Kusserow on Compliance: Compliance officers should have active roles in CIA negotiations

Laura Ellis, HHS Office of Inspector General (OIG) Senior Counsel, has a reputation for managing the most difficult and complicated corporate integrity agreements (CIAs) on behalf of the OIG. At the recent Health Care Compliance Association (HCCA) Compliance Institute, she urged compliance officers not to sit on the sidelines while a CIA is being negotiated with the OIG. They should be actively involved in all facets of negotiation and should not wait to be involved until the agreement is signed and put into effect. She reminded everyone that once the CIA is signed, the compliance officer will be the face of the company to the OIG, not the attorneys. From years of experience, she has found attorneys negotiating terms and conditions of a CIA often don’t have the operational experience to fully understand all the implications of what is being committed to in terms and obligations. As a result, it is not uncommon for attorneys to come back to the OIG after a CIA has been executed to try to renegotiate points. This is triggered as a result of management and the compliance officer realizing what is involved in meeting the terms and conditions. Ellis stated that the OIG is not inclined to reopen CIA negotiations. The mistake was not having the compliance officer on the front end of negotiations and present during the negotiation process. As the CIA settlement process takes shape, the compliance officer needs to:

  • be part of the negotiations;
  • review and comment on all drafts;
  • create a basic plan from the draft to determine what it takes to meet obligations;
  • conduct a mini-gap assessment of what it takes to do what the CIA would require;
  • begin work on implementation strategies; and
  • start the process to determine resource needs to meet obligations.

Ellis also made the point that attitude matters once a CIA is in place, and compliance officers should work with the monitor in an open and honest way. A positive working relationship between the monitor and the compliance officer is in everyone’s best interest. The earlier in the process that they get to know each other, the better.

Thomas Herrmann, J.D., was previously responsible on behalf of the OIG for negotiating CIAs and providing monitors, and subsequently gained many years of consulting experience working with more than a dozen clients with CIAs and as an independent review organization (IRO). He says that what many fail to understand is that, although the OIG is involved in the Department of Justice (DOJ) settlement process, a different OIG attorney will be assigned as negotiator for the CIA. Once the agreement is executed, it is passed on to a different OIG attorney to be the monitor to assure compliance with the terms of the CIA. A very common mistake is for attorneys to deal with issues handled by someone earlier in the process, or in effect, re-litigate. This is a big mistake. The OIG will not re-litigate or interpret decisions made by the DOJ. At the same time, the OIG monitor is definitely disinclined to deal with issues that were or should have been addressed with the OIG negotiator. Herrmann goes on to explain that the OIG views the organization’s legal counsel as filling an adversarial role, but once things are executed, the OIG does not want to continue dealing with the advocate. The focus of the relationship with the OIG should be on meeting the terms of the CIA. Herrmann sees it as a huge mistake for the legal counsel to continue making arguments or try to modify terms with the monitor, as this frequently leads to aggravation of matters and creates additional problems for the organization. The monitor wants to deal with how the organization will meet its obligations, and that means working with the compliance officer to determine how the terms and conditions of the CIA will be fulfilled. It behooves compliance officers to get to know their monitor as quickly as possible, evidence their commitment, and exhibit an attitude to work out what it takes to get the job done.

Carrie Kusserow has over 15 years’ compliance officer and consultant experience; in fact, she was brought in to be the compliance officer to an organization under a CIA while Laura Ellis was the monitor. Her experience with Ellis was precisely what Ellis explained during her presentation.   Maintaining the focus on meeting the obligations of the agreement is very important for credibility and permits ironing out of issues. By listening carefully and responding to Ellis’ questions openly in a forthright manner, Kusserow developed a very good working relationship.  This made work easier for everyone.  Compliance officers need to listen carefully to what the monitor expresses, working as needed and then immediately following up to report actions taken. The focus must stay on getting the job done to the satisfaction of the OIG.  It is also critical that the compliance officer at all times be “straight up” and honest with the OIG.  If this is done, then a bond of trust can be developed that can iron out details that are sure to arise. This can permit seeking non-adversarial clarification of terms and conditions. On the other hand, failing to develop a proper working relationship with the monitor can result in lack of understanding and increased work for everyone. As such, as soon as the CIA is signed, the compliance officer should come into direct contact with the OIG monitor.

Suzanne Castaldo, J.D., has worked both as a litigator and compliance consultant dealing with numerous organizations with CIAs. She confirmed what Ellis noted about attorneys negotiating with the OIG without active involvement of either management or the compliance officer. In almost every case, it has created avoidable issues.  She strongly recommends that anyone engaging a law firm to assist with CIA negotiations insist on including knowledgeable members of management and the compliance officer in all meetings with the OIG.  All terms that are being negotiated should be reviewed and assessed by them to understand all implications and resulting work obligations. Many attorneys will not find this to their liking and may argue against it.   However, not being part of this process reminds one of “arriving at the dance after it is over.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.


Kusserow on Compliance: Compliance culture a key measure of program effectiveness

The compliance culture is the set of shared attitudes, values, goals, and practices that characterizes an institution or organization when it comes to compliance with laws, regulations, rules, standards, code of conduct, and policies.   Oversight agencies believe the compliance program should be a change agent in promoting a culture of compliance that creates an environment less likely to have regulatory or enforcement problems.  This means establishing a culture in which everyone in the work environment embraces and adheres to rules, regulations, laws, code of conduct, and policies.  The Department of Justice (DOJ) and the HHS Office of Inspector General (OIG) frequently encounter organizations with compliance programs that exist on paper, but that culturally failed to be effective in operation. Compliance officers should find means to evidence that the culture of the organization matches the compliance goals.

Positive compliance culture promotes good business

Carrie Kusserow, with over 15 years’ experience as a compliance officer and consultant, makes the case that a good compliance culture is also good for business and does not just serve as a “cost center.” She notes there are many positive benefits to be derived from the effort. She offered the following points in her argument.

  • Organizations are less likely to have liabilities arising from wrongful behavior.
  • Evidence suggests compliance-committed organizations are more efficient.
  • Lower employee turnover occurs when the organization culture is to abide by rules and standards.
  • There exists greater employee commitment to compliance with laws, rules, code of conduct and policies.
  • Employees feel less pressure to compromise company standards to achieve company goals.
  • Employees are empowered to report wrongful behavior and misconduct internally, not externally.

Compliance culture surveys evidence compliance program effectiveness

Steve Forman, CPA, has been using compliance culture surveys for the last 20 years, both as a compliance officer and as a compliance consultant. He believes that one of the best and most inexpensive methods for evaluating, evidencing, and benchmarking compliance program effectiveness is through a compliance culture survey that measures employee perceptions of ethical culture and/or the compliance program. He likes using this type of survey alternately with a compliance knowledge survey that tests employee knowledge of the program. He points to the fact that the OIG recommends this in its Compliance Program Guidance, wherein it noted that “as part of the review process, the compliance officer or reviewers should consider techniques such as . . . using questionnaires (employee surveys) . . . developed to solicit impressions of a broad cross-section of . . . employees and staff.” Results from a professionally administered survey provide a very powerful and credible report to the compliance oversight committee, as well as to any outside authority questioning the program. They can also identify relative strengths in the compliance programs, as well as those areas requiring special attention, information that is invaluable for compliance officers.

Compliance survey benefits

Conducting a compliance survey provides numerous benefits to an organization.  For example, it can:

  • provide outcome measurements for the compliance program;
  • serve as critical evidence in determining the degree of effectiveness of the compliance program;
  • identify program strengths and potential weakness warranting attention;
  • evidence the extent of individual and leader commitment to compliance;
  • assess the current state of the compliance climate or culture of an organization;
  • communicate a positive message that employee opinions and perceptions are valued;
  • underscore organization commitment to employees;
  • increase management attention on what is being measured;
  • provide metrics as to progress in developing an effective compliance program;
  • benchmark compliance program effectiveness improvement;
  • signal the organization as to employee attitudes and perceptions;
  • tell employees that what they believe and understand is important; and
  • provide guidance as to where improvements are needed.

Benchmarking compliance program progress

Jillian Bower, with many years of experience in administering compliance surveys, as well as serving as interim compliance officer, notes the OIG compliance guidance says that “the existence of benchmarks that demonstrate implementation and achievements are essential to any effective compliance program.” Surveys can be used to meet that standard. If the survey being used is anchored in a large database of users, the organization can benchmark its results against that universe, which most organizations view as very important. Furthermore, an initial survey can establish a baseline from which future surveys can be used to benchmark progress of the compliance program. The surveys can benchmark and measure change in the compliance environment over a period of time. However, Bower warns it is inadvisable to use the same survey annually, as significant changes among the work force take time to show results.

Alena Treen, of the Compliance Resource Center (CRC), has many years’ experience in administering compliance surveys. She explained that culture surveys focus on the beliefs and values which guide the thinking and behavior of employees within an organization. They are usually presented in a Likert Scale format that offers a series of gradations in which respondents are asked whether they “Strongly Disagree,” “Disagree,” are “Neutral,” “Agree,” or “Strongly Agree” with the statement presented in each item. This is in contrast with a compliance knowledge survey designed to learn how much employees know about the program with questions answerable as yes or no. She notes it is highly advisable to use a valid, independently administered web-based survey that has been tested over many organizations and ensures participant confidentiality. Using a professional survey service specializing in health care compliance is surprisingly inexpensive and less costly than developing and delivering a survey in house that doesn’t carry the same level of credibility. The CRC has been using the Compliance Benchmark Survey© since 1993, and the survey has been employed by hundreds of health care organizations and over a half million surveyed population. Treen normally deals with reports that are about 50 pages in length that provide advice on each topical area and question as to how improvements may be made. Clients find comparing their results with the universe to be the most beneficial information.


OIG reviews MassHealth and its Medicaid data and information system safeguards

MassHealth failed to adequately safeguard data and information systems through its Medicaid Management Information System (MMIS), according to an audit by the HHS Office of Inspector General (OIG) undertaken to determine whether Massachusetts safeguarded MMIS data as required under federal requirements.

What is MMIS?

The MMIS is “an integrated group of procedures and computer processing operations (subsystems) developed at the general design level to meet principal objectives” which are: Title XIX program control and administrative costs; service to recipients, providers and inquiries; operations of claims control and computer capabilities; and management reporting for planning and control. States receive 90 percent federal financial participation (FFP) for design, development, or installation of MMIS and 75 percent FFP for operation of state mechanized claims processing and information retrieval systems.

MassHealth MMIS

The Massachusetts Executive Office of Health and Human Services is responsible for administering the state Medicaid program, commonly known as MassHealth, and information technology architecture, maintenance, and support is provided by the Massachusetts Office of Information Technology. Application support is provided through a contract with Hewlett-Packard.

The audit

Audits of information security controls are performed routinely on states’ computer systems used to administer HHS-funded programs and states are required to implement computer system security requirements and review them biennially. The OIG’s audit of MassHealth’s MMIS included MassHealth’s websites, databases, and other supporting information systems. The review was limited to security control areas and controls in place at the time of the visit. Specifically, the OIG looked at MassHealth’s implementation of federal requirements and National Institute of Standards and Technology guidelines regarding: system security plan, risk assessment, data encryption, web applications, vulnerability management, and database applications. Preliminary findings were communicated directly to MassHealth prior to the report’s issuance.

OIG’s findings

The OIG found MassHealth did not safeguard MMIS data and supporting systems as required by federal requirements. Vulnerabilities were discovered related to security management, configuration management, system software controls, and website and database vulnerability scans. Should exploitation of the vulnerabilities have occurred (and there was no evidence that it had), sensitive information could have been accessed and disclosed and operations of MassHealth could have been disrupted. Sufficient controls must be implemented over MassHealth Medicaid data and information systems.

Specific vulnerabilities uncovered were not detailed in the report because of the sensitive nature of the information. However, specific details were provided to MassHealth so it may address the issues. In response to the report, MassHealth described corrective actions it had taken or planned to take in response to the vulnerabilities.

Equities rest with agency in administrative enforcement actions

Administrative enforcement is quicker than an investigation but still “deadly” for the provider or supplier, concluded Judith Waltz, partner at Foley & Lardner LLP, at the American Health Lawyers Association’s 2017 Institute on Medicare and Medicaid Payment Issues. “Administrative enforcement” means the tools available to HHS, CMS, and the HHS Office of Inspector General (OIG) without or with limited formal involvement of the Department of Justice, including civil money penalties (CMPs), payment suspensions, and billing privilege or enrollment denials and revocations. In administrative enforcement actions, the equities and more discretion may rest with the agency, and a lesser burden of persuasion applies for the agency to prove its case.

Exclusion regulations

In December 2016 the OIG revised its exclusion regulations (see 81 FR 88334) in part to implement the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148). Waltz explained that the final rule did the following: (1) expanded its permissive exclusion authority for convictions related to obstruction of an investigation to include audits; (2) added permissive exclusion authority for making false statements, omissions, or misrepresentations in enrollment applications; (3) added early reinstatement for loss of license in a different state; and (4) added a 10-year look-back period for exclusions.


Waltz noted that CMPs are being updated annually for inflation pursuant to a final rule issued in December 2016 (see 45 C.F.R. Part 102). For example, a CMP for failing to grant timely access is up to $15,000 per day, $16,312 after inflation, and the CMP for false statements, omissions, or misrepresentations in enrollment or similar documents is up to $50,000 per false statement, $54,732 after inflation. Waltz said, “After inflation, numbers are unbelievable.”