A 2016 Final Rule from CMS created a new regulatory requirement for long-term care facilities, 42 C.F.R. § 483.85, that mandates such facilities have in operation, by November 28, 2019, a compliance and ethics program that is “reasonably designed to be effective in preventing and detecting criminal, civil, and administrative violations under the [Social Security] Act and in promoting quality of care.” The following eight components of a compliance and ethics program are required for all long-term care facilities’ operating organizations:

  1. Written compliance and quality of care policies and procedures. Such policies and procedures should include, but not be limited to, designating an appropriate compliance and ethics program contact to whom suspected violations may be reported; providing an alternate method of reporting suspected violations anonymously without fear of retribution; and disciplinary standards that set out the consequences for committing violations for the operating organization’s entire staff. These may take the form of a Code of Conduct or other general quality of care and health care compliance standards.
  2. High-level compliance oversight. An individual within the “high-level personnel,” who has substantial control over the operating organization or who has a substantial role in the making of policy within the operating organization, must be assigned overall responsibility to oversee compliance with the compliance and ethics program’s standards, policies, and procedures. This individual may be the CEO, a member of the board of directors, or a director of a major division in the operating organization. The person charged with responsibility for compliance oversight may have responsibilities outside of compliance, but should make routine compliance reports to the board, reporting not only issues but also the status of complaint investigations and policy developments, trends, and budget.
  3. Sufficient resources and authority. The individual(s) tasked with compliance oversight must be supported within the organization, in both resources and authority, to reasonably assure compliance with such standards, policies, and procedures. This includes budget, staffing, and enforcement capabilities.
  4. Due care in delegating substantial discretionary authority. Operating organizations are required to exercise “due care” in delegating such authority to individuals, avoiding people the organization knew, or should have known through the exercise of due diligence, have a propensity to engage in criminal, civil, and administrative violations. Such individuals should not be put into positions of power, authority, policymaking, or oversight. “Due care” includes screening all hired and contracted individuals and staff for exclusion from federal health care programs.
  5. Effective communication of compliance standards. The operating organization must take steps to effectively communicate the standards, policies, and procedures in the organization’s compliance and ethics program to the operating organization’s entire staff, individuals providing services under a contractual arrangement, and volunteers. Requirements include, but are not limited to, mandatory participation in training or orientation programs, or disseminating information that explains, in a practical manner, what is required under the organization’s program. Operating organizations should develop orientation and training materials specific to compliance that are routinely updated.
  6. Procedures to promote compliance. The operating organization is also required to take reasonable steps to achieve compliance with its program’s standards, policies, and procedures. Such steps include utilizing monitoring and auditing systems, often requiring the development of a monitoring and auditing plan based on external and internal risk in an “ongoing evaluation process.” These steps should also include having in place and publicizing an anonymous reporting system which individuals may use without fear of retribution, and having a process for ensuring the integrity of any reported data. Such a system normally takes the form of an anonymous hotline.
  7. Consistent enforcement of compliance standards. Consistent enforcement should occur through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect and report a violation to the compliance and ethics program contact.
  8. Appropriate responses to violations. After a violation is detected, the operating organization must ensure that all reasonable steps identified in its compliance program are taken to respond appropriately to the violation and to prevent further similar violations, including any necessary modification to the operating organization’s program.

If an operating organization has five or more facilities, in addition to meeting these eight requirements, it is also expected to designate a dedicated compliance officer, for whom the operating organization’s compliance and ethics program is a major responsibility. The compliance officer must report directly to the operating organization’s governing body and not be subordinate to the general counsel, chief financial officer, or chief operating officer. An operating organization with five or more facilities also must designate compliance liaisons at each facility.

Once the compliance program is established, long-term care organizations must review their programs annually, revising as necessary to reflect changes in all applicable laws or regulations and to deter, reduce, and detect violations. This annual review, and any resulting changes, should be documented.
