The question of whether compliance is doing what’s right, what’s legal, or whatever the government says has generated considerable discussion.
One Monitor Mondays listener recently suggested that legal and compliance arenas have different goals. In her view, compliance aims to avoid court, while a lawyer’s job is to win in court. I understand why she might hold that position, but I want to challenge it.
To critically reexamine a position, it is often helpful to consider an analogous situation and determine if your position is intellectually consistent. My dad was a risk manager, which may color my thinking, but I posit that both compliance and legal are best viewed as risk managers as well. How do risk managers handle potential medical malpractice? They know they can’t completely eliminate risk. Risk is part of life. The title “risk manager” illustrates the responsibility to lower it, recognizing that some actions that may lower risk could have collateral side effects that outweigh the benefit. In some situations, you admit liability and settle. But when someone tries to bring a baseless claim, you fight it aggressively.
That is exactly the strategy that both lawyers and compliance professionals should use. Compliance should work to prevent trouble, and if that fails, fix it. A risk manager wouldn’t say “if a plaintiff’s lawyer argues it, we must defer.” He or she certainly wouldn’t say “it’s my job to advocate for the patient, right or wrong, and the malpractice lawyer’s job is to defend us.”
So if you think the job of compliance is to advocate blindly for the government, ask yourself, why do you view the job as so different from a risk manager’s job? Analogies can be flawed. If you think this one is, please drop me an email and explain why, and please make an argument rather than simply asserting “it’s different.” And if you’re thinking that compliance should be viewed differently because it involves ethics, I would note that a medical organization’s duty to an injured patient should be just as high as its duty to an insurer. You admit when you’re wrong, but when you aren’t wrong, you fight back.
After a recent HCCA speech, one person said “David, I think you are more willing to take risks than I am.” While I didn’t know enough about that individual’s risk tolerance to dispute the statement, I’ll admit that in most areas of life, I am cautious. One of my core principles is live to fight another day. But my personal risk tolerance is totally irrelevant when I work with a client. I might take risks for a client I wouldn’t take myself, and if a client wants me to surrender despite a strong argument existing, I do. In each case I will note my objection, but since the client is responsible for the consequences of the decision, the client has the absolute right to make the decision. My duty is to come up with creative arguments to keep clients out of trouble, and then to explain the peril of relying on that argument. I would be doing my client a serious disservice if I ignored the risk that the government may see an issue differently than I do.
I would argue, however, that when a compliance officer fails to describe all of the defenses to a possible overpayment, he or she is also failing to fulfill an obligation to the organization. The compliance officer need not recommend that the organization follow an aggressive tact, but they should make sure that the organization is aware of the option.
If your lawyer fails to consider the risk of taking an aggressive position, you need a new lawyer. Keeping with the risk manager analogy, both lawyers and compliance officers should expect to obtain informed consent from their client. Informed consent can’t be one-sided. Each organization should understand the risks and benefits associated with each possible action and choose accordingly. Legal and compliance need to jointly develop all of the arguments that government can use to attack a situation, and all of the defenses to rebut it.
Ideally, they agree on a recommended course. Even when they agree, perhaps especially when they agree, the organization should hear the counterpoints. When they don’t agree, they should present both sides, and let the leadership choose a path. There is a reason we labeled the Monitor Mondays segment “Risky Business.”
We work in an industry full of risk. Compliance and legal have a joint responsibility to manage that risk. To do it effectively, however, they must do it together.