Kusserow on Compliance: Tips for an effective compliance exit interview program

– Useful only if done correctly

Carrie Kusserow has developed and evaluated many compliance-related exit interview programs and has found that one that is properly designed and constructed may give early warning of a potential liability and permit corrective action before the problem escalates. There is the added benefit that the program may deter departing employees from becoming “whistleblowers” after they have secured new employment and are free of the fear of retribution or retaliation. Affording these employees an opportunity to provide information prior to departure gives the individual a legitimate path for redress of grievance and reduces the likelihood they will turn outside the company to “blow their whistle.”

She found the most cost-effective, efficient, and useful programs are those that separate the compliance exit interview from the last-day HR exiting process of filling out forms, turning in company property, and receiving COBRA and other needed information. On the last day, departing employees are often preoccupied with the process of leaving and what is required of them, and may be reluctant to reveal the full and true reasons for leaving. Exit interviews should be conducted as far in advance of the last day as possible. They should be a live exchange and not just a “fill out the form” process, and those conducting the interviews should be properly trained and have the skills to obtain useful information.

If done properly, exit interviews allow departing employees to describe experiences and identify issues for management that could otherwise remain unknown. Most such interviews will likely take only 15 to 30 minutes. The biggest challenge is deciding whom the compliance officer should debrief, since only a limited number of interviews can be done. Generally, the individuals are limited to members of management and those identified as potentially having a grievance against the organization. She offered the following tips for those considering establishing or enhancing their exit interview program.

  1. Create a policy document as to what level of management should be debriefed by the compliance officer. It is important to carefully define covered persons to avoid individuals resisting being interviewed. The interview can then be presented as just another formality that must be followed before exiting the organization.

  2. Interviews should be scheduled as soon as possible after the decision to leave the organization has been made. This permits the organization to take remedial action on any problems raised during the interview before the person leaves.

  3. Conduct the interview away from the person’s office, to avoid distractions or interruptions, and in a place where the conversation cannot be overheard.

  4. Use open-ended questions, where the departing employee supplies the answer; these are much more effective than having answers chosen from a predetermined list. Departing employees are typically reluctant to say or do anything that might prejudice their opportunities for future employment. The reliability and usefulness of the results is strongly affected by the skill of the interviewer and whether the employee trusts the interviewer.

  5. Include questions about the departing employee’s experience, especially where it involves compliance matters, discrimination, harassment, etc. The debriefing should include very pointed questions about their workplace experience with regard to compliance.

  6. Questions should include whether they observed any violations of laws, regulations, the Code of Conduct, policies, etc. If so, the compliance office should be alerted.

  7. Any management, regulatory, or legal issue raised should be addressed, if possible, before the employee leaves the control of the organization. Taking corrective action while the person is still an employee may forestall that person from taking the same issues to an attorney, government agency, the media, etc.

For more information or assistance in establishing Compliance Program Exit Interview Programs, contact ckusserow@strategicm.com.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG program exclusions reported for second half of 2019

Total of 2640 new exclusions added to the LEIE in 2019

Under the Social Security Act, the HHS Office of Inspector General (OIG) is able to exclude individuals and entities from participation in Medicare, Medicaid, and other Federal health care programs. Exclusions are required (mandatory exclusion) for individuals and entities convicted of the following types of criminal offenses: (1) Medicare or Medicaid fraud; (2) patient abuse or neglect; (3) felonies for other health care fraud; and (4) felonies for illegal manufacture, distribution, prescription, or dispensing of controlled substances. The OIG is also authorized (permissive exclusion) to exclude individuals and entities on several other grounds, including misdemeanors for other health care fraud (other than Medicare or Medicaid); suspension or revocation of a license to provide health care for reasons bearing on professional competence, professional performance or financial integrity; provision of unnecessary or substandard services; submission of false or fraudulent claims to a federal health care program; or engaging in unlawful kickback arrangements. The Patient Protection and Affordable Care Act (ACA) added another basis for imposing a permissive exclusion, that is, knowingly making, or causing to be made, any false statements or omissions in any application, bid, or contract to participate as a provider in a federal health care program, including managed care programs under Medicare and Medicaid, as well as Medicare’s prescription drug program.

During this semiannual reporting period, the OIG excluded 1,347 individuals and entities from Medicare, Medicaid, and other federal health care programs. Most of the exclusions resulted from convictions for crimes relating to Medicare or Medicaid, patient abuse or neglect, financial misconduct, controlled substances, or as a result of license revocation. The OIG completed the deployment of a new service for State Medicaid Fraud Control Units (MFCUs) to report convictions through a central web-based portal for exclusion. This improved reporting from those agencies. A list of excluded individuals and entities can be found at https://exclusions.oig.hhs.gov/.

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: New Jersey’s largest hospital system—Hackensack Meridian Health—subject to ransomware attack

Hackensack Meridian Health announced that it was the subject of a ransomware attack and paid an undisclosed amount to regain control over its systems. Hackensack is the largest health system in New Jersey with $6 billion in annual revenue, more than 35,000 employees, and 17 hospitals—including Jersey Shore University Medical Center in Neptune, Hackensack University Medical Center, and JFK Medical Center in Edison. The attack brought down the computer network for two days, forcing hospitals to reschedule non-emergency surgeries and sending doctors and nurses scrambling to deliver care without access to electronic records. The health system promptly notified the FBI and other authorities and spoke with cybersecurity and forensic experts. The announcement included that the health system had insurance coverage to help cover the costs associated with cyber-attacks—payment, remediation, and recovery efforts. The network’s primary clinical systems have now returned to being operational, and information technology specialists are working to bring all its applications back online. The announcement did not indicate that any patient information was subject to unauthorized access or disclosure.

This is another vivid reminder for health care organizations to prepare for and plan how to respond to such an attack. Hospitals and providers of health care services continue to be a prime target of ransomware attacks. Their systems tend to be more vulnerable, and their dependence on patient data is critical to their function. Any failure to have access to it can be extremely detrimental for patients.

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Health care remains a top target for cyber-criminals

Data has value, and businesses and individuals rely upon imperfect systems to store their information. Those committing fraud focus on sensitive data and on targets with weak controls. For these reasons, data breaches are becoming more common in the health care sector, where sensitive data can be found. Thus, organizations which have yet to protect themselves need to take proper cautionary steps to control access to that information. Among the best targets are hospitals and other health care institutions that are dependent on immediate access to their data in order to provide necessary treatment for their patients. They also have a treasure chest of data about their patients, including addresses, dates of birth, Social Security numbers, family members, phone numbers, contact details, and more. Once obtained, this information can be sold on the “black market.” Gaining access to this valuable data can be extremely profitable, but locking the entity out of access to its information, as in the case of ransomware, can be a calamity for providers that must have immediate access to their patient data. A further attraction to cyber-criminals is the fact that many health care entities have weak controls. In this regard, entities’ major weakness is their employees, who through ignorance or carelessness open the door to cyber-attacks. With that in mind, health care firms should put more resources into proper training for their employees.

Cyber-Attack Prevention Tips

  1. Implement policies and procedures for taking precautions against malware
  2. Provide training on recognizing phishing and the danger of malicious links and attachments
  3. Ensure everyone creates complex passwords that are difficult to guess or crack
  4. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access
  5. Limit employee access to systems on a need-to-know standard
  6. Review/restrict privilege by limiting the people accessing files on a single server
  7. Monitor email carefully and don’t open email attachments from unknown parties
  8. Train employees (the weak link) to recognize and prevent cybercrimes
  9. Train against clicking email links/attachments, or responding to “phishing” inquiries
  10. Ensure employees don’t leave the workplace with data and files
  11. Monitor external exchanges
  12. Continuously monitor employee and vendor networks
  13. Establish an aggressive patching schedule for all software
  14. Update software to include improved controls
  15. Establish and monitor the use of encryption of transmitted information
  16. Regularly test users to make sure they are on guard
  17. Configure email servers to block zip or other files that are likely to be malicious
  18. Focus security efforts on those files that are most critical—patient records

For more information on this subject, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com

Copyright © 2019 Strategic Management Services, LLC. Published with permission.