F895
(Rev. 225; Issued: 08-08-24; Effective: 08-08-24; Implementation: 08-08-24)
§483.85 Compliance and ethics program.
§483.85(a) Definitions. For purposes of this section, the following definitions apply:
Compliance and ethics program means, with respect to a facility, a program of the operating organization that—
§483.85(a)(1) Has been reasonably designed, implemented, and enforced so that it is likely to be effective in preventing and detecting criminal, civil, and administrative violations under the Act and in promoting quality of care; and
§483.85(a)(2) Includes, at a minimum, the required components specified in paragraph (c) of this section.
High-level personnel means individual(s) who have substantial control over the operating organization or who have a substantial role in the making of policy within the operating organization.
Operating organization means the individual(s) or entity that operates a facility.
§483.85(b) General rule.
Beginning November 28, 2019, the operating organization for each facility must have in operation a compliance and ethics program (as defined in paragraph (a) of this section) that meets the requirements of this section.
§483.85(c) Required components for all facilities.
The operating organization for each facility must develop, implement, and maintain an effective compliance and ethics program that contains, at a minimum, the following components:
§483.85(c)(1) Established written compliance and ethics standards, policies, and procedures to follow that are reasonably capable of reducing the prospect of criminal, civil, and administrative violations under the Act and promote quality of care, which include, but are not limited to, the designation of an appropriate compliance and ethics program contact to which individuals may report suspected violations, as well as an alternate method of reporting suspected violations anonymously without fear of retribution; and disciplinary standards that set out the consequences for committing violations for the operating organization's entire staff; individuals providing services under a contractual arrangement; and volunteers, consistent with the volunteers' expected roles.
§483.85(c)(2) Assignment of specific individuals within the high-level personnel of the operating organization with the overall responsibility to oversee compliance with the operating organization's compliance and ethics program's standards, policies, and procedures, such as, but not limited to, the chief executive officer (CEO), members of the board of directors, or directors of major divisions in the operating organization.
§483.85(c)(3) Sufficient resources and authority to the specific individuals designated in paragraph (c)(2) of this section to reasonably assure compliance with such standards, policies, and procedures.
§483.85(c)(4) Due care not to delegate substantial discretionary authority to individuals who the operating organization knew, or should have known through the exercise of due diligence, had a propensity to engage in criminal, civil, and administrative violations under the Social Security Act.
§483.85(c)(5) The facility takes steps to effectively communicate the standards, policies, and procedures in the operating organization's compliance and ethics program to the operating organization's entire staff; individuals providing services under a contractual arrangement; and volunteers, consistent with the volunteers' expected roles. Requirements include, but are not limited to, mandatory participation in training as set forth at §483.95(f) or orientation programs, or disseminating information that explains in a practical manner what is required under the program.
§483.85(c)(6) The facility takes reasonable steps to achieve compliance with the program's standards, policies, and procedures. Such steps include, but are not limited to, utilizing monitoring and auditing systems reasonably designed to detect criminal, civil, and administrative violations under the Act by any of the operating organization's staff, individuals providing services under a contractual arrangement, or volunteers, having in place and publicizing a reporting system whereby any of these individuals could report violations by others anonymously within the operating organization without fear of retribution, and having a process for ensuring the integrity of any reported data.
§483.85(c)(7) Consistent enforcement of the operating organization's standards, policies, and procedures through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for the failure to detect and report a violation to the compliance and ethics program contact identified in the operating organization's compliance and ethics program.
§483.85(c)(8) After a violation is detected, the operating organization must ensure that all reasonable steps identified in its program are taken to respond appropriately to the violation and to prevent further similar violations, including any necessary modification to the operating organization's program to prevent and detect criminal, civil, and administrative violations under the Act.
§483.85(d) Additional required components for operating organizations with five or more facilities. In addition to all of the other requirements in paragraphs (a), (b), (c), and (e) of this section, operating organizations that operate five or more facilities must also include, at a minimum, the following components in their compliance and ethics program:
§483.85(d)(1) A mandatory annual training program on the operating organization's compliance and ethics program that meets the requirements set forth in §483.95(f).
§483.85(d)(2) A designated compliance officer for whom the operating organization's compliance and ethics program is a major responsibility. This individual must report directly to the operating organization's governing body and not be subordinate to the general counsel, chief financial officer or chief operating officer.
§483.85(d)(3) Designated compliance liaisons located at each of the operating organization's facilities.
§483.85(e) Annual review.
The operating organization for each facility must review its compliance and ethics program annually and revise its program as needed to reflect changes in all applicable laws or regulations and within the operating organization and its facilities to improve its performance in deterring, reducing, and detecting violations under the Act and in promoting quality of care.
INTENT

To ensure that facilities have in operation an effective compliance and ethics program that uses internal controls to more efficiently monitor adherence to applicable statutes, regulations and program requirements to deter criminal, civil and administrative violations under the Act and promote quality of care for nursing home residents.
DEFINITIONS
“Due care” generally means the care that a reasonable person would use under the same or similar circumstances.1
"Entire staff" includes all staff employed by the facility or operating organization, individuals providing services under a contractual arrangement, and volunteers, consistent with the volunteers’ expected roles.2
GUIDANCE
Background

On March 16, 2000, the Department of Health and Human Services Office of the Inspector General (OIG) issued their Compliance Program Guidance for Nursing Facilities to promote “a higher level of ethical and lawful conduct throughout the entire health care industry” (65 FR 14289). The OIG previously issued guidance for other segments of the health care industry based on the belief that “a health care provider can use internal controls to more efficiently monitor adherence to applicable statutes, regulations, and program requirements.” This guidance also provided the basis for Section 6102(b)(1) of the Patient Protection and Affordable Care Act of 2010, which amended the Social Security Act (the Act) to add section 1128I(b), requiring Medicare skilled nursing facilities and Medicaid nursing facilities to have a compliance and ethics program. The OIG guidance from 2000 recommended seven elements that should be included in an effective, comprehensive compliance and ethics program:
1. Implementing written policies, procedures and standards of conduct
2. Designation of a compliance officer and compliance committee
3. Conducting effective training and education
4. Developing effective lines of communication
5. Enforcing standards through well-publicized disciplinary guidelines
6. Conducting internal monitoring and auditing
7. Responding promptly to detected violations and corrective action
For further information, see the OIG publications regarding compliance and ethics programs in nursing facilities:
• Publication of the OIG Compliance and Ethics Program Guidance for Nursing Facilities (2000): https://oig.hhs.gov/compliance/compliance-guidance/index.asp.
• OIG Supplemental Compliance Program Guidance for Nursing Facilities (2008): https://oig.hhs.gov/compliance/compliance-guidance/index.asp
Common risk areas are mostly associated with the delivery of health care to nursing facility residents, including sufficient staffing, comprehensive care plans, medication management, infection prevention, appropriate use of psychotropic medications and resident abuse, neglect and safety.
Additional risk areas include, but are not limited to, resident rights, fraud prevention, billing and cost reporting, employee screening, resident assessment accuracy, creation and retention of records, falsification and modification of documentation, conflicts of interest, kickbacks, inducements and self-referrals.
The above background information and associated documents are provided as resources.

REQUIREMENTS FOR ALL FACILITIES
Compliance and Ethics Program

The operating organization of each facility must have a compliance and ethics program that has been reasonably designed, implemented, maintained and enforced, so that it is likely to be effective in preventing and detecting criminal, civil, and administrative violations under the Act and in promoting quality of care.
It is important for the facility to consider their facility assessment developed according to §483.71 in identifying risk areas, developing and maintaining their compliance and ethics program, and determining resources needed for the program.

Written standards, policies and procedures
The operating organization must have written standards, policies and procedures for its compliance and ethics program, which include at a minimum:
• Designation of an appropriate compliance and ethics program contact to whom an individual can report suspected violations;
• An alternate method of reporting suspected violations anonymously without fear of retribution;
• Disciplinary standards that describe the consequences for committing violations for the entire staff.

High-level Personnel Oversight
The operating organization must assign specific individuals within the high-level personnel of the organization with the overall responsibility of overseeing adherence to the compliance and ethics program’s standards, policies, and procedures.
High-level personnel means individuals who have substantial control over the operating organization or who have a substantial role in the making of policy within the operating organization. The individuals considered ‘‘high-level personnel’’ will differ according to each operating organization’s structure. Some examples include, but are not limited to, a director; executive officers including the chief executive officer (CEO); members of the board of directors; an individual in charge of a major business or functional unit of the operating organization; or an individual with a substantial ownership interest in the operating organization, as defined in section 1124(a)(3) of the Act.

Sufficient Resources and Authority
The program must include provisions ensuring that the specific individual(s) designated with oversight responsibility have sufficient resources and authority to assure compliance with program standards, policies, and procedures. The resources devoted should include both human and financial resources.
Delegation of Substantial Discretionary Authority
Organizations must exercise the care that a reasonable person would use under the same circumstances (due care) when delegating substantial discretionary authority to individuals, to ensure that the delegation is not made to an individual who the operating organization knew, or should have known, through the exercise of due diligence, had engaged in or had the predisposition to engage in unethical acts, or potential criminal, civil and/or administrative violations of the Act.

Effectively Communicating Program Standards, Policies and Procedures
The facility is required to effectively communicate to the entire staff, the standards, policies and procedures of the compliance and ethics program. Requirements include, but are not limited to, mandatory participation in training, as set forth in §483.95(f), orientation programs, and/or dissemination of information that explains what is required under the program, in a practical manner.
For information on compliance and ethics training requirements, see §483.95(f), (F946).

Reasonable Steps to Achieve Program Compliance
The facility must take reasonable steps to achieve compliance with the program’s standards, policies and procedures. These steps include, but are not limited to:
1. Utilizing monitoring and auditing systems to detect criminal, civil, and administrative violations under the Act, by any of the facility’s entire staff.
2. Publicizing a reporting system whereby any of the organization’s entire staff could report violations anonymously within the operating organization without fear of retaliation.
3. Having a process for ensuring the integrity of any reported data.

Consistent Enforcement through Disciplinary Mechanisms
The compliance and ethics program must establish appropriate disciplinary mechanisms and effectively communicate those mechanisms, so that the operating organization’s entire staff is clearly aware of the consequences of program violations.
The operating organization is required to consistently enforce its standards, policies, and procedures through appropriate disciplinary mechanisms, including, as appropriate, discipline of individuals responsible for failing to detect and report a violation to the appropriate party identified in the organization’s compliance and ethics program.

Response to Detected Violations
After an operating organization detects a violation, it must ensure that all reasonable steps identified in its program are taken to respond appropriately to the violation and to prevent further similar violations. This includes any necessary modification to the organization’s program to prevent and detect criminal, civil, and administrative violations under the Act.
The reasonable steps that should be taken when a violation is detected should be clearly identified in the operating organization’s program. Such steps may include a corrective action plan, the return of overpayments, a report to the government and/or a referral to criminal and/or civil law enforcement authorities. The steps will differ depending upon the size of the operating organization, the position of the individual reporting the violation, and the type of violation. For example, an operating organization’s program may state that a staff member should immediately notify their immediate superior when he or she detects a violation. However, if it is the immediate superior or the operating organization’s management whom the staff member believes is committing the violation, the staff member should have an alternative process to report the violation, such as an executive officer of the organization, the Office of the State Long-Term Care Ombudsman or other appropriate agency or law enforcement authority.
Facilities should integrate the information and data they collect or which arises out of their compliance and ethics programs into their Quality Assurance and Performance Improvement (QAPI) program, see §483.75(g)(2)(iii), F868. The QAPI committee should work with the compliance officer to determine if there are trends or patterns of systemic problems.

Annual review
As an operating organization becomes aware of changes in laws and/or requirements, it should modify its program to ensure it is current with requirements. The operating organization's performance in prior years should also be used to improve its program. As an operating organization revises its program, it should ensure that those changes are communicated to its entire staff.
ADDITIONAL REQUIREMENTS FOR OPERATING ORGANIZATIONS WITH FIVE OR MORE FACILITIES
Mandatory Annual Training

For operating organizations with five or more facilities, the organization must have a mandatory annual training program. The annual training should be delivered in a practical manner based on its resources, the complexity of the operating organization and its facilities and in accordance with compliance and ethics training requirements in §483.95(f), (F946).
Designated Compliance Officer
Operating organizations that operate five or more facilities must designate a compliance officer for whom the compliance and ethics program is a major responsibility.
The operating organization should ensure that the assigned compliance officer has sufficient time and other resources to fulfill all of his or her responsibilities under the operating organization's compliance and ethics program.
The compliance officer should be able to communicate with the governing body without being subject to any coercion or intimidation. This is to ensure that the compliance officer is not unduly influenced by other managers or executive officers, such as the general counsel, chief financial officer or chief operating officer.

Designated Compliance Liaison
A designated compliance liaison must be located at each of the operating organization’s facilities. At a minimum, the facility-based liaison should be responsible for assisting the compliance officer with his or her duties under the operating organization’s program at their individual facilities.
INVESTIGATIVE PROCEDURES
When concerns regarding the compliance and ethics program are identified, use the applicable probes below to assist with investigating and determining compliance.
PROBES
• Does the operating organization have written standards, policies and procedures for the compliance and ethics program that are reasonably capable of reducing the possibility of criminal, civil and administrative violations under the Act?
• Interview high-level personnel designated to oversee the organization’s compliance and ethics program about their involvement in the program. Determine:
  ◦ how the facility uses monitoring and auditing systems to detect criminal, civil, and administrative violations by staff;
  ◦ if they are aware of the potential violation under investigation and what their response was.
• Ask staff if:
  ◦ they are aware of the facility’s compliance and ethics program;
  ◦ there is a method for staff to anonymously report suspected violations;
  ◦ they are confident in reporting compliance matters without fear of retaliation.
• When reports or reasonable suspicions of violations are identified, did the organization take prompt action to respond to the violation and prevent future occurrences, including enforcement of program standards, policies and procedures through disciplinary mechanisms, if appropriate?
• Did the operating organization delegate substantial discretionary authority to an individual it knew, or should have known through due diligence, had a propensity to engage in criminal, civil and/or administrative violations?
• Does the operating organization review the program annually and as needed, in response to organization, facility and/or regulatory changes?
• If the operating organization has five or more facilities, have a compliance officer and a facility-based compliance liaison been designated and is mandatory annual training conducted?

POTENTIAL TAGS FOR ADDITIONAL INVESTIGATION
If a negative or potentially negative resident outcome is determined to be related to the facility’s failure to meet compliance and ethics requirements, it should also be investigated under the appropriate quality of care or other relevant requirement.
For concerns related to systems of care and management practices, written policies and procedures for feedback, data collection systems, monitoring, analyzing and acting on available data to make improvements, see Quality Assurance and Performance Improvement (QAPI) requirements in §483.75.
1 http://thelawdictionary.org/due-care/ (accessed on April 17, 2015).
2 Medicare and Medicaid Programs; Reform of Requirements for Long-Term Care Facilities [CMS–3260–F], 81 FR 68688, at page 68814 (Oct. 4, 2016).