care may also drive up noncompliant behavior.

Boards are well-advised to stay abreast of these and other emerging trends and resulting compliance concerns. Knowledge of the evolving landscape can help the board more effectively oversee a company’s compliance program.


In an era when boards are increasingly expected to play an active role in companies’ internal compliance efforts, boards should encourage companies to make compliance an enterprisewide responsibility. HHS OIG has used recent CIAs to require compliance certifications from managers and even board members outside of the compliance function.6

The Guidance also suggests that companies could use bonus season to reward or penalize individual employees or departments for compliance assessment results. Similarly, through recent CIAs, HHS OIG has required companies to implement policies and procedures that ensure sales-based incentive compensation systems do not inappropriately incentivize sales representatives or managers to engage in improper promotion. For example, the Johnson & Johnson CIA requires an annual audit of at least 5 percent of the sales representatives who are eligible for a performance-based award.7 Consistent with the themes addressed above, the Guidance suggests that one of the board’s primary tools is the ability to inquire about management’s approach to various compliance issues, including whether, when and how the company will self-disclose Medicare or Medicaid overbilling and probable compliance violations.


HHS OIG’s recent guidance builds on more than a decade of government advice to health care boards and may facilitate management and board discussions about the adequacy of existing compliance efforts in light of emerging regulatory and compliance risks. At the same time, companies reviewing the Guidance should remain mindful of the important distinction between the board’s governance function on the one hand and management’s responsibility for day-to-day operational issues, including the compliance function, on the other. The new Guidance, properly read, does not alter the well-established principles of good corporate governance as established under federal and state laws, regulations and judicial decisions.


1 “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (2015), http://oig.hhs.gov/compliance/compliance-guidance/docs/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf. The Guidance was developed in cooperation with the Association of Healthcare Internal Auditors (AHIA), the American Health Lawyers Association (AHLA) and the Health Care Compliance Association (HCCA).

2 HHS OIG and AHLA, “Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors” (2003), https://oig.hhs.gov/fraud/docs/complianceguidance/040203CorpRespRsceGuide.pdf.

3 HHS OIG and AHLA, “An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors” (2004), https://oig.hhs.gov/fraud/docs/complianceguidance/Tab%204E%20Appendx-Final.pdf.

4 HHS OIG and AHLA, “Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors” (2007), https://oig.hhs.gov/fraud/docs/complianceguidance/CorporateResponsibilityFinal%209-4-07.pdf.

5 See Skadden client alert, “The Potential Impact of the New Accountable Care Organization Regulations on the Pharmaceutical and Medical Device Industries” (Apr. 26, 2011).

6 See, e.g., “Corporate Integrity Agreement Between HHS OIG and GlaxoSmithKline” (June 28, 2012), https://oig.hhs.gov/fraud/cia/agreements/GlaxoSmithKline_LLC_06282012.pdf.

7 “Corporate Integrity Agreement Between HHS OIG and Johnson & Johnson” (Oct. 31, 2013), https://oig.hhs.gov/fraud/cia/agreements/Johnson_Johnson_10312013.pdf.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.