Kusserow on Compliance: Fifteen tips for a more effective hotline program

Having an effective hotline program is a must for any effective compliance program. The operative word is “effective.” Laurel Eakes at the Compliance Resource Center has worked with many hotline operations. She notes from her experience that “the hotline needs to be seen by employees and management as a priority to bring complaints and allegations of wrongdoing in house. The alternative is to drive such information externally to government agencies, litigating attorneys, media, etc., and that can only spell trouble. As such, not acting promptly on information received can result in potential liabilities, headaches, and a lot of remedial work. It is important to make employees comfortable in raising concerns internally and lessening the perceived need to resort to ‘whistleblowing’ to external parties.” Eakes offered the follow tips she has found with her clients for ensuring a more effective hotline program:

  1. Implement related policies (e.g. hotline Operations, Duty to Report, Non-Retaliation, Anonymous and Confidential Reporting, Investigations, etc.)
  2. Log and track all complaints/allegations received through resolution
  3. Set time frames for completion and resolution of complaints and verify they are followed
  4. Be sure those investigating hotline allegations have been trained how to do it properly
  5. Document all steps in the process of resolving hotline complaints/allegations
  6. Have posters on employee bulletin boards for the availability and use of the hotline
  7. Ensure hotline number and its availability is included in new employee orientation
  8. Ensure the hotline program is part of annual compliance training
  9. Have information about the use of the hotline made part of the Employee Handbook
  10. Consider having a flyer go out to all employees on the availability of the hotline
  11. If there is an Intranet for employee use, include information about the hotline
  12. If there is an organization newsletter or intranet, use it to promote the hotline
  13. Maintain a document management system for compliance records
  14. Ensure records are kept in a secure limited access area
  15. Develop summary reports for management and Board on results from the hotline program

 

For more information on this subject, contact Laurel Eakes (leakes@complianceresource.com)

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Written policies are necessary to govern compliance communication channels

An organization with an effective compliance program is one whose employees can easily share and receive information about what is expected of them in the workplace and one who provides a means to report compliance issues and violations of standards of behavior. The OIG and DOJ stress the importance of having multiple channels of compliance communication, not limited to hotlines. Without question, the “hotline” is the major avenue of communication for receiving reports of employee concerns, observed unallowable behavior, violations of law/regulations, breach of safety standards, theft, and other wrongdoing. This channel has been further stimulated by the inclusion of web-based reporting in recent years. Other channels by which employees can voice concerns and perceptions can include feedback from training, independent confidential surveying, bulletin boards, suggestion boxes, emailing, exit interviewing, staff meetings, etc. Included with these other channels should be the easy and direct access to managers, as well as the compliance office.

Communication is a two-way street that needs to include feedback and dissemination of information to employees. It is important to share news, announcements, discussions, surveys and anything else with employees. This information needs to come from an accessible place. Many health care organizations use their Intranet as a major communication vehicle. Once the compliance communication channels have been created, it calls for “rules of the road” governing the processes in the form of policies and procedures.

The fact is that there are several related policy documents called for by regulatory authorities as essential to an effective compliance program. These include, but are not limited to, “Duty to Report Policy,” “Non-Retaliation Policy,” “Anonymous Reporting Policy,” “Confidential Reporting Policy,” “Hotline Operations Policy,” “Compliance Investigation Policy,” “Disclosure of Overpayments Policy,” “Disclosure of Violations of Law/Regulations,” and “Compliance Office Confidentiality Policy,” among others. There is also need for policies for proper handling and management of information to guard against leaks, which opens the door to a whole set of policies related to IT and information controls. These policies should be inter-related and mutually supporting. They tell employees of their obligations to report suspected wrongdoing, how to do it, how the information will be acted upon, and what to expect once the report is submitted.

For more information regarding this subject and availability of compliance policy templates, see the Policy Resource Center at www.complianceresource.com.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ issues 2020 compliance program guidelines

Provides a more in-depth analysis of compliance programs

The DOJ released the updated Evaluation of Corporate Compliance Programs to assist prosecutors in making an informed analysis about an organization’s compliance program at the time of charging decisions. It has not changed much from the prior releases that included a list of 119 compliance-related questions. The new guidance continues to focus on three core questions derived from the Justice Manual, namely,  whether a compliance program is “well designed,” “being applied earnestly and in good faith,” and “works in practice.” It restates the importance of having a compliance program suitable for the company’s risk profile but added context and detail for companies to ensure that their compliance priorities are aligned with the DOJ’s expectations.

These include: (1) the importance of having an evolving, dynamic program; (2) the need for the compliance function to engage with company employees; (3) ensuring the program is thoughtful and responsive to the company’s context; and (4) the importance of adequate compliance resources and empowerment of the compliance function. Additional attention is given to these principles for companies to enhance their compliance program and adhere to best practices that would best position themselves in the event of an inquiry or enforcement action from a government regulator. It reflects the continued expectation that a compliance program should continue to evolve and improve over time as the business changes and the compliance function matures. Meaningful risk assessments and program evaluations are critical to this end. There is added language asking prosecutors to assess “why and how the company’s compliance program has evolved over time” and “has the periodic review led to updates in policies, procedures, and controls?”

The DOJ has continued to move away from the antiquated model of a generic, “off-the-shelf” compliance program and focus more on how an organization acts in response to risk assessments. Other questions include whether the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior identified issues or from those of other companies operating in the same industry and/or geographical region. The DOJ asks about effective monitoring of compliance and whether a company’s compliance program has continuous access to operational data and information across functions. The DOJ underscores, once again, the importance of having regular reviews of the compliance program; and make it clear that this should not be “cookie cutter” “check the box” type reviews. These reviews should lead to useful findings that result in meaningful changes and improvements. Greater emphasis is also given to the adequacy of compliance resources, quality of trained staff, and empowerment for the program. The importance of oversight of any third-party agents that act on a company’s behalf is stressed, including whether the company engages in risk management of third parties throughout the lifespan of the relationship. The questions include whether the company completed pre-ad post-acquisition due diligence; and a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.

The guidance asks whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees; and if the policies have been published in a searchable format for easy access and reference. Employee training received new attention, suggesting companies consider the format of their trainings to be more responsive, including by: (1) investing in shorter, more targeted training sessions, and (2) ensuring a process by which employees can ask questions arising out of the training. In addition, there is the question as to the extent to which the training has an impact on employee behavior or operations. With regards to the hotlines, the guidance had added language to ensure that the hotline is an accessible, responsive tool, whether the company test whether employees are aware of the hotline and feel comfortable using it, and if reports are tracked from inception to finish.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Why encourage anonymous hotline calls?

The are in your best interest

Encouraging anonymity with hotline callers may at first seem a bad practice, however, it is not.  It is a sound policy and in the best interest of the organization. However, many believe no calls should be accepted without an individual disclosing his or her identity. Those individuals are wrong. First, the HHS OIG, Sentencing Commission, DOJ, and Sarbanes-Oxley Act all promote anonymous reporting. The OIG in its compliance guidance state “At a minimum, comprehensive compliance programs should include…a hotline, to receive complaints, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.  Failing to provide for and encourage anonymity undercuts the perceived effectiveness of the compliance program. There are other positive reasons for having anonymous reporting:

  1. Not allowing anonymity discourages reporting for fear of becoming a victim of retribution or retaliation. The result is that an individual may give information to someone else like an attorney, the media, government agencies, or simply not tell anyone which may lead to a growing exposure to liability to the organization. As a rule, the more serious the complaint or allegation, the less likely callers will be willing to identify themselves.
  2. The disclosure of an individual’s identity creates a burden for the organization to protect the caller’s identity (“confidentiality) once it is known. Failure to protect identified callers may result in unprotected reprisals or retaliation and serious consequences for the organization that may draw in attorneys, government, and regulatory agencies. There are many cases of litigation for reprisals or wrongful discharge where the company was put in the awkward position of trying to evidence the call did not contribute to the adverse action or termination. This is not a burden if the caller was anonymous.
  3. It is also useful to keep in mind that many callers may want to self-disclose their identity, in order to achieve a protection as a “Whistleblower” to forestall performance or conduct-based actions by trying to invoke the organization’s non-retribution/non-reprisal policy. For some, calling the hotline may be an attempt to block the adverse personnel action.

In some cases, it is desirable, and perhaps even necessary, to learn the identity of the caller in order to properly act on the information offered. There are circumstances where having the identity is essential to act upon a serious allegation. In such cases, callers can be encouraged to identify themselves, noting that their confidentiality will be protected. As such, it is important to also have a Confidentiality Policy, along with the Anonymity Policy.  Both such policies are called for in the OIG compliance guidance documents.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.