The 8 Key Elements of an Effective HIM/Coding Compliance Program


by John Goulart, Jr., MSM-HCA, BSMT(ASCP), CHC, 340B ACE

Hospital Compliance Officer, MetroWest Medical Center/Tenet Healthcare

Having worked at several large medical centers and multi-hospital networks, I have tailored the Health and Human Services (HHS) Office of Inspector General (OIG) Compliance Program Guidance documents to eight key elements that must be in place for our health information management or coding compliance program to accomplish its goals and be effective. These eight elements will help ensure you are doing the best you can with the resources you have.

Let’s take a look at the eight elements of an effective compliance program tailored to HIM / Coding.

1. Connection to a Compliance Officer and reporting through a Compliance Committee
Does your department routinely meet with Compliance to discuss issues, share findings, and collaborate on corrective action plans? The three most important functions of any compliance effort are to 1.) Prevent, 2.) Detect, and 3.) Remediate issues. Everyone needs to “be present” in order for this to happen.

Are you reporting data, including the PEPPER (Program for Evaluating Payment Patterns Electronic Report) and other available data up to the facility’s / organization’s Compliance Committee at some frequency? Are these items being discussed at your departmental committee meeting first, along with coding accuracy and medical record integrity?

2. Written standards
We all know that in documentation of medical services, if it isn’t written, it might as well not have happened. Similarly, written standards are critical for communicating your compliance program. Having written them, are they?

  • Posted?
  • Communicated?
  • Readable?
  • Reviewed?

If yes, great! Keep in mind that it doesn’t mean all staff understand the standards and why they are important, that they can actually comply with the standards, and that they will necessarily apply them correctly. There is more work to do. I recommend conducting a survey to see which concepts have hit the mark and stuck and which have not. Then you can help those who need assistance in understanding or retaining those concepts.

3. Communication channels
Communication needs to be bidirectional. Don’t confuse communicating with providing education and training. We all use email, but an email is not always effective in providing education and training. Consider your audience.

But how do we know that compliance-related communication really matters? We actually do:

A George Washington University study, “Evidence on the Use and Efficacy of Internal Whistleblower Systems,” demonstrates a strong correlation between reporting volumes and positive business outcomes.

The NAVEX Global 2019 Ethics & Compliance Hotline Benchmark Report, found that the median number of contacts for all reporting channels (hotline, other calls, emails, requests for guidance), is 1.4 reports per 100 employees. Do you know your communication rate per 100 employees?

4. Education and training
So if written standards do not guarantee compliance and an email is not sufficient to provide education to your employees, what do you do?

I have found that one of the most effective training methods to offer is scenario-based training. The goal is to ensure staff understand what they are being asked to do, what they actually can do, and ultimately that they will do it accurately. Scenario-based training does two things: 1.) It thwarts comments like “That training has nothing to do with my job,” and more importantly, 2.) It shows your audience that you care about understanding the challenges they face and can actually discuss compliance effectiveness in a meaningful way.

5. Auditing and Monitoring
Auditing of results and monitoring behaviors is where you gather data on what happens when the rubber hits the road.

  • Is there an auditing and monitoring work plan?
  • Is it based on risk?
  • Is it dynamic or static?
  • Is the passing threshold 95 – 100% or something else?
  • Are there criteria for pass and move on vs. fail and repeat?
  • Is the work plan inclusive of follow-up audits?

There is nothing more important than having a plan. A plan keeps you focused and on track, even when the daily distractions are overwhelming. Not having a work plan is like heading to the grocery store without a list when you are really, really hungry.

A risk-based plan is also important. Everyone will tell you where you could focus your valuable time and energies, but a risk-based plan is a unique plan based on your organization. It will force you to collaborate with others at your facility by discussing risks and quantifying the impact of those risks in today’s regulatory environment.

Now you have developed your plan, had your compliance committee bless it, and you’ve shared it, that is it for this year, right? No! If a government agency, payer, or other comes out with a new focus area you will need to evaluate it. If the new area is relevant to your operation and poses a significant risk it is time to adjust your work plan.

Does your plan include follow-up auditing if the initial review did not meet a defined passing threshold? It should. If you find a problem this year and your organization fixes it (and just how did your organization fix it: education and training, a programming hard stop, or a work-around?) did it stick? Only a follow-up review will let you know. Test a few more samples and be certain. Once you meet and maintain an assurance threshold, the issue should no longer be a significant risk (unless, Heaven forfend, something changes). Time to move on.

6. Response
Is your compliance program one of continuous improvement or focused on financial metrics? Does your compliance program respond in line with a Just Culture?

Just Culture is a concept related to systems thinking which emphasizes that mistakes are generally a product of faulty organizational cultures, rather than solely brought about by the person or persons directly involved. In a just culture, after an incident, the question asked is, “What went wrong?” Everyone is treated uniformly and fairly.

Reputation is another thing to consider along with your just culture. Are you the type of organization that considers and contemplates the following?

  • Do you voluntarily refund when you find an error resulting in an overpayment?
  • What is your responsibility to look-back?
  • Do you preserve all documentation?
  • Do you cooperate when investigated?

7. Enforcement
Are there incentives and disciplinary measures to ensure that compliance is being implemented and maintained effectively?

What do your performance reviews look like? Do they take compliance into consideration in a meaningful way and reward active participation and ethical actions?

What do your staff meeting agendas or communications look like? Do they speak to compliance and encourage staff to reach out for guidance and clarification? Are they positive? Tone from the top is one of the most important factors whether from the office of the CEO or the office of the HIM / Coding Director.

What does your bonus / incentive evaluation program look like? Are people being rewarded for compliance participation or disregarded? Are there ways in which, inadvertently perhaps, they are actually punished for compliance? Always consider confidentiality before publicly recognizing compliance program participation.

8. Risk Assessment (this element is not a formal element in the original HHS OIG documents, but it is mentioned enough times to later warrant its own placeholder)
A compliance risk assessment should be performed annually. All of your “plans” should spin from this assessment based on risk.

The US Department of Justice offered the following guidance in 2019:

  • A work plan and risk assessment are no longer sufficient:
    • Having an investigation process is key
    • Plans and trainings need to be risked-based
    • Action-based compliance program (readjustments / reallocations)
    • Self-disclosures / cooperation / remedial action

Remember that your institution is unique with specific challenges and goals. These eight elements of an effective compliance plan would need to be modified to fit your institutional culture and the staff available. The most important thing, in my opinion, is to demonstrate that you / your organization is doing the most effective job with the resources it has. Good luck!


eLearning Library
The eLearning Library subscription provides unlimited access to over 60 courses, assessments, and training curriculums designed to enhance job-specific, self-paced learning for one full year. Special pricing available for Groups. Train your entire team! Learn more here.



About the author
John Goulart, Jr., MSM-HCA, BSMT(ASCP), CHC, 340B ACE, is the Hospital Compliance Officer for MetroWest Medical Center, a member of Tenet Healthcare. John was previously Director of Compliance Audit and Billing Compliance for Beth Israel Deaconess Medical Center and Beth Israel Lahey Health; Corporate Billing Compliance Manager for Partners Healthcare, Massachusetts General Hospital, and Brigham and Women’s Hospital; and Laboratory Business Manager and Compliance Officer for Newton-Wellesley Hospital, Massachusetts General Hospital, and Brigham and Women’s Hospital. John can be reached at [email protected] or


About the Author

Libman Education
Libman Education Inc. is a leading provider of training for the health care workforce offering self-paced and instructor-led online courses designed and developed by leading industry experts in Health Information Management (HIM) and Medical Record Coding. Our courses are specifically designed to improve individual skills and increase the efficiencies and competencies of health care providers and institutions. At Libman Education, we understand the needs and challenges of a well-trained workforce and offer the right-mix of online education to ensure that the health care professionals are prepared to meet the challenges of the changing workplace.

Comments are closed.