Kusserow on Compliance: Conducting compliance risk assessments

The issue of conducting compliance risk assessments continues to be a challenge for Compliance Officers. In the SAI Global’s ninth annual Compliance Benchmark Survey conducted with Strategic Management Services, nearly four out of ten responding organizations reported that the Compliance Office had responsibility for all risk management, not just for the compliance program.  As with all program managers, Compliance Officers have responsibility for risk management in the areas of their areas of responsibilities. This includes conducting risk assessments as part of ongoing monitoring.  However, there remains a lot of confusion among compliance officers and organizations regarding the whole subject. However, regardless of who assumes the responsibility for assessing risk areas, the subject should begin with how regulatory bodies define risk assessment.

Defining risk assessment 

Federal Regulations. (e) Annual review. The operating organization for each facility must review its compliance and ethics program annually and revise its program as needed to reflect changes in all applicable laws or regulations and within the operating organization and its facilities to improve its performance in deterring, reducing, and detecting violations under the Act and in promoting quality of care  (see 42 C.F.R. 483.85).

US Sentencing Commission Guidelines Manual. 2(a)(5) The organization shall take reasonable steps—(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program (§8B2.1 Nov. 2016).

OIG Compliance Guidance Documents.  The OIG has in a variety of compliance guidance documents called for compliance risk assessments. For example, in their Compliance Guidance for Nursing Faculties they “recommend that all nursing facilities evaluate their current compliance policies and procedures by conducting a baseline assessment of risk areas, as well as subsequent reevaluations. . .” How a nursing facility assesses its compliance program performance is therefore integral to its success. The attributes of each individual element of a compliance program must be evaluated in order to assess the program’s ‘‘effectiveness’’ as a whole. Examining the comprehensiveness of policies and procedures implemented to satisfy these elements is merely the first step. Evaluating how a compliance program performs during the provider’s day-to-day operations becomes the critical indicator.

When conducting a risk assessment it is necessary to determine the objectives. The following relates to ideas and tips concerning compliance program risk assessment.

Compliance program risk assessment objectives

  • Verify all the elements of the compliance program have been implemented
  • Determine whether all the elements are functioning as planned
  • Evaluate the documentation evidencing effectiveness of the program
  • Identify compliance program strengths, as well as areas warranting improvement
  • Develop a work plan to measure program improvements and address any weaknesses

Questions to ask about compliance risk areas

  • Were levels of risk and vulnerabilities assigned?
  • Is there an annual work plan to address identified high-risk areas?
  • Are their internal controls and policies addressing high-risk areas?
  • Are policies periodically reviewed and updated?
  • Do policies address applicable regulations, recent OIG Work Plans, etc?
  • Were compliance-related policies distributed to all covered persons?
  • Is there a Code of Conduct that provides compliance guidelines for employees?
  • Do employees signed receipt evidencing receipt of Code of Conduct?
  • What evidence is there that employees were trained on the Code and policies?
  • What evidence exist that employees understood and remembered lessons?

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: GAO calls for CMS to mitigate program risks in managed care

·       Medicaid enrollment in managed care rose in three years from 35 to 55 million beneficiaries

·       $170 billion Medicaid managed care is half of total federal Medicaid expenditures

·       CMS is not doing enough to ensure accuracy in payments

 

Congress called for the Government Accountability Office (GAO) to conduct a study of the Payment Error Rate Measurement (PERM), which  measures the accuracy of capitated payments for managed care, including CMS’s and states’ oversight. Driving this inquiry was the rapid growth of Medicaid managed care enrollment, which increased by 56 percent in three years, jumping from covering 35 million beneficiaries to 54.6 million beneficiaries. Federal Medicaid managed care expenditures last year were $171 billion, almost half of the total for Medicaid. The GAO focused on weaknesses in oversight, given the recent rapid growth. The GAO reviewed program integrity risks reported in 27 federal and state audits and investigations over a five year period; federal regulations and guidance on the PERM; and the CMS’s Focused Program Integrity Reviews. The GAO also contacted program integrity officials in the 16 states with a majority of 2016 Medicaid spending for managed care. The GAO found:

  1. Ten of 27 federal and state audits and investigations identified about $68 million in overpayments and unallowable MCO costs, not accounted for by PERM estimates.
  2. Another investigation resulted in a $137.5 million settlement.
  3. CMS does not have a process to track managed care overpayments and cannot determine whether states considered those overpayments when they set capitation rates.
  4. CMS is not doing enough to ensure that states are adequately paying managed Medicaid companies and that the plans are making correct payments to providers.
  5. The managed care component of the PERM neither includes a medical review of services delivered to enrollees, nor reviews of MCO records or data.
  6. CMS and states have updated regulations, focused reviews, and used federal program integrity contractors’ audits of managed care services, however, some of this is only recent, and it may not fully address risks across all states.
  7. CMS does not ensure identification and reporting of overpayments to providers and unallowable costs by MCOs.

The GAO called for CMS to consider and take steps to mitigate the program risks that are not measured in the PERM, such as overpayments and unallowable costs. Such an effort could include actions such as revising the PERM methodology or focusing additional audit resources on managed care. The GAO also recommended CMS expedite the release of planned guidance and requirements for states to report to the CMS overpayments made between managed-care providers and plans.

 

 

 

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ Policy for continued antitrust enforcement DOJ

At the American Bar Association’s Anti-Trust in Healthcare Conference, Deputy Attorney General Barry Nigro provided a wide ranging presentation regarding DOJ efforts to combat rising health care fraud. He noted that, in 2016, health care spending in the United States accounted for $3.3 trillion, or $10,348 per person—approximately 18 percent of Gross Domestic Product (GDP). At this level of spending, the economy can ill afford fraudulent activity to increase the cost of health care. Inasmuch as health care involves critical care, it means the DOJ is giving it a higher priority. DOJ is continuing to give this area a priority that includes rigorous investigation and prosecution of those engaged in Medicare provider fraud and price gouging by drug makers. The DOJ will carry on with questioning mergers and potential collusion among health systems and payers. This includes market allocation agreements, price fixing, and naked market allocation. Some of the topical areas covered in his address included the following:

  1. Criminal prosecutions related to price fixing and market allocation agreements
  2. Parties circumventing generic drug regulations
  3. Market allocation and no-poach agreements
  4. Limitations on exemptions and immunities from anti-trust laws
  5. Continued reliance on the Clayton Antitrust Act
  6. Urging states to consider negative effect on competition when passing laws
  7. Support for certificate of need provisions
  8. Urging states to consider laws that impose occupational licensing requirements
  9. Professionals being able to advertise receiving board certification to patients

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Exit interviews as a compliance communication channel

Tom Herrmann, JD, had served in a senior capacity with the Office of Counsel to the Inspector General (OIG) at HHS. He pointed out that the OIG, in its compliance guidance, calls for the development of effective lines of communication with employees as very important to the successful implementation of a compliance program and the reduction of any potential for fraud, abuse and waste. This include implementation and use of hotlines (including anonymous hotlines), e-mails, written memoranda, newsletters, and other forms of information exchange to maintain these open lines of communication. One significant channel of communication is the use of exit interviews to debrief departing employees prior to their departure. A major factor influencing the advancement of exit interviews in connection with compliance programs has been the rise in the number of “whistleblowers.” Most of these come from people reporting on an organization they had recently left.  As such, there is great value in debriefing those departing the job that includes asking question about any observed violations of law, regulation, Code of Conduct, or policies. Optimally, an exit interview process should be done in time to permit possible remedial actions before they leave employment.  He has found that exit interviews can also be useful in avoiding other costly litigation involving unlawful harassment, discrimination, safety violations, etc.  It is very important to keep a record of the interviews conducted and responses.

Carrie Kusserow has been developing, enhancing and monitoring exit interview programs for over 15 years. She noted that many organizations conduct employee exit interviews (also called exit surveys) to gather data for improving working conditions and retaining employees. This has been common in human resource management for generations and this type of communication can be useful in taking actions to correct deficiencies, reduce turnover, identify potential compliance-related problems, and maintain a productive work environment. However, exit interviews may also be used to alert an organization to company compliance issues, potential whistle-blowers, or quality of care issues. At a minimum, an exit interview should include compliance program oriented questions that relate to compliance education, policies, anonymous reporting procedures, and attitudes towards the compliance program. The following are examples:

  1. How effective was your training on the compliance program, Code of Conduct and policies?
  2. Were you trained on how to report concern and problems confidentially or anonymously?
  3. Did you believe that those reporting compliance issues would be protected from retaliation?
  4. Are you aware of any ethical or compliance issues; and if so did you report them?
  5. How could the company strengthen its message regarding ethics and compliance?
  6. Is everyone in the work force treated fairly?
  7. Do you believe management fully supports the compliance program?
  8. Are you leaving due to any compliance concerns about your job or work environment?
  9. Are you aware of any improper or illegal conduct in the workplace? If so, who and what?
  10. Have you reported compliance issues or concerns that are unaddressed? If so, explain.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.