Skip to main content
Explore URMC

URMC Compliance Plan

Download the Complete URMC Compliance Plan
Download the Complete Highland Hospital Compliance Plan

The University of Rochester Medical Center ("Medical Center") has established this Compliance Plan and appointed a Compliance Officer to ensure that quality patient care, health care research and medical education occurs at this institution in a manner that fully complies with all applicable state and federal laws and regulations. It is the policy of the Medical Center that

  1. All employees are educated about the applicable laws and trained in matters of compliance,
  2. There is periodic auditing, monitoring and oversight of compliance with those laws,
  3. There exists an atmosphere that encourages and enables the reporting of non-compliance without fear of retribution,
  4. Responsibility is not delegated to persons with a propensity to act in a non-compliant manner, and
  5. Mechanisms exist to investigate, discipline and correct non-compliance.

This Plan provides for the existence of a Compliance Officer who has ultimate responsibility and accountability for compliance matters. However, each individual employee or agent of the Medical Center remains responsible and accountable for his or her own compliance with applicable laws. Confirmed acts of non-compliance will be disciplined ("Discipline," as used throughout this policy shall include all steps described in the Human Resource policy manual and faculty policies and regulations including, without limitation, termination and tenure revocation).

This Plan is intended to provide a framework for individual or departmental compliance efforts and to apply generally to all Medical Center personnel and functions. Detailed plans, codes of conduct, or manuals covering compliance in specific areas, such as billing for clinical services, have been separately developed and fit within this framework. Each individual compliance plan or code must be submitted to and approved by the Compliance Officer.

Education and Training

The Compliance Officer will monitor the education of employees concerning the existence of the compliance program, the contents of this plan, and the need to abide by the specific laws and regulations affecting individual departments and employees of the Medical Center. The Compliance Officer will ensure that Medical Center employees receive a copy of the Code of Conduct. He/she or members of the Compliance Office staff will inform employees of changes in the laws or regulations periodically and systematically through written communications and inservice training.

All current and new Medical Center employees will have access to this plan. Reference to its existence and how to secure a copy will appear in the University of Rochester Personnel Policy and Procedure Manual and in the Faculty Handbook. This web site contains all Compliance Office plans and policies.


Corrective Action or Discipline

Every confirmed act of non-compliance may result in corrective action or discipline. The sanction for a single act of non-compliance will be decided by the Compliance Officer. Members of Compliance Office Leadership may advise on sanctions for severe or repeated instances of non-compliance. Sanctions may include a requirement to follow a certain process or procedure in the future, restitution, and/or discipline. This is not intended as an exhaustive list, and other sanctions may be recommended by the Corporate Compliance Advisory Committee. Such recommendations given to the Medical Director or Compliance Officer will be brought to the attention of Compliance Office Leadership for discussion before the Compliance Officer renders a final decision.

Non-Delegation of Authority

The Compliance Officer has the authority to revoke the delegation of discretion to any employee found to be non-compliant. Simply as an example, a person responsible for billing clinical services who is found to be coding bills improperly may be required to submit bills to the Compliance Officer or designee for some period of time necessary to ensure proper compliance


The Compliance Officer, Compliance Program Medical Director or their designee(s) will investigate every report of non-compliance (and retaliation), whether reported through the hot line or otherwise. Investigations will be done promptly and will consist of interviewing personnel, examining documents, and consulting with legal counsel, if necessary. All employees must cooperate with those investigating such matters and non-cooperation may result in discipline.

The Compliance Officer, Compliance Program Medical Director or their designee(s) have full authority to interview any employee and review any document (subject to state and federal laws on patient confidentiality) he or she deems necessary to complete the investigation.

A written record of each investigation will be created and maintained by the Compliance Officer. He/she will make every effort to preserve the confidentiality of such records and will make any necessary disclosures on a "need to know" basis only.

The Compliance Officer will report the results of each investigation considered significant to Compliance Office Leadership. He/she will recommend a course of discipline and/or other corrective action. Sanctions for non-compliance may be imposed. (See "Sanctions.")


There shall be appointed a Compliance Officer, reporting to the Compliance Program Medical Director. These individuals report to the General Counsel to the Medical Center and to the Vice President and Chief Financial Officer of the Medical Center. To avoid any issues related to a conflict of interest regarding legal or financial matters associated with compliance, the Compliance Program Medical Director and Compliance Officer have direct access to the Senior Vice President and Vice Provost for Health Affairs-Medical Center and Strong Health System Chief Executive Officer and the University of Rochester Medical Center Board.

Compliance Office Leadership includes the following: the Senior Vice President and Vice Provost for Health Affairs-Medical Center and Strong Health System Chief Executive Officer, the General Counsel to the Medical Center, the Vice President and Chief Financial Officer of the Medical Center, the Compliance Program Medical Director, the Compliance Officer and others as designated by the Senior Vice President and Vice Provost for Health Affairs-Medical Center and Strong Health System Chief Executive Officer.

The Compliance Officer oversees the education of personnel regarding proper compliance, the auditing and monitoring of the status of compliance, and the reporting, investigation, discipline and correction of non-compliance. It is also his/her responsibility to ensure programs are in place to guarantee that significant discretionary authority is not delegated to persons with a demonstrated or suspected propensity for improper or unlawful conduct.

It is not expected that the Compliance Officer will have the knowledge or expertise necessary to ensure compliance with all laws and regulations that affect the various departments of the Medical Center. He/she is responsible, however, for the overall program and must ensure that qualified, knowledgeable personnel within individual divisions or departments of the Medical Center assist in monitoring and educational functions.

The Compliance Officer and Compliance Program Medical Director report on the Medical Center's fulfillment of its compliance goals to Compliance Office Leadership (at least quarterly) and to the University of Rochester Medical Center Board (at least annually). The report includes but is not limited to:

  1. The level of compliance or non-compliance found as a result of monitoring and auditing,
  2. The success of efforts to improve compliance, including training and education
  3. The non-delegation of discretionary authority to those with the propensity to act improperly, and
  4. Corrective or disciplinary action taken with respect to those found to be non-compliant.

The Compliance Officer has full access to all personnel and relevant documentation (subject to state or federal confidentiality laws) deemed necessary to perform his/her oversight and reporting duties.

The Compliance Officer may appoint such staff as deemed necessary to assist in the performance of the responsibilities outlined above. Any members of the Compliance Officer's staff will be treated as the Compliance Officer for purposes of cooperation with his/her efforts to perform his/her duties.

Monitoring and Auditing

The Compliance Officer will be responsible for monitoring employees' compliance with applicable laws and regulations. He/she will ensure that the level of compliance in each division or department is audited periodically. He/she will arrange as well for external auditing as deemed necessary.

If the Compliance Officer discovers that a department's or individual's level of compliance is unacceptable, he/she may impose a plan of corrective action, which may include future monitoring of an individual or department on a more frequent basis. Corrective actions and sanctions for acts of non-compliance will be managed as outlined previously. (See "Sanctions.")


All employees have the responsibility to comply with applicable laws and regulations and to report any acts of non-compliance.

Any employee who perceives or learns of an act of non-compliance should either: Speak to his/her supervisor, call the Compliance Officer or call the Compliance Integrity Hot Line. Supervisors are required to report these issues through established channels in Human Resources/Personnel and/or the Compliance Office. Reports to the hot line may be made anonymously if the caller so desires, although giving a name and phone number generally makes investigating reports easier and more effective. All employees are encouraged to call the hot line if they have any question about whether their concern should be reported. A written record of every report received will be kept for a period of six years. Every effort will be made to preserve the confidentiality of reports of non-compliance (although calls made anonymously will always preserve the autonomy of the caller). All employees must understand, however, that circumstances may arise in which it is necessary or appropriate to disclose information. In such cases disclosures will be on a "need to know" basis only.

All employees are required to report acts of non-compliance. Any employee found to have known of such acts but who failed to report them will be subject to discipline.

No employee of the Medical Center shall in any way retaliate against another employee for reporting an act of non-compliance. Acts of retaliation should also be reported to the hot line and will be investigated by the Compliance Officer or his/her designee. Any confirmed act of retaliation shall result in discipline.

Personnel who staff the hot line are instructed to report the information they receive immediately to the Compliance Officer or his/her designee.

If a finding of non-compliance during a Compliance Office investigation involves an employee who may be involved in human subject research, notice will also be given to the Office of Human Subject Protection (OHSP) about the affected individual/investigator(s) and/or study(ies). This will be accomplished by the Compliance Officer or his/her designate contacting the Director of the OHSP and/or Director of the Research Subject Review Board (RSRB).

There is also an Information Line, which exists to answer questions from employees about any compliance issue or whether conduct constitutes non-compliance.