Kusserow on Compliance: Human resources management compliance jurisdiction

The great majority of internal investigations arise from complaints filed with the human resources management office (HRM) or through the compliance office hotline. Both functions have their own jurisdiction for dealing with sensitive issues, and this can raise tension and conflict if not addressed properly. HRM has a mission to assist employees in a host of ways, ranging from salaries and benefits to working conditions. It is therefore not surprising that the department is a front-line recipient of questions, concerns, complaints, and allegations related to the workplace. For all practical purposes, the primary responsibility for investigating and resolving personnel-related issues, including unfair labor practices, discrimination and harassment, lies with HRM.

Specific rules must be followed when conducting such investigations and the federal agency providing guidance and oversight is not the HHS Office of Inspector General (OIG) or the Department of Justice (DOJ), but the Equal Employment Opportunity Commission (EEOC). Furthermore, in some states, individuals conducting these types of investigations must undergo a designated number of hours of specialized training on the laws and rules governing employees in the workplace.

The sources of workplace complaints are varied, but their emergence is all but inevitable. With that in mind, it is important to have a clearly communicated and consistently applied policy detailing the specific procedure for reporting complaints. Many organizations encourage employees to utilize the “traditional” chain of command approach to reporting and resolution, while others have established more progressive open door communication policies to encourage unrestricted communication. Direct reporting to HRM is also an option for employees. Allowing employees to report issues via an employee hotline, generally managed by the compliance officer, is yet another mechanism of reporting. Because most hotline calls raise issues that fall under HRM's primary jurisdiction, careful coordination is required to guard against a matter falling between the cracks. This does not necessarily create a bright line of authority between the two functions, as many concerns raised may cross the line from being personnel issues to being compliance issues. It is essential that the compliance office and HRM maintain open communications and establish reciprocal reporting obligations for the purpose of ensuring the appropriate department is apprised of issues that are its primary concern. They must be able to coordinate investigative and resolution activity to avoid unnecessary duplication of efforts.

All of these reporting approaches provide a stream of information that can result in the need for internal inquiry or investigation. It is very important to note that, in order to have an effective reporting program that employees will actually utilize, it must be coupled with a clearly stated anti-retaliation policy. Employees must know that retaliation or attempted retaliation in response to lodging a complaint or invoking the complaint process is strictly prohibited by the organization. In August of 2016, the EEOC issued “Enforcement Guidance on Retaliation and Related Issues”, the EEOC’s first comprehensive review of retaliation since 1998. This was in direct response to the fact that retaliation is now the most frequently alleged basis of discrimination that EEOC receives.

The compliance officer focuses much attention on the Anti-Kickback Statute, Stark Laws, False Claims Act, and other fraud laws, with considerable attention given to the OIG, DOJ, and state Medicaid Fraud Control Units. By contrast, the laws that most often occupy HRM interest include Title VII of the Civil Rights Act of 1964; the Age Discrimination in Employment Act; the Americans with Disabilities Act; the Family and Medical Leave Act; the Fair Labor Standards Act; the Uniform Services Employment/Reemployment Rights Act; the Employee Retirement Security Act governing compensation and benefit plans; and the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) for employer-sponsored health benefits, among others. The government agencies that oversee these areas are the U.S. Department of Labor, the Equal Employment Opportunity Commission (EEOC), and a variety of state agencies. Violations can result in serious penalties.

Among the matters that HRM must investigate and resolve, one area has long overshadowed (numerically) the compliance matters raised to the compliance officer: discrimination and unlawful harassment. Complaints to the federal EEOC and state counterparts number over 100,000 annually. Many other complaints are received by HRM that never go so far as to be reported to outside authorities. To meet the challenge of avoiding such complaints, HRM must implement a variety of compliance policies and train everyone on them. These activities are familiar to compliance officers, who must do the same within their risk areas. However, in the case of some of the HRM-related laws and regulations, federal and state governments establish special rules setting standards for related policies and mandatory training. Special rules extend to the manner by which these types of cases are to be investigated, and by whom, when there is a formal complaint.

One example of a compliance risk area requiring care relates to unlawful (sexual) harassment. In a series of Supreme Court cases, the High Court set forth the principle that no employer can mount an affirmative defense to allegations of unlawful harassment unless it can meet three standards: (1) it has zero tolerance policies and procedures in place; (2) all employees and managers are trained on these policies; and (3) the organization has taken steps to identify emerging issues and does not just wait until a complaint takes place. On this last point, examples of action steps by management include screening hotline calls for any indications of emerging issues, conducting exit interviews and asking about employee work environment issues, and using training on the subject as a means to open discussion of potential problems. In the latter case, having people stay behind to make further inquiries is more likely to open doors than public statements during formal training.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG issues first 2017 Semi-Annual report—1,422 exclusions in first half of 2017

The OIG released its first semi-annual report for 2017, which included the number of exclusion actions taken. There were a total of 1,422 individuals and entities they excluded from Medicare, Medicaid, and other Federal health care programs. Most of the exclusions resulted from convictions for crimes relating to Medicare or Medicaid, for patient abuse or neglect, or as a result of license revocation. The OIG posts all such actions on its List of Excluded Individuals and Entities (LEIE). In its compliance guidance, the OIG calls for screening of all individuals and entities engaged by or with whom they do business against the LEIE. CMS also makes such screening a condition of participation and enrollment. The OIG has a number of Administrative Sanction authorities whereby they have added steadily to the LEIE database. In the last three years the OIG added over 10,000 exclusions to the LEIE.

OIG Enforcement Authorities

Tom Herrmann, JD, is a nationally recognized health care compliance consultant.  He served for a number of years in the OIG Counsel’s Office as Chief of the Administrative Litigation Branch, and supervised the litigation of cases involving the imposition of civil monetary penalties and program exclusions. He explained that the OIG has been delegated the authorities to impose Civil Monetary Penalties, assessments, and program exclusion on health care providers and others determined to have engaged in defined wrongdoing. The effect of an OIG exclusion is that no payment may be made for any items or services furnished by an excluded individual or entity, or directed or prescribed by an excluded physician. He noted that in almost all instances where the OIG’s imposition of program exclusion or CMPs is appealed, it is upheld by a HHS Administrative Law Judge (ALJ), the HHS Departmental Appeals Board (DAB), and Federal Courts. As such, it is absolutely essential to have ongoing sanction-screening of anyone engaged by a healthcare organization.

Jillian Bower is another highly experienced health care compliance consultant, who has assisted scores of clients in meeting the sanction-screening obligations through the Compliance Resource Center (CRC). She notes that CMS has been very aggressive in calling for sanction screening, not only of the LEIE, but also of Debarments posted by the General Services Administration (GSA), as well as pressuring State Medicaid Directors to establish exclusion databases and mandate monthly screening by their enrolled providers. Since then most states have moved to comply with the CMS direction. This has greatly increased the sanction-screening burden, not only for the compliance office, but also for human resource management (HRM). Procurement is also affected by the number of vendors and contractors that also have to be screened. Medical credentialing is involved because physicians granted staff privileges have to be screened. In order to meet screening mandates, it is almost a necessity to use vendor search engine tools to assist in sanction-screening. This saves organizations from downloading the sanction databases of all the entities and developing their own search engine. So using a vendor for this purpose is a step in the right direction; however, the bulk of the work of screening and resolving potential “hits” remains with the organization. Altogether this can be a considerable effort, and many organizations have to dedicate one or many employees to meet all these obligations. Alternatively, many just outsource the entire process, including verification and certification of results, to a vendor.

Sanction-Screening Tips

  1. Ensure periodic sanction screening of employees, medical staff, contractors, and vendors against the LEIE, not just at time of engagement but periodically thereafter. An individual or entity may pass a sanction screen at time of engagement, but later have a sanction imposed.
  2. Maintain a complete record of sanction screening to evidence meeting mandates, with the individual(s) responsible for sanction screening attesting to results each time screening has taken place. If using a vendor to conduct the sanction screening on behalf of the organization, they should provide a full certified report each time they perform their service.
  3. Develop a compliance policy and applications requiring, as a condition of employment, gaining staff privileges, or engagement, attestation that the individual has not been, nor are they now, the subject of an investigation by any duly authorized regulatory or enforcement agency. It is also advisable to add a condition of engagement that employees must promptly report any notice of investigation that involves them.
  4. Care should be taken to meet state Medicaid screening requirements in addition to checking the LEIE. For those organizations that cross state lines, it is particularly important to ensure compliance with state sanction screening mandates that differ from state to state.
  5. Inasmuch as most exclusions in the LEIE arise from another underlying court, state agency, or licensure board action, it is critical as part of the credentialing process to verify that health care professionals are duly licensed and not under any restrictions. Engaging or giving staff privileges to individuals who are restricted in their license may be considered by CMS as violating conditions of participation.
  6. Educate and inform management and employees on their obligation to promptly report any notification of an adverse action by any duly authorized regulatory or enforcement agency. Policies should be implemented to reinforce this.
  7. Consider using a vendor tool to assist in sanction-screening, but compare services and costs to avoid unnecessary expenditures; and consider the cost-benefits of outsourcing the entire sanction-screening process.


Kusserow on Compliance: OIG Work Plan now being updated monthly

The OIG announced that its work planning process is being modified to be more dynamic and to reflect the adjustments being made throughout the year in response to changing priorities and responding to new emerging issues. The OIG, as of June 15, 2017, will now adjust its Work Plan on a monthly basis, rather than semi-annually as has been done previously to ensure that it more closely aligns with the work planning process. The monthly updates will include the addition of newly initiated Work Plan items and the removal of completed items.

The Work Plan sets forth various audits and evaluations that are underway or planned during the fiscal year and beyond. Projects listed in the Work Plan span the Department and include CMS, public health agencies such as the Centers for Disease Control and Prevention (CDC) and National Institutes of Health (NIH), and human resources agencies such as Administration for Children and Families (ACF) and the Administration on Aging. The OIG also plans work related to issues that cut across departmental programs, including State and local governments’ use of Federal funds, as well as the functional areas of the Office of the HHS Secretary. In conducting its work, the OIG assesses relative risks in HHS programs and operations to identify those areas most in need of attention. In evaluating potential projects to undertake, the OIG considers a number of factors, including mandates set forth in laws, regulations, or other directives; requests by Congress, HHS management, or the Office of Management and Budget; top management and performance challenges facing HHS; work performed by other oversight organizations (e.g., GAO); management’s actions to implement OIG recommendations from previous reviews; and potential for positive impact.

New Projects Added


Kusserow on Compliance: Guarding against mobile device breaches: Tips from an expert

Camella Boateng, an expert on HIPAA, makes the point that “Most HIPAA breaches involve mobile devices. Such breaches dominate the under 500 patient breaches, which has masked the true number of such breaches. The publicity of these types of breaches is likely to change as OCR begins implementing their new policy to investigate breaches under 500. Of particular note, the OCR has announced that in selecting organizations for audit, one factor will be whether or not they are reporting minor breaches. From experience, they expect that almost any organization will have a HIPAA breach of some sort or another over time; and therefore those that report no breaches can be considered suspect.” She offered the following checklist of tips on mobile device security and precaution.

  1. Provide management, accountability, and oversight structures for covered entities.
  2. Establish policies, protocols, processes, and procedures for mobile device use.
  3. Provide training on the bring your own device (BYOD) policy.
  4. Keep an inventory of personal mobile devices authorized to access and transmit electronic protected health information (ePHI).
  5. Use a device key, password, or other user authentication to verify user identity.
  6. Install and/or enable encryption that protects protected health information (PHI) stored on and sent by mobile devices.
  7. Install or enable firewalls and regularly update security software (such as malware).
  8. Install or activate remote wiping and/or disabling.
  9. Reinforce constantly to keep devices under personal control or under lock and key.
  10. Install radio frequency identification (RFID) tags to help locate lost or stolen mobile devices.
  11. Establish remote shutdown tools that can remotely lock lost mobile devices.
  12. Disable or do not install file-sharing applications on devices used for ePHI transmission.
  13. Establish electronic processes to ensure unauthorized parties do not destroy or alter ePHI.
  14. Conduct training on procedures for using mobile devices to access ePHI.
  15. Educate clinicians on the risks of data breaches, HIPAA violations, and fines.
  16. Delete all stored PHI before reusing or discarding a device.

After following all of the above steps, perform an outside independent security risk assessment to determine (a) if personal mobile devices are being used to exchange ePHI; (b) which devices are used on internal networks; (c) what information is accessed, received, stored, and transmitted; (d) whether proper authentication, encryption, and physical protections are in place to secure the exchange of ePHI; and (e) whether users have been properly trained on security procedures.

Copyright © 2016 Strategic Management Services, LLC. Published with permission.