Compliance Program Effectiveness Assessment
Evaluate your organization's compliance program against the OIG's 7 elements of an effective compliance program. Based on OIG Compliance Program Guidance, the Federal Sentencing Guidelines Chapter 8, and 42 C.F.R. Part 1001.
Federal Sentencing Guidelines Requirement
The Federal Sentencing Guidelines (USSG Chapter 8) establish that an organization must have an effective compliance and ethics program to receive credit for mitigating penalties. OIG has adopted these same 7 elements as the standard for healthcare compliance programs. A program missing any element is considered deficient. In enforcement actions, DOJ evaluates each element individually. A compliance program that looks complete on paper but fails in practice (no real hotline usage, no disciplinary follow-through, outdated policies) receives no credit. Compliance programs are judged on outcomes, not intentions.
Step 1: Written Policies & Procedures
Confirm your organization has written compliance standards and policies that are reasonably capable of reducing the prospect of criminal or regulatory violations
Verify policies address all major risk areas: billing and coding, physician arrangements, HIPAA privacy and security, anti-kickback, Stark Law, exclusion screening, and government investigations
Check that policies are current: have they been reviewed and updated within the past 12 months to reflect changes in law, regulation, and CMS guidance?
Assess accessibility: can every employee and contractor locate the compliance policies within 2 minutes? (intranet, shared drive, printed manual)
Confirm a code of conduct exists and is distributed to all employees, board members, contractors, and medical staff at hire and annually thereafter
Verify that policies include specific prohibitions against retaliation for good-faith compliance reporting
Compliance tip: OIG expects written policies to be living documents, not binder-shelf decorations. The single most common audit finding is policies that were written once and never updated. If your policies still reference HIPAA provisions by pre-2013 numbering, or do not address the 2020 Stark modernization rule, they are stale. Update them before an auditor notices.
Step 2: Compliance Officer & Compliance Committee
Confirm a designated Compliance Officer has been appointed with day-to-day operational responsibility for the compliance program
Verify the Compliance Officer has direct access to the CEO, governing body (board of directors), and legal counsel without intermediate filtering
Assess whether the Compliance Officer has sufficient authority, resources, and autonomy to implement the compliance program effectively (budget, staff, tools)
Confirm a Compliance Committee exists with representatives from key departments: billing/coding, clinical operations, legal, human resources, IT/security, and physician leadership
Review Compliance Committee meeting frequency: quarterly at minimum, with documented agendas and minutes
Verify the Compliance Officer is not subordinate to the CFO, General Counsel, or any operational leader whose responsibilities could create a conflict of interest with compliance oversight
Compliance tip: OIG has repeatedly emphasized that the Compliance Officer must have a direct reporting line to the board. If your Compliance Officer reports to the CFO or General Counsel and has no independent board access, you have a structural problem. In enforcement actions, DOJ treats this as evidence that compliance was subordinate to revenue. Fix the reporting line before anything else.
Step 3: Training & Education
Verify all employees receive general compliance training within 90 days of hire, covering the code of conduct, reporting obligations, and key regulatory requirements
Confirm role-specific training is provided to high-risk functions: billing and coding staff (CPT/ICD accuracy, upcoding prevention), physicians (Stark and AKS), privacy officers (HIPAA), and IT staff (security rule)
Check that training is not limited to online modules: does your program include live sessions, case studies, or scenario-based exercises that test comprehension?
Verify annual refresher training is mandatory and tracked. Pull completion records for the last 12 months. What is your completion rate?
Assess whether training content is updated when laws change (e.g., No Surprises Act, 2020 Stark modernization, state-specific requirements)
Confirm that board members and senior leadership receive compliance training, not just front-line staff. OIG specifically flags organizations where leadership is exempt from training.
Compliance tip: A 15-minute annual click-through module does not constitute an effective training program. OIG evaluates whether training is substantive, role-specific, and tested for comprehension. If you cannot demonstrate that employees understood the material (not just that they clicked 'complete'), your training program has a gap. Add attestations, quizzes, and scenario exercises.
Step 4: Communication Lines (Hotline & Reporting)
Confirm a confidential reporting mechanism exists (compliance hotline, web portal, email, or written drop box) that is available to all employees, contractors, and agents
Verify the reporting mechanism allows anonymous reporting. If it does not, document why and what alternative protections exist.
Test the hotline: place a test call or submit a test report. How quickly does someone respond? Is the response documented? OIG expects response within 48-72 hours.
Review the complaint log for the past 12 months: how many reports were received, investigated, and resolved? Zero reports is a red flag, not a sign of compliance.
Confirm that the organization has a documented non-retaliation policy and that employees are aware of it. Survey or interview a sample of staff: do they know how to report a concern?
Verify that compliance reports are triaged, investigated, documented, and reported to the Compliance Committee and board (in aggregate or for significant matters)
Compliance tip: OIG considers zero reports on a compliance hotline to be a warning sign, not proof that nothing is wrong. It typically means employees do not trust the system or do not know it exists. If your hotline received zero complaints in the past year, investigate why. Common causes: fear of retaliation, lack of awareness, and belief that nothing will be done. Each of these is fixable.
Step 5: Internal Monitoring & Auditing
Confirm a written annual audit plan exists that identifies specific compliance risk areas to be audited (billing accuracy, exclusion screening, physician arrangements, HIPAA security, BAA compliance)
Verify audits are conducted by qualified personnel independent of the function being audited (internal audit, external firm, or compliance staff not involved in the audited operations)
Review the claims audit methodology: are you pulling a statistically valid sample? OIG expects a minimum of 30 claims per provider or risk area for meaningful results.
Confirm monthly exclusion screening against OIG LEIE and SAM.gov for all employees, contractors, vendors, and board members. Document each screening cycle.
Assess whether audit findings are reported to the Compliance Committee and result in documented corrective action plans with deadlines and responsible parties
Verify that monitoring is continuous, not just annual: are you running real-time or monthly checks on coding patterns, referral volumes, claim denial rates, and access logs?
Compliance tip: The difference between monitoring and auditing matters. Monitoring is ongoing and operational (e.g., monthly claim denial reports, weekly exclusion checks). Auditing is periodic and retrospective (e.g., annual coding accuracy review). You need both. An organization that audits annually but does not monitor between audits has blind spots that last 11 months.
Step 6: Enforcement & Discipline
Confirm written disciplinary standards exist that apply to all employees regardless of position, including officers, managers, physicians, and board members
Verify that the disciplinary standards specifically address compliance violations: billing fraud, HIPAA breaches, failure to report, retaliation against reporters, and exclusion from federal programs
Review the last 12 months of compliance-related disciplinary actions: were they consistent and proportionate? Were similar violations treated similarly regardless of the employee's seniority?
Check whether managers and supervisors are held accountable for compliance failures in their areas. OIG expects that a manager who knew or should have known about a violation faces consequences.
Confirm that the organization screens all new hires and contractors against OIG LEIE and SAM.gov before engagement, and that employment is conditioned on exclusion-free status
Verify that compliance performance is included in annual performance reviews and compensation decisions for managers and senior leaders
Compliance tip: Selective enforcement destroys a compliance program faster than anything else. If a billing clerk is terminated for a coding violation but a physician generating $2M in referrals receives a verbal warning for the same type of violation, the message is clear: revenue outranks compliance. OIG and DOJ look specifically for evidence of unequal enforcement. Document every disciplinary action and the reasoning behind it.
Step 7: Response & Corrective Action
Confirm a documented process exists for responding to detected compliance violations, including investigation protocols, escalation criteria, and timeline requirements
Verify that the organization has a process for determining whether a detected violation triggers a mandatory disclosure obligation (CMS Self-Referral Disclosure Protocol for Stark, OIG Self-Disclosure Protocol for AKS, HHS for HIPAA breaches)
Review corrective action plans from the past 12 months: were root causes identified? Were systemic fixes implemented, not just individual discipline?
Assess whether the organization conducts a lookback analysis after detecting a billing or coding violation to determine the scope and financial impact across all affected claims
Confirm that identified overpayments are reported and returned within 60 days of identification as required by the ACA (42 U.S.C. § 1320a-7k(d)). Failure to return overpayments within 60 days creates False Claims Act liability.
Verify that corrective actions are tracked to completion, with follow-up audits to confirm the fix was effective. An unverified corrective action is no corrective action.
Compliance tip: The 60-day overpayment rule is one of the most underappreciated compliance obligations. Under the ACA, once you identify an overpayment, you have 60 days to report and return it. After 60 days, the overpayment becomes an obligation under the False Claims Act, with treble damages and per-claim penalties. The clock starts when you identify the overpayment or when you should have identified it through reasonable diligence. This is why internal monitoring matters: if your audits should have caught the overpayment earlier, the 60-day clock may have already started.
Is Your Compliance Program Effective?
Does your organization have written compliance policies that were reviewed and updated within the past 12 months?
Yes: Continue to next question.
No: Critical gap. Outdated or missing policies are the #1 finding in OIG audits. Update immediately.
Does a designated Compliance Officer have direct, unfiltered access to the board of directors and adequate resources to operate the program?
Yes: Continue to next question.
No: Structural deficiency. OIG considers indirect board reporting a sign that compliance is subordinate to operations. Fix the reporting line.
Does your training program include role-specific content, comprehension testing, and documented completion for all staff including leadership?
Yes: Continue to next question.
No: Training gap. Click-through modules without comprehension testing do not satisfy OIG standards. Add assessments and live components.
Does a confidential, accessible reporting mechanism exist, and did it receive reports in the past 12 months?
Yes: Continue to next question.
No: Communication gap. Zero reports suggests employees do not trust the system or do not know about it. Investigate and remediate.
Does the organization conduct regular internal audits with statistically valid samples and continuous operational monitoring between audits?
Yes: Continue to next question.
No: Monitoring gap. Annual audits without interim monitoring leave 11 months of blind spots. Implement monthly or quarterly monitoring.
Are disciplinary standards applied consistently regardless of position, including to physicians and senior leadership?
Yes: Continue to next question.
No: Enforcement gap. Selective enforcement destroys credibility. Document all disciplinary actions and ensure consistency.
Does the organization have a documented process for investigating violations, conducting lookback analyses, returning overpayments within 60 days, and verifying corrective actions?
Yes: Your compliance program addresses all 7 OIG elements. Document this assessment, maintain evidence, and reassess annually.
No: Response gap. Missing corrective action processes create False Claims Act exposure under the 60-day overpayment rule. Build and document the process immediately.
Red Flags That Signal Program Weakness
Compliance Officer reports to CFO or General Counsel, not the board
Zero hotline complaints in the past 12 months
Compliance policies have not been updated in 2+ years
No documented disciplinary action for compliance violations
Board of directors never receives compliance reports
Training completion rate below 90%
No exclusion screening process or screening less than monthly
Overpayments identified but not returned within 60 days
Audit findings with no documented corrective action plans
Compliance budget reduced while organization revenue increased