Kusserow on Compliance: ‘Mock’ DOJ compliance program evaluations may be worthy of consideration

In 2018, Assistant Attorney General Brian Benczkowski developed guidance to educate prosecutors on taking a deep look into the sufficiency and proper functioning of a subject company’s compliance program, giving leniency to an organization with an effective compliance program. In 2019, the DOJ Compliance Program Guidance set the stage with 179 questions that prosecutors should use. The 2020 DOJ version advanced significantly upon the guidance and nearly doubled the number of factors and questions to be considered. It concentrated on a “deep dive” beyond the “paper program” in assessing the effectiveness of program operations. The guidance has now been extended from just the Criminal Division to include all of DOJ, including the Civil Division, where most health care cases are handled.

The multitude of related questions and factors creates a great challenge for Compliance Officers trying to convince prosecutors that their program meets these standards. Inasmuch as the DOJ would have already determined that the organization has violated federal law, it is reasonable to expect the DOJ will want hard, credible evidence from the Compliance Officer. The fact is, very few programs can withstand detailed examination by the DOJ. Compliance Officers may find a “Mock DOJ Compliance Program Evaluation” a useful step to advance the program to meet the challenge.

A “Mock Review” is an assessment that mirrors the tenets of a formal evaluation by DOJ prosecutors. When Strategic Management performs such reviews, it takes a very different approach from a traditional evaluation or “Gap” analysis. Those reviews result in something like a report card, whereas the “Mock Review” is a more limited and less costly consulting advisory engagement, conducted in collaboration with the Compliance Officer, that focuses on identifying ways to better document answers to the DOJ questions. The results are action items to fortify the program and fix noted weaknesses, and they can be used as the foundation for the annual Compliance Office workplan. A “Mock Review” also has the benefit of evidencing the continuing improvement and advancement of the Compliance Program.

For more information on this subject, contact Richard Kusserow (rkusserow@strategicm.com).

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Evidencing compliance culture is a major focus of the DOJ compliance guidance

“Has the company surveyed employees to gauge the compliance culture”

The DOJ 2020 Evaluation of Corporate Compliance Programs calls for prosecutors to “assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operation.” The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top. Additionally, “beyond compliance structures, policies, and procedures, it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company.” Prosecutors are told to review the company’s culture of compliance and give consideration to the following questions:

  1. “Has the company surveyed employees to gauge the compliance culture”
  2. “How often and how does the company measure its culture of compliance?”
  3. “What steps has the company taken in response to its measurement of compliance culture?”

The challenge is finding the best method by which a compliance culture survey can be administered and analyzed so as to evidence a positive compliance culture. This also means having results that are convincing and credible both to those surveyed and to those who review the results. One answer is to employ the Compliance Benchmark Culture Survey©, which has been employed since 1993 by hundreds of health care organizations and entities, with a survey population of over three quarters of a million employees. It is the only such survey focused exclusively on the health care sector. It is time-tested and reliable, and it provides credible results that meet the tests of validity (accuracy of measurement), reliability (quality of the data obtained), and overall survey viability. Unlike the Compliance Knowledge Survey©, which uses dichotomous “yes-no” answers, a culture survey uses a Likert Scale, where respondents specify their level of agreement or disagreement with a question or statement, thus capturing the intensity of their feelings for a given item. As such, this type of survey is appropriate when trying to gauge the attitudes and perceptions of employees regarding the compliance program.

Compliance Benchmark Culture Surveys© are a very cost-effective method and an excellent way to gather a great deal of information from many people. The cost of most surveys is approximately $5,000 – 7,000. This includes a 30-plus page report that provides a “deep-dive” data analysis and interpretation of results for individual questions, panels, or overall scoring, with suggested actions for making improvements. It can also be used for internal benchmarking, with current results serving as a baseline against which future surveys can be benchmarked, as well as for external benchmarking against the universe of organizations using the same survey instrument.

For more information on this topic, contact Richard Kusserow at rkusserow@strategicm.com.

Kusserow on Compliance: OCR continues enforcement involving HIPAA breaches

2020 Survey found 60 percent of health care organizations had recent OCR encounters

Lifespan to pay $1,040,000 to Settle Unencrypted Stolen Laptop Breach

Although many agencies have taken the pandemic into consideration when pursuing enforcement actions, this does not mean they have stopped altogether. Everyone was reminded of this with the announcement that Lifespan Health System Affiliated Covered Entity has agreed to pay $1,040,000 to the HHS Office for Civil Rights (OCR) and to implement a corrective action plan with OCR monitoring for 2 years, in order to settle potential violations of the HIPAA Privacy and Security Rules related to the theft of a hospital employee’s unencrypted laptop containing electronic protected health information affecting 20,431 individuals. OCR’s investigation found:

  • Lack of policies and procedures to encrypt all devices used for work purposes.
  • Failure to encrypt ePHI on laptops.
  • Lack of device and media controls.
  • Failure to have a business associate agreement in place.

Going forward, Lifespan must designate at least one individual to ensure that the organization enters into business associate agreements with its business associates. It must also develop a process for evaluating business relationships and determining which vendors should be considered business associates.

It is noteworthy that the 2020 Healthcare Compliance Benchmark Survey Report found respondents reporting more enforcement encounters with OCR than with the OIG or DOJ. Nearly 60 percent of respondents reported having encounters with the OCR regarding HIPAA breaches in the last few years. The question is no longer whether there will be a HIPAA Breach problem that draws OCR attention, but when it will occur. The Survey also found that three quarters of compliance offices now had responsibility for HIPAA Privacy. This lays the compliance challenge at the feet of Compliance Officers.

Kusserow on Compliance: Written policies are necessary to govern compliance communication channels

An organization with an effective compliance program is one whose employees can easily share and receive information about what is expected of them in the workplace, and one that provides a means to report compliance issues and violations of standards of behavior. The OIG and DOJ stress the importance of having multiple channels of compliance communication, not limited to hotlines. Without question, the “hotline” is the major avenue of communication for receiving reports of employee concerns, observed unallowable behavior, violations of law/regulations, breaches of safety standards, theft, and other wrongdoing. This channel has been further stimulated by the inclusion of web-based reporting in recent years. Other channels by which employees can voice concerns and perceptions can include feedback from training, independent confidential surveying, bulletin boards, suggestion boxes, email, exit interviews, staff meetings, etc. Included with these other channels should be easy and direct access to managers, as well as to the compliance office.

Communication is a two-way street that needs to include feedback and dissemination of information to employees. It is important to share news, announcements, discussions, surveys, and anything else relevant with employees. This information needs to come from an accessible place. Many health care organizations use their Intranet as a major communication vehicle. Once the compliance communication channels have been created, they call for “rules of the road” governing the processes, in the form of policies and procedures.

The fact is that there are several related policy documents called for by regulatory authorities as essential to an effective compliance program. These include, but are not limited to, “Duty to Report Policy,” “Non-Retaliation Policy,” “Anonymous Reporting Policy,” “Confidential Reporting Policy,” “Hotline Operations Policy,” “Compliance Investigation Policy,” “Disclosure of Overpayments Policy,” “Disclosure of Violations of Law/Regulations,” and “Compliance Office Confidentiality Policy,” among others. There is also a need for policies for the proper handling and management of information to guard against leaks, which opens the door to a whole set of policies related to IT and information controls. These policies should be inter-related and mutually supporting. They tell employees of their obligations to report suspected wrongdoing, how to do it, how the information will be acted upon, and what to expect once the report is submitted.

For more information regarding this subject and availability of compliance policy templates, see the Policy Resource Center at www.complianceresource.com.