Kusserow on Compliance: 2020 DOJ compliance program guidelines on continuous improvement and use of data

The DOJ released an update to its Compliance Guidance, intended to assist prosecutors in making informed decisions about whether a company’s compliance program was effective at the time of an offense. It emphasizes the importance of using data and technology to support compliance efforts, including assisting with continuous updates of a compliance program and assessing the adequacy and effectiveness of it at the time of the offense, charging decision, and case resolution. Many of the changes involve adding questions about a company’s ability to learn from its own experience through, among other things, the use of data and technology. The guidance asks whether companies:

  1. Engage in periodic reviews limited to a “snapshot” in time, or one based on continuous access to operational data across functions?
  2. Incorporated “lessons learned” through a “process for tracking and incorporating into its periodic risk assessment” information acquired both internally and from other similarly situated companies?
  3. Update policies/procedures and if they provide enough data to allow for effective monitoring and testing their effectiveness?
  4. Publish policy documents in a searchable format for easy reference and access?
  5. Can track access to specific policies/procedures to understand which are attracting the most attention from employees?
  6. Have means for employees to ask questions arising out of training?
  7. Have evaluated extent to which training has had an impact on employee behavior or operations?
  8. Engage in continuous ongoing monitoring and improving reporting mechanisms?
  9. Periodically test[s] hotline effectiveness, and track reports from inception to conclusion?
  10. Effectively communicate compliance requirements to employees during compliance education and training?

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ and HHS OIG issue annual Health Care Fraud and Abuse Control Program Report

The HHS OIG and DOJ issued their annual Health Care Fraud and Abuse Control Program Report. The report outlines efforts undertaken annually as a result of HIPAA, which established the program to “coordinate federal, state, and local law enforcement activities with respect to health care fraud and abuse.” For FY 2019 the reported recoveries were $3.6 billion, of which about $2.5 billion was returned to the Medicare trust fund. The recoveries included judgments and settlements from fraud causes brought in 2019 and in prior years. In addition, the DOJ reported opening 1,060 new criminal health care fraud investigations, which led to charges against 814 defendants. The DOJ Civil Division opened 1,112 new civil health care fraud investigations. Medicare and Medicaid fraud investigations by HHS’s Office of Inspector General resulted in 747 criminal actions and 684 civil actions against individuals and entities. In 2019, HHS also excluded 2,640 individuals from participation in the Medicare and Medicaid programs. The breakdown of exclusions included 1,194 based on criminal convictions related to Medicare and Medicaid, 335 for other health care programs, 238 for patient abuse or neglect, and 576 as a result of state health care licensure revocations.

The report also provided information on the return on investment (ROI) for the HCFAC program over the last three years (2017 – 2019) at $4.2 returned for every $1.00 expended. Results were reported as being in large measure due to the Health Care Fraud Prevention and Enforcement Action Team (HEAT) that was designed to coordinate enforcement efforts related health care fraud. These teams are comprised of top-level law enforcement agents, prosecutors, attorneys, auditors, evaluators, and other staff from DOJ and HHS and their operating divisions, and are dedicated to joint efforts across government to both prevent fraud and enforce current anti-fraud laws around the country. The Strike Force teams are a key component of HEAT.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ issues 2020 compliance program guidelines

Provides a more in-depth analysis of compliance programs

The DOJ released the updated Evaluation of Corporate Compliance Programs to assist prosecutors in making an informed analysis about an organization’s compliance program at the time of charging decisions. It has not changed much from the prior releases that included a list of 119 compliance-related questions. The new guidance continues to focus on three core questions derived from the Justice Manual, namely,  whether a compliance program is “well designed,” “being applied earnestly and in good faith,” and “works in practice.” It restates the importance of having a compliance program suitable for the company’s risk profile but added context and detail for companies to ensure that their compliance priorities are aligned with the DOJ’s expectations.

These include: (1) the importance of having an evolving, dynamic program; (2) the need for the compliance function to engage with company employees; (3) ensuring the program is thoughtful and responsive to the company’s context; and (4) the importance of adequate compliance resources and empowerment of the compliance function. Additional attention is given to these principles for companies to enhance their compliance program and adhere to best practices that would best position themselves in the event of an inquiry or enforcement action from a government regulator. It reflects the continued expectation that a compliance program should continue to evolve and improve over time as the business changes and the compliance function matures. Meaningful risk assessments and program evaluations are critical to this end. There is added language asking prosecutors to assess “why and how the company’s compliance program has evolved over time” and “has the periodic review led to updates in policies, procedures, and controls?”

The DOJ has continued to move away from the antiquated model of a generic, “off-the-shelf” compliance program and focus more on how an organization acts in response to risk assessments. Other questions include whether the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior identified issues or from those of other companies operating in the same industry and/or geographical region. The DOJ asks about effective monitoring of compliance and whether a company’s compliance program has continuous access to operational data and information across functions. The DOJ underscores, once again, the importance of having regular reviews of the compliance program; and make it clear that this should not be “cookie cutter” “check the box” type reviews. These reviews should lead to useful findings that result in meaningful changes and improvements. Greater emphasis is also given to the adequacy of compliance resources, quality of trained staff, and empowerment for the program. The importance of oversight of any third-party agents that act on a company’s behalf is stressed, including whether the company engages in risk management of third parties throughout the lifespan of the relationship. The questions include whether the company completed pre-ad post-acquisition due diligence; and a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.

The guidance asks whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees; and if the policies have been published in a searchable format for easy access and reference. Employee training received new attention, suggesting companies consider the format of their trainings to be more responsive, including by: (1) investing in shorter, more targeted training sessions, and (2) ensuring a process by which employees can ask questions arising out of the training. In addition, there is the question as to the extent to which the training has an impact on employee behavior or operations. With regards to the hotlines, the guidance had added language to ensure that the hotline is an accessible, responsive tool, whether the company test whether employees are aware of the hotline and feel comfortable using it, and if reports are tracked from inception to finish.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG response plan—four goals for the COVID-19 Crisis

The HHS Office of Inspector General (OIG) has identified four goals to respond to the COVID-19 Pandemic: protecting people, protecting funds, protecting infrastructure, and promoting effectiveness. The OIG set out its framework in the OIG Strategic Plan: Oversight of COVID-19 Response and Recovery.

PROTECT PEOPLE. The OIG plans for this goal include to: (1) issue guidance on its administrative fraud enforcement authorities related to delivering needed patient care; (2) conduct rapid-cycle reviews of conditions affecting HHS beneficiaries or health care providers; (3) inform/support response efforts; (4) help ensure continuity of HHS operations during the public health emergency; (5) identify and investigate fraud and scams that endanger HHS beneficiaries and the public; (6) alert the public to fraud schemes related to COVID-19; and (7) assess the impacts of HHS programs on the health and safety in the acquisition, management, and distribution of COVID-19 tests and vaccine and treatment research and development.

PROTECT FUNDS. HHS was appropriated $251 billion for COVID-19 response and recovery—to prevent, prepare for, and respond to coronavirus, along with funds from other appropriations. The OIG plans for this  goal include: (1) reviewing of oversight, management, and internal controls for awarding, disbursement, and use of funds; (2) assessing whether recipients met requirements; (3) mitigating major risks that cut across program and agency boundaries; (4) ensuring that intended purposes of funds granted are being used properly; (5) identifying and investigating suspected fraud and exercising OIG’s administrative enforcement authorities; (6) identifying program integrity vulnerabilities and recommend safeguards; and (7) providing alerts to potential fraud risks or schemes to steal funds.

PROTECT INFRASTRUCTURE. Objectives for this goal include: (1) protecting the security and integrity of IT systems and health technology; (2) identifying IT vulnerabilities and incidents, mitigating threats, and restoring IT services; and (3) focusing on identifying and investigating cybersecurity vulnerabilities related to COVID-19 response.

PROMOTE EFFECTIVENESS. The OIG’s plans for this goal include: (1) focusing on COVID-19 efforts to identify successful practices and lessons learned from the emergency preparedness and response; (2) reviewing pandemic preparedness planning to identify how preparedness funding was spent; and (3) assessing COVID-19 impact on HHS programs and beneficiaries, including expanded telehealth in Medicare.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.