Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Compliance Program Basics

OIG reviews compliance program basics.

Podcast thumbnail image


I'm Heather Westphal and I'm an attorney with the Office of the Inspector General. I will spend the next few minutes discussing some basics about compliance programs, such as, what is a compliance program, and even more important, what makes an effective one?

At its most basic level, a compliance program is a set of internal policies and procedures that you put into place to help your organization comply with the law.

An effective compliance program can enhance your organization's operations, improve quality of care and reduce overall costs.

It can help you identify problems upfront and do something about them before they become systemic and costly.

Right now, you might be thinking, 'Okay, I get it, having an effective compliance program is important.'

So, where is the gold standard, model compliance program that I can use?

OIG has put out a lot of guidance on compliance programs, including, most notably, our Compliance Program Guidances, which we refer to as "CPGs". The CPGs are tailored to specific health care sectors and provide principles to follow when coming up with a program that best suits your organization's needs. And we've also identified fraud and abuse risk areas to watch out for.

However, we have never provided a model compliance program. Why? Because every organization is different. With that said, there are seven basic elements that OIG has long identified as fundamental to any compliance program. Let's walk through those now.

First, you need to have written policies and procedures. Once you figure out the standards of conduct and other policies that make sense for your compliance program, write them down and share them with everyone in your organization. But realize, this is only STEP ONE. Putting a binder of these policies on a shelf only to collect dust is not an effective compliance program. You have to update your policies periodically as your organization grows and changes.

The second fundamental element is to have a compliance professional. Even the smallest organization needs to have someone who is keeping up with Federal and State compliance requirements and recommendations. If you have the resources, designate a compliance officer and empower that individual with independence, authority, and a connection to people and information throughout the organization.

Third, you must conduct effective training. Educate your employees. Make sure that they understand your compliance program policies. The more creative and interactive you can make your training sessions, the better results you will get.

The fourth element is effective communication. What I'm talking about here is a way to facilitate communication between the compliance officer or compliance contact person and all employees. Comment boxes, anonymous hotlines, or even an open door policy are all great options. Give your employees some way to report misconduct... and protect "those who do" from retaliation.

Next, you need an internal monitoring process: Conduct audits. This is the heart of any effective compliance program. You have to use some kind of review to evaluate how your compliance efforts are working.

A good compliance program will identify problems from time to time, if it doesn't, that's a sign that what you're doing is NOT effective. If you detect something problematic, then you are in a position to do something about it.

Sixth, make sure that you enforce your standards: It's not only about developing policies, distributing them, and educating your employees about them. You also need to make sure your employees are actually following them. Take action when you learn someone is not complying with procedures.

Finally, you need to promptly respond to issues: When you get a report of suspected misconduct or other problem, look into right away. Then take steps to resolve the issue as quickly as you can.

If you build your compliance program around these seven elements, you will be off to a great start.