Kusserow on Compliance: DOJ, OIG promote a ‘Culture of Compliance,’ Strategic Management can help

The Department of Justice (DOJ) “Evaluation of Corporate Compliance Programs” notes that an effective compliance program includes “[t]he company’s culture of compliance.” It also states it is important for a company to create and foster a culture of ethics and compliance with the law and for executive leadership to implement a culture of compliance from the top. The DOJ calls for its prosecutors to assess whether the company has established processes that incorporate the culture of compliance into its day-to-day operations. The OIG stresses similar points in its Compliance Program Guidance by stating that compliance efforts need to be designed to establish a culture that promotes prevention, detection and resolution of instances of conduct that violate applicable laws, regulations, health care program requirements, and ethical and business practices. The OIG further advises that consideration should be given to using questionnaires that solicit impressions of a broad cross-section of employees and staff. Elsewhere the OIG recommends evaluations of compliance program through “employee surveys.” The U.S. Sentencing Commission Guidelines notes the importance of organizations to develop institutional compliance cultures that discourage criminal conduct and that an effective compliance program must “promote an organizational culture that encourages ethical conduct and a commitment to compliance.”

Solution to Measuring and Benchmarking Compliance Culture

Since 1993, Strategic Management has employed its healthcare compliance culture benchmark survey, on behalf of hundreds of health care organizations with more than three quarters of a million surveyed population. It was developed by a former DHHS Inspector General with the assistance of two PhD experts. The survey design measures employee attitude and perceptions concerning the compliance environment; and has been tested and validated to provide reliable results. The huge database of users permits organizations to benchmark their results against that universe. The results provide invaluable metrics of program effectiveness and can establish a baseline from which future surveys can be used to benchmark improvement. The report provides insights into how effective the compliance program has been in changing and improving the compliance culture of an organization. Employing this tool is surprisingly inexpensive and costs only a small fraction of a full compliance program effectiveness evaluation or even gap analysis.  They are also less costly than developing and delivering a home grown survey that are not validated or tested for reliability. Reports from the Survey runs 30 to 50 pages and include tips for addressing any weaknesses; and benchmarks results against the huge universe of those who have used the same survey three ways: (a) overall results, (b) by category, and (c) individual questions.

 

For more information on a Compliance Culture Survey, contact Kash Chopra, JD (703-535-1413) or at  KChopra@strategicm.com .

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Why encourage anonymous hotline calls?

The are in your best interest

Encouraging anonymity with hotline callers may at first seem a bad practice, however, it is not.  It is a sound policy and in the best interest of the organization. However, many believe no calls should be accepted without an individual disclosing his or her identity. Those individuals are wrong. First, the HHS OIG, Sentencing Commission, DOJ, and Sarbanes-Oxley Act all promote anonymous reporting. The OIG in its compliance guidance state “At a minimum, comprehensive compliance programs should include…a hotline, to receive complaints, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.  Failing to provide for and encourage anonymity undercuts the perceived effectiveness of the compliance program. There are other positive reasons for having anonymous reporting:

  1. Not allowing anonymity discourages reporting for fear of becoming a victim of retribution or retaliation. The result is that an individual may give information to someone else like an attorney, the media, government agencies, or simply not tell anyone which may lead to a growing exposure to liability to the organization. As a rule, the more serious the complaint or allegation, the less likely callers will be willing to identify themselves.
  2. The disclosure of an individual’s identity creates a burden for the organization to protect the caller’s identity (“confidentiality) once it is known. Failure to protect identified callers may result in unprotected reprisals or retaliation and serious consequences for the organization that may draw in attorneys, government, and regulatory agencies. There are many cases of litigation for reprisals or wrongful discharge where the company was put in the awkward position of trying to evidence the call did not contribute to the adverse action or termination. This is not a burden if the caller was anonymous.
  3. It is also useful to keep in mind that many callers may want to self-disclose their identity, in order to achieve a protection as a “Whistleblower” to forestall performance or conduct-based actions by trying to invoke the organization’s non-retribution/non-reprisal policy. For some, calling the hotline may be an attempt to block the adverse personnel action.

In some cases, it is desirable, and perhaps even necessary, to learn the identity of the caller in order to properly act on the information offered. There are circumstances where having the identity is essential to act upon a serious allegation. In such cases, callers can be encouraged to identify themselves, noting that their confidentiality will be protected. As such, it is important to also have a Confidentiality Policy, along with the Anonymity Policy.  Both such policies are called for in the OIG compliance guidance documents.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: A Dozen tips for evaluating hotline vendors

Review current vendor contracts; it may be time to switch

A hotline is a critical part of any effective compliance program. It provides an avenue of communication that permits employees to report sensitive matters outside the normal supervisory channels. The compliance officer bears the responsibility of constantly reviewing and improving the effectiveness of the hotline operation. The U.S. Sentencing Commission, HHS OIG, and DOJ call hotlines critical to an effective compliance program. Most hotlines are operated through vendors. Only a very few organizations have the size, capacity, and resources to manage a 24/7 hotline, as is needed for an effective operation. The following are some best practice tips in selecting or retaining a hotline vendor:

 

  1. Compare costs of a vendor with the cost to maintain and operate a hotline in-house. A vendor should provide their services at a set (fixed) fee that can be used for comparison purposes. A good rule of thumb is that the cost of a hotline service should be around $1 per employee per year.

 

  1. Industry Focus. Determine the level of expertise in the health care industry. It is advisable to have a company familiar with and sympathetic to health care issues, rather than focus on employee theft or other generic matters common to all industries. Ask for a breakdown of the types of clients they serve. Do they have a primary focus (transportation, finance, energy, health care)?

 

  1. Hotline Service Types. In today’s environment, it is advisable to have two levels of service. The first is a Web-based reporting system that prompts individual complainants, as well as the option to call and speak with a live operator. Either approach has its pluses and minuses. Your vendor should provide both approaches in a single service fee.

 

  1. Vendor Contract Traps. A vendor should keep business with good service, not tricky contract terms. The contract should permit cancelation at any time with a simple 30-day notice.  If you have a current contract, check the termination clauses to see if cancelling a contract is cumbersome. If it is, ask to renegotiate the termination clause and if they decline, then take steps to follow termination procedures in the contract. Usually such procedures are a short window to cancel, before the contract renews.

 

  1. Hotline Number. Always use and own your own hotline number. To use a vendor number is another common vendor trap. If you advertise their number, to then change would necessitate changing all the places you have advertise the number. If, in such a contract, it is advisable to either renegotiate the agreement to use you own number or change to another vendor, it is worth the pain of making the change.

 

  1. Background and References. It is advisable to know as much about the vendor as you can. Determine who the key players are in the ownership, management and operation of the service and check out their credentials. Do they have personal history and expertise in hotline operations? Also, ask for client references from any vendor you are considering.

 

  1. Policies, Procedures, and Protocols. The company should be able to provide expert advice on developing operating protocols for following up an allegations and complaints received through the hotline. This includes providing/signing a Business Associate Agreement to meet HIPAA Protected Health Information requirements (and if they don’t know what that means, forget them).

 

  1. It is important to insist and have as part of any contract, provision of a full written report within one business day of receipt of the call. For urgent matters, it should be immediate.

 

  1. Reports Provided. Reports on individual calls should be well written, clear, concise and of high quality. The manner the report is delivered is important. There are security problems with reports provided either by facsimile or email. This could be problematic. Web-based reporting is the most secure, with notification of a report being provided via email.

 

  1. Like any other vendor, the company should have at least one to three million dollars liability coverage. If your vendor does not have this insurance, consider changing over to one that provides this assurance.

 

  1. Caller Contact Information. Although anonymity is a must for any hotline, sometimes gaining additional information from callers is important. Vendors should have procedures for providing callers with a means to call back without disclosing their identity. Check that out to see if it meets your needs.

 

  1. Accessibility to Responsible Parties. Responsiveness of vendors to your hotline needs is very important. If something comes up, will there be a responsible live human being available with who you can communicate issues and concerns? You never want to be lost in a bureaucratic shuffle or IVR system.

 

For more information on this topic, contact Marvin Mills (mmills@complianceresource.com).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Effective compliance document management system

All effective health care compliance programs should implement some type of compliance Document Management System (DMS), which involves the process of organizing, filing, controlling, and storing documents. The primary purpose is to ensure that all documents, including the Code of Conduct, charters of compliance functions, compliance-related policies and procedures, records of hotline and investigation activity, etc. are current with applicable laws, regulations, and requirements and are properly maintained. A well-managed compliance DMS evidences the effectiveness of the compliance program. Compliance officers need to ensure that their records management policy is being followed and is in line with any retention schedules required by law. When audited by a government entity, it would be necessary to produce evidence about the operation and management of the compliance program. A well-structured DMS will ensure the organization meets regulatory compliance mandates, provide the availability of documents evidencing compliance program effectiveness, and, in turn, mitigate exposure to liabilities.

The 2020 Eleventh Annual Healthcare Compliance Benchmark Survey conducted by SAI Global and Strategic Management Services included questions that focused on management of policy and compliance documents. Results from the latest survey found that compliance offices were split nearly in half between those that manually manage compliance-related documents and those who used automated assistance. One-third reported using some sort of document management software to assist. Only one-fifth reported using a comprehensive document management system. The trend from review of past surveys clearly indicate a movement away from manual processes to DMS. The following are tips to consider when managing compliance-related documents:

  1. Document Management System (DMS). Develop a compliance Document Management System to track, administer, and store compliance related documents and health care compliance policies and procedures.

 

  1. Set-up a Records Retention Schedule. As part of the DMS, schedule how long records should be kept from an operational and legal standpoint, and that outdated records are disposed of in a timely, systematic manner. When determining the retention period for records, it’s important to: (a) perform a record inventory of all physical and electronic records; (b) establish a standardized record classification system; and (c) conduct research on all federal, state, and local records retention requirements.

 

  1. Policies and Procedures. Develop and implement policies and procedures for the creation, distribution, retention, storage, retrieval, and destruction of compliance related documents and health care compliance policies and procedures. Ensure that the compliance records management policy addresses protection of patients’ protected health information. Keep all revised or rescinded policy documents. Should an issue arise concerning a policy, it will be the document in effect at that time and not a current version.

 

  1. Accessibility and Location. The DMS must include being able to find and access information, when needed. It is advisable to index records by date, subject matter, creator, and location of the record.

 

  1. Ongoing Monitoring and Auditing. It is important to have ongoing monitoring of the records management system to ensure compliance with the policy and procedures. Periodic independent audits of compliance should also take place to ensure retention schedules are being followed, timely reviews are made to keep documents current, destruction of documents are in accordance with policies, etc.

 

  1. Records Disposal/Destruction. There are times when documents are no longer needed and should be destroyed. Maintaining unnecessary records longer than necessary increases exposure to possible breaches. Disposing or destroying records must follow closely the written policy guidance, including the means for doing it. It is also important to keep a record of the record disposal.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.