How to limit your risk as a compliance officer

Here are strategies to manage liability

The secret is out that compliance officers face a growing personal liability as their positions within health care organizations continue to take hold and grow in importance. "I don’t think I have had a discussion with a compliance officer that has not included concern for their own personal liability or a conflict of interest between what they felt was appropriate and what someone in the company wanted to do," asserts Anne Novack Branan, a health care attorney with Broad and Cassel in Ft. Lauderdale, FL.

Branan says specific techniques and strategies can be used to minimize that liability, not necessarily at the expense of the employer. Much of the fear that exists stems from the government’s effort to curb violations by creating personal liability through criminal and civil penalties, she explains. "The government uses paranoia about personal liability as a deterrent to crime."

Chris Idecker, a partner with Ernst & Young in Atlanta, agrees that while compliance officers can never completely eliminate the conflict of interest or personal liability inherent in their positions, they can manage that risk using a range of strategies.

Among the measures Idecker recommends are the following:

1. Investigate the position before you accept the job. Idecker, a former compliance officer with Medaphis, says compliance officers should become familiar with the company’s history and its response to investigations before accepting a new position. "You have to know the reputation of the company and the community," he warns. "Are they committed to doing the right thing? Is this part of their orientation when hiring new employees?"

Recent or anticipated acquisitions or mergers also can be a key factor, he adds. "When you buy a company, you buy their problems. I had a Department of Justice attorney once tell me that she didn’t need whistle-blowers; all she needed was to read the Wall Street Journal and find out who was buying who."

2. Understand the role of management. It is also important to understand the organizational structure and the role management plays in compliance. Idecker says compliance officers should speak directly with the chief executive officer to gauge his or her level of commitment to integrating compliance into the company’s mission. That includes what type of infrastructure will be established as well as compensation.

"I believe that measurements in compensation drive behavior," he says. While compliance officers won’t often get a commitment on what will be spent, they should get a commitment that their recommendations will be considered strongly, he stresses.

Compliance officers also should speak with the chief operations officer to gauge commitment because of the central role that individual plays in most organizations, and they should meet with the board of directors, he adds. "Ultimately, you have to run things by them and get their approval, and they are also your ultimate hammer. They are ones that you don’t want to use very often, so be judicious."

It is also important to understand the organizational structure, adds Idecker. "Will you be the compliance officer for a subsidiary with no support from the parent company, or a compliance officer at a subsidiary where the parent has no knowledge of what goes on in the subsidiary?"

3. Set ground rules with your employer. Compliance officers should examine the scope of their duties, says Idecker. Depending on the job description, compliance officers may be responsible only for compliance, for compliance and internal audit, or for compliance and quality control. All of those schemes can work, he says, but compliance officers have to understand before taking a position which arrangement it will be.

Even those arrangements can have their own nuances, he warns. "Sometimes they will ask you to head up the internal audit, and when you look at what is expected of you, it has more of a financial control orientation than a compliance orientation."

The composition of the compliance committee and its relationship to the compliance officer can also be a key factor, Idecker says. "A broad multidisciplinary compliance committee can make your job much easier. They can make the tough decisions and the politically unpopular decisions that you don’t want to expend your political capital on."

4. Ensure proper budgeting. "The biggest problem I see in the field is underfunded plans," asserts Idecker. Not only does the Department of Health and Human Services Office of the Inspector General recognize the need for sufficient funding and staff, it also recognizes that the size and type of the organization dictate that need, he says.

One way to secure adequate funding is to point to areas where the organization can make additional money, he suggests. "Point out areas where correcting documentation shortfalls would have led to more reimbursement. Those are good stories to tell, and it helps make you part of that team. It shows them your value and ensures proper funding."

Idecker says the compliance officer’s job is one of the most complex because it requires knowledge of organizational behavior, human resources, auditing, and legal issues. "It is an extraordinarily complex background, and you can’t be all things to all people."

5. Understand the reporting requirements. Idecker says compliance officers should be wary of the knee-jerk tendency to report directly to the CEO. "That may not be appropriate," he says. But he adds that compliance officers should always report parallel to the people who are expected to comply.

Reporting to the COO should not be ruled out automatically, he adds. "There is a theory in the government that this is like the fox guarding the hen house. I say if it is the fox guarding the hen house, then you have some compliance problems anyway." He says the key factor is whether that person has adequate time and commitment to devote to compliance.

Reporting to the company’s legal officer also can be problematic, he cautions. "I tend not to favor that arrangement because the inherent tensions between legal and compliance are exacerbated," he says. "But I have seen it work in some organizations. It all depends on the makeup of your organization."

In all cases, Idecker says compliance officers must have direct access to the governing body and the CEO. "I also think it is important to document it. In any corporate governance litigation you might have downstream, it is your ultimate hammer, but use it sparingly."

"I think being tightly integrated with operations is the key to compliance," he concludes. "The more you make it a staff function and less of an integrated operational strategy, the less chance of success you will have."