Kusserow on Compliance: Tips on developing and revising the ‘Code of Conduct’

All compliance guidance from the U.S. Sentencing Commission to the HHS Office of Inspector General (OIG) and DOJ has called for having a Code of Conduct as a foundation document for any effective compliance program. However, many such codes are far out of date and fail to provide the needed guidance for employees on their obligations towards compliance. The initiation of compliance program guidance by the OIG was a major stimulant for having Codes of Conduct. In the early days of responding to such guidance, many organizations quickly developed a “Compliance Plan” that included all seven elements of the program, including a Code. Unfortunately, plans are statements of intent, not an operating program and converting them into fully functioning and effective programs has years. This has included reviewing, revising and updating their Code of Conduct and compliance-related policies.

Daniel Peake of the Compliance Resource Center (CRC) (dpeake@compliancereource.com (703)-236-9854) works with compliance officers to provide a variety of compliance related services that includes the Policy Resource Center (PRC) which provides templates for compliance-related documents, including Codes, charters, policies, audit guides, etc. He notes that the PRC offers Code templates, but it is important that the Code should reflect the organization’s spirit, tone, and culture. If it doesn’t ring true to staff, securing their participation and cooperation in the compliance program will be much more difficult. The Code should be tailored to be an extension the mission and vision of the organization. It needs to be part of an ongoing monitoring effort subject to periodic reviews to ensure it remains up to date with the ever-changing regulatory environment.  He offered the following tips:

11 tips for developing or revising the Code of Conduct

 

  1. Determine whether it is time to review and possibly update the Code. Answering the following will help in making that determination: (a) When the Code was last reviewed/revised? (b) Any significant changes in law, regulation, or guidance since last revision? (c) Any changes/updates to compliance policies since last revision?
  1. Review Code templates and examples of other similar organizations. It is useful to review the codes of other organization to help focus on what is needed; and this can save a lot of time and effort. However, copying a Code from another source may prove to be problematic, if it runs counter to the culture of the organization.
  1. Gain buy-in from executive leadership. This is critical and needs to include personal involvement of the Compliance Officer, as well as HRM and Legal Counsel.
  1. Introductory letter from the CEO. It is a best practice to have the CEO introduce and endorse the Code, along with stating that (a) everyone is equally obligated to adhere to it, (b) everyone has a duty to report potential violations without fear of retaliation, (c) a confidential hotline is available to report confidentially or anonymously, etc.
  1. Reference the Code against compliance-related policies. The Code must not conflict with policies and procedures, as it would risk potential liabilities.
  1. Consider using experts to facilitate process. No need to “reinvent the wheel.”  Code development/revision can be simplified, facilitated, and guided by compliance experts in this field; and can ensure inclusion of key concepts, including those called for by the HHS OIG.
  1. Determine Core Code Content. Key to developing a successful Code is to ensure that it addresses the needs of all stakeholders (i.e. management, employees, Board, regulatory agencies, etc.).
  1. Code must detail procedures for addressing compliance issues. Employees should feel comfortable in approaching his or her supervisor, other members of management, HR or the Compliance Office. In addition there must be an option to report to a confidential hotline.
  2. Dissemination of the Code. The Code must be made available to all covered persons through an Intranet, in hard copy with signature receipt, through compliance training, or a combination of all. If the Code is not new, but one that has been revised, then steps need to be made to stop dissemination of the old version.
  3. Translating Code into other languages. A decision is needed as to whether the Code is to be provided only in English, or with versions in other languages. If it will be disseminated in multiple languages, the challenge will be to ensure the Code is written in simple terms, avoiding slang or jargon that will create problems in translating to be equivalent in meaning.
  4. Ensure all out of date Codes are removed from the website and hard copies collected. Having more than one version of the Code in circulation at the same time is a formula for creating problems.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Nine tips for compliance officers—addressing high-risk areas

Carrie Kusserow is an expert on conducting compliance risk assessments and has been called upon by compliance officers to meet their challenge of addressing the numerous compliance high-risk areas. She notes that there are more than 40 high-risk areas identified by the OIG in its Compliance Guidance for hospitals. Guidance for other health care sectors has a similar set of compliance high-risk areas and the number of identified compliance risk areas continues to grow every year. To meet this challenge, compliance officers must stress to program managers their ongoing monitoring responsibility to identify and manage compliance risks within their areas of operations. This includes keeping informed of current rules and regulations; ensuring changes are incorporated into policies and procedures; training staff on following that written guidance; and verifying staff adherence to new policies. Ongoing auditing of operational high-risk areas has two primary objectives, including verifying that managers meet their obligations, and validating that the process achieves the desired outcomes. Audits need to be conducted by parties independent of the operational areas being audited, and may include compliance office staff, internal audit, outsider consultants and auditors, or any combination thereof. She offered the following tips for consideration by compliance officers:

 

  1. Work with management to identify operational high-risk compliance areas as set forth in the OIG Work Plans, Fraud Alerts, Advisory Opinions, audits, and enforcement priorities and in Medicare contractor activities, industry news, PERM reports, and PEPPER data.

 

  1. Implement specialized training programs for program managers on what they need to do to meet their ongoing monitoring of high-risk areas in their operational area.

 

  1. Ensure that program managers have identified and listed all compliance high-risks areas related to their operational areas; have developed/implemented monitoring plans for identified risk areas as part of meeting their ongoing monitoring responsibilities. This includes testing and reviewing adequacy of the internal controls (e.g. policies/procedures) to reduce likelihood of that an unwanted event will occur in high risk areas.

 

  1. Rank high-risk areas in terms of vulnerability and impact or damage from a risk incident, including calculating the potential damage from a compliance risk failure, including the magnitude of direct and indirect financial and reputational consequences; and the likelihood of a compliance risk event by considering whether the area is a current enforcement priority based on risk assessment results.

 

  1. Develop and implement an audit plan based on risk assessment results, giving highest priority to the highest risk areas. The audits should test and continuously review current internal controls for adequacy in mitigating risk and reducing the chance of an unwanted risk event.

 

  1. Ensure corrective action plans have been instituted for all risk area deficiencies identified by ongoing monitoring or auditing.

 

  1. Have a follow-up review of any areas where there had been findings requiring remedial action to ensure corrective measures have been taken and are working as intended.

 

  1. Consider engaging compliance experts to independently evaluate the effectiveness of a compliance program.

 

  1. Present results of risk assessment, monitoring and auditing as regular agenda items for management and board level compliance committees.

 

For more information on compliance high-risk assessment, contact Carrie Kusserow, Strategic Management Managing Senior Consultant (703-535-1453) or at ckusserow@strategicm.com

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Staffing of interim compliance officers

Serious risks arise when there is a gap in compliance officers. Not having someone managing the day to day compliance program is begging for problems. Filling a gap by having someone designated to manage the program until a permanent replacement is found is a bad idea. They likely will do as little as possible in an area they don’t know or could be expected to recognize and address problems in a timely and professional manner. Currently, on average, it takes a minimum of 3 to 5 months to find and bring on board a permanent replacement; and that is far too long to leave the program without active professional management. One solution to consider is using an expert as an interim compliance officer. Managed correctly, it can provide high-value service that is cost effective. Depending on the size and complexity of an organization, an expert may be able to manage the day-to-day operation and deal with emerging compliance issues at less than full time.

Kash Chopra, JD, MBA, has provided highly experienced and knowledgeable consultants as temporary and interim compliance officers to fill a compliance officer gap. Interim compliance officers can make significant improvements for any compliance program in a relatively short order. She noted among the benefits an interim compliance officer expert can bring to an organization is an objective assessment on the status of the program without being invested in any prior decisions. This added value of providing an independent compliance program effectiveness evaluation is a real bonus and this value by itself should save the cost of the engagement. Incorporating this in the terms of a temporary compliance officer engagement can produce the added benefit of gaining an independent assessment of the status of the program by outside experts that are independent. They can provide a road map action plan for the permanent office to improve program effectiveness. As far as the day-to-day management of the program, interim compliance officers bring the expertise in knowing how to respond to identified problems, as well as educating the Board and executive leadership on changes in the regulatory and enforcement environment. Her final advice on the use of the interim compliance officers is to remember that they are temporary compliance officers serving for a period of time until a permanent replacement can be found. As such, the agreement should set time frames of 60 to 90 days with the option to extend on a month to month basis.

For more information about engaging compliance experts to serve as Interim Compliance Officers, Chopra can be reached at KChopra@strategicm.com or (703) 535-1413.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Exit interviews as a compliance communication channel

Tom Herrmann, JD, had served in a senior capacity with the Office of Counsel to the Inspector General (OIG) at HHS. He pointed out that the OIG, in its compliance guidance, calls for the development of effective lines of communication with employees as very important to the successful implementation of a compliance program and the reduction of any potential for fraud, abuse and waste. This include implementation and use of hotlines (including anonymous hotlines), e-mails, written memoranda, newsletters, and other forms of information exchange to maintain these open lines of communication. One significant channel of communication is the use of exit interviews to debrief departing employees prior to their departure. A major factor influencing the advancement of exit interviews in connection with compliance programs has been the rise in the number of “whistleblowers.” Most of these come from people reporting on an organization they had recently left.  As such, there is great value in debriefing those departing the job that includes asking question about any observed violations of law, regulation, Code of Conduct, or policies. Optimally, an exit interview process should be done in time to permit possible remedial actions before they leave employment.  He has found that exit interviews can also be useful in avoiding other costly litigation involving unlawful harassment, discrimination, safety violations, etc.  It is very important to keep a record of the interviews conducted and responses.

Carrie Kusserow has been developing, enhancing and monitoring exit interview programs for over 15 years. She noted that many organizations conduct employee exit interviews (also called exit surveys) to gather data for improving working conditions and retaining employees. This has been common in human resource management for generations and this type of communication can be useful in taking actions to correct deficiencies, reduce turnover, identify potential compliance-related problems, and maintain a productive work environment. However, exit interviews may also be used to alert an organization to company compliance issues, potential whistle-blowers, or quality of care issues. At a minimum, an exit interview should include compliance program oriented questions that relate to compliance education, policies, anonymous reporting procedures, and attitudes towards the compliance program. The following are examples:

  1. How effective was your training on the compliance program, Code of Conduct and policies?
  2. Were you trained on how to report concern and problems confidentially or anonymously?
  3. Did you believe that those reporting compliance issues would be protected from retaliation?
  4. Are you aware of any ethical or compliance issues; and if so did you report them?
  5. How could the company strengthen its message regarding ethics and compliance?
  6. Is everyone in the work force treated fairly?
  7. Do you believe management fully supports the compliance program?
  8. Are you leaving due to any compliance concerns about your job or work environment?
  9. Are you aware of any improper or illegal conduct in the workplace? If so, who and what?
  10. Have you reported compliance issues or concerns that are unaddressed? If so, explain.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.