Building an Effective Compliance Program for Nursing Facilities


Post By: Matthew Babcock, FACHE, Principal, The Bonadio Group

The Nine Components of a Successful Skilled Nursing Compliance Program

Effective compliance programs go beyond quality improvement and reporting, resident safety, and survey readiness; they function to reduce an organization’s financial and legal risk. When it comes to skilled nursing facilities, having an effective compliance program is not only a good business practice, but is required by the Affordable Care Act (ACA) and Centers for Medicare and Medicaid Services (CMS) regulations.

The ACA directs the Secretary of Health and Human Services (HHS) and the Inspector General of HHS (OIG) to jointly promulgate regulations for an effective compliance program for skilled nursing facilities[1]. In developing regulations, 42 United States Code section 1320a-7j(b)(2) directs that specific elements, or the formality of the compliance program, should take into account the size of the organization such that larger organizations should have more formal programs and include written policies defining standards and procedures that employees should follow. The following outlines the nine components required for a compliance program applicable to skilled nursing facilities (herein “organizations”)[2]:

Component 1: Develop Written Compliance Standards and Procedures

Organizations must have established compliance standards and procedures to be followed by their employees and other applicable agents. The written standards, policies and procedures (SPP) must be reasonably capable of reducing the prospect of criminal, civil, and administrative violations under the Social Security Act (SSA) and promote quality of care.

Component 2: Assign Ownership and Responsibility to Oversee Compliance Program

Specific individuals must be assigned with overall responsibility to oversee fidelity to the standards, policies and procedures. The specific individuals must be within the high-level personnel of the organization which may include, but not limited to, the CEO, members of the board, or directors of major divisions in the organization.

Component 3: Gather and Make Available Resources for Compliance

Sufficient resources must be made available to the specific individuals assigned with compliance responsibility to reasonably assure compliance with the program and its SPPs.

Component 4: Due Care to Not Delegate

Substantial discretionary authority cannot be delegated to individuals who the organization knew or should have known have a propensity to engage in civil, criminal, and administrative violations. For example, individuals who are excluded cannot have discretionary authority in operations.

Component 5: Implement Communication of SPPs

Organizations must take steps to effectively communicate its standards and procedures. Additionally, communication must be shared with all employees and others.

Effective communication can be through requiring participation in training programs, or by disseminating publications that explain, in a practical manner, what is required.

Component 6: Monitor and Conduct Audits of Compliance Program

The organization must take reasonable steps to achieve compliance with its standards, such as by utilizing monitoring reasonably designed to detect criminal, civil, and administrative violations under the SSA by its employees and other agents. To enable active and accessible monitoring, organizations should also have in place a public reporting system where employees and other agents can report violations by others within the organization without fear of retribution.

Component 7: Consistently Enforce SPPs – Discipline

Standards must be consistently enforced through appropriate disciplinary mechanisms. Violations of the compliance and ethics program, and failure to detect and/or report violations of the compliance and ethics program to the designated compliance program contact within the organization, are subject to disciplinary action.

Component 8: Response and Corrective Action

After violation is detected, the organization must take all reasonable steps to respond appropriately to the offense and prevent a recurrence, including modifying the program, if necessary, to prevent and detect criminal, civil, and administrative violations under the SSA.

Component 9: Review and Reassess the Program

The organization must annually undertake reassessment of its compliance and ethics program to identify changes necessary to reflect changes within the organization and its facilities.


The starting point for an organization’s effective compliance program is what the 9 components require, but that is only the starting point. Technically having something in place to address each component does not make it effective. Effectiveness is increasingly being determined by how an implemented compliance program operates. Engaging an external expert to conduct a gap analysis of what is required and how a compliance program does or does not meet the various federal and state requirements for compliance programs (some States do have compliance program requirements) is one way to help determine if a compliance program is effective.

About the Author: Matthew Babcock, FACHE is a Principal at The Bonadio Group’s Compliance Solutions Group and is located in Albany, NY. For more information, visit

Disclaimer: The summary information presented in this article should not be considered legal advice or counsel and does not create an attorney-client relationship between the author and the reader. If the reader of this has legal questions, it is recommended they consult with their attorney.

[1] This article will use the term “skilled nursing facilities” to address the ACA’s requirements on skilled nursing facilities and Medicaid nursing facilities.

[2] Note: This blog entry does not address additional requirements for organizations that operate five or more facilities.