Kusserow on Compliance: Use of temporary compliance and privacy officers

By now every health care provider is aware of the need for an effective compliance program under direction and management by a compliance officer, as well as a privacy officer to ensure HIPAA compliance. It is common these days for organizations to have compliance and privacy officer vacancies as result of a retirement, termination, someone changing jobs, or any other of a dozen reasons. Sometimes it may have been triggered by an audit or investigation by the HHS Office of Inspector General (OIG), Department of Justice (DOJ), HHS Office for Civil Rights (OCR), or a CMS contractor. In other cases, a board or new executive leadership may wish to use proven experts to promote and/or elevate the programs to a higher level. Regardless of the reason, the departure of a long time incumbent creates a vacuum that needs to be filled quickly for day to day management and responding to emerging issues to avoid serious problems and potential liability. The worst time to have a vacancy is when entering the holiday season and the end of the calendar year. For a variety of reasons, it is a time when many problems and issues arise needing prompt attention.

Steve Forman, CPA, is an expert on the subject with over 25 years as a healthcare compliance officer and consultant, including serving on multiple occasions as an interim compliance officer.  He notes that the sudden departure of a compliance or privacy officer makes the problem of finding someone properly qualified in a timely manner a serious issue. Confronted with a rapidly evolving regulatory and enforcement environment, health care organizations cannot afford to take the chance on having a gap in these positions. When such a gap occurs, engaging an expert on a short term engagement can hold the reigns of the program together, while a permanent replacement is found. Using a properly qualified outside expert presents a lot of advantages.  They can bring the experience of having served in other organizations and dealing with many of the same issues already addressed by prior jobs. It is also important that they have not been invested in any prior decisions, nor have they been aligned with any parties in the organization.  Most importantly, they bring “fresh eyes” to the program. They can provide objective assessment on the state of the compliance program, offer suggestions, and give guidance for improvements.

Suzanne Castaldo, JD, who specializes in providing interim compliance and privacy officers for healthcare clients, noted that clients to whom she has provided interim officers, usually take three to five months to find that hire a permanent replacement with necessary experience and qualifications. When they seek temporary officers, she provides experienced professionals with previous experience as a compliance or HIPAA privacy officer. Over the last 25 years, her firm has worked with over 3,000 health care organizations in building, evaluating, managing, and building compliance program that provide a unique level of knowledge and expertise. Using the right professional with a lot experience and technical skills can make significant improvements for any compliance program in a relatively short order.

Camella Boateng is another highly experience compliance professional who has served as an interim compliance and privacy officer for several organizations. She has found that organizations have a tendency to understate the needs in the vacant position.  In every case where she has been called upon to fill a vacancy, she has encountered serious problems that were hidden or not recognized by the organization. In fact, these unattended problems often were the reason for the departure of the incumbent. As such, those seeking temporary compliance or privacy officers require more than someone just to monitor and manage day to day work. They should look to added benefits and services an outside expert can bring, including providing an independent assessment of the status of the compliance program and high-risk areas warranting attention. Before leaving the engagement they can develop a “road map” for the incoming compliance officer to follow. All this can result in developing comprehensive briefings for management and board on the state of the program

Lisa Shuman is a consultant that has served as an interim privacy officer for organizations. She observed that the work flow is different from that of a compliance officer. She has found from her experience that most engagements can be part time with much of the work done remotely.  The first month usually involves focusing on reviewing adequacy of existing policies, procedures, controls, and training content. After that, the work focuses primarily on privacy violation investigations that arise, however, it is important that the interim privacy officer be available at any time to deal with issues



Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Doctor, nurse indicted for fraudulent schemes involving unnecessary compounded medications

Separate indictments brought against a nurse practitioner and doctor by the Department of Justice (DOJ) alleged that the two individuals participated in separate but similar schemes to defraud TRICARE. Under the schemes, the nurse practitioner and doctor prescribed medically unnecessary compounded medications to individuals they had not examined, had a compounding pharmacy dispense the medications, and seek reimbursement from TRICARE.

The indictment against the nurse practitioner

According to the indictment, TRICARE reimbursed the compounding pharmacy more than $3.3 million for compounded medications prescribed by the nurse practitioner between February 2013 and October 2016, In addition, the nurse practitioner allegedly received more than $50,000 in kickback payments from a marketer for the compounding pharmacy in return for prescribing the compounded medications and making false statements to the FBI. The nurse practitioner was charged with conspiracy to commit health care fraud and wire fraud; wire fraud; conspiracy to distribute and dispense a controlled substance; distributing and dispensing of a controlled substance; conspiracy to solicit and receive health care kickbacks; soliciting and receiving health care kickbacks; and making false statements.

The indictment against the doctor

The indictment against the doctor stated that TRICARE reimbursed the compounding pharmacy more than $2.3 million for compounded medications prescribed by the doctor between October 2014 and December 2015. In response to an audit conducted by TRICARE, the doctor allegedly submitted falsified patient records to make it appear as though he had examined patients before prescribing the compounding medications. He was charged with conspiracy to commit health care fraud and wire fraud, wire fraud, conspiracy to distribute and dispense a controlled substance, distributing and dispensing a controlled substance, conspiracy to falsify records in a federal investigation and falsification of records in a federal investigation.

New York dietary supplement maker accused of failing to comply with cGMP regulations

At the request of the FDA, the U.S. Department of Justice filed a civil complaint against Riddhi USA Inc. of Ronkonkoma, New York, and its owner and President Mohd M. Alam, to enjoin the distribution of adulterated and misbranded dietary supplements. The complaint alleges that Riddhi and Alam prepared, packed, and held dietary supplements under conditions that failed to comply with the FDA’s current good manufacturing practice (cGMP) regulations for these products.

According to the complaint, the FDA inspected the Riddhi facility in January 2017 and found numerous significant deviations from cGMP regulations, including a failure to: (1) establish product specifications for identity, purity, strength, and composition of their finished dietary supplements; (2) conduct at least one appropriate test to verify the identity of a dietary ingredient; and (3) establish and follow written procedures for quality control operations.

The complaint further alleges that many of the cGMP deviations were the same as those observed by the FDA during a previous inspection that occurred in January 2016. The complaint notes that on April 27, 2016, the FDA issued a warning letter detailing violations of cGMP regulations observed during the 2016 inspection and that these violations are the same as those observed during the FDA’s subsequent 2017 inspection.

The complaint also alleges that the dietary supplements were misbranded under the labeling provisions of the federal Food, Drug & Cosmetic Act (FDC Act) (21 U.S.C. §301 et seq.) because the products are fabricated from two or more ingredients but fail to declare any ingredients on their product labels or labeling. Specifically, the complaint alleges that the dietary supplement Neuroxygen is misbranded because it is manufactured using soy lecithin, which contains “soy,” but soy is not listed on the product label. The complaint also alleges that the products Prenatal Formula, Osteo Gest, Neuroxygen, Inflam-Ease, and All-Ease, are misbranded because their label or labeling fails to declare the place of business of the manufacturer, packer, or distributor.

Behavioral health fraud perpetrators plead guilty to $1M Medicaid scheme

Two men, who created and managed a company that provided mental health care to Medicaid patients and collected over $1 million in Medicaid payments, pleaded guilty to conspiracy to commit health care fraud. The president of Coastal Bay Behavioral Health, Inc. (Coastal Bay) acknowledged in the plea agreements that the other participant was an “excluded provider,” who was prohibited from billing federal health care programs due to a 2011 conviction for health care fraud. Each man faces a maximum penalty of five years in prison and a fine of up to $250,000.

Although the president was aware that he was employing an excluded provider, he did not disclose this fact to the state Medicaid program. Using an alias, the provider performed a variety of functions, including hiring and firing individuals, seeing patients, and performing other managerial tasks. Coastal Bay received $1.2 million in reimbursements from Medicaid because of the provider’s alleged fraud, according to court papers.

The provider and his family received significant financial benefits due to his involvement in Coastal Bay. Specifically, the provider had access to a Coastal Bay credit card, which he used to make routine purchases at restaurants, furniture stores, gas stations, and other places in North Carolina, even though Coastal Bay had no operations in North Carolina. In addition, the provider and his immediate family received more than $10,000 in direct payment withdrawals from the Coastal Bay business account.