Codes of Ethics in the Wake of Sarbanes-Oxley
By Anne Maltz
One of the more significant but often overlooked aspects of the Sarbanes-Oxley Act is its mandate for a code of ethics. Even though they are not currently bound by law to comply with the provisions of Sarbanes-Oxley, health care organizations and their boards may wish to use the Act's guidelines to conduct an internal audit of ethics policies and conflict-of-interest procedures that will protect and better position the organization in this era of reform.
The provision in Sarbanes-Oxley that addresses codes of ethics, Section 406, became effective for public companies reporting for the fiscal year ending on or after July 15, 2003. Section 406 requires that companies disclose whether they have adopted a code of ethics for their principal executive, financial and accounting officers or persons performing similar functions for the company. If a company has a code, it must be made public. If a company chooses not to adopt a code, it must disclose its reason for deciding not to do so in its annual report.
While the Securities and Exchange Commission (SEC) does not proscribe language for a code of ethics, it does require that companies include written standards that would reasonably deter wrongdoing and would promote:
In addition, Section 406 has specific reporting requirements for a company's waiver of the code.
Most health care organizations already have a code, including a conflict-of-interest policy, because professional and regulatory entities demand it. For example, the American Hospital Association's Code recommends a conflict-of-interest policy, which applies to officers, governing board members and medical staff, as well as anyone else who makes or influences decisions for, or on behalf of, the institution.
The Joint Commission on Accreditation of Healthcare Organizations requires a written code of ethical behavior that addresses conflicts of interests that may arise in marketing, billing, admissions, and patient transfer and discharge. The Internal Revenue Service (IRS) requires tax-exempt health care organizations to have conflict-of-interest policies. State laws, either through their regulation of hospitals, health care professionals and/or not-for-profit entities, require a conflict-of-interest policy to be in place or the state prohibits specific acts that would give rise to a conflict of interest. There are even specific federal and states laws, such as the Stark physician self-referral and federal antikickback laws, written to prevent conflicts of interest.
Although most health care organizations have a code of ethics, few implement it. Boards that do not oversee code compliance place themselves at risk of violating their fiduciary obligations. A board-directed internal audit that addresses the five standards outlined in the Sarbanes-Oxley Act is an ideal way to enhance organizational compliance and demonstrate the board's commitment to its fiduciary responsibilities. A board's internal audit of its code should focus on the key responsibilities listed below.
1. Review the organization's current conflict-of-interest policy. It should be tailored to the organization's size and scope. The board should ask: Is the code of ethics relatively narrow like the IRS model or broad like the AHA model? Are there written processes in place to detect and address potential conflicts of interest at the board and staff level? Traditionally, boards have been rather large and have contained many inactive members. How has this dynamic affected potential conflicts of interest? Has it affected implementation?
2. Review government filings. While only publicly traded hospitals will be filing with the SEC, not-for-profit hospitals also have detailed financial filing requirements with state regulatory authorities and the IRS. The critical issue in making any such filing is whether everything is disclosed appropriately. The Sarbanes-Oxley requirements for enhanced financial controls will be pivotal to implementing this aspect of the hospital's code. (For more Trustee coverage of Sarbanes-Oxley, see "Good Governance: Ensuring the Financial Health of Your Hospital," in the September issue; "Avoiding Conflict of Interest," in the July/August issue; "Responding to Governance Challenges: The Audit Committee," in the April issue; "Corporate Responsibility Laws and Not-for-Profits: Getting Ahead of the Curve," in the February issue; and "The Governance Audit: Assessing and Improving the Board," the November/December 2002 Workbook.)
3. Review the organization's compliance program. The board should evaluate all areas that pose risk to the hospital and its related entities and include a methodology for board oversight. The areas the board should evaluate include, among others, relationships between the hospital and for-profit entities and other providers as well as the hospital's method of handling professional discipline issues.
Given the distribution of the HHS Office of Inspector General's (OIG) publication regarding the importance and structure of hospital compliance programs, and the OIG's enforcement activities, each hospital should have a detailed compliance program in place. The board should assess its relationship to, and the adequacy of, its compliance program. It should know how the compliance program is structured, who is responsible for its implementation and operation, how the board provides oversight, whether the compliance plan addresses the issues that place the organization at risk, and how the board is kept apprised of changes in federal and state law.
4. Report promptly and address objectively any code violations in order to resolve the immediate problem and demonstrate the organization's ongoing commitment to its code. The board should begin its inquiry by asking: How is the code disseminated? How are violations reported? Are they also brought to the attention of the board? With what frequency and level of detail does reporting to the board occur? Are the reports adequate?
5. Ensure that a formal oversight program is in place to make certain the organization adheres to its code of ethics. The board should begin by asking: How does our institution handle accountability? What documentation is involved? If there have been no violations and no dialogue about potential violations, does that point to a lapse in process or a stellar understanding of the code?
As federal regulations grow more demanding and state attorneys general use Sarbanes-Oxley as a framework to examine not-for-profit entities, it will no longer be sufficient to stow a code of ethics on the shelf or use a cookie-cutter approach for the design, implementation and audit of a code.
Two recent settlements--Columbia HCA for $745 million to settle a federal billing fraud investigation and Tenet Health Care for $34 million to settle an accusation that the hospital and cardiologists were complicit in providing unnecessary cardiac surgery--speak directly to this issue. While the hospitals did not admit any wrongdoing in these cases, at their base lies an accusation of the failure to obey federal and state law. As these instances of alleged misconduct violate standard codes of ethics, Sarbanes-Oxley is another weapon in the government's arsenal. In fact, it has already been used successfully in the for-profit sector in the HealthSouth case.
While there are very real administrative costs associated with the implementation and management of compliance programs, the rigorous internal controls and governance guidelines established by Sarbanes-Oxley are sound policies and smart business. Because public confidence in the health care system is so critical, and because the industry by and large has codes of ethics in place, Section 406 can be used to initiate an audit through which the board analyzes the organization's current code of ethics and the processes through which that code is implemented and maintained. This assessment should become a regularly scheduled and documented event to make sure that once appropriate criteria are established, they are enforced.
Anne Maltz, R.N., J.D., concentrates her legal practice in health care at Herrick, Feinstein LLP, New York. She can be reached at (212) 592-1524 or amalt@herrick.com.
This article first appeared in the November 2003 issue of Trustee Magazine.