DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
This article discusses compliance program basics, as addressed in a resource from the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) titled “The Seven Elements of an Effective Compliance Program.” The resource covers compliance program fundamentals by addressing two questions: “What is a Compliance Program?” and “What Makes an Effective Compliance Program?”
What is a Compliance Program?
At its most basic level, a compliance program is a set of internal policies and procedures that an organization puts into place to help it comply with some requirement - a law, a regulation, a framework, etc. An effective compliance program can enhance an organization’s operations, improve the quality of services, and reduce overall costs. An effective compliance program can also help organizations identify problems upfront, allowing organizations to address these problems before they become system-wide and costly.
The Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) has identified seven basic elements as fundamental to any compliance program. These elements include:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
Let’s discuss each of these.
1. Written policies, procedures, and standards of conduct.
Organizations should determine what content must be in their policies and procedures by consulting applicable law, regulations, compliance frameworks, and standards. Once an organization determines the standards of conduct and the content of policies and procedures that are appropriate for its compliance program, the organization should put the standards of conduct, and policy and procedure content, in writing. Then, the organization should share the written standards, policies, and procedures with the appropriate individuals in the organization. The organization should update standards of conduct, policies, and procedures as the organization grows and changes.
2. Designating a Compliance Officer.
The second fundamental element is to designate a compliance professional. HIPAA requires the designation of both a Privacy Official and a Security Official. Other laws also require designation of compliance officers, with similar-sounding titles, such as “principal officer.” Whatever the law, the designated official(s) must be familiar with federal and state law compliance requirements and recommendations. Organizations should empower the designated compliance officials with independence, authority, and a connection to people and information throughout the organization.
3. Conducting effective training.
Organizations must train the workforce on policies, procedures, and standards of conduct - in short, on their compliance program. The organization should conduct effective training, which can be accomplished by educating employees and making sure that they understand the organization’s compliance program policies. The more interactive an organization can make the training sessions (e.g., by offering quizzes, live video presentations, and the opportunity to ask questions), the more the training will “stick.”
4. Developing effective lines of communication.
Organizations should determine how to best facilitate communication between the compliance officer or compliance contact person on the one hand, and all employees on the other. Comment boxes, anonymous hotlines, or even an open-door policy, may be effective options. Organizations should provide employees with the means for reporting misconduct and should protect individuals who allege misconduct from retaliation.
5. Conducting internal monitoring and auditing.
An effective compliance program requires an internal monitoring process, which consists of conducting self-audits. Audits serve as a measure to evaluate how well an organization’s compliance efforts are working. A good compliance program will identify problems from time to time; if the program does not do this, chances are that the compliance program is not effective. With robust internal monitoring and auditing, an organization that detects something problematic during an audit is in a position to do something about it.
6. Enforcing standards through well-publicized disciplinary guidelines.
Organizations must take care to enforce their policies, procedures, and standards. Doing so will encourage employees to actually follow them. Organizations should take action upon learning that someone is not complying with policies, procedures, or standards of conduct. Discipline should be administered consistently with applicable antidiscrimination laws and other applicable laws to which an organization is subject.
7. Responding promptly to suspected or detected offenses and undertaking corrective action.
Organizations that receive or are given reports or complaints of suspected misconduct or other problems should look into the matter promptly, then take prompt corrective measures to resolve the issue. Such measures may include applying sanctions - disciplinary measures - against workforce members who are not “following the rules.” Sanctions should be well-publicized, and consistently and fairly applied.