Compliance officers in the healthcare sector have more responsibilities than ever before as healthcare organizations look to save on costs, a recent benchmark report finds.

The 2019 Healthcare Compliance Benchmark Report, conducted by SAI Global in partnership with compliance consulting firm Strategic Management Services, polled 419 people in the healthcare industry to gauge the current state of their compliance programs. One of the most notable trends, the report found, has been the evolving role of chief compliance officers, beyond simply regulatory compliance obligations.

“Over the last 10 years, there has been a movement toward adding responsibilities onto the compliance officer,” says Richard Kusserow, former U.S. Department of Health and Human Services inspector general and CEO of Strategic Management Services.

Specifically, the report found that 37.5 percent of respondents said their compliance officers have responsibility for HIPAA privacy, and another 30 percent said they have responsibility for HIPAA security. Additionally, 30 percent said compliance has responsibility for internal audit or risk management, while 17 percent said they have responsibility for legal.

But even as the responsibilities of compliance officers expand, half of respondents said they expect their compliance budgets to remain the same. “So, they’re taking on more responsibilities without any significant increase in resources,” Kusserow says.

The survey also observed a continuing trend of more compliance departments turning to vendors to help with non-core compliance activities. The top tools and services used include hotline answering services; sanction screening; and e-Learning services. Other services include policy and code development; automated compliance incident management software; claims reviews; sanction screening result resolution; and specialized compliance/HIPAA investigations.

Compliance priorities

In the healthcare space, the top three compliance program challenges that respondents cited were engagement of leadership support; managing ongoing auditing of high-risk compliance areas; and getting program managers to focus on compliance risks in their area.

As far as how they intend to improve their compliance operations internally, respondents cited “evidencing compliance program effectiveness” as their top priority. Yet, the way in which many go about achieving this is not best practice, given that half of respondents said they rely upon internal processes—such as checklists and self-assessment tools—to evidence program effectiveness, while one-third said they use internally developed compliance surveys.


The problem with this approach is that “you cannot be objective in reviewing your own operations,” Kusserow says. To be credible, ongoing auditing and evaluation must be done by a party independent of the program. Just 29 percent of respondents said they use an independent expert to conduct their reviews and assessments.

Moreover, internally generated compliance surveys lack credibility. “Employees do not trust the motives of a survey. They don’t believe they will be anonymous,” Kusserow says. “The result is that those surveys tend to be skewed in a way that’s not really helpful.”

Getting this process right is especially important, since employee surveys are reinforced repeatedly by the Office of Inspector General (OIG) and are strongly advocated in the OIG’s resource guide, “Measuring Compliance Program Effectiveness.” Employee surveys can identify both strengths in the compliance program and those areas requiring special attention, helping to proactively reduce regulatory risk.

In addition to demonstrating compliance program effectiveness, other top priorities of compliance programs include making improvements in compliance auditing; gaining increased support for the program; providing quality compliance training; revising/updating compliance-related policies; and investigative management. Compliance investigations; improved hotline efficiency; board training; upgrading the sanction screening process; and program manager ongoing monitoring of their risk areas were also listed.

The report also asked about compliance officers’ top priorities from a risk management perspective, which are separate and distinct from the operational priorities of the compliance department overall. In this regard, HIPAA security and HIPAA privacy moved into first place among respondents as the highest priority for the compliance program, likely due to continued cyber-attacks, data breaches, and increasing enforcement actions by the Office of Civil Rights.

A second high-risk priority in the healthcare sector is auditing and monitoring physician arrangements. Monitoring physician arrangements should be an important priority, as arrangements with referral sources in violation of the Anti-Kickback Statute and Stark Laws remain the No. 1 healthcare enforcement priority for both the Department of Justice and OIG. From a compliance risk standpoint, the improper design and implementation of physician arrangements can result in significant fines, denial of payments, and exclusion from federal healthcare programs.

Board oversight

Respondents to the survey were also asked about how compliance interacts with the board. The top board oversight areas that respondents cited include meeting with the compliance officer to receive reports regarding the program operations (77 percent); reviewing the results of significant compliance investigations (66 percent); and reviewing findings from ongoing auditing of high-risk areas (62 percent).

Among the more concerning findings, however, was that 34 percent of respondents indicated the compliance officer meets with the board without members of management present. “Every compliance officer should meet with the board or a board committee with management being present,” Kusserow says. Moreover, just 24 percent of respondents indicated that the board reviews and approves the compliance budget, “a critical factor in effective oversight of the program and in determining overall value of the program,” the report stated.

Another concerning finding was that only 18 percent said that board oversight includes active involvement in the evaluation of the compliance officer’s performance and bonuses. This is not best practice. “Certainly, the board should have some say about whether the compliance officer is doing an adequate job or not,” Kusserow says.

Respondents were also asked what topics they typically present to the board. Oversight of the compliance program was selected by over half of the respondents as the highest priority for presentation topics for the board, followed by “updating on the regulatory and legal environment” and “updating on results from ongoing auditing of high-risk areas.”

Other topics presented to the board, as cited by respondents, included:

  • Presentation of results from significant compliance investigations;
  • Independent evaluation of the compliance program;
  • Conflict-of-interest issues;
  • Results of ongoing monitoring by program managers; and
  • Issues from the hotline.

When asked about the frequency with which the board meets with compliance, 59 percent of respondents said that compliance meets with the board at least quarterly—which aligns with best practice. Another 15 percent of respondents said they meet monthly; 11 percent said annually; and 14 percent said only as needed or not at all. “Meeting annually is not enough, and meeting monthly is overkill, placing the board in a role best filled by management,” the report said.

Overall, the report reveals that expectations of compliance officers continue to increase, even as budgets, staff, and enforcement activity remain steady. Moving forward, conducting ongoing independent reviews to gain insights into the effectiveness of the compliance program should remain a priority among compliance officers in the healthcare sector.