Kusserow on Compliance: Effective hotline programs

All healthcare organizations need confidential compliance communication channels. First and foremost among them is a hotline. By definition, all effective compliance programs should have a hotline. It is an important avenue of communication between employees and management, in that it permits employees to report sensitive matters outside the normal supervisory channels.  The reality is that developing and monitoring a hotline is a critical part of any effective compliance program. It provides an avenue of communication that permits employees to report sensitive matters outside the normal supervisory channels. The compliance officer bears the responsibility of constantly reviewing and improving the effectiveness of the hotline operation.  The US Sentencing Commission, the HHS Office of Inspector General (OIG), and Department of Justice (DOJ) all call for having a hotline, as well as other authorities, including the Sarbanes-Oxley Act for publicly traded companies and the federal courts in connection with unlawful harassment. Failure to establish positive internal compliance reporting channels often results in reporting externally to the OIG and DOJ from “whistleblowers.” The challenge is establishing effective internal compliance communication. Today, it is the exception to find organizations trying to manage a hotline function internally. The fact is that any advantage of internally operated hotlines is more than off-set by the disadvantages.

From a practical standpoint, it simply is not cost effective to operate a hotline 24/7 internally.  Even those that decide to operate and manage the function in house are confronted with a number of challenges—it is extremely inefficient, costly and seldom meets any minimum standards. Hotline numbers will need to be “backstopped” against tracing and all caller identification systems have to be blocked. People answering the calls in house should not be highly visible to the work force. Confidence comes from neither party being known to the other. Hotline vendors have the training and experience to handle complainants. Callers are generally nervous and afraid and knowing they are providing information to an outside party generally is reassuring. They always raise the question of whether anonymity is truly offered and whether employees will ever sufficiently trust calling an employee. It has become the standard practice for organizations to outsource their hotline to a vendor.  However, evaluating those providing the best service at the right price is a challenge. The following are questions that can be used to determine a properly qualified vendor. Those failing key tests should be avoided as they may prove to be a future liability.

 

Questions for hotline vendors

  1. Cost of Service. Does the vendor charge an established fixed rate or sliding rate based upon number of calls? Seek a fixed, not a variable rate, based upon number or time of calls. A good rule of thumb is that the cost of a hotline service should not exceed $1-3 per employee per year.

 

  1. Industry Focus. Can the vendor evidence having understanding and expertise of issues related to the health care industry? Failing to understand healthcare standards and regulatory matters limits the ability to properly debrief callers. Ask for a breakdown of the types of clients they serve by industries.

 

  1. Hours of Service. Does the vendor provide 24/7 service? If not, don’t use them.

 

  1. Call Centers. Does the vendor provide call services? If so, avoid them completely. Call centers provide outbound calls used to promote services and products. Others answer after hour services for businesses (doctors, plumbers, electricians, etc.) and relate messages to their clients. The people doing this are performing a clerical function and answering hotline calls requires more professional expertise. Furthermore, there is the risk of having calls interrupted by a call for some needing emergency service.

 

  1. Hotline Service Types. Does the vendor provide multiple levels of service for (a) receiving live operator calls and (b) a web-based reporting system that prompts individual complainants? One level alone is not enough.

 

  1. Avoiding Vendor Contract Traps. Does the contract permit cancellation at any time with a simple 30 day notice? If not, don’t use them. Staying with a vendor should be because of good service, not because of being locked into them by contract terms. If you have a current contract, check the termination clauses to see if cancelling a contract is cumbersome. If it is, ask to renegotiate the termination clause. If they decline, then take steps to follow termination procedures in the contract.

 

  1. Hotline Number. Does the vendor want to use their phone number? This is a common vendor trap to lock in users to their service. You advertise their number everywhere and to change would necessitate changing all the places you have advertise the number. Always use and own your own hotline number that can be pointed to a vendor.

 

  1. Language Translation. Does the vendor provide a language translation service to address non-English speakers?

 

  1. Check Vendor Background. What is the level of hotline experience among the ownership, management, and operation of the service?

 

  1. Length of Hotline Experience. How many years of experience can the vendor evidence in the management of hotline operations?

 

  1. Policies, Procedures, and Protocols. Does the vendor provide advice on developing operating protocols for following up an allegations and complaints received through the hotline?

 

  1. Business Associate Agreement (BAA). Does the vendor offer to sign a BAA to meet HIPAA protected health information (PHI) requirements for any patient related information received through the hotline? If they don’t know what that means, forget them.

 

  1. Timelines. Will the vendor agree to provide a full written report within one business day of receipt of the call and for urgent matters, immediate notification?

 

  1. Report Delivery Security. Does the vendor deliver call reports by the most secure means? It is critical to establish a secure call report submission process to a specific responsible party and to an alternate should the primary contact be unavailable? Any delivery of reports via fax or email lack necessary security. It is critical that reports are secured to protect those filing the report, as well as those who are subject of the report or mentioned in them. HIPAA PHI, proprietary and confidential data, and personnel information must be protected. Web-based reporting is the most secure with notification of a report being provided via email.

 

  1. Routine vs. Urgent Reporting. Does the vendor assist in establishing a process that alerts the primary contact to any urgent report received? A delay in reporting a serious issue could result in potential liabilities.

 

  1. Insurance. Does the vendor provide at least one to three million dollars liability coverage? If your vendor does not have this insurance, consider changing over to one that provides this assurance.

 

  1. Caller Contact Information. Does the vendor have procedures for providing callers with a means to call back without disclosing their identity?

 

  1. Personalized Service. Does the vendor provide the identity or identities of individuals available to respond to any issues or question that may arise, whether it relates to call reports, invoice issues, or providing general advice? Not having easy access to someone or having to go through a phone system moving you from one office to another before you find a stranger who may or may not be able to answer your questions can be frustrating. If possible, seek an identified accounts manager who will be responsible for any and all issues that arise under the contract.

 

  1. Training and Assistance. Does the vendor provide guidance on the best way to promote understanding of the hotline?

 

  1. Other Useful Benefits. Are there any other services or benefit provided under the contract? This would include such things as supporting policy and procedures for hotline management, poster templates, newsletters, etc. For smaller organizations, these benefits may exceed even the service fees paid to the vendor. Find out what they offer.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Human resources management compliance jurisdiction

The great majority of internal investigations arise from complaints filed with the human resources management office (HRM) or through the compliance office hotline. Both functions have their own jurisdiction for dealing with sensitive issues, and this can raise tension and conflict if not addressed properly. HRM has a mission to assist employees in a host of ways, ranging from salaries and benefits to working conditions. It is therefore not surprising that the department is a front-line recipient of questions, concerns, complaints, and allegations related to the workplace. For all practical purposes, the primary responsibility for investigating and resolving personnel-related issues, including unfair labor practices, discrimination and harassment, lies with HRM.

Specific rules must be followed when conducting such investigations and the federal agency providing guidance and oversight is not the HHS Office of Inspector General (OIG) or the Department of Justice (DOJ), but the Equal Employment Opportunity Commission (EEOC). Furthermore, in some states, individuals conducting these types of investigations must undergo a designated number of hours of specialized training on the laws and rules governing employees in the workplace.

The sources of workplace complaints are varied, but their emergence is all but inevitable. With that in mind, it is important to have a clearly communicated and consistently applied policy detailing the specific procedure for reporting complaints. Many organizations encourage employees to utilize the “traditional” chain of command approach to reporting and resolution, while others have established more progressive open door communication policies to encourage unrestricted communication. Direct reporting to HRM is also an option for employees.  Allowing employees to report issues via an employee hotline, generally managed by the compliance officer, is yet another mechanism of reporting.  With most hotline calls have issues that fall under HRM primary jurisdiction, it requires careful coordination to guard against a matter falling between the cracks. This does not necessarily create a bright line of authority between the two functions, as many concerns raised may cross the line from being personnel issues to being compliance issues. It is essential that the compliance office and HRM maintain open communications and establish reciprocal reporting obligations for the purpose of ensuring the appropriate department is apprised of issues that are its primary concern. They must be able to coordinate investigative and resolution activity to avoid unnecessary duplication of efforts.

All of these reporting approaches provide a stream of information that can result in the need for internal inquiry or investigation. It is very important to note that, in order to have an effective reporting program that employees will actually utilize, it must be coupled with a clearly stated anti-retaliation policy. Employees must know that retaliation or attempted retaliation in response to lodging a complaint or invoking the complaint process is strictly prohibited by the organization. In August of 2016, the EEOC issued “Enforcement Guidance on Retaliation and Related Issues”, the EEOC’s first comprehensive review of retaliation since 1998. This was in direct response to the fact that retaliation is now the most frequently alleged basis of discrimination that EEOC receives.

The compliance officer focuses much attention on the Anti-Kickback Statute, Stark Laws, False Claims Act, and other fraud laws with considerable attention given to the OIG, DOJ, and state Medicaid Fraud Control Units. By contrast, the laws that most often occupy HRM interest include Title VII of the Civil Rights Act 1964; the Age Discrimination in Employment Act; the Americans with Disabilities Act; the Family and Medical Leave Act; the Fair Labor Standards Act; the Uniform Services Employment/Reemployment Rights Act; the Employee Retirement Security Act’s governing compensation and benefit plans; and the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) for employer-sponsored health benefits, among others.  The government agencies that oversee these areas are the U.S. Department of Labor, the Equal Employment Opportunity Commission (EEOC), and a variety of state agencies.  Violations can result in serious penalties.

Regarding matters that HRM must investigate and resolve, one area long overshadows (numerically) compliance matters raised to the compliance officer to handle: discrimination and unlawful harassment. Complaints to the federal EEOC and state counterparts number over 100,000 annually.  Many other complaints are received by HRM that never go so far as to be reported to outside authorities.   To meet the challenge of avoiding such complaints, HRM must implement a variety of compliance policies and train everyone on them.  These activities are familiar to compliance officers, who must do the same within their risk areas. However, in the case of some of the HRM-related laws and regulations, federal and state governments establish special rules for standards for related policies and mandatory training.  Special rules extend to the manner by which these types of cases are to be investigated and by whom, when there is a formal complaint.

One example of a compliance risk area requiring care relates to unlawful (sexual) harassment. In a series of Supreme Court cases, the High Court set forth the principle that no employer can mount an affirmative defense to allegations of unlawful harassment unless they can meet three standards: (1) they have zero tolerance policies and procedures in place; (2) all employees and managers are trained on these policies; and (3) the organization has taken steps to identify emerging issues and do not just wait until a complaint takes place.  On this last point, examples of action steps by management include screening hotline calls for any indications of emerging issues, conducting exit interviews and asking about employee work environment issues, and using training on the subject as a means to open discussion of potential problems.  In the latter case, having people stay behind to make further inquiries is more likely to open doors that public statement during formal training.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: 4 out of 5 organizations under 1,000 employees overpay for their hotline

It is estimated that over 80 percent of health care organizations with fewer than 1,000 employees overpay their hotline vendor. The reasons for this vary.  For large scale vendors, higher overhead may cause difficulty scaling down their prices; smaller vendors may just be trying to wring out every dollar they can. Another problem among vendors is that some provide both answer-operated and web-based reporting systems, while others do not.   This variance in level of service is a complicating factor.  At any rate, only vendors that provide full-range coverage that offers live-operator answering, 24 hours a day, seven days a week, along with web-based reporting, should be used. For both services, anonymous reporting must be an option.

Fair pricing rates. Today, all health care organizations are cost-sensitive and seek reductions anywhere they can, without loss of quality of service. The general rule of thumb for the price of hotline vendor services for organizations under 1,000 employees that provide both operator-answered and web-based reporting system is that the rates for services should range from around a low of $500 per year to $1,000, depending on employee population. Keep in mind set-up costs for a new service, as well as the continuing service fees. For organization with greater employee populations, the service rate should not exceed $1 per employee per year. Those paying higher rates may want to investigate alternative providers to save expenses.

Recent trends in hotline reporting. Carrie Kusserow, a hotline expert with experience gained from running hotline vendor services and managing hotlines as a compliance officer, reports a significant increase in reporting rates on hotlines. She attributes this to a variety of factors. There has been increased promotion of reporting suspected violations by government agencies and compliance officers, coupled with whistleblower protection laws and regulations. Most organizations now have developed compliance programs that mirror the compliance guidance provided by the HHS Office of Inspector General (OIG).  Over time, this has taken hold and become standard operating practice.  This guidance emphasizes the need for organizational commitment to ensuring confidentiality and to those reporting problems, in addition to offering anonymity for those desiring it.  Kusserow quoted Compliance Resource Center reports of a significant trend in the health care sector of an increase in the percentage of anonymous hotline reports, with about three out of four now being submitted that way. In addition, Kusserow explained that compliance officers have become more professional in responding to and investigating complaints and allegations they receive.  This, in turn, has encouraged employees that their reporting will be taken seriously.  Furthermore, compliance training has reinforced the employee’s duty to report problems.

Jillian Bower, of the Compliance Resource Center, has identified another factor contributing to the increase in reporting: the addition of new avenues of communication. As a new generation of technically savvy employees entered the workforce, more employees feel more comfortable using web-based reporting tools; that is becoming the preferred method in increasing numbers.  She notes there has been an increasing percentage of employees who prefer submitting their hotline report through web-based systems, when given that option.   Today, the percentages reported through a live operator and via the web have reach near parity.  As such, it is important the vendor offer the web-based option, and those that do not should not be used.  The end result of all these changes is that the OIG’s advocacy of organizations developing alternative compliance communication channels is a reality.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG hotline being used by scammers

The HHS Office of Inspector General (OIG) accepts hotline complaints by mail, telephone, fax, or online. However, the office emphasizes that it does not use its phone number for outgoing calls. The OIG has issued a Fraud Alert reporting that its Hotline telephone number is being used as part of a telephone “spoofing” scam targeting individuals throughout the country.  The office reported engaging in a criminal investigation of this activity and intends to present cases against perpetrators to the U.S. Department of Justice (DOJ) for prosecution.   It explained that scammers have been altering the appearance of the caller ID to make it seem as if the call is coming from the HHS OIG Hotline, 1-800-HHS-TIPS (1-800-447-8477). Scammers call individuals and represent themselves as HHS OIG Hotline employees and use a variety of tactics to obtain personal information, which can then be used to steal money from an individual’s bank account or for other fraudulent activity.

The OIG warns the public to be on guard and not to provide personal information to callers. Those who believe they may have been a victim of this spoofing scam should report that information to the HHS OIG Hotline or spoof@oig.hhs.gov. Complaints may also be submitted to the Federal Trade Commission (FTC) via 1-877-FTC-HELP (1-877-382-4357).  The OIG also made clear that it is still safe to call into the HHS OIG Hotline to report fraud; information it receives is evaluated by the Office of Investigations, which has 420 Special Agents throughout the country who are specially trained to conduct these investigations.

OIG tips to protect yourself

Do not verify your name or any other personal information to anyone unknown to you. no personal information should be given to unknown individuals, including any of the following information:

  • Social Security number;
  • date of birth;
  • credit card information;
  • driver’s license number;
  • bank account information; or
  • mother’s maiden name.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.