Kusserow on Compliance: Why encourage anonymous hotline calls?

The are in your best interest

Encouraging anonymity with hotline callers may at first seem a bad practice, however, it is not.  It is a sound policy and in the best interest of the organization. However, many believe no calls should be accepted without an individual disclosing his or her identity. Those individuals are wrong. First, the HHS OIG, Sentencing Commission, DOJ, and Sarbanes-Oxley Act all promote anonymous reporting. The OIG in its compliance guidance state “At a minimum, comprehensive compliance programs should include…a hotline, to receive complaints, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.  Failing to provide for and encourage anonymity undercuts the perceived effectiveness of the compliance program. There are other positive reasons for having anonymous reporting:

  1. Not allowing anonymity discourages reporting for fear of becoming a victim of retribution or retaliation. The result is that an individual may give information to someone else like an attorney, the media, government agencies, or simply not tell anyone which may lead to a growing exposure to liability to the organization. As a rule, the more serious the complaint or allegation, the less likely callers will be willing to identify themselves.
  2. The disclosure of an individual’s identity creates a burden for the organization to protect the caller’s identity (“confidentiality) once it is known. Failure to protect identified callers may result in unprotected reprisals or retaliation and serious consequences for the organization that may draw in attorneys, government, and regulatory agencies. There are many cases of litigation for reprisals or wrongful discharge where the company was put in the awkward position of trying to evidence the call did not contribute to the adverse action or termination. This is not a burden if the caller was anonymous.
  3. It is also useful to keep in mind that many callers may want to self-disclose their identity, in order to achieve a protection as a “Whistleblower” to forestall performance or conduct-based actions by trying to invoke the organization’s non-retribution/non-reprisal policy. For some, calling the hotline may be an attempt to block the adverse personnel action.

In some cases, it is desirable, and perhaps even necessary, to learn the identity of the caller in order to properly act on the information offered. There are circumstances where having the identity is essential to act upon a serious allegation. In such cases, callers can be encouraged to identify themselves, noting that their confidentiality will be protected. As such, it is important to also have a Confidentiality Policy, along with the Anonymity Policy.  Both such policies are called for in the OIG compliance guidance documents.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: A Dozen tips for evaluating hotline vendors

Review current vendor contracts; it may be time to switch

A hotline is a critical part of any effective compliance program. It provides an avenue of communication that permits employees to report sensitive matters outside the normal supervisory channels. The compliance officer bears the responsibility of constantly reviewing and improving the effectiveness of the hotline operation. The U.S. Sentencing Commission, HHS OIG, and DOJ call hotlines critical to an effective compliance program. Most hotlines are operated through vendors. Only a very few organizations have the size, capacity, and resources to manage a 24/7 hotline, as is needed for an effective operation. The following are some best practice tips in selecting or retaining a hotline vendor:

 

  1. Compare costs of a vendor with the cost to maintain and operate a hotline in-house. A vendor should provide their services at a set (fixed) fee that can be used for comparison purposes. A good rule of thumb is that the cost of a hotline service should be around $1 per employee per year.

 

  1. Industry Focus. Determine the level of expertise in the health care industry. It is advisable to have a company familiar with and sympathetic to health care issues, rather than focus on employee theft or other generic matters common to all industries. Ask for a breakdown of the types of clients they serve. Do they have a primary focus (transportation, finance, energy, health care)?

 

  1. Hotline Service Types. In today’s environment, it is advisable to have two levels of service. The first is a Web-based reporting system that prompts individual complainants, as well as the option to call and speak with a live operator. Either approach has its pluses and minuses. Your vendor should provide both approaches in a single service fee.

 

  1. Vendor Contract Traps. A vendor should keep business with good service, not tricky contract terms. The contract should permit cancelation at any time with a simple 30-day notice.  If you have a current contract, check the termination clauses to see if cancelling a contract is cumbersome. If it is, ask to renegotiate the termination clause and if they decline, then take steps to follow termination procedures in the contract. Usually such procedures are a short window to cancel, before the contract renews.

 

  1. Hotline Number. Always use and own your own hotline number. To use a vendor number is another common vendor trap. If you advertise their number, to then change would necessitate changing all the places you have advertise the number. If, in such a contract, it is advisable to either renegotiate the agreement to use you own number or change to another vendor, it is worth the pain of making the change.

 

  1. Background and References. It is advisable to know as much about the vendor as you can. Determine who the key players are in the ownership, management and operation of the service and check out their credentials. Do they have personal history and expertise in hotline operations? Also, ask for client references from any vendor you are considering.

 

  1. Policies, Procedures, and Protocols. The company should be able to provide expert advice on developing operating protocols for following up an allegations and complaints received through the hotline. This includes providing/signing a Business Associate Agreement to meet HIPAA Protected Health Information requirements (and if they don’t know what that means, forget them).

 

  1. It is important to insist and have as part of any contract, provision of a full written report within one business day of receipt of the call. For urgent matters, it should be immediate.

 

  1. Reports Provided. Reports on individual calls should be well written, clear, concise and of high quality. The manner the report is delivered is important. There are security problems with reports provided either by facsimile or email. This could be problematic. Web-based reporting is the most secure, with notification of a report being provided via email.

 

  1. Like any other vendor, the company should have at least one to three million dollars liability coverage. If your vendor does not have this insurance, consider changing over to one that provides this assurance.

 

  1. Caller Contact Information. Although anonymity is a must for any hotline, sometimes gaining additional information from callers is important. Vendors should have procedures for providing callers with a means to call back without disclosing their identity. Check that out to see if it meets your needs.

 

  1. Accessibility to Responsible Parties. Responsiveness of vendors to your hotline needs is very important. If something comes up, will there be a responsible live human being available with who you can communicate issues and concerns? You never want to be lost in a bureaucratic shuffle or IVR system.

 

For more information on this topic, contact Marvin Mills (mmills@complianceresource.com).

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Documentary pillars supporting effective compliance programs

16 key documents described

Critical to an effective Compliance Program (CP) is reinforcing it with key documents that provide the supporting pillars. The following describes some of most important compliance program documents:

  1. Code of Conduct. This can be viewed as the Constitution for the organization and should be distributed to all covered persons.
  2. Charters for the Executive and Board Level Oversight Committees. These should establish oversight and support for the CP and define roles and responsibilities.
  3. Compliance Officer Charter/Position Description. It is important to formally describe the role of this position, responsibilities, reporting relationship to the CEO and Board, etc.
  4. Protocols Between the Compliance Office and Legal Counsel, HR, Internal Audit, etc. Many functions overlap or intersect with the Compliance Office. Working relationships need to be defined to avoid “turf issues.”
  5. Compliance Education and Training Policy. This should describe the development and implementation of regular, effective education and training programs for all affected parties, and describe general topics covered, frequency of training, and how you will document completion of the training.
  6. Hotline Charter/Policy. There needs to be a document that establishes a process to receive complaints and how they will be handled. It should describe how individuals can report concerns and ask questions or request guidance.
  7. Policies Addressing Ongoing Monitoring of High-Risk Areas. This is for program managers on their responsibilities to monitor their risk areas, develop and implement written guidance to their staff, training of the staff on how to comply and verify they are following the instructions properly.
  8. Policies Addressing Ongoing Auditing of High-Risk Area. These should address independent reviews of high-risk areas to verify and validate ongoing monitoring is operating the way it should and assist in the reduction of identified problem areas.
  9. Policies Governing Internal Investigations. Outline of the general steps that will be taken to investigate a report of possible problems; and documentation of results.
  10. Policies Addressing Non-Engagement of Sanctioned Individuals and Entities. This should state that there will be no engaging, contracting with, accepting referrals or prescriptions from those that are sanctioned, excluded or debarred from federal and state health care programs.
  11. Conflicts of Interest Policy. This should require all potential conflicts of interest be disclosed and provide a method for addressing them.
  12. Anonymity and Confidentiality Report Policies. Employees should be allowed to report potential wrongdoing anonymously and policy should protect the identity of those who request confidentiality.
  13. Non-Retaliation Policy. This should address protection against retaliation of those reporting potential wrongdoing.
  14. Document Policy Management and Retention. This should outline document retention and destruction requirements and should address electronically maintained documents.
  15. Credentialing and License Policy. This should address which individuals must maintain licensure and state that make clear no engagement or contract individuals and entities that are not properly licensed. It should define verification procedures.
  16. Disclosure of Overpayments and Violations of Law and Regulations Polices. Overpayments are common and sometime there is identification of wrongdoing. Strict rules should govern when and under what circumstances disclosures to outside parties is required.

These are only a starting point. All policies should be reviewed on an annual basis and updated as necessary. This includes eliminating policies that are no longer appropriate or relevant and writing new ones. All policies should be written in a template that permits you to document when a policy was last reviewed and when it was last changed.

For more information on this topic contact Marvin Mills (mmills@complianceresource.com) at the Compliance Resource Center that maintains over 1,000 compliance-related policy templates.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Debriefing complainants—24 question tips

It is very important to fully debrief any complainants and act in a very timely manner to avoid having them go elsewhere with their information—such as an attorney, government agency, media, etc. Any of these other channels could result in serious problems and possible liability. In many cases the information may come anonymously from the hotline, underscoring the importance that those answering the calls be trained on properly debriefing callers and be familiar with health care related issues.

Also, time is not a friend once information is received that may warrant immediate action. Complicating matters is that frequently a single complaint may include several different allegations, each of which needs to be addressed independently. In the debriefing process, once the story is told, specific clarifying questions need to be asked in guiding the person back through the information. This should be done by asking the standard WHO, WHAT, WHEN, WHERE, and WHY questions. These should be designed to expand on the factual details and to test and corroborate the information and be sure the chronologies of events are established.

It is important also to look for avenues and leads that will provide direction by which to either substantiate the allegations or dismiss them. Inasmuch as the allegations may relate to a specific event, something personal or organization wide, an ongoing process problem, etc. It is impossible to draft a set of question that would apply in every circumstance, however the following gives an idea about the types of questions that can be asked in a formal debriefing.

 

DEBRIEFING QUESTIONS

 

  1. What happened that led to the making of the complaint?
  2. Why are you coming forth with it now?
  3. What occurred, where, when, and how?
  4. Did the person who engaged in the conduct engage in similar conduct with anyone else?
  5. Has anyone else complained to you about similar conduct?
  6. When did it occur (date and time)?
  7. Where did it take place?
  8. How did you respond when it occurred?
  9. Who did you discuss it with and when? 
  10. What did you say? What did they say?
  11. How has this incident affected you?
  12. Has your job been affected in any way?
  13. Who else was present when the act occurred? 
  14. Where were they in relation to you? 
  15. Who else has any knowledge of the act? 
  16. Has anyone else discussed it with you? 
  17. If so, who and what did that person say? 
  18. Did anyone see you immediately after the act?
  19. Who else was involved, knows about, or witnessed it?
  20. Who else have you told (employees, supervisor, attorney, media,)?
  21. Why do you think it happened?
  22. What documentary evidence would help in the investigation?
  23. What do you believe should be done to resolve this matter?
  24. Has is happened before (an isolated event or part of a pattern)?

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.