Kusserow on Compliance: Compliance officers should have active roles in CIA negotiations

Laura Ellis, HHS Office of Inspector General (OIG) Senior Counsel, has a reputation for managing the most difficult and complicated corporate integrity agreements (CIAs) on behalf of the OIG. At the recent Health Care Compliance Association (HCCA) Compliance Institute, she urged compliance officers not to sit on the sidelines while a CIA is being negotiated with the OIG. They should be actively involved in all facets of the negotiation and should not wait to become involved until the agreement is signed and put into effect. She reminded everyone that once the CIA is signed, the compliance officer, not the attorneys, will be the face of the company to the OIG. From years of experience, she has found that attorneys negotiating the terms and conditions of a CIA often lack the operational experience to fully understand the implications of the terms and obligations being committed to. As a result, it is not uncommon for attorneys to come back to the OIG after a CIA has been executed to try to renegotiate points, typically once management and the compliance officer realize what is involved in meeting the terms and conditions. Ellis stated that the OIG is not inclined to reopen CIA negotiations. The mistake was not having the compliance officer involved on the front end and present throughout the negotiation process. As the CIA settlement process takes shape, the compliance officer needs to:

  • be part of the negotiations;
  • review and comment on all drafts;
  • create a basic plan from the draft to determine what it takes to meet obligations;
  • conduct a mini-gap assessment of what it takes to do what the CIA would require;
  • begin work on implementation strategies; and
  • start the process to determine resource needs to meet obligations.

Ellis also made the point that attitude matters once a CIA is in place, and compliance officers should work with the monitor in an open and honest way. A positive working relationship between the monitor and the compliance officer is in everyone’s best interest. The earlier in the process that they get to know each other, the better.

Thomas Herrmann, J.D., was previously responsible on behalf of the OIG for negotiating CIAs and providing monitors, and subsequently gained many years of consulting experience working with more than a dozen clients with CIAs and as an independent review organization (IRO). He says that what many fail to understand is that, although the OIG is involved in the Department of Justice (DOJ) settlement process, a different OIG attorney will be assigned as negotiator for the CIA. Once the agreement is executed, it is passed on to yet another OIG attorney, who serves as the monitor to assure compliance with the terms of the CIA. A very common mistake is for attorneys to raise with the monitor issues that were handled by someone earlier in the process, in effect trying to re-litigate them. This is a big mistake. The OIG will not re-litigate or interpret decisions made by the DOJ. At the same time, the OIG monitor is definitely disinclined to deal with issues that were or should have been addressed with the OIG negotiator. Herrmann goes on to explain that the OIG views the organization’s legal counsel as filling an adversarial role, but once the agreement is executed, the OIG does not want to continue dealing with the advocate. The focus of the relationship with the OIG should be on meeting the terms of the CIA. Herrmann sees it as a huge mistake for legal counsel to continue making arguments or trying to modify terms with the monitor, as this frequently aggravates matters and creates additional problems for the organization. The monitor wants to deal with how the organization will meet its obligations, and that means working with the compliance officer to determine how the terms and conditions of the CIA will be fulfilled. It behooves compliance officers to get to know their monitor as quickly as possible, evidence their commitment, and exhibit a willingness to work out what it takes to get the job done.

Carrie Kusserow has over 15 years’ experience as a compliance officer and consultant; in fact, she was brought in to be the compliance officer of an organization under a CIA while Laura Ellis was the monitor. Her experience with Ellis was precisely what Ellis described in her presentation. Maintaining the focus on meeting the obligations of the agreement is very important for credibility and makes it possible to iron out issues. By listening carefully and responding to Ellis’ questions openly and in a forthright manner, Kusserow developed a very good working relationship, which made the work easier for everyone. Compliance officers need to listen carefully to what the monitor expresses, do the work that is needed, and then immediately follow up to report the actions taken. The focus must stay on getting the job done to the satisfaction of the OIG. It is also critical that the compliance officer at all times be “straight up” and honest with the OIG. If this is done, a bond of trust can develop that allows the details that are sure to arise to be worked out, and it permits seeking non-adversarial clarification of terms and conditions. On the other hand, failing to develop a proper working relationship with the monitor can result in misunderstandings and increased work for everyone. As such, as soon as the CIA is signed, the compliance officer should come into direct contact with the OIG monitor.

Suzanne Castaldo, J.D., has worked both as a litigator and as a compliance consultant dealing with numerous organizations with CIAs. She confirmed what Ellis noted about attorneys negotiating with the OIG without the active involvement of either management or the compliance officer. In almost every case, it has created avoidable issues. She strongly recommends that anyone engaging a law firm to assist with CIA negotiations insist on including knowledgeable members of management and the compliance officer in all meetings with the OIG. All terms being negotiated should be reviewed and assessed by them so that all implications and resulting work obligations are understood. Many attorneys will not find this to their liking and may argue against it. However, not being part of this process is like “arriving at the dance after it is over.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Compliance culture a key measure of program effectiveness

The compliance culture is the set of shared attitudes, values, goals, and practices that characterizes an institution or organization when it comes to compliance with laws, regulations, rules, standards, codes of conduct, and policies. Oversight agencies believe the compliance program should be a change agent in promoting a culture of compliance that creates an environment less likely to have regulatory or enforcement problems. This means establishing a culture in which everyone in the work environment embraces and adheres to rules, regulations, laws, the code of conduct, and policies. The Department of Justice (DOJ) and the HHS Office of Inspector General (OIG) frequently encounter organizations with compliance programs that exist on paper but that culturally fail to be effective in operation. Compliance officers should find means to evidence that the culture of the organization matches the compliance goals.

Positive compliance culture promotes good business

Carrie Kusserow, with over 15 years’ experience as a compliance officer and consultant, makes the case that a good compliance culture is also good for business and does not merely serve as a “cost center.” She notes that there are many positive benefits to be derived from the effort and offered the following points in support of her argument.

  • Organizations are less likely to have liabilities arising from wrongful behavior.
  • Evidence suggests compliance-committed organizations are more efficient.
  • Lower employee turnover occurs when the organization culture is to abide by rules and standards.
  • There is greater employee commitment to compliance with laws, rules, the code of conduct, and policies.
  • Employees feel less pressure to compromise company standards to achieve company goals.
  • Employees are empowered to report wrongful behavior and misconduct internally, not externally.

Compliance culture surveys evidence compliance program effectiveness

Steve Forman, CPA, has been using compliance culture surveys for the last 20 years, both as a compliance officer and as a compliance consultant. He believes that one of the best and least expensive methods for evaluating, evidencing, and benchmarking compliance program effectiveness is a compliance culture survey that measures employee perceptions of the ethical culture and/or the compliance program. He likes to alternate this type of survey with a compliance knowledge survey that tests employee knowledge of the program. He points to the fact that the OIG recommends this in its Compliance Program Guidance, which notes that “as part of the review process, the compliance officer or reviewers should consider techniques such as . . . using questionnaires (employee surveys) . . . developed to solicit impressions of a broad cross-section of . . . employees and staff.” Results from a professionally administered survey provide a very powerful and credible report to the compliance oversight committee, as well as to any outside authority questioning the program. They can also identify relative strengths in the compliance program, as well as areas requiring special attention, which is invaluable information for compliance officers.

Compliance survey benefits

Conducting a compliance survey provides numerous benefits to an organization.  For example, it can:

  • provide outcome measurements for the compliance program;
  • serve as critical evidence in determining the degree of effectiveness of the compliance program;
  • identify program strengths and potential weaknesses warranting attention;
  • evidence the extent of individual and leader commitment to compliance;
  • assess the current state of the compliance climate or culture of an organization;
  • communicate a positive message that employee opinions and perceptions are valued;
  • underscore organization commitment to employees;
  • increase management attention on what is being measured;
  • provide metrics as to progress in developing an effective compliance program;
  • benchmark compliance program effectiveness improvement;
  • signal the organization as to employee attitudes and perceptions;
  • tell employees that what they believe and understand is important; and
  • provide guidance as to where improvements are needed.

Benchmarking compliance program progress

Jillian Bower, who has many years of experience administering compliance surveys as well as serving as an interim compliance officer, notes that the OIG compliance guidance says “the existence of benchmarks that demonstrate implementation and achievements are essential to any effective compliance program.” Surveys can be used to meet that standard. If the survey being used is anchored in a large database of users, the organization can benchmark its results against that universe, which most organizations view as very important. Furthermore, an initial survey can establish a baseline against which future surveys can benchmark the progress of the compliance program. Surveys can thus benchmark and measure change in the compliance environment over a period of time. However, Bower warns that it is inadvisable to use the same survey annually, as significant changes among the workforce take time to show results.

Alena Treen, of the Compliance Resource Center (CRC), has many years’ experience administering compliance surveys. She explained that culture surveys focus on the beliefs and values that guide the thinking and behavior of employees within an organization. They are usually presented in a Likert scale format that offers a series of gradations in which respondents are asked whether they “Strongly Disagree,” “Disagree,” are “Neutral,” “Agree,” or “Strongly Agree” with the statement presented in each item. This is in contrast with a compliance knowledge survey, which is designed to learn how much employees know about the program and uses questions answerable as yes or no. She notes that it is highly advisable to use a valid, independently administered, web-based survey that has been tested across many organizations and ensures participant confidentiality. Using a professional survey service specializing in health care compliance is surprisingly inexpensive and less costly than developing and delivering a survey in house, which does not carry the same level of credibility. The CRC has been using the Compliance Benchmark Survey© since 1993; it has been employed by hundreds of health care organizations and has covered a surveyed population of over half a million. Treen normally deals with reports of about 50 pages in length that provide advice on each topical area and question as to how improvements may be made. Clients find comparing their results with the universe to be the most beneficial information.

Kusserow on Compliance: OCR enforcement update at the HCCA Compliance Institute

“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement, at the Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics. Peters stated that the OCR continues to receive and resolve an increasing number of complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. She cited that OCR has received 150,507 complaints to date, with 24,879 being resolved with corrective action measures or technical assistance. At the current rate of reports being received, the OCR estimates it will receive 17,000 complaints in 2017. She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance on topics ranging from social media privacy to certification of electronic health record technology and the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules, including mobile device compliance; they address privacy, security, and breach notification. It is expected that among the results of this effort will be increases in monetary penalties this year. Phase 3 will follow the same general approach currently being used, which includes review of control rules for privacy protection, breach notification, and security management.

In her comments about what the OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptop computers, that were not properly protected with encryption and passwords.

OCR advice

Peters provided in her slide presentation considerable advice as to what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:

  • ensure that changes in systems are updated or patched for HIPAA security;
  • determine what safeguards are in place;
  • review OCR guidance on ransomware and cloud computing;
  • conduct accurate and thorough assessments of potential PHI vulnerabilities;
  • review for proliferation of electronic PHI (ePHI) within an organization;
  • implement policies and procedures regarding appropriate access to ePHI;
  • establish controls to guard against unauthorized access;
  • implement policies concerning secure disposal of PHI and ePHI;
  • ensure disposal procedures for electronic devices include clearing, purging, or destruction;
  • screen appropriately everyone in the work area against the OIG’s List of Excluded Individuals and Entities (LEIE);
  • ensure departing employees’ access to PHI is revoked;
  • identify all ePHI created, maintained, received or transmitted by the organization;
  • review controls for PHI involving electronic health records (EHRs), billing systems, documents/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
  • ensure security measures are sufficient to reduce risks and vulnerabilities;
  • investigate/resolve breaches or potential breaches identified in audits, evaluations, or reviews;
  • verify that corrective action measures were taken and controls are being followed;
  • ensure when transmitting ePHI that the information is encrypted;
  • ensure explicit policies and procedures for all controls implemented; and
  • review system patches, router and software updates, and anti-virus and anti-malware software.

Expert tips to meet HIPAA compliance requirements

Carrie Kusserow, MA, CHC, CHPC, CCEP, is a HIPAA expert with over 20 years of compliance officer and consultant experience. She pointed out that the OCR finds that most HIPAA breaches still commonly occur as a result of poor or lapsed controls over systems with PHI. She noted that Iliana Peters stated that the OCR often encounters situations where established internal controls were not followed, and that in many cases breaches discovered within organizations were not promptly investigated. Also, most of the breaches currently being reported involve mobile devices, specifically laptop computers, and a failure to properly encrypt and password protect PHI. Kusserow offered tips and suggestions in addition to those offered in the OCR presentation, particularly as they relate to mobile devices.

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities.
  • Ensure the Code of Conduct covers reporting of HIPAA violations.
  • Validate effectiveness of internal controls, policies, and procedures.
  • Maintain an up-to-date list of BAs that includes contact information.
  • Ensure identified risks have been properly addressed with corrective action measures.
  • Develop corrective action plans to promptly address any weaknesses or breaches identified.
  • Follow the basics in prevention of information security risks and PHI breaches.
  • Ensure policies/procedures govern receipt and removal of laptops containing ePHI.
  • Verify workforce member and user controls for gaining access to ePHI.
  • Verify laptops and other mobile devices are properly encrypted and password protected.
  • Implement safeguards to restrict access to unauthorized users.
  • Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  • Ensure the hotline is set up to receive HIPAA-related calls.
  • Verify that all BAs have signed business associate agreements.
  • Train the workforce on HIPAA policies/procedures, including reporting violations.
  • Investigate complaints, allegations, and reports of non-compliance promptly and thoroughly.
  • Engage outside experts to independently verify controls are adequate and being followed.

Kusserow on Compliance: OIG issues resource guide on measuring compliance program effectiveness

On January 17, 2017, the HHS Office of Inspector General (OIG) hosted a group of compliance professionals to discuss ways to measure the effectiveness of compliance programs. It really was a “brainstorming” session with the objective of generating a large number of ideas for looking at the seven standard elements of a compliance program. The key term to remember is “ideas.” On March 27, 2017, the OIG posted a Resource Guide that included these ideas about compliance programs; it is not a “checklist” for assessing a compliance program. It was generated to provide as many ideas as possible, while being broad enough to assist any type of organization and to permit each to choose which ones best suit its needs. Some ideas may not apply to some entities. The Guide provides ideas from which an organization may choose a small number in any given year. The Guide does not follow the OIG compliance guidance documents in detail, except that it addresses the seven standard elements. As such, many of the items listed cannot be found in or traced to those guidance documents. The list provides ideas for measurement options to a wide range of organizations with diverse sizes, operational complexity, industry sectors, resources, and compliance programs.

Using all the ideas, or even a large number of them, was deemed impractical and is not recommended. The OIG notes that how the list in the Guide can be used depends on those using it. Some of these suggestions might be used frequently and others only occasionally. The frequency of use of any measurement should be based on the organization’s risk areas, size, resources, industry segment, and so on. Each organization’s compliance program and effectiveness measurement process will be different. The following compliance program elements were addressed by the participants in work groups over a series of sessions:

  1. Standards, Policies, and Procedures;
  2. Compliance Program Administration;
  3. Screening and Evaluation of Employees, Physicians, Vendors and Other Agents;
  4. Communication, Education, and Training on Compliance Issues;
  5. Monitoring, Auditing, and Internal Reporting Systems;
  6. Discipline for Non‐Compliance; and
  7. Investigations and Remedial Measures.

It is worthwhile remembering that effectiveness is related to “outcome,” not output. For example, having compliance training for all covered employees is a process, or output, metric. How well the participants learned the lessons and retained them is a measure of outcome, that is, of the effectiveness of the training. When reviewing the lists provided in the Guide, remember that most of the items relate to process. Another important factor to consider is how determinations relating to items on the list will be made, and by whom.

Measuring overall effectiveness

In its compliance guidance documents, the OIG cites two ways program effectiveness can be measured.

  1. Employee Surveys. Throughout the listing there were notations that relate to outcome. In many places, it was suggested to use surveys to learn about employee knowledge, understanding, and attitudes related to compliance issues. In fact, surveys were mentioned 61 times across all seven elements. Surveys were also included in the various OIG compliance guidance documents as a means of measuring compliance program effectiveness. There are two types that can be used: a Knowledge Survey, which measures employees’ knowledge and understanding of the compliance program, and a Compliance Culture Survey, which measures employee attitudes and perceptions concerning organizational compliance. Both compliance knowledge and culture surveys were cited as ways to determine how well things are functioning. If a validated and tested survey is used and is administered independently in a way that ensures the anonymity of respondents, there is great value in the results. The value can be magnified many times if the results can be benchmarked against a large universe of organizations using the identical survey instrument. Organizations can also benchmark results from one survey to the next, showing program improvements. Results from such a survey provide powerful evidence of compliance program effectiveness to executive leadership, the board, and even outside authorities.
  2. Independent Compliance Program Effectiveness Evaluation. OIG compliance guidance documents note that all program managers are responsible for ongoing monitoring of their areas of responsibility. Alongside that is ongoing auditing by those independent of the program area to verify that the monitoring is taking place and to validate that it is effective in addressing any high-risk areas. Compliance is also a program, and the listing in the Guide can be useful to the compliance officer in monitoring it. However, the compliance officer cannot independently audit his or her own program for effectiveness. This must be done by an outside, independent, and objective party. As such, a compliance program effectiveness evaluation can look across all seven elements, and most of the ideas in the Guide should be addressed in its results.
