Kusserow on Compliance: Hotline tips and best practices

From the days of the defense industry’s initiative that included the use of hotlines to communicate potential fraud problems, this practice has been included in a wide variety of compliance guidance standards, regulations, and law. The U.S. Sentencing Commission Guidelines for Organizations and the HHS Office of Inspector General (OIG) have been promoting the use of a hotline as a critical element of any compliance program. The Sarbanes-Oxley Act mandated that covered entities have a hotline by law. The privacy and security rules under the Health Care Portability and Accountability Act (HIPAA) (P.L. 104-191) promote hotlines. Even the Supreme Court has made decisions that make it clear that hotlines are needed to raise an affirmative defense for unlawful harassment. The problem for many is trying to determine how and what an effective hotline function should look like. The following will touch on some of the key elements of making a hotline operation effective:

  • Properly establish the hotline. One of the most tangible components of the compliance program is a hotline that employees can use without fear of retaliation. Hotlines can be established internally with relative ease, but this has its downside. Hotlines, as well as the controls to guard against identifying callers, are costly in terms of time and effort. Very few organizations have the capability of maintaining a hotline internally 24 hours a day, seven days a week. Fortunately, many firms are available to operate such a hotline. The best practice is to use only a vendor who provides both a web-based reporting system, along with live operator services. Notification of hotline reports can be sent via email, but the reports should not be sent via email or faxed because of security issues. The best practice is to have the reports posted in a web-based mail box with limited access controls.
  • Develop operational governing rules. Ensure hotline operation effectiveness begins with establishing clear objectives for the hotline and an operations manual or policy document that address the manner by which information from the hotline is addressed.
  • Establish a basic plan of operation. A hotline operation extends beyond just having a telephone number. It needs operating protocols and procedures and security measures, as well as rules for investigation, follow-up, and resolution of issues. Operating protocol and procedures are the details of how the hotline will be operated including the hours of operation, report preparation, response times, etc. This information may be included in the hotline policies; however, it would be more appropriate for an operations manual.
  • Develop and implement related policies. A number of policy documents are needed to ensure the hotline function will be able to function effectively. They range from the describing manner by which the calls are answered, documented, and acted upon by those responsible for its operation. However, there are many other needed policies for efficient operation; some extend to the entire work force. Many of these are spelled out by the OIG in their compliance guidance documents. They include, among others:
    • duty to report;
    • anonymity;
    • confidentiality;
    • non-retaliation/retribution;
    • relationship with legal counsel/human resources and financial management;
    • investigation of hotline complaints and allegations;
    • records management and security;
    • reporting to external authorities; and
    • auditing and monitoring of the hotline to verify and evidence effectiveness.
  • Promote the hotline. Many would hope and prefer that no one calls the hotline. However, if a credible channel of communicating violations of laws, regulations, Code of Conduct, policies, and other wrongdoing is not freely available, it may drive the person to go externally to an attorney, the media, or a government agency. It is far better to have those problems surface internally where they can be addressed, than having to respond to external bodies having received the information. The worst case scenario is having a whistleblower go to an attorney to file a qui tam action. Virtually every work day of the year, such suits are filed; virtually all Corporate Integrity Agreements (CIAs) are a result of such actions. The best practice is to encourage employees and others in the work place to report suspected problems. This begins with posters on all employee notice boards. The Code of Conduct should focus on the hotline in the cover letter, as well as in the body. All the policy documents noted above should be implemented and brought to the attention of covered persons. All compliance training should go into some detail about the hotline and how it can be accessed.
  • Assess follow-up on call reports. An assessment of the steps following receipt of a call is often overlooked with internal hotline review. If the primary objective of a hotline is to receive and resolve allegations of misconduct or other problems, then the Compliance Officer should carefully review this secondary process. Thus, a major component of an effectiveness assessment should be focused on secondary steps in the following up on hotline reports.
  • Ongoing monitoring. The OIG calls for ongoing auditing and monitoring of the compliance program itself, including the hotline operation. The compliance office should be responsible for monitoring the operation of the hotline, including verifying policies and procedures are being followed; looking for changes in call volume and any reason for such changes; and assessing quality of information received by the hotline and the manner by which issues are investigated and resolved.
  • Ongoing auditing. Ongoing monitoring is a program manager’s responsibility, however ongoing auditing involves an independent review conducted by external parties. The purpose of such reviews are to verify that the hotline is operating as designed; and that it is effective in carrying out its established purpose. The Compliance Officer should arrange for an independent review of the operation in terms of organization and how calls are received and acted upon. For those hotlines that are contracted out to a vendor for operation, the compliance office can combine the monitoring and auditing. In such cases, there should be test call made to the hotline to see how quickly the vendor answers the calls, their proficiency in debriefing the caller, as well as reviewing the quality of the resulting report.
  • Reports to oversight committees. The results from the hotline operation should be summarized in terms of types of calls received and results of the follow-up investigation or review. All reports of an independent audit review of the hotline operation should also be reported to them. The purpose of these reports is to keep them informed and assured that the hotline function is being handled responsibly and all issues that arise from those that use this channel of communication are addressed in a timely and responsible manner. However, it is not a good practice to report raw information, not yet evaluated or investigation, to these committees. If done, the responsibility and accountability for subsequent actions lies with them as the higher authority.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2015 Strategic Management Services, LLC. Published with permission.