Kusserow on Compliance: Growing use of the responsible corporate officer doctrine increases importance of effective compliance programs

For decades the Department of Justice (DOJ) and Office of Inspector General (OIG) have been increasing their use of the responsible corporate officer (RCO) doctrine. The DOJ has been using the doctrine for decades in an ever-widening set of circumstances in order to change the corporate culture of companies. Yet, the agency found that financial penalties alone are insufficient to do this.

The doctrine imposes strict liability on corporate officers based solely on their area of responsibility within the corporation, regardless of their knowledge of the underlying criminal activity or their participation in it. In 2010, the OIG issued a position paper on the doctrine that underscored the agency’s commitment to use its permissive exclusion authority against executives and board members that permitted wrongful activity through negligence.

On September 9, 2015, the DOJ came out with new guidelines on corporate conduct. They reflect an increased focus on individual accountability for corporate wrongdoing, both civil and criminal, and on the importance of corporate cooperation with prosecutors. The objective of the new guidance is to direct attention to individual accountability for corporate wrongdoing and to increase deterrence by holding individuals responsible for their actions. It also addresses the importance of corporate cooperation in the context of governmental investigations.

Key provisions of the DOJ prosecutor guidelines

  • Credit for cooperation. There must be complete disclosure of all relevant facts, including identification of all those involved in or responsible for the misconduct, regardless of their position, status, or seniority, and all facts relating to that misconduct. It will also depend upon timeliness of the cooperation; diligence, thoroughness, and speed of the internal investigation; and the proactive nature of the cooperation.
  • Prosecutors focus on individuals. The guidelines call for prosecutors to concentrate on individual wrongdoing from the inception of the investigation through the resolution of the case, including how a health care provider approaches a voluntary disclosure of billing errors; how employees respond to internal requirements for cooperation; and how employees conduct business with material legal implications in the absence of any government inquiry.
  • Protection of individuals not included in corporate settlements. The guidelines discourage agreeing to release officers, directors, and current and former employees from individual civil liability as a condition of the corporate resolution, a practice that has been common in the past. This preserves the DOJ’s ability to pursue responsible individuals.
  • Civil enforcement against individuals not limited to ability to pay. The DOJ will no longer evaluate actions against wrongdoers solely on the basis of an ability to pay, but will focus more on deterrence of others. As such, the DOJ may pursue civil monetary penalties against lower level employees who likely lack the ability to recompense the government for its alleged losses or for applicable civil penalties.

10 tips for compliance officers

  • Study the RCO doctrine, know how it is being applied, and inform executives and board members of its significance in terms of personal liability.
  • Stress to management and board that the best RCO defense is an effective compliance program and that executive support of the program reduces their personal risks.
  • Provide annual education to the board on its fiduciary compliance obligations and duties.
  • Expect boards and executives to demand more evidence of compliance program effectiveness.
  • Look to developing and providing metric evidence of compliance program effectiveness.
  • Ensure program managers are engaged in ongoing monitoring of their programs.
  • Ensure an ongoing audit plan for all high risk areas to verify ongoing monitoring and validate that it is effective in addressing vulnerabilities.
  • Arrange for annual independent review of the compliance program by experts, as well as an independently administered compliance survey of employees, alternating methods employed.
  • Ensure that all allegations or complaints of wrongdoing are promptly and thoroughly investigated.
  • Verify executives are provided definitive written legal opinions before entering into agreement with referral sources or making decisions in compliance high risk areas.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2015 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Credit balances going to the top of the high risk list

Failing to reconcile credit balances and repay overpayments has become a new and major threat to providers. Now these acts can be viewed as “reverse false claims” that could easily result in millions of dollars in penalties. The Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) mandated the report and return of overpayments within 60 days of those payments being “identified”; failure to do so creates a reverse false claim.

Credit balances generally occur when the reimbursement that a provider receives for services provided to a beneficiary exceeds the charges billed, such as when a provider receives a duplicate payment for the same services from another third-party payer. It was unclear when the clock for returning these balances started ticking, as neither Congress nor CMS identified when this period begins, leaving it to interpretation by providers. This room for interpretation ended in July of 2015 with a decision by a federal court in a qui tam case. In that matter, the providers were charged with failing to timely investigate and resolve a suspected problem of receiving overpayments. The court ruled that notice of potential violations was sufficient to start the 60-day clock. Holding otherwise would permit willful ignorance to delay the formation of an obligation to repay the government money that is due, the court noted.

A new report issued by the Office of Inspector General (OIG) has shed some light on the extent to which this exposes providers to liability. The OIG examined provider overpayments in Medicaid programs and found that failing to identify and return Medicaid overpayments was a continuing problem. The agency performed reviews in eight states to update prior work on Medicaid credit balances, and the report was already in draft when the federal court issued its new ruling. The report found efforts in many states were inadequate to ensure that providers were remitting overpayments in a timely manner and called upon CMS to establish a national Medicaid credit balance reporting mechanism and require its regional offices to monitor reporting.

In a sample review of eight providers in each of the eight highlighted states (total of 64 providers), the OIG report estimated unrecovered overpayments of $24,984,165 (of which $16,833,392 was the federal share). This tiny sample suggests that overpayments received and not paid could be a very significant amount of money. The OIG found that providers did not identify, report, and return Medicaid overpayments because the states did not require that providers exercise reasonable diligence in reconciling patient records. In some cases, it noted that some providers did not reconcile some patient records for more than six years.

Implications of the recent court action and new OIG report

Compliance officers should see a large red flag raised when considering the OIG report and the recent federal court decision. Together, we now see that the courts have drawn a clear line of what constitutes failure to timely remit payments and the OIG has demonstrated an ability to identify unreported overpayments. As such, compliance officers should place this issue near the top of compliance high risk areas. It is advisable to immediately begin to ensure that credit balance management is subject to ongoing monitoring as well as ongoing auditing. Failing to report overpayments may trigger reverse false claims that can result in millions of dollars of liability.

Tips for compliance officers

  • Al Bassett, JD, former Deputy Inspector General and FBI executive with 15 years of health care compliance consulting experience, advises “compliance officers to examine the credit balance issue and ensure that all overpayments are being identified in a timely manner and reported to the executive leadership and the board to ensure they are acted upon and paid back in a timely manner.”
  • Jillian Bower of the Policy Resource Center stated that “the court decision increases the importance of having written guidance already in place to address potential overpayments, including policies for conducting investigations, disclosure, as well as protocols between the compliance officer and legal counsel in handling complaints. Without such written guidance, matters could bog down and run out the clock.”
  • Carrie Kusserow, a senior consultant with over a decade of specialized experience with hotlines, observed that “the recent court case came from a whistleblower, as such it is critical to have an effectively operated hotline to quickly capture any reports of overpayment issues to promptly investigate the matter within the short time frame allowed under the court’s ruling and failing to do so becomes a ticking time bomb under the 60-day rule.”
  • Jim Cottos, who has served as an Interim Compliance Officer for many organizations, along with his experience as former Chief Inspector for the HHS OIG, advised that “organizations must have available trained people to quickly investigate and resolve overpayment issues.”
  • Dr. Cornelia Dorfschmid, a nationally recognized expert on analyzing claims, stated “the biggest challenge with identification of overpayment amounts is to do too little for too long. Hesitation can quickly turn into unreasonable delay and non-compliance. The compliance officer should not let that happen. Getting help from independent and objective experts with the determination of claims accuracy and statistical extrapolation, as well as secondary effects, such as on physician productivity and FMV [fair market value] compensation in RVU [relative value units] based models, is a good idea. It will carry a lot more weight with the government than if internal staff does the work. External review work in these cases is best done under direction of legal counsel.”
  • Camella Boateng, a senior compliance consultant, brought up “the old adage that says ‘an ounce of prevention is worth a pound of cure.’ It is far better to avoid making billing errors than dealing with the consequences of failing to do so. As such it is worth remembering advice from the OIG to provide specialized compliance annual training regarding applicable billing rules for those involved in claims processing.”






Health committee hears passionate pleas for Medicaid improvements

The witnesses testifying at a September 18, 2015, Energy and Commerce Committee hearing on four different Medicaid bills all offered moving stories about someone they know whose life will or would have been affected by the pending legislation. These bills cover a wide range of topics, but all intend to improve access to care for Medicaid beneficiaries.

Clinical trials

The Ensuring Access to Clinical Trials Act of 2015 (H.R. 209) would remove the sunset provision of a similar act passed in 2009 that creates an income exclusion provision for up to $2,000 received in exchange for participation in clinical trials. According to Dr. Michael Boyle, Vice President of Therapeutics Development for the Cystic Fibrosis Foundation, current clinical trial participants and future candidates will be forced to discontinue or decline to participate for fear of losing their Supplemental Security Income (SSI) or Medicaid benefits due to income restrictions if the exclusion is allowed to expire on October 5, 2015. In his testimony, Boyle pointed out that precision medicine allows very targeted and specific therapies to be developed to treat rare diseases and specific groups of patients. The possible trial population for these drugs is limited by the rarity of the disease and the specificity sought. Further reducing the pool of trial participants due to fears of losing vital benefits will limit scientific advancements and efforts to cure these devastating diseases. The Senate has already passed identical legislation.

PACE programs

H.R. 3243 would expand the Program of All-Inclusive Care for the Elderly (PACE) to include those with disabilities under age 55. PACE provides comprehensive in-home care to those who are 55 or older who would otherwise require institutional care. Tim Clontz of the National PACE Association testified about the importance of allowing those with disabilities to remain in their homes, surrounded by their loved ones, as opposed to the strain that moving into a nursing facility puts on both the patient and their families. When asked how PACE would adapt to serving younger patients, Clontz admitted that creative solutions would be necessary but hopes to use pilot programs to determine the best models of care. While some larger programs may be able to create a division dedicated to patients under 55 years of age, he noted that programs in more rural areas would likely need to use existing resources to treat the new patient population.

Special needs trust

The Special Needs Trust Fairness Act of 2015 (H.R. 670) would allow for non-elderly disabled individuals to establish special needs trusts on their own behalf. Special needs trusts, unlike most other trusts, are not considered an asset for Medicaid eligibility determinations. Currently, only parents, grandparents, a legal guardian, or a court may establish a special needs trust on behalf of a non-elderly disabled individual. Richard Courtney, President of the Special Needs Alliance, testified before the committee on the bill and stated that these individuals are mentally capable of making a contract and should be allowed to do so to protect their interests. He noted that some courts have been hesitant to establish these trusts, leaving those without surviving parents little recourse.

Medicaid directory

The Medicaid Directory of Caregivers Act would require state Medicaid programs to establish an electronic list of physicians that accept Medicaid patients. This list would include doctors who have billed Medicaid in the last six months. The Government Accountability Office (GAO) found that Medicaid enrollees encounter difficulties in attempting to access various types of specialty care, and the Centers for Disease Control and Prevention (CDC) noted that physicians are less likely to accept Medicaid patients than those covered by Medicare or private insurance. This updated list of providers accepting Medicaid patients would reduce the time and effort required to find a provider.

Kusserow on Compliance: Tips on information security from the FTC

The health care sector is so focused on Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security related issues under the watchful eyes of CMS and the Office of Civil Rights (OCR) that it is often forgotten that there are a host of other laws and regulations related to data security. The Federal Trade Commission (FTC) released “Start with Security: A Guide for Business,” a report concerning data security that has application to all business sectors, including health care. The FTC noted that the report draws upon “lessons learned from more than 50 law enforcement actions.” The guide provides a treasure trove of tips and best practices for protecting sensitive information and managing the associated risks.

The FTC begins with the recognition that sensitive information and data, including personnel information, customer/patient records, and credit information, pervade every part of a business, and that every part of any business is impacted by sensitive information. In turn, it is a challenge for businesses to manage confidential information. Betta Sherman, a health care consultant specializing in HIPAA Privacy and Security issues, notes “although this report applies to all business sectors, it is particularly relevant to the health care sector, which has the responsibility to safeguard protected health information (PHI).”

The report states that the starting point is establishing security policy and procedures. It is also important to think through the kind of information you collect, how long you keep it, and who can access it. Doing so can reduce the risk of a data compromise down the road. Dr. Cornelia Dorfschmid, a recognized compliance expert, states that “security postures and threats change all the time. For health care organizations it is critical to test their own information security knowledge as well as current security architecture by occasionally engaging independent experts to conduct security risk assessments. Formal security assessments are expected under the HIPAA Security Rule and also required for compliance with meaningful use criteria. Not conducting such risk assessments regularly is foolish.”

Tips and best practices highlighted by the FTC

  • Avoid data security risks by only collecting needed sensitive information.
  • Hold on to information only as long as there is a legitimate business need for it.
  • Periodically review data and decide what needs to be kept and what is no longer necessary.
  • The longer the information is kept, the greater the risk that it may be misused or leaked.
  • Restrict access to sensitive data to only those that have a “need to know.”
  • Limit those with system-wide administrative access to data.
  • Establish strong authentication procedures, including passwords.
  • Require complex and unique passwords.
  • Store passwords securely to prevent unauthorized persons from obtaining access.
  • Guard against hackers by limiting the number of unsuccessful login attempts.
  • Periodically test for common vulnerabilities and security flaws.
  • Use strong cryptography to secure maintenance and transmission of sensitive data.
  • Keep sensitive information secure throughout its lifecycle.
  • Once information is transmitted and decrypted, it still must be protected.
  • Use industry-tested and accepted methods to safeguard and encrypt information.
  • Encryption must be configured and controlled properly to protect sensitive information.
  • Set up and monitor firewalls to limit access between computers on the network and the Internet.
  • Establish intrusion detection and prevention systems (IDS/IPS) for unwanted activity.
  • Install required antivirus and antispyware programs for remote users using the network.
  • Place limits on third-party access to the network.
  • Ensure design changes and changes in management decisions do not permit vulnerabilities.
  • Use readily available secure communications tools pre-installed on mobile devices.
  • If software offers a privacy or security feature, verify that it works as advertised.
  • Test systems for vulnerabilities in as many commonly known, reasonably foreseeable ways as possible.
  • Take care to select service providers able to implement appropriate security measures.
  • Require service providers to adopt reasonable security precautions.
  • Verify that the information collection program is consistent with privacy and security policies.
  • When using third-party software, apply security updates as they are issued.
  • Update and patch third-party software regularly to minimize security risks.
  • Have an effective process in place to receive and address security vulnerability reports.
  • Monitor usage and encryption of hard drives, laptops, flash drives, and disks.
  • Implement policies for secure document and data storage and retrieval.
  • Dispose of documents in a secure manner.
  • Protect devices that process personal information.
  • Secure sensitive information when it is outside the office.
  • Acknowledge that lost or stolen laptops, external drives, and mobile devices are a major cause of lost data.
  • Ensure files, drives, disks, etc. sent via ground mail or services are tracked and delivered.
  • Limit instances when employees need to carry sensitive data.
  • When traveling, confidential information should be kept out of sight.
  • Devices with confidential information should be under lock and key when out of sight.
  • No longer needed paperwork should be shredded, burned, or pulverized to be unreadable.
  • Old hard drives and media with sensitive information should be professionally wiped clean.
  • Have periodic independent risk assessments to keep data, reputation, and business information safe.
