Compliance officers seeking more insight into how to gauge the effectiveness of their compliance programs have a new resource guide at their fingertips.

The Department of Health and Human Services Office of Inspector General (HHS-OIG) late last month published “Measuring Compliance Program Effectiveness: A Resource Guide,” intended to provide healthcare organizations—irrespective of size, operational complexity, or amount of resources—with a variety of metrics for measuring the core elements of a compliance program.

Although geared toward the healthcare industry, most of the more than 400 compliance metrics listed broadly apply across all industries and all geographies. “These metrics, for the most part, are universal to every compliance department,” says Roy Snell, CEO of the Health Care Compliance Association (HCCA), a non-profit organization for ethics and compliance professionals in the healthcare industry.

HCCA developed the resource guide in collaboration with HHS-OIG, which convened in January 2017 to discuss ways to measure the effectiveness of compliance programs. During this roundtable, compliance professionals in the healthcare industry brainstormed ideas on “what” and “how” to measure the following seven core elements of a compliance program:

Standards, policies, and procedures;

Compliance program administration;

Screening and evaluation of employees, vendors, and other agents;

Communication, education, and training on compliance issues;

Monitoring, auditing, and internal reporting systems;

Discipline for non-compliance; and

Investigations and remedial measures.

Roundtable participants then divided each of these seven elements into more than 50 sub-categories of metrics. The HHS-OIG stressed that using all the metrics, or even a large number of them, in any given year is “impractical and not recommended.”

“These metrics, for the most part, are universal to every compliance department.”
Roy Snell, CEO, Health Care Compliance Association

Highlights of the metrics’ sub-categories for each of the seven elements discussed in the resource guide are summarized below:

Standards, policies, and procedures: 62 metrics addressing the accessibility, ease-of-use, quality, accountability, and approval process of standards, policies, and procedures.

Compliance program administration: 68 metrics concerning matters of the board, the compliance officer, and compliance committee. This section also includes metrics concerning compliance budgets, staffing, cultural surveys, incentives, and performance evaluations.

Screening and evaluation of employees, vendors, and other agents: 40 metrics addressing employee accountability, screening of employees and vendors, disclosure requirements, conflicts of interest, and exit interviews.

Communication, education, and training on compliance issues: 49 metrics on what and how to measure training, board obligations and responsibilities, communication, competency, and a culture of compliance.

Monitoring, auditing, and internal reporting systems: 77 metrics on what and how to measure a compliance program’s reporting system, risk assessments, auditing and monitoring work plan, corrective action plans, as well as auditor and vendor oversight.

Discipline for non-compliance: 34 metrics on what and how to measure awareness, documentation, and promotion criteria.

Investigations and remedial measures:  71 metrics on what and how to measure the quality and consistency of investigations, as well as the tracking, communication, and escalation of investigations. Also discussed are metrics on measuring the training, professionalism, and independence of investigators; the involvement of legal counsel; adherence to non-retaliation; timeliness of response; the handling of government inquiries; and the monitoring of results.

“The purpose of this list is to give healthcare organizations as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit its needs,” the resource guide states. “This is not a checklist to be applied wholesale to assess a compliance program.”


Below are some examples of metrics mentioned in the HCCA-OIG Resource Guide on measuring compliance program effectiveness -- Board of Directors.

Rather, compliance professionals should carefully discern which key metrics most directly apply to their own organization. Deciding which metrics to use may be based either on the need to address potential gaps in the compliance program, for example, or the need to assess an area that has not been assessed in a while, Snell of the HCCA says.

Just going through the exercise of choosing the right metrics can help promote the compliance program and gain the buy-in of stakeholders, says Frank Sheeder, a partner at law firm Alston & Bird and former president of the HCCA. It compels people to ask questions about the compliance program, to identify where more work may need to be done, and to look at the compliance program from a new perspective, he says.

Broader effort. The HHS-OIG resource guide is “not a trivial development,” Sheeder adds. It is part of a broader effort by the government in “encouraging organizations to have effective compliance programs and to be very thoughtful about enacting effective measures.”

For example, the HHS-OIG in April 2015 issued in collaboration with several industry groups an educational resource, “Practical Guidance for Healthcare Governing Boards on Compliance Oversight.” The document also assists internal auditors, in-house counsel, and compliance officers that report to those boards.

In addition to HHS-OIG, the Fraud Section of the Department of Justice’s Criminal Division in February 2017 published a list of sample topics and questions, entitled the “Evaluation of Corporate Compliance Programs.” The document provides ethics and compliance officers a more explicit and transparent explanation as to what common questions the Fraud Section may ask in evaluating a corporate compliance program when determining whether to bring criminal charges against a company.

“Both the OIG and Department of Justice have their own take on compliance program effectiveness,” says Michael Peregrine, a partner at law firm McDermott Will & Emery. “Healthcare organizations should read the HHS-OIG resource guide together with the Department of Justice’s ‘Evaluation of Corporate Compliance Programs’ to come with up a program that’s truly comprehensive,” he says.

Boards and senior leadership at healthcare organizations have focused on the effectiveness of their compliance programs for a while, says Lisa Murtha, a senior managing director at FTI Consulting. One sign of this is that FTI Consulting often receives requests for proposals from many organizations to do compliance program effectiveness assessments, she says.

In response to the growing emphasis that the government is placing on compliance program effectiveness, “prudent organizations have been commissioning external independent reviews of their compliance programs more and more,” Sheeder says. Independent compliance effectiveness assessments lend objectivity and credibility to effectiveness reviews, he says.

What the HHS-OIG and Department of Justice have signaled is that “just having the seven elements [of a compliance program] in place is nowhere near enough when it comes to proving to the government that your compliance program is effective,” Murtha says. The OIG resource guide provides a helpful framework for which to develop an audit plan for assessing program effectiveness, she says.

“Compliance professionals are always striving to demonstrate that their programs are effective,” Sheeder says. The HHS-OIG resource guide provides healthcare organizations and other industries “a wide array of yardsticks against in which they can measure their compliance programs.”