Abstract connections of lines and spheres.

Long-Term Care Compliance: Developing a Compliance Program Based on Risk

By Sarah Couture

October 16, 2018

According to the new Long-Term Care Requirements of Participation Final Rule (the LTC Final Rule), Long-Term Care (LTC) facilities are required to implement a compliance and ethics program by November 2019.[i] Development and implementation of an effective compliance program can be structured around the Office of the Inspector General’s Compliance Program Guidance (OIG) for Nursing Facilities from 2000[ii] and 2008 utilizing the Seven Elements. Entities must assess internal and external compliance risk, and structure the compliance program to best mitigate those risks.[iii]

Building a Compliance Program on Assessed Compliance Risk

Effective compliance programs are built using the structural foundation of an effective compliance program using the Seven Elements. The 1991 advisory compliance program guidance published by the United States Sentencing Commission originally introduced the Seven Elements.[iv] Industry-specific compliance program guidance in the late 1990s and early 2000s re-emphasized the Seven Elements and included application to various segments of the healthcare industry.

The LTC Final Rule also describes the new compliance program requirements using the structure of the Seven Elements. According to the LTC Final Rule, LTC entities must structure compliance programs around the following:

  • written compliance and quality-of-care policies and procedures
  • high-level program oversight and sufficient resources and authority to ensure compliance
  • procedures to promote compliance, such as auditing and monitoring
  • an anonymous reporting system
  • consistently enforced disciplinary actions
  • appropriate responses to violations and prevention of similar future violation

Programs must also include a pre-hire screening process, an annual review, and an update of the compliance and ethics program. In addition, organizations with five or more facilities must also provide annual mandatory compliance training (another of the Seven Elements), appoint a compliance officer, and designate a compliance liaison for each of the facilities – thereby increasing the specificity with which compliance programs must be organized.

The LTC Final Rule expects the compliance programs in long-term care entities to “reduc[e] the prospect of criminal, civil, and administrative violations.”[v] To know how to build out the Seven Elements in a way that effectively reduces the prospect of violations, an entity must understand what risks could lead to violations and understand the implications of failure to address those risks. Developing policies and procedures just to satisfy the requirements of the rule could easily result in a “paper program” that exists on paper but is not truly effective in mitigating the risk of criminal, civil, and administrative violations.

An effective compliance program builds out the Seven Elements in a thoughtful way based upon assessed risks. For example, policies and procedures should be developed and crafted to address known risks and guide employee action. Education should be entity and risks specific to instruct the workforce regarding compliance risks and how the employee and entity can help prevent violations.

Assessment of Internal and External Compliance Risk

Internal compliance risks are those risks that are specific to an entity. Some examples could include staffing numbers or experience of staff (including nursing home administration), locations and number of facilities, business models, billing practices, compliance expertise/knowledge of the board of directors and the senior leadership team, adequacy of internal audit processes, processes for ensuring compliant contracts, pharmacy structure and medication procedures, and cultural specifics such as employee trust in leadership and accountability for wrongdoing.

Internal risks can be assessed through meetings and discussion with leadership and management groups, staff surveys and interviews, paper and on-site auditing and monitoring results, and billing data analytics. Assessment of internal compliance risk is essential when developing a plan to address the Seven Elements.

In addition to assessing internal risks, entities must assess external compliance risks related to regulatory requirements, industry trends, and recent enforcement actions. The OIG Skilled Nursing Facility compliance program guidance documents published in both 2000 and 2008 provide a good starting point for external risk assessment. These documents detail risks that should be addressed by compliance programs, including quality-of-care risks related to sufficient staffing, comprehensive resident care plans, medication management, appropriate use of psychotropic meds, resident safety and staff screening, billing risks related to case mix, therapy services, and restorative and personal care services. Anti-Kickback Statute risks exist as well, such as: free goods and services, service contracts and physician services, discounts, and hospices.

The LTC Final Rule updates and further outlines many of these risks and adds additional requirements that must be implemented over a three-year period. The OIG publishes a Work Plan that is updated each year.[vi] The OIG Work Plan displays the audit and review priorities of the OIG, and frequently includes issues related to long-term care, therapy services, pharmacy, hospice, and home health. Applicable items on the OIG Work Plan should be evaluated when assessing external risk. Professional organizations can be a helpful source for understanding compliance risks, as they provide industry updates, specialty expertise, and an opportunity to interact with peer organizations. Another source for external compliance risk assessment is recent enforcement actions.

The OIG’s website includes a listing of recent civil and criminal enforcement actions against various types of entities, including skilled nursing facilities, rehabilitation companies, hospices, pharmacies, and home health agencies for compliance, quality, and billing issues. These types of entities have seen consequences including significant civil monetary penalties, corporate integrity agreement (CIA) requirements, and even prison time related to a variety of compliance failures. These compliance failures can include hiring persons excluded from federal healthcare programs, billing for services provided at a substandard quality of care, having insufficient processes for controlled substances, paying bribes and kickbacks in exchange for patient referrals, and billing for medically unnecessary therapy, hospice, and home health services. Regulatory guidance and requirements, OIG Work Plan items, and recent enforcement actions represent potential risks that should be evaluated when developing an effective compliance program.

Risk Assessment to Compliance Plan

Once the compliance risks have been compiled, it is important to prioritize the risks according to the likelihood of each risk occurring and the magnitude of the possible effect of the occurrence on the entity. Once the risks are prioritized, the entity can begin to develop a plan to address and mitigate the risks through the Seven Elements.

An effective compliance program is one that assesses and understands its internal and external risks and crafts the compliance plan and priorities to most effectively mitigate the risks.


[i] 81 FR 68688
[ii] Federal Register / Vol. 65, No. 52 / Thursday, March 16, 2000 / Notices
[iii] Federal Register / Vol. 73, No. 190 / Tuesday, September 30, 2008 / Notices
[iv] “2016 Chapter 8.” United States Sentencing Commission, 27 Oct. 2016, www.ussc.gov/guidelines/2016-guidelines-manual/2016-chapter-8.
[v] 81 FR 68688
[vi] Department of Health and Human Services. “Work Plan.” Work Plan | Reports & Publications | Office of Inspector General | U.S. Department of Health and Human Services, oig.hhs.gov/reports-and-publications/workplan/index.asp.