Kusserow on Compliance: OIG response plan—four goals for the COVID-19 Crisis

The HHS Office of Inspector General (OIG) has identified four goals to respond to the COVID-19 Pandemic: protecting people, protecting funds, protecting infrastructure, and promoting effectiveness. The OIG set out its framework in the OIG Strategic Plan: Oversight of COVID-19 Response and Recovery.

PROTECT PEOPLE. The OIG’s plans for this goal include: (1) issuing guidance on its administrative fraud enforcement authorities as they relate to delivering needed patient care; (2) conducting rapid-cycle reviews of conditions affecting HHS beneficiaries or health care providers; (3) informing and supporting response efforts; (4) helping ensure continuity of HHS operations during the public health emergency; (5) identifying and investigating fraud and scams that endanger HHS beneficiaries and the public; (6) alerting the public to fraud schemes related to COVID-19; and (7) assessing the impact of HHS programs on health and safety in the acquisition, management, and distribution of COVID-19 tests and in vaccine and treatment research and development.

PROTECT FUNDS. HHS was appropriated $251 billion for COVID-19 response and recovery—to prevent, prepare for, and respond to coronavirus—along with funds from other appropriations. The OIG’s plans for this goal include: (1) reviewing oversight, management, and internal controls for the awarding, disbursement, and use of funds; (2) assessing whether recipients met requirements; (3) mitigating major risks that cut across program and agency boundaries; (4) ensuring that granted funds are used for their intended purposes; (5) identifying and investigating suspected fraud and exercising OIG’s administrative enforcement authorities; (6) identifying program integrity vulnerabilities and recommending safeguards; and (7) providing alerts about potential fraud risks or schemes to steal funds.

PROTECT INFRASTRUCTURE. Objectives for this goal include: (1) protecting the security and integrity of IT systems and health technology; (2) identifying IT vulnerabilities and incidents, mitigating threats, and restoring IT services; and (3) focusing on identifying and investigating cybersecurity vulnerabilities related to COVID-19 response.

PROMOTE EFFECTIVENESS. The OIG’s plans for this goal include: (1) focusing on COVID-19 efforts to identify successful practices and lessons learned from emergency preparedness and response; (2) reviewing pandemic preparedness planning to identify how preparedness funding was spent; and (3) assessing the impact of COVID-19 on HHS programs and beneficiaries, including expanded telehealth in Medicare.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Arrest of the University of Pittsburgh Medical Center hacker

An individual was indicted by a federal grand jury in Pittsburgh and arrested on charges associated with the 2014 “hacking” theft of the University of Pittsburgh Medical Center (UPMC) human resources database, which included personally identifiable information (PII) of over 65,000 UPMC employees. He was charged with fraud, aggravated identity theft, and selling the information on the dark web to buyers around the world. The buyers, in turn, engaged in a massive campaign of further scams and theft, including the filing of thousands of false IRS tax returns, leading to $1.7 million in false tax refunds.

Additionally, the indictment alleges that the hacker, from 2014 through 2017, using the acronyms “TDS” or “DS,” regularly sold other PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud. According to the indictment, the hacker sold the stolen information on dark web forums for use by conspirators, who promptly filed hundreds of false Form 1040 tax returns using UPMC employee PII. These false 1040 filings claimed hundreds of thousands of dollars in fraudulent refunds, which the conspirators converted into Amazon.com gift cards; the gift cards were then used to purchase Amazon merchandise that was shipped to Venezuela. The case was investigated by the Secret Service, the IRS, and the Postal Inspection Service. As a side note, six years ago the breach resulted in a major legal battle after employees sued UPMC for negligence and breach of contract. The state high court also ruled that UPMC may be liable for monetary damages if the plaintiffs can prove the health system acted negligently.


Kusserow on Compliance: Effective compliance document management system

All effective health care compliance programs should implement some type of compliance Document Management System (DMS), which covers the process of organizing, filing, controlling, and storing documents. The primary purpose is to ensure that all documents, including the Code of Conduct, charters of compliance functions, compliance-related policies and procedures, records of hotline and investigation activity, etc., are current with applicable laws, regulations, and requirements and are properly maintained. A well-managed compliance DMS evidences the effectiveness of the compliance program. Compliance officers need to ensure that their records management policy is being followed and is in line with any retention schedules required by law. When audited by a government entity, the organization will need to produce evidence about the operation and management of the compliance program. A well-structured DMS will ensure the organization meets regulatory compliance mandates, ensure the availability of documents evidencing compliance program effectiveness, and, in turn, mitigate exposure to liabilities.

The 2020 Eleventh Annual Healthcare Compliance Benchmark Survey conducted by SAI Global and Strategic Management Services included questions that focused on management of policy and compliance documents. Results from the latest survey found that compliance offices were split nearly in half between those that manage compliance-related documents manually and those that use automated assistance. One-third reported using some sort of document management software to assist. Only one-fifth reported using a comprehensive document management system. The trend across past surveys clearly indicates a movement away from manual processes toward a DMS. The following are tips to consider when managing compliance-related documents:

  1. Document Management System (DMS). Develop a compliance Document Management System to track, administer, and store compliance-related documents and health care compliance policies and procedures.

  2. Set Up a Records Retention Schedule. As part of the DMS, schedule how long records should be kept from an operational and legal standpoint, and ensure that outdated records are disposed of in a timely, systematic manner. When determining the retention period for records, it is important to: (a) perform a record inventory of all physical and electronic records; (b) establish a standardized record classification system; and (c) conduct research on all federal, state, and local records retention requirements.

  3. Policies and Procedures. Develop and implement policies and procedures for the creation, distribution, retention, storage, retrieval, and destruction of compliance-related documents and health care compliance policies and procedures. Ensure that the compliance records management policy addresses protection of patients’ protected health information. Keep all revised or rescinded policy documents: should an issue arise concerning a policy, the relevant document is the version in effect at that time, not the current version.

  4. Accessibility and Location. The DMS must make it possible to find and access information when needed. It is advisable to index records by date, subject matter, creator, and location of the record.

  5. Ongoing Monitoring and Auditing. It is important to have ongoing monitoring of the records management system to ensure compliance with the policy and procedures. Periodic independent audits should also take place to ensure that retention schedules are being followed, that timely reviews are made to keep documents current, that destruction of documents is in accordance with policies, etc.

  6. Records Disposal/Destruction. There are times when documents are no longer needed and should be destroyed. Keeping records longer than necessary increases exposure to possible breaches. Disposal or destruction of records must closely follow the written policy guidance, including the means for doing it. It is also important to keep a record of the disposal itself.


Kusserow on Compliance: Increase guard on cybersecurity during COVID-19 pandemic

Many health care organizations are facing attacks by cyber-criminals who are using the COVID-19 crisis to get individuals to be less vigilant about security. Hackers are taking advantage of the fear and uncertainty about the pandemic to gain access to systems through malware. These hackers impersonate health authorities such as NIH, CDC, and FDA to get individuals to open attachments that purportedly contain important information on the spread of the disease, lockdowns, and quarantine. These new phishing scams have been spreading rapidly during the crisis. As organizations move to expanded teleworking, the vulnerability to such attacks greatly increases. As new systems are introduced for remote working, steps need to be taken to ensure that security and privacy controls are in place. This is particularly important because employees may lower their guard when introduced to new, unfamiliar communication methods. Even government agencies are subject to attack. HHS suffered a cyber-attack on its computer system intended to disrupt and undermine the response to the coronavirus pandemic. The attack involved overloading the HHS servers with millions of hits over several hours in order to impair operation of the systems. Fortunately, HHS experienced no degradation in the functioning of its networks.

Tips and Reminders

  1. Alert employees to beware of COVID-19 communications
  2. Re-educate employees on phishing and social engineering defense tactics
  3. Remind employees not to click on email links or attachments, or respond to such inquiries
  4. Review third-party vendors’ access to information systems
  5. Authenticate access, particularly as more employees work remotely
  6. Regularly test users to make sure they are on guard
  7. Configure email servers to block zip or other files that are likely to be malicious
  8. Monitor those accessing sensitive data
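Tip 7 (blocking archive and other likely-malicious attachments at the mail server) is the one item above that is a concrete control, so here is an added example of what such a filter looks like in code. It is not part of the newsletter and is not a product of Strategic Management Services; the blocklist, the message contents, and the sender/recipient addresses are all constructed for illustration, and a real deployment would take its blocklist from the organization's written policy. The check goes slightly beyond the tip: besides the file extension it looks at the first bytes of the attachment, so a zip archive renamed to a harmless-looking extension is still caught.

```python
"""Attachment policy check for inbound mail (added example, not from the original page)."""
import email
import email.policy
from email.message import EmailMessage

# Assumed policy for illustration: archive and executable types the organization
# does not accept by email. Compared case-insensitively against the filename suffix.
BLOCKED_EXTENSIONS = {"zip", "7z", "rar", "exe", "scr", "js", "vbs", "iso", "img"}

# ZIP local file header, so a renamed archive is detected by content, not just by name.
ZIP_MAGIC = b"PK\x03\x04"


def attachment_findings(raw_message: bytes) -> list:
    """Return the list of reasons to quarantine the message (empty when it passes)."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked extension .{ext}: {name or '<unnamed>'}")
        elif payload.startswith(ZIP_MAGIC):
            # Content says "zip" even though the name does not: treat as evasion.
            findings.append(f"zip content under non-archive name: {name or '<unnamed>'}")
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Policy decision: any finding means the message is held for review."""
    return bool(attachment_findings(raw_message))


def build_sample(filename: str, content: bytes, maintype: str, subtype: str) -> bytes:
    """Construct a sample lure message with one attachment (constructed test data)."""
    m = EmailMessage()
    m["From"] = "health-alerts@example.invalid"   # constructed, not a real sender
    m["To"] = "staff@example.invalid"
    m["Subject"] = "Important COVID-19 update"
    m.set_content("Please open the attached guidance.")
    m.add_attachment(content, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "archive by name": build_sample("guidance.zip", ZIP_MAGIC + b"\x00" * 16, "application", "zip"),
        "renamed archive": build_sample("guidance.pdf", ZIP_MAGIC + b"\x00" * 16, "application", "pdf"),
        "real pdf": build_sample("guidance.pdf", b"%PDF-1.4\n%...", "application", "pdf"),
    }
    for label, raw in samples.items():
        print(f"{label}: quarantine={should_quarantine(raw)} findings={attachment_findings(raw)}")
```

The extension check alone would pass the second sample, which is why the magic-byte check is there; real gateways go further (nested archives, password-protected archives, macro-bearing Office files), but the structure is the same: parse the message, examine each attachment, and hold anything the written policy does not allow.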
