Kusserow on Compliance: DOJ compliance program guidelines once again focus on sufficiency of compliance resources

The 2020 Department of Justice (DOJ) Compliance Program Guidance for prosecutors places increased emphasis on questioning the adequacy of compliance resources that the DOJ views as essential for any program’s effective functioning. The DOJ elaborated that prosecutors should ask questions concerning whether the program is “adequately resourced and empowered to function effectively.” Put differently, even the most artfully constructed program is doomed to fail without sufficient funding, qualified compliance personnel, and widespread support throughout all levels of an organization. A question for many health care organizations is whether the organization would pass DOJ scrutiny on this point.

Results from the 2020 SAI Global Healthcare Compliance Benchmark Survey, developed with and analyzed by Strategic Management, included information regarding the adequacy of resources for Compliance Officers in meeting their challenges. The details of the Survey responses suggest that many compliance offices are likely operating with less than fully adequate resources to meet DOJ expectations. The Survey results indicated that the average compliance office staff level is five individuals, with about one third of respondents reporting only one full- or part-time person. In a related question, over half of respondents indicated they are expecting their budget to remain mostly the same, with about one quarter expecting some increase, while at the same time assuming new responsibilities, most notably those related to HIPAA Privacy and Security. Given the average staffing level of compliance offices, increasing responsibilities, heightened enforcement by government agencies, and limited increases in budgetary resources, it is likely that most compliance offices are stretching their limited resources and would have difficulty meeting the DOJ standards. The Survey also found that many are turning to external vendors to provide services and tools, to stretch limited staff resources and to lower operating costs.

 

For more information on this subject, contact Richard Kusserow at rkusserow@strategicm.com

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Compliance investigation witness interview questions

20 key questions to be answered

The biggest challenge to conducting successful compliance investigations is knowing how to conduct successful witness interviews. Many find a list of predetermined questions to ask witnesses in a compliance investigation useful. However, care needs to be taken, as this approach limits the information the investigator will get from the interview by constraining the conversation within a rigid framework. Begin with simple questions about an individual’s position, how long they have worked for the organization, who their supervisor is, etc. This will allow the individual to relax a little before going into substantive questioning. Keeping the interview as a fluid conversation will likely be more productive. It is always preferable to use open-ended questions to let a witness tell their story in their own way, such as “Tell in your own words about….” The following 20 questions can be used as a guide to frame your interviews and as a reminder at the end of the interview to ensure all the key points have been addressed:

  1. What happened?
  2. Where did it happen?
  3. When did it happen?
  4. Who did it?
  5. Has it happened before?
  6. How often?
  7. Who else was present?
  8. Do you know of others who may have been affected by the incident or behavior?
  9. Who else may have seen or heard the incident or behavior?
  10. How did you react?
  11. How did any others present react?
  12. Did you ever indicate that you were upset or offended by the incident or behavior?
  13. Have you discussed the incident or behavior with anyone?
  14. Has anyone else reported this?
  15. How has the incident or behavior affected you?
  16. How has the incident or behavior affected your job?
  17. Have you sought medical treatment or counseling because of the incident?
  18. Do you have any evidence or documentation about the incident or behavior?
  19. Is there anyone else who may have relevant information?
  20. Is there any other relevant information that I haven’t asked you about?

For more information on conducting compliance investigation interviews or securing investigator training, contact Richard Kusserow at Rkusserow@strategicm.com.

 


Kusserow on Compliance: Inova Health System another victim of ransomware attack

Inova Health System is the latest of a dozen health systems affected by a ransomware attack at a third-party software vendor. The Virginia-based health system issued a notice on September 9, 2002 notifying up to 1,045,270 patients and donors, according to a notification Inova submitted to the HHS Office for Civil Rights (OCR). The incident is traced back to Blackbaud Inc., a third-party service vendor used for fundraising and alumni or donor engagement efforts at non-profits and universities. Inova’s notice stated that it was notified by Blackbaud of a ransomware attack which it had discovered and stopped in May 2020.

The attack involved intermittently removing data from the Blackbaud system, which included certain information maintained for Inova. Investigation by Inova found that the data affected by the attack may have contained certain personal information of some patients and donors, including: full names, addresses, dates of birth, phone numbers, provider names, dates of service, hospital departments, and/or philanthropic giving history such as donation dates and amounts. The notice also stated there is no evidence that the data will be misused, disseminated or made publicly available, and Inova was assured that all compromised data was destroyed and the vulnerability that allowed the incident was closed. The incident did not expose Social Security numbers, financial account information, payment card information, or electronic health records. Blackbaud reportedly prevented the cybercriminals from blocking its system access and fully encrypting its files; however, the criminals were able to remove a copy of a subset of data. Blackbaud also reported paying a ransom so that the attackers would destroy their backup file of stolen information.

 


Kusserow on Compliance: Fifteen tips for a more effective hotline program

Having an effective hotline program is a must for any effective compliance program. The operative word is “effective.” Laurel Eakes at the Compliance Resource Center has worked with many hotline operations. She notes from her experience that “the hotline needs to be seen by employees and management as a priority to bring complaints and allegations of wrongdoing in house. The alternative is to drive such information externally to government agencies, litigating attorneys, media, etc., and that can only spell trouble. As such, not acting promptly on information received can result in potential liabilities, headaches, and a lot of remedial work. It is important to make employees comfortable in raising concerns internally and lessening the perceived need to resort to ‘whistleblowing’ to external parties.” Eakes offered the following tips she has found with her clients for ensuring a more effective hotline program:

  1. Implement related policies (e.g. Hotline Operations, Duty to Report, Non-Retaliation, Anonymous and Confidential Reporting, Investigations, etc.)
  2. Log and track all complaints/allegations received through resolution
  3. Set time frames for completion and resolution of complaints and verify they are followed
  4. Be sure those investigating hotline allegations have been trained how to do it properly
  5. Document all steps in the process of resolving hotline complaints/allegations
  6. Have posters on employee bulletin boards for the availability and use of the hotline
  7. Ensure the hotline number and its availability are included in new employee orientation
  8. Ensure the hotline program is part of annual compliance training
  9. Have information about the use of the hotline made part of the Employee Handbook
  10. Consider having a flyer go out to all employees on the availability of the hotline
  11. If there is an Intranet for employee use, include information about the hotline
  12. If there is an organization newsletter or intranet, use it to promote the hotline
  13. Maintain a document management system for compliance records
  14. Ensure records are kept in a secure limited access area
  15. Develop summary reports for management and Board on results from the hotline program

 

For more information on this subject, contact Laurel Eakes (leakes@complianceresource.com)

 
