I, for one, think this guidance is a big step forward for the field and consider the clarity with which OIG has expressed itself to be a real gift to the compliance profession. It sets the scene for compliance being its own important, dedicated department and lessens the opportunity for conflicts of interest to exist. It also means that a genuine compliance expert is in charge of the direction of the function, and critically, they maintain full control over their budget allocation and set compliance priorities themselves.
Perhaps the easiest way to discuss possible changes in organizations is to disseminate the guidance to relevant stakeholders with a debrief on some of the highlights—including the section on compliance officer independence and empowerment. Then you can seek feedback about how the organization might adjust to be better aligned with the guidance and with government expectations.
Making immediate changes may prove to be difficult in situations where a general counsel or chief finacial officer has signed on to an organization with the understanding that they will be leading two portfolios and are now expected to drop one portfolio and the CCO title if that is the direction the company chooses to go. Sensitivity should be shown, and where the company is unable to gain the necessary buy-in for separate and distinct functions, they may consider whether other adjustments that demonstrate independence and empowerment of compliance could be implemented.
Reviewing ethics and compliance job descriptions for substance and title to make it clear that the role is compliance—not legal—and the duties to be performed are compliance duties only will not only help organizations better adhere to the guidance but will also promote academic and skill set diversity in the organization. If legal responsibilities are removed from compliance job descriptions, and that work is still considered necessary, be sure to provide for it in legal department job descriptions. This exercise is also an apt juncture for organizations to critically review all of the legacy requirements for compliance roles and assess whether they are all still required today, or whether further updates are needed. It may be tricky to adjust the titles and responsibilities of existing staff without their full willingness to accept the change; however, this review can certainly take place for roles the company is hiring for moving forward.
Hiring managers should ask themselves if they have a bias that leads to lawyers being selected for compliance positions over candidates who aren’t legally qualified. A quick scan of your team’s background and qualifications should provide a pulse check on whether this is the case for you. If so, be conscious of that bias in hiring processes moving forward. Specifically, state in your advertising that nonlawyers are welcome. An example from an excerpt of a job I advertised on LinkedIn in October 2023 stated the following:
“Ideally suited for this position is a senior Compliance practitioner from the Life Sciences space—of course you need not be legally trained to be considered an exceptional candidate, I’m looking for an ethics and compliance nerd and that’s the important qualification.”
The best person for a compliance job is the one who can do all the responsibilities required of them. None of which should be legal tasks and, therefore, the best person for the job need not have legal qualifications. Calling out that everyone with relevant experience is welcome is a way to create a sense of belonging at the outset of your job search.
When working with your talent acquisition team, be clear in your briefing at the start about what you’re looking for and take the time to explain the distinction between legal and compliance roles and responsibilities. Some laypeople equate compliance to legal by explaining that appropriately experienced nonlawyers should be selected for shortlisting, and precisely the skills required to be considered adequately experienced will help vet at the beginning.
While my overall position is that we should always try our best to follow government guidance, I acknowledge that there will possibly be some organizations that are unable to or consider it undesirable in their current circumstances to follow all the recommendations set out by government authorities. The fact that OIG repeatedly emphasizes within the guidance itself that it is of a recommendatory, nonbinding nature only should give those organizations some level of comfort. That aside, I consider it prudent to “show the receipts,” if you will, for considering the guidance and keeping accurate records to explain why certain gaps or lack of alignment might exist in some areas.
by Mary Shirley
Corporate Compliance & Ethics Week 2023 kicked off with a gift for healthcare and life sciences compliance practitioners by way of the U.S. Department of Health and Human Services (HHS) Office of Inspector General’s (OIG) General Compliance Program Guidance, released in November.[1]
Many areas of the guidance covered aspects already familiar to compliance officers from previous guidance; however, one particular area caught my eye: being the first pronouncement of its kind by any compliance regulator, seemingly designed to provide details around OIG’s apparent expectations of what an independent and empowered compliance function would look like.
An effective, empowered, and independent compliance officer
The guidance states as follows:
To fulfill their duties, the compliance officer should be empowered, and independent of other duties to the entity that might impair their ability, to identify and raise compliance risks and advise on how to mitigate risks, achieve and maintain compliance with Federal health care program requirements, and succeed as a compliant entity. Thus, the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board. Usually, leaders of these functions are the general counsel and the chief financial officer, but some entities give them different titles.
To be effective, the compliance officer should also maintain a degree of separation from the entity’s delivery of health care items and services and related operations. Thus, the compliance officer should not be responsible, either directly or indirectly, for the delivery of health care items and services or billing, coding, or claim submission. In addition, involvement in functions such as contracting, medical review, or administrative appeals present potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance. (Emphasis added by OIG).[2]
This is a pretty clear recommendation that not only should compliance not report to legal, but that the compliance officer should not also lead legal, which I interpreted as indicating that the general counsel should not also hold the chief compliance officer (CCO) mantle.
OIG acknowledges that this is often not the case by referencing that the compliance department often has the general counsel or CCO at the helm of the function. Anecdotally, I think this is correct and can be verified by simply plugging in the search term “general counsel and chief compliance officer” into LinkedIn, whereby numerous exact hits for individuals will follow.
The previous passage also indicates that compliance officers should be focused on and dedicated to compliance as their sole responsibility; they should not perform substantive services in other business functions, including giving legal or financial advice. In other words, compliance officers should stick to practicing compliance, which does not involve giving legal advice.
So, what does this mean for the modern-day compliance function?
1. Companies that do not already feature wholly independent compliance departments should consider whether they ought to adjust their organizational structure and reporting lines.
I, for one, think this guidance is a big step forward for the field and consider the clarity with which OIG has expressed itself to be a real gift to the compliance profession. It sets the scene for compliance being its own important, dedicated department and lessens the opportunity for conflicts of interest to exist. It also means that a genuine compliance expert is in charge of the direction of the function, and critically, they maintain full control over their budget allocation and set compliance priorities themselves.
Perhaps the easiest way to discuss possible changes in organizations is to disseminate the guidance to relevant stakeholders with a debrief on some of the highlights—including the section on compliance officer independence and empowerment. Then you can seek feedback about how the organization might adjust to be better aligned with the guidance and with government expectations.
Making immediate changes may prove to be difficult in situations where a general counsel or chief finacial officer has signed on to an organization with the understanding that they will be leading two portfolios and are now expected to drop one portfolio and the CCO title if that is the direction the company chooses to go. Sensitivity should be shown, and where the company is unable to gain the necessary buy-in for separate and distinct functions, they may consider whether other adjustments that demonstrate independence and empowerment of compliance could be implemented.
2. Companies requiring that compliance staff hold a (often U.S.) juris doctorate and admission to a bar in good standing—as well as companies that call compliance positions “counsel” or “attorney” roles by way of the official title/designation—should consider whether this practice is hard to reconcile with the indication that compliance staff should not be acting as lawyers or giving legal advice.
Reviewing ethics and compliance job descriptions for substance and title to make it clear that the role is compliance—not legal—and the duties to be performed are compliance duties only will not only help organizations better adhere to the guidance but will also promote academic and skill set diversity in the organization. If legal responsibilities are removed from compliance job descriptions, and that work is still considered necessary, be sure to provide for it in legal department job descriptions. This exercise is also an apt juncture for organizations to critically review all of the legacy requirements for compliance roles and assess whether they are all still required today, or whether further updates are needed. It may be tricky to adjust the titles and responsibilities of existing staff without their full willingness to accept the change; however, this review can certainly take place for roles the company is hiring for moving forward.
Hiring managers should ask themselves if they have a bias that leads to lawyers being selected for compliance positions over candidates who aren’t legally qualified. A quick scan of your team’s background and qualifications should provide a pulse check on whether this is the case for you. If so, be conscious of that bias in hiring processes moving forward. Specifically, state in your advertising that nonlawyers are welcome. An example from an excerpt of a job I advertised on LinkedIn in October 2023 stated the following:
“Ideally suited for this position is a senior Compliance practitioner from the Life Sciences space—of course you need not be legally trained to be considered an exceptional candidate, I’m looking for an ethics and compliance nerd and that’s the important qualification.”
The best person for a compliance job is the one who can do all the responsibilities required of them. None of which should be legal tasks and, therefore, the best person for the job need not have legal qualifications. Calling out that everyone with relevant experience is welcome is a way to create a sense of belonging at the outset of your job search.
When working with your talent acquisition team, be clear in your briefing at the start about what you’re looking for and take the time to explain the distinction between legal and compliance roles and responsibilities. Some laypeople equate compliance to legal by explaining that appropriately experienced nonlawyers should be selected for shortlisting, and precisely the skills required to be considered adequately experienced will help vet at the beginning.
3. Organizations should consider documenting the rationale for elements of the guidance to which they have chosen not to adhere.
While my overall position is that we should always try our best to follow government guidance, I acknowledge that there will possibly be some organizations that are unable to or consider it undesirable in their current circumstances to follow all the recommendations set out by government authorities. The fact that OIG repeatedly emphasizes within the guidance itself that it is of a recommendatory, nonbinding nature only should give those organizations some level of comfort. That aside, I consider it prudent to “show the receipts,” if you will, for considering the guidance and keeping accurate records to explain why certain gaps or lack of alignment might exist in some areas.
Summary
The latest guidance from OIG is a very well-received document by the compliance community because it sets out a degree of detail we haven’t seen before about what characteristics of a compliance function’s structure and reporting lines are desirable. It helps us figure out what actions we should take to better align ourselves and our organizations more broadly with government expectations around what constitutes an effective, independent, and empowered program.
These changes will necessitate discussion with various organizational stakeholders as they will be a significant departure for companies accustomed to having general counsel and chief financial officers manage the compliance function.
Takeaways
-
The U.S. Health and Human Services Office of Inspector General (OIG) has clearly communicated a recommendation to organizations that compliance functions should be empowered and independent.
-
Empowered and independent functions are considered organizationally independent; they should not be helmed by the general counsel, chief financial officer, or another business member outside of legal.
-
Compliance officers should be focused on the practice of compliance and should not be giving legal or financial advice. In light of this guidance, it is incumbent on many organizations to consider whether it is appropriate to continue making compliance positions dependent on legal qualifications and including “counsel” or “attorney” in the titles of compliance positions.
-
Compliance officers should closely review department job descriptions, ensure they are focused on compliance duties only, and consider whether it is appropriate to include relevant juris doctorate and admission to bar qualifications in compliance job descriptions.
-
The guidance is nonbinding and of a recommendatory nature only, so the suggestions by OIG should not be interpreted as hard and fast rules; however, practitioners should seriously consider making appropriate adjustments that will better help their organizations align with the guidance where it is possible to do so.
*Mary Shirley is Head of Compliance at Masimo in Irvine, CA.
1 U.S. Department of Health and Human Services, Office of Inspector General, General Compliance Program Guidance, November 2023, https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.
2 U.S. Department of Health and Human Services, General Compliance Program Guidance, 39.
