Client Alert: Guidance for Health Care Companies Seeking to Hire a Compliance Officer

I. Introduction

Selecting a compliance officer is one of the most consequential hiring decisions a health care organization can make. In an industry subject to an intricate web of federal and state regulations, including the Anti-Kickback Statute, the Stark Law, the False Claims Act, and the Health Insurance Portability and Accountability Act (HIPAA), the consequences of compliance failures can be severe. They include multimillion-dollar settlements, exclusion from federal health care programs, criminal liability, reputational harm, and, most importantly, potential patient safety risks.

A well-qualified compliance officer serves as the linchpin of an organization's compliance infrastructure. This individual is responsible for designing, implementing, and overseeing the compliance program; fostering a culture of ethical behavior; and ensuring the organization identifies and addresses regulatory risks before they escalate. Given these significant responsibilities, health care companies must approach this hire with the same rigor and intentionality they would apply to selecting a chief financial officer or general counsel.

This article provides practical guidance for health care organizations seeking to identify and evaluate candidates for the compliance officer role. It is structured around the Seven Elements of an Effective Compliance Program, the foundational framework established by the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) and reflected in the Federal Sentencing Guidelines, and it offers additional recommendations to ensure the hire positions the organization for long-term compliance success.

II. The Seven Elements of an Effective Compliance Program

The Seven Elements of an Effective Compliance Program have served as the foundation for health care compliance programs since HHS-OIG first issued compliance program guidance in the late 1990s. The OIG's more recent General Compliance Program Guidance (GCPG), published in November 2023, reaffirms these foundational elements while placing additional emphasis on organizational culture, board and leadership engagement, and risk assessment. Any compliance officer candidate should demonstrate meaningful experience across these seven areas:

  1. Implementing written policies, procedures, and standards of conduct.
  2. Serving as a designated compliance officer and working with a compliance committee.
  3. Conducting and/or overseeing effective training and education.
  4. Developing and maintaining effective lines of communication (e.g., hotlines, anonymous reporting, and open-door policies).
  5. Conducting and/or leading internal monitoring and auditing programs.
  6. Partnering with other teams (such as human resources) in enforcing standards through well-publicized disciplinary guidelines.
  7. Responding promptly to detected offenses and undertaking corrective action.

These elements are not merely aspirational. They represent the substantive building blocks that the OIG, the Department of Justice (DOJ), and federal courts evaluate when assessing whether an organization's compliance program is effective. A compliance officer lacking experience in one or more of these areas will be unable to fully build, assess, or maintain the organization's program.

III. Evaluating Candidate Experience Against the Seven Elements

When evaluating compliance officer candidates, hiring organizations should assess demonstrated experience in each of the seven elements. Below, we discuss the types of experience that map to each element.

A. Drafting, Reviewing, and Monitoring Policies and Procedures (Element 1)

Written Policies, Procedures, and Standards of Conduct: A strong candidate will have substantial experience drafting, reviewing, and periodically updating compliance policies, procedures, and standards of conduct. This includes developing a code of conduct, creating department-specific policies addressing regulatory risks (e.g., referral arrangements, gifts and entertainment, conflicts of interest), and establishing a cadence for policy review and revision. Because policies are living documents that must remain current with evolving regulations and organizational changes, this experience also relates to Element 5 (monitoring): a capable compliance officer will know how to monitor adherence to policies and how to identify the gaps and emerging risks that require a policy to be updated.

B. Compliance Leadership, Independence, and Governance (Element 2)

Designated Compliance Officer and Committee: The candidate should have prior experience serving in a compliance leadership role that included genuine independence and authority. This means reporting directly to the board of directors or an audit/compliance committee (not solely through the general counsel or chief financial officer), and chairing or managing a compliance committee with cross-functional representation. Experience structuring the compliance function (including staffing, budget, and reporting lines) is critical. The candidate should understand the governance expectations the OIG articulates around compliance officer independence and the risks created when compliance is subordinated to business, legal, or financial functions.

C. Designing and Delivering Compliance Training (Element 3)

Training and Education: A qualified candidate will have experience designing and delivering effective compliance training and education programs tailored to various audiences, from front-line staff and clinical personnel to senior management and board members. This includes developing annual training plans, role-specific modules (e.g., coding and billing training for revenue cycle staff, anti-kickback training for business development), tracking completion rates, and assessing training effectiveness. The candidate should be able to demonstrate how training programs have been adapted in response to identified compliance risks, audit findings, or regulatory changes.

D. Building Effective Lines of Communication (Element 4)

Lines of Communication: The candidate should have experience building and managing reporting mechanisms, including compliance hotlines, anonymous reporting channels, and open-door policies that encourage employees to report concerns without fear of retaliation. Beyond the mechanics of establishing a hotline, the candidate should demonstrate experience fostering a "speak-up" culture, one in which employees at all levels feel safe raising compliance and ethical concerns. This includes implementing non-retaliation protections, publicizing reporting mechanisms, and tracking and triaging reports to ensure timely follow-up.

E. Auditing and Internal Monitoring (Element 5)

Internal Monitoring and Auditing: Experience with audits and internal monitoring is essential. The ideal candidate will have conducted or overseen risk assessments to identify the organization's highest compliance risk areas, developed risk-based audit and work plans, managed claims and billing audits, overseen coding reviews, and coordinated with external auditors. The candidate should be able to articulate how audit findings have been translated into corrective actions and how monitoring activities have been utilized to verify the effectiveness of those actions over time.

F. Enforcing Disciplinary Standards (Element 6)

Enforcing Standards Through Disciplinary Guidelines: A strong candidate will have experience designing and enforcing well-publicized disciplinary standards that are applied consistently across all levels of the organization, from entry-level staff to senior executives. This includes experience working with human resources professionals in developing progressive discipline frameworks, advising human resources and management on appropriate disciplinary responses to compliance violations, and ensuring that disciplinary actions are documented and proportionate. The candidate should understand that inconsistent enforcement, or poor coordination between compliance and human resources, undermines the credibility of the entire compliance program.

G. Investigations, Corrective Action, and Self-Disclosure (Element 7)

Responding to Detected Offenses and Corrective Action: The candidate must have experience conducting compliance investigations, performing root-cause analyses, developing corrective action plans (CAPs), and, where appropriate, making self-disclosures to applicable government agencies (e.g., through the OIG Self-Disclosure Protocol or the Centers for Medicare & Medicaid Services (CMS) Voluntary Self-Referral Disclosure Protocol). This also includes experience with remediation, verifying that corrective actions have been implemented and are effective, and with refund and overpayment processes under the 60-day rule. Candidates who have navigated government investigations, audits, or Corporate Integrity Agreements (CIAs) bring particularly valuable experience in this area.

IV. Recommended Professional Background and Credentials

Given the complexity and breadth of health care compliance, not every professional background is equally suited to the compliance officer role. For a sizable or sophisticated health care organization, particularly one operating in a high-risk regulatory environment, it is recommended that the compliance officer possess one of the following professional backgrounds:

A. Experienced Health Care Attorney

An experienced health care attorney brings deep knowledge of the legal and regulatory framework governing the industry, including the Anti-Kickback Statute, the Stark Law (physician self-referral), the False Claims Act, HIPAA privacy and security regulations, the Emergency Medical Treatment and Labor Act (EMTALA), CMS Conditions of Participation, and state-specific fraud and abuse laws. A health care attorney's training in legal analysis, risk assessment, contract review, and statutory interpretation equips them to identify regulatory exposure, advise on compliant business structures, and interface effectively with government agencies, external counsel, and regulators.

B. Licensed Medical Professional (e.g., Registered Nurse)

A licensed medical professional, such as a registered nurse (RN) or other clinician with compliance experience, brings an invaluable understanding of clinical operations, medical documentation, coding practices, and patient-care risk. This background is particularly advantageous in organizations where coding and billing compliance, clinical documentation integrity, and quality-of-care issues represent significant risk areas. A clinician-turned-compliance-officer can bridge the gap between clinical staff and compliance requirements in a way that builds credibility and trust among providers.

C. CPA with Health Care Experience

A Certified Public Accountant (CPA) with health care experience brings strong financial controls expertise, audit skills, and a detailed understanding of billing and reimbursement, cost reporting, and financial compliance. This background is particularly well suited to organizations facing risks in areas such as Medicare cost reporting, claims submission accuracy, financial arrangements with referral sources, and internal financial controls. A CPA's audit methodology and analytical rigor are directly transferable to compliance monitoring and auditing functions.

While these three professional backgrounds are recommended for sizable or complex organizations, the hiring company should ultimately evaluate each candidate's specific health care compliance experience, certifications, and demonstrated competencies against the Seven Elements regardless of their academic or professional pedigree.

V. Additional Recommendations for the Hiring Process

Beyond assessing candidates against the seven elements and professional background criteria, health care organizations should consider the following additional recommendations when hiring a compliance officer:

A. Relevant Professional Certifications

Look for candidates who hold, or are actively pursuing, recognized compliance certifications. The Certified in Healthcare Compliance (CHC) credential, conferred by the Health Care Compliance Association (HCCA), is widely regarded as the industry-standard certification for health care compliance professionals. Other valuable credentials include the Certified Compliance and Ethics Professional (CCEP) from the Society of Corporate Compliance and Ethics (SCCE) and specialty designations for managed care, research, or privacy compliance. Certifications signal a commitment to the profession and demonstrate baseline knowledge of compliance program fundamentals.

B. Organizational Seniority and Independence

Ensure the compliance officer role is structured with appropriate seniority, independence, and direct access to the board of directors or an audit/compliance committee. The position should not be subordinate to the general counsel, chief financial officer, or any other executive in a manner that could compromise the compliance officer's independence or create a conflict of interest. The OIG has consistently emphasized that independence is a hallmark of an effective compliance program; a compliance officer who cannot raise concerns to the board without filtering through other executives cannot fulfill the role's core purpose. The board should require that a compliance officer cannot be removed without consultation with the board or one of its committees.

C. Communication, Leadership, and Interpersonal Skills

Compliance is fundamentally a people function. The compliance officer must be able to communicate complex regulatory concepts in plain language, influence organizational culture, build relationships across departments, and earn the trust of both front-line employees and senior leadership. Prioritize candidates who demonstrate strong leadership presence, emotional intelligence, and the interpersonal skills necessary to effect cultural change, not merely technical regulatory expertise.

D. Subject-Matter Fit with Organizational Risk Profile

Consider whether the candidate's experience aligns with the organization's specific risk areas and operational profile. A hospital system faces different compliance challenges than a physician group practice, a pharmaceutical or device manufacturer, a managed care organization, or a long-term care facility. The ideal candidate will have worked in or closely with the same type of health care entity and will understand the particular regulatory risks, billing patterns, and operational workflows that characterize the organization's environment.

E. Familiarity with Applicable Laws and Regulations

Confirm that the candidate has working knowledge of the key federal and state laws and regulations applicable to the organization, including but not limited to:

  • The Anti-Kickback Statute and its safe harbors
  • The Stark Law (physician self-referral) and its exceptions
  • The False Claims Act (federal and state)
  • HIPAA privacy and security regulations
  • EMTALA (Emergency Medical Treatment and Labor Act)
  • CMS Conditions of Participation and Conditions for Coverage
  • State fraud, abuse, and licensing requirements

F. Corporate Integrity Agreement (CIA) Experience

If the organization is currently operating under or at risk of entering into a CIA, prioritize candidates who have direct experience operating under or negotiating CIAs. This specialized experience is critical for understanding the heightened reporting, monitoring, and governance requirements imposed by the OIG and for ensuring the organization satisfies its obligations without disrupting operations.

G. Cultural Fit, Integrity, and Objectivity

Evaluate the candidate's cultural fit, personal integrity, and ability to maintain confidentiality and objectivity. The compliance officer must be willing to deliver difficult messages to senior leadership, maintain independence in the face of organizational pressure, and handle sensitive information with discretion. Reference checks and behavioral interview questions should specifically probe these attributes.

H. Organizational Commitment: Budget, Staffing, and Resources

Finally, the hiring process itself should signal the organization's commitment to compliance. A compliance officer who is not given an adequate budget, sufficient staffing, access to technology tools, and the authority to implement the compliance program cannot succeed. Organizations should ensure that the position is resourced appropriately and that the hire is accompanied by a genuine organizational commitment to supporting the compliance function. Candidates will evaluate prospective employers on this point; an under-resourced compliance function is a red flag for experienced professionals.

VI. Conclusion

Hiring the right compliance officer is not merely a regulatory checkbox; it is a strategic investment in the organization's integrity, risk management, and long-term viability. By evaluating candidates against the Seven Elements of an Effective Compliance Program, prioritizing appropriate professional backgrounds and credentials, and attending to the structural and cultural factors that enable compliance success, health care organizations can identify a compliance officer who will build and sustain a program that meets both the letter and the spirit of regulatory expectations.

The stakes are high. A well-chosen compliance officer can prevent costly enforcement actions, protect the organization's reputation, and, most importantly, help ensure that patients receive safe, high-quality care within a framework of legal and ethical conduct.

For more information, please contact Grant Dearborn, Mara Rendina, or another member of Shumaker's Health Law Team.

Disclaimer: This article is provided for general informational purposes only and does not constitute legal advice. It is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Readers should consult qualified healthcare legal counsel regarding specific compliance questions or situations applicable to their organizations.