As we approach the end of 2025, the Compliance Officer (CO) tends to reflect on our compliance program over the past year. Did we do what we set out to do, and was it effective? Typically, the answer is yes; if not, the next few months will be hectic. Now the CO looks towards the future – that is, the next fiscal year. I propose that the Compliance Officer make these New Year’s resolutions:
New Year’s Resolution 1: Failure to Prepare is Preparing to Fail
Around this time of year, the CO is deep into a risk assessment, reviewing what regulatory risk will change, how that will affect the organization, and what happened last year that could have gone better. The CO must prepare for what is coming down the regulatory pipeline and be able to pivot when the unexpected occurs. Each new administration brings its share of woes, but the CO does not have time to lament. Rather, they must navigate their ship through the unexpected winds of regulatory change with sails of agility. One can rarely control regulatory conditions, but understanding how to respond to change skillfully is the trademark of a successful compliance program. Just as importantly, the CO must pick and choose which regulatory changes pose the most risk. For those with small practices and no dedicated CO, facing every regulatory risk is not realistic. The CO must choose the highest-risk battles. High risk might not always come from new regulations, but from old failures. The CO must reflect on the previous fiscal year, see where there are opportunities for improvement and take steps to address those.
New Year’s Resolution 2: Build Up a Compliance Infrastructure
Often, smaller practices have a minimal compliance program consisting of billing and coding compliance and not much beyond that. The Department of Health and Human Services (HHS) has some specific guidance on the bare minimum of a compliance program, and it really means having it documented to prove that it exists. The CO must take steps to prove an effort was made to create an effective compliance program, often in the form of a documented work plan. That risk assessment the CO made is a good way to show your organization what its biggest risks are, but a work plan shows how you are going to address those risks. The bigger your company, the more compliance risks; putting into place a strong compliance infrastructure becomes necessary to deter and respond to risk. Is there an anonymous hotline for employees and patients to make compliance concerns known to management? Is compliance training integrated into current systems (for example, your HR system)? Is compliance documented and shared with organizational leadership? Above all, are these systems and programs effective? The HHS Office of the Inspector General looks for proof of effectiveness of a compliance program, not just that it exists. The CO must resolve to build a compliance infrastructure, review systems and ensure effectiveness.
New Year’s Resolution 3: Policies for All, Big or Small
It is easy in theory and difficult in practice, but the CO must resolve to document policies, procedures, standards and guidelines. To be enforceable, policies must be approved by the appropriate leader, understandable to the layperson, updated and relevant, and accessible to all employees affected by them. You can have a few policies or you can have a lot of policies; it depends on your organization and your risk appetite. But if you don’t have an enforceable policy, you might as well not have one at all. Let’s make this next year the one when we review all our policies to make sure they reach the threshold of enforceability.